IP SLA port

Hi,
Just a quick clarification. We use the IP SLA product with a router configured as the SA agent (with ip sla monitor responder enabled) and use our SNMP management station (Concord) to measure/take the stats from the routers and display them accordingly. However, all the SA agents (customer CPE) have now moved behind a third-party-maintained firewall. I need to open up this firewall but am unsure of the direction of the traffic flow.
So, I think it uses UDP port 1967, but can you tell me if the SNMP Concorde station polls the SA agents/customer CPE with UDP port 167 as the destination?
dunshaughlin_PE14_dub>sh ip sockets
Proto Remote Port Local Port In Out Stat TTY OutputIF
17 0.0.0.0 0 10.88.79.225 1967 0 0 211 0
17 255.255.255.255 0 10.80.103.84 2067 0 0 100001 0
17 10.196.126.39 162 10.80.103.84 50646 0 0 0 0

Back again, I've just been onto the Concorde support people.
They have come back to me confirming that their Concorde server can communicate via port 161 to both the SAA source and the SAA destination. The SAA destination, where the responder command is enabled (10.80.103.105), can ping the SAA source (10.80.100.54). However, Concorde are insisting that I need to confirm that the SAA source and SAA destination SLA applications are communicating with each other.
They can successfully ping each other, but the ACL 111 I have enabled on both ends is not picking anything up, even though Concorde is set up to poll every 62 seconds. The access-list 111 which I am debugging is:
SAA_Responder_dub#sh access-list 111
Extended IP access list 111
10 permit icmp host 10.80.100.54 host 10.88.163.225
20 permit icmp host 10.80.100.54 host 10.80.103.105
30 permit ip host 10.80.100.54 host 10.80.103.105
40 permit ip host 10.80.100.54 host 10.88.163.225
SAA_Responder_dub#
Any ideas, or should I raise a TAC case?
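The flows the firewall has to pass, worked through as an added example (this is not code from the original post). It assumes the standard Cisco behaviour: before each operation the SLA source sends a control message to UDP/1967 on the responder (unless the operation is configured with control disable), then sends the probe itself to the configured target port, and the responder answers back to the source's own address and port; the NMS polls agents on UDP/161 and receives traps on UDP/162. The show ip sockets rows and addresses are the ones quoted in the post; the responder port 16384 and the helper names are my own for illustration.

```python
"""Derive the firewall openings an IP SLA responder plus SNMP polling needs."""
import re
from dataclasses import dataclass

SLA_CONTROL_PORT = 1967   # responder listens here for control messages
SNMP_PORT = 161           # NMS -> agent polls
SNMP_TRAP_PORT = 162      # agent -> NMS traps
UDP = 17


@dataclass(frozen=True)
class Flow:
    src: str      # initiator of the flow
    dst: str      # listener
    dport: int    # UDP destination port to permit
    purpose: str


# Columns of 'show ip sockets': Proto Remote Port Local Port In Out Stat TTY OutputIF
SOCKET_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\b")


def parse_ip_sockets(text):
    """Return (proto, remote, rport, local, lport) tuples; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = SOCKET_RE.match(line)
        if m:
            proto, remote, rport, local, lport = m.groups()
            rows.append((int(proto), remote, int(rport), local, int(lport)))
    return rows


def flows_from_sockets(rows, sla_source):
    """Turn the sockets a router has open into the directional flows they imply."""
    flows = []
    for proto, remote, rport, local, lport in rows:
        if proto != UDP:
            continue
        if lport == SLA_CONTROL_PORT:       # responder waiting for control messages
            flows.append(Flow(sla_source, local, lport, "IP SLA control to responder"))
        elif rport == SNMP_TRAP_PORT:       # trap socket bound towards the NMS
            flows.append(Flow(local, remote, rport, "SNMP trap to NMS"))
    return flows


def sla_flows(source, responder, probe_port, control=True):
    """Flows one operation initiates, always source -> responder."""
    flows = [Flow(source, responder, probe_port, "IP SLA probe")]
    if control:
        flows.insert(0, Flow(source, responder, SLA_CONTROL_PORT, "IP SLA control"))
    return flows


def snmp_flows(nms, agents):
    """NMS polls each agent on 161; each agent sends traps to the NMS on 162."""
    polls = [Flow(nms, a, SNMP_PORT, "SNMP poll from NMS") for a in agents]
    traps = [Flow(a, nms, SNMP_TRAP_PORT, "SNMP trap to NMS") for a in agents]
    return polls + traps


def as_acl(flows):
    """Render flows as extended-ACL style lines, de-duplicated, in order.
    A stateful firewall passes the replies implicitly; a stateless one also
    needs the reverse direction opened."""
    seen, lines = set(), []
    for f in flows:
        if f not in seen:
            seen.add(f)
            lines.append(f"permit udp host {f.src} host {f.dst} eq {f.dport}  ! {f.purpose}")
    return lines


if __name__ == "__main__":
    rows = parse_ip_sockets("17 0.0.0.0 0 10.88.79.225 1967 0 0 211 0")
    for line in as_acl(flows_from_sockets(rows, "10.80.100.54")
                       + sla_flows("10.80.100.54", "10.80.103.105", 16384)
                       + snmp_flows("10.196.126.39", ["10.80.100.54", "10.80.103.105"])):
        print(line)
```

Note that nothing here goes to the responder on UDP/161 because of IP SLA itself; 161 is only the SNMP poll from the NMS, and the probe/control traffic is strictly source to responder.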

Similar Messages

  • CSCtg82170: ip sla target port changes to 1967

    I've been impacted by this bug significantly. The SLAs are used for gathering stats that populate a customer portal. The bug basically causes the SLA to fail when the event occurs, and there's no indication that it has occurred.
    For no reason the target port changes to 1967, which is reserved for IP SLA control packets.
    example:
    ip sla 778482511
    udp-jitter 10.197.197.253 15426 source-ip 192.168.15.254 num-packets 20 interval 300
    vrf xxxxxx
    owner xxx
    tag AutoGenerated
    frequency 300
    ip sla schedule 778482511 life forever start-time now
    becomes
    ip sla 778482511
    udp-jitter 10.197.197.253  1967 source-ip 192.168.15.254 num-packets 20 interval 300
    vrf xxxxxx
    owner xxx
    tag AutoGenerated
    frequency 300
    ip sla schedule 778482511 life forever start-time now
    It took quite some time to work out what was actually happening, and some time on a TAC service request before it was acknowledged as a bug.
    Below is a table indicating device counts for various platforms and images, with the affected count at the bottom.
    h/w        image          count
    1841       12.4(15)T8        98
    1841       12.4(7a)          41
    1941       15.1(1)T        1944
    1941       15.1(1)T2          3
    1941       15.1(3)T3         48
    1941       15.1(4)M4        349
    1941       15.2(1)T1          3
    1941       15.2(2)T           2
    2821       12.4(15)T9         1
    2821       12.4(2)T1         21
    2821       12.4(24)T2        79
    2951       15.2(1)T          24
    3845       12.4(24)T2         6
    2921/K9    15.1(2)T1          2
    2921/K9    15.2(1)T          48
    3750ME     12.1(14)AX2        2
    3750ME     12.2(52)SE        59
    Total                       2730
    Devices currently displaying the issue
    1941       15.1(1)T         324
    1941       15.1(3)T3          3
    1941       15.1(4)M4         10
    If you've been struck by this bug I know you'll be relieved that it's actually a bug and you're not going insane :-)
    We currently have extra monitoring/checking in order to get on top of the issue but a fix would be really great.

    We're having a similar issue with icmp-echo in that our source-ip address changes quite frequently in the running config (7201 rtr). The destination ip also appears to change when viewing sh ip sla configuration but not in the running config. We're currently running 12.4(24)T1. Looks like we'll be doing an IOS upgrade in the near future...
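    The "extra monitoring/checking" mentioned above, as an added example (not code from either poster). It parses the ip sla blocks out of a running-config as pasted in the thread and flags any udp-jitter or udp-echo operation whose target port has become 1967, the IP SLA control port, plus a baseline comparison that alarms on any port change regardless of value. The operation ids and ports come from the thread's own example; the function names are mine.

```python
"""Detect IP SLA operations whose configured target port has drifted."""
import re

SLA_CONTROL_PORT = 1967
HEADER_RE = re.compile(r"^\s*ip sla (\d+)\s*$")                          # start of an operation block
OP_RE = re.compile(r"^\s*(udp-jitter|udp-echo)\s+(\S+)\s+(\d+)(.*)$")   # type, target, port, options


def parse_sla_ops(config):
    """Map operation id -> {'type', 'target', 'port', 'options'} for UDP operations."""
    ops, current = {}, None
    for line in config.splitlines():
        head = HEADER_RE.match(line)
        if head:                           # 'ip sla schedule ...' and 'ip sla responder'
            current = int(head.group(1))   # do not match, so they never open a block
            continue
        if current is None:
            continue
        m = OP_RE.match(line)
        if m:
            ops[current] = {"type": m.group(1), "target": m.group(2),
                            "port": int(m.group(3)), "options": m.group(4).strip()}
    return ops


def ops_on_control_port(config):
    """Operation ids whose target port is the reserved control port 1967."""
    return sorted(sid for sid, op in parse_sla_ops(config).items()
                  if op["port"] == SLA_CONTROL_PORT)


def port_drift(baseline_config, running_config):
    """{id: (expected_port, running_port)} for operations whose port changed."""
    base, run = parse_sla_ops(baseline_config), parse_sla_ops(running_config)
    return {sid: (base[sid]["port"], run[sid]["port"])
            for sid in base if sid in run and base[sid]["port"] != run[sid]["port"]}


if __name__ == "__main__":
    # Constructed from the thread's example: the same operation before and after the bug.
    BASE = ("ip sla 778482511\n"
            " udp-jitter 10.197.197.253 15426 source-ip 192.168.15.254 num-packets 20 interval 300\n"
            " frequency 300\n"
            "ip sla schedule 778482511 life forever start-time now\n")
    RUN = BASE.replace("15426", "1967")
    print(ops_on_control_port(RUN), port_drift(BASE, RUN))
```

    Run it against show running-config pulled on each poll cycle; an entry in either result means the operation has stopped measuring what you think it measures, even though show ip sla statistics still reports a return code.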

  • ASA 5505 8.4. How to configure the switch to the backup channel to the primary with a delay (ex., 5 min) using the SLA?

    I have an ASA 5505 running 8.4. How do I configure the switch from the backup channel back to the primary with a delay (for example, 5 min.) using the SLA monitor?
    Or is there some other way to implement it?
    My configuration for SLA monitor:
    sla monitor 123
     type echo protocol ipIcmpEcho IP_GATEWAY_MAIN interface outside_cifra
     num-packets 3
     timeout 3000
     frequency 10
    sla monitor schedule 123 life forever start-time now
    track 1 rtr 123 reachability

    Hey cadet alain,
    thank you for your answer :-)
    I have deleted all such attempts that were not working, so a packet-trace would not be very useful content...
    Here is the log line when I try to browse port 80 from outside (80.xxx.xxx.180:80) without a VPN connection:
    3 | Nov 21 2011 18:29:56 | 77.xxx.xxx.99:59068 -> 80.xxx.xxx.180:80 | TCP access denied by ACL from 77.xxx.xxx.99/59068 to outside:80.xxx.xxx.180/80
    The attached file is only the show running-config.
    Now I can connect with my AnyConnect clients, too, but after the connection is up my VPN clients can't surf the web any longer because AnyConnect serves as the default route on 0.0.0.0... that's bad, too.
    Actually the AnyConnect and NAT/ACL problems are my last two open problems until I set up the second ASA on the right ;-)
    Regards.
    Chris

  • Is it possible to input itunes into DVI/HDCP input from imac with Apple mini display portS?

    Is it possible to input itunes into DVI/HDCP input from imac with Apple mini display port? Or is there another way?

    The problem with iTunes is needing a computer running it, or a continuous internet connection.
    A Time Capsule is AC mains powered, no battery. Although you can certainly buy an older Gen4 TC and modify it...
    https://sites.google.com/site/lapastenague/time-capsule-power-supply-repair-kits
    I have run my TC on a 12V SLA battery, which would neatly meet that part of the functionality you want. But it is heavy and not really the rugged sort of device I think you want.
    But I would look at other media players and other ways of storing movies than iTunes, if you want to carry the whole lot around with you... A bunch of SD cards you could even plug into the iPad??
    External storage for iPad?
    A small cheap PC/Mac laptop with a 1TB hard disk in it and an 11" or 13" screen can often be a much better solution than lugging around multiple items so you can fit Apple devices into your life.

  • IP SLA Request size (ARR data portion) UDP Jitter

    Looking through the documentation for ip sla udp jitter, Cisco says these are the default values -
    "By default, ten packet frames (N), each with a payload size of 10 bytes (S), are generated every 10 ms (T), and the operation is repeated every 60 seconds (F)."
    however, looking at sh ip sla configuration on my router I get different values -
    ip sla 1001
    udp-jitter 2.2.2.2 20000 source-ip 1.1.1.1
    ip sla schedule 1001 life 3000 start-time now
    sh ip sla configuration
    Entry number: 1001
    Owner:
    Tag:
    Operation timeout (milliseconds): 5000
    Type of operation to perform: udp-jitter
    Target address/Source address: 1.1.1.1/2.2.2.2
    Target port/Source port: 20000/0
    Type Of Service parameter: 0x0
    Request size (ARR data portion): 32
    Packet Interval (milliseconds)/Number of packets: 20/10
    This is confusing to me. According to this, the operation is sending 10 frames at 32 bytes each, with 20 ms between frames. Is this correct? Or are these the default parameters for UDP jitter? If so, this definitely does not match the data presented on cisco.com.
    thanks,
    Alex

    Hi Alex ,
    For UDP jitter, the request data size is 32 bytes by default; however, you can change it:
    NMS-6500(config-ip-sla-jitter)#request-data-size ?
      <16-1500>  Number of bytes in payload
    For ICMP echo, the request data size is 28 bytes by default.
    Thanks,
    Afroz
    [Do rate the useful post]

  • IP SLA UDP-ECHO socket error

    I have this configuration on an ASR1002F router. I am trying to set up IP SLA so that we can monitor the delay on WAN interfaces, and would like to send UDP echo from one router to another across the WAN. I need to send and receive on fixed port numbers. I keep getting socket errors. Any ideas on what I need to do?
    no ip sla 5
    ip sla 5
    udp-echo <dest ip> 65000 source-port 65000 control disable
    frequency 5
    ip sla schedule 5 life forever start-time now
    exit

    Was there a "source-ip xx.xx.xx.xx" portion on the "udp-echo 65000 source-port 65000 control disable" line?
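    An added example, not code from the thread, of what "fixed ports with control disabled" means on the wire. With control disable the source never asks the responder over UDP/1967 to open the probe port, so the far end must already be listening on the fixed port you chose (on IOS that is the ip sla responder udp-echo ipaddress <addr> port <port> form). This pair reproduces the exchange from ordinary hosts so you can check that the fixed ports pass whatever sits in between before blaming the router: run start_responder() on the far side and udp_echo_probe() from the near side. Here it runs on loopback; the function names and the 32-byte zero payload are my own choices.

```python
"""UDP echo responder and probe on fixed ports, to test the path by hand."""
import socket
import threading
import time


def start_responder(bind_addr="127.0.0.1", port=0):
    """Listen on a fixed UDP port and echo each datagram back to its sender.
    Returns (thread, bound_port, stop_event); port 0 picks a free port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    sock.settimeout(0.2)                     # wake up regularly to notice stop_event
    stop = threading.Event()

    def loop():
        while not stop.is_set():
            try:
                data, peer = sock.recvfrom(2048)
            except socket.timeout:
                continue
            except OSError:
                break
            sock.sendto(data, peer)          # reply to the sender's own address/port
        sock.close()

    thread = threading.Thread(target=loop, daemon=True)
    thread.start()
    return thread, sock.getsockname()[1], stop


def udp_echo_probe(host, port, source_port=0, payload=b"\x00" * 32, timeout=2.0):
    """Send one datagram from a fixed source port; return RTT in ms, or None if
    nothing (or something other than our payload) came back in time."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.bind(("", source_port))         # fixed source port, like 'source-port 65000'
        started = time.perf_counter()
        sock.sendto(payload, (host, port))
        data, _ = sock.recvfrom(2048)
        rtt_ms = (time.perf_counter() - started) * 1000.0
    except OSError:                          # timeout, ICMP unreachable, bind failure
        return None
    finally:
        sock.close()
    return rtt_ms if data == payload else None


def probe_series(host, port, count=10, **probe_kwargs):
    """Run `count` probes and summarise them like 'show ip sla statistics'."""
    rtts = [r for r in (udp_echo_probe(host, port, **probe_kwargs) for _ in range(count))
            if r is not None]
    return {"sent": count, "received": len(rtts), "lost": count - len(rtts),
            "min_ms": min(rtts) if rtts else None,
            "avg_ms": sum(rtts) / len(rtts) if rtts else None,
            "max_ms": max(rtts) if rtts else None}


def free_udp_port(bind_addr="127.0.0.1"):
    """Pick a currently unused UDP port (bind to 0, read it back, release it)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((bind_addr, 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    thread, port, stop = start_responder()
    print(probe_series("127.0.0.1", port, count=10, source_port=0))
    stop.set()
    thread.join(1.0)
```

    If the probe times out against the real responder but succeeds against a host on the responder's LAN, the fixed port is being dropped in between; if it fails even there, the responder side is not listening on that port.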

  • IP SLA responder on Catalyst 2960S stacked

    Hi
    I have a pair of switches stacked:
    Switch Ports Model                          SW Version          SW Image
         1    52      WS-C2960S-48FPS-L  15.0(1)SE             C2960S-UNIVERSALK9-M
    *    2    52      WS-C2960S-48FPS-L  15.0(1)SE             C2960S-UNIVERSALK9-M
    When I try to enable ip sla responder on the stack I get:
    %SYS-3-HARIKARI: Process IP SLAs Responder top-level routine exited
    I have been able to find a bug in the toolkit. Should ip sla responder be supported on the
    stack as above?
    Thanks
    Lee Flight

    I can confirm 15.0(1)SE3 still has the bug.
    I just tested 15.0(2)SE3, released yesterday, in a lab environment and....... (drum roll)..... no more HARIKARI. Hardware was two WS-C2960S-48FPS-L unstacked (one of them with a stacking module installed, though).
    Haven't tried the earlier 15.0(2) (i.e. SE, SE1 and SE2) releases - maybe they work too.

  • IP-sla udp-jitter / one-way delay no output

    Hi *,
    I have a question regarding "ip sla udp-jitter".
    On some connections I get output from "show ip sla stat" for the _one-way delay_;
    on other links I don't get any output. The configuration is always the same and the probes are running.
    NTP is configured, but in my opinion whether I get output for the _one-way delay_
    or not depends on the NTP root dispersion.
    Is there a maximum allowed time difference between the two routers?
    Here is one working / one not working output from the same router but different peers:
    Not working::
    Latest operation return code: OK
    RTT Values:
    Number Of RTT: 100    RTT Min/Avg/Max: 11/11/13 milliseconds
    Latency one-way time:
    Number of Latency one-way Samples: 0
    Source to Destination Latency one way Min/Avg/Max: 0/0/0 milliseconds
    Destination to Source Latency one way Min/Avg/Max: 0/0/0 milliseconds
    Working:
    Latest operation return code: OK
    RTT Values:
    Number Of RTT: 100    RTT Min/Avg/Max: 12/13/14 milliseconds
    Latency one-way time:
    Number of Latency one-way Samples: 100
    Source to Destination Latency one way Min/Avg/Max: 6/7/8 milliseconds
    Destination to Source Latency one way Min/Avg/Max: 5/6/7 milliseconds
    I hope one of you can help me to find / fix the problem,
    Thanks in advance / Emanuel

    Hi everyone,
    I have the same doubt.
    I did an IP SLA configuration on an 1841 and a 7206VXR and it doesn't show anything in one-way delay.
    ----------------------7206---------------------
    ip sla monitor responder
    ip sla monitor 1
     type jitter dest-ipaddr 10.9.105.14 dest-port 16384 source-ipaddr 10.8.20.102 codec g711alaw
     tos 184
    ip sla monitor schedule 1 start-time now
    ntp peer 10.9.105.14
    HOST)#show ip sla sta
    Round Trip Time (RTT) for       Index 1
            Latest RTT: 507 milliseconds
    Latest operation start time: 10:57:36.619 UTC Sun Oct 10 2010
    Latest operation return code: OK
    RTT Values:
            Number Of RTT: 1000             RTT Min/Avg/Max: 125/507/846 milliseconds
    Latency one-way time:
            Number of Latency one-way Samples: 0
            Source to Destination Latency one way Min/Avg/Max: 0/0/0 milliseconds
            Destination to Source Latency one way Min/Avg/Max: 0/0/0 milliseconds
    Jitter Time:
            Number of Jitter Samples: 999
            Source to Destination Jitter Min/Avg/Max: 1/1/6 milliseconds
            Destination to Source Jitter Min/Avg/Max: 1/5/23 milliseconds
    Packet Loss Values:
            Loss Source to Destination: 0           Loss Destination to Source: 0
            Out Of Sequence: 0      Tail Drop: 0    Packet Late Arrival: 0
    Voice Score Values:
            Calculated Planning Impairment Factor (ICPIF): 17
            Mean Opinion Score (MOS): 3.84
    Number of successes: 38
    Number of failures: 0
    Operation time to live: 1347 sec
    -------------------------1841-------------------------------
    ip sla monitor responder
    ip sla monitor 1
     type jitter dest-ipaddr 10.8.20.102 dest-port 16384 source-ipaddr 10.9.105.14 codec g711alaw
     tos 184
    ip sla monitor schedule 1 start-time now
    ntp peer 10.8.20.102
    3383)#show ip sla monitor statistic
    Round trip time (RTT)   Index 1
            Latest RTT: 614 ms
    Latest operation start time: 10:50:50.491 UTC Wed Oct 27 2010
    Latest operation return code: OK
    RTT Values
            Number Of RTT: 999
            RTT Min/Avg/Max: 347/614/867 ms
    Latency one-way time milliseconds
            Number of one-way Samples: 0
            Source to Destination one way Min/Avg/Max: 0/0/0 ms
            Destination to Source one way Min/Avg/Max: 0/0/0 ms
    Jitter time milliseconds
            Number of SD Jitter Samples: 997
            Number of DS Jitter Samples: 998
            Source to Destination Jitter Min/Avg/Max: 0/6/19 ms
            Destination to Source Jitter Min/Avg/Max: 0/1/3 ms
    Packet Loss Values
            Loss Source to Destination: 1           Loss Destination to Source: 0
            Out Of Sequence: 0      Tail Drop: 0    Packet Late Arrival: 0
    Voice Score Values
            Calculated Planning Impairment Factor (ICPIF): 20
    MOS score: 3.72
    Number of successes: 32
    Number of failures: 0
    Operation time to live: 1668 sec

  • IP SLA, Tunnels, and static routes

    Here's the scenario:  1 router will have a primary and secondary ISP connection.  I set up an SLA to track connectivity on the primary connection.  Here are the static routes:
    ip route 0.0.0.0 0.0.0.0 Tunnel55 track 10
    ip route 12.54.X.X 255.255.255.240 GigabitEthernet0/0 track 10
    ip route 12.54.X.Y 255.255.255.255 X.15.115.X track 10
    ip route 192.168.32.0 255.255.240.0 Tunnel55 track 10
    ip route 192.168.48.0 255.255.252.0 Tunnel55 track 10
    ip route 192.168.56.0 255.255.255.0 Tunnel55 track 10
    ip route 0.0.0.0 0.0.0.0 Tunnel56 254
    ip route 12.54.X.X 255.255.255.240 GigabitEthernet0/1 254
    ip route 12.54.X.Y 255.255.255.255 X.15.81.X 254
    ip route 192.168.32.0 255.255.240.0 Tunnel56 254
    ip route 192.168.48.0 255.255.252.0 Tunnel56 254
    ip route 192.168.56.0 255.255.255.0 Tunnel56 254
    So I shut down the port (gi0/0) belonging to the primary port.  At this point, it seemed like it worked fine.  The routes shifted over to the backup routes.  However, when I re-enabled the port, only two of the routes switched back. The routes pointing to Tunnels stayed on the secondary tunnel. When I browsed my static routes, I saw this:
    Gateway of last resort is 0.0.0.0 to network 0.0.0.0
    S*    0.0.0.0/0 is directly connected, Tunnel56
          12.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
    S        12.x.x.16/28 is directly connected, GigabitEthernet0/0
    S        12.x.y.20/32 [1/0] via x.15.115.x
    S     192.168.32.0/20 is directly connected, Tunnel56
    S     192.168.48.0/22 is directly connected, Tunnel56
    S     192.168.56.0/24 is directly connected, Tunnel56
    Is there something special I need to do for Tunnels to allow the Tunnel routes to switch back automatically?

    Hello Ken,
    I can see you are sending the probe packets to the same object ( using the track ID 10 )
    After you bring the interface tunnel up, can you confirm if you can send traffic to that object?
    Regards,
    Julio

  • IP SLA stats - one-way latency / MOS score 4.34 not updating

    I'm trying to use Cisco IP SLA to benchmark voice traffic performance before and after I apply QoS to the network.
    *  I've setup IP SLA in both directions over a DSL connection between a 7600, and an 1801
    *  I've setup IP SLA in both directions over an Ethernet WAN link between a 7200 and another 7200
    ip sla 1
    udp-jitter 10.101.1.1 32770 source-ip 10.101.2.1 source-port 32770 codec g711alaw
    frequency 30
    ip sla schedule 1 life forever start-time now
    ip sla responder
    I have a problem in that I'm not getting any meaningful data from the IP SLA statistics for Voice Score Values, or any data for Latency one-way time, for any of my tests (x4).
    After a day of testing it seems the MOS score never changes from 4.34, and the ICPIF never changes from 1
    Is there something wrong with my config?  Is this working properly or could this be a bug?
    ADSL-R1#show ip sla statistics 1 details
    Round Trip Time (RTT) for       Index 1
            Latest RTT: 48 milliseconds
    Latest operation start time: *09:27:48.435 UTC Thu Jul 5 2012
    Latest operation return code: OK
    Over thresholds occurred: FALSE
    RTT Values:
            Number Of RTT: 999              RTT Min/Avg/Max: 45/48/89 milliseconds
    Latency one-way time:
            Number of Latency one-way Samples: 0
            Source to Destination Latency one way Min/Avg/Max: 0/0/0 milliseconds
            Destination to Source Latency one way Min/Avg/Max: 0/0/0 milliseconds
            Source to Destination Latency one way Sum/Sum2: 0/0
            Destination to Source Latency one way Sum/Sum2: 0/0
    Jitter Time:
            Number of Jitter Samples: 997
            Source to Destination Jitter Min/Avg/Max: 1/2/26 milliseconds
            Destination to Source Jitter Min/Avg/Max: 1/1/18 milliseconds
            Source to destination positive jitter Min/Avg/Max: 1/2/26 milliseconds
            Source to destination positive jitter Number/Sum/Sum2: 348/793/4295
            Source to destination negative jitter Min/Avg/Max: 1/2/16 milliseconds
            Source to destination negative jitter Number/Sum/Sum2: 346/802/3742
            Destination to Source positive jitter Min/Avg/Max: 1/1/18 milliseconds
            Destination to Source positive jitter Number/Sum/Sum2: 330/611/2051
            Destination to Source negative jitter Min/Avg/Max: 1/1/18 milliseconds
            Destination to Source negative jitter Number/Sum/Sum2: 318/606/1992
            Interarrival jitterout: 0       Interarrival jitterin: 0
    Packet Loss Values:
            Loss Source to Destination: 0           Loss Destination to Source: 1
            Out Of Sequence: 0      Tail Drop: 0    Packet Late Arrival: 0
    Voice Score Values:
            Calculated Planning Impairment Factor (ICPIF): 1
    MOS score: 4.34
    Number of successes: 72
    Number of failures: 0
    Operation time to live: Forever
    Operational state of entry: Active
    Last time this entry was reset: Never
    7200-R2#show ip sla statistics details
    Round Trip Time (RTT) for       Index 1
    Type of operation: jitter
            Latest RTT: 6 ms
    Latest operation start time: 08:08:31.349 UTC Thu Jul 5 2012
    Latest operation return code: OK
    RTT Values
            Number Of RTT: 1000
            RTT Min/Avg/Max: 2/6/199 ms
    Latency one-way time milliseconds
            Number of Latency one-way Samples: 0
            Source to Destination Latency one way Min/Avg/Max: 0/0/0 ms
            Destination to Source Latency one way Min/Avg/Max: 0/0/0 ms
            Source to Destination Latency one way Sum/Sum2: 0/0
            Destination to Source Latency one way Sum/Sum2: 0/0
    Jitter time milliseconds
            Number of SD Jitter Samples: 999
            Number of DS Jitter Samples: 999
            Source to Destination Jitter Min/Avg/Max: 0/2/13 ms
            Destination to Source Jitter Min/Avg/Max: 0/1/195 ms
            Source to destination positive jitter Min/Avg/Max: 1/1/13 ms
            Source to destination positive jitter Number/Sum/Sum2: 342/638/2142
            Source to destination negative jitter Min/Avg/Max: 1/1/11 ms
            Source to destination negative jitter Number/Sum/Sum2: 335/638/1886
            Destination to Source positive jitter Min/Avg/Max: 1/2/195 ms
            Destination to Source positive jitter Number/Sum/Sum2: 198/408/38510
            Destination to Source negative jitter Min/Avg/Max: 1/2/128 ms
            Destination to Source negative jitter Number/Sum/Sum2: 203/408/20720
            Interarrival jitterout: 0       Interarrival jitterin: 0
            Over thresholds occurred: FALSE
    Packet Loss Values
            Loss Source to Destination: 0           Loss Destination to Source: 0
            Out Of Sequence: 0      Tail Drop: 0    Packet Late Arrival: 0
            Packet Skipped: 0
    Voice Score Values
            Calculated Planning Impairment Factor (ICPIF): 1
    MOS score: 4.34
    Number of successes: 19
    Number of failures: 0
    Operation time to live: Forever
    Operational state of entry: Active
    Last time this entry was reset: 15:59:31.345 UTC Wed Jul 4 2012

    Update (RESOLVED)
    The MOS and ICPIF scores do change. I saturated the WAN link with FTP download/upload traffic, inducing packet loss, increased jitter and delay. The scores degraded accordingly:
    R#show ip sla statistics 10 details
    Round Trip Time (RTT) for       Index 10
    Type of operation: jitter
            Latest RTT: 292 ms
    Latest operation start time: 19:07:12.358 UTC Tue Jul 17 2012
    Latest operation return code: OK
    RTT Values
            Number Of RTT: 979
            RTT Min/Avg/Max: 58/292/487 ms
    Latency one-way time milliseconds
            Number of Latency one-way Samples: 1
            Source to Destination Latency one way Min/Avg/Max: 1/1/1 ms
            Destination to Source Latency one way Min/Avg/Max: 112/112/112 ms
    Jitter time milliseconds
            Number of SD Jitter Samples: 958
            Number of DS Jitter Samples: 958
            Source to Destination Jitter Min/Avg/Max: 0/1/6 ms
            Destination to Source Jitter Min/Avg/Max: 0/11/151 ms
    Packet Loss Values
            Loss Source to Destination: 0           Loss Destination to Source: 21
            Out Of Sequence: 0      Tail Drop: 0
            Packet Late Arrival: 0  Packet Skipped: 0
    Voice Score Values
            Calculated Planning Impairment Factor (ICPIF): 10
    MOS score: 4.09
    Number of successes: 32
    Number of failures: 0
    Operation time to live: Forever
            Source to Destination Latency one way Sum/Sum2: 9591/94681
            Destination to Source Latency one way Sum/Sum2: 346227/125286895
    Jitter time milliseconds
            Number of SD Jitter Samples: 999
            Number of DS Jitter Samples: 999
            Source to Destination Jitter Min/Avg/Max: 0/2/11 ms
            Destination to Source Jitter Min/Avg/Max: 0/10/48 ms
            Source to destination positive jitter Min/Avg/Max: 1/2/11 ms
            Source to destination positive jitter Number/Sum/Sum2: 231/513/2789
            Source to destination negative jitter Min/Avg/Max: 1/2/10 ms
            Source to destination negative jitter Number/Sum/Sum2: 232/512/2724
            Destination to Source positive jitter Min/Avg/Max: 1/15/48 ms
            Destination to Source positive jitter Number/Sum/Sum2: 305/4762/93106
            Destination to Source negative jitter Min/Avg/Max: 1/6/42 ms
            Destination to Source negative jitter Number/Sum/Sum2: 682/4717/43395
            Interarrival jitterout: 0       Interarrival jitterin: 0
            Over thresholds occurred: FALSE
    Packet Loss Values
            Loss Source to Destination: 0           Loss Destination to Source: 0
            Out Of Sequence: 0      Tail Drop: 0    Packet Late Arrival: 0
            Packet Skipped: 0
    Voice Score Values
            Calculated Planning Impairment Factor (ICPIF): 5
    MOS score: 4.24
    Number of successes: 43
    Number of failures: 0
    Operation time to live: Forever
    Operational state of entry: Active
    Last time this entry was reset: 17:51:41.945 BST Fri Jul 20 2012
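    An added example (not code from either the "one-way delay no output" thread above or this one) that turns the symptom both threads show into a verdict. IP SLA can only compute one-way latency when the source and the responder have synchronized clocks (NTP on both ends); without that, the one-way sample count stays at 0 while RTT, jitter and loss are still reported, which is exactly the pattern in the pasted outputs. The parser accepts both the older "Number of one-way Samples" and the newer "Number of Latency one-way Samples" wording; the sample text in the test is copied from the threads, and the function names and verdict strings are mine.

```python
"""Explain why 'show ip sla statistics' shows RTT but no one-way latency."""
import re

RC_RE = re.compile(r"Latest operation return code:\s*(\S+)", re.I)
RTT_RE = re.compile(r"Number Of RTT:\s*(\d+)", re.I)                     # '100RTT Min...' still yields 100
ONEWAY_RE = re.compile(r"Number of (?:Latency )?one-way Samples:\s*(\d+)", re.I)
LOSS_RE = re.compile(r"Loss Source to Destination:\s*(\d+)\s+Loss Destination to Source:\s*(\d+)", re.I)


def parse_stats(text):
    """Pull the counters that matter out of one operation's statistics block."""
    rc = RC_RE.search(text)
    rtt = RTT_RE.search(text)
    oneway = ONEWAY_RE.search(text)
    loss = LOSS_RE.search(text)
    return {
        "return_code": rc.group(1) if rc else None,
        "rtt_samples": int(rtt.group(1)) if rtt else 0,
        "oneway_samples": int(oneway.group(1)) if oneway else 0,
        "loss_sd": int(loss.group(1)) if loss else 0,
        "loss_ds": int(loss.group(2)) if loss else 0,
    }


def diagnose(text):
    """Ordered checks: operation failing, nothing answering, clocks, then loss."""
    s = parse_stats(text)
    if s["return_code"] not in (None, "OK"):
        return f"operation failing: return code {s['return_code']}"
    if s["rtt_samples"] == 0:
        return "no RTT samples: probe never answered (responder, firewall or port?)"
    if s["oneway_samples"] == 0:
        return ("RTT present but no one-way samples: source and responder clocks "
                "not synchronized (check NTP on both ends)")
    if s["loss_sd"] or s["loss_ds"]:
        return f"one-way latency available; packet loss SD={s['loss_sd']} DS={s['loss_ds']}"
    return "healthy"


if __name__ == "__main__":
    # Constructed from the 'Not working' output in the earlier thread.
    print(diagnose("Latest operation return code: OK\n"
                   "Number Of RTT: 100RTT Min/Avg/Max: 11/11/13 milliseconds\n"
                   "Number of Latency one-way Samples: 0\n"))
```

    Feed it the per-operation text from show ip sla statistics (one operation per call); on a collector this is the check that distinguishes a broken clock from a broken path.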

  • ME IP SLA on U-PE device?

    Hello,
    A service provider delivers EVCs with QoS and wants to monitor the performance of their customers using IP SLA. We recommend using shadow routers on the SP POPs and measuring between these POPs, but they want to see the performance of every EVC on the network using IP SLA directly on the U-PE device.
    I was reading that the ME3400 has some limitations regarding IP SLA:
    The Cisco ME 3400 switch includes partial support for Cisco IOS IP Service Level Agreements (IP SLAs) to provide advanced network service monitoring information and collect data pertaining to SLAs verification. The switch can initiate and reply jitter probes. However, the traffic does not follow the queuing configuration that is applied to customer traffic. All locally originated traffic always goes to the same egress queue on the switch port, regardless of the ToS setting for the IP SLAs probe. We recommend the use of an external shadow router to measure latency and packet drop rate (PDR) across the switch.
    http://www.cisco.com/en/US/products/ps6580/prod_release_note09186a00806700ee.html#wp833196
    Is there any U-PE device that has full IP SLA support? Do you have any recommendation?
    Thanks!
    Alex

    Cisco IP Solution Center also supports SLA.

  • 802.1x port authentication not working

    I am having some trouble figuring out what is going on here. I am trying to set up 802.1x port-based authentication to assign clients to VLANs. I inherited this mess and it's been a long time since I have used this. I ran Wireshark on my RADIUS server and I see no packets even coming from my switch IP address when I plug into a port (I verified communication because pings come up in my trace).
    Switch info:
    sw-ConfB>sho ver
    Cisco IOS Software, C2960C Software (C2960c405-UNIVERSALK9-M), Version 12.2(55)EX3, RELEASE SOFTWARE (fc2)
    Port config:
    interface FastEthernet0/11
     switchport mode access
     authentication event fail action authorize vlan 900
     authentication event no-response action authorize vlan 900
     authentication port-control auto
     dot1x pae authenticator
     dot1x timeout tx-period 5
    Radius Server Info:
    radius-server host 10.0.1.52 auth-port 1645 acct-port 1646 key 802.1x!
    Kind of lost as to why no RADIUS packet even comes from the switch. Any tips?

    sw-ConfB#sho ru
    Building configuration...
    Current configuration : 6301 bytes
    version 12.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname sw-ConfB
    boot-start-marker
    boot-end-marker
    enable secret 5 $1$3QAC$puzutRpCI5zR3Xv55xBVH0
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa session-id common
    system mtu routing 1500
    crypto pki trustpoint TP-self-signed-706182400
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-706182400
     revocation-check none
     rsakeypair TP-self-signed-706182400
    crypto pki certificate chain TP-self-signed-706182400
     certificate self-signed 01
      3082023F 308201A8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
      30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
      69666963 6174652D 37303631 38323430 30301E17 0D393330 33303130 30303430
      365A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
      532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3730 36313832
      34303030 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
      C72AE421 F5BF8C62 7C9E14C1 E73686FB 67DD760A 0C6C790D 935143A0 8DD96CC8
      D14A11C1 D16F9583 AE3B591E 68581049 1C837110 1B1C0398 BDE81C86 3F80CD45
      E55EBE76 73B9F7AB 5F14CBD5 2BD38330 E1B4FA92 32490A66 CE0BE135 9B695D97
      BF7C04FB 2999CF98 2336E82C 559A89C1 7F4E2948 1D73EBD4 236E4DD9 4D8675AB
      02030100 01A36930 67300F06 03551D13 0101FF04 05300301 01FF3014 0603551D
      11040D30 0B820973 772D436F 6E66422E 301F0603 551D2304 18301680 14C35330
      A1D32EA5 C2A07CC9 B1B3CCDB EB93CAA7 02301D06 03551D0E 04160414 C35330A1
      D32EA5C2 A07CC9B1 B3CCDBEB 93CAA702 300D0609 2A864886 F70D0101 04050003
      8181002E FC217BF1 F9E6FBE1 B07270A6 79A57AA5 691A949D C61C00C2 09C1C3CA
      CA14EE07 60BA058E CFDCD8E7 19D83B68 5F06B92C 8612B396 B18BA823 C0E83021
      2EFD391E 06113246 5609E287 7883422A 0513AF6D 5BF03CDE 92786B1D 3E01284C
      1EE23296 12999C71 BE8A5BEA 4B768F7E 6EB63E05 B71AF375 7FB72B98 7665BF45 D14622
      quit
    dot1x system-auth-control
    spanning-tree mode pvst
    spanning-tree extend system-id
    vlan internal allocation policy ascending
    interface FastEthernet0/1
     switchport access vlan 900
     switchport mode access
     authentication event fail action authorize vlan 900
     authentication event no-response action authorize vlan 900
     authentication port-control auto
     dot1x pae authenticator
     dot1x timeout tx-period 5
    interface FastEthernet0/2
     switchport access vlan 900
     switchport mode access
     authentication event fail action authorize vlan 900
     authentication event no-response action authorize vlan 900
     authentication port-control auto
     dot1x pae authenticator
     dot1x timeout tx-period 5
    interface FastEthernet0/3
     switchport access vlan 900
     switchport mode access
     authentication event fail action authorize vlan 900
     authentication event no-response action authorize vlan 900
     authentication port-control auto
     dot1x pae authenticator
     dot1x timeout tx-period 5
    interface FastEthernet0/4
     switchport access vlan 900
     switchport mode access
     authentication event fail action authorize vlan 900
     authentication event no-response action authorize vlan 900
     authentication port-control auto
     dot1x pae authenticator
     dot1x timeout tx-period 5
    interface FastEthernet0/5
     switchport access vlan 900
     switchport mode access
     authentication event fail action authorize vlan 900
     authentication event no-response action authorize vlan 900
     authentication port-control auto
     dot1x pae authenticator
     dot1x timeout tx-period 5
    interface FastEthernet0/6
     switchport access vlan 900
     switchport mode access
     authentication event fail action authorize vlan 900
     authentication event no-response action authorize vlan 900
     authentication port-control auto
     dot1x pae authenticator
     dot1x timeout tx-period 5
    interface FastEthernet0/7
     switchport access vlan 900
     switchport mode access
     authentication event fail action authorize vlan 900
     authentication event no-response action authorize vlan 900
     authentication port-control auto
     dot1x pae authenticator
     dot1x timeout tx-period 5
    interface FastEthernet0/8
     switchport access vlan 900
     switchport mode access
     authentication event fail action authorize vlan 900
     authentication event no-response action authorize vlan 900
     authentication port-control auto
     dot1x pae authenticator
     dot1x timeout tx-period 5
    interface FastEthernet0/9
     switchport access vlan 900
     switchport mode access
     authentication event fail action authorize vlan 900
     authentication event no-response action authorize vlan 900
     authentication port-control auto
     dot1x pae authenticator
     dot1x timeout tx-period 5
    interface FastEthernet0/10
     switchport access vlan 900
     switchport mode access
     authentication event fail action authorize vlan 900
     authentication event no-response action authorize vlan 900
     authentication port-control auto
     dot1x pae authenticator
     dot1x timeout tx-period 5
    interface FastEthernet0/11
     switchport mode access
     authentication event fail action authorize vlan 900
     authentication event no-response action authorize vlan 900
     authentication port-control auto
     dot1x pae authenticator
     dot1x timeout tx-period 5
    interface FastEthernet0/12
     switchport access vlan 900
     switchport mode access
     authentication event fail action authorize vlan 900
     authentication event no-response action authorize vlan 900
     authentication port-control auto
     dot1x pae authenticator
     dot1x timeout tx-period 5
    interface GigabitEthernet0/1
     switchport trunk native vlan 200
     switchport trunk allowed vlan 100,200,900
     switchport mode trunk
    interface GigabitEthernet0/2
     switchport access vlan 100
     switchport mode access
    interface Vlan1
     no ip address
    interface Vlan100
     ip address 10.0.1.3 255.255.255.0
    interface Vlan200
     ip address 10.0.2.4 255.255.255.0
    interface Vlan900
     ip address 10.0.9.4 255.255.255.0
    ip default-gateway 10.0.1.1
    ip http server
    ip http secure-server
    ip sla enable reaction-alerts
    radius-server host 10.0.1.52 auth-port 1645 acct-port 1646 key 802.1x!
    radius-server retransmit 5
    radius-server key secret
    radius-server vsa send authentication

  • VPN Tunnel w/ 802.1X port authentication against remote RADIUS server

    I have a Cisco 892 set up as a VPN client connecting to an ASA 5515-X.  The tunnel works fine and comes up if there's correct traffic.  I have two RADIUS servers that I want to use certificate-based authentication against; they are located behind the ASA 5515-X.
    If I connect a computer that has the correct certificates to ports FA0 through 3, authentication won't work.  I'll see the following.  This happens even if the VPN tunnel is already established by doing something such as connecting a VOIP phone.  No entries appear in the RADIUS logs, and I also cannot ping the RADIUS servers from VLAN10.
    *Jan 30 19:46:01.435: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.1.100:1812,1813 is not responding.
    *Jan 30 19:46:01.435: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.1.100:1812,1813 is being marked alive.
    *Jan 30 19:46:21.659: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.26.10:1812,1813 is not responding.
    *Jan 30 19:46:21.659: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.26.10:1812,1813 is being marked alive.
    If I connect a second PC to an interface with 802.1X disabled, such as FA6, the VPN tunnel will establish itself correctly.  In this situation, I can ping the RADIUS servers from VLAN10.  If I then connect another PC with correct certificates to a port with 802.1X enabled, such as FA0 through 3, 802.1X will succeed.
    Current configuration : 6199 bytes
    ! Last configuration change at 15:40:11 EST Mon Feb 3 2014 by
    version 15.2
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname router1
    boot-start-marker
    boot-end-marker
    aaa new-model
    aaa local authentication default authorization default
    aaa authentication login default local
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa session-id common
    clock timezone EST -5 0
    clock summer-time EDT recurring
    ip cef
    ip dhcp pool pool
    import all
    network 192.168.28.0 255.255.255.248
    bootfile PXEboot.com
    default-router 192.168.28.1
    dns-server 192.168.26.10 192.168.1.100 8.8.8.8 4.2.2.2
    domain-name domain.local
    option 66 ip 192.168.23.10
    option 67 ascii PXEboot.com
    option 150 ip 192.168.23.10
    lease 0 2
    ip dhcp pool phonepool
    network 192.168.28.128 255.255.255.248
    default-router 192.168.28.129
    dns-server 192.168.26.10 192.168.1.100
    option 150 ip 192.168.1.132
    domain-name domain.local
    lease 0 2
    ip dhcp pool guestpool
    network 10.254.0.0 255.255.255.0
    dns-server 8.8.8.8 4.2.2.2
    domain-name local
    default-router 10.254.0.1
    lease 0 2
    no ip domain lookup
    ip domain name remote.domain.local
    no ipv6 cef
    multilink bundle-name authenticated
    license udi pid CISCO892-K9
    dot1x system-auth-control
    username somebody privilege 15 password 0 password
    redundancy
    crypto isakmp policy 1
    encr aes 256
    authentication pre-share
    group 5
    crypto isakmp key secretpassword address 123.123.123.123
    crypto ipsec transform-set pix-set esp-aes 256 esp-sha-hmac
    mode tunnel
    crypto map pix 10 ipsec-isakmp
    set peer 123.123.123.123
    set transform-set pix-set
    match address 110
    interface BRI0
    no ip address
    encapsulation hdlc
    shutdown
    isdn termination multidrop
    interface FastEthernet0
    switchport access vlan 10
    switchport voice vlan 11
    no ip address
    authentication port-control auto
    dot1x pae authenticator
    spanning-tree portfast
    interface FastEthernet1
    switchport access vlan 10
    switchport voice vlan 11
    no ip address
    authentication port-control auto
    dot1x pae authenticator
    spanning-tree portfast
    interface FastEthernet2
    switchport access vlan 10
    switchport voice vlan 11
    no ip address
    authentication port-control auto
    dot1x pae authenticator
    spanning-tree portfast
    interface FastEthernet3
    switchport access vlan 10
    switchport voice vlan 11
    no ip address
    authentication port-control auto
    dot1x pae authenticator
    spanning-tree portfast
    interface FastEthernet4
    switchport access vlan 10
    switchport voice vlan 11
    no ip address
    spanning-tree portfast
    interface FastEthernet5
    switchport access vlan 12
    switchport voice vlan 11
    no ip address
    spanning-tree portfast
    interface FastEthernet6
    switchport access vlan 10
    switchport voice vlan 11
    no ip address
    spanning-tree portfast
    interface FastEthernet7
    switchport access vlan 10
    switchport voice vlan 11
    no ip address
    authentication port-control auto
    dot1x pae authenticator
    spanning-tree portfast
    interface FastEthernet8
    no ip address
    shutdown
    duplex auto
    speed auto
    interface GigabitEthernet0
    ip address dhcp
    ip nat outside
    ip virtual-reassembly in
    duplex auto
    speed auto
    crypto map pix
    interface Vlan1
    no ip address
    interface Vlan10
    ip address 192.168.28.1 255.255.255.248
    ip nat inside
    ip virtual-reassembly in
    interface Vlan11
    ip address 192.168.28.129 255.255.255.248
    interface Vlan12
    ip address 10.254.0.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    ip forward-protocol nd
    ip http server
    ip http authentication local
    ip http secure-server
    ip nat inside source list 101 interface GigabitEthernet0 overload
    ip route 0.0.0.0 0.0.0.0 dhcp
    ip radius source-interface Vlan10
    ip sla auto discovery
    access-list 101 deny   ip 192.168.28.0 0.0.0.255 192.168.0.0 0.0.255.255
    access-list 101 permit ip 192.168.28.0 0.0.0.255 any
    access-list 101 permit ip 10.254.0.0 0.0.0.255 any
    access-list 110 permit ip 192.168.28.0 0.0.0.255 192.168.0.0 0.0.255.255
    access-list 110 permit ip 192.168.29.0 0.0.0.255 192.168.0.0 0.0.255.255
    radius-server host 192.168.1.100 auth-port 1812 acct-port 1813 key secretkey
    radius-server host 192.168.26.10 auth-port 1812 acct-port 1813 key secretkey
    control-plane
    mgcp profile default
    line con 0
    line aux 0
    line vty 0 4
    transport input all
    ntp source FastEthernet0
    ntp server 192.168.26.10
    ntp server 192.168.1.100
    end

    I have 802.1X certificate authentication enabled on the computers.  As described in my post above, authentication will work if there's another device on the same VLAN that is connected to a port that bypasses authentication.  It seems like I have a chicken-and-egg scenario: a device needs to be successfully connected to VLAN10 before the router will use its VLAN10 interface to communicate with my remote RADIUS server.
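
Both configs in this thread leave some access ports outside 802.1X: on the first switch every port falls back to VLAN 900 on authentication failure or silence (fail-open), and on the 892 several FastEthernet ports carry no `authentication port-control auto` at all, which is exactly the bypass path the poster relies on. The script below is an added example (not the posters' configs or Cisco tooling) that parses the interface stanzas of an IOS running-config and classifies each port as enforced, fail-open, open, shut, or not applicable. `SAMPLE_CONFIG` is a constructed, trimmed copy of the stanzas posted above.

```python
"""Audit an IOS config for 802.1X port coverage (added example, not from the posts).

Classifies every interface stanza of a Cisco IOS running-config:
  enforced  - port-control auto + PAE authenticator, no fallback VLAN
  fail-open - enforced, but a failed/silent supplicant is authorized into a VLAN
  open      - Layer-2 access port with no 802.1X enforcement at all
  shutdown  - administratively down
  n/a       - SVI, trunk, or routed port (not supplicant-facing)
SAMPLE_CONFIG is constructed from the stanzas posted in this thread.
"""
import re
from dataclasses import dataclass, field

SAMPLE_CONFIG = """\
dot1x system-auth-control
interface FastEthernet0
 switchport access vlan 10
 switchport voice vlan 11
 authentication port-control auto
 dot1x pae authenticator
interface FastEthernet4
 switchport access vlan 10
 switchport voice vlan 11
 spanning-tree portfast
interface FastEthernet8
 no ip address
 shutdown
interface FastEthernet0/11
 switchport mode access
 authentication event fail action authorize vlan 900
 authentication event no-response action authorize vlan 900
 authentication port-control auto
 dot1x pae authenticator
interface GigabitEthernet0/1
 switchport mode trunk
interface Vlan10
 ip address 192.168.28.1 255.255.255.248
"""

FALLBACK_RE = re.compile(r"authentication event (fail|no-response) action authorize vlan (\d+)")


@dataclass
class Port:
    name: str
    lines: list = field(default_factory=list)

    def has(self, prefix: str) -> bool:
        return any(line.startswith(prefix) for line in self.lines)

    def fallback_vlans(self) -> dict:
        """Map 'fail' / 'no-response' to the VLAN an unauthenticated host lands in."""
        found = {}
        for line in self.lines:
            m = FALLBACK_RE.match(line)
            if m:
                found[m.group(1)] = int(m.group(2))
        return found


def parse_interfaces(config: str) -> list:
    """Group config lines under the 'interface ...' stanza they belong to."""
    ports, current = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = Port(line.split(None, 1)[1])
            ports.append(current)
        elif current is not None and line and not line.startswith("!"):
            current.lines.append(line)
    return ports


def classify(port: Port) -> str:
    if port.has("shutdown"):
        return "shutdown"
    # SVIs, trunks and routed ports are not supplicant-facing access ports.
    if port.name.startswith("Vlan") or port.has("switchport mode trunk") or port.has("ip address"):
        return "n/a"
    # Only port-control auto together with the PAE authenticator enforces 802.1X.
    if not (port.has("authentication port-control auto") and port.has("dot1x pae authenticator")):
        return "open"
    # A fail/no-response authorize VLAN means an unauthenticated host still gets a VLAN.
    return "fail-open" if port.fallback_vlans() else "enforced"


def audit(config: str) -> dict:
    """Return {interface name: classification} for the whole config."""
    result = {p.name: classify(p) for p in parse_interfaces(config)}
    # Without the global enable, per-port dot1x commands are inert: every access port is open.
    if not re.search(r"(?m)^\s*dot1x system-auth-control\s*$", config):
        result = {k: ("open" if v in ("enforced", "fail-open") else v) for k, v in result.items()}
    return result


if __name__ == "__main__":
    for name, state in audit(SAMPLE_CONFIG).items():
        print(f"{name:22s} {state}")
```

Run it against `show running-config` output; every `open` or `fail-open` line is a port where a device can reach the VLAN without a successful RADIUS exchange, which is also why the 892 above sees its VLAN10 come alive only once such a port has a link.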

  • Pbr based ports , not working

    Hi,
    I need incoming connections to port 3389 to come in via ISP1, and incoming connections to port 5800 to come in via ISP2. I configured the following config, but it is not working. Could you help me?
    And I need another config: IP SLA for outbound traffic from inside to any destination (except ports 3389 and 5800). ISP1 is the primary link; when this link is down, ISP2 stays active for outbound traffic.
    interface GigabitEthernet0/0
     ip address 1.1.1.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     ip policy route-map internet
     duplex auto
     speed auto
    interface GigabitEthernet0/1
     ip address 2.2.2.2 255.255.255.0
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
    interface GigabitEthernet0/2
     ip address 3.3.3.2 255.255.255.0
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
    ip nat inside source list nat-isp1 interface GigabitEthernet0/1 overload
    ip nat inside source list nat-isp2 interface GigabitEthernet0/2 overload
    ip access-list extended nat-isp1
     permit ip any any
    ip access-list extended nat-isp2
     permit ip any any
    ip nat inside source static tcp 1.1.1.3 5800 3.3.3.2 5800 extendable
    ip nat inside source static tcp 1.1.1.3 3389 2.2.2.2 3389 extendable
    ip route 0.0.0.0 0.0.0.0 2.2.2.1
    ip route 0.0.0.0 0.0.0.0 3.3.3.1
    ip access-list extended pbr-isp1
     permit tcp any any eq 3389
    ip access-list extended pbr-isp2
     permit tcp any any eq 5800
    route-map internet permit 20
     match ip address pbr-isp1
     set ip next-hop 2.2.2.1
     set interface GigabitEthernet0/1
    route-map internet permit 30
     match ip address pbr-isp2
     set ip next-hop 3.3.3.1
     set interface GigabitEthernet0/2

    Hi LukaszTJB,
    Sorry for the delay. I need help again. I've configured it this way; the IP SLA is working, but when ISP2 comes up the NAT table doesn't clear automatically. I tried EEM but with no success.
    I need another thing: suppose the active link is ISP1; I need the incoming connections from ISP2 on port 5800 to work.
    =====================================================================
    Interfaces:
    interface Embedded-Service-Engine0/0
     no ip address
     shutdown
    interface GigabitEthernet0/0
     ip address 1.1.1.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     ip policy route-map internet
     duplex auto
     speed auto
    interface GigabitEthernet0/1
     ip address 2.2.2.2  255.255.255.0
     ip nat outside
     ip virtual-reassembly in
     duplex auto
     speed auto
    interface GigabitEthernet0/2
     ip address 3.3.3.2 255.255.255.0
     ip nat outside
     ip virtual-reassembly in
     duplex auto
     speed auto
    =============================================================
    NATs:
    ip nat inside source route-map ISP2 interface GigabitEthernet0/1 overload
    ip nat inside source route-map ISP1 interface GigabitEthernet0/2 overload
    ==================================================================
    Routes and IP SLA:
    ip route 0.0.0.0 0.0.0.0 2.2.2.1 track 10
    ip route 0.0.0.0 0.0.0.0 3.3.3.1 254
    track 10 ip sla 1 reachability
    ip sla 1
     icmp-echo 8.8.8.8 source-interface GigabitEthernet0/2
     threshold 5
     frequency 5
    ip sla schedule 1 life forever start-time now
    ip sla responder
    =======================================================
    Configs to ISP1:
    ip access-list extended acl-ISP1
     deny   tcp any eq 5800 any
     permit ip any any
     permit icmp any any
    ip access-list extended nat-ISP1
     permit ip 1.1.1.0 0.0.0.255 any
    route-map internet permit 10
     match ip address acl-ISP1
     match interface GigabitEthernet0/2
     set ip next-hop 2.2.2.1
    route-map ISP1 permit 10
     match ip address nat-ISP1
     match interface GigabitEthernet0/2
    ==============================================================
    Configs to ISP2:
    ip nat inside source static tcp 1.1.1.3 5800 3.3.3.2 5800 extendable
    ip access-list extended nat-ISP2
     permit ip 1.1.1.0 0.0.0.255 any
    ip access-list extended acl-ISP2
     permit   tcp any eq 5800 any
     deny  ip any any
    route-map internet permit 20
     match ip address acl-ISP2
     match interface GigabitEthernet0/1
     set ip next-hop 3.3.3.1
    route-map ISP2 permit 10
     match ip address nat-ISP2
     match interface GigabitEthernet0/1
    =============================================================
    EEM :
    event manager applet Clear_NAT
    event track 10 state any
    action 0.0 cli command "enable"
    action 1.0 cli command "clear ip nat translation forced *"
    action 3.0 syslog msg "WAN failover, cleared NAT"
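
In the first config above, the route-map `internet` sits on the inside interface, so the packets it classifies are the server's replies, and a reply from 1.1.1.3 to a remote RDP client carries 3389 as its *source* port. In an extended ACE, `eq <port>` placed after the source address tests the source port and `eq <port>` placed after the destination address tests the destination port, so `permit tcp any any eq 3389` never matches those replies and they fall through to the RIB and its two equal default routes. The poster's later config already uses the source-port form (`deny tcp any eq 5800 any`). The following is an added example (not the poster's config or Cisco code) that models first-match ACL and route-map evaluation in Python and compares the two ACE forms; the packets and the client address are constructed, the router and server addresses are the post's own.

```python
"""Model how `ip policy route-map` on an inside interface picks a next hop.

Added example, not from the post above and not Cisco code.  It models two IOS
behaviours relevant to the 3389/5800 question:
  * a route-map is walked in sequence order; the first permit sequence whose
    ACL permits the packet wins, otherwise the packet is routed by the RIB;
  * in an extended ACE, `eq <port>` after the source address tests the source
    port, and `eq <port>` after the destination address tests the destination port.
Wildcard masks are assumed contiguous (0.0.0.255 style).  Packets are constructed.
"""
import ipaddress
from typing import Optional


def _parse_endpoint(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD', then an optional 'eq PORT'."""
    if tokens[0] == "any":
        net, tokens = ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    elif tokens[0] == "host":
        net, tokens = ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    else:
        wildcard = int(ipaddress.ip_address(tokens[1]))
        net = ipaddress.ip_network((tokens[0], 32 - wildcard.bit_length()), strict=False)
        tokens = tokens[2:]
    port = None
    if tokens and tokens[0] == "eq":
        port, tokens = int(tokens[1]), tokens[2:]
    return net, port, tokens


def parse_ace(text: str) -> dict:
    """'permit tcp any eq 3389 any' -> one access-list entry as a dict."""
    tokens = text.split()
    action, proto = tokens[0], tokens[1]
    src, sport, rest = _parse_endpoint(tokens[2:])
    dst, dport, _ = _parse_endpoint(rest)
    return {"action": action, "proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}


def ace_matches(ace: dict, pkt: dict) -> bool:
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if ipaddress.ip_address(pkt["src"]) not in ace["src"]:
        return False
    if ipaddress.ip_address(pkt["dst"]) not in ace["dst"]:
        return False
    if ace["sport"] is not None and ace["sport"] != pkt.get("sport"):
        return False
    if ace["dport"] is not None and ace["dport"] != pkt.get("dport"):
        return False
    return True


def acl_permits(acl: list, pkt: dict) -> bool:
    """Extended ACL: the first matching ACE decides; implicit deny at the end."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace["action"] == "permit"
    return False


def policy_next_hop(route_map: list, acls: dict, pkt: dict) -> Optional[str]:
    """route_map: [(seq, acl_name, next_hop)].  None means 'fall through to the RIB'."""
    for _seq, acl_name, next_hop in sorted(route_map):
        if acl_permits(acls[acl_name], pkt):
            return next_hop
    return None


# The poster's first attempt: 'eq' after the destination address = destination port.
ACLS_AS_POSTED = {
    "pbr-isp1": [parse_ace("permit tcp any any eq 3389")],
    "pbr-isp2": [parse_ace("permit tcp any any eq 5800")],
}
# Source-port form: the server's replies carry the service port as source port.
ACLS_SOURCE_PORT = {
    "pbr-isp1": [parse_ace("permit tcp any eq 3389 any")],
    "pbr-isp2": [parse_ace("permit tcp any eq 5800 any")],
}
ROUTE_MAP = [(20, "pbr-isp1", "2.2.2.1"), (30, "pbr-isp2", "3.3.3.1")]

# Constructed replies from 1.1.1.3 (pre-NAT, as PBR on Gi0/0 sees them) to a remote client.
RDP_REPLY = {"proto": "tcp", "src": "1.1.1.3", "sport": 3389, "dst": "198.51.100.7", "dport": 51515}
VNC_REPLY = {"proto": "tcp", "src": "1.1.1.3", "sport": 5800, "dst": "198.51.100.7", "dport": 51516}


def demo() -> dict:
    return {
        "as_posted_rdp": policy_next_hop(ROUTE_MAP, ACLS_AS_POSTED, RDP_REPLY),
        "source_port_rdp": policy_next_hop(ROUTE_MAP, ACLS_SOURCE_PORT, RDP_REPLY),
        "source_port_vnc": policy_next_hop(ROUTE_MAP, ACLS_SOURCE_PORT, VNC_REPLY),
    }


if __name__ == "__main__":
    for case, hop in demo().items():
        print(f"{case:16s} -> {hop or 'RIB (default route)'}")
```

With the ACEs as posted the RDP reply gets no policy next hop and is routed by whichever default route the RIB picks, so it can leave through the ISP whose address the static NAT did not use; with the source-port form each reply is pinned to the ISP it arrived on.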

  • Trying to configure an Async port on a 1760

    Is there a difference in the way async ports are configured between 1800 and 1700 RTRs?
    I have 3 remote 1800 RTRs that have a dialup backup link via a modem connected to the AUX port.
    They work great.
    So now I'm tasked with doing the same with a 1760 RTR.
    Well, thinking that a 1760 SHOULDN'T be that much different than an 1800, I pasted an 1800 config into the 1760.
    Everything works except the ASYNC port will not accept the "dialer-group 1" cmd.
    I'm getting this msg:
    "Remove Dialer Profile Configuration first" when I insert the cmd.
    here's the RTR config
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    service sequence-numbers
    hostname Colwich_TX_RTR
    boot-start-marker
    boot-end-marker
    logging buffered 4096 debugging
    enable password 7 0822455D0A16
    no aaa new-model
    clock timezone central -5
    ip cef
    no ip domain lookup
    ip domain name kbsad.local
    ip name-server 10.30.47.4
    ip sla monitor 9
    type echo protocol ipIcmpEcho 10.30.13.25
    timeout 1000
    threshold 2
    frequency 3
    ip sla monitor schedule 9 life forever start-time now
    frame-relay switching
    chat-script Dialout ABORT ERROR ABORT BUSY "" "AT" OK "ATDT \T" TIMEOUT 30 CONNECT \c
    modemcap entry MY_USR_MODEM:MSC=&F1S0=1
    username grivers privilege 15 password 7 082A5B4D014857
    username tcrane privilege 15 password 7 082A5B4D014857
    track 122 rtr 9 reachability
    interface Loopback0
    ip address 10.254.253.6 255.255.255.255
    interface FastEthernet0/0
    description Connection to KWCH
    ip address 10.30.13.28 255.255.255.248
    speed auto
    full-duplex
    interface Serial0/0
    no ip address
    shutdown
    no fair-queue
    interface Ethernet1/0
    description Colwich Xmitter LAN
    ip address 10.30.50.254 255.255.255.0
    ip helper-address 10.30.40.0
    no ip route-cache cef
    no ip route-cache
    full-duplex
    interface Async5
    no ip address
    encapsulation ppp
    no ip route-cache cef
    no ip route-cache
    dialer in-band
    dialer pool-member 1
    async mode interactive
    routing dynamic
    interface Dialer1
    ip address negotiated
    no ip redirects
    encapsulation ppp
    no ip route-cache cef
    no ip route-cache
    dialer pool 1
    dialer remote-name KWCH_RTR
    dialer string 98324031
    dialer-group 1
    router eigrp 1
    network 10.0.0.0
    auto-summary
    ip route 10.30.40.0 255.255.248.0 10.30.13.25 track 122
    ip route 0.0.0.0 0.0.0.0 10.30.13.25
    ip route 10.30.40.0 255.255.248.0 Dialer1 100
    ip http server
    ip http authentication local
    no ip http secure-server
    logging history informational
    logging 10.30.41.60
    access-list 102 permit ip any any
    access-list 103 permit ip any any
    dialer-list 1 protocol ip list 102
    snmp-server community KWCHnet RO
    snmp-server location CW Site
    snmp-server contact KWCH IT Dept
    snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
    snmp-server enable traps tty
    snmp-server enable traps config
    snmp-server enable traps entity
    snmp-server enable traps syslog
    snmp-server enable traps rtr
    snmp-server host 10.30.41.60
    control-plane
    banner login ^CC WELCOME TO THE COLWICH TX ROUTER ^C
    line con 0
    exec-timeout 15 0
    password 7 15191C0F0C
    login local
    line aux 0
    password 7 1511021F0725
    script dialer Dialout
    login
    modem InOut
    modem autoconfigure type MY_USR_MODEM
    transport input all
    transport output all
    autoselect during-login
    autoselect ppp
    speed 115200
    flowcontrol hardware
    line vty 0 4
    exec-timeout 15 0
    password 7 000F04050C
    login local
    line vty 5 15
    exec-timeout 15 0
    password 7 104D000A0618
    login
    ntp clock-period 17208463
    ntp server 10.30.46.155
    end
    Any thoughts?
    Thanks, Gary

    You already have a "dialer-group 1" statement under your Dialer1 interface. I think it's telling you that when you try to add a second one under the async interface.
