Inspect not working in cisco ASA

Similar Messages

• Pat is not working on my asa

  Hi there. 
  I just trying to do PAT with gns3. but not working and i don't have any idea.
  (Cisco Adaptive Security Appliance Software Version 8.4(2))
  and also i figure out that there are some changes in nat configuration. i did but didn't work. 
  I cannot ping from my host 192.168.100.116 to 1.1.12.1 ~ 1.1.12.2, 8.8.8.8 
  i turn debug in R1 and i can see the icmp. 
  R1#
  *Mar  1 01:31:28.091: ICMP: echo reply sent, src 1.1.12.1, dst 10.10.10.1
  R1#
  *Mar  1 01:31:32.739: ICMP: echo reply sent, src 1.1.12.1, dst 10.10.10.1
  R1#
  And also can see xlate on ASA
  ASA-1# sh xlate
  1 in use, 9 most used
  Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
  ICMP PAT from inside:192.168.100.116/1 to outside:10.10.10.1/6370 flags ri idle 0:00:04 timeout 0:00:30
  ASA-1#
  This is my topology. 
  [ASA1]
  ASA-1# sh run ip
  interface GigabitEthernet0
   nameif outside
   security-level 0
   ip address 10.10.10.1 255.255.255.0
  interface GigabitEthernet1
   nameif inside
   security-level 100
   ip address 10.10.20.1 255.255.255.0
  ASA-1# sh run object network
  object network obj-192.168.100.0
   subnet 0.0.0.0 0.0.0.0
  ASA-1# conf t
  ASA-1(config)# ob
  ASA-1(config)# object net
  ASA-1(config)# object network obj-192.168.100.0
  ASA-1(config-network-object)# nat (in
  ASA-1(config-network-object)# nat (inside,ou
  ASA-1(config-network-object)# nat (inside,outside) dy
  ASA-1(config-network-object)# nat (inside,outside) dynamic inter
  ASA-1(config-network-object)# nat (inside,outside) dynamic interface
  ASA-1(config-network-object)# end
  [R4]
  interface FastEthernet0/0
   ip address 10.10.20.254 255.255.255.0
   duplex auto
   speed auto
  interface FastEthernet0/1
   ip address 192.168.100.254 255.255.255.0
   duplex auto
   speed auto
  no ip http server
  no ip http secure-server
  ip forward-protocol nd
  ip route 0.0.0.0 0.0.0.0 10.10.20.1
  [HOST]
  ip address 192.168.100.116/24
  [R1]
  interface FastEthernet0/0
   ip address 10.10.10.254 255.255.255.0
   duplex auto
   speed auto
  interface FastEthernet0/1
   ip address 1.1.12.1 255.255.255.0
   duplex auto
   speed auto
  no ip http server
  no ip http secure-server
  ip forward-protocol nd
  ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
  what am i mssing ?
  please corret me. 
  Thank you in advance. 

  just reload... .. i'm still stuck in the ping. 
  changed topology more simple. but still not working. 
  Here is all what i did. 
  [ASA]
  access-list ICMP extended permit icmp any any echo-reply
  access-list ICMP extended permit icmp any any time-exceeded
  access-group ICMP in interface outside
  interface GigabitEthernet0
   description To_UP
   nameif outside
   security-level 0
   ip address 10.10.10.2 255.255.255.0
  interface GigabitEthernet1
   description To_DOWN
   nameif inside
   security-level 100
   ip address 10.10.20.1 255.255.255.0
  [R1]
  interface FastEthernet0/0
   ip address 10.10.10.1 255.255.255.0
  ip route 10.10.20.0 255.255.255.0 10.10.10.2 (I don't think i need this)
  [R4]
  interface FastEthernet0/0
   ip address 10.10.20.2 255.255.255.0
  ip route 10.10.10.0 255.255.255.0 10.10.20.1 (same as well)
  [outout tracer]
  ciscoasa# packet-tracer input inside icmp 10.10.20.1 8 0 10.10.10.1
  Phase: 1
  Type: ROUTE-LOOKUP
  Subtype: input
  Result: ALLOW
  Config:
  Additional Information:
  in   10.10.10.0      255.255.255.0   outside
  Phase: 2
  Type: ACCESS-LIST
  Subtype:
  Result: DROP <---??????????????????????????
  Config:
  Implicit Rule
  Additional Information:
  Result:
  input-interface: inside
  input-status: up
  input-line-status: up
  output-interface: outside
  output-status: up
  output-line-status: up
  Action: drop
  Drop-reason: (acl-drop) Flow is denied by configured rule
  ciscoasa#
  [ASA]
  ciscoasa# show access-list
  access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
              alert-interval 300
  access-list ICMP; 2 elements; name hash: 0x2d2cf426
  access-list ICMP line 1 extended permit icmp any any echo-reply (hitcnt=0) 0x0b307247
  access-list ICMP line 2 extended permit icmp any any time-exceeded (hitcnt=0) 0x1e6b1395
  ciscoasa#
  I created acl and permit it
  Thank you. 

