Ingress command for SPAN Destination Port - 3550

Hi,
I use this command on two identical switches to enable ingress traffic on destination monitor port:
monitor session 1 destination interface fa0/37 ingress vlan 1.
This works to allow remote connect via the LAN to a portable using sniffer software on one of the switches but on the other switch the portable is using Ethereal and cannot be connected to via the LAN.
The portable using Sniffer has NIC with enhanced drivers from software developer of Sniffer; the other portable has no special drivers.
Question: what is going on with the second switch with the portable that I cannot connect to via the LAN?
Thanks in advance for the help.

ingress feature would allow the PC being used to take sniffer capture to participate in the traffic, in your case vlan 1 traffic. The issue sounds to me like an issue with the Ethereal where it might not be able to allow the NIC to do both caopturing and rx/tx regular traffic for the PC/Laptop. One thing you can do to make sure this is the case, is to swap the connection of the device with Sniffer and device with Ethereal, if the issue follows the Etereal, then that will confirm it has to do with Ethereal, you might have to tweak it. Have you tried having the Ethereal in promiscuos mode? I am not familiar with Ethereal, so you might have to paly with it.

Similar Messages

Intrusion-detection-module 7 data-port 2: Capture not allowed on a SPAN destination port

Hi all
I have 2 switches Cat6509E. each with IDSM module
I have on first switch this commands
intrusion-detection module 7 data-port 1 capture
intrusion-detection module 7 data-port 2 capture
intrusion-detection module 7 data-port 1 capture allowed-vlan 4,6,16,17,66
intrusion-detection module 7 data-port 2 capture allowed-vlan 68,70,74,134,145
And when I trying to put the same on second switch I will get this error message
Intrusion-detection-module 7 data-port 2: Capture not allowed on a SPAN destination port
What does it mean?
Output "sh monitor" is the same on both switches
Session 1
Type                   : Service Module Session
Modules allowed        : 1-9
Modules active         : 1,7
BPDUs allowed          : Yes
Session 2
Type                   : Local Session
Source VLANs           :
    Both               : 4
Destination Ports      : analysis-module 8 data-port 1
Peter

Hi Peter,
     The first switch that you mention is configured (judging from the "intrusion-detection" commands) to use the VACL capture method of sending traffic to the IDSM-2 for inspection. You can read about this method here:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_idsm2.html#wp1030828
In short, you configure a VACL to define the traffic you want to capture and apply it to the appropriate VLANs. When traffic matches the VACL, it's copied to the IDSM-2 ports that have been configured with the "intrusion-detection module 7 data-port 1 capture" commands.
On the second switch it appears that there is a monitor session setup SPANing traffic to the IDSM-2 port. This is an alternative method of sending trafic to the IDSM-2 for inspection and is mutually exclusive with the VACL method on a particular IDSM-2 interface. You can read about the SPAN method here:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_idsm2.html#wp1030816
This method, in short, simply involves configuring a SPAN session with the IDSM-2 interface as the desination.
You'll need to choose one method or the other for configuring the second switch. If you want it to match the configuration on the first switch, simply remove the monitor (SPAN) session that's currently configured.
Best Regards,
Justin

Trunk port as a destination for SPAN session

Can we make a trunk port as a destination for SPAN session? If yes, how

Of course you can. It will be configured the same as an access port:
monitor session 1 destination int g0/24
However be aware of the following:
Destination Port
Each local SPAN session destination session must have a destination port (also called a monitoring port) that receives a copy of traffic from the source port.
The destination port has these characteristics:
•It must reside on the same switch as the source port (for a local SPAN session).
•It can be any Ethernet physical port.
•It cannot be a source port or a reflector port.
•It cannot be an EtherChannel group or a VLAN.
•It can be a physical port that is assigned to an EtherChannel group, even if the EtherChannel group has been specified as a SPAN source. The port is removed from the group while it is configured as a SPAN destination port.
•The port does not transmit any traffic except that required for the SPAN session.
•If ingress traffic forwarding is enabled for a network security device, the destination port forwards traffic at Layer 2.
•It does not participate in spanning tree while the SPAN session is active.
•When it is a destination port, it does not participate in any of the Layer 2 protocols (STP, VTP, CDP, DTP, PagP, or LACP).
•No address learning occurs on the destination port.
•A destination port receives copies of sent and received traffic for all monitored source ports. If a destination port is oversubscribed, it could become congested. This could affect traffic forwarding on one or more of the source ports.

