IKEv2 with NAT-T and VRF (FlexVPN)
Hi,
I'm struggling to get this to work and the IOS debug commands show nothing.
Spoke1
======
crypto ikev2 keyring LAN-to-LAN
peer HUB
identity address 93.174.221.254
pre-shared-key local TEST
pre-shared-key remote TSET
crypto ikev2 profile IPSEC_IKEv2
match identity remote address 93.174.221.254 255.255.255.255
identity local fqdn spoke1.domain.com
authentication remote pre-share
authentication local pre-share
keyring local LAN-to-LAN
crypto ipsec transform-set ESP-TUNNEL esp-aes esp-sha-hmac
mode tunnel
crypto ipsec profile IPSEC
set transform-set ESP-TUNNEL
set ikev2-profile IPSEC_IKEv2
interface Tunnel2
description VTI2 | CUSTOMER2
vrf forwarding CUSTOMER2
ip unnumbered Loopback2
tunnel source Dialer1
tunnel mode ipsec ipv4
tunnel destination 93.174.221.254
tunnel path-mtu-discovery
tunnel protection ipsec profile IPSEC
interface Loopback2
vrf forwarding CUSTOMER2
ip address 10.47.255.1 255.255.255.255
interface Dialer1
ip address negociated
HUB
====
crypto ikev2 keyring LAN-to-LAN
peer spoke1.domain.com
identity fqdn spoke1.domain.com
pre-shared-key local TSET
pre-shared-key remote TEST
crypto ikev2 profile IPSEC_IKEv2
match identity remote fqdn spoke1.domain.com
identity local address 93.174.221.254
authentication remote pre-share
authentication local pre-share
keyring local LAN-to-LAN
virtual-template 2
crypto ipsec transform-set ESP-TUNNEL esp-aes esp-sha-hmac
mode tunnel
crypto ipsec profile IPSEC
set transform-set ESP-TUNNEL
set ikev2-profile IPSEC_IKEv2
interface Virtual-Template2 type tunnel
description VTI2 | CUSTOMER2
vrf forwarding CUSTOMER2
ip unnumbered Loopback2
tunnel source Loopback254
tunnel mode ipsec ipv4
tunnel path-mtu-discovery
tunnel protection ipsec profile IPSEC
interface Loopback2
vrf forwarding CUSTOMER2
ip address 10.47.255.252 255.255.255.255
interface Loopback254
ip address 93.174.221.254 255.255.255.255
The spoke can ping anything on the internet including the hub public facing address 93.174.221.254 but the tunnel does not come up. Each end is running RIPv2 under the "CUSTOMER2" context with "network 10.0.0.0" and no auto-summary. Static routes don't seem to kick it into life either. Any help would be much appreciated, thanks.
thanks for the response.
For some unexplainable reason when I switch on the following debugs:
Spoke1#debug crypto ikev2 client flexvpn
FlexVPN debugging is on
Spoke1#debug crypto ikev2 error
IKEv2 error debugging is on
Spoke1#debug crypto ikev2 packet
IKEv2 packet debugging is on
Nothing seems to show on the console
Spoke1#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 580/645/700 ms
Spoke1#ping 93.174.221.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 93.174.221.254, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 580/645/700 ms
*The high latency is because Dialer1 is currently on GPRS because 3G coverage where i'm testing is poor.
I have this in the Spoke1 config:
ip route vrf CUSTOMER2 10.47.0.0 255.255.0.0 Tunnel2
So I'd have thought pinging something like 10.47.255.252 would bring Tunnel2 up or show some debug messsages. Unfortunately all I get is this:
Spoke1#ping vrf CUSTOMER2 10.47.255.252
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.47.255.252, timeout is 2 seconds:
Success rate is 0 percent (0/5)
Spoke1#sh ip route vrf CUSTOMER2:
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C 10.47.1.0/24 is directly connected, Vlan2
L 10.47.1.1/32 is directly connected, Vlan2
C 10.47.255.1/32 is directly connected, Loopback2
How do I enable crypto logging session ?
And i'll try an MTU of 1452 just encase path-discovery isn't working?
My understanding is that a virtual-access interface should appear for each spoke that connects, but that doesn't seem to be happening.
Similar Messages
-
Cisco 1700 with MP-BGP and VRF support
I have a Cisco 1721 with MP-BGP Support, you can create VRFs with it and every other MPLSVPN feature, but the commands for MPLS switching are not supported like Router(config-if)mpls ip , I read in some forums that you can create MPLS VPN without enabling MPLS at all, just with MPBGP, but I couldn't do it myself, Can someone tell me how to make it work or what can I do with a Cisco 1721 that supports MP-BGP?
thanks in advanceHere is an example. Take care about overhead for packets like VoIP. The overhead is 88 bytes.
The packet semms something like that.
IpHeader-pub@ - NAT-Tudp4500 - ESP - IpHeader-priv@(vrf discriminator) - GRE - Original IP Header - Data - Esp Trailer.
In this case you neet tunnel-mode because you use
private @ in order to determine vrf (vrf discriminator).
This is a LAB config, all other security parameters you need on a router are not configured. If you add access-list on the external interface of REMOTE you have to understand every encapsulation step in order to well tune it.
Good reading.
The PPT draw shows physically and logically views.
PS, take care about fragmentation issues, the problematic is still not well managed by the routers, I could not made Tunnel-path-mtu discovery work with vrf's. The workaround is to fragment packets. It's not good for performance but actually there is no other solution concerning that.
Kind Regards
Miguel -
E4200 v1 - NAT issue - and more....
Please bear with me, I try to make things work - but my skills are not enough for this... Please help anyone..
2 things:
#1)
I want to Disable NAT on my E4200 v1 with latest FW, since already my ADSL modem does this,... or the other way around - but it does not make much sense they both do it...
My problem is how to set up the static route..
ADSL modem
IP:192.168.01 (GT784WN) with NAT enabled, and all other filters disabled.
E4200
Internet IP: 192.168.0.2
GW: 192.168.0.1
LAN IP: 192.168.1.1
How should I set up the static route on E4200 for things to work with NAT disabled?
Would it make sense to disable NAT on the cable modem instead - and let E4200 handle that?
If so - how would the routing have to be configured?
#2)
All my computers are connected to E4200, some with wire and some wireless....
In Windows, Explorer, Network - On top there is supposed to be a list with recognized "Computers",
What I see, varies A LOT....
I always see the computer itself: MYFS01,
and I always see the E4200 (MyHUB) (why this is here I don't understand either - I have Media services disabled in E4200)
If I unplugg the E4200 from power... and plug back in again,.. I get ALL Computers listed... Backup device connected via LAN, some WiFi connected devices including my PlayBook,... - but after some time, anything from a few minutes to an hour - most "computers" dissapear from the list - and won't get back until I unplug the E4200.. A reboot of any of the computers does not work either...
I have noticed - that When the list of "computers" in Windows are reduced, I am unable to do a "net view" from my main computer (MYFS01), but after I reboot the E4200, and devices pops up again,... doing a "net view" show all the computers...
Also - While they do not show up in Windows Explorer, I can still access ALL computers and devices - with both \\IP access or \\computername ...
To test, I then took away the E4200 and used ONLY the ADSLmodem (GT784WN) - and I see all Computers always...
Now I don't understand anything - I first thought this was a Windows 7 issue, but - since it seems to be working with another Switch/router - I suspect the E4200 to be the bad one... but - I could of course be wrong,,,,
ANY assistance would be appreciated...
thanxYou are correct. You do NOT want double NAT'ing going on.
You need to put your GT784WN into bridge mode.
Perform a Google search on "GT784WN bridge mode". I found some good links that looked like they would help you do this.
Putting your GT784WN into bridge mode will turn it into modem only. You should also turn off all firewall, security, uPnP, wireless, etc settings on the GT784WN. You need to dumb it down as much as possible. The E4200 v1 needs to do all the work.
This is exactly what I did with my Arris cable DOCSIS 3.0 router. -
AnyConnect and IKEv2 with IOS Local AAA
Hi,
Is it possible to utilise AnyConnect IKEv2 (terminating on an ASR1k) with the IOS Local AAA feature authenticate remote access using EAP-MD5, or is an external RADIUS server required to support user authentication? I was hoping to develop a standalone proof-of-concept using IOS Local AAA (with aaa attribute lists where appropriate) to store RADIUS 'User' and 'Group' profiles. However, I suspect I can only store the 'Group' profiles locally, and the user authentication requires an external RADIUS server supporting EAP-MD5 to support the tunnel method?
Cheers,
MattYour NAT is nearly correct. There are just two small things:
1) What do you want to achive with this rule and the corresponding ACL? "permit ip any any" on the outside interface is probably a bad idea. Better to configure the needed ports directly with object NAT and specific ACL-lines.
nat (inside,outside) source static WAN interface
2) The NAT-exemtion is nearly fine. This NAT-rule is typically configured with two more parameters:
nat (inside,outside) source static LOCAL LOCAL destination static REMOTE REMOTE no-proxy-arp route-lookup -
Static NAT refresh and best practice with inside and DMZ
I've been out of the firewall game for a while and now have been re-tasked with some configuration, both updating ASA's to 8.4 and making some new services avaiable. So I've dug into refreshing my knowledge of NAT operation and have a question based on best practice and would like a sanity check.
This is a very basic, I apologize in advance. I just need the cobwebs dusted off.
The scenario is this: If I have an SQL server on an inside network that a DMZ host needs access to, is it best to present the inside (SQL server in this example) IP via static to the DMZ or the DMZ (SQL client in this example) with static to the inside?
I think its to present the higher security resource into the lower security network. For example, when a service from the DMZ is made available to the outside/public, the real IP from the higher security interface is mapped to the lower.
So I would think the same would apply to the inside/DMZ, making 'static (inside,dmz)' the 'proper' method for the pre 8.3 and this for 8.3 and up:
object network insideSQLIP
host xx.xx.xx.xx
nat (inside,dmz) static yy.yy.yy.yy
Am I on the right track?Hello Rgnelson,
It is not related to the security level of the zone, instead, it is how should the behavior be, what I mean is, for
nat (inside,dmz) static yy.yy.yy.yy
- Any traffic hitting translated address yy.yy.yy.yy on the dmz zone should be re-directed to the host xx.xx.xx.xx on the inside interface.
- Traffic initiated from the real host xx.xx.xx.xx should be translated to yy.yy.yy.yy if the hosts accesses any resources on the DMZ Interface.
If you reverse it to (dmz,inside) the behavior will be reversed as well, so If you need to translate the address from the DMZ interface going to the inside interface you should use the (dmz,inside).
For your case I would say what is common, since the server is in the INSIDE zone, you should configure
object network insideSQLIP
host xx.xx.xx.xx
nat (inside,dmz) static yy.yy.yy.yy
At this time, users from the DMZ zone will be able to access the server using the yy.yy.yy.yy IP Address.
HTH
AMatahen -
Double NAT Error with Airport Extreme and Airport Express
I have an Airport Extreme 802.11n base station which is connected to my DSL Modem/ Router via Ethernet. I have a MacPro which does not have an airport card installed so I bought an Airport Express 802.11n - which is connected to my MacPro via ethernet - and thus provides my MacPro with internet access.
Originally I had the APExtreme and the APExpress set up in a WDS - all worked well - my other wifi equipped macs and devices in the house connected to the network with no problem, but I did notice that the maximum throughput I was getting was 802.11g speeds - this is of course due to the overhead of the WDS.
I originally purchased these 802.11n devices because I wanted the higher throughput - so I decided to terminate the WDS and just have the APExpress (attached to my MacPro) "join" the wireless network instead of extending it - which works and I am enjoying the 802.11n speed.
So, I just upgraded a couple of my Macs to 10.6.2 and was going to start using "Back to My Mac" and I got the error that there is a double NAT address problem and that "Back to My Mac" won't work until this is resolved.
I know that going back to a WDS will resolve the double NAT problem - but I don't want to take the performance hit that goes with the WDS.
So, short of buying an Airport card for my MacPro (which would eliminate the need of the APExpress)
Is there any other way to resolve this double NAT problem besides WDS?
Thanks for any advice.First of all thanks for your quick reply!
Connecting my MacPro to the Airport Extreme would be a serious pain as the DSL Modem and APExtreme are upstairs near the only connection point in the building to a phone line - and my MacPro is downstairs.
I suppose I could dig out a very long ethernet cable to perform the test. But before I jump through that hoop - please explain to me what you are trying to get at - in other words - what does it mean if this resolves the double nat error - and what does it mean if it does not? -
hi Everyone,
I'm running a Cisco 3620 with two interfaces, a FE and an ADSL WIC, and I'm noticing some unexpected behaviour with NAT(ing) some UDP ports, here are the config rules in question:
ip nat inside source static udp 192.168.100.26 14000 interface Dialer1 14000
ip nat inside source static udp 192.168.100.26 14001 interface Dialer1 14001
ip nat inside source static udp 192.168.100.26 14001 interface Dialer1 14002
when I receive traffic through those ports, I see the following in
show ip nat translations | include 14000
udp 64.7.136.227:1038 192.168.100.26:14000 67.163.252.29:62564 67.163.252.29:62564
udp 64.7.136.227:1039 192.168.100.26:14000 67.163.252.29:62564 67.163.252.29:62564
udp 64.7.136.227:1040 192.168.100.26:14000 67.163.252.29:62564 67.163.252.29:62564
udp 64.7.136.227:1041 192.168.100.26:14000 67.163.252.29:62564 67.163.252.29:62564
udp 64.7.136.227:1042 192.168.100.26:14000 67.163.252.29:62564 67.163.252.29:62564
udp 64.7.136.227:1043 192.168.100.26:14000 67.163.252.29:62564 67.163.252.29:62564
udp 64.7.136.227:1044 192.168.100.26:14000 67.163.252.29:62564 67.163.252.29:62564
udp 64.7.136.227:14000 192.168.100.26:14000 --- ---
How can I make this NAT static so that every host originates from port 14000 rather then a dynamic one that is being assigned now?
Any help is greatly appreaciated.
AleksPerhaps I wasn't clear enough in what I needed it to do, here's a show ip nat translations for another (working) NAT
(d) port on the same router:
tcp 64.7.136.227:6667 192.168.100.199:6667 xxx.xxx.xxx.xxx:54375 xxx.xxx.xxx.xxx:54375
tcp 64.7.136.227:6667 192.168.100.199:6667 xxx.xxx.xxx.xxx:50183 xxx.xxx.xxx.xxx:50183
tcp 64.7.136.227:6667 192.168.100.199:6667 xxx.xxx.xxx.xxx:50891 xxx.xxx.xxx.xxx:50891
tcp 64.7.136.227:6667 192.168.100.199:6667 xxx.xxx.xxx.xxx:60443 xxx.xxx.xxx.xxx:60443
tcp 64.7.136.227:6667 192.168.100.199:6667 xxx.xxx.xxx.xxx:2897 xxx.xxx.xxx.xxx:2897
tcp 64.7.136.227:6667 192.168.100.199:6667 xxx.xxx.xxx.xxx:51890 xxx.xxx.xxx.xxx:51890
Notice how the forwarded port is the same on the router interface (64.7.136.227:6667) accross all of the connections that have connected. Now this NAT rule behaves as it should, same syntax used as for the one I originally posted
ip nat inside source static tcp 192.168.100.199 6667 interface Dialer1 6667
the only difference is that this one gets properly assigned to the requested port, whereas these rules
ip nat inside source static udp 192.168.100.26 14000 interface Dialer1 14000
ip nat inside source static udp 192.168.100.26 14001 interface Dialer1 14001
ip nat inside source static udp 192.168.100.26 14001 interface Dialer1 14002
have a dynamically assigned port on (64.7.136.227) interface, as the show ip nat translations shows:
udp 64.7.136.227:1038 192.168.100.26:14000 67.163.252.29:62564 67.163.252.29:62564
udp 64.7.136.227:1039 192.168.100.26:14000 67.163.252.29:62564 67.163.252.29:62564
udp 64.7.136.227:1040 192.168.100.26:14000 67.163.252.29:62564 67.163.252.29:62564
Basically how do I get the three rules to behave the same way as the one on top does...