• ASDM not working on new ASA

  Hi Everyone,
  I am setting up new ASA for testing purposes.
  So far it has single interface Active which is management.
  I can ssh to ASA  fine but ASDM is not working.
  sh run http shows
  sh run http
  http server enable
  http 172.31.20.0 255.255.255.0 management
  sh run ssh
  ssh 172.31.20.0 255.255.255.0 management.
  Regards
  MAhesh

  Hi Julio,
  sh run ssl foed not sjow any output
  show flash | include asdm
    111  16280544    Jun 29 2011 12:10:58  asdm-645.bin
  sh run asdm
  no asdm history enable
  sh ver shows
  up 2 days 2 hours
  Hardware:   ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
  Internal ATA Compact Flash, 256MB
  BIOS Flash M50FW016 @ 0xfff00000, 2048KB
  Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                               Boot microcode        : CN1000-MC-BOOT-2.00
                               SSL/IKE microcode     : CNLite-MC-SSLm-PLUS-2.03
                               IPSec microcode       : CNlite-MC-IPSECm-MAIN-2.06
                               Number of accelerators: 1
  0: Ext: GigabitEthernet0/0  : address is e8b7.483d.0d68, irq 9
  1: Ext: GigabitEthernet0/1  : address is e8b7.483d.0d69, irq 9
  2: Ext: GigabitEthernet0/2  : address is e8b7.483d.0d6a, irq 9
  3: Ext: GigabitEthernet0/3  : address is e8b7.483d.0d6b, irq 9
  4: Ext: Management0/0       : address is e8b7.483d.0d6c, irq 11
  5: Int: Not used            : irq 11
  6: Int: Not used            : irq 5
  Licensed features for this platform:
  Maximum Physical Interfaces       : Unlimited      perpetual
  Maximum VLANs                     : 150            perpetual
  Inside Hosts                      : Unlimited      perpetual
  Failover                          : Active/Active  perpetual
  VPN-DES                           : Enabled        perpetual
  VPN-3DES-AES                      : Enabled        perpetual
  Security Contexts                 : 2              perpetual
  GTP/GPRS                          : Disabled       perpetual
  AnyConnect Premium Peers          : 2              perpetual
  AnyConnect Essentials             : Disabled       perpetual
  Other VPN Peers                   : 750            perpetual
  Total VPN Peers                   : 750            perpetual
  Shared License                    : Disabled       perpetual
  AnyConnect for Mobile             : Disabled       perpetual
  AnyConnect for Cisco VPN Phone    : Disabled       perpetual
  Advanced Endpoint Assessment      : Disabled       perpetual
  UC Phone Proxy Sessions           : 2              perpetual
  Total UC Proxy Sessions           : 2              perpetual
  Botnet Traffic Filter             : Disabled       perpetual
  Intercompany Media Engine         : Disabled       perpetual
  This platform has an ASA 5520 VPN Plus license.
  Regards
  MAhesh

• Adaptiva Software Distribution not working with Cisco APs in Local Mode

  A worldwide customer would like to use a new Software distribution system called Adaptiva to replace SCCM within Windows environment. As far as I understand, Adaptiva is designed to work like a snowball system. A single PC at a remote side can be "infected" with new Software and will distribute the package to other PCs within the same IP-subnet, saving WAN bandwidth.
  First tests are showing that it is working well with Cisco WLAN solution as long as we are using Flexconnect WLAN APs.
  Customer locations with Local WLAN AP design create problems for this new software distribution method.
  The WLAN-PCs can be reached from outside, but the establishment of the Client/Server-model between the WLAN Clients is not working. The Port used by this software for communication between clients in each WLAN subnet is UDP Port 34329.
  Our WLCs are running at  7.4.130.0. The problem is appearing independently of AP Multicast settings or Broadcast Forwarding.  Enabling Broadcast forwarding without Reboot did not improve the situation.
  Global Multicast Mode and IGMP Snooping are also of no influence.
  P2P Blocking Action is "Disabled" within the WLAN setup.
  Who has any idea what might cause this communication problem between WLAN clients in Local Mode of APs ?
  Thank You for answers
  Wini

  I can think of two solutions. You could 1: turn the "auto-lock" to never, so that your phone never sleeps. Or, you could 2: jailbreak your iPhone and install "insomnia". I wish we had the Cisco Mobile app. I usually use wifi/insomnia and turn data off at work since we have wireless pretty much everywhere...
  Sent from Cisco Technical Support iPad App