2950C Unable to ping destination port in monitor session

I have 2 Pix firewalls and a web filtering server running Surfcontrol. In order for Surfcontrol to filter web usage it has to see the traffic being sent to the firewall's. I have created a monitor session and have used the firewall ports as the source with transmit and receive, and the web filter server as the destination. However when I do this I am not able to ping the web filter server. The web filter is unable to function ie block websites based on the rules that we have setup if the destination port is unable to send packets to internal workstations.
Is there anything I can do to allow the destination port to be able to send packets to internal workstations ??

Hi Frined,
When you configure SPAN destination port , that port will just work as a monitoring port and will not work for general network traffic.
If you do " sh int" you will see line protocol down (monitoring)
Now if you want that port to monitor as well as take part into normal network also you have to enable ingress traffic on the destination port
"monitor session session_number destination interface interface-id [ingress vlan vlan id]"
Check this link for more details
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12119ea1/2950scg/swspan.htm#1218090
HTH
Ankur

SPAN / Monitor Ports - packet switched on Line Card

Hi Forum,
I got a quick SPAN / Monitor question. I need to create a monitor session where the source is a VLAN. The question is if the L2 source and destination are switched internally on a different linecard to the the monitor destination, then does the SPAN port know about it.
I was wondering as in theory, the packet does not go on the backplane, then how does the switch monitor session know about it ??
Graham

Hi,
In the Catalyst 6500 Series, it is important to note that egress SPAN is done on the supervisor. This allows all traffic subject to egress SPAN to be sent across the fabric to the supervisor and then to the SPAN destination port, which can use significant system resources and affect user traffic. Ingress SPAN will be done on ingress modules so SPAN performance would be the sum of all participating replication engines. The performance of the SPAN feature depends on the packet size and the type of ASIC available in the replication engine.
See this link below that contains details about the SPAN on different platforms.
http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml#topic6
Regards,

SPAN 2 ports on 2 2950's

Hi,
Can someone confirm either way whether it is possible or not to configure a single SPAN destination port on one 2950 to mirror one source port on itself and one source port on a second 2950 trunked together. I really wish to do this without requiring any other gear at all, but am dubious that this is actually possible. I'd love to be proved wrong...
Cheers
Chris

Hi Chris,
Let me confirm what you want is you have 2 2950 switches and you want one port on one 2950 to work as destination port and you want some other ports on same switch to be working as source port and also you want some ports on other 2950 to send their traffic to destination port which is already configured on other 2950.
If yes then it is possible via RSPAN.
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12120ea2/2950scg/swspan.htm#wp1336553
Regards,
Ankur

Mac book pro (2008)will not start up,command-v gives (error) Import:Importer start failed for 89(kr:268435459)invalid destination port)

will not start up.
tried Command-v
message reads
(error) Import:Importer start failed for 89 (kr:268435459)invalid destination port)

First, uninstall "SuperTV" (whatever that is) according to the developer's instructions. It isn't working and it's filling the log with noise.
If you have more than one user account, these instructions must be carried out as an administrator.
Launch the Console application.
Step 1
Make sure the title of the Console window is All Messages. If it isn't, select All Messages from the SYSTEM LOG QUERIES menu on the left.
Enter "BOOT_TIME" (without the quotes) in the search box. Note the timestamps of those log messages, which refer to the times when the system was booted. Now clear the search box and scroll back in the log to the last boot time when you had the problem. Post the messages logged before the boot, while the system was unresponsive or was failing to shut down. Please include the BOOT_TIME message at the end of the log extract.
Post the log text, please, not a screenshot. If there are runs of repeated messages, post only one example of each. Don’t post many repetitions of the same message. When posting a log extract, be selective. In most cases, a few dozen lines are more than enough.
PLEASE DO NOT INDISCRIMINATELY DUMP THOUSANDS OF LINES FROM THE LOG INTO A MESSAGE. If you do that, I will not respond.
Important: Some private information, such as your name, may appear in the log. Edit it out by search-and-replace in a text editor before posting.
Step 2
Still in Console, look under System Diagnostic Reports for crash or panic logs, and post the most recent one, if any. In the interest of privacy, I suggest you edit out the “Anonymous UUID,” a long string of letters, numbers, and dashes in the header of the report, if present (it may not be.) Please don’t post shutdownStall, spin, or hang logs — they're very long and not helpful.