Thank you,
Aleks -
9iAS 1.0.2 and Discoverer 3i with NAT IP translation
We just installed 9iAS 1.0.2 and Discoverer 3i on an NT box. We also use NAT IP Translation at our agency. Everything works fine if we're connecting to the Discoverer server using the local IP, but if we're outside the network, we have to connect using the NAT IP and it fails when trying to get to the User panel.
I was told to upgrade to 9iAS 1.0.2.1. I was wondering if this will resolve the NAT IP translation.
Any help will be appreciated. Thanks.You're probably not going to be able to use Discoverer 3i as an "extranet" solution. This is due, in part, to Discover 3i's use of the IIOP protocol, which isn't optimized for routing of packets outside of the subnet that your Discover box is located. Under the IIOP connections that Discover 3i employs two (I think) disticnt ports are used (can't rememeber what they are off the top of my head) and then as the session continues, random port connections are established. These random port connections are rarely ever the same and even more are opend for additional user connections. To see what I mean, open a cmd session and do a netstat to see what ports are open. As you use Discoverer 3i, keep doing a netstat...you'll see the ports open and then close as the session continues.
Oracle has since implemented "extranet" functionaltiy in Discover 4i. Other than Discover 4i, you're only other solution is to implement a Terminal (or Citrix server) on the same subnet as your Discover 3i box. you can then implement a "published application" with the client piece and setup appropiate firewall/NAT rules to allow users on other subnets to use the application. If you would like more detailed information, send me an e-mail and I will dig up the research I have already performed concerning this situation.
Thanks,
Mike -
IPSEC tunnel with NAT and NetMeeting
I have established an IPSEC tunnel with two Cisco 2621 routers. Clients over the Internet are able to dial into the MCU server, which is behind one of the Cisco 2621 routers configured with NAT but the MCU is not able to call the client. The MCU is able to call any server or client on the LAN however it is not able to call anyone passed the router configured with NAT. Could anyone who has experience with NAT and IPSEC help me out?
Thanks,The following doc should help...
http://www.cisco.com/warp/public/707/ipsecnat.html -
Example provided is on 1941 ISR routers with 15.2(2)T1 software. One router has 15.3(1)T.
IKEv2 with pre-shared key comes up fine.
IKEv2 with certificates gives auth exchange fail error
IKEv1 with same certificates comes up fine.
The above were Microsoft CA certificates.
I tried with IOS CA certificates, still auth exchange fail error.
Same results with 3945 and 2911 routers on IOS 15.1(2)TThis is details of how I got it working.
sho tech ipsec
------------------ show version ------------------
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.2(2)T1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Wed 29-Feb-12 20:40 by prod_rel_team
ROM: System Bootstrap, Version 15.0(1r)M15, RELEASE SOFTWARE (fc1)
happy uptime is 30 minutes
System returned to ROM by power-on
System restarted at 20:26:58 UTC Fri Mar 1 2013
System image file is "flash0:c2900-universalk9-mz.SPA.152-2.T1.bin"
Last reload type: Normal Reload
Last reload reason: power-on
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
Cisco CISCO2911/K9 (revision 1.0) with 487424K/36864K bytes of memory.
Processor board ID FTX1621AJFU
3 Gigabit Ethernet interfaces
1 terminal line
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
255K bytes of non-volatile configuration memory.
250880K bytes of ATA System CompactFlash 0 (Read/Write)
License Info:
License UDI:
Device# PID SN
*0 CISCO2911/K9 FTX1621AJFU
Technology Package License Information for Module:'c2900'
Technology Technology-package Technology-package
Current Type Next reboot
ipbase ipbasek9 Permanent ipbasek9
security securityk9 Permanent securityk9
uc None None None
data None None None
Configuration register is 0x2102
------------------ show running-config ------------------
Building configuration...
Current configuration : 6483 bytes
! Last configuration change at 20:56:07 UTC Fri Mar 1 2013 by csfc
! NVRAM config last updated at 20:55:05 UTC Fri Mar 1 2013 by csfc
! NVRAM config last updated at 20:55:05 UTC Fri Mar 1 2013 by csfc
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname happy
boot-start-marker
boot-end-marker
security passwords min-length 6
logging buffered 51200 warnings
no logging console
enable secret 4 4Q5iiIH2YznVeGHA3p6Qjm8oBj4LWNDTHjsG21MxgXU
no aaa new-model
no ipv6 cef
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
ip domain name csfc.com
ip name-server 192.168.1.3
no ip cef
multilink bundle-name authenticated
crypto pki token default removal timeout 0
crypto pki trustpoint dc-ca
enrollment terminal
subject-name cn=happy.csfc,c=us
revocation-check none
crypto pki certificate map CRT 10
issuer-name co csfc
crypto pki certificate chain dc-ca
certificate 3F51979A000000000012
3082038E 30820333 A0030201 02020A3F 51979A00 00000000 12300A06 082A8648
CE3D0403 02303B31 13301106 0A099226 8993F22C 64011916 03636F6D 31143012
060A0992 268993F2 2C640119 16046373 6663310E 300C0603 55040313 0564632D
6361301E 170D3133 30333031 31383532 35365A17 0D313530 33303131 38353235
365A3022 310B3009 06035504 06130275 73311330 11060355 0403130A 68617070
792E6373 66633059 30130607 2A8648CE 3D020106 082A8648 CE3D0301 07034200
0429D4D8 F89E295B F7AF826F 86A3F29D EF48FCFF D2374B0F D39CD393 620D3EFD
D484BFA4 3ED08E16 7FDF839D 0FF85690 26C0545C 1B56EC17 7A2E6C1D 5D1A6CD8
DDA38202 36308202 32300B06 03551D0F 04040302 06C0301D 0603551D 0E041604
142DCC8D 554A4853 C4C03B3D 2400E3EA 459406B5 AE301F06 03551D23 04183016
80142389 F56583FC B73D3F11 79A47EAB 96721E76 81AA3081 BB060355 1D1F0481
B33081B0 3081ADA0 81AAA081 A78681A4 6C646170 3A2F2F2F 434E3D64 632D6361
2C434E3D 44432C43 4E3D4344 502C434E 3D507562 6C696325 32304B65 79253230
53657276 69636573 2C434E3D 53657276 69636573 2C434E3D 436F6E66 69677572
6174696F 6E2C4443 3D637366 632C4443 3D636F6D 3F636572 74696669 63617465
5265766F 63617469 6F6E4C69 73743F62 6173653F 6F626A65 6374436C 6173733D
63524C44 69737472 69627574 696F6E50 6F696E74 3081B406 082B0601 05050701
010481A7 3081A430 81A10608 2B060105 05073002 8681946C 6461703A 2F2F2F43
4E3D6463 2D63612C 434E3D41 49412C43 4E3D5075 626C6963 2532304B 65792532
30536572 76696365 732C434E 3D536572 76696365 732C434E 3D436F6E 66696775
72617469 6F6E2C44 433D6373 66632C44 433D636F 6D3F6341 43657274 69666963
6174653F 62617365 3F6F626A 65637443 6C617373 3D636572 74696669 63617469
6F6E4175 74686F72 69747930 3C06092B 06010401 82371507 042F302D 06252B06
01040182 37150881 98D47A81 B6D74A87 A98B18DF C60887B8 D4794787 BCE00C86
9D892C02 01640201 11301306 03551D25 040C300A 06082B06 01050508 0202301B
06092B06 01040182 37150A04 0E300C30 0A06082B 06010505 08020230 0A06082A
8648CE3D 04030203 49003046 022100E7 E5814B90 CE6EABE2 B12C818A 6323160D
632C0551 B765DA29 0CA4BAAC 27325F02 2100E516 11985F3E CDB23FE7 BB91C836
74C457BB 5EA87ED6 3D9DCF41 AE4CDD40 A28F
quit
certificate ca 2C8A76A7904BB4B341B3AAFA9ED387D3
308201DC 30820183 A0030201 0202102C 8A76A790 4BB4B341 B3AAFA9E D387D330
0A06082A 8648CE3D 04030230 3B311330 11060A09 92268993 F22C6401 19160363
6F6D3114 3012060A 09922689 93F22C64 01191604 63736663 310E300C 06035504
03130564 632D6361 301E170D 31333031 32333135 32383435 5A170D31 38303132
33313533 3834345A 303B3113 3011060A 09922689 93F22C64 01191603 636F6D31
14301206 0A099226 8993F22C 64011916 04637366 63310E30 0C060355 04031305
64632D63 61305930 1306072A 8648CE3D 02010608 2A8648CE 3D030107 03420004
EFA5B6B5 BC89C22A B91DDDBB 60034DB9 21655D71 3965177D 9D5956D0 8C45ABC9
38EB4175 44AA06DC 19B94DAB 368AC06C 35077B97 24BE5879 758256FA 03838F2F
A3693067 30130609 2B060104 01823714 0204061E 04004300 41300E06 03551D0F
0101FF04 04030201 86300F06 03551D13 0101FF04 05300301 01FF301D 0603551D
0E041604 142389F5 6583FCB7 3D3F1179 A47EAB96 721E7681 AA301006 092B0601
04018237 15010403 02010030 0A06082A 8648CE3D 04030203 47003044 022010BD
C2ADC8B7 C2C05DB2 CFE2E78A B3A47E2E 8A3193CA 607E4AE3 EEF105F0 42CE0220
056C951C 45ECD966 DFA9BADB 9F1CC71E 8F029C12 F94593A6 21B50A49 C1E62581
quit
license udi pid CISCO2911/K9 sn FTX1621AJFU
username csfc privilege 15 secret 4
username admin privilege 15 secret 4
username Happy privilege 15 secret 4
redundancy
crypto ikev2 proposal prop-1
encryption aes-cbc-256
integrity sha256
group 19
crypto ikev2 policy policy1
proposal prop-1
crypto ikev2 profile default
match certificate CRT
identity local dn
authentication local ecdsa-sig
authentication remote rsa-sig
authentication remote ecdsa-sig
pki trustpoint dc-ca
no crypto ikev2 diagnose error
no crypto ikev2 http-url cert
crypto ikev2 certificate-cache 750
crypto ikev2 fragmentation mtu 1400
crypto logging ikev2
crypto ipsec transform-set SEC esp-aes esp-sha256-hmac
crypto ipsec profile default
set transform-set SEC
set ikev2-profile default
interface Tunnel0
no ip address
interface Tunnel1
ip address 192.168.100.1 255.255.255.0
tunnel source GigabitEthernet0/1
tunnel destination 192.168.11.42
tunnel protection ipsec profile default
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
ip address 192.168.1.40 255.255.255.0
duplex full
speed auto
interface GigabitEthernet0/1
ip address 192.168.11.41 255.255.255.252
duplex full
speed auto
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip route 192.168.2.0 255.255.255.0 Tunnel1
no cdp advertise-v2
control-plane
banner login ^CCPLEEEESE!^C
line con 0
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
privilege level 15
password
login local
transport input ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
scheduler allocate 20000 1000
sntp server 192.168.1.3 version 3
end
------------------ show crypto tech-support ------------------
------------------ show crypto isakmp sa count ------------------
Active ISAKMP SA's: 0
Standby ISAKMP SA's: 0
Currently being negotiated ISAKMP SA's: 0
Dead ISAKMP SA's: 0
------------------ show crypto ipsec sa count ------------------
IPsec SA total: 2, active: 2, rekeying: 0, unused: 0, invalid: 0
------------------ show crypto isakmp sa detail ------------------
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
T - cTCP encapsulation, X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
IPv6 Crypto ISAKMP SA
------------------ show crypto ipsec sa detail ------------------
interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 192.168.11.41
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.11.41/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (192.168.11.42/255.255.255.255/47/0)
current_peer 192.168.11.42 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 271, #pkts encrypt: 271, #pkts digest: 271
#pkts decaps: 275, #pkts decrypt: 275, #pkts verify: 275
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts tagged (send): 0, #pkts untagged (rcv): 0
#pkts not tagged (send): 0, #pkts not untagged (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0
local crypto endpt.: 192.168.11.41, remote crypto endpt.: 192.168.11.42
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
current outbound spi: 0x1DF8CFFA(502845434)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xBF473CF2(3209116914)
transform: esp-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 5, flow_id: SW:5, sibling_flags 80000040, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4181836/3479)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x1DF8CFFA(502845434)
transform: esp-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 6, flow_id: SW:6, sibling_flags 80000040, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4181837/3479)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
------------------ show crypto session summary ------------------
------------------ show crypto session detail ------------------
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: Tunnel1
Uptime: 00:02:00
Session status: UP-ACTIVE
Peer: 192.168.11.42 port 500 fvrf: (none) ivrf: (none)
Phase1_id: cn=grumpy.csfc,c=us
Desc: (none)
IKEv2 SA: local 192.168.11.41/500 remote 192.168.11.42/500 Active
Capabilities:(none) connid:3 lifetime:23:58:00
IPSEC FLOW: permit 47 host 192.168.11.41 host 192.168.11.42
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 275 drop 0 life (KB/Sec) 4181836/3479
Outbound: #pkts enc'ed 271 drop 0 life (KB/Sec) 4181837/3479
------------------ show crypto isakmp peers ------------------
------------------ show crypto ruleset detail ------------------
Mtree:
199 VRF 0 11 192.168.11.41/500 ANY Forward, Forward
299 VRF 0 11 192.168.11.41/4500 ANY Forward, Forward
200000199 VRF 0 11 ANY/848 ANY Forward, Forward
200000299 VRF 0 11 ANY ANY/848 Forward, Forward
6553700000000000101 VRF 0 2F 192.168.11.41 192.168.11.42 Discard/notify, Encrypt
6553700000000000199 VRF 0 2F 192.168.11.41 192.168.11.42 Discard/notify, Discard/notify
------------------ show processes memory | include Crypto IKMP ------------------
260 0 5432 880 18424 3 3 Crypto IKMP
------------------ show processes cpu | include Crypto IKMP ------------------
260 0 6 0 0.00% 0.00% 0.00% 0 Crypto IKMP
------------------ show crypto eli ------------------
Hardware Encryption : ACTIVE
Number of hardware crypto engines = 1
CryptoEngine Onboard VPN details: state = Active
Capability : IPPCP, DES, 3DES, AES, IPv6, GDOI, FAILCLOSE, HA
IPSec-Session : 0 active, 3200 max, 0 failed
------------------ show cry engine accelerator statistic ------------------
Device: Onboard VPN
Location: Onboard: 0
:Statistics for encryption device since the last clear
of counters 1826 seconds ago
0 packets in 0 packets out
0 bytes in 0 bytes out
0 paks/sec in 0 paks/sec out
0 Kbits/sec in 0 Kbits/sec out
0 packets decrypted 0 packets encrypted
0 bytes before decrypt 0 bytes encrypted
0 bytes decrypted 0 bytes after encrypt
0 packets decompressed 0 packets compressed
0 bytes before decomp 0 bytes before comp
0 bytes after decomp 0 bytes after comp
0 packets bypass decompr 0 packets bypass compres
0 bytes bypass decompres 0 bytes bypass compressi
0 packets not decompress 0 packets not compressed
0 bytes not decompressed 0 bytes not compressed
1.0:1 compression ratio 1.0:1 overall
Last 5 minutes:
0 packets in 0 packets out
0 paks/sec in 0 paks/sec out
0 bits/sec in 0 bits/sec out
0 bytes decrypted 0 bytes encrypted
0 Kbits/sec decrypted 0 Kbits/sec encrypted
1.0:1 compression ratio 1.0:1 overall
------------------ show cry isakmp diagnose error ------------------
Exit Path Table - status: disable, current entry 0, deleted 0, max allow 10
------------------ show cry isakmp diagnose error count ------------------
Exit Trace counters
------------------ show crypto call admission statistics ------------------
Crypto Call Admission Control Statistics
System Resource Limit: 0 Max IKE SAs: 0 Max in nego: 1000
Total IKE SA Count: 0 active: 0 negotiating: 0
Incoming IKE Requests: 0 accepted: 0 rejected: 0
Outgoing IKE Requests: 0 accepted: 0 rejected: 0
Rejected IKE Requests: 0 rsrc low: 0 Active SA limit: 0
In-neg SA limit: 0
IKE packets dropped at dispatch: 0
Max IPSEC SAs: 0
Total IPSEC SA Count: 0 active: 0 negotiating: 0
Incoming IPSEC Requests: 0 accepted: 0 rejected: 0
Outgoing IPSEC Requests: 0 accepted: 0 rejected: 0
Phase1.5 SAs under negotiation: 0
sho ip int bri
Interface IP-Address OK? Method Status Protocol
Embedded-Service-Engine0/0 unassigned YES NVRAM administratively down down
GigabitEthernet0/0 192.168.1.40 YES NVRAM up up
GigabitEthernet0/1 192.168.11.41 YES NVRAM up up
GigabitEthernet0/2 unassigned YES NVRAM administratively down down
Tunnel0 unassigned YES unset up down
Tunnel1 192.168.100.1 YES NVRAM up up
happy#
happy#sho crypto pki cert verb
Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 3F51979A000000000012
Certificate Usage: Signature
Issuer:
cn=dc-ca
dc=csfc
dc=com
Subject:
Name: happy.csfc
cn=happy.csfc
c=us
CRL Distribution Points:
ldap:///CN=dc-ca,CN=DC,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=csfc,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
Validity Date:
start date: 18:52:56 UTC Mar 1 2013
end date: 18:52:56 UTC Mar 1 2015
Subject Key Info:
Public Key Algorithm: rsaEncryption
EC Public Key: (256 bit)
Signature Algorithm: SHA256 with ECDSA
Fingerprint MD5: BF234623 9E7F2C73 EBE07B0A 9E89FC76
Fingerprint SHA1: DB8A8D50 23D9E2DD AC2ED2DC 5A857569 279F44D5
X509v3 extensions:
X509v3 Key Usage: C0000000
Digital Signature
Non Repudiation
X509v3 Subject Key ID: 2DCC8D55 4A4853C4 C03B3D24 00E3EA45 9406B5AE
X509v3 Authority Key ID: 2389F565 83FCB73D 3F1179A4 7EAB9672 1E7681AA
Authority Info Access:
Extended Key Usage:
1.3.6.1.5.5.8.2.2
Associated Trustpoints: dc-ca
Storage: nvram:dc-ca#12.cer
Key Label: happy.csfc.com
Key storage device: private config
CA Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 2C8A76A7904BB4B341B3AAFA9ED387D3
Certificate Usage: Signature
Issuer:
cn=dc-ca
dc=csfc
dc=com
Subject:
cn=dc-ca
dc=csfc
dc=com
Validity Date:
start date: 15:28:45 UTC Jan 23 2013
end date: 15:38:44 UTC Jan 23 2018
--More-- Subject Key Info:
Public Key Algorithm: rsaEncryption
EC Public Key: (256 bit)
Signature Algorithm: SHA256 with ECDSA
Fingerprint MD5: 1F937411 4DB57036 73D54124 E50E83FC
Fingerprint SHA1: E78FE0BF DF5F168A 67860C48 78EC427C 66FE551A
X509v3 extensions:
X509v3 Key Usage: 86000000
Digital Signature
Key Cert Sign
CRL Signature
X509v3 Subject Key ID: 2389F565 83FCB73D 3F1179A4 7EAB9672 1E7681AA
X509v3 Basic Constraints:
CA: TRUE
Authority Info Access:
Associated Trustpoints: dc-ca
Storage: nvram:dc-ca#87D3CA.cer
happy#sho crypt key mypubkey all
% Key pair was generated at: 18:44:07 UTC Mar 1 2013
Key name: eckey
Key type: EC KEYS
Storage Device: private-config
Usage: Signature Key
Key is not exportable.