• The Software that came with my book does not work. CISCO CCENT / CCNA ICND1 by wendell odom

  Hello this is my first post on cisco support and hope I can get some help. I recently purchased the book CISCO CCENT / CCNA ICND1 by wendell odom and when I used the CD to install the Pearson Practice exams, it does not work. I tried everything! It even asks for a activation code, which on the CD It says "Refer to the Activation Code Included in the DVD Sleeve when Registering Pearson IT Certification Practice Test Software"I don't see anything related to a Activation Code anywhere on the CD OR on the sleeve! So now I can't use that.
             The Network simulator Wendell odom uses in his videos is already outdated it seems and I can't get mine to work. Why? Because I bought this book in hopes of this being a beginner book and praying the person won't skip information to actually set up the book. So now the videos are useless because I can't connect because I have no idea how...
            The Network Simulator lite, wow 3/3 When giving me software to use. The Prompt command does not work, Only the enter key will work but when I try to put in a password I can't hit anything else but enter.
               I hope I can get help from a more official member as to seeing how I bought this book and I can read but whats really the point if I don't have the hands on training?

  Keunepete,
  When I ordered my books for the ICND1 and ICND2, they came with a CD in the back pocket (sleeve) of the book. Along with the CD was a thick piece of paper that had the activation code on it. It was a white, square piece of paper with big black print on it. Did you buy your book used? Was the CD sealed in the back pocket?
  -Zach

• Successmaker program not working behind Cisco SA520

  My customer is a small school in British Columbia. They have used the Successmaker program (written by Pearson Education) to teach numeracy and literacy skills. Since installing a SA520 the teachers are saying that Successmaker does not work properly.
  I am at my wits end.
  I have disabled content filtering for the SA520, I have disabled IDS on the SA520. I am using the default outbound firewall rule allowing inside addresses access anywhere on the Internet, and I have created an inbound firewall rule allowing all traffic and all services from the Successmaker server IP address that their tech support gave us.Their app is still unable to work properly.
  What am I missing?
  Before the SA520 was installed the school was using PAT to map different ports on the public IP on the school cable modem to inside addresses. The whole school was a big DMZ, and any port scanning would have reached into their network. The port mappings were never communicated to the Successmaker folks, so I doubt they were ever relevant to the issue. The Successmaker App is web based, and according to their tech support uses "transfer encoding:chunked" technology. I read up on this and it dates back pre Web 2.0 (pre flash, pre silverlight, pre basically the silicon chip). It is discussed in RFC 2616, the SA520 is Linux based, not IOS based. Does that mean that it does not understand RFC2616? I doubt it, and even if it didn't understand RFC 2616 surely all the steps I have taken above would blow a hole the size of a barn door through the firewall?
  If this weren't a school would not be as emotionally connected as I am to their situation. Without this firewall they will be without much protection at all.
  Can you help?
  Message was edited by: dirkventer - I added the feedback received from Successmaker tech support. It suggests that the Cisco SA520 may be a problem, something I don't want to believe.

  Hi Quendale
  I'm sorry to say that putting a student computer in the DMZ didn't resolve the issue.
  In setting up the DMZ I made the following changes -
  1) I confirmed that the Option interface was in DMZ mode, and that it had a static IP on a new subnet.
  2) We also configured the DMZ DHCP to assign addresses in the subnet, using the firewall DMZ IP as default gateway, and using the firewall DMZ IP as DNS server.
  3) I created a default firewall rule allowing all outbound traffic from the DMZ to the Internet, and created a firewall rule allowing all inbound traffic from the Successmaker server on the Internet (insecure) zone to the DMZ.
  4) I confirmed that IPS was off for the DMZ (Default) and that the content filter exception for the DMZ was still disabled.
  The same problem occurred, which makes me believe that the reason for the application not working in the LAN zone had nothing to do with IPS or content filtering. As far as the firewall rule goes, the impact of the inbound rule seems to have been the same - i.e. ineffectual.
  Connecting the PC running successmaker directly to the school cable modem works.
  The possibility that the application in question has traffic blocked because of a RFC (2616?)  governing the way get and post requests should be formatted would still exist so long as integrity/compliance checking of packets is something that cannot be bypassed via the firewall configuration. Suffice it to say that the application appears dated and uses nothing of web 2.0. One of the options available to my customer is the purchase of the Web 2.0 version of successmaker ($600/seat), but they are only prepared to explore this option if the indications are that the older application, not the firewall is at fault. Pearson Education support swears blindly that thousands of BC school children continue to use the old app behind Cisco firewalls. I don't deny that the possibility exists that the Pearson support technician is stretching the truth, having an older application that has ceased to function with more sophisticated firewalls because RFC violations in packet formatting have become significant would doubtless present a solid easy-sell for their upgraded version, which is expensive, especially for a school.