New command for radius-server source-ports

I am trying to find the new command fro radius-server source-ports 1645-1646 since it appears to be depricated. We use tacacs so we do not have the radius server specified but we do need to put in the ports. Can someone please tell me the new command for radius-server source-ports?
Thanks

Both of the links that Peter posted are interesting and helpful. I would like to take a slightly different approach in answering your question.
In every version of IOS there are certain commands that get inserted into running-config when a particular feature is activated. It looks like in your version the radius-server source-ports is one of those commands. I do not think it is anything that you should be concerned about.
And I do not believe that having the radius-server source-ports command would prevent TACACS from working. I believe that there is likely to be some fault in your configuration. If you would post the aaa parts of the config then maybe we could see what the problem is.
In my experience configuring aaa some of the common problems include not correctly identifying the TACACS server, not having exactly the same key configured on the Cisco device and the TACACS server, not having connectivity to the TACACS server (can the Cisco device ping the server, and can the server ping the device), or errors in the authentication or authorization prameters specified.
Post some information and we will see what we can do.
HTH
Rick

Command to block a port in Vlan

I have 3 switches interconnecting to each other. A PC in switch A wishes to ping to PC on Switch C. There are 2 paths leading to it, what command can i use to block one of the port so that there is only one path?
Is it setting one of the switch as root? Or is it something to do with portfast?
Note:Pulling out the physical link is not an option.

Hi,
By default, you have Spanning tree enabled on the switches and it should automatically block the redundent port. Use the command " show spanning-tree brief " command to check it is enable on the switch.
Based on the lowest bridge ID( Lowest MAC + Priority ) the switches will automatically calculate the root and once agreed upon that the root switch blocks the redundent path based on some calculation. If you want you can force a particular switch to be root switch by lowering dwon the priority which is by default 32768 for the switches. You can use command " spanning-tree priority in the config mode.
Portfast puts the port into forwarding state directly from blocking and thus skipping the intermediate states. It is generally used on host ports. Never enable portfast on the ports connecting to switches as it might results in a loop.
HTH,
-amit singh

How do I NAT based on destination port while source port can be ANY

Goal - I want to forward Internet bound HTTP and HTTPS traffic to a Proxy via an IPSEC Tunnel - I want to maintain my private IP as it goes accross the IPSEC Tunnel - I also want remaining Internet Traffic to route Normally by NATing to my outside address.
In 8.4 this is quite easy as I can specify a destination port and have "any" source port for the NAT
Here is a snap shot of the config:
object service Proxy_HTTP
service tcp destination eq www
object service Proxy_HTTPS
service tcp destination eq https
nat (inside,outside) source static any any service Proxy_HTTP Proxy_HTTP
nat (inside,outside) source static any any service Proxy_HTTPS Proxy_HTTPS
object network Non_Proxy
nat (any,outside) dynamic interface
PROBLEM: I need this behavior in 8.2.x - I have found no way to mimic this.
You cannot use NAT Exemption as it cannot be port based
A static policy NAT with Access list will not work as you must specify a single source port - Since there is no way to predict the source port this wont work.
I don't see any of the other NAT Types working this way.
If there is a way to make this work in 8.2 please let me know - We have many ASAs and we are not ready to make the leap to 8.4 but we need to use the proxy.

Karen-
Results: Did not work. The web based shortcuts did not appear.
Below is the steps taken with your tips incorporated. (Again it's lengthy sorry about that, but anyone can recreate what was done here. Maybe someone can see something left out by doing/reviewing it).
Here is what was done:
1. Installed a fresh install of Windows 8.1 enterprise on a pc. No updates were ran.
2. During setup created the admin account.
3. Logged into the account a simple start screen was arranged and setup by:
Starting desktop Internet Explorer. Going to Technet's website. Clicked tools and then selecting "Add site to Apps" from the drop down menu. Went to Apps screen, right clicked and pinned it to start screen. Repeated this procedure with an
educational web based site.
Right clicked a few provisioned apps and unpinned them from the start screen.
Made a few groups and labeled them. Web based shortcuts were arranged with one provisioned app in that particular group.
4. Opened a Powershell, right clicked it and ran as administrator. Typed the following:
export-startlayout -path C:\Users\Public\Master.xml -as xml
(Master is the name chosen for this test .xml file and was put in a location all users would have privelages to access it).
5. Opened the command prompt and right clicked and "ran as administrator", typed in gpedit.
6. In the Local Group Policy under User Configuration, under Start Menu and Taskbar I choose the Start Screen Layout.
7. Enabled the policy and typed in: C:\Users\Public\Master.xml for the Start Layout File.
8. Opened computer management, under Local Users and Groups I chose Users, right clicked in the middle screen and created a new user called Alpha.
9. Logged out of the inital account and logged into newly created Alpha account.
10. When the Alpha account logged in the start screen came up with everything changed in the inital account but no web based shortcuts were found on the start screen or App view.