Key Data:
30593013 06072A86 48CE3D02 0106082A 8648CE3D 03010703 4200049A 28E9709A
2F81DEE9 9ED27787 B790D3B4 487B3F2D DBA06E95 43298A54 19A3B0B7 E9107223
5CB9F3CD 9D8BD0E9 9AB9FFC4 698C1912 CBADC469 9E7CD6D3 46E5A2
% Key pair was generated at: 18:49:21 UTC Mar 1 2013
Key name: happy.csfc.com
Key type: EC KEYS
Storage Device: private-config
Usage: Signature Key
Key is not exportable.
Key Data:
30593013 06072A86 48CE3D02 0106082A 8648CE3D 03010703 42000429 D4D8F89E
295BF7AF 826F86A3 F29DEF48 FCFFD237 4B0FD39C D393620D 3EFDD484 BFA43ED0
8E167FDF 839D0FF8 569026C0 545C1B56 EC177A2E 6C1D5D1A 6CD8DD
happy# sho crypto ike2 v2 session detail
IPv4 Crypto IKEv2 Session
Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote fvrf/ivrf Status
3 192.168.11.41/500 192.168.11.42/500 none/none READY
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:19, Auth sign: ECDSA, Auth verify: ECDSA
Life/Active Time: 86400/339 sec
CE id: 1084, Session-id: 1
Status Description: Negotiation done
Local spi: 239BE9D173BFD509 Remote spi: C7A295975E26147B
Local id: cn=happy.csfc,c=us
Remote id: cn=grumpy.csfc,c=us
Local req msg id: 0 Remote req msg id: 2
Local next msg id: 0 Remote next msg id: 2
Local req queued: 0 Remote req queued: 2
Local window: 5 Remote window: 5
DPD configured for 0 seconds, retry 0
NAT-T is not detected
Cisco Trust Security SGT is disabled
Child sa: local selector 192.168.11.41/0 - 192.168.11.41/65535
remote selector 192.168.11.42/0 - 192.168.11.42/65535
ESP spi in/out: 0xBF473CF2/0x1DF8CFFA
AH spi in/out: 0x0/0x0
CPI in/out: 0x0/0x0
Encr: AES-CBC, keysize: 128, esp_hmac: SHA256
ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
IPv6 Crypto IKEv2 Session
happy#sho crypto ikev2 session sa detail
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
3 192.168.11.41/500 192.168.11.42/500 none/none READY
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:19, Auth sign: ECDSA, Auth verify: ECDSA
Life/Active Time: 86400/386 sec
CE id: 1084, Session-id: 1
Status Description: Negotiation done
Local spi: 239BE9D173BFD509 Remote spi: C7A295975E26147B
Local id: cn=happy.csfc,c=us
Remote id: cn=grumpy.csfc,c=us
Local req msg id: 0 Remote req msg id: 2
Local next msg id: 0 Remote next msg id: 2
Local req queued: 0 Remote req queued: 2
Local window: 5 Remote window: 5
DPD configured for 0 seconds, retry 0
NAT-T is not detected
Cisco Trust Security SGT is disabled
IPv6 Crypto IKEv2 SA
happy#sho crypto ikev2 sa detail stats
Crypto IKEv2 SA Statistics
System Resource Limit: 0 Max IKEv2 SAs: 0 Max in nego: 1000
Total IKEv2 SA Count: 1 active: 1 negotiating: 0
Incoming IKEv2 Requests: 34 accepted: 34 rejected: 0
Outgoing IKEv2 Requests: 50 accepted: 50 rejected: 0
Rejected IKEv2 Requests: 0 rsrc low: 0 SA limit: 0
IKEv2 packets dropped at dispatch: 0
Incoming IKEV2 Cookie Challenged Requests: 0
accepted: 0 rejected: 0 rejected no cookie: 0
happy#exit -
Cisco 7206 has with LLQ QOS and cpu 85 %
hi all ,
i want to mention issue about cisco router 7206 npeg2 :
can this router handle traffic 780 Mbps as download and 75 MBps as upload ?? with cpu 85 % and with LLQ qos ??
im asking this question because my QOS althoug it matched alot of traffic , it some time get slow and seems that QOS not working fine , im sure that my work is fine, because it was fine , but recent days i added more bw ???!!!!!
dont know if need more memory for router for QOS :
===============================================================
7200Gateway#sh memory
Head Total(b) Used(b) Free(b) Lowest(b) Largest(b)
Processor 6B97A80 1883669308 114125456 1769543852 1768174580 1760364316
I/O 78000000 67108864 4482572 62626292 62598896 62617884
Transient 77000000 16777216 22196 16755020 16222412 16728368
Processor memory
Address Bytes Prev Next Ref PrevF NextF Alloc PC what
06B97A80 0000010004 00000000 06B9A1C4 001 -------- -------- 01A493D8 CEF: fib
06B9A1C4 0000000028 06B97A80 06B9A210 000 87F3D04 87FD620 015FC24C AAA Attr Binary/String
06B9A210 0000004700 06B9A1C4 06B9B49C 001 -------- -------- 01AC85B4 ADJ: adjacency
06B9B49C 0000004100 06B9A210 06B9C4D0 001 -------- -------- 0011245C HTTP CORE
06B9C4D0 0000004100 06B9B49C 06B9D504 001 -------- -------- 00112548 HTTP CORE
06B9D504 0000004100 06B9C4D0 06B9E538 001 -------- -------- 00112548 HTTP CORE
06B9E538 0000004100 06B9D504 06B9F56C 001 -------- -------- 00112548 HTTP CORE
06B9F56C 0000004100 06B9E538 06BA05A0 001 -------- -------- 00112548 HTTP CORE
06BA05A0 0000000756 06B9F56C 06BA08C4 001 -------- -------- 0343C38C Process
06BA08C4 0000000204 06BA05A0 06BA09C0 001 -------- -------- 0343FAB4 Process Events
06BA09C0 0000022764 06BA08C4 06BA62DC 001 -------- -------- 04055CB4 IPSM Octet Str
06BA62DC 0000014488 06BA09C0 06BA9BA4 001 -------- -------- 0405C0C4 ipsm IPSEC Fai
06BA9BA4 0000004100 06BA62DC 06BAABD8 001 -------- -------- 00112548 H
===========================================================================
==========================================
7200Gateway#sh version
Cisco IOS Software, 7200 Software (C7200P-ADVENTERPRISEK9-M), Version 12.4(24)T7, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Tue 28-Feb-12 12:53 by prod_rel_team
ROM: System Bootstrap, Version 12.4(12.2r)T, RELEASE SOFTWARE (fc1)
7200Gateway uptime is 2 weeks, 5 days, 19 hours, 43 minutes
System returned to ROM by power-on
System image file is "disk2:/c7200p-adventerprisek9-mz.124-24.T7.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
Cisco 7206VXR (NPE-G2) processor (revision A) with 1966080K/65536K bytes of memory.
Processor board ID 13252317
MPC7448 CPU at 1666Mhz, Implementation 0, Rev 2.2
6 slot VXR midplane, Version 2.0
Last reset from power-on
PCI bus mb1 (Slots 1, 3 and 5) has a capacity of 600 bandwidth points.
Current configuration on bus mb1 has a total of 0 bandwidth points.
This configuration is within the PCI bus capacity and is supported.
PCI bus mb2 (Slots 2, 4 and 6) has a capacity of 600 bandwidth points.
Current configuration on bus mb2 has a total of 0 bandwidth points.
This configuration is within the PCI bus capacity and is supported.
Please refer to the following document "Cisco 7200 Series Port Adaptor
Hardware Configuration Guidelines" on Cisco.com <http://www.cisco.com>
for c7200 bandwidth points oversubscription and usage guidelines.
1 FastEthernet interface
3 Gigabit Ethernet interfaces
2045K bytes of NVRAM.
250880K bytes of ATA PCMCIA card at slot 2 (Sector size 512 bytes).
65536K bytes of Flash internal SIMM (Sector size 512K).