• Redirect to web authentication not working on Cisco 5508 Wireless Controller

  Hi,
  I have a wlan with web authentication:
  http://i55.tinypic.com/w145zk.png
  and
  http://i51.tinypic.com/344sfm0.png
  When I connect to  the SSID (I get correct IP from the Cisco 5508 Controller) and try to  surf, I do not get redirected to the web authentication page (https://1.1.1.1/login.html), when I manually insert the URL I get "cannot display the webpage". Any idea?
  The virtual interface is 1.1.1.1.
  Here is a screenshot of interface and internal dhcp:
  http://i52.tinypic.com/2vkm1d2.png
  Any idea why clients are not redirecting?
  Thanks!

  Thanks for the reply dmantil!
  When I changed the Virtual DNS name to 1.1.1.1 (the same as the IP) I get redirected if I use http://198.133.219.25, but not with http://cisco.com, I get redirected only if I use IP.
  I forgot to mention that the controller is in a lab with no access to DNS server. Does the controller check if the domain is valid before redirecting users? I cant find any documentation on how the controller redirect users.

• Arp inspection not working on ASA

  Folks,
  I configured a transparent firewall on ASA. I have arp inspection enabled, with dynamic mac learning and dynamic arp. I am able to ping through the transparent firewall using 2 routers with the same mac-address. The firewall shows me that it is learning both the mac-addresses and also forwarding packets, can someone help me understand why this is happening?

  For some reason it will not take the shun command...I've tried every combanation I could think of but it will always fail.. I'm guessing there is a bug or that its just not allowed in transparent mode.. 
  You have to use the vlan before the number or it says invalid host.. when I do specify the vlan 2 it take it and then comes back with "Invalid vlan (2) shun failed

• Airplay not working with an ASA in the middle

  Hi All
  This is my case: In the lab I could configure mDNS on my 5508 with the global multicast and igmp snooping disabled. Only I needed was Global mDNS multicast enabled (based on Cisco Guide) and it worked fine under the following scenarios:
  All the services connected wireless
  IPAD on subnet A and Apple TV on subnet B, no Firewall in the middle. Peer to Peer Blocking in the WLC was any DROP or DISABLED and it worked fine.
  BUT, when I moved into production environment, the only way that it works is by having both Apple Devices in the same subnet with the Peer to Peer bloking DISABLED. I have a firewall ASA in the middle so I do not know what should I check in the firewall to allow Airplay to work.
  However, there is something really weird. in the IPAD, I can see the AIRPLAY icon at the bottom of the screen, when I click on it, I can see MIRRORING button and I moved it to the right to activated it BUT nothing happens on the AppleTV connected to an screen. I mean, looks like the request for MIRRORING from the IPAD to the Apple TV device is not reaching the last one. A few seconds after activating MIRRORING in the IPAD looks like the request is dropped since that the mirroring is not active.
  Is there any particular multicast configuration required in the ASA including ports (like 5353 udp)?
  I have an open case with TAC but any ideas are welcomed.
  By the way, I am running v 7.6 in the WLC in order to implement mDNS (traffic between ssid's subnet managed by the WLC - Bonjour Gateway is not neccesary)
  thanks
  Abraham

  Hi David,
  Let me share with you my findings. Apple TV requires more than 5353 port opened. Please see the following link and include in your ASA those additional ports/range. I mean, 7000, 7100, 5000 (udp/tcp), etc etc.
  http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/apple-macbook-airplay-appletv-firewall-port-findings/td-p/55048
  After opening those ports, the service is working BUT with significant LATENCY/SLOWNESS which we are trying to solve.
  We took some packets captures on the ASA ingress/egress interfaces for both contexts (see pictures attached) and I could see many retransmissions and duplicated ACK so I tried something else that worked (see Apple TV Works attached file) BUT this is not the final solution we need so we are still working on this issue in order to check if there is something wrong with our routing/switching process in the 6500 LAN SW.
  I created static routes in the ASA contexts to communicate the IPAD to the APPLE TV (ports already opened in the ASA as indicated before) without traversing the Wireless 6500 SW (test performed on VLAN A and VLAN B) and it worked fine. However as I said, this is not the solution we want because the Wireless 6500 SW must manage inter-ASA-contexts traffic.
  In addition to that I attached another picture/diagram that shows when Apple TV service fails-latency (traffic crossing the Wireless 6500 SW for communication between ASA contexts).
  Important to say that I am NOT using MULTICAST or BROADCAST ENABLED in the WLC. I am based on mDNS as indicated in the Cisco Guide/Instructions for version 7.5 and above.
  Hope this helps.