Load-balancing Algorithm for NX-OS Port Channels

Hi, all
I do not understand description of port-channel load-balance ethernet command.
switch(config)# port-channel load-balance ethernet ?
destination-ip         Destination IP address
destination-mac        Destination MAC address
destination-port       Destination TCP/UDP port
source-dest-ip         Source & Destination IP address (includes l2)
source-dest-ip-only    Source & Destination IP addresses only
source-dest-mac        Source & Destination MAC address
source-dest-port       Source & Destination TCP/UDP port (includes l2 and l3)
source-dest-port-only Source & Destination TCP/UDP port only
source-ip              Source IP address
source-mac             Source MAC address
source-port            Source TCP/UDP port
Please tell me what the following descriptions mean.
Source & Destination IP address (includes l2)
Source & Destination TCP/UDP port (includes l2 and l3)
What are the meaning of "includes l2" and "includes l2 and l3" ?
Thank you for your cooperation in advance.

Hi Satoru,
On the Nexus 5000/6000 platforms, all FEXs will inherit the global hashing algorithm from the parent device.
On the Nexus 7000 platform, hashing algorithms can be assigned on a per FEX basis (all load balancing changes must be made from the Admin VDC):
N7K-A(config)# port-channel load-balance src-dst ip-l4port fex 134
Any FEX without a hashing algorithm configured with inherit the global hash. Making changes to the modular/global hash will not alter FEX specific hashing algorithms.
To verify the configuration applied you can use this command:
N5K_A# show port-channel load-balance
On the Nexus 7000, the per FEX algorithm can be checked by appending the ‘fex <#>’ to the end of the command in the Admin VDC or the FEX’s respective VDC:
N7K-A(config)# show port-channel load-balance fex 134
Regards,
Richard

851W - mac address changes destination port on bridge

Hello,
We have a 851w configured in bridge mode between the wireless lan and the wired local lan.
The mac addresses of the machines connected through wire keep changing the destination port on where they are registered.
If they are on FastEthernetX everything works ok, when they are on VLAN1 we loose connection between wire and wireless clients.
NORMAL OPERATION
Destination Address Address Type VLAN Destination Port
0019.7d83.xxxx          Dynamic        1     Vlan1
0021.8656.xxxx          Dynamic        1     FastEthernet0
0022.9064.xxxx          Self               1     Vlan1
ERROR: NO NETWORK
Destination Address Address Type VLAN Destination Port
0019.7d83.xxxx          Dynamic        1     Vlan1
0021.8656.xxxx          Dynamic        1     Vlan1
0022.9064.xxxx          Self               1     Vlan1
I tryed to debug using the various debug arp commands but didn't find any useful info.
Why does it change the destination port?
How can I make it stable?
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname UM01
boot-start-marker
boot system flash:/c850-advsecurityk9-mz.124-11.XW6.bin
boot-end-marker
logging buffered 51200 warnings
dot11 ssid UM01
   vlan 1
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 7 00101615105E3F233C1569
ip cef
bridge irb
interface FastEthernet0
no ip address
ip virtual-reassembly
no dot11 extension aironet
encryption vlan 1 mode ciphers aes-ccm
ssid UM01
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2412
station-role root
no cdp enable
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Vlan1
no ip address
ip tcp adjust-mss 1452
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
interface BVI1
description Bridge to Internal Network
ip address 10.10.189.254 255.255.255.0
no ip http server
no ip http secure-server
no cdp run
control-plane
bridge 1 protocol ieee
bridge 1 route ip
line con 0
privilege level 15
no modem enable
line aux 0
line vty 0 4
privilege level 15
transport input ssh
scheduler max-task-time 5000
end

FYI, the solution we found was to force the mac address of each wired computer to a physical interface and vlan 1.
This seems to have stabilize the communications, no more mac address hopping between destination port.