Configuration register is 0x2102
==============================================================
7200Gateway#sh processes cpu
CPU utilization for five seconds: 85%/84%; one minute: 84%; five minutes: 84%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
1 32 416 76 0.00% 0.00% 0.00% 0 Chunk Manager
2 32788 342520 95 0.00% 0.05% 0.05% 0 Load Meter
3 0 1 0 0.00% 0.00% 0.00% 0 chkpt message ha
4 0 1 0 0.00% 0.00% 0.00% 0 EDDRI_MAIN
5 2624584 213262 12306 0.00% 0.03% 0.04% 0 Check heaps
6 56 373 150 0.00% 0.00% 0.00% 0 Pool Manager
7 0 2 0 0.00% 0.00% 0.00% 0 Timers
8 0 2 0 0.00% 0.00% 0.00% 0 ATM AutoVC Perio
9 0 2 0 0.00% 0.00% 0.00% 0 ATM VC Auto Crea
10 16 28543 0 0.00% 0.00% 0.00% 0 IPC Dynamic Cach
11 0 1 0 0.00% 0.00% 0.00% 0 IPC Zone Manager
12 688 1670887 0 0.00% 0.00% 0.00% 0 IPC Periodic Tim
13 520 1670887 0 0.00% 0.00% 0.00% 0 IPC Deferred Por
14 0 1 0 0.00% 0.00% 0.00% 0 IPC Seat Manager
15 0 1 0 0.00% 0.00% 0.00% 0 IPC BackPressure
16 9007072 30711869 293 1.35% 0.15% 0.11% 0 EnvMon
17 0 1 0 0.00% 0.00% 0.00% 0 OIR Handler
18 0 1 0 0.00% 0.00% 0.00% 0 Crash writer
19 1380 3892 354 0.00% 0.00% 0.00% 0 ARP Input
20 1584 1784473 0 0.00% 0.00% 0.00% 0 ARP Background
21 0 2 0 0.00% 0.00% 0.00% 0 ATM Idle Timer
22 0 1 0 0.00% 0.00% 0.00% 0 CEF MIB API
23 4 134 29 0.00% 0.00% 0.00% 0 AAA high-capacit
24 0 1 0 0.00% 0.00% 0.00% 0 AAA_SERVER_DEADT
25 0 1 0 0.00% 0.00% 0.00% 0 Policy Manager
26 0 2 0 0.00% 0.00% 0.00% 0 DDR Timers
27 0 5 0 0.00% 0.00% 0.00% 0 Entity MIB API
28 0 2 0 0.00% 0.00% 0.00% 0 Serial Backgroun
29 0 1 0 0.00% 0.00% 0.00% 0 RO Notify Timers
30 0 1 0 0.00% 0.00% 0.00% 0 RMI RM Notify Wa
31 28 281 99 0.00% 0.00% 0.00% 0 EEM ED Syslog
32 0 2 0 0.00% 0.00% 0.00% 0 SMART
33 724 1712571 0 0.00% 0.00% 0.00% 0 GraphIt
34 0 2 0 0.00% 0.00% 0.00% 0 Dialer event
35 0 1 0 0.00% 0.00% 0.00% 0 SERIAL A'detect
36 0 2 0 0.00% 0.00% 0.00% 0 XML Proxy Client
37 0 2 0 0.00% 0.00% 0.00% 0 VSA background
38 0 1 0 0.00% 0.00% 0.00% 0 VSA Cleanup Proc
39 0 1 0 0.00% 0.00% 0.00% 0 Critical Bkgnd
40 4348 444483 9 0.00% 0.00% 0.00% 0 Net Background
41 0 2 0 0.00% 0.00% 0.00% 0 IDB Work
42 32 501 63 0.00% 0.00% 0.00% 0 Logger
43 1236 1710802 0 0.00% 0.00% 0.00% 0 TTY Background
44 16504 1712627 9 0.07% 0.00% 0.00% 0 Per-Second Jobs
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
45 20 34 588 0.00% 0.00% 0.00% 0 IF-MGR control p
46 8 40 200 0.00% 0.00% 0.00% 0 IF-MGR event pro
47 0 1 0 0.00% 0.00% 0.00% 0 Inode Table Dest
48 0 1 0 0.00% 0.00% 0.00% 0 IKE HA Mgr
49 0 1 0 0.00% 0.00% 0.00% 0 IPSEC HA Mgr
50 4 4 1000 0.00% 0.00% 0.00% 0 rf task
51 12808 179149 71 0.00% 0.00% 0.00% 0 Net Input
52 1304 342532 3 0.00% 0.00% 0.00% 0 Compute load avg
53 610136 28974 21058 0.00% 0.00% 0.00% 0 Per-minute Jobs
54 0 1 0 0.00% 0.00% 0.00% 0 Token Daemon
55 4 10570 0 0.00% 0.00% 0.00% 0 Transport Port A
56 1272 505453 2 0.00% 0.00% 0.00% 0 HC Counter Timer
57 0 1 0 0.00% 0.00% 0.00% 0 Coproc Event Pro
58 0 1 0 0.00% 0.00% 0.00% 0 POS APS Event Pr
59 0 1 0 0.00% 0.00% 0.00% 0 SONET alarm time
60 0 1 0 0.00% 0.00% 0.00% 0 CSP Timer
61 204 4 51000 0.00% 0.00% 0.00% 0 USB Startup
62 0 2 0 0.00% 0.00% 0.00% 0 FPD Management P
63 0 1 0 0.00% 0.00% 0.00% 0 FPD Action Proce
64 0 2 0 0.00% 0.00% 0.00% 0 VNM DSPRM MAIN
65 0 1 0 0.00% 0.00% 0.00% 0 RF_INTERDEV_DELA
66 0 1 0 0.00% 0.00% 0.00% 0 RF_INTERDEV_SCTP
67 464 1712577 0 0.00% 0.00% 0.00% 0 ISA Common Helpe
68 0 2 0 0.00% 0.00% 0.00% 0 Flash MIB Update
69 0 58 0 0.00% 0.00% 0.00% 0 Flash Card Oir
70 0 1 0 0.00% 0.00% 0.00% 0 CES Line Conditi
71 0 1 0 0.00% 0.00% 0.00% 0 CF_INTERDEV_SCTP
72 0 1 0 0.00% 0.00% 0.00% 0 Async write proc
73 0 2 0 0.00% 0.00% 0.00% 0 Ethernet CFM
74 736 1670893 0 0.00% 0.00% 0.00% 0 Ethernet Timer C
75 0 1 0 0.00% 0.00% 0.00% 0 delayed evt hand
76 28 112 250 0.00% 0.00% 0.00% 0 AAA Server
77 0 1 0 0.00% 0.00% 0.00% 0 AAA ACCT Proc
78 0 1 0 0.00% 0.00% 0.00% 0 ACCT Periodic Pr
79 0 2 0 0.00% 0.00% 0.00% 0 AAA Dictionary R
80 744 1670882 0 0.00% 0.00% 0.00% 0 BGP Scheduler
81 0 2 0 0.00% 0.00% 0.00% 0 Ethernet OAM Pro
82 0 2 0 0.00% 0.00% 0.00% 0 Ethernet LMI
83 0 2 0 0.00% 0.00% 0.00% 0 CEF switching ba
84 3684 14726 250 0.00% 0.00% 0.00% 0 ADJ resolve proc
85 8 30 266 0.00% 0.00% 0.00% 0 IP ARP Adjacency
86 0 1 0 0.00% 0.00% 0.00% 0 IP ARP Retry Age
87 3481296 6804010 511 0.00% 0.02% 0.01% 0 IP Input
88 0 1 0 0.00% 0.00% 0.00% 0 ICMP event handl
89 0 9 0 0.00% 0.00% 0.00% 0 TurboACL
90 0 2 0 0.00% 0.00% 0.00% 0 TurboACL chunk
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
91 0 1 0 0.00% 0.00% 0.00% 0 IPv6 Echo event
92 16 2854 5 0.00% 0.00% 0.00% 0 MOP Protocols
93 0 1 0 0.00% 0.00% 0.00% 0 LSP Tunnel FRR
94 0 1 0 0.00% 0.00% 0.00% 0 MPLS Auto-Tunnel
95 0 3 0 0.00% 0.00% 0.00% 0 PPP Hooks
96 0 1 0 0.00% 0.00% 0.00% 0 Async write proc
97 0 1 0 0.00% 0.00% 0.00% 0 SSS Manager
98 0 1 0 0.00% 0.00% 0.00% 0 SSS Feature Mana
99 0 1 0 0.00% 0.00% 0.00% 0 SSS Feature Time
100 0 2 0 0.00% 0.00% 0.00% 0 Spanning Tree
101 0 1 0 0.00% 0.00% 0.00% 0 X.25 Encaps Mana
102 20 96 208 0.00% 0.00% 0.00% 0 SSM connection m
103 0 1 0 0.00% 0.00% 0.00% 0 AC Switch
104 4 5709 0 0.00% 0.00% 0.00% 0 Authentication P
105 0 1 0 0.00% 0.00% 0.00% 0 Auth-proxy AAA B
106 0 2 0 0.00% 0.00% 0.00% 0 EAPoUDP Process
107 0 2 0 0.00% 0.00% 0.00% 0 IP Host Track Pr
108 0 2 0 0.00% 0.00% 0.00% 0 KRB5 AAA
109 1152 49386 23 0.00% 0.00% 0.00% 0 IP Background
110 2276 28582 79 0.00% 0.00% 0.00% 0 IP RIB Update
111 60 34442 1 0.00% 0.00% 0.00% 0 CEF background p
112 6784 2485297 2 0.00% 0.00% 0.00% 0 CEF: IPv4 proces
113 12 104 115 0.00% 0.00% 0.00% 0 ADJ background
114 0 2 0 0.00% 0.00% 0.00% 0 PPP IP Route
115 0 2 0 0.00% 0.00% 0.00% 0 PPP IPCP
116 0 1 0 0.00% 0.00% 0.00% 0 IP Traceroute
117 7292 7550370 0 0.00% 0.00% 0.00% 0 TCP Timer
118 1300 10511 123 0.00% 0.00% 0.00% 0 TCP Protocols
119 0 1 0 0.00% 0.00% 0.00% 0 Socket Timers
120 18228 11429 1594 0.00% 0.00% 0.00% 0 HTTP CORE
121 0 2 0 0.00% 0.00% 0.00% 0 RLM groups Proce
122 0 1 0 0.00% 0.00% 0.00% 0 L2X Data Daemon
123 0 1 0 0.00% 0.00% 0.00% 0 ac_atm_state_eve
124 0 2 0 0.00% 0.00% 0.00% 0 SNMP Timers
125 1320 1710737 0 0.00% 0.00% 0.00% 0 RUDPV1 Main Proc
126 0 1 0 0.00% 0.00% 0.00% 0 bsm_timers
127 568 1710728 0 0.00% 0.00% 0.00% 0 bsm_xmt_proc
128 0 1 0 0.00% 0.00% 0.00% 0 COPS
129 0 2 0 0.00% 0.00% 0.00% 0 Dialer Forwarder
130 0 3 0 0.00% 0.00% 0.00% 0 Flow Exporter Ti
131 0 2 0 0.00% 0.00% 0.00% 0 ATM OAM Input
132 0 2 0 0.00% 0.00% 0.00% 0 ATM OAM TIMER
133 0 1 0 0.00% 0.00% 0.00% 0 RARP Input
134 0 1 0 0.00% 0.00% 0.00% 0 IPv6 Inspect Tim
135 0 1 0 0.00% 0.00% 0.00% 0 LAPB Process
136 0 2 0 0.00% 0.00% 0.00% 0 LFDp Input Proc
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
137 0 1 0 0.00% 0.00% 0.00% 0 PAD InCall
138 0 2 0 0.00% 0.00% 0.00% 0 X.25 Background
139 0 2 0 0.00% 0.00% 0.00% 0 PPP Bind
140 0 2 0 0.00% 0.00% 0.00% 0 PPP SSS
141 0 1 0 0.00% 0.00% 0.00% 0 MQC Flow Event B
142 35504 424737438 0 0.23% 0.25% 0.23% 0 HQF Shaper Backg
143 4068 17031478 0 0.00% 0.00% 0.00% 0 RBSCP Background
144 0 2 0 0.00% 0.00% 0.00% 0 SCTP Main Proces
145 0 1 0 0.00% 0.00% 0.00% 0 VPDN call manage
146 0 1 0 0.00% 0.00% 0.00% 0 CHKPT EXAMPLE
147 0 1 0 0.00% 0.00% 0.00% 0 CHKPT DevTest
148 0 1 0 0.00% 0.00% 0.00% 0 IPS Process
149 0 2 0 0.00% 0.00% 0.00% 0 IPS Auto Update
150 0 2 0 0.00% 0.00% 0.00% 0 SDEE Management
151 948 3338807 0 0.00% 0.00% 0.00% 0 Inspect process
152 0 1 0 0.00% 0.00% 0.00% 0 xcpa-driver
153 52 136947 0 0.00% 0.00% 0.00% 0 FW DP Inspect pr
154 1112 3338806 0 0.00% 0.00% 0.00% 0 CCE DP URLF cach
155 0 2 0 0.00% 0.00% 0.00% 0 URL filter proc
156 0 1 0 0.00% 0.00% 0.00% 0 XSM_EVENT_ENGINE
157 144 171238 0 0.00% 0.00% 0.00% 0 XSM_ENQUEUER
158 68 171238 0 0.00% 0.00% 0.00% 0 XSM Historian
159 0 1 0 0.00% 0.00% 0.00% 0 Select Timers
160 4 2 2000 0.00% 0.00% 0.00% 0 HTTP Process
161 0 2 0 0.00% 0.00% 0.00% 0 CIFS API Process
162 0 2 0 0.00% 0.00% 0.00% 0 CIFS Proxy Proce
163 0 1 0 0.00% 0.00% 0.00% 0 Crypto HW Proc
164 56 114166 0 0.00% 0.00% 0.00% 0 ACE policy loade
165 156 68505 2 0.00% 0.00% 0.00% 0 CRM_CALL_UPDATE_
166 36688 172862 212 0.00% 0.00% 0.00% 0 BGP I/O
167 0 2 0 0.00% 0.00% 0.00% 0 AAA Cached Serve
168 0 2 0 0.00% 0.00% 0.00% 0 ENABLE AAA
169 0 1 0 0.00% 0.00% 0.00% 0 EM Background Pr
170 0 1 0 0.00% 0.00% 0.00% 0 Key chain liveke
171 0 2 0 0.00% 0.00% 0.00% 0 LINE AAA
172 44 112 392 0.00% 0.00% 0.00% 0 LOCAL AAA
173 0 42 0 0.00% 0.00% 0.00% 0 MPLS Auto Mesh P
174 0 2 0 0.00% 0.00% 0.00% 0 TPLUS
175 0 2 0 0.00% 0.00% 0.00% 0 VSP_MGR
176 0 1 0 0.00% 0.00% 0.00% 0 FW_TEST_TRP
177 0 1 0 0.00% 0.00% 0.00% 0 EPM MAIN PROCESS
178 4 3 1333 0.00% 0.00% 0.00% 0 Crypto WUI
179 0 2 0 0.00% 0.00% 0.00% 0 Crypto Support
180 0 1 0 0.00% 0.00% 0.00% 0 IPSECv6 PS Proc
181 0 1 0 0.00% 0.00% 0.00% 0 CCVPM_HTSP
182 0 1 0 0.00% 0.00% 0.00% 0 CCVPM_R2
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
183 0 1 0 0.00% 0.00% 0.00% 0 EPHONE MWI Refre
184 0 1903 0 0.00% 0.00% 0.00% 0 FB/KS Log HouseK
185 0 2 0 0.00% 0.00% 0.00% 0 EPHONE MWI BG Pr
186 0 1 0 0.00% 0.00% 0.00% 0 Skinny HW confer
187 0 1 0 0.00% 0.00% 0.00% 0 CCSWVOICE
188 206492 114180 1808 0.00% 0.00% 0.00% 0 BGP Scanner
189 0 1 0 0.00% 0.00% 0.00% 0 http client proc
190 0 3 0 0.00% 0.00% 0.00% 0 BGP Event
191 0 1 0 0.00% 0.00% 0.00% 0 QOS_MODULE_MAIN
192 0 1 0 0.00% 0.00% 0.00% 0 RPMS_PROC_MAIN
193 0 1 0 0.00% 0.00% 0.00% 0 VoIP AAA
194 0 2 0 0.00% 0.00% 0.00% 0 Dialog Manager
195 184 104 1769 0.00% 0.00% 0.00% 0 crypto engine pr
196 0 4 0 0.00% 0.00% 0.00% 0 Crypto CA
197 0 1 0 0.00% 0.00% 0.00% 0 Crypto PKI-CRL
198 28008 64288 435 0.00% 0.00% 0.00% 0 encrypt proc
199 384768 28300 13596 0.00% 0.00% 0.00% 0 crypto sw pk pro
200 8 27 296 0.00% 0.00% 0.00% 0 Crypto INT
201 456 2019 225 0.00% 0.00% 0.00% 0 Crypto IKE Dispa
202 2128 2714 784 0.00% 0.00% 0.00% 0 Crypto IKMP
203 0 1 0 0.00% 0.00% 0.00% 0 IPSEC manual key
204 180 85737 2 0.00% 0.00% 0.00% 0 IPSEC key engine
205 0 1 0 0.00% 0.00% 0.00% 0 CRYPTO QoS proce
206 28 142 197 0.00% 0.00% 0.00% 0 Crypto ACL
207 0 1 0 0.00% 0.00% 0.00% 0 Crypto PAS Proc
208 0 1 0 0.00% 0.00% 0.00% 0 GDOI GM Process
209 0 1 0 0.00% 0.00% 0.00% 0 UNICAST REKEY
210 0 1 0 0.00% 0.00% 0.00% 0 UNICAST REKEY AC
211 0 1 0 0.00% 0.00% 0.00% 0 MV64 TDR Process
212 0 1 0 0.00% 0.00% 0.00% 0 IMA Traps
213 0 1 0 0.00% 0.00% 0.00% 0 SYSMGT Events
214 0 2 0 0.00% 0.00% 0.00% 0 Control-plane ho
215 0 1 0 0.00% 0.00% 0.00% 0 DATA Transfer Pr
216 0 1 0 0.00% 0.00% 0.00% 0 DATA Collector
217 0 1 0 0.00% 0.00% 0.00% 0 Async write proc
218 116 292 397 0.00% 0.00% 0.00% 0 AAA SEND STOP EV
219 136 171243 0 0.00% 0.00% 0.00% 0 RMON Recycle Pro
220 0 2 0 0.00% 0.00% 0.00% 0 RMON Deferred Se
221 0 1 0 0.00% 0.00% 0.00% 0 Syslog Traps
222 0 2 0 0.00% 0.00% 0.00% 0 EEM ED Resource
223 0 2 0 0.00% 0.00% 0.00% 0 EEM ED Routing
224 0 3 0 0.00% 0.00% 0.00% 0 EEM ED Track
225 80 53575 1 0.00% 0.00% 0.00% 0 Crypto cTCP proc
226 0 1 0 0.00% 0.00% 0.00% 0 IP SLAs Ethernet
227 4 1 4000 0.00% 0.00% 0.00% 0 RMON Packets
228 820 1709984 0 0.00% 0.00% 0.00% 0 trunk conditioni
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
229 0 1 0 0.00% 0.00% 0.00% 0 trunk conditioni
230 12 120 100 0.00% 0.00% 0.00% 0 EEM Server
231 4 2 2000 0.00% 0.00% 0.00% 0 Call Home proces
232 52 260 200 0.00% 0.00% 0.00% 0 Syslog
233 0 1 0 0.00% 0.00% 0.00% 0 VPDN Test
234 0 2 0 0.00% 0.00% 0.00% 0 EEM Policy Direc
235 0 2 0 0.00% 0.00% 0.00% 0 EEM ED CLI
236 0 3 0 0.00% 0.00% 0.00% 0 EEM ED Counter
237 0 3 0 0.00% 0.00% 0.00% 0 EM ED GOLD
238 0 3 0 0.00% 0.00% 0.00% 0 EEM ED Interface
239 0 3 0 0.00% 0.00% 0.00% 0 EEM ED IOSWD
240 0 3 0 0.00% 0.00% 0.00% 0 EEM ED Ipsla
241 0 3 0 0.00% 0.00% 0.00% 0 EEM ED None
242 0 2 0 0.00% 0.00% 0.00% 0 EEM ED Nf
243 0 3 0 0.00% 0.00% 0.00% 0 EEM ED OIR
244 0 3 0 0.00% 0.00% 0.00% 0 EEM ED RF
245 0 3 0 0.00% 0.00% 0.00% 0 EEM ED SNMP
246 0 2 0 0.00% 0.00% 0.00% 0 EEM ED SNMP Noti
247 36 42890 0 0.00% 0.00% 0.00% 0 EEM ED Timer
248 0 3 0 0.00% 0.00% 0.00% 0 EEM ED Test
249 0 3 0 0.00% 0.00% 0.00% 0 EEM ED Config
250 0 3 0 0.00% 0.00% 0.00% 0 EEM ED Env
251 0 3 0 0.00% 0.00% 0.00% 0 EEM ED RPC
252 0 2 0 0.00% 0.00% 0.00% 0 cpf_process_msg_
253 0 1 0 0.00% 0.00% 0.00% 0 Key Proc
254 36 28543 1 0.00% 0.00% 0.00% 0 Call Home Timer
255 0 1 0 0.00% 0.00% 0.00% 0 tHUB
256 0 1 0 0.00% 0.00% 0.00% 0 Async write proc
257 104 953 109 0.00% 0.00% 0.00% 0 SSH Event handle
258 16 28543 0 0.00% 0.00% 0.00% 0 Secure Login