• Call/video not working between Cisco jabber for Windows and VCS control C40s

  Hello,
  I've been struggling with no luck how to make a call using Cisco Jabber for Windows 9.6.0 registered to CM 8.6.2 with intercluster ICT to another CM 8.6.2 where we have a VCS Control 7.0.2 via GK H225, and all C40s are registered as H.323.
  The VCS has interworking between H323 and SIP, however not sure if there is any problem with that. Assuming it is ok, not sure either if I'm facing any interoperability issue because in my remote site I have C40 (H323 registered at VCS and SIP listening mode) and cisco jabber for windows which is SIP based.
  If is not possible, would I be able to change my C40 from H323 to SIP at VCS, or have both H323/SIP registered at VCS? If so, will I need to change as well instead of GK I'll have to establish a SIP Trunk between the CM and VCS?
  Another thing I do not believe either I would be able to have one VCS connected with two clusters, right?
  I'm just trying to find a solution in case my current topology is not compatible, but feel free if you have any better idea to make it work.
  Anyway here is what is happening:
  When I make a call from my cisco jabber windows to C40 using alias number. The call is being redirected just fine to the C40 and it rings, however when someoene or the auto answer picks it up, the call dropped right away.
  However, if I enabled the MTP in my CSF device, the call gets longer before dropping. I was even able to see my jabber " start video" turns green, before was grayed out all the time and the call dropped faster. I hear a fast busy tone. 
  I'm able to provide SDI traces, logs, diagnostic sip/h323 calls from VCS in order to know for sure if this is an incompatible issue or something I can workaround.
  Let me know if someone of you are interested in read these logs or could point me on the right direction.
  Thanks!