Using EEM to identify destination port of incoming traffic

I'm using the following script to pull out the source port from a syslog message generated by an ACL. The intent is to grab the destination port for use later in the script:
no event manager applet REDIRECT
event manager applet REDIRECT
event syslog pattern "IPACCESSLOGP:"
action 10 cli command "enable"
action 15 wait 2
action 100 cli command "show log | i IPACCESSLOGP"
action 105 wait 2
action 120 regexp "[0-9.]+\)," "$_cli_result" result
action 130 if $_regexp_result eq 1
action 135 string trimright "$result" "),"
action 140 puts "PORT:$_string_result"
action 150 else
action 160 puts "NO MATCH"
action 170 end
The isssue is that if the logging buffer has no entries, the script appears to grab the port correctly. If there are multiple ACL syslog messages, it will process the first one it finds and print out the port correctly. I have debugged "event man action cli" and cannot determine why the match is failing (output below):
HPR#clear log
Clear logging buffer [confirm]
!HERE IS THE FIRST PACKET DESTINED FOR PORT 31340:
HPR#
*Dec 10 14:15:05.939: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 192.168.194.1(7379) -> 192.168.194.100(31340), 1 packe
t
*Dec 10 14:15:06.015: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : CTL : cli_open called.
*Dec 10 14:15:06.027: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : OUT : HPR>
*Dec 10 14:15:06.027: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : IN : HPR>enable
*Dec 10 14:15:06.051: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : OUT : HPR#
*Dec 10 14:15:06.051: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : IN : HPR#show log | i IPACCESSLOGP
*Dec 10 14:15:06.311: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : OUT : *Dec 10 14:15:05.939: %SEC-6-IPACCESSLOGP: list
100 permitted tcp 192.168.194.1(7379) -> 192.168.194.100(31340), 1 packet
*Dec 10 14:15:06.311: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : OUT : HPR#
*Dec 10 14:15:08.327: %HA_EM-6-LOG: REDIRECT: PORT:31340
*Dec 10 14:15:10.327: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : CTL : cli_close called.
!HERE IS THE FIRST PACKET DESTINED FOR PORT 31341:
HPR#
*Dec 10 14:15:46.439: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 192.168.194.1(7388) -> 192.168.194.100(31341), 1 packe
t
*Dec 10 14:15:46.515: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : CTL : cli_open called.
*Dec 10 14:15:46.527: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : OUT : HPR>
*Dec 10 14:15:46.531: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : IN : HPR>enable
*Dec 10 14:15:46.551: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : OUT : HPR#
*Dec 10 14:15:46.551: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : IN : HPR#show log | i IPACCESSLOGP
*Dec 10 14:15:46.831: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : OUT : *Dec 10 14:15:05.939: %SEC-6-IPACCESSLOGP: list
100 permitted tcp 192.168.194.1(7379) -> 192.168.194.100(31340), 1 packet
*Dec 10 14:15:46.831: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : OUT : *Dec 10 14:15:06.051: %HA_EM-6-LOG: REDIRECT : D
EBUG(cli_lib) : : IN : HPR#show log | i IPACCESSLOGP
*Dec 10 14:15:46.835: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : OUT : *Dec 10 14:15:06.311: %HA_EM-6-LOG: REDIRECT : D
EBUG(cli_lib) : : OUT : *Dec 10 14:15:05.939: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 192.168.194.1(7379) -> 192.168
.194.100(31340), 1 packet
*Dec 10 14:15:46.835: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : OUT : *Dec 10 14:15:46.439: %SEC-6-IPACCESSLOGP: list
100 permitted tcp 192.168.194.1(7388) -> 192.168.194.100(31341), 1 packet
*Dec 10 14:15:46.835: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : OUT : HPR#
*Dec 10 14:15:48.847: %HA_EM-6-LOG: REDIRECT: PORT:31340
*Dec 10 14:15:50.847: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : CTL : cli_close called.
Is there a more precise way to pull just the information about the message that triggered the EEM applet (like an environment variable that I could match on and pull the port info out with a regex?
Thank you,