259 84 54 1555 0.00% 0.00% 0.00% 0 Tunnel Security
260 56 67 835 0.00% 0.00% 0.00% 0 Crypto SS Proces
261 0 1 0 0.00% 0.00% 0.00% 0 cpf_process_tpQ
262 0 1 0 0.00% 0.00% 0.00% 0 TCP Listener
263 0 2 0 0.00% 0.00% 0.00% 0 IP Flow Top Talk
264 1180 3338804 0 0.00% 0.00% 0.00% 0 IP NAT Ager
265 0 1 0 0.00% 0.00% 0.00% 0 IP NAT WLAN
266 24 28563 0 0.00% 0.00% 0.00% 0 IP SLAs Event Pr
267 434504 1489526 291 0.00% 0.00% 0.00% 0 IP SNMP
268 170304 877961 193 0.00% 0.00% 0.00% 0 PDU DISPATCHER
269 495704 877992 564 0.00% 0.00% 0.00% 0 SNMP ENGINE
270 0 2 0 0.00% 0.00% 0.00% 0 IP SNMPV6
271 0 1 0 0.00% 0.00% 0.00% 0 SNMP ConfCopyPro
272 0 1 0 0.00% 0.00% 0.00% 0 SNMP Traps
273 1185420 1715196 691 0.00% 0.00% 0.00% 0 NTP
274 412 29 14206 0.00% 0.00% 0.00% 0 VTEMPLATE Backgr
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
275 18608 174262 106 0.00% 0.00% 0.00% 0 BGP Router
276 36 27171 1 0.00% 0.00% 0.00% 0 DFS flush period
277 8 12 666 0.00% 0.00% 0.00% 0 Collection proce
278 16 651 24 0.00% 0.00% 0.00% 0 CRYPTO IKMP IPC
279 1724 850 2028 0.00% 0.00% 0.00% 2 SSH Process
281 0 1 0 0.00% 0.00% 0.00% 0 Skinny MOH Event
282 64 173856 0 0.00% 0.00% 0.00% 0 Skinny Socket Se
283 0 1451 0 0.00% 0.00% 0.00% 0 Web Write Housek
==============================================================
wish to help ASAPJosephDoherty wrote:DisclaimerThe Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.Liability DisclaimerIn no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.PostingThe fact you are matching with any ACLs, will decrease maximum performance.The fact you are using a policy-may, will decrease maximum performance.The fact is a -G2 only has finite capacity.In other words, what you're seeing might be completely normal for your traffic volume, your traffic composition and your configuration.If you believe your router is overloaded, and generally above 75% CPU might be so considered, either you'll need a faster device (see ASR 1Ks), or you might try changing your configuration to decrease your configuration load on the router.What's your CPU load if your remove the policy-map from the interface?If removing the policy-map from the interface shows a significant CPU loading decrease - QED.If you need/desire such QoS, then you'll want a "faster" router.You might be also able to decrease your CPU a little by some "tuning". I already mention the TurboACL feature statement. With ACLs, fewer are faster, and how they ordered (especially without TurboACL) impacts CPU. How you order you class-maps, within a policy, and how the match statements are ordered will also have some impact on the CPU load. If buffers are being allocated/deallocated, that too will impact CPU loading. I assume CEF is enabled, but for some traffic, flow caching might decrease CPU load.Remember a software based router, like the 7200s, are, more or less, a computer that takes your configuration and determines what's to be done with every packet it "sees". The more your configuration requires for per packet analysis, the more load for each packet.There are whitepapers addressing high CPU load caused by "process switching", but what you posted appears to be mostly all interrupt processing, which is "fast path", or optimal, packet forwarding. There's not much you can normally do to improve against that, other than insuring your configuration is as optimal as possible for your needs (again, things like sequencing/ordering of statements).
hi ,
thanks very very much for this nice information,
let me answer you :
you said that NPE G2 has finite capacity , but how to know this full capacity ???
i mean that my policy map is matching the traffic , but the matched traffic is not being enhancemend ??!!!
last about two weeks , the matched traffic of youtube was excellent and no interrupt durting the my rush hour.
i didnt change any thing, but my bw increased from 730 Mbps to 760Mbps ,
im un able to make sure that i need to chnage my platform to faster one.
agian
my cpu is 60 % without QOS
after QOS it increase to 80-85 %
agian ,
about NBAR
i want to tell you that i cant depend on NBAR , as an example , im matching the ips of videos of facebook , i cant depend on NBAR because it is https videos.
but in summary ,
my qos is matching well , but i have no real enhancement for my traffic.
did you face my issue before ???
i mean have you see like my problem ?
like my router platform with cpu over 80 % and 750Mbps , and matched qos without good result ??
note that i upgraded to iso 15 , but seems same issue !!!
regards -
Cisco ASA 8.3(1) with VPN Client and IP Communicator - one way communication
Hi Community.
I have a strange problem with my setup and I'm pretty sure it's either some type of routing (or NAT) or just a missing rule allowing the traffic. But I'm now at a point where I'd like to request your help.
I have some remote access users who have the Cisco IP Communicator (CIPC) installed on their notebooks. So:
VPN user with CIPC <> ASA Firewall <> Voice Router <> CCM <> IP Phone
The VPN works fine for any other traffic. Also the basic connection for the IP Communicator works fine. It get's connected to the CallManager, is shown as registered and you even can call an internal phone and also external phones. BUT: while you can hear the called party (so the internal phone) it doesn't work for the other way. There is no sound coming from the remote/caller.
I already figured out that it's also not possible to ping from the VPN phone to the internal IP Phone subnet. While the VPN user can ping any other device in the internal network, he can't do it to the Cisco IP Phones. But if the VPN phone calls a none-internal phone (mobiles...) - it works!
My thought is that the call can't be build up correctly between the VPN phone and the internal phone.
I found similiar situations with google but they are all for the other way around: call to internal works, but not to VPN.
What do you think?Hi,
Typically ASA lists specific networks to the VPN Client when Split Tunnel is used.
This would mean that there is a Split Tunnel ACL used in the ASA configurations for this VPN connection which needs to have the missing network added for the traffic to be tunneled to the VPN connection.
- Jouni -
Issues with mobility and autodiscovery with Lync 2013 and IIS/ARR
Hi all,
this is my last resort after days and days searching a solution for this problem... unsuccessfully.
All works fine unless the autodiscovery service with external users and the mobility service for both internal and external ones.
I deployed a Standard Edition Lync Server 2013 with:
a consolidated Frontend server in LAN
an Archiving and Monitoring server in LAN
an Edge server in DMZ with 2 NICs (one in DMZ network and one in LAN)
a IIS/ARR 2.5 reverse proxy in DMZ with 2 NICs (one in DMZ network and one in LAN)
All these roles are on Windows Server 2012 R2.
No split-DNS is deployed since I have different domains for internal and external. In any case I used the pinpoint DNS tip to resolve some records internally (I followed this guide http://tsoorad.blogspot.ch/2012/10/lync-server-dns-pinpoint-zones.html)
Here DNS records into internal domain:
A-record for meet.domain-ext.com points to Frontend server local IP
A-record for dialin.domain-ext.com points to Frontend server local IP
A-record for lyncdiscoverinternal.domain-ext.com points to Frontend server IP
A-record for lyncwebexternal.domain-ext.com points to Frontend sever local IP
A-record for autodiscover.domain-ext.com points to Exchange server local IP
Here DNS records into external domain:
CNAME-record for lyncdiscover.domain-ext.com points to lyncwebexternal.domain-ext.com
CNAME-record for sipexternal.domain-ext.com points to lyncwebexternal.domain-ext.com
A-record for meet.domain-ext.com points to Reverse Proxy public IP
A-record for dialin.domain-ext.com points to Reverse Proxy public IP
A-record for lyncwebexternal.domain-ext.com points to Reverse Proxy public IP
I installed and configured IIS/ARR 2.5 with KB2732764 and KB2785586 on Reverse Proxy following the NextHop guide. The local IP address of external NIC on Reverse Proxy is NATTED by a Cisco ASA firewall with public IP address and only 80/443
ports are permitted.
The problems occurs when I try to connect whit my Lync 2013 APP on iPad using autodiscovery service, both internally and externally. After some seconds the APP shows the message “Cannot connect to the server because it could be busy or
temporarily unavailable. Retry.” When I used the IIS/ARR 3.0 the problem looked like an authentication issue, then I came back to ISS/ARR 2.5 version with its KB. Now I cannot understand what is the cause about logfail.
The same behavior occurs with Android Lync 2013 APP and Windows Phone 8 APP.
Moreover my Lync 2013 client on Windows 7 can connect internally with autodiscovery settings but it cannot do it externally.
I'm a bit confused because I cannot understand if the problem is about external webservice of Frontend server or about Reverse Proxy configuration or about Lync Control Panel configuration.
Here is an extracted of iPad Lync 2013 log (sorry if it’s a bit long).
Any helps are very appreciated, thansk a lot!
</SentRequest>
2013-12-20
11:33:00.781 Lync[563:3a71018c] INFO APPLICATION
CUrlRedirectAndTrustResolver.cpp/201:CUrlRedirectAndTrustResolver::processUrl
called with url = http://lyncdiscover.domain-ext.com/, hopCount = 0, maxHops =
10
2013-12-20
11:33:00.781 Lync[563:6d00000] INFO UTILITIES
CHttpStreamPool.cpp/409:Allocating stream 0x11cbe40 for url -
https://lyncdiscover.domain-ext.com/ with persistent id as 6
2013-12-20
11:33:00.782 Lync[563:3a71018c] INFO TRANSPORT CTransportThread.cpp/131:Added
Request(UcwaAutoDiscoveryRequest) to Request Processor queue
2013-12-20
11:33:00.782 Lync[563:6d00000] VERBOSE TRANSPORT
CHttpProxyHelper.cpp/436:CHttpProxyHelper::discoverProxy : No proxy found for
url https://lyncdiscover.domain-ext.com/?sipuri=sip:[email protected].
Sending over direct connection.
2013-12-20
11:33:00.782 Lync[563:3a71018c] INFO APPLICATION
CTransportRequestRetrialQueue.cpp/385:Submitting new req.
UrlTrustResolver(0x1201358)
2013-12-20
11:33:00.782 Lync[563:3a71018c] INFO APPLICATION
CUcwaAutoDiscoveryService.cpp/1783:Successfully started the GetUserUrlOperation
request for http://lyncdiscover.domain-ext.com/?sipuri=sip:[email protected]
2013-12-20
11:33:00.796 Lync[563:6d00000] INFO TRANSPORT CTransportThread.cpp/343:Sent
Request(UcwaAutoDiscoveryRequest) to Request Processor
2013-12-20
11:33:00.796 Lync[563:6d00000] WARNING TRANSPORT
CCredentialManager.cpp/317:CCredentialManager::getSpecificCredential returning
NULL credential for serviceId (4) type (1)!
2013-12-20
11:33:00.797 Lync[563:6d00000] INFO TRANSPORT
TransportUtilityFunctions.cpp/631:<SentRequest>
GET
http://lyncdiscover.domain-ext.com/
Request Id:
0x1201358
HttpHeader:Accept
application/vnd.microsoft.rtc.autodiscover+xml;v=1
</SentRequest>
2013-12-20
11:33:00.797 Lync[563:6d00000] INFO UTILITIES
CHttpStreamPool.cpp/409:Allocating stream 0x12028f0 for url -
http://lyncdiscover.domain-ext.com/ with persistent id as 7
2013-12-20
11:33:00.798 Lync[563:6d00000] VERBOSE TRANSPORT
CHttpProxyHelper.cpp/436:CHttpProxyHelper::discoverProxy : No proxy found for
url http://lyncdiscover.domain-ext.com/. Sending over direct connection.
2013-12-20
11:33:00.798 Lync[563:6d00000] INFO TRANSPORT CHttpStreamPool.cpp/556:Not
setting TLS as the url(http://lyncdiscover.domain-ext.com/) is not https
2013-12-20
11:33:00.812 Lync[563:3a71018c] INFO UI CMConversationCommon.mm/43:not signed
in
2013-12-20
11:33:00.812 Lync[563:3a71018c] INFO UI CMConversationCommon.mm/43:not signed
in
2013-12-20
11:33:00.812 Lync[563:3a71018c] INFO UI CMConversationCommon.mm/43:not signed
in
2013-12-20
11:33:00.813 Lync[563:3a71018c] INFO UI CMConversationCommon.mm/43:not signed
in
2013-12-20
11:33:00.813 Lync[563:3a71018c] INFO UI CMConversationCommon.mm/43:not signed
in
2013-12-20
11:33:04.104 Lync[563:6d00000] INFO UTILITIES CHttpConnection.cpp/577:Received
kCFStreamEventEndEncountered (UcwaAutoDiscoveryRequest)isHeadersAvailable =
true responseHeadersHandle = 12c5d70
2013-12-20
11:33:04.105 Lync[563:6d00000] INFO UTILITIES CHttpConnection.cpp/628:Response
status = 200 for request UcwaAutoDiscoveryRequest
2013-12-20
11:33:04.105 Lync[563:6d00000] INFO UTILITIES
CHttpStreamPool.cpp/455:Scheduling stream 0x12028f0 for release.