  Ok,
  I have looked at both logs. I have to mentinon though that you didnt
  provide the log that shows the h323 setup between cucm and the VCS. This
  is  most likely because the call originated from a different cucm than
  the ones you provided the logs from.
  The call would have orginated from the first cucm in the cucm group of
  this trunk: Name=RL_TRUNK_VIDEO
  The cucm ip will be : 10.252.53.10.
  This is the VCS log that confirms where the h323 request originated
  from:
  pr 10 22:50:29 TWELDVCS01 tvcs: UTCTime="2014-04-11 01:50:29,187"
  Module="network.h323" Level="DEBUG":  Src-ip="10.252.53.10"  Src-
  port="54000"
   Received RAS PDU:
  Having said that here is my analysis of the logs that you sent..
  Jabber sent an INVITE to CUCM and advertised all the codecs (audio and
  video it can support)..
  Observer that Jabber says it doesnt support G729 anexB
  21:55:16.576 |//SIP/SIPTcp/wait_SdlReadRsp: Incoming SIP TCP message
  from 10.223.20.73 on port 54677 index 90661 with 2220 bytes:
  [862370,NET]
  INVITE sip:[email protected];user=phone SIP/2.0
  Via: SIP/2.0/TCP 10.223.20.73:54677;branch=z9hG4bK000029d3
  From: "4122107" <sip:[email protected]>;tag=00059a3c78000011000070b0
  -00000e65
  To: <sip:[email protected]>
  Call-ID: [email protected]
  Max-Forwards: 70
  Date: Fri, 11 Apr 2014 01:55:16 GMT
  CSeq: 101 INVITE
  User-Agent: Cisco-CSF/9.4.1
  m=audio 19252 RTP/AVP 0 8 18 105 104 101
  c=IN IP4 10.223.20.73
  a=rtpmap:0 PCMU/8000
  a=rtpmap:8 PCMA/8000
  a=rtpmap:18 G729/8000
  a=fmtp:18 annexb=no
  a=rtpmap:105 G7221/16000
  a=fmtp:105 bitrate=24000
  a=rtpmap:104 G7221/16000
  a=fmtp:104 bitrate=32000
  a=rtpmap:101 telephone-event/8000
  a=fmtp:101 0-15
  a=sendrecv
  m=video 28878 RTP/AVP 97
  c=IN IP4 10.223.20.73
  ++++Now lets observer the capabilites exchange during h245 negotiation
  between cucm and VCS++++
  Here CUCM advertises its caps to VCS (afterreceiving caps from VCS)
  Note that G729A, G729AB, G729 is all advertised..
  Apr 10 22:50:31 TWELDVCS01 tvcs: UTCTime="2014-04-11 01:50:31,017"
  Module="network.h323" Level="DEBUG":  Src-ip="10.252.53.10"  Src-
  port="45660"
   Received H.245 PDU:
   value MultimediaSystemControlMessage
  ::= request : terminalCapabilitySet
   capabilityTableEntryNumber 2,
         capability receiveAudioCapability :
  g729wAnnexB : 6
         capabilityTableEntryNumber 3,
     capability receiveAudioCapability : g729AnnexAwAnnexB : 6
         capabilityTableEntryNumber 4,
         capability
  receiveAudioCapability : g729 : 6
  capabilityTableEntryNumber 5,
         capability receiveAudioCapability :
  g729AnnexA : 6
  ++++++
  After doing MSD (master slave determination, we move to the OLC phas e..
  Here we see that the far end..c40 wants to use G729AB for media++++
  Apr 10 22:50:31 TWELDVCS01 tvcs: UTCTime="2014-04-11 01:50:31,783"
  Module="network.h323" Level="DEBUG":  Src-ip="10.224.114.11"  Src-
  port="11163"
   Received H.245 PDU:
   value MultimediaSystemControlMessage
  ::= request : openLogicalChannel :
     forwardLogicalChannelNumber 1,
  forwardLogicalChannelParameters
       dataType audioData :
  g729AnnexAwAnnexB : 20,
       multiplexParameters
  h2250LogicalChannelParameters :
  +++Next VCS sends G729AB as the codec to use to CUCM+++
  Apr 10 22:50:31 TWELDVCS01 tvcs: UTCTime="2014-04-11 01:50:31,784"
  Module="network.h323" Level="DEBUG":  Dst-ip="10.252.53.10"  Dst-
  port="45660"
   Sending H.245 PDU:
   value MultimediaSystemControlMessage
  ::= request : openLogicalChannel :
     forwardLogicalChannelNumber 1,
  forwardLogicalChannelParameters
       dataType audioData :
  g729AnnexAwAnnexB : 20,
       multiplexParameters
  h2250LogicalChannelParameters :
  ++++The next thing we get is an OLC reject from CUCM and this is where
  th call drops++
  Apr 10 22:50:31 TWELDVCS01 tvcs: UTCTime="2014-04-11 01:50:31,790"
  Module="network.h323" Level="DEBUG":  Src-ip="10.252.53.10"  Src-
  port="45660"
   Received H.245 PDU:
   value MultimediaSystemControlMessage
  ::= response : openLogicalChannelReject :
  forwardLogicalChannelNumber 1,
     cause dataTypeNotSupported : NULL
  Apr 10 22:50:31 TWELDVCS01 tvcs: UTCTime="2014-04-11 01:50:31,790"
  Module="network.h323" Level="INFO":  Dst-ip="10.224.114.11"  Dst-
  port="11163"
    Detail="Sending H.245 OpenLogicalChannelRejResponse
  +++We then receive a call release from cucm with cause code of 47:
  resource unavailable++++
  Apr 10 22:50:32 TWELDVCS01 tvcs: UTCTime="2014-04-11 01:50:32,365"
  Module="network.h323" Level="DEBUG":  Src-ip="10.252.53.10"  Src-
  port="50913"
   Received H.225 PDU:
   Q931
     Message Type: Release
  Complete
     Call reference flag: Message sent from originating side
  Call reference value: 0x7b
     Info Element : Cause
       Location: Usr
     Cause Value: Resource unavailable
     Info Element : User User
     Length = 22
  Suggestions:
  Change the region setting between the ICT trunk to VCS and Jabber to use
  G711 and test again.