I made a modification to the script that clears the log file after it runs....that appears to hav fixed the issue with it reading the port information from the first syslog message. But the script only works when being debugged ("debug event man action cli") and then only gets "NO MATCH" when debugging is disabled. Yikes!
HPR#show run | b event
event manager applet REDIRECT
event syslog pattern "IPACCESSLOGP:"
action 10 cli command "enable"
action 100 cli command "show log | i IPACCESSLOGP"
action 105 wait 2
action 120 regexp "[0-9.]+\)," "$_cli_result" result
action 130 if $_regexp_result eq 1
action 135 string trimright "$result" "),"
action 140 puts "PORT:$_string_result"
action 145 cli command "tclsh clearlog.tcl"
action 150 else
action 160 puts "NO MATCH"
action 170 end
end
Here's the debug:
!NO DEBUG: SENDING PACKETS ON PORT 666 (NO MATCH)
HPR#
*Dec 10 14:47:18.511: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 192.168.194.1(7908) -> 192.168.194.100(666), 1 packet
*Dec 10 14:47:20.883: %HA_EM-6-LOG: REDIRECT: NO MATCH
!NO DEBUG: SENDING PACKETS ON PORT 667 (PORT:666 displayed)
HPR#
*Dec 10 14:47:33.259: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 192.168.194.1(7912) -> 192.168.194.100(667), 1 packet
*Dec 10 14:47:35.639: %HA_EM-6-LOG: REDIRECT: PORT:666
!CLEARED LOG AND ENABLED DEBUGGING ("debug event man action cli")
HPR#clear log
Clear logging buffer [confirm]
HPR#debug event man action cli
Debug EEM action cli debugging is on
HPR#
HPR#clear log
Clear logging buffer [confirm]
!SENDING PACKETS ON PORT 668 (WIN!)
HPR#
*Dec 10 14:48:05.927: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 192.168.194.1(7918) -> 192.168.194.100(668), 1 packet
*Dec 10 14:48:06.003: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : CTL : cli_open called.
*Dec 10 14:48:06.019: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : OUT : HPR>
*Dec 10 14:48:06.019: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : IN : HPR>enable
*Dec 10 14:48:06.039: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : OUT : HPR#
*Dec 10 14:48:06.043: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : IN : HPR#show log | i IPACCESSLOGP
*Dec 10 14:48:06.287: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : OUT : *Dec 10 14:48:05.927: %SEC-6-IPACCESSLOGP: list
100 permitted tcp 192.168.194.1(7918) -> 192.168.194.100(668), 1 packet
*Dec 10 14:48:06.287: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : OUT : HPR#
*Dec 10 14:48:08.299: %HA_EM-6-LOG: REDIRECT: PORT:668
*Dec 10 14:48:08.303: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : IN : HPR#tclsh clearlog.tcl
*Dec 10 14:48:08.543: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : OUT : HPR#
*Dec 10 14:48:08.547: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : CTL : cli_close called.
!SENDING PACKETS ON PORT 669 (WIN!)
*Dec 10 14:48:11.499: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 192.168.194.1(7921) -> 192.168.194.100(669), 1 packet
*Dec 10 14:48:11.579: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : CTL : cli_open called.
*Dec 10 14:48:11.591: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : OUT : HPR>
*Dec 10 14:48:11.595: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : IN : HPR>enable
*Dec 10 14:48:11.615: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : OUT : HPR#
*Dec 10 14:48:11.615: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : IN : HPR#show log | i IPACCESSLOGP
*Dec 10 14:48:11.879: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : OUT : *Dec 10 14:48:11.499: %SEC-6-IPACCESSLOGP: list
100 permitted tcp 192.168.194.1(7921) -> 192.168.194.100(669), 1 packet
*Dec 10 14:48:11.879: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : OUT : HPR#
*Dec 10 14:48:13.891: %HA_EM-6-LOG: REDIRECT: PORT:669
*Dec 10 14:48:13.895: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : IN : HPR#tclsh clearlog.tcl
*Dec 10 14:48:14.123: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : OUT : HPR#
*Dec 10 14:48:14.127: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : CTL : cli_close called.
Thoughts?

Monitoring destination port - port buffer overflow risk?