2013-12-20
11:33:04.105 Lync[563:6d00000] INFO TRANSPORT
CHttpRequestProcessor.cpp/173:Received response of
request(UcwaAutoDiscoveryRequest) with status = 0x0
2013-12-20
11:33:04.106 Lync[563:6d00000] INFO TRANSPORT
TransportUtilityFunctions.cpp/925:<ReceivedResponse>
GET
http://lyncdiscover.domain-ext.com/
Request Id:
0x1201358
HttpHeader:Cache-Control
no-cache
HttpHeader:Content-Length
1076
HttpHeader:Content-Type
application/vnd.microsoft.rtc.autodiscover+xml; v=1
HttpHeader:Date
Fri, 20 Dec 2013 10:33:02 GMT
HttpHeader:Expires
-1
HttpHeader:Pragma
no-cache
HttpHeader:Server
Microsoft-IIS/8.5
HttpHeader:StatusCode
200
HttpHeader:X-AspNet-Version
4.0.30319
HttpHeader:X-Content-Type-Options
nosniff
HttpHeader:X-MS-Server-Fqdn
frontend-lync.domain-int.com
HttpHeader:X-Powered-By
ASP.NET, ARR/2.5
Ôªø<?xml
version="1.0" encoding="utf-8"?><AutodiscoverResponse
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
AccessLocation="Internal"><Root><Link
token="Domain" href="https://frontend-lync.domain-int.com/Autodiscover/AutodiscoverService.svc/root/domain?originalDomain=domain-ext.com"
/><Link token="User" href="https://frontend-lync.domain-int.com/Autodiscover/AutodiscoverService.svc/root/user?originalDomain=domain-ext.com"
/><Link token="Self" href="https://frontend-lync.domain-int.com/Autodiscover/AutodiscoverService.svc/root?originalDomain=domain-ext.com"
/><Link token="OAuth" href="https://frontend-lync.domain-int.com/Autodiscover/AutodiscoverService.svc/root/oauth/user?originalDomain=domain-ext.com"
/><Link token="External/XFrame"
href="https://lyncwebexternal.domain-ext.com/Autodiscover/XFrame/XFrame.html"
/><Link token="Internal/XFrame" href="https://frontend-lync.domain-int.com/Autodiscover/XFrame/XFrame.html"
/><Link token="XFrame" href="https://lyncwebexternal.domain-ext.com/Autodiscover/XFrame/XFrame.html"
/></Root></AutodiscoverResponse>
</ReceivedResponse>
2013-12-20
11:33:04.108 Lync[563:6d00000] INFO TRANSPORT
CUcwaAutoDiscoveryResponse.cpp/112:location value is internal
2013-12-20
11:33:04.108 Lync[563:6d00000] INFO TRANSPORT
CUcwaAutoDiscoveryResponse.cpp/195:User url is https://frontend-lync.domain-int.com/autodiscover/autodiscoverservice.svc/root/user?originaldomain=domain-ext.com
2013-12-20
11:33:04.109 Lync[563:6d00000] INFO TRANSPORT
CHttpRequestProcessor.cpp/266:Sending event to main thread for
request(0x1201358)
2013-12-20
11:33:04.109 Lync[563:3a71018c] INFO APPLICATION
CTransportRequestRetrialQueue.cpp/822:Req. completed, Stopping timer.
2013-12-20
11:33:04.109 Lync[563:3a71018c] INFO APPLICATION
CUrlRedirectAndTrustResolver.cpp/610:UrlRedirectAndTrustResolver complete with
url = http://lyncdiscover.domain-ext.com/, Hops = 1, status = S_OK (S0-0-0)
2013-12-20
11:33:04.109 Lync[563:3a71018c] INFO APPLICATION
CTransportRequestRetrialQueue.cpp/725:Response received for req.
UrlTrustResolver(0x1201358): S_OK (S0-0-0) (Success); Done with req.; Stopping
resend timer
2013-12-20
11:33:04.110 Lync[563:3a71018c] INFO APPLICATION
CUcwaAutoDiscoveryGetUserUrlOperation.cpp/393:CUcwaAutoDiscoverGetUserUrlOperation::onEvent
received. Status = S_OK (S0-0-0), url =
http://lyncdiscover.domain-ext.com/
2013-12-20
11:33:04.110 Lync[563:3a71018c] INFO APPLICATION
CUcwaAutoDiscoveryGetUserUrlOperation.cpp/449:Received a root response
2013-12-20
11:33:04.110 Lync[563:3a71018c] INFO APPLICATION
CUcwaAutoDiscoveryGetUserUrlOperation.cpp/456:Running trust check on user url.
url = https://frontend-lync.domain-int.com/autodiscover/autodiscoverservice.svc/root/user?originaldomain=domain-ext.com
2013-12-20
11:33:04.110 Lync[563:3a71018c] INFO APPLICATION
CUrlRedirectAndTrustResolver.cpp/77:Starting CUrlRedirectAndTrustResolver with
url = https://frontend-lync.domain-int.com/autodiscover/autodiscoverservice.svc/root/user?originaldomain=domain-ext.com,
maxHops = 1
2013-12-20
11:33:04.110 Lync[563:3a71018c] INFO APPLICATION
CUrlRedirectAndTrustResolver.cpp/201:CUrlRedirectAndTrustResolver::processUrl
called with url = https://frontend-lync.domain-int.com/autodiscover/autodiscoverservice.svc/root/user,
hopCount = 0, maxHops = 1
2013-12-20
11:33:04.111 Lync[563:3a71018c] INFO TRANSPORT CTransportThread.cpp/131:Added
Request(UcwaAutoDiscoveryRequest) to Request Processor queue
2013-12-20
11:33:04.111 Lync[563:3a71018c] INFO APPLICATION
CTransportRequestRetrialQueue.cpp/385:Submitting new req.
UrlTrustResolver(0x11d4d38)
2013-12-20
11:33:04.111 Lync[563:6d00000] INFO TRANSPORT CTransportThread.cpp/343:Sent
Request(UcwaAutoDiscoveryRequest) to Request Processor
2013-12-20
11:33:04.111 Lync[563:6d00000] WARNING TRANSPORT
CCredentialManager.cpp/317:CCredentialManager::getSpecificCredential returning
NULL credential for serviceId (4) type (1)!
2013-12-20
11:33:04.112 Lync[563:6d00000] INFO TRANSPORT
TransportUtilityFunctions.cpp/631:<SentRequest>
GET
https://frontend-lync.domain-int.com/autodiscover/autodiscoverservice.svc/root/user
Request Id:
0x11d4d38
HttpHeader:Accept
application/vnd.microsoft.rtc.autodiscover+xml;v=1
</SentRequest>
2013-12-20
11:33:04.112 Lync[563:6d00000] INFO UTILITIES
CHttpStreamPool.cpp/409:Allocating stream 0x125fa90 for url - https://frontend-lync.domain-int.com/autodiscover/autodiscoverservice.svc/root/user
with persistent id as 7
2013-12-20
11:33:04.112 Lync[563:6d00000] VERBOSE TRANSPORT
CHttpProxyHelper.cpp/436:CHttpProxyHelper::discoverProxy : No proxy found for
url https://frontend-lync.domain-int.com/autodiscover/autodiscoverservice.svc/root/user.
Sending over direct connection.
2013-12-20
11:33:04.113 Lync[563:6d00000] INFO UTILITIES CHttpStreamPool.cpp/609:Releasing
stream 0x12028f0.
2013-12-20
11:33:04.261 Lync[563:6d00000] INFO UTILITIES CHttpConnection.cpp/577:Received
kCFStreamEventEndEncountered (UcwaAutoDiscoveryRequest)isHeadersAvailable =
true responseHeadersHandle = 11cfbd0
2013-12-20
11:33:04.262 Lync[563:6d00000] INFO UTILITIES CHttpConnection.cpp/628:Response
status = 200 for request UcwaAutoDiscoveryRequest
2013-12-20
11:33:04.262 Lync[563:6d00000] INFO UTILITIES
CHttpStreamPool.cpp/455:Scheduling stream 0x11cbe40 for release.
2013-12-20
11:33:04.263 Lync[563:6d00000] INFO TRANSPORT
CHttpRequestProcessor.cpp/173:Received response of
request(UcwaAutoDiscoveryRequest) with status = 0x0
2013-12-20
11:33:04.263 Lync[563:6d00000] INFO TRANSPORT
TransportUtilityFunctions.cpp/925:<ReceivedResponse>
GET
https://lyncdiscover.domain-ext.com/?sipuri=sip:[email protected]
Request Id:
0x12450d8
HttpHeader:Cache-Control
no-cache
HttpHeader:Content-Length
1076
HttpHeader:Content-Type
application/vnd.microsoft.rtc.autodiscover+xml; v=1
HttpHeader:Date
Fri, 20 Dec 2013 10:33:02 GMT
HttpHeader:Expires
-1
HttpHeader:Pragma
no-cache
HttpHeader:Server
Microsoft-IIS/8.5
HttpHeader:StatusCode
200
HttpHeader:X-AspNet-Version
4.0.30319
HttpHeader:X-Content-Type-Options
nosniff
HttpHeader:X-MS-Server-Fqdn
frontend-lync.domain-int.com
HttpHeader:X-Powered-By
ASP.NET, ARR/2.5
Ôªø<?xml
version="1.0" encoding="utf-8"?><AutodiscoverResponse
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
AccessLocation="Internal"><Root><Link
token="Domain" href="https://frontend-lync.domain-int.com/Autodiscover/AutodiscoverService.svc/root/domain?originalDomain=domain-ext.com"
/><Link token="User" href="https://frontend-lync.domain-int.com/Autodiscover/AutodiscoverService.svc/root/user?originalDomain=domain-ext.com"
/><Link token="Self" href="https://frontend-lync.domain-int.com/Autodiscover/AutodiscoverService.svc/root?originalDomain=domain-ext.com"
/><Link token="OAuth" href="https://frontend-lync.domain-int.com/Autodiscover/AutodiscoverService.svc/root/oauth/user?originalDomain=domain-ext.com"
/><Link token="External/XFrame"
href="https://lyncwebexternal.domain-ext.com/Autodiscover/XFrame/XFrame.html"
/><Link token="Internal/XFrame" href="https://frontend-lync.domain-int.com/Autodiscover/XFrame/XFrame.html"
/><Link token="XFrame" href="https://lyncwebexternal.domain-ext.com/Autodiscover/XFrame/XFrame.html"
/></Root></AutodiscoverResponse>
</ReceivedResponse>
2013-12-20
11:33:04.264 Lync[563:6d00000] INFO TRANSPORT
CUcwaAutoDiscoveryResponse.cpp/112:location value is internal
2013-12-20
11:33:04.265 Lync[563:6d00000] INFO TRANSPORT
CUcwaAutoDiscoveryResponse.cpp/195:User url is https://frontend-lync.domain-int.com/autodiscover/autodiscoverservice.svc/root/user?originaldomain=domain-ext.com
2013-12-20
11:33:04.265 Lync[563:6d00000] INFO TRANSPORT
CHttpRequestProcessor.cpp/266:Sending event to main thread for
request(0x12450d8)
2013-12-20
11:33:04.266 Lync[563:3a71018c] INFO APPLICATION CTransportRequestRetrialQueue.cpp/822:Req.
completed, Stopping timer.
2013-12-20
11:33:04.266 Lync[563:3a71018c] INFO APPLICATION
CUcwaAutoDiscoveryGetUserUrlOperation.cpp/290:Received a root response
2013-12-20
11:33:04.266 Lync[563:3a71018c] INFO APPLICATION CUcwaAutoDiscoveryGetUserUrlOperation.cpp/224:UcwaAutoDiscoveryGetUserUrlOperation
completed with url = https://lyncdiscover.domain-ext.com/?sipuri=sip:[email protected],
userUrl = https://frontend-lync.domain-int.com/autodiscover/autodiscoverservice.svc/root/user?originaldomain=domain-ext.com,
status = S_OK (S0-0-0)
2013-12-20
11:33:04.266 Lync[563:3a71018c] INFO APPLICATION
CTransportRequestRetrialQueue.cpp/725:Response received for req.
GET-UnAuthenticatedGet(0x12450d8): S_OK (S0-0-0) (Success); Done with req.; Stopping
resend timer
2013-12-20
11:33:04.267 Lync[563:3a71018c] INFO APPLICATION
CTransportRequestRetrialQueue.cpp/399:Cancelling all requests
2013-12-20
11:33:04.267 Lync[563:3a71018c] INFO APPLICATION
CTransportRequestRetrialQueue.cpp/409:Cancelling request: 0x11d4d38
2013-12-20
11:33:04.267 Lync[563:3a71018c] INFO TRANSPORT CSessionBase.hxx/158:Cancelling
request: 0x11d4d38
2013-12-20
11:33:04.267 Lync[563:3a71018c] INFO TRANSPORT CTransportThread.cpp/163:Added
Request(UcwaAutoDiscoveryRequest) to Request Processor queue
2013-12-20
11:33:04.267 Lync[563:3a71018c] INFO APPLICATION
CUrlRedirectAndTrustResolver.cpp/610:UrlRedirectAndTrustResolver complete with
url = https://frontend-lync.domain-int.com/autodiscover/autodiscoverservice.svc/root/user,
Hops = 1, status = W_Cancelled (W0-0-6)
2013-12-20
11:33:04.267 Lync[563:3a71018c] INFO APPLICATION
CUcwaAutoDiscoveryGetUserUrlOperation.cpp/224:UcwaAutoDiscoveryGetUserUrlOperation
completed with url = http://lyncdiscover.domain-ext.com/?sipuri=sip:[email protected],
userUrl = , status = W_Cancelled (W0-0-6)
2013-12-20
11:33:04.268 Lync[563:6d00000] INFO TRANSPORT CTransportThread.cpp/343:Sent
Request(UcwaAutoDiscoveryRequest) to Request Processor
2013-12-20
11:33:04.268 Lync[563:3a71018c] INFO TRANSPORT CCredentialManager.cpp/176:getSpecificCredential
for serviceId(1) returning: credType (1) signInName ([email protected])
domain () username (mattia.spagnoli) password.empty() (0) certificate.isValid()
(0) privateKey.empty() (1) compatibleServiceIds(1)
2013-12-20
11:33:04.268 Lync[563:3a71018c] INFO TRANSPORT
CMetaDataManager.cpp/403:Received a request to get the meta data of type 0 for
url https://frontend-lync.domain-int.com/autodiscover/autodiscoverservice.svc/root/user?originaldomain=domain-ext.com
2013-12-20
11:33:04.269 Lync[563:3a71018c] INFO TRANSPORT CMetaDataManager.cpp/467:Sending
Unauthenticated get to get the web-ticket url
2013-12-20
11:33:04.269 Lync[563:3a71018c] INFO TRANSPORT CTransportThread.cpp/131:Added
Request() to Request Processor queue
2013-12-20
11:33:04.269 Lync[563:3a71018c] INFO TRANSPORT
CAuthenticationResolver.cpp/109:Waiting on Meta Data from https://frontend-lync.domain-int.com/autodiscover/autodiscoverservice.svc/root/user?originaldomain=domain-ext.com
2013-12-20
11:33:04.269 Lync[563:62d4000] INFO TRANSPORT CTransportThread.cpp/343:Sent
Request() to Request Processor
2013-12-20
11:33:04.270 Lync[563:3a71018c] INFO APPLICATION
CTransportRequestRetrialQueue.cpp/385:Submitting new req.