• GVRP not working on Cisco SG300-28

  I have three Cisco SG300-28 switches. I setup a test lab environment with a core (server) switch in Layer 3 mode and the rest are (clients) in Layer 2 mode. As I understand, these switches doesn't support VTP, only GVRP. And GVRP works the same with VTP. Whenever you create VLANs on the core or main switch, other switches will learn from the core switch and no VLAN creation for the client switches will be made. (Hope I got it right. I guess GVRP is more complicated than VTP).
  GOAL: Obviously, I want to use GVRP to create VLANs on the main switch so that I won't be doing it all over on the other switches.
  The following is my (so far) configuration through CLI only:
  I haven't use the web GUI. My SW version is 1.1.2.0.
  1. I already enabled the GVRP globally.
  2. I configured GE 12 & GE 24 as TRUNK ports for the core switch that connects both switches, I also configured GE 12 ports for both the client switches. All other ports are in ACCESS mode. (I am connected to GE 2 port)
  3. I enabled GVRP on the TRUNK ports only for all switches.
  4. I allowed all vlans on the TRUNK ports. (#switchport trunk allowed vlan add all)
  5. All TRUNK ports registration mode is NORMAL and dynamic vlan creation is enabled on all trunk and access ports.
  6. I created 3 VLANs without configuring its IP Addresses:
       vlan 2 = MGT
       vlan 3 = IT
       vlan 4 = MKTG
  I don't know if I missed something on the configuration or the connection. I was expecting the vlans I created will be learned from other switches. Hope somebody can help me out. Thanks a lot.
  QUESTIONS:
  1. Is it necessary to enable all switches to layer 3 mode? Or depends on the network setup? Does this affect the GVRP?
  2. Does switching ports to TRUNK mode means they are already 802.1q ports by default? Because I can't configure TRUNK ports to 802.1q (#switchport encapsulation dot1q) config like other switches.
  SAMPLE CONFIGURATION:
  *** START CONFIG***
  vlan database
  vlan 2-4
  exit
  interface range gi12,gi24
  gvrp enable
  exit
  gvrp enable
  interface vlan 1
  ip address 172.10.10.10 255.255.255.0
  exit
  interface vlan 1
  no ip address dhcp
  exit
  no bonjour enable
  bonjour interface range vlan 1
  hostname SW1
  line telnet
  exec-timeout 0
  exit
  line telnet
  password 1e3855b6b22c5775cd12207ced02a082b073e4a8 encrypted
  exit
  line console
  password 1e3855b6b22c5775cd12207ced02a082b073e4a8 encrypted
  exit
  enable password level 15 encrypted 1e3855b6b22c5775cd12207ced02a082b073e4a8
  no snmp-server server
  clock source sntp
  no ip domain lookup
  ip telnet server
  banner login ^C
  SWITCH 1: PLEASE DO NOT LOG IN
  ^C
  interface gigabitethernet1
  switchport mode access
  exit
  interface gigabitethernet2
  switchport mode access
  exit
  interface gigabitethernet11
  switchport mode access
  exit
  interface gigabitethernet12
  switchport trunk allowed vlan add 2-4
  exit
  interface gigabitethernet13
  switchport mode access
  exit
  interface gigabitethernet14
  switchport mode access
  exit
  interface vlan 2
  name MGT
  exit
  interface vlan 3
  name IT
  exit
  interface vlan 4
  name MKTG
  exit
  *** END CONFIG ***

  trust me i am also heaving the same issue with my 3 Cisco SF300-24 ports ad i need the same what you was looking forward for...
  can you please check my question and comment what i am missing :(
  Aside to this i will try creating Vlans on my client switch without assigning the ip address as it's already assign and created on core switch.
  Thanks,
  Sandy

• ASDM stopped working on Cisco ASA 5510

  Hi All,
  We have a ASA 5510 running 8.2(1) and ASDM 6.2(1)
  Since yesterday evening ASDM sunddely stopped working. When I login I get Unable to launch device manager from xx.xx.xx.xx
  Firewall Uptime as of today 1 year 145 days. Firewall has 1GB ram and 76% free
  I can ssh to firewall fine, but ASDM or https://xx.xx.xx.xx wont work - On internet explorer it says Page not displayed. Google Chrome chrome -
  SSL connection Error - Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.
  I can telent to Port 443 fine.
  When I look at the logs:
  Jun 25 2013 14:33:40: %ASA-6-725001: Starting SSL handshake with client inside:xx.xx.xx.xx/11934 for TLSv1 session.
  Jun 25 2013 14:33:40: %ASA-7-725014: SSL lib error. Function: SSL3_SETUP_BUFFERS Reason: malloc failure
  Jun 25 2013 14:33:40: %ASA-7-725014: SSL lib error. Function: SSL23_GET_CLIENT_HELLO Reason:
  Jun 25 2013 14:33:40: %ASA-7-710005: TCP request discarded from xx.xx.xx.xx/11934 to inside:yy.yy.yy.yy/443
  Jun 25 2013 14:33:40: %ASA-6-106015: Deny TCP (no connection) from xx.xx.xx.xx/11934 to yy.yy.yy.yy/443 flags FIN ACK  on interface inside
  Jun 25 2013 14:33:40: %ASA-7-710005: TCP request discarded from xx.xx.xx.xx/11934 to inside:yy.yy.yy.yy/443
  xx.xx.xx.xx - is the PC IP
  yy.yy.yy.yy - is the IP of inside interface on firewall
  Note: ASDM was left running over the weekend and was working fine until yesterday evening. No changes have been made for the last week.
  *Rebooting the ASA is not an option
  Can anyone help?
  Thanks in advance