Hi All,
On a 6506-E I am using local span (the simplest version).
There is a possibility that 2Gb/s is duplicated to a 1Gb/s monitor destination port. Of course 50% of the traffic will drop, due to lack of bandwidth on the monitor destination port.
Environment(simplified):
Cisco 6506-E
24 x 1Gb/s SFP ports (WS-X6824-SFP)
IOS release 15.1(1)SY1
The case is, dropping packets is no issue on the monitor destination port. However, on the same module, a WS-X6824-SFP (24 SFP port) is also critical production traffic active.
This results in two questions:
-Are the output buffers on the WS-X6824-SFP, shared among all 24 ports?
-If so, can the oversubscribed monitor destination port use the largest portion of this shared buffer on the interface module?
Thanks in advance for any input on this.
Kind regards,
Joris

Du fait de certains vi manquants je ne peux pas executer votre code, Parmis le nombre important de vi GET HTTP, savez-vous lequel est responsable de l'erreur ?, et est-ce toujours le même ?
L'erreur renvoyée concerne le port série, quelle est la configuration de ses buffers d'entrée / sortie (visible dans le gestionnaire de périphérique)
Cordialement,
Vincent.O
National Instruments France
#adMrkt{text-align: center;font-size:11px; font-weight: bold;} #adMrkt a {text-decoration: none;} #adMrkt a:hover{font-size: 9px;} #adMrkt a span{display: none;} #adMrkt a:hover span{display: block;}
Été de LabVIEW 2014
12 présentations en ligne, du 30 juin au 18 juillet

Error occurred while forwarding a message for distributed destination

Is there a change in the way that Uniform Distributed Destinations are handled in the cluster after weblogic9.2?
I am using oracle weblogic 10.3.0.1 in production mode. I have two managed servers, each managed server has a JMS Server.
I create a Uniform distributed Topic on the System module, and publish a message to it.
I can see the message in the topic on the first JMSServer but the following error happens and the message never makes it to the second JMSServer
<Sep 24, 2009 2:00:45 PM GMT+00:00> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RESUMING>
<Sep 24, 2009 2:00:45 PM GMT+00:00> <Notice> <Cluster> <BEA-000162> <Starting "async" replication service with remote cluster address "null">
<Sep 24, 2009 2:00:45 PM GMT+00:00> <Notice> <Server> <BEA-002613> <Channel "DefaultSecure" is now listening on IP:PORT for protocols iiops, t3s, CLUSTER-BROADCAST-SECURE, ldaps, https.>
<Sep 24, 2009 2:00:45 PM GMT+00:00> <Notice> <WebLogicServer> <BEA-000330> <Started WebLogic Managed Server "ManSvr1" for domain "Domain" running in Production Mode>
<Sep 24, 2009 2:00:46 PM GMT+00:00> <Notice> <Cluster> <BEA-000102> <Joining cluster Clus on mip:mport>
<Sep 24, 2009 2:00:47 PM GMT+00:00> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING>
<Sep 24, 2009 2:00:47 PM GMT+00:00> <Notice> <WebLogicServer> <BEA-000360> <Server started in RUNNING mode>
<Sep 24, 2009 2:09:52 PM GMT+00:00> <Warning> <JMS> <BEA-040498> <An error occurred while forwarding a message for distributed destination member JMSSystemResource!JMSServer2@example: weblogic.messaging.dispatcher.DispatcherException: java.rmi.RemoteException: Could not establish a connection with 8935413426058515615S:fqhn:[-1,-1,sslport,sslport,-1,-1,-1]:Domain:ManSvr2, java.rmi.ConnectException: No known valid port for: 'Default[t3]:t3(t3):fqhn:nonsslport:null:-1'; No available router to destination; nested exception is:
java.rmi.ConnectException: No known valid port for: 'Default[t3]:t3(t3):fqhn:nonsslport:null:-1'; No available router to destination; nested exception is:
java.rmi.ConnectException: Could not establish a connection with 8935413426058515615S:fqhn:[-1,-1,sslport,sslport,-1,-1,-1]:Domain:ManSvr2, java.rmi.ConnectException: No known valid port for: 'Default[t3]:t3(t3):fqhn:nonsslport:null:-1'; No available router to destination; nested exception is:

I specified the cluster address, but still get the following errors after a message is published to the topic. Are there other configuration items that can be checked?
<Sep 29, 2009 9:51:49 AM GMT+00:00> <Notice> <Security> <BEA-090082> <Security initializing using security realm myrealm.>
<Sep 29, 2009 9:52:01 AM GMT+00:00> <Notice> <Server> <BEA-002613> <Channel "DefaultAdministration" is now listening on 10.241.134.92:7018
for protocols admin, CLUSTER-BROADCAST-SECURE, ldaps, https.>
<Sep 29, 2009 9:53:26 AM GMT+00:00> <Notice> <Server> <BEA-002613> <Channel "DefaultSecure" is now listening on 10.241.134.92:7019 for
protocols iiops, t3s, CLUSTER-BROADCAST-SECURE, ldaps, https.>
<Sep 29, 2009 9:53:26 AM GMT+00:00> <Notice> <WebLogicServer> <BEA-000330> <Started WebLogic Managed Server "ClusManSv
r2" for domain "domain" running in Production Mode>
<Sep 29, 2009 9:53:26 AM GMT+00:00> <Notice> <Cluster> <BEA-000102> <Joining cluster Clus on 224.0.0.10:7390>
<Sep 29, 2009 9:53:27 AM GMT+00:00> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING>
<Sep 29, 2009 9:53:27 AM GMT+00:00> <Notice> <WebLogicServer> <BEA-000360> <Server started in RUNNING mode>
<Sep 29, 2009 9:56:14 AM GMT+00:00> <Warning> <JMS> <BEA-040498> <An error occurred while forwarding a message for distributed destinati
on member SOAFJMSSystemResource!SOAFJMSServer1@EventingAdminTopic: weblogic.messaging.dispatcher.DispatcherException: java.rmi.RemoteExc
eption: Could not establish a connection with 5660061832836428941S:managedServer.net:[-1,-1,7017,7017,-1,-1,-1]:testnn
2092.net:domain:ClusManSvr1, java.rmi.ConnectException: No known valid port for: 'Def
ault[t3]:t3(t3):managedServer.net:7018:null:-1'; No available router to destination; nested exception is:
java.rmi.ConnectException: No known valid port for: 'Default[t3]:t3(t3):managedServer.net:7018:null:-1'; No ava
ilable router to destination; nested exception is:
java.rmi.ConnectException: Could not establish a connection with 5660061832836428941S:managedServer.net:[-1,-1,1
1217,7017,-1,-1,-1]:managedServer.net:domain:ClusManSvr1, java.rmi.ConnectException: No
known valid port for: 'Default[t3]:t3(t3):managedServer.net:7018:null:-1'; No available router to destination; nested
exception is:
java.rmi.ConnectException: No known valid port for: 'Default[t3]:t3(t3):managedServer.net:7018:null:-1'; No ava
ilable router to destination
weblogic.messaging.dispatcher.DispatcherException: java.rmi.RemoteException: Could not establish a connection with 5660061832836428941S:
managedServer.net:[-1,-1,7017,7017,-1,-1,-1]:managedServer.net:domain:
ClusManSvr1, java.rmi.ConnectException: No known valid port for: 'Default[t3]:t3(t3):managedServer.net:7018:null:-1'; N
o available router to destination; nested exception is:
java.rmi.ConnectException: No known valid port for: 'Default[t3]:t3(t3):managedServer.net:7018:null:-1'; No ava
ilable router to destination; nested exception is:
java.rmi.ConnectException: Could not establish a connection with 5660061832836428941S:managedServer.net:[-1,-1,1
1217,7017,-1,-1,-1]:managedServer.net:domain:ClusManSvr1, java.rmi.ConnectException: No
known valid port for: 'Default[t3]:t3(t3):managedServer.net:7018:null:-1'; No available router to destination; nested
exception is:
java.rmi.ConnectException: No known valid port for: 'Default[t3]:t3(t3):managedServer.net:7018:null:-1'; No ava
ilable router to destination
at weblogic.messaging.dispatcher.DispatcherWrapperState.dispatchAsync(DispatcherWrapperState.java:158)
at weblogic.jms.dispatcher.DispatcherAdapter.dispatchAsync(DispatcherAdapter.java:84)
at weblogic.jms.backend.BEForwardingConsumer$1.run(BEForwardingConsumer.java:503)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
at weblogic.jms.backend.BEForwardingConsumer.processMessages(BEForwardingConsumer.java:499)
Truncated. see log file for complete stacktrace
java.rmi.RemoteException: Could not establish a connection with 5660061832836428941S:managedServer.net:[-1,-1,7017,701
7,-1,-1,-1]:managedServer.net:domain:ClusManSvr1, java.rmi.ConnectException: No known v

Ingress command for SPAN Destination Port - 3550

Similar Messages

Maybe you are looking for