GET-AuthenticatedUserGetRequest(0x1201ab8)
2013-12-20
11:33:04.270 Lync[563:62d4000] WARNING TRANSPORT
CCredentialManager.cpp/317:CCredentialManager::getSpecificCredential returning
NULL credential for serviceId (4) type (1)!
2013-12-20
11:33:04.270 Lync[563:3a71018c] INFO APPLICATION
CUcwaAutoDiscoveryService.cpp/1189:Submitting Authenticated AutoDiscovery
request to https://frontend-lync.domain-int.com/autodiscover/autodiscoverservice.svc/root/user?originaldomain=domain-ext.com
2013-12-20
11:33:04.270 Lync[563:6d00000] INFO UTILITIES
CHttpStreamPool.cpp/455:Scheduling stream 0x125fa90 for release.
2013-12-20
11:33:04.271 Lync[563:62d4000] INFO TRANSPORT
TransportUtilityFunctions.cpp/631:<SentRequest>
GET
https://frontend-lync.domain-int.com/autodiscover/autodiscoverservice.svc/root/user?originaldomain=domain-ext.com
Request Id:
0x1206198
HttpHeader:Accept
HttpHeader:X-MS-WebTicket
xxxxxxxxxx
</SentRequest>
2013-12-20
11:33:04.271 Lync[563:3a71018c] INFO APPLICATION
CUcwaAutoDiscoveryService.cpp/1662:Ignoring GetUserUrlOperation event as
current state is 6
2013-12-20
11:33:04.271 Lync[563:62d4000] INFO UTILITIES
CHttpStreamPool.cpp/409:Allocating stream 0x11c0a40 for url - https://frontend-lync.domain-int.com/autodiscover/autodiscoverservice.svc/root/user
with persistent id as 15
2013-12-20
11:33:04.271 Lync[563:3a71018c] INFO APPLICATION CUcwaAutoDiscoveryService.cpp/1664:Request
url was http://lyncdiscover.domain-ext.com/?sipuri=sip:[email protected]
2013-12-20
11:33:04.272 Lync[563:62d4000] VERBOSE TRANSPORT
CHttpProxyHelper.cpp/436:CHttpProxyHelper::discoverProxy : No proxy found for
url https://frontend-lync.domain-int.com/autodiscover/autodiscoverservice.svc/root/user?originaldomain=domain-ext.com.
Sending over direct connection.
2013-12-20
11:33:20.621 Lync[563:3a71018c] INFO UTILITIES
CNetworkMonitor.cpp/217:Reachabilility Flags IsWWAN(0):Reachable(0):TransientConnection(0):ConnectionRequired(0):ConnectionOnTraffic(0):InterventionRequired(0):ConnectionOnDemand(0):IsLocalAddress(0):IsDirect(0)
2013-12-20
11:33:20.623 Lync[563:3a71018c] INFO UTILITIES CNetworkMonitor.cpp/186:Updated
networkAvailableToConnect(CellularDataNetwork) -> NoNetwork,
isInAirplaneMode(0) -> 1
2013-12-20
11:33:20.623 Lync[563:3a71018c] INFO APPLICATION
CUcmpConversationsManager.cpp/4091:CUcmpConversationsManager::canDoVideoBasedOnNetworkAndPolicy
returns false because RequestWiFiForAudio or RequestWifiForVideo is true and
current network : is not WiFi
2013-12-20
11:33:20.623 Lync[563:3a71018c] INFO APPLICATION
CUcmpConversationsManager.cpp/1672:CUcmpConversationsManager::queryCapability
on StartP2PVideoCall returns false because
canDoVideoBasedOnNetworkAndPolicy
returned false
2013-12-20
11:33:20.904 Lync[563:3a71018c] INFO UTILITIES
CNetworkMonitor.cpp/217:Reachabilility Flags
IsWWAN(1):Reachable(1):TransientConnection(1):ConnectionRequired(0):ConnectionOnTraffic(0):InterventionRequired(0):ConnectionOnDemand(0):IsLocalAddress(1):IsDirect(0)
2013-12-20
11:33:20.905 Lync[563:3a71018c] INFO UTILITIES CNetworkMonitor.cpp/186:Updated
networkAvailableToConnect(NoNetwork) -> CellularDataNetwork,
isInAirplaneMode(1) -> 0
2013-12-20
11:33:20.905 Lync[563:3a71018c] INFO TRANSPORT CEventChannelManager.cpp/826:Received
network monitor event so restarting event channel.
2013-12-20
11:33:20.906 Lync[563:3a71018c] INFO TRANSPORT
CEventChannelManager.cpp/520:Moving the event channel aggressive mode.
2013-12-20
11:33:20.906 Lync[563:3a71018c] INFO APPLICATION
CUcmpConversationsManager.cpp/4091:CUcmpConversationsManager::canDoVideoBasedOnNetworkAndPolicy
returns false because RequestWiFiForAudio or RequestWifiForVideo is true and
current network : is not WiFi
2013-12-20
11:33:20.906 Lync[563:3a71018c] INFO APPLICATION
CUcmpConversationsManager.cpp/1672:CUcmpConversationsManager::queryCapability
on StartP2PVideoCall returns false because
canDoVideoBasedOnNetworkAndPolicy
returned false
2013-12-20
11:33:20.906 Lync[563:3a71018c] INFO APPLICATION CUcwaAutoDiscoveryService.cpp/2070:adIsEnabled
= 1, sipUri = sip:[email protected], m_internalADUrlInput =
m_externalADUrlInput =
2013-12-20
11:33:20.906 Lync[563:3a71018c] INFO APPLICATION
CUcwaAutoDiscoveryService.cpp/255:Discovery is in progress and process state is
6Ignoring request to start network discovery
2013-12-20
11:34:04.274 Lync[563:62d4000] INFO UTILITIES
CHttpStreamPool.cpp/455:Scheduling stream 0x11c0a40 for release.
2013-12-20
11:34:04.275 Lync[563:62d4000] ERROR UTILITIES CHttpConnection.cpp/517:Connection
timedout for request (0x%u0x12d1ea0) - notifying error E_ConnectionTimeoutError
2013-12-20
11:34:04.275 Lync[563:62d4000] INFO TRANSPORT
CHttpRequestProcessor.cpp/173:Received response of request() with status =
0x22020005
2013-12-20
11:34:04.276 Lync[563:62d4000] INFO TRANSPORT
CHttpRequestProcessor.cpp/201:Request
resulted in E_ConnectionTimeoutError (E2-2-5). The retry counter is: 0
2013-12-20
11:34:04.276 Lync[563:62d4000] INFO TRANSPORT
CHttpRequestProcessor.cpp/266:Sending event to main thread for
request(0x1206198)
2013-12-20
11:34:04.277 Lync[563:3a71018c] INFO TRANSPORT
CMetaDataManager.cpp/581:Received response for meta data request of type 60
with status 570556421
2013-12-20
11:34:04.277 Lync[563:3a71018c] ERROR TRANSPORT CMetaDataManager.cpp/597:Unable
to get a response to an unauthenticated get to url https://frontend-lync.domain-int.com/autodiscover/autodiscoverservice.svc/root/user?originaldomain=domain-ext.com
2013-12-20
11:34:04.278 Lync[563:3a71018c] INFO TRANSPORT CAuthenticationResolver.cpp/210:MetaData
retrieval for url https://frontend-lync.domain-int.com/autodiscover/autodiscoverservice.svc/root/user?originaldomain=domain-ext.com
completed with status 570556421
2013-12-20
11:34:04.278 Lync[563:3a71018c] INFO TRANSPORT CAuthenticationResolver.cpp/239:Deleting
1 pended Meta data requests for url https://frontend-lync.domain-int.com/autodiscover/autodiscoverservice.svc/root/user?originaldomain=domain-ext.com
2013-12-20
11:34:04.278 Lync[563:3a71018c] ERROR TRANSPORT CAuthenticationResolver.cpp/288:Unable
to get the meta data for server url https://frontend-lync.domain-int.com/autodiscover/autodiscoverservice.svc/root/user?originaldomain=domain-ext.com
2013-12-20
11:34:04.279 Lync[563:3a71018c] INFO TRANSPORT
CAuthenticationResolver.cpp/293:Failing request to the request manager
2013-12-20
11:34:04.279 Lync[563:3a71018c] INFO TRANSPORT CRequestManager.cpp/273:Failing
secure request UcwaAutoDiscoveryRequest with status E_ConnectionTimeoutError
(E2-2-5)
2013-12-20
11:34:04.279 Lync[563:3a71018c] INFO APPLICATION
CTransportRequestRetrialQueue.cpp/822:Req. completed, Stopping timer.
2013-12-20
11:34:04.279 Lync[563:3a71018c] INFO APPLICATION
CUcwaAutoDiscoveryService.cpp/1284:Received autodiscovery response with status
E_ConnectionTimeoutError (E2-2-5)
2013-12-20
11:34:04.279 Lync[563:3a71018c] INFO APPLICATION
CUcwaAutoDiscoveryService.cpp/1242:Raising Autodiscovery event with status
E_ConnectionTimeoutError (E2-2-5) for eventType 0
2013-12-20
11:34:04.280 Lync[563:3a71018c] INFO APPLICATION CUcwaAutoDiscoveryServiceRetrialWrapper.cpp/417:Received
event for type 0 with status E_ConnectionTimeoutError (E2-2-5)
2013-12-20
11:34:04.280 Lync[563:3a71018c] INFO APPLICATION
CUcwaAutoDiscoveryServiceRetrialWrapper.cpp/496:Raising Autodiscovery event
with status E_ConnectionTimeoutError (E2-2-5) for eventType 0
2013-12-20
11:34:04.280 Lync[563:3a71018c] ERROR APPLICATION
CUcwaAppSession.cpp/2066:Auto-discovery failed, aborting sign-in!
2013-12-20
11:34:04.280 Lync[563:3a71018c] INFO APPLICATION CUcwaAppSession.cpp/998:CUcwaAppSession::setNewActualState()
state=0
2013-12-20
11:34:04.294 Lync[563:3a71018c] INFO UTILITIES
CBasePersistableComponent.cpp/230:Storing 7 out-of-sync components took 10ms
2013-12-20
11:34:04.295 Lync[563:3a71018c] INFO UTILITIES CiOsAppStateQuery.h/147:Clearing
keep-alive timer callback
2013-12-20
11:34:04.295 Lync[563:6d00000] INFO TRANSPORT
CHttpRequestProcessor.cpp/134:Clearing request processor for component
UcwaAutoDiscoverySession on sign-out.
2013-12-20
11:34:04.295 Lync[563:62d4000] INFO TRANSPORT
CHttpRequestProcessor.cpp/134:Clearing request processor for component
MetaDataManager on sign-out.
2013-12-20
11:34:04.295 Lync[563:3a71018c] INFO APPLICATION CAlertReporter.cpp/64:Alert
received! Category 1, Type 201, level 0, error E_ConnectionTimeoutError
(E2-2-5), context '', hasAction=false
2013-12-20
11:34:04.296 Lync[563:6d00000] INFO UTILITIES CHttpStreamPool.cpp/609:Releasing
stream 0x11cbe40.
2013-12-20
11:34:04.296 Lync[563:62d4000] INFO UTILITIES CHttpStreamPool.cpp/609:Releasing
stream 0x11c0a40.
2013-12-20
11:34:04.296 Lync[563:3a71018c] INFO APPLICATION CAlertReporter.cpp/117:Alert
cleared of Category 1, Type 201, cleared 0 alerts
2013-12-20
11:34:04.297 Lync[563:3a71018c] INFO APPLICATION
CTransportRequestRetrialQueue.cpp/725:Response received for req.
GET-AuthenticatedUserGetRequest(0x1201ab8): E_ConnectionTimeoutError (E2-2-5)
(RemoteNetworkTemporaryError); Done with req.; Stopping resend timer
2013-12-20
11:34:04.298 Lync[563:3a71018c] INFO UI CMAudioUtil.mm/322:stopSound
2013-12-20
11:34:04.298 Lync[563:3a71018c] INFO UI CMAudioUtil.mm/322:stopSound
2013-12-20
11:34:04.298 Lync[563:3a71018c] INFO UI CMAudioUtil.mm/322:stopSound
2013-12-20
11:34:04.298 Lync[563:3a71018c] INFO UI CMAudioVideoToastViewController.mm/992:Cancelling
local notification
2013-12-20
11:34:04.299 Lync[563:6d00000] INFO UTILITIES CHttpStreamPool.cpp/609:Releasing
stream 0x125fa90.
2013-12-20
11:34:04.300 Lync[563:3a71018c] INFO UI CMRootViewController.mm/378:ActualState
= 0 DesiredState = 2 DataAvailable = 0
2013-12-20
11:34:04.300 Lync[563:3a71018c] INFO UI
CMDetailViewController.mm/229:ActualState = 0 DesiredState = 1 DataAvailable = 0
2013-12-20
11:34:04.300 Lync[563:3a71018c] INFO UI CMDetailViewController.mm/262:ActualState
= IsSignedOut DesiredState = BeSignedIn DataAvailable = 0 Showing UI =
CredentialTableViewController
2013-12-20
11:34:04.300 Lync[563:3a71018c] INFO UI CMConversationCommon.mm/43:not signed
in
2013-12-20
11:34:04.301 Lync[563:3a71018c] INFO UI CMConversationCommon.mm/43:not signed
in
2013-12-20
11:34:04.301 Lync[563:3a71018c] INFO UI CMConversationCommon.mm/43:not signed
in
2013-12-20
11:34:04.301 Lync[563:3a71018c] INFO UI CMConversationCommon.mm/43:not signed
in
2013-12-20
11:34:04.301 Lync[563:3a71018c] INFO UI CMConversationCommon.mm/43:not signed
in
2013-12-20
11:34:04.301 Lync[563:3a71018c] INFO UI CMNotificationManager.mm/705:desired
view is alert, size 1
2013-12-20
11:34:04.301 Lync[563:3a71018c] INFO UI CMNotificationManager.mm/745:adding the
desired view
2013-12-20
11:34:04.302 Lync[563:3a71018c] INFO UI CMNotificationManager.mm/480:reposition
floating views
2013-12-20
11:34:04.302 Lync[563:3a71018c] INFO UI CMAlertViewController.mm/110:showalert
is 1
2013-12-20
11:34:04.302 Lync[563:3a71018c] INFO UI CMAlertViewController.mm/114:showalert
is 0
2013-12-20
11:34:04.302 Lync[563:3a71018c] INFO UI CMUIUtil.mm/402:Mapping error code =
0x22020005, context = , type = 201
2013-12-20 11:34:04.303 Lync[563:3a71018c] INFO UI
CMUIUtil.mm/1680:Mapped error message is 'Non riesco a connettermi al server
perché potrebbe essere occupato o temporaneamente non disponibile. Riprova.