  Hi All,
  We have a ASA 5510 running 8.2(1) and ASDM 6.2(1)
  Since yesterday evening ASDM sunddely stopped working. When I login I get Unable to launch device manager from xx.xx.xx.xx
  Firewall Uptime as of today 1 year 145 days. Firewall has 1GB ram and 76% free
  I can ssh to firewall fine, but ASDM or https://xx.xx.xx.xx wont work - On internet explorer it says Page not displayed. Google Chrome chrome -
  SSL connection Error - Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.
  I can telent to Port 443 fine.
  When I look at the logs:
  Jun 25 2013 14:33:40: %ASA-6-725001: Starting SSL handshake with client inside:xx.xx.xx.xx/11934 for TLSv1 session.
  Jun 25 2013 14:33:40: %ASA-7-725014: SSL lib error. Function: SSL3_SETUP_BUFFERS Reason: malloc failure
  Jun 25 2013 14:33:40: %ASA-7-725014: SSL lib error. Function: SSL23_GET_CLIENT_HELLO Reason:
  Jun 25 2013 14:33:40: %ASA-7-710005: TCP request discarded from xx.xx.xx.xx/11934 to inside:yy.yy.yy.yy/443
  Jun 25 2013 14:33:40: %ASA-6-106015: Deny TCP (no connection) from xx.xx.xx.xx/11934 to yy.yy.yy.yy/443 flags FIN ACK  on interface inside
  Jun 25 2013 14:33:40: %ASA-7-710005: TCP request discarded from xx.xx.xx.xx/11934 to inside:yy.yy.yy.yy/443
  xx.xx.xx.xx - is the PC IP
  yy.yy.yy.yy - is the IP of inside interface on firewall
  Note: ASDM was left running over the weekend and was working fine until yesterday evening. No changes have been made for the last week.
  *Rebooting the ASA is not an option
  Can anyone help?
  Thanks in advance

• Edge Inspect not working for domain.dev URL's running locally on my laptop, displays error message.

  "An error occured
  Web page not availiable".
  This, printed on a white screen, on my iphone5 (OSX and iOS all running latest updates, latest Adobe Edge Inspect, freshly downloaded) is all I see when I try to visit any of the sites I run on my laptop with Apache.
  I set up my domains as "http://foobar.dev"  (where '.dev' is the TLD on my localhost for things ... local).
  I can view any public internet sites, and they will show up on Edge Inspect on my phone, with no problem.
  I've tested this with turning off the firewall on my computer... (but I'm surprised thats how edge works, but what ever).
  Any guides? tricks? help?
  Thanks.

  Edge Inspect doesn't do anything different to read the website off your computer than a normal browser does. We send a URL to the connected devices and expect them to be able to load that address into the WebView/UIWebView components in the Edge Inspect app on the devices.The reason you're seeing an issue with Edge Inspect and your http://foobar.dev site is the same reason why you wouldn't/shouldn't expect to type that URL into a browser on another machine and be able to view the website... there's no external DNS server to talk to that knows where that address is actually located.
  So, Edge Inspect might be doing less than you thought is was in those terms. The main focus of Edge Inspect really is:
  1. Managing the connection from your computer to multiple connected devices
  2. Translating localhost, 127.0.0.1, and <machinename>.local urls
  3. Keeping multiple devices in sync
  4. Simplifying things like cache clearing and screenshots on all your devices
  5. Providing a simple interface into weinre for remote inspection
  Definitely read more on xip.io. It's a public website, yes. We don't have anything to do with it, but it does provide a nice workflow for using virtual hosts with Edge Inspect.
  Mark
  Message was edited by: Mark Rausch to clarify the 1st paragraph

• Tacacs+ Enable password is not working on Cisco Switch

  Ladies/Gents,
  I am facing issues when enabling tacacs authentication on my cisco switch, aaa login/password is working, aaa enable is not. Underneath details of my devices.
  Cisco ACS 1121: version 5.1
  Cisco Switch 3560: ios ver 15
  I also attached here some documents for your review and comment (switch aaa configuration, debug aaa authentication, acs captured screen)
  Hoping to receive an update and comment from you soon.
  Thanks,
  Arnold

  Hi Edward,
  I created a new shell profiles named "root" as the default one "Permit Access" can't be access or modified, underneath the steps I've made.
  1. Create a new shell profile name "root" with max privilege of 15. And then used it in "Default Device Admin/Authorization/Rule-1" shell profile - see attached file for more details.
  2. Telnet the Switch and then Issue "debug aaa authentication" using both "Root Shell" and "Permit Access" applied in Rule-1 profile.
  Note:
  I also attached here the captured screen and debug result for the "shell profiles"

• Why does my mac not work with cisco E3000 router

  It says that it needs os x 10.6.1 or later and I have that and its not working

  Ask Cisco, but:
  Internet Quick Assist:
  http://support.apple.com/kb/HT1144?viewlocale=en_US
  Troubleshooting internet settings:
  http://support.apple.com/kb/HT1714?viewlocale=en_US