2013-12-20
11:34:04.304 Lync[563:3a71018c] ERROR UI
CMDismissButtonBaseViewController.mm/89:before: view height 1024.000000, width
45.000000, x 64.000000, y 0.000000
2013-12-20
11:34:04.304 Lync[563:3a71018c] INFO UI
CMNotificationManager.mm/1089:viewFrame: origin x 64.000000, origin y 0.000000,
height 1024.000000, width 45.000000
2013-12-20
11:34:04.304 Lync[563:3a71018c] INFO UI CMNotificationManager.mm/1195:resize
alert label, origin x 44.000000, origin y 2.000000, height 41.000000, width
936.000000
2013-12-20
11:34:04.305 Lync[563:3a71018c] ERROR UI CMDismissButtonBaseViewController.mm/104:after:
self.label.frame height 41.000000, width 936.000000, x 44.000000, y 2.000000
2013-12-20
11:34:04.305 Lync[563:3a71018c] INFO UI CMConversationCommon.mm/43:not signed
in
2013-12-20
11:34:04.305 Lync[563:3a71018c] INFO UI CMConversationCommon.mm/43:not signed
in
2013-12-20
11:34:04.305 Lync[563:3a71018c] INFO UI CMConversationCommon.mm/43:not signed
in
2013-12-20
11:34:04.305 Lync[563:3a71018c] INFO UI CMConversationCommon.mm/43:not signed
in
2013-12-20
11:34:04.305 Lync[563:3a71018c] INFO UI CMConversationCommon.mm/43:not signed
in
2013-12-20
11:34:04.306 Lync[563:3a71018c] INFO UI CMNotificationManager.mm/705:desired
view is alert, size 1
2013-12-20
11:34:04.306 Lync[563:3a71018c] INFO UI CMNotificationManager.mm/718:desired
view is same as the current view
2013-12-20
11:34:04.306 Lync[563:3a71018c] INFO UI CMNotificationManager.mm/480:reposition
floating views
2013-12-20
11:34:04.306 Lync[563:3a71018c] INFO UI CMAlertViewController.mm/110:showalert
is 0
2013-12-20
11:34:04.306 Lync[563:3a71018c] ERROR UI
CMDismissButtonBaseViewController.mm/89:before: view height 1024.000000, width
45.000000, x 64.000000, y 0.000000
2013-12-20
11:34:04.307 Lync[563:3a71018c] INFO UI
CMNotificationManager.mm/1089:viewFrame: origin x 64.000000, origin y 0.000000,
height 1024.000000, width 45.000000
2013-12-20
11:34:04.307 Lync[563:3a71018c] INFO UI CMNotificationManager.mm/1195:resize
alert label, origin x 44.000000, origin y 2.000000, height 41.000000, width
936.000000
2013-12-20
11:34:04.307 Lync[563:3a71018c] ERROR UI
CMDismissButtonBaseViewController.mm/104:after: self.label.frame height
41.000000, width 936.000000, x 44.000000, y 2.000000
2013-12-20
11:34:04.337 Lync[563:3a71018c] INFO UI CMConversationCommon.mm/43:not signed
in
2013-12-20
11:34:04.337 Lync[563:3a71018c] INFO UI CMConversationCommon.mm/43:not signed
in
2013-12-20
11:34:04.338 Lync[563:3a71018c] INFO UI CMConversationCommon.mm/43:not signed
in
2013-12-20
11:34:04.338 Lync[563:3a71018c] INFO UI CMConversationCommon.mm/43:not signed
in
2013-12-20
11:34:04.338 Lync[563:3a71018c] INFO UI CMConversationCommon.mm/43:not signed
in
2013-12-20
11:34:04.338 Lync[563:3a71018c] INFO UI CMNotificationManager.mm/705:desired
view is alert, size 1
2013-12-20
11:34:04.338 Lync[563:3a71018c] INFO UI CMNotificationManager.mm/718:desired
view is same as the current view
2013-12-20
11:34:04.338 Lync[563:3a71018c] INFO UI CMNotificationManager.mm/480:reposition
floating views
2013-12-20
11:34:04.339 Lync[563:3a71018c] INFO UI CMAlertViewController.mm/110:showalert is
0
2013-12-20
11:34:04.339 Lync[563:3a71018c] ERROR UI
CMDismissButtonBaseViewController.mm/89:before: view height 1024.000000, width
45.000000, x 64.000000, y 0.000000
2013-12-20
11:34:04.339 Lync[563:3a71018c] INFO UI CMNotificationManager.mm/1089:viewFrame:
origin x 64.000000, origin y 0.000000, height 1024.000000, width 45.000000
2013-12-20
11:34:04.339 Lync[563:3a71018c] INFO UI CMNotificationManager.mm/1195:resize
alert label, origin x 44.000000, origin y 2.000000, height 41.000000, width
936.000000
2013-12-20
11:34:04.339 Lync[563:3a71018c] ERROR UI
CMDismissButtonBaseViewController.mm/104:after: self.label.frame height
41.000000, width 936.000000, x 44.000000, y 2.000000
2013-12-20
11:34:04.340 Lync[563:3a71018c] INFO UI CMSplitViewController.mm/162:Details
Pane is in Full screen with controller
2013-12-20
11:34:04.340 Lync[563:3a71018c] INFO UI CMSplitViewController.mm/204:Split view
frame orientation UIInterfaceOrientationLandscapeLeft Height = 748.000000 Width
= 1024.000000 origin.x = 20.000000 origin.y = 0.000000 keyboardHeight =
0.000000
2013-12-20
11:34:04.341 Lync[563:3a71018c] INFO UI CMSplitViewController.mm/162:Details
Pane is in Full screen with controller
2013-12-20
11:34:04.341 Lync[563:3a71018c] INFO UI CMSplitViewController.mm/204:Split view
frame orientation UIInterfaceOrientationLandscapeLeft Height = 748.000000 Width
= 1024.000000 origin.x = 20.000000 origin.y = 0.000000 keyboardHeight =
0.000000
2013-12-20
11:34:04.343 Lync[563:3a71018c] INFO UI
CMToolsViewController.mm/349:ActualState = 0 DesiredState = 1 DataAvailable = 0
2013-12-20
11:34:04.344 Lync[563:3a71018c] INFO UI
CMAlertViewController.mm/93:ObservableListItem Added event received
2013-12-20
11:34:04.344 Lync[563:3a71018c] INFO UI CMAlertViewController.mm/103:showalert
is 1
2013-12-20
11:34:04.344 Lync[563:3a71018c] INFO UI CMConversationCommon.mm/43:not signed
in
2013-12-20
11:34:04.344 Lync[563:3a71018c] INFO UI CMConversationCommon.mm/43:not signed
in
2013-12-20
11:34:04.344 Lync[563:3a71018c] INFO UI CMConversationCommon.mm/43:not signed
in
2013-12-20
11:34:04.344 Lync[563:3a71018c] INFO UI CMConversationCommon.mm/43:not signed
in
2013-12-20
11:34:04.345 Lync[563:3a71018c] INFO UI CMConversationCommon.mm/43:not signed
in
2013-12-20
11:34:04.345 Lync[563:3a71018c] INFO UI CMNotificationManager.mm/705:desired
view is alert, size 1
2013-12-20
11:34:04.345 Lync[563:3a71018c] INFO UI CMNotificationManager.mm/718:desired
view is same as the current view
2013-12-20
11:34:04.345 Lync[563:3a71018c] INFO UI CMNotificationManager.mm/480:reposition
floating views
2013-12-20
11:34:04.345 Lync[563:3a71018c] INFO UI CMAlertViewController.mm/110:showalert
is 1
2013-12-20
11:34:04.345 Lync[563:3a71018c] INFO UI CMAlertViewController.mm/114:showalert
is 0
2013-12-20
11:34:04.345 Lync[563:3a71018c] INFO UI CMUIUtil.mm/402:Mapping error code =
0x22020005, context = , type = 201
2013-12-20
11:34:04.346 Lync[563:3a71018c] INFO UI CMUIUtil.mm/1680:Mapped error message
is ‘Cannot connect to the server because it could be busy or temporarily
unavailable. Retry.’Hi Kent,
thanks a lot for your reply!
I created _sip._tls.domain-ext.com SRV record in the external DNS and now autodiscovery works fine. At the beginning I had not created it because I thought lyncdiscover.domain-ext.com A record was enough for autodiscovery. I still cannot understand
why lyncdiscover.domain-ext.com points to reverse proxy, while _sip._tls.domain-ext.com points to Edge server. It's strange because both are part of the research order of Lync 2013 desktop clients.
By the way, mobility still does not work. I tried to insert bot the https URLs as manual configuration but Lync 2013 for iPad was not be able to login. I tried to paste both the URLs in the web browser and:
with https://<ExtwebFQDN>/Autodiscover/autodiscoverservice.svc/Root appears the "Root.json" file to be downloaded;
with https://<IntwebFQDN>/AutoDiscover/AutoDiscover.svc/Root
the message "500-Internal error of server" appears.
Any suggests from you about how to check the configuration of ISS/ARR 2.5?
Thanks again! -
Trouble with CCME 4 and VIC2-2FXO; IOS 12.4(9)T
Trouble with CCME 4 and VIC2-2FXO; IOS 12.4(9)T
I am having trouble making outgoing call or answering incoming call.
When I try to call out from my IP 7961 phone, it fails with the message "unknown number".
For incoming call, it rings but when I pick up the call nothing happens,
Put the receiver back on hook, the phone carries on ringing. I am in UK
and just trying to set up test system with one analogue line. Any help will
be most appreciated. My config of the 2811 router is posted below. All calls ineternally works fine.
Thank you for your help.
hostname Test-CME
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.10
ip dhcp excluded-address 10.139.139.1 10.139.139.10
ip dhcp pool host
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
option 150 ip 10.10.10.1
ip dhcp pool data
network 10.139.139.0 255.255.255.0
default-router 10.139.139.1
dns-server 10.139.139.5
voice-card 0
no dspfarm
voice service voip
allow-connections h323 to h323
allow-connections h323 to sip
allow-connections sip to h323
allow-connections sip to sip
supplementary-service h450.12
h323
sip
header-passing
registrar server expires max 3600 min 3600
interface FastEthernet0/1
no ip address
no ip mroute-cache
duplex auto
speed auto
no shut
interface FastEthernet0/1.2
description ** Data VLAN **
encapsulation dot1Q 2
ip address 10.139.139.1 255.255.255.0
interface FastEthernet0/1.3
description ** Voice VLAN **
encapsulation dot1Q 3
ip address 10.10.10.1 255.255.255.0
ip http server
ip http authentication local
no ip http secure-server
ip http path flash:
tftp-server flash:S00104000100.sbn
tftp-server flash:TERM41.7-0-3-0S.loads
tftp-server flash:term61.default.loads
tftp-server flash:term41.default.loads
tftp-server flash:CVM41.2-0-2-26.sbn
tftp-server flash:cnu41.2-7-6-26.sbn
tftp-server flash:Jar41.2-9-2-26.sbn
tftp-server flash:term70.default.loads
tftp-server flash:term71.default.loads
tftp-server flash:cnu70.2-7-6-26.sbn
tftp-server flash:Jar70.2-9-2-26.sbn
tftp-server flash:TERM70.7-0-3-0S.loads
tftp-server flash:CVM70.2-0-2-26.sbn
control-plane
voice-port 0/3/0
connection plar opx 202
caller-id enable
dial-peer voice 1 pots
incoming called-number .
destination-pattern 9T
port 0/3/0
telephony-service
load 7914 S00104000100
load 7941 TERM41.7-0-3-0S
load 7961 TERM41.7-0-3-0S
load 7970 TERM70.7-0-3-0S
max-ephones 20
max-dn 40
ip source-address 10.10.10.1 port 2000
calling-number initiator
service phone videoCapability 1
system message MKC CME
url services http://10.10.10.1/voiceview/common/login.do
url authentication
http://10.10.10.1/voiceview/authentication/authenticate.do
time-zone 21
date-format dd-mm-yy
voicemail 600
max-conferences 8 gain -6
call-forward pattern .T
call-forward system redirecting-expanded
moh music-on-hold.au
web admin system name admin secret 0 test
dn-webedit
time-webedit
transfer-system full-consult dss
transfer-pattern 9.T
secondary-dialtone 9
create cnf-files
ephone-dn 1 dual-line
number 201
label 201
description Sarah
name Sarah
ephone-dn 2 dual-line
number 202
label 202
description Vitthal
name User2 Vitthal
ephone-dn 3 dual-line
number 203 secondary
label 203
description Neil
name User3 Neil
ephone 1
video
username "user1" password 201
mac-address 0018.18EE.947F
type 7961 addon 1 7914
button 1:1
ephone 2
video
username "user2" password 202
mac-address 0018.18BB.B973
type 7941
button 1:2
ephone 3
video
username "user3" password 203
mac-address 0018.1885.6BA2
type 7970
button 1:3Hi
Please find enclosed debug attachment for voice ccapi and ephone. First, I called from outside. Extension 202 rings but when I answered on extension 202 nothing happens. Replace the rceiever and the pone starts ringing again.Second step. I tried to call out by dialing 9 and then number but after a while phone displays unknown number.
Thank you for your help.
Vitthal -
Lync Implementation with different internal and external domain sync
Hello Experts,
Having Windows 2012r2 with Lync 2013 frontend and Edge 2012 server on Win2012. Internal domain name is test.local and Internet domain name is : tgroup.com. Internally all the clients are able to sync with frontend
server using [email protected] or [email protected] Internal CA and External Digicert works fine. But only problem is with external clients who want to communicate through edge server.
Edge server has 3 LAN ip address (nat with public IP), 10.10.10.2, 10.10.10.3, 10.10.10.4 and another Internal network interface which has ip 10.10.20.3
which uses that to communicate with front-end.
How to achieve this ? We dont have reverse proxy configured and we have only two servers.
Regards, Ganesh, MCTS, MCP, ITILV2 This posting is provided with no warranties and confers no rights. Please remember to click Mark as Answer and Vote as Helpful on posts that help you. This can be beneficial to other community members reading the thread.The reverse proxy is used to publish URL's like the meet and dialin url, the address book url and the lync mobile client (smart phones and tablets) urls. This doesn't impact the external desktop user access as thats via the edge server. There is more to
it than that but for the sake of keeping this simple lets stick to that for now.
As far as SIP domains go. Think of your Lync users as having a SIP address similar to email addresses. You wouldn't have a user with an internal email address but with a different external email address. In fact best practice is to have the Lync SIP address
match the email address.
My reccomendation is to use the ttgoup.com as a sip domain and not the test.local
Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question, please click "Mark As Answer"
Lync Sorted blog
Maybe you are looking for
-
Deleting error messages in ABAP stack and JAVA stack
Hello, found some useful answers here about deleting messages which are successfully delivered! What I miss is an answer about: a) Error messages in RWB In Component monitoring -> Archiving you can plan a job to delete messages in status "successfu
-
Is timed capturing possible?
I have a number of VHS tapes that I need to digitize. Ideally, I'd like to digitize them at night after I've left my office. Is it possible in Premiere CS4 to capture a preset amount of time? Otherwise it would keep capturing long after the tape i
-
Report is going in warning r12
Hi expert, many times my users complain me all reports is going in warning. in this case i check the manager if the all manager are active and the manager's actual and target are different. i down all manager and after down all manager completely r
-
Report : Selling Drugs, Injection Glutathione,Medical Product .
Today I found this website using PayPal account to selling Medical Products.I knew that these items in their store are inhibited item for PayPal. There are plenty of products that selling are using IM or IV. Injection method. Some products are med
-
Looking for mp3 reader not flash based for my website
Hello, I am changing my website from a flash based plateform to a an html solution. Because i want iphone, itouch and ipad users to see it. My problem is that mp3 audio readers all seem to be flash based plugins. Is there some other kind of mp3 reade