IP SLA reachability error - icmp

We have had IP SLA configured for fail over for months now with no problems. All of a sudden it started to fail over to the backup link. As we investigated we discovered that there was not actually any problem with the main ISP. Reset the configuration and it resolved for a day or so but then went into a down state again. There have not been any configuration changes of note. Have verified the ping but the track object still reports reachability down. Stumped??
Has anyone experienced this type of issue?

Hello,
Can you post the result of the "show logg" command?
Also, how many routers do you have at your site? If two, are they connected directly with a cable or to a switch?
The problem could be due to a WAN link issue.
Best regards,

Similar Messages

  • IOS Remote Desktop App resolves hostname but throws Host is not reachable error.

    Hello,
    I am trying to use the Remote Desktop app on my iPad running iOS 7.0.2 to connect to a server through our Juniper VPN. When I type the hostname or IP address I get an error that says "Host is not reachable". If I connect through my Mac I have no problem when on the same VPN. I have looked through all of the settings in Junos Pulse and it is set up to route all traffic through the VPN, and I do not know of anything that would be blocking it on the network end.
    Edit: I am connecting to a Windows Server 2008 R2 box with RDP turned on with all types of connections.
    Here is the log data for my latest attempt.
    [2013-Nov-19 11:23:42] RDP (0): *** Application lauched ***
    [2013-Nov-19 11:23:43] RDP (0): Application became foreground application
    [2013-Nov-19 11:24:30] RDP (0): ----- BEGIN ACTIVE CONNECTION -----
    [2013-Nov-19 11:24:30] RDP (0): client version: 8.0.24094 on iPad3,4 (iPhone OS 7.0.3)
    [2013-Nov-19 11:24:30] RDP (0): Protocol state changed to: ProtocolConnectingNetwork(1)
    [2013-Nov-19 11:24:30] RDP (0): Showing credentials dialog
    [2013-Nov-19 11:24:49] RDP (0): Final rdp configuration used: {
        activeUsername = "DOMAIN\\UserName";
        arcTimeout = 1800;
        cacheId = BEBD1725D63BB841;
        configurationVersion = 8;
        console = 0;
        host = "server.mysite.com";
        label = "Server";
        mouseMode = "-1";
        port = 3389;
        soundMode = 1;
        swapMouseButtons = 0;
        type = rdp;
        utilityBar = "-1";
        kCFProxyTypeKey = kCFProxyTypeNone;
    [2013-Nov-19 11:24:49] RDP (0): --- BEGIN INTERFACE LIST ---
    [2013-Nov-19 11:24:49] RDP (0): lo0 af=18  addr= netmask=
    [2013-Nov-19 11:24:49] RDP (0): lo0 af=30 (AF_INET6)  addr=::1 netmask=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
    [2013-Nov-19 11:24:49] RDP (0): lo0 af=2 (AF_INET)  addr=127.0.0.1 netmask=255.0.0.0
    [2013-Nov-19 11:24:49] RDP (0): lo0 af=30 (AF_INET6)  addr=fe80::1%lo0 netmask=ffff:ffff:ffff:ffff::
    [2013-Nov-19 11:24:49] RDP (0): en0 af=18  addr= netmask=
    [2013-Nov-19 11:24:49] RDP (0): en0 af=30 (AF_INET6)  addr=fe80::66:9d3c:3d77:5cce%en0 netmask=ffff:ffff:ffff:ffff::
    [2013-Nov-19 11:24:49] RDP (0): en0 af=2 (AF_INET)  addr=192.168.114.44 netmask=255.255.252.0
    [2013-Nov-19 11:24:49] RDP (0): awdl0 af=18  addr= netmask=
    [2013-Nov-19 11:24:49] RDP (0): awdl0 af=30 (AF_INET6)  addr=fe80::3c11:d7ff:feb2:7a82%awdl0 netmask=ffff:ffff:ffff:ffff::
    [2013-Nov-19 11:24:49] RDP (0): en2 af=18  addr= netmask=
    [2013-Nov-19 11:24:49] RDP (0): utun0 af=18  addr= netmask=
    [2013-Nov-19 11:24:49] RDP (0): utun0 af=2 (AF_INET)  addr=10.100.01.01 netmask=255.255.255.255
    [2013-Nov-19 11:24:49] RDP (0): --- END INTERFACE LIST ---
    [2013-Nov-19 11:24:49] RDP (0): Not using any proxy
    [2013-Nov-19 11:24:49] RDP (0): Protocol state changed to: ProtocolConnectingNetwork(1)
    [2013-Nov-19 11:24:49] RDP (0): Resolved 'server.mysite.com' to '10.100.01.01' using NameResolveMethod_Unknown(0)
    [2013-Nov-19 11:25:09] RDP (0): Exception caught: Exception in file '/Users/build/jenkins/workspace/rc-ios-develop/protocols/RDP/cftcpendpoint.cpp' at line 242
        User Message : Host is not reachable
    [2013-Nov-19 11:25:09] RDP (0): Error message: Host is not reachable(phase: 0, type: 0, reason: 0, systemCode: -1, systemMessage: )
    [2013-Nov-19 11:25:09] RDP (0): Protocol state changed to: ProtocolDisconnecting(7)
    [2013-Nov-19 11:25:09] RDP (0): Protocol state changed to: ProtocolDisconnected(8)
    [2013-Nov-19 11:25:09] RDP (0): ------ END ACTIVE CONNECTION ------
    Cameron

    Hi,
    According to the log, your iPad tried to connect to the remote server with IP address 10.100.01.01/32. Please check if it is the correct IP address of the server.
    Also, please make sure that your iPad can connect to your VPN network successfully and get a valid IP address so that it can remote into your internal server.
    Thanks.
    Jeremy Wu
    TechNet Community Support
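The check the reply asks for, comparing the address the client resolved with the addresses in its own interface list, as an added example (not part of the original thread; the function names are hypothetical). In the log as posted, the resolved address and the utun0 address are the same string, 10.100.01.01.

```python
import re

# Constructed sample: the AF_INET interface lines, the resolver line and the
# error line copied from the log in the post above.
LOG = """\
[2013-Nov-19 11:24:49] RDP (0): --- BEGIN INTERFACE LIST ---
[2013-Nov-19 11:24:49] RDP (0): lo0 af=2 (AF_INET)  addr=127.0.0.1 netmask=255.0.0.0
[2013-Nov-19 11:24:49] RDP (0): en0 af=18  addr= netmask=
[2013-Nov-19 11:24:49] RDP (0): en0 af=2 (AF_INET)  addr=192.168.114.44 netmask=255.255.252.0
[2013-Nov-19 11:24:49] RDP (0): utun0 af=2 (AF_INET)  addr=10.100.01.01 netmask=255.255.255.255
[2013-Nov-19 11:24:49] RDP (0): --- END INTERFACE LIST ---
[2013-Nov-19 11:24:49] RDP (0): Resolved 'server.mysite.com' to '10.100.01.01' using NameResolveMethod_Unknown(0)
[2013-Nov-19 11:25:09] RDP (0): Error message: Host is not reachable(phase: 0, type: 0, reason: 0, systemCode: -1, systemMessage: )
"""

IFACE_RE = re.compile(r"RDP \(\d+\): (\S+) af=2 \(AF_INET\)\s+addr=(\S+) netmask=(\S+)")
RESOLVED_RE = re.compile(r"Resolved '([^']+)' to '([^']+)'")


def to_int(dotted):
    """Dotted quad to integer. int() accepts the leading zeros seen in
    '10.100.01.01', which stricter address parsers reject."""
    parts = [int(p) for p in dotted.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"not an IPv4 address: {dotted!r}")
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]


def to_dotted(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def analyse(log):
    """Classify the resolved target against the client's IPv4 interfaces."""
    ifaces = [(name, to_int(addr), to_int(mask))
              for name, addr, mask in IFACE_RE.findall(log)]
    resolved = RESOLVED_RE.search(log)
    if resolved is None:
        return None
    target = to_int(resolved.group(2))
    # Interfaces whose own address equals the target.
    own = [name for name, addr, _ in ifaces if addr == target]
    # Interfaces that share a subnet with the target (a /32 tunnel has no subnet).
    on_link = [name for name, addr, mask in ifaces
               if addr != target and mask != 0xFFFFFFFF
               and (addr & mask) == (target & mask)]
    if own:
        verdict = "target is the client's own address"
    elif on_link:
        verdict = "target is on a directly attached subnet"
    else:
        verdict = "target is reached through a route (default or VPN)"
    return {
        "host": resolved.group(1),
        "target": to_dotted(target),
        "own_interfaces": own,
        "on_link": on_link,
        "unreachable": "Host is not reachable" in log,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in analyse(LOG).items():
        print(f"{key}: {value}")
```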

  • TCL script or applet to disable port based on reachability

    I am looking for a script or applet that will dis/enable an ethernet interface on Cat 6500 based on reachability to an external destination. Reachability should be verified either directly by sending ICMP packets, or based on IPSLA status.
    Thank you,
    Jarek

    ! This will ping every 5 seconds for reachability.
    ip sla 1
     type icmp-echo 10.1.1.1
     timeout 1000
     threshold 1000
     frequency 5
    ip sla schedule 1 life forever start-time now
    ! Creates object tracking with IP SLA operation from above.
    track 1 rtr 1 reachability
    ! EEM will shut down the interface if it's unreachable.
    event manager applet interface-shut
     event track 1 state down
     action 0.0 cli command "enable"
     action 0.1 cli command "conf t"
     action 1.0 cli command "interface fa0"
     action 2.0 cli command "shut"
     action 3.0 syslog msg "interface-shut EEM shut down interface fa0"
    ! EEM will bring the interface up when it's reachable.
    event manager applet interface-noshut
     event track 1 state up
     action 0.0 cli command "enable"
     action 0.1 cli command "conf t"
     action 1.0 cli command "interface fa0"
     action 2.0 cli command "no shut"
     action 3.0 syslog msg "interface EEM brought up interface fa0"

  • TACACs error

    Hi,
    I've just tried putting TACACs onto a 7206 VXR (124-4.XD4) and am getting the following error: %AAA-3-BADSERVERTYPEERROR: Cannot process accounting server type tacacs+ (UNKNOWN)
    Config is vanilla and has been used on other switches/routers in the network:
    aaa new-model
    aaa authentication login default group tacacs+ enable
    aaa authentication enable default group tacacs+ enable
    aaa accounting exec start-stop tacacs+
    aaa accounting commands 0 default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ if-authenticated local
    aaa authorization commands 0 default group tacacs+ if-authenticated local
    aaa authorization commands 15 default group tacacs+ if-authenticated local
    tacacs-server key xxx
    tacacs-server host x.x.x.x
    I've been unable to find any bugs or info relating to this error on the web. Has anyone else seen this problem?
    Cheers.

    Hi Rohit,
    Thanks for the feedback. I've removed the command and the issue still appears to be that the router doesn't recognise TACACs although it accepts the commands. When the config is applied it bypasses TACACs for authentication and goes to the enable pwd? The server's reachable via ICMP but showing failed connect attempts along with the AAA-3-BADSERVERTYPEERROR in the log. I've rolled out the same config across multiple platforms in the network. It's just this box that's sulking.
    B2UL-bord1#sh tacac
    Tacacs+ Server : 10.2.2.66/49
    Socket opens: 33
    Socket closes: 33
    Socket aborts: 0
    Socket errors: 0
    Socket Timeouts: 0
    Failed Connect Attempts: 29
    Total Packets Sent: 0
    Total Packets Recv: 0
    aaa new-model
    aaa authentication login default group tacacs+ enable
    aaa authentication enable default group tacacs+ enable
    aaa authorization config-commands
    aaa authorization commands 0 default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa accounting commands 0 default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa session-id common
    tacacs-server host x.x.x.x
    tacacs-server directed-request
    tacacs-server key xxx
    Cheers
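Why login ends up at the enable password in the thread above: IOS moves to the next method in a list only when the previous one gives no response, so a TACACS+ server that never answers on TCP/49 leaves whatever comes after `group tacacs+`. The following is an added example, not code from the thread; the function names are hypothetical, and it assumes the single server shown is the only member of the group. It reads the posted AAA lines and `sh tacac` counters, reports the method each list falls through to, and flags the accounting line that does not follow the `<list> <record-type> group <name>` form the other accounting lines use.

```python
import re

# Constructed sample: the AAA lines from the reply above, plus the
# "aaa accounting exec" line from the first post's configuration.
CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec start-stop tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common
"""

# Constructed sample: the "sh tacac" counters quoted in the reply above.
SHOW_TACACS = """\
Tacacs+ Server : 10.2.2.66/49
Socket opens: 33
Socket closes: 33
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 29
Total Packets Sent: 0
Total Packets Recv: 0
"""

METHOD_LINE = re.compile(
    r"^aaa (authentication|authorization|accounting) (commands \d+|\S+) (\S+) (.+)$")
RECORD_TYPES = ("start-stop", "stop-only", "none")


def parse_method_lists(config):
    """Return (lists, malformed); lists maps (service, kind, name) -> ordered methods."""
    lists, malformed = {}, []
    for line in config.splitlines():
        m = METHOD_LINE.match(line.strip())
        if not m:
            continue  # aaa new-model, session-id, config-commands: not method lists
        service, kind, name, rest = m.groups()
        tokens = rest.split()
        if service == "accounting":
            # A record type where the list name belongs, or no record type at all.
            if name in RECORD_TYPES or tokens[0] not in RECORD_TYPES:
                malformed.append(line.strip())
                continue
            tokens = tokens[1:]
        methods, i = [], 0
        while i < len(tokens):
            if tokens[i] == "group" and i + 1 < len(tokens):
                methods.append("group " + tokens[i + 1])
                i += 2
            else:
                methods.append(tokens[i])
                i += 1
        lists[(service, kind, name)] = methods
    return lists, malformed


def parse_counters(show_output):
    """Numeric counters from the show output, keyed by their label."""
    counters = {}
    for line in show_output.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip().isdigit():
            counters[key.strip()] = int(value.strip())
    return counters


def server_answering(counters):
    """Connects fail and nothing was ever received: treat the server as silent."""
    return not (counters.get("Failed Connect Attempts", 0) > 0
                and counters.get("Total Packets Recv", 0) == 0)


def effective_methods(lists, answering):
    """First method of each list that can actually respond (None if none can)."""
    result = {}
    for key, methods in lists.items():
        usable = [m for m in methods if answering or not m.startswith("group ")]
        result[key] = usable[0] if usable else None
    return result


def report(config, show_output):
    lists, malformed = parse_method_lists(config)
    answering = server_answering(parse_counters(show_output))
    lines = [f"{svc} {kind} [{name}] -> {method or 'nothing (no method left)'}"
             for (svc, kind, name), method in effective_methods(lists, answering).items()]
    lines += [f"check syntax: {bad}" for bad in malformed]
    return lines


if __name__ == "__main__":
    print("\n".join(report(CONFIG, SHOW_TACACS)))
```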

  • Photosmart C4385 "Device Not Reachable"

    I know this has been addressed in other threads, but none of the solutions have worked for me and my configuration is a little different. So here goes:
    I'm running OS 10.6 Snow Leopard with my C4385. My computer is connected to a wireless network via an extender. I don't know anything about the router other than it's probably a Cisco since that's in the network name. The router and extender are both in my landlord's house, so I don't have access to them to reboot, check settings, or anything. Until this morning my printer was associated with the main network, which worked fine, but the signal is very weak and I would rather have it associated with the extender network. I went through the HP Setup Assistant and now all I get is the "Device Not Reachable" error message, whether I use the extender or main network.
    I printed a Network Configuration Page and typed the printer's IP into my browser, and it shows up just fine, saying it's connected to the main network. Print & Fax under System Preferences disagrees and I can't print at all anymore (except with the USB cable). The only thing I changed recently is switching to a manual IP address for my laptop since I had lots of connectivity issues with automatic IPs, but after that everything worked until this morning when I ran Setup Assistant.
    Sorry for writing a novel. I wish I had more information about the hardware but my landlord's not very helpful with these sorts of things. Any advice would be great! I've tried scrubbing software and reinstalling it and resetting the printing system, with no luck.

    I see a couple of potential problems, here.
    First, adding the printer by IP is dicey.  If the router changes the printer's IP (actually WHEN it does, because eventually it will), then your Mac may lose track of it.  Plus, adding by IP usually only enables printing, not scanning.
    Second, HP printers don't seem to play well with wifi extenders.  Is there a way to move your printer so that it is connected to the main router, not the extender?
    Say thanks by clicking "Kudos" "thumbs up" in the post that helped you.
    I am employed by HP

  • LMS 3.2(solaris 10) - User Tracking: again "ogs_server_urn" Not found! errors

    LMS 3.2 on a solaris 10 server that had problems with ctm_config.txt in the past (https://supportforums.cisco.com/thread/2033941) now again has problems with the device selector in UT. There are FATAL errors of the below type logged to CampusOGSServer.log:
    [ Tue Oct 19  18:27:22 CEST 2010 ]FATAL  com.cisco.nm.xms.ogs.server.GroupCacheImpl getHierarchy  No top-level cache for: /Campus@lms-server/Campus@sdeu1121/System Defined Groups/All Unreachable Devices
    [ Tue Oct 19  18:30:52 CEST 2010 ]FATAL  com.cisco.nm.xms.ogs.server.GroupCacheImpl getHierarchy  No top-level cache for: /Campus@lms-server
    [ Tue Oct 19  18:33:03 CEST 2010 ]FATAL  com.cisco.nm.xms.ogs.server.GroupCacheImpl getHierarchy  No top-level cache for: /Campus@lms-server/Campus@sdeu1121/System Defined Groups/All Unreachable Devices
    [ Tue Oct 19  18:35:04 CEST 2010 ]FATAL  com.cisco.nm.xms.ogs.server.GroupCacheImpl getHierarchy  No top-level cache for: /RME@lms-server/Pre-deployed
    [ Tue Oct 19  18:35:05 CEST 2010 ]FATAL  com.cisco.nm.xms.ogs.server.GroupCacheImpl getHierarchy  No top-level cache for: /RME@lms-server/User Defined Groups
    To create the failure I go to UT > Reports > Report Generator => Switch Port Report > Switch Port Summary
         The Device Selector that opens does not contain any devices and clicking on the Search Button produces the following error:
    Problem with File /WEB-INF/screens/deviceselector/DeviceFilter.jsp!!!URN_NOT_FOUND : urn "ogs_server_urn" : Not found !!
    also the following error is found in /opt/CSCOpx/MDC/tomcat/logs/stdout.log:
    Oct 18, 2010 2:18:49 PM org.apache.catalina.core.ApplicationDispatcher invoke
    SEVERE: Servlet.service() for servlet jsp threw exception
    com.cisco.nm.xms.ctm.common.CTMException: URN_NOT_FOUND : urn "ogs_server_urn" : Not found !!
            at com.cisco.nm.xms.ctm.client.CTMCall.establishIPC(CTMCall.java:238)
            at com.cisco.nm.xms.ctm.client.CTMCall.<init>(CTMCall.java:218)
            at com.cisco.nm.xms.ctm.client.CTMClientProxy.<init>(CTMClientProxy.java:64)
            at com.cisco.nm.xms.ctm.client.CTMClientProxy.getProxy(CTMClientProxy.java:180)
            at com.cisco.nm.xms.ogs.client.OGSServerProxy.init(OGSServerProxy.java:179)
            at com.cisco.nm.xms.ogs.client.OGSServerProxy.init(OGSServerProxy.java:98)
            at com.cisco.nm.xms.ogs.client.OGSServerProxy.<init>(OGSServerProxy.java:85)
            at com.cisco.nm.xms.ogs.client.mgmt.OGSRuleExpressionUtil.getServerProxy(OGSRuleExpressionUtil.java:102)
            at com.cisco.nm.xms.ogs.client.mgmt.OGSRuleExpressionUtil.getClassDefUtil(OGSRuleExpressionUtil.java:123)
            at com.cisco.nm.xms.ogs.client.mgmt.OGSRuleExpressionUtil.getInternalClasses(OGSRuleExpressionUtil.java:153)
            at com.cisco.nm.xms.ogs.client.mgmt.OGSRuleExpressionUtil.getClasses(OGSRuleExpressionUtil.java:174)
            at org.apache.jsp.WEB_002dINF.screens.deviceselector.DeviceFilter_jsp._jspService(DeviceFilter_jsp.java:158)
            at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:97)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
            at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:332)
            at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:314)
            at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:264)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
            at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:692)
            at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:594)
            at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:506)
            at org.apache.jasper.runtime.JspRuntimeLibrary.include(JspRuntimeLibrary.java:966)
            at org.apache.jasper.runtime.PageContextImpl.include(PageContextImpl.java:614)
            at com.cisco.nm.uii.taglib.framework.ContentAreaTag.doStartTag(ContentAreaTag.java:76)
            at org.apache.jsp.WEB_002dINF.screens.popup_jsp._jspx_meth_embu_contentarea_0(popup_jsp.java:876)
            at org.apache.jsp.WEB_002dINF.screens.popup_jsp._jspService(popup_jsp.java:693)
            at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:97)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
            at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:332)
            at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:314)
            at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:264)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
            at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:692)
            at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:470)
            at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:405)
            at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:301)
            at org.apache.struts.action.ActionServlet.processActionForward(ActionServlet.java:1758)
            at com.cisco.nm.uii.UIIController.processActionForward(UIIController.java:380)
            at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1595)
            at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:491)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:689)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
            at com.cisco.nm.cmf.util.AccessLogFilter.doFilter(AccessLogFilter.java:128)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
            at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
            at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
            at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
            at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
            at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
            at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
            at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:199)
            at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:282)
            at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:754)
            at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:684)
            at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:876)
            at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
            at java.lang.Thread.run(Thread.java:595)
    I did check the ctm_config.txt file in campus and cmapps directory, removed the ctmregistry and ctmregistry.backup files from /opt/CSCOpx/MDC/tomcat/webapps/campus/WEB-INF/lib, removed all files and directories below /opt/CSCOpx/MDC/tomcat/work/Standalone/localhost/ and restarted the services;
    No change...
    What I noticed when looking directly into CMF database is that "CampusOgsGroupCacheTable" is completely empty where as the following tables contain data:
        CampusOgsGroupPropertiesTable
        CampusOGSTagTable
        CampusUserGroupAssociationTable
    What could be the reason for this behaviour?
    I yet thought about the option to export all the groups from CMF (or at least the campus groups) and drop all tables from OGS and re-importing the groups but when I try to do this I get the following error:
    root@lms-server # ./perl ./OGSCli.sh -u admin
    Enter CiscoWorks password:
    Authentication succeeded.
    INFO: Enter EXIT to quit from OGSCli prompt any time.
    Enter an OGSCli task <export | import> [export]:export
    Enter a filename to export groups:./OGSGroupExport.info
    WARN: The group details in the selected file will be overwritten with the new export groups information.Do you want to continue? (y/n) [n]:y
    Enter a User-defined Group hierarchy name to export or All to export all User-defined Groups from all applications [All]:All
    INFO: The hierarchies of the User-defined Groups in all applications that are installed in all servers, will be exported to ./OGSGroupExport.info.
    Authorization succeeded.
    ERROR: Could not export the specified User-defined Groups hierarchies to ./OGSGroupExport.info.
    ERROR: This could be because of one or more of the  following reasons:
    ERROR: * OGSServer process may not be running
    ERROR: * Application or remote Grouping Server may not be reachable
    ERROR: * Free disk space may be low
    ERROR: * You do not have the required file permissions to create the file.
    ERROR: See /var/adm/CSCOpx/log/CMFOGSClient.log for more details.
    root@lms-server # ./perl ./OGSCli.sh -u admin -d
    Enter CiscoWorks password:
    Authentication failed.
    Verify the username and password that you have entered.
    root@lms-server #
    just to be sure I upload the 2 ctm_config.txt files ....

    I was wondering about the fact that even CampusOGSServer was running, CTM could not allocate the necessary ports (netstat -a). Because everything seems to be ok I commented out
        DYNAMIC_PORT_ALLOCATION=0
    in ..../campus/WEB-INF/lib/ctm_config.txt
    after stopping and starting CampusOGSServer (pdterm/pdexec) the device selector in UT was up and running again ...
    I did a test with setting
        DYNAMIC_PORT_ALLOCATION=1
    result: UT device selector was broken
    It looks like this line (no matter if set to 0 or 1) seems to break "campus CTM" on this server...
    It is running for now, but there are still 3 issues open and I do not know if they are directly associated
    1)  OGSCli is still not working and finishes with this message:
    root@lms-server # ls -al | grep -i ogs
    -rwxrwxr-x   1 casuser  casusers    3288 Nov 20  2008 OGSCli.sh
    -rwxrwxrwx   1 root     casusers       0 Oct 19 11:34 OGSGroupExport.info
    root@lms-server # chown casuser:casusers OGSGroupExport.info
    root@lms-server # ./OGSCli.sh -u admin
    Enter CiscoWorks password:
    Authentication succeeded.
    INFO: Enter EXIT to quit from OGSCli prompt any time.
    Enter an OGSCli task [export]:export
    Enter a filename to export groups:OGSGroupExport.info
    WARN: The group details in the selected file will be overwritten with the new export groups information.Do you want to continue? (y/n) [n]:y
    Enter a User-defined Group hierarchy name to export or All to export all User-defined Groups from all applications [All]:All
    INFO: The hierarchies of the User-defined Groups in all applications that are installed in all servers, will be exported to OGSGroupExport.info.
    Authorization succeeded.
    ERROR: Could not export the specified User-defined Groups hierarchies to OGSGroupExport.info.
    ERROR: This could be because of one or more of the  following reasons:
    ERROR: * OGSServer process may not be running
    ERROR: * Application or remote Grouping Server may not be reachable
    ERROR: * Free disk space may be low
    ERROR: * You do not have the required file permissions to create the file.
    ERROR: See /var/adm/CSCOpx/log/CMFOGSClient.log for more details.
    root@lms-server #
    the /var/adm/CSCOpx/log/CMFOGSClient.log is attached and there seems to be some certification issues; I recreated the certificate and in the GUI it shows to be set and be valid...
    2) these FATAL messages appear in CampusOGSServer.log and I am not sure if they are harmless:
    [ Thu May 20  16:16:34 CEST 2010 ]FATAL  com.cisco.nm.xms.ogs.server.GroupCacheImpl getHierarchy  No top-level cache for: /Campus@lms-server/Campus@sdeu1121/System Defined Groups/All Unreachable Devices
    [ Thu May 20  16:20:10 CEST 2010 ]FATAL  com.cisco.nm.xms.ogs.server.GroupCacheImpl getHierarchy  No top-level cache for: /Campus@lms-server
    [ Thu May 20  16:22:24 CEST 2010 ]FATAL  com.cisco.nm.xms.ogs.server.GroupCacheImpl getHierarchy  No top-level cache for: /Campus@lms-server/Campus@sdeu1121/System Defined Groups/All Unreachable Devices
    [ Thu May 20  16:24:23 CEST 2010 ]FATAL  com.cisco.nm.xms.ogs.server.GroupCacheImpl getHierarchy  No top-level cache for: /RME@lms-server/Pre-deployed
    [ Thu May 20  16:24:23 CEST 2010 ]FATAL  com.cisco.nm.xms.ogs.server.GroupCacheImpl getHierarchy  No top-level cache for: /RME@lms-server/User Defined Groups
    [ Thu May 20  16:24:23 CEST 2010 ]FATAL  com.cisco.nm.xms.ogs.server.GroupCacheImpl getHierarchy  No top-level cache for: /RME@lms-server/User Defined Groups/All-CE-NM
    [ Thu May 20  16:24:47 CEST 2010 ]FATAL  com.cisco.nm.xms.ogs.server.GroupCacheImpl getHierarchy  No top-level cache for: /DFM@lms-server/User Defined Groups/Customizable Groups/Customizable Group 2
    [ Thu May 20  16:24:50 CEST 2010 ]FATAL  com.cisco.nm.xms.ogs.server.GroupCacheImpl getHierarchy  No top-level cache for: /DFM@lms-server/User Defined Groups/IN-Devices
    [ Thu May 20  16:24:55 CEST 2010 ]FATAL  com.cisco.nm.xms.ogs.server.GroupCacheImpl getHierarchy  No top-level cache for: /DFM@lms-server/User Defined Groups/Customizable Groups
    [ Thu May 20  16:25:03 CEST 2010 ]FATAL  com.cisco.nm.xms.ogs.server.GroupCacheImpl getHierarchy  No top-level cache for: /DFM@lms-server/User Defined Groups/Customizable Groups/Customizable Group 3
    [ Thu May 20  16:29:01 CEST 2010 ]FATAL  com.cisco.nm.xms.ogs.server.GroupCacheImpl getHierarchy  No top-level cache for: /RME@lms-server
    [ Thu May 20  16:29:02 CEST 2010 ]FATAL  com.cisco.nm.xms.ogs.server.GroupCacheImpl getHierarchy  No top-level cache for: /RME@lms-server/All Devices
    [ Thu May 20  16:29:02 CEST 2010 ]FATAL  com.cisco.nm.xms.ogs.server.GroupCacheImpl getHierarchy  No top-level cache for: /RME@lms-server/Normal Devices
    [ Thu May 20  16:29:13 CEST 2010 ]FATAL  com.cisco.nm.xms.ogs.server.GroupCacheImpl getHierarchy  No top-level cache for: /DFM@lms-server/User Defined Groups/Customizable Groups/Customizable Group 4
    [ Thu May 20  16:29:14 CEST 2010 ]FATAL  com.cisco.nm.xms.ogs.server.GroupCacheImpl getHierarchy  No top-level cache for: /DFM@lms-server/User Defined Groups/Customizable Groups/Customizable Group A
    [ Thu May 20  16:29:34 CEST 2010 ]FATAL  com.cisco.nm.xms.ogs.server.GroupCacheImpl getHierarchy  No top-level cache for: /DFM@lms-server/User Defined Groups/Customizable Groups/Customizable Group B
    [ Thu May 20  16:29:35 CEST 2010 ]FATAL  com.cisco.nm.xms.ogs.server.GroupCacheImpl getHierarchy  No top-level cache for: /DFM@lms-server/User Defined Groups/Customizable Groups/Customizable Group C
    [ Thu May 20  16:30:34 CEST 2010 ]FATAL  com.cisco.nm.xms.ogs.server.GroupCacheImpl getHierarchy  No top-level cache for: /RME@lms-server/User Defined Groups/DE-Switche-IOS
    [ Thu May 20  16:30:39 CEST 2010 ]FATAL  com.cisco.nm.xms.ogs.server.GroupCacheImpl getHierarchy  No top-level cache for: /DFM@lms-server
    [ Thu May 20  16:30:39 CEST 2010 ]FATAL  com.cisco.nm.xms.ogs.server.GroupCacheImpl getHierarchy  No top-level cache for: /DFM@lms-server/User Defined Groups
    [ Thu May 20  16:30:39 CEST 2010 ]FATAL  com.cisco.nm.xms.ogs.server.GroupCacheImpl getHierarchy  No top-level cache for: /DFM@lms-server/User Defined Groups/Customizable Groups/Customizable Group 1
    3) I found CampusOgsGroupCacheTable in cmf database to be empty on 2 different lms 3.2 installations (both solaris) but I cannot believe that this is ok due to some stored procedures pointing to this table to keep it on sync with CampusOgsGroupPropertiesTable

  • Ip SLA RTP based VOIP Operation - To find out MOS value

    Hi All,
    I am new to VOIP. We are trying to find out the MOS value in our VOIP network. For that we thought of using IP SLA RTP Based VOIP operation to get the MOS values. http://www.cisco.com/en/US/docs/ios/12_4t/12_4t4/htrtpvip.html
    I've used 3825 with NM HDV module with 3 DSP as SLA originator and AS 5400 XM as SLA responder.
    But I'm not getting the MOS values,
    show ip sla statistics shows that the operation failed due to Format Failure.
    I've attached the config of my 3825. Kindly go through it and advise if any changes are to be done.
    In AS 5400 XM there is no special config related to this. I've enabled only "IP SLA RESPONDER"
    Error message:
    LAB-3825-R6# sh ip sla stat
    Round Trip Time (RTT) for Index 1
    Type of operation: rtp
    Latest operation start time: *05:04:58.707 UTC Wed May 14 2008
    Latest operation return code: Format failure
    Latest RTT (milliseconds): 0
    Source to Destination Path Measurements:
    Interarrival Jitter: 0
    Packets Sent: 0
    Packets Lost: 0
    Estimated R-factor: 0 MOS-CQ: 0.00
    Destination to Source Path Measurements:
    Interarrival Jitter: 0
    Packets Sent: 0
    Packets Lost: 0
    Estimated R-factor: 0 MOS-CQ: 0.00
    Operation time to live: Forever
    Operational state of entry: Active
    Last time this entry was reset: Never
    LAB-3825-R6# sh ip sla stat aggre
    Round Trip Time (RTT) for Index 1
    Type of operation: rtp
    Start Time Index: *05:06:21.019 UTC Wed May 14 2008
    Number of successful operations: 0
    Number of operations over threshold: 0
    Number of failed operations due to a Timeout: 0
    Number of failed operations due to a No Connection: 1
    Number of failed operations due to an Internal Error: 5
    Number of failed operations due to a Sequence Error: 0
    RTT (avg/min/max): 0/0/0 ms
    Source to Destination Path Measurements:
    Interarrival Jitter (avg/min/max): 0/0/0
    Packets Sent (avg/min/max): 0/0/0
    Packets Lost (avg/min/max): 0/0/0
    Estimated R-factor (avg/min/max): 0/0/0
    MOS-CQ (avg/min/max): 0.00/0.00/0.00
    Destination to Source Path Measurements:
    Interarrival Jitter (avg/min/max): 0/0/0
    Packets Sent (avg/min/max): 0/0/0
    Packets Lost (avg/min/max): 0/0/0
    Estimated R-factor (avg/min/max): 0/0/0
    MOS-CQ (avg/min/max): 0.00/0.00/0.00
    Any help is greatly appreciated.
    thanks in advance.

    Hi,
    AS 5400 cannot be used even as SLA responder for RTP probe. That's the reason I got the Format Failure error. We can view the type of SLA Probes the router supports by issuing the following command:
    sh ip sla application
    For example, below is what I've taken from AS 5400
    sh ip sla application
    IP Service Level Agreements
    Version: Round Trip Time MIB 2.2.0, Infrastructure Engine-II
    Time of last change in whole IP SLAs: 10:48:00.737 IST Tue May 20 2008
    Estimated system max number of entries: 49625
    Estimated number of configurable operations: 49608
    Number of Entries configured : 17
    Number of active Entries : 17
    Number of pending Entries : 0
    Number of inactive Entries : 0
    Supported Operation Types
    Type of Operation to Perform: dhcp
    Type of Operation to Perform: dlsw
    Type of Operation to Perform: dns
    Type of Operation to Perform: echo
    Type of Operation to Perform: frameRelay
    Type of Operation to Perform: ftp
    Type of Operation to Perform: http
    Type of Operation to Perform: icmpJitter
    Type of Operation to Perform: jitter
    Type of Operation to Perform: pathEcho
    Type of Operation to Perform: pathJitter
    Type of Operation to Perform: tcpConnect
    Type of Operation to Perform: udpEcho
    Type of Operation to Perform: voip
    IP SLAs low memory water mark: 68416281
    chnmgw1#
    Hope this will help others looking for RTP based VOIP operation..

  • LMS 3.2.1 - Unreachable Device Report - ICMP problem

    Hello,
    I use the unreachable device report in CS for checking the basic reachability of the managed devices.
    A very useful feature!
    But on one LMS installation I have a huge number of "unreachable" devices which are normally reachable via ICMP.
    I use only the ICMP check with a timeout of 2 sec and one retry.
    Checking the debug for that polling told me that at the beginning of the daily running job all works fine.
    CS sends an ICMP to 10 devices and gets response. After that the next 10 devices and so on.
    After some cycles it increases the number of parallel workflows to 2, meaning 2x10 devices will be polled.
    And with that change the problems begin, from my point of view. At this point 2 or 3 devices will be marked as unreachable.
    With the next cycle of 2x10 devices 5-8 devices are "unreachable" and then all devices till the end are unreachable.
    That sounds like there is an overflow on the application or server which can't handle so many ICMP replies.
    Changing the timeout or retries didn't help.
    Is there a possibility to fix the parallel requests to 10 without an increase?
    Thanks a lot!
    Sven

    This sounds like CSCte60815, "DCRDevice Poll using ICMP wrongly shows devices as Unreachable".
    You may have to use SNMP as well to get the correct status.

  • Site-to-site VPN failover via 3G HWIC

    Small problem. Branch utilizes a 2811 router connected via MPLS to core via serial interface. If serial ip sla reachability fails, fire up the cell interface, dial out and connect to the internet. Establish IPsec tunnel to a peer ASA and pass local LAN traffic over the tunnel. Problem is the tunnel does come up and I am 'briefly' able to communicate across the tunnel but then *poof*. No more communication. Tried multiple ideas and thoughts (different encryption, authentication etc). I am thinking that per my config, the IPsec session is trying to establish before the dialer session is fully up, thus potentially causing problems with the authentication to the peer. Any help would be appreciated. Here is the debug of isakmp, ipsec, dialer and ppp when I manually kill the serial interface:
    14th_Street(config)#int s0/1/0:0
    14th_Street(config-if)#shut
    14th_Street(config-if)#
    *Nov 25 17:44:55.011 UTC: %BGP-5-ADJCHANGE: neighbor xxx.xxx.xxx.xxx Down Interface flap
    *Nov 25 17:44:55.911 UTC: IPSEC(sa_initiate): Kicking the dialer interface
    *Nov 25 17:44:55.911 UTC: Ce0/0/0 DDR: place call
    *Nov 25 17:44:55.911 UTC: Ce0/0/0 DDR: Dialing cause ip (s=xxx.xxx.xxx.xxx, d=xxx.xxx.xxx.xxx)
    *Nov 25 17:44:55.911 UTC: Ce0/0/0 DDR: Attempting to dial cdma
    *Nov 25 17:44:55.911 UTC: CHAT0/0/0: Attempting async line dialer script
    *Nov 25 17:44:55.911 UTC: CHAT0/0/0: Dialing using Modem script: cdma & System script: none
    *Nov 25 17:44:55.911 UTC: CHAT0/0/0: process started
    *Nov 25 17:44:55.911 UTC: CHAT0/0/0: Asserting DTR
    *Nov 25 17:44:55.911 UTC: CHAT0/0/0: Chat script cdma started
    *Nov 25 17:44:55.915 UTC: IPSEC(sa_initiate): Kicking the dialer interface
    *Nov 25 17:44:56.999 UTC: %LINK-5-CHANGED: Interface Serial0/1/0:0, changed state to administratively down
    *Nov 25 17:44:56.999 UTC: Se0/1/0:0 PPP: Sending Acct Event[Down] id[1]
    *Nov 25 17:44:56.999 UTC: Se0/1/0:0 CDPCP: State is Closed
    *Nov 25 17:44:56.999 UTC: Se0/1/0:0 IPCP: State is Closed
    *Nov 25 17:44:57.003 UTC: Se0/1/0:0 PPP: Phase is TERMINATING
    *Nov 25 17:44:57.003 UTC: Se0/1/0:0 LCP: State is Closed
    *Nov 25 17:44:57.003 UTC: Se0/1/0:0 PPP: Phase is DOWN
    *Nov 25 17:44:57.003 UTC: Se0/1/0:0 IPCP: Remove route to xxx.xxx.xxx.xxx
    *Nov 25 17:44:57.007 UTC: IPSEC(sa_initiate): Kicking the dialer interface
    *Nov 25 17:44:57.099 UTC: %TRACKING-5-STATE: 1 ip sla 1 reachability Up->Down
    *Nov 25 17:44:57.811 UTC: CHAT0/0/0: Chat script cdma finished, status = Success
    *Nov 25 17:44:58.031 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1/0:0, changed state to down
    *Nov 25 17:44:58.031 UTC: IPSEC(sa_initiate): Kicking the dialer interface
    *Nov 25 17:44:58.035 UTC: IPSEC(sa_initiate): Kicking the dialer interface
    *Nov 25 17:44:58.911 UTC: IPSEC(sa_initiate): Kicking the dialer interface
    *Nov 25 17:45:00.027 UTC: %LINK-3-UPDOWN: Interface Cellular0/0/0, changed state to up
    *Nov 25 17:45:00.027 UTC: Ce0/0/0 DDR: Dialer statechange to up
    *Nov 25 17:45:00.027 UTC: Ce0/0/0 DDR: Dialer call has been placed
    *Nov 25 17:45:00.031 UTC: Ce0/0/0 PPP: Using dialer call direction
    *Nov 25 17:45:00.031 UTC: Ce0/0/0 PPP: Treating connection as a callout
    *Nov 25 17:45:00.031 UTC: Ce0/0/0 PPP: Session handle[FD000001] Session id[2]
    *Nov 25 17:45:00.031 UTC: Ce0/0/0 PPP: Phase is ESTABLISHING, Active Open
    *Nov 25 17:45:00.031 UTC: Ce0/0/0 PPP: Authorization NOT required
    *Nov 25 17:45:00.031 UTC: Ce0/0/0 PPP: No remote authentication for call-out
    *Nov 25 17:45:00.031 UTC: Ce0/0/0 LCP: O CONFREQ [Closed] id 1 len 20
    *Nov 25 17:45:00.031 UTC: Ce0/0/0 LCP:    ACCM 0x000A0000 (0x0206000A0000)
    *Nov 25 17:45:00.031 UTC: Ce0/0/0 LCP:    MagicNumber 0x13255539 (0x050613255539)
    *Nov 25 17:45:00.031 UTC: Ce0/0/0 LCP:    PFC (0x0702)
    *Nov 25 17:45:00.031 UTC: Ce0/0/0 LCP:    ACFC (0x0802)
    *Nov 25 17:45:00.031 UTC: IPSEC(sa_initiate): Kicking the dialer interface
    *Nov 25 17:45:00.035 UTC: Ce0/0/0 LCP: I CONFREQ [REQsent] id 0 len 24
    *Nov 25 17:45:00.035 UTC: Ce0/0/0 LCP:    MRU 1500 (0x010405DC)
    *Nov 25 17:45:00.035 UTC: Ce0/0/0 LCP:    ACCM 0x00000000 (0x020600000000)
    *Nov 25 17:45:00.035 UTC: Ce0/0/0 LCP:    MagicNumber 0xCD87E220 (0x0506CD87E220)
    *Nov 25 17:45:00.035 UTC: Ce0/0/0 LCP:    PFC (0x0702)
    *Nov 25 17:45:00.035 UTC: Ce0/0/0 LCP:    ACFC (0x0802)
    *Nov 25 17:45:00.035 UTC: Ce0/0/0 LCP: O CONFACK [REQsent] id 0 len 24
    *Nov 25 17:45:00.035 UTC: Ce0/0/0 LCP:    MRU 1500 (0x010405DC)
    *Nov 25 17:45:00.035 UTC: Ce0/0/0 LCP:    ACCM 0x00000000 (0x020600000000)
    *Nov 25 17:45:00.035 UTC: Ce0/0/0 LCP:    MagicNumber 0xCD87E220 (0x0506CD87E220)
    *Nov 25 17:45:00.035 UTC: Ce0/0/0 LCP:    PFC (0x0702)
    *Nov 25 17:45:00.035 UTC: Ce0/0/0 LCP:    ACFC (0x0802)
    *Nov 25 17:45:00.035 UTC: Ce0/0/0 LCP: I CONFACK [ACKsent] id 1 len 20
    *Nov 25 17:45:00.035 UTC: Ce0/0/0 LCP:    ACCM 0x000A0000 (0x0206000A0000)
    *Nov 25 17:45:00.035 UTC: Ce0/0/0 LCP:    MagicNumber 0x13255539 (0x050613255539)
    *Nov 25 17:45:00.035 UTC: Ce0/0/0 LCP:    PFC (0x0702)
    *Nov 25 17:45:00.035 UTC: Ce0/0/0 LCP:    ACFC (0x0802)
    *Nov 25 17:45:00.035 UTC: Ce0/0/0 LCP: State is Open
    *Nov 25 17:45:00.035 UTC: Ce0/0/0 PPP: Phase is FORWARDING, Attempting Forward
    *Nov 25 17:45:00.035 UTC: Ce0/0/0 PPP: Phase is ESTABLISHING, Finish LCP
    *Nov 25 17:45:00.039 UTC: Ce0/0/0 PPP: Phase is UP
    *Nov 25 17:45:00.039 UTC: Ce0/0/0 IPCP: O CONFREQ [Closed] id 1 len 22
    *Nov 25 17:45:00.039 UTC: Ce0/0/0 IPCP:    Address 0.0.0.0 (0x030600000000)
    *Nov 25 17:45:00.039 UTC: Ce0/0/0 IPCP:    PrimaryDNS 0.0.0.0 (0x810600000000)
    *Nov 25 17:45:00.039 UTC: Ce0/0/0 IPCP:    SecondaryDNS 0.0.0.0 (0x830600000000)
    *Nov 25 17:45:00.039 UTC: Ce0/0/0 PPP: Process pending ncp packets
    *Nov 25 17:45:00.039 UTC: Ce0/0/0 IPCP: I CONFREQ [REQsent] id 0 len 10
    *Nov 25 17:45:00.039 UTC: Ce0/0/0 IPCP:    Address xxx.xxx.xxx.xxx (0x030642AEA8C0)
    *Nov 25 17:45:00.039 UTC: Ce0/0/0 IPCP: O CONFACK [REQsent] id 0 len 10
    *Nov 25 17:45:00.039 UTC: Ce0/0/0 IPCP:    Address xxx.xxx.xxx.xxx (0x030642AEA8C0)
    *Nov 25 17:45:00.043 UTC: Ce0/0/0 IPCP: I CONFNAK [ACKsent] id 1 len 22
    *Nov 25 17:45:00.043 UTC: Ce0/0/0 IPCP:    Address xxx.xxx.xxx.xxx (0x0306A69F5EA9)
    *Nov 25 17:45:00.043 UTC: Ce0/0/0 IPCP:    PrimaryDNS xxx.xxx.xxx.xxx (0x810642AE4721)
    *Nov 25 17:45:00.043 UTC: Ce0/0/0 IPCP:    SecondaryDNS xxx.xxx.xxx.xxx (0x8306454E600E)
    *Nov 25 17:45:00.043 UTC: Ce0/0/0 IPCP: O CONFREQ [ACKsent] id 2 len 22
    *Nov 25 17:45:00.043 UTC: Ce0/0/0 IPCP:    Address xxx.xxx.xxx.xxx (0x0306A69F5EA9)
    *Nov 25 17:45:00.043 UTC: Ce0/0/0 IPCP:    PrimaryDNS xxx.xxx.xxx.xxx (0x810642AE4721)
    *Nov 25 17:45:00.043 UTC: Ce0/0/0 IPCP:    SecondaryDNS xxx.xxx.xxx.xxx (0x8306454E600E)
    *Nov 25 17:45:00.043 UTC: Ce0/0/0 IPCP: I CONFNAK [ACKsent] id 2 len 4
    *Nov 25 17:45:00.043 UTC: Ce0/0/0 IPCP: O CONFREQ [ACKsent] id 3 len 22
    *Nov 25 17:45:00.043 UTC: Ce0/0/0 IPCP:    Address xxx.xxx.xxx.xxx (0x0306A69F5EA9)
    *Nov 25 17:45:00.043 UTC: Ce0/0/0 IPCP:    PrimaryDNS xxx.xxx.xxx.xxx (0x810642AE4721)
    *Nov 25 17:45:00.047 UTC: Ce0/0/0 IPCP:    SecondaryDNS xxx.xxx.xxx.xxx (0x8306454E600E)
    *Nov 25 17:45:00.047 UTC: Ce0/0/0 IPCP: I CONFNAK [ACKsent] id 3 len 4
    *Nov 25 17:45:00.047 UTC: Ce0/0/0 IPCP: O CONFREQ [ACKsent] id 4 len 22
    *Nov 25 17:45:00.047 UTC: Ce0/0/0 IPCP:    Address xxx.xxx.xxx.xxx (0x0306A69F5EA9)
    *Nov 25 17:45:00.047 UTC: Ce0/0/0 IPCP:    PrimaryDNS xxx.xxx.xxx.xxx (0x810642AE4721)
    *Nov 25 17:45:00.047 UTC: Ce0/0/0 IPCP:    SecondaryDNS xxx.xxx.xxx.xxx (0x8306454E600E)
    *Nov 25 17:45:00.051 UTC: Ce0/0/0 IPCP: I CONFACK [ACKsent] id 4 len 22
    *Nov 25 17:45:00.051 UTC: Ce0/0/0 IPCP:    Address xxx.xxx.xxx.xxx (0x0306A69F5EA9)
    *Nov 25 17:45:00.051 UTC: Ce0/0/0 IPCP:    PrimaryDNS xxx.xxx.xxx.xxx (0x810642AE4721)
    *Nov 25 17:45:00.051 UTC: Ce0/0/0 IPCP:    SecondaryDNS xxx.xxx.xxx.xxx (0x8306454E600E)
    *Nov 25 17:45:00.051 UTC: Ce0/0/0 IPCP: State is Open
    *Nov 25 17:45:00.051 UTC: Ce0/0/0 IPCP: Install negotiated IP interface address xxx.xxx.xxx.xxx
    *Nov 25 17:45:00.059 UTC: IPSEC(recalculate_mtu): reset sadb_root 4975A1A8 mtu to 1500
    *Nov 25 17:45:00.063 UTC: Ce0/0/0 IPCP: Install route to xxx.xxx.xxx.xxx
    *Nov 25 17:45:00.063 UTC: Ce0/0/0 DDR: dialer protocol up
    *Nov 25 17:45:00.067 UTC: Ce0/0/0 IPCP: Add link info for cef entry xxx.xxx.xxx.xxx
    *Nov 25 17:45:01.027 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Cellular0/0/0, changed state to up
    *Nov 25 17:45:29.763 UTC:  DDR: IP Address is (xxx.xxx.xxx.xxx) for (Ce0/0/0)
    *Nov 25 17:45:29.763 UTC: IPSEC(sa_request): ,
      (key eng. msg.) OUTBOUND local= xxx.xxx.xxx.xxx, remote= xxx.xxx.xxx.xxx,
        local_proxy= 192.168.221.0/255.255.255.0/0/0 (type=4),
        remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
        protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
        lifedur= 86400s and 4608000kb,
        spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
    *Nov 25 17:45:29.767 UTC: ISAKMP:(0): SA request profile is (NULL)
    *Nov 25 17:45:29.767 UTC: ISAKMP: Created a peer struct for xxx.xxx.xxx.xxx, peer port 500
    *Nov 25 17:45:29.767 UTC: ISAKMP: New peer created peer = 0x47AC3A08 peer_handle = 0x80000002
    *Nov 25 17:45:29.767 UTC: ISAKMP: Locking peer struct 0x47AC3A08, refcount 1 for isakmp_initiator
    *Nov 25 17:45:29.767 UTC: ISAKMP: local port 500, remote port 500
    *Nov 25 17:45:29.767 UTC: ISAKMP: set new node 0 to QM_IDLE     
    *Nov 25 17:45:29.771 UTC: insert sa successfully sa = 4B6322B8
    *Nov 25 17:45:29.771 UTC: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
    *Nov 25 17:45:29.771 UTC: ISAKMP:(0):found peer pre-shared key matching xxx.xxx.xxx.xxx
    *Nov 25 17:45:29.771 UTC: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
    *Nov 25 17:45:29.771 UTC: ISAKMP:(0): constructed NAT-T vendor-07 ID
    *Nov 25 17:45:29.771 UTC: ISAKMP:(0): constructed NAT-T vendor-03 ID
    *Nov 25 17:45:29.771 UTC: ISAKMP:(0): constructed NAT-T vendor-02 ID
    *Nov 25 17:45:29.771 UTC: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    *Nov 25 17:45:29.771 UTC: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
    *Nov 25 17:45:29.771 UTC: ISAKMP:(0): beginning Main Mode exchange
    *Nov 25 17:45:29.771 UTC: ISAKMP:(0): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 500 (I) MM_NO_STATE
    *Nov 25 17:45:29.771 UTC: ISAKMP:(0):Sending an IKE IPv4 Packet.
    *Nov 25 17:45:29.927 UTC: ISAKMP (0:0): received packet from xxx.xxx.xxx.xxx dport 500 sport 500 Global (I) MM_NO_STATE
    *Nov 25 17:45:29.927 UTC: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Nov 25 17:45:29.931 UTC: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
    *Nov 25 17:45:29.931 UTC: ISAKMP:(0): processing SA payload. message ID = 0
    *Nov 25 17:45:29.931 UTC: ISAKMP:(0): processing vendor id payload
    *Nov 25 17:45:29.931 UTC: ISAKMP:(0): processing IKE frag vendor id payload
    *Nov 25 17:45:29.931 UTC: ISAKMP:(0):Support for IKE Fragmentation not enabled
    *Nov 25 17:45:29.931 UTC: ISAKMP:(0):found peer pre-shared key matching xxx.xxx.xxx.xxx
    *Nov 25 17:45:29.931 UTC: ISAKMP:(0): local preshared key found
    *Nov 25 17:45:29.931 UTC: ISAKMP : Scanning profiles for xauth ...
    *Nov 25 17:45:29.931 UTC: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
    *Nov 25 17:45:29.931 UTC: ISAKMP:      encryption 3DES-CBC
    *Nov 25 17:45:29.931 UTC: ISAKMP:      hash SHA
    *Nov 25 17:45:29.931 UTC: ISAKMP:      default group 2
    *Nov 25 17:45:29.931 UTC: ISAKMP:      auth pre-share
    *Nov 25 17:45:29.931 UTC: ISAKMP:      life type in seconds
    *Nov 25 17:45:29.931 UTC: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
    *Nov 25 17:45:29.931 UTC: ISAKMP:(0):atts are acceptable. Next payload is 0
    *Nov 25 17:45:29.931 UTC: ISAKMP:(0):Acceptable atts:actual life: 0
    *Nov 25 17:45:29.931 UTC: ISAKMP:(0):Acceptable atts:life: 0
    *Nov 25 17:45:29.931 UTC: ISAKMP:(0):Fill atts in sa vpi_length:4
    *Nov 25 17:45:29.931 UTC: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
    *Nov 25 17:45:29.931 UTC: ISAKMP:(0):Returning Actual lifetime: 86400
    *Nov 25 17:45:29.931 UTC: ISAKMP:(0)::Started lifetime timer: 86400.
    *Nov 25 17:45:29.971 UTC: ISAKMP:(0): processing vendor id payload
    *Nov 25 17:45:29.971 UTC: ISAKMP:(0): processing IKE frag vendor id payload
    *Nov 25 17:45:29.971 UTC: ISAKMP:(0):Support for IKE Fragmentation not enabled
    *Nov 25 17:45:29.971 UTC: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Nov 25 17:45:29.971 UTC: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
    *Nov 25 17:45:29.971 UTC: ISAKMP:(0): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 500 (I) MM_SA_SETUP
    *Nov 25 17:45:29.975 UTC: ISAKMP:(0):Sending an IKE IPv4 Packet.
    *Nov 25 17:45:29.975 UTC: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Nov 25 17:45:29.975 UTC: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
    *Nov 25 17:45:30.171 UTC: ISAKMP (0:0): received packet from xxx.xxx.xxx.xxx dport 500 sport 500 Global (I) MM_SA_SETUP
    *Nov 25 17:45:30.171 UTC: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Nov 25 17:45:30.171 UTC: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
    *Nov 25 17:45:30.171 UTC: ISAKMP:(0): processing KE payload. message ID = 0
    *Nov 25 17:45:30.219 UTC: ISAKMP:(0): processing NONCE payload. message ID = 0
    *Nov 25 17:45:30.219 UTC: ISAKMP:(0):found peer pre-shared key matching xxx.xxx.xxx.xxx
    *Nov 25 17:45:30.223 UTC: ISAKMP:(1001): processing vendor id payload
    *Nov 25 17:45:30.223 UTC: ISAKMP:(1001): vendor ID is Unity
    *Nov 25 17:45:30.223 UTC: ISAKMP:(1001): processing vendor id payload
    *Nov 25 17:45:30.223 UTC: ISAKMP:(1001): vendor ID seems Unity/DPD but major 71 mismatch
    *Nov 25 17:45:30.223 UTC: ISAKMP:(1001): vendor ID is XAUTH
    *Nov 25 17:45:30.223 UTC: ISAKMP:(1001): processing vendor id payload
    *Nov 25 17:45:30.223 UTC: ISAKMP:(1001): speaking to another IOS box!
    *Nov 25 17:45:30.223 UTC: ISAKMP:(1001): processing vendor id payload
    *Nov 25 17:45:30.223 UTC: ISAKMP:(1001):vendor ID seems Unity/DPD but hash mismatch
    *Nov 25 17:45:30.223 UTC: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Nov 25 17:45:30.223 UTC: ISAKMP:(1001):Old State = IKE_I_MM4  New State = IKE_I_MM4
    *Nov 25 17:45:30.223 UTC: ISAKMP:(1001):Send initial contact
    *Nov 25 17:45:30.223 UTC: ISAKMP:(1001):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
    *Nov 25 17:45:30.223 UTC: ISAKMP (0:1001): ID payload
            next-payload : 8
            type         : 1
            address      : xxx.xxx.xxx.xxx
            protocol     : 17
            port         : 500
            length       : 12
    *Nov 25 17:45:30.223 UTC: ISAKMP:(1001):Total payload length: 12
    *Nov 25 17:45:30.227 UTC: ISAKMP:(1001): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 500 (I) MM_KEY_EXCH
    *Nov 25 17:45:30.227 UTC: ISAKMP:(1001):Sending an IKE IPv4 Packet.
    *Nov 25 17:45:30.227 UTC: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Nov 25 17:45:30.227 UTC: ISAKMP:(1001):Old State = IKE_I_MM4  New State = IKE_I_MM5
    *Nov 25 17:45:30.495 UTC: ISAKMP (0:1001): received packet from xxx.xxx.xxx.xxx dport 500 sport 500 Global (I) MM_KEY_EXCH
    *Nov 25 17:45:30.495 UTC: ISAKMP:(1001): processing ID payload. message ID = 0
    *Nov 25 17:45:30.495 UTC: ISAKMP (0:1001): ID payload
            next-payload : 8
            type         : 1
            address      : xxx.xxx.xxx.xxx
            protocol     : 17
            port         : 500
            length       : 12
    *Nov 25 17:45:30.495 UTC: ISAKMP:(0):: peer matches *none* of the profiles
    *Nov 25 17:45:30.495 UTC: ISAKMP:(1001): processing HASH payload. message ID = 0
    *Nov 25 17:45:30.495 UTC: ISAKMP:received payload type 17
    *Nov 25 17:45:30.495 UTC: ISAKMP:(1001): processing vendor id payload
    *Nov 25 17:45:30.495 UTC: ISAKMP:(1001): vendor ID is DPD
    *Nov 25 17:45:30.495 UTC: ISAKMP:(1001):SA authentication status:
            authenticated
    *Nov 25 17:45:30.495 UTC: ISAKMP:(1001):SA has been authenticated with xxx.xxx.xxx.xxx
    *Nov 25 17:45:30.495 UTC: ISAKMP: Trying to insert a peer xxx.xxx.xxx.xxx/xxx.xxx.xxx.xxx/500/,  and inserted successfully 47AC3A08.
    *Nov 25 17:45:30.495 UTC: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Nov 25 17:45:30.499 UTC: ISAKMP:(1001):Old State = IKE_I_MM5  New State = IKE_I_MM6
    *Nov 25 17:45:30.499 UTC: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Nov 25 17:45:30.499 UTC: ISAKMP:(1001):Old State = IKE_I_MM6  New State = IKE_I_MM6
    *Nov 25 17:45:30.499 UTC: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Nov 25 17:45:30.499 UTC: ISAKMP:(1001):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
    *Nov 25 17:45:30.499 UTC: ISAKMP:(1001):beginning Quick Mode exchange, M-ID of 458622291
    *Nov 25 17:45:30.503 UTC: ISAKMP:(1001):QM Initiator gets spi
    *Nov 25 17:45:30.503 UTC: ISAKMP:(1001): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 500 (I) QM_IDLE     
    *Nov 25 17:45:30.503 UTC: ISAKMP:(1001):Sending an IKE IPv4 Packet.
    *Nov 25 17:45:30.503 UTC: ISAKMP:(1001):Node 458622291, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
    *Nov 25 17:45:30.503 UTC: ISAKMP:(1001):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
    *Nov 25 17:45:30.503 UTC: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
    *Nov 25 17:45:30.503 UTC: ISAKMP:(1001):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
    *Nov 25 17:45:30.715 UTC: ISAKMP (0:1001): received packet from xxx.xxx.xxx.xxx dport 500 sport 500 Global (I) QM_IDLE     
    *Nov 25 17:45:30.715 UTC: ISAKMP:(1001): processing HASH payload. message ID = 458622291
    *Nov 25 17:45:30.715 UTC: ISAKMP:(1001): processing SA payload. message ID = 458622291
    *Nov 25 17:45:30.715 UTC: ISAKMP:(1001):Checking IPSec proposal 1
    *Nov 25 17:45:30.715 UTC: ISAKMP: transform 1, ESP_3DES
    *Nov 25 17:45:30.715 UTC: ISAKMP:   attributes in transform:
    *Nov 25 17:45:30.715 UTC: ISAKMP:      SA life type in seconds
    *Nov 25 17:45:30.715 UTC: ISAKMP:      SA life duration (VPI) of  0x0 0x1 0x51 0x80
    *Nov 25 17:45:30.715 UTC: ISAKMP:      SA life type in kilobytes
    *Nov 25 17:45:30.715 UTC: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
    *Nov 25 17:45:30.715 UTC: ISAKMP:      encaps is 1 (Tunnel)
    *Nov 25 17:45:30.715 UTC: ISAKMP:      authenticator is HMAC-SHA
    *Nov 25 17:45:30.715 UTC: ISAKMP:(1001):atts are acceptable.
    *Nov 25 17:45:30.715 UTC: IPSEC(validate_proposal_request): proposal part #1
    *Nov 25 17:45:30.715 UTC: IPSEC(validate_proposal_request): proposal part #1,
      (key eng. msg.) INBOUND local= xxx.xxx.xxx.xxx, remote= xxx.xxx.xxx.xxx,
        local_proxy= 192.168.221.0/255.255.255.0/0/0 (type=4),
        remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
        protocol= ESP, transform= NONE  (Tunnel),
        lifedur= 0s and 0kb,
        spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
    *Nov 25 17:45:30.715 UTC: Crypto mapdb : proxy_match
            src addr     : 192.168.221.0
            dst addr     : 0.0.0.0
            protocol     : 0
            src port     : 0
            dst port     : 0
    *Nov 25 17:45:30.715 UTC: ISAKMP:(1001): processing NONCE payload. message ID = 458622291
    *Nov 25 17:45:30.715 UTC: ISAKMP:(1001): processing ID payload. message ID = 458622291
    *Nov 25 17:45:30.715 UTC: ISAKMP:(1001): processing ID payload. message ID = 458622291
    *Nov 25 17:45:30.719 UTC: ISAKMP:(1001): processing NOTIFY RESPONDER_LIFETIME protocol 3
            spi 399189113, message ID = 458622291, sa = 4B6322B8
    *Nov 25 17:45:30.719 UTC: ISAKMP:(1001):SA authentication status:
            authenticated
    *Nov 25 17:45:30.719 UTC: ISAKMP:(1001): processing responder lifetime
    *Nov 25 17:45:30.719 UTC: ISAKMP (1001): responder lifetime of 28800s
    *Nov 25 17:45:30.719 UTC: ISAKMP:(1001): Creating IPSec SAs
    *Nov 25 17:45:30.719 UTC:         inbound SA from xxx.xxx.xxx.xxx to xxx.xxx.xxx.xxx (f/i)  0/ 0
            (proxy 0.0.0.0 to 192.168.221.0)
    *Nov 25 17:45:30.719 UTC:         has spi 0x498026E2 and conn_id 0
    *Nov 25 17:45:30.719 UTC:         lifetime of 28790 seconds
    *Nov 25 17:45:30.719 UTC:         lifetime of 4608000 kilobytes
    *Nov 25 17:45:30.719 UTC:         outbound SA from xxx.xxx.xxx.xxx to xxx.xxx.xxx.xxx (f/i) 0/0
            (proxy 192.168.221.0 to 0.0.0.0)
    *Nov 25 17:45:30.719 UTC:         has spi  0x17CB2479 and conn_id 0
    *Nov 25 17:45:30.719 UTC:         lifetime of 28790 seconds
    *Nov 25 17:45:30.719 UTC:         lifetime of 4608000 kilobytes
    *Nov 25 17:45:30.719 UTC: ISAKMP:(1001): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 500 (I) QM_IDLE     
    *Nov 25 17:45:30.719 UTC: ISAKMP:(1001):Sending an IKE IPv4 Packet.
    *Nov 25 17:45:30.723 UTC: ISAKMP:(1001):deleting node 458622291 error FALSE reason "No Error"
    *Nov 25 17:45:30.723 UTC: ISAKMP:(1001):Node 458622291, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
    *Nov 25 17:45:30.723 UTC: ISAKMP:(1001):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
    *Nov 25 17:45:30.723 UTC: IPSEC(key_engine): got a queue event with 1 KMI message(s)
    *Nov 25 17:45:30.723 UTC: Crypto mapdb : proxy_match
            src addr     : 192.168.221.0
            dst addr     : 0.0.0.0
            protocol     : 0
            src port     : 0
            dst port     : 0
    *Nov 25 17:45:30.723 UTC: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer xxx.xxx.xxx.xxx
    *Nov 25 17:45:30.723 UTC: IPSEC(policy_db_add_ident): src 192.168.221.0, dest 0.0.0.0, dest_port 0
    *Nov 25 17:45:30.723 UTC: IPSEC(create_sa): sa created,
      (sa) sa_dest= xxx.xxx.xxx.xxx, sa_proto= 50,
        sa_spi= 0x498026E2(1233135330),
        sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2001
    *Nov 25 17:45:30.723 UTC: IPSEC(create_sa): sa created,
      (sa) sa_dest= xxx.xxx.xxx.xxx, sa_proto= 50,
        sa_spi= 0x17CB2479(399189113),
        sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2002
    *Nov 25 17:45:30.723 UTC: IPSEC(update_current_outbound_sa): updated peer xxx.xxx.xxx.xxx current outbound sa to SPI 17CB2479
    *Nov 25 17:45:46.935 UTC: ISAKMP (0:1001): received packet from xxx.xxx.xxx.xxx dport 500 sport 500 Global (I) QM_IDLE     
    *Nov 25 17:45:46.935 UTC: ISAKMP: set new node -1909459720 to QM_IDLE     
    *Nov 25 17:45:46.939 UTC: ISAKMP:(1001): processing HASH payload. message ID = -1909459720
    *Nov 25 17:45:46.939 UTC: ISAKMP:(1001): processing NOTIFY DPD/R_U_THERE protocol 1
            spi 0, message ID = -1909459720, sa = 4B6322B8
    *Nov 25 17:45:46.939 UTC: ISAKMP:(1001):deleting node -1909459720 error FALSE reason "Informational (in) state 1"
    *Nov 25 17:45:46.939 UTC: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
    *Nov 25 17:45:46.939 UTC: ISAKMP:(1001):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
    *Nov 25 17:45:46.939 UTC: ISAKMP:(1001):DPD/R_U_THERE received from peer xxx.xxx.xxx.xxx, sequence 0x7BDFE4C6
    *Nov 25 17:45:46.939 UTC: ISAKMP: set new node -777989143 to QM_IDLE     
    *Nov 25 17:45:46.939 UTC: ISAKMP:(1001):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
            spi 1224841120, message ID = -777989143
    *Nov 25 17:45:46.939 UTC: ISAKMP:(1001): seq. no 0x7BDFE4C6
    *Nov 25 17:45:46.939 UTC: ISAKMP:(1001): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 500 (I) QM_IDLE     
    *Nov 25 17:45:46.939 UTC: ISAKMP:(1001):Sending an IKE IPv4 Packet.
    *Nov 25 17:45:46.939 UTC: ISAKMP:(1001):purging node -777989143
    *Nov 25 17:45:46.943 UTC: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
    *Nov 25 17:45:46.943 UTC: ISAKMP:(1001):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
    And here is the config:
    Building configuration...
    Current configuration : 10137 bytes
    version 12.4
    service pad to-xot
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec show-timezone
    service timestamps log datetime msec show-timezone
    service password-encryption
    hostname Test
    boot-start-marker
    boot-end-marker
    card type t1 0 1
    logging message-counter syslog
    logging buffered 4096
    aaa new-model
    aaa authentication login default local
    aaa authentication ppp network local-case
    aaa authorization console
    aaa authorization exec default local
    aaa session-id common
    clock timezone EST -5
    clock summer-time EDT recurring
    network-clock-participate wic 1
    network-clock-select 1 T1 0/1/0
    dot11 syslog
    no ip source-route
    ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.121.1 192.168.121.99
    ip dhcp excluded-address 192.168.121.200 192.168.121.254
    ip dhcp excluded-address 192.168.221.1 192.168.221.99
    ip dhcp excluded-address 192.168.221.200 192.168.221.254
    ip dhcp pool Voice
       network 192.168.121.0 255.255.255.0
       option 150 ip 10.101.90.6
       default-router 192.168.121.254
    ip dhcp pool Data
       network 192.168.221.0 255.255.255.0
       default-router 192.168.221.254
       dns-server 10.1.90.189 10.5.100.30
    no ip bootp server
    no ip domain lookup
    ip domain name xxxxxx
    ip multicast-routing
    no ipv6 cef
    multilink bundle-name authenticated
    chat-script cdma "" "ATDT#777" TIMEOUT 60 "CONNECT"
    voice service voip
    allow-connections h323 to h323
    allow-connections h323 to sip
    allow-connections sip to h323
    allow-connections sip to sip
    no supplementary-service sip moved-temporarily
    fax protocol pass-through g711ulaw
    no fax-relay sg3-to-g3
    h323
    modem passthrough nse codec g711ulaw
    sip
      header-passing error-passthru
       outbound-proxy ipv4:xxx.xxx.xxx.xxx
      early-offer forced
      midcall-signaling passthru
    voice class codec 1
    codec preference 1 g711ulaw
    codec preference 2 g729r8
    voice class h323 1
    h225 timeout tcp establish 3
    voice translation-rule 1
    rule 1 // // type any international
    voice translation-rule 3
    rule 1 /^8/ //
    voice translation-profile International
    translate called 1
    voice translation-profile OutboundRedirecting
    translate called 3
    voice-card 0
    no dspfarm
    dsp services dspfarm
    username xx
    archive
    log config
      hidekeys
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    crypto isakmp key xxxxxxxxx address xxx.xxx.xxx.xxx
    crypto ipsec transform-set CellFOSet esp-3des esp-sha-hmac
    crypto map CellFOMap 1 ipsec-isakmp
    set peer xxx.xxx.xxx.xxx
    set security-association lifetime seconds 190
    set transform-set CellFOSet
    match address 100
    controller T1 0/1/0
    framing esf
    linecode b8zs
    cablelength long 0db
    channel-group 0 timeslots 1-24
    ip tftp source-interface FastEthernet0/0.1
    track 1 ip sla 1 reachability
    class-map match-all VOICE
    match ip dscp ef
    class-map match-any VOICE-CTRL
    match ip dscp af31
    match ip dscp cs3
    policy-map WAN-EDGE
    class VOICE
        priority 384
      set ip dscp ef
    class VOICE-CTRL
      set ip dscp af21
        bandwidth 32
    class class-default
        fair-queue
      set ip dscp default
    interface Loopback0
    ip address 192.168.222.21 255.255.255.255
    h323-gateway voip interface
    h323-gateway voip bind srcaddr 192.168.222.21
    interface FastEthernet0/0
    description Physical Interface for Data VLAN 10 and Voice VLAN 20
    no ip address
    ip flow ingress
    ip pim sparse-dense-mode
    no ip route-cache cef
    duplex auto
    speed auto
    interface FastEthernet0/0.1
    description Interface to Data VLAN 10
    encapsulation dot1Q 10
    ip address 192.168.221.254 255.255.255.0
    no ip redirects
    no ip unreachables
    ip flow ingress
    ip flow egress
    ip pim sparse-dense-mode
    ip virtual-reassembly
    no cdp enable
    interface FastEthernet0/0.2
    description Interface to Voice VLAN 20
    encapsulation dot1Q 20
    ip address 192.168.121.254 255.255.255.0
    no ip redirects
    no ip unreachables
    ip flow ingress
    ip flow egress
    ip pim sparse-dense-mode
    no cdp enable
    interface FastEthernet0/1
    description Unused port
    no ip address
    shutdown
    duplex auto
    speed auto
    no cdp enable
    interface Cellular0/0/0
    ip address negotiated
    ip virtual-reassembly
    encapsulation ppp
    dialer in-band
    dialer string cdma
    dialer-group 1
    async mode interactive
    ppp chap hostname [email protected]
    ppp chap password 7 xxxxxxxxxxxxxxxx
    ppp ipcp dns request
    crypto map CellFOMap
    interface Serial0/1/0:0
    ip address xxx.xxx.xxx.xxx 255.255.255.252
    ip flow ingress
    ip flow egress
    encapsulation ppp
    service-policy output WAN-EDGE
    router bgp 65000
    no synchronization
    bgp log-neighbor-changes
    bgp suppress-inactive
    network xxx.xxx.xxx.xxx mask 255.255.255.252
    network 192.168.121.0
    network 192.168.221.0
    network 192.168.222.21 mask 255.255.255.255
    neighbor xxx.xxx.xxx.xxx remote-as 15270
    default-information originate
    no auto-summary
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 Serial0/1/0:0 track 1
    ip route 0.0.0.0 0.0.0.0 Cellular0/0/0 20
    no ip http server
    no ip http secure-server
    ip flow-export source FastEthernet0/0.1
    ip flow-export version 5
    ip flow-export destination 10.1.90.25 2055
    ip nat inside source list 100 interface Cellular0/0/0 overload
    ip access-list standard MON_SNMP_RO
    permit xxx.xxx.xxx.xxx
    permit xxx.xxx.xxx.xxx
    permit xxx.xxx.xxx.xxx
    permit xxx.xxx.xxx.xxx
    ip radius source-interface FastEthernet0/0.1
    ip sla 1
    icmp-echo xxx.xxx.xxx.xxx
    timeout 1000
    threshold 2
    frequency 3
    ip sla schedule 1 life forever start-time now
    logging trap notifications
    logging 10.1.90.167
    access-list 100 remark = FO to C0/0/0 for Branch =
    access-list 100 permit ip 192.168.221.0 0.0.0.255 any
    access-list 100 permit ip any any
    access-list 100 deny   eigrp any any
    access-list 100 deny   igmp any any
    dialer-list 1 protocol ip list 100
    snmp-server community xxx RO
    snmp-server enable traps tty
    <----------  Truncated to remove VoIP Rules -------------->
    banner motd ^C
    This is a proprietary system.
    ^C
    line con 0
    line aux 0
    line 0/0/0
    script dialer cdma
    modem InOut
    no exec
    rxspeed 3100000
    txspeed 1800000
    line vty 0 4
    transport input telnet
    line vty 5 15
    transport input telnet
    scheduler allocate 20000 1000
    ntp server 10.1.99.5
    end

    Hi,
    Here are the configurations from my lab ASA5520 with dual ISP
    interface GigabitEthernet0/0
    description Primary ISP
    nameif WAN-1
    security-level 0
    ip address 192.168.101.2 255.255.255.0
    interface GigabitEthernet0/1
    description Secondary ISP
    nameif WAN-2
    security-level 0
    ip address 192.168.102.2 255.255.255.0
    interface GigabitEthernet0/2
    description LAN
    nameif LAN
    security-level 100
    ip address 10.0.20.2 255.255.255.0
    route WAN-1 0.0.0.0 0.0.0.0 192.168.101.1 1 track 200
    route WAN-2 0.0.0.0 0.0.0.0 192.168.102.1 254
    route LAN 10.0.0.0 255.255.255.0 10.0.20.1 1
    access-list L2L-VPN-CRYPTOMAP remark Encryption Domain
    access-list L2L-VPN-CRYPTOMAP extended permit ip 10.0.0.0 255.255.255.0 10.10.10.0 255.255.255.0
    access-list LAN-NAT0 extended permit ip 10.0.0.0 255.255.255.0 10.10.10.0 255.255.255.0
    nat (LAN) 0 access-list LAN-NAT0
    sla monitor 200
    type echo protocol ipIcmpEcho 192.168.101.1 interface WAN-1
    num-packets 3
    timeout 1000
    frequency 5
    sla monitor schedule 200 life forever start-time now
    track 200 rtr 200 reachability
    crypto ipsec transform-set AES-256 esp-aes-256 esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map CRYPTOMAP 10 match address L2L-VPN-CRYPTOMAP
    crypto map CRYPTOMAP 10 set peer 192.168.103.2
    crypto map CRYPTOMAP 10 set transform-set AES-256
    crypto map CRYPTOMAP interface WAN-1
    crypto map CRYPTOMAP interface WAN-2
    crypto isakmp enable WAN-1
    crypto isakmp enable WAN-2
    crypto isakmp policy 10
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 28800
    tunnel-group 192.168.103.2 type ipsec-l2l
    tunnel-group 192.168.103.2 ipsec-attributes
    pre-shared-key *****
    Hope this helps
    - Jouni

  • Is it possible in IOS to have two static routes for the same subnet, one a higher priority and "failover" between the 2?

    Hi All
    Is it possible in IOS to have for a particular subnet:
    a) Two static routes?
    b) Make one static route a higher priority than the other?
    c) If one static route "goes down", failover to the lower priority static route?
    We have a l2tp/vpdn connection to a supplier which can be accessed via two vlans/routes. I would like to make one route the preferred one but the "route" to failover if the preferred route goes down.
    Again, many thanks in advance for all responses!
    Thanks
    John

    Hi John,
    Hope the below explanation will help you...
    R1(config)# ip route 0.0.0.0 0.0.0.0 2.2.2.2
    R1(config)# ip route 0.0.0.0 0.0.0.0 3.3.3.3 10
    If you notice the Administrative Distance for the secondary route pointing to ISP2 is increased to 10 so that it becomes the backup link.
    The above configuration with just two floating static routes partially accomplishes our requirement, as it will work only in the scenario where the router's interfaces connected to the WAN link are in up/down or down/down status. But in a lot of situations we see that even though the links remain up, we are not able to reach the gateway; this usually happens when the issue is at the ISP side.
    In such scenarios, IP SLAs become an engineer's best friend. With around six additional IOS commands we can have a more reliable automatic failover environment.
    Using IP SLA the Cisco IOS gets the ability to use Internet Control Message Protocol (ICMP) pings to identify when a WAN link goes down at the remote end and hence allows the initiation of a backup connection from an alternative port. The Reliable Static Routing Backup using Object Tracking feature can ensure reliable backup in the case of several catastrophic events, such as Internet circuit failure or peer device failure.
    IP SLA is configured to ping a target, such as a publicly routable IP address or a target inside the corporate network or your next-hop IP on the ISP's router. The pings are routed from the primary interface only. Following is a sample configuration of IP SLA to generate ICMP pings targeted at ISP1's next-hop IP.
    R1(config)# ip sla 1
    R1(config)# icmp-echo 2.2.2.2 source-interface FastEthernet0/0
    R1(config)# timeout 1000
    R1(config)# threshold 2
    R1(config)# frequency 3
    R1(config)# ip sla schedule 1 life forever start-time now
    The above configuration defines and starts an IP SLA probe.
    The ICMP Echo probe sends an ICMP Echo packet to next-hop IP 2.2.2.2 every 3 seconds, as defined by the “frequency” parameter.
    Timeout sets the amount of time (in milliseconds) for which the Cisco IOS IP SLAs operation waits for a response from its request packet.
    Threshold sets the rising threshold that generates a reaction event and stores history information for the Cisco IOS IP SLAs operation.
    After defining the IP SLA operation our next step is to define an object that tracks the SLA probe. This can be accomplished by using the IOS Track Object as shown below:
    R1(config)# track 1 ip sla 1 reachability
    The above command will track the state of the IP SLA operation. If there are no ping responses from the next-hop IP, the track will go down, and it will come up when the IP SLA operation starts receiving ping responses.
    To verify the track status, use the “show track” command as shown below:
    R1# show track
    Track 1
    IP SLA 1 reachability
    Reachability is Down
    1 change, last change 00:03:19
    Latest operation return code: Unknown
    The above output shows that the track status is down. Every IP SLAs operation maintains an operation return-code value. This return code is interpreted by the tracking process. The return code may return OK, OverThreshold, and several other return codes.
    Different operations may have different return-code values, so only values common to all operation types are used. The below table shows the track states as per the IP SLA return code.
    Tracking      | Return Code               | Track State
    Reachability  | OK or over threshold      | Up
                  | (all other return codes)  | Down
    The last step in the IP SLA Reliable Static Route configuration is to add the “track” statement to the default routes pointing to the ISP routers as shown below:
    R1(config)# ip route 0.0.0.0 0.0.0.0 2.2.2.2 track 1
    R1(config)# ip route 0.0.0.0 0.0.0.0 3.3.3.3 10
    The track number keyword and argument combination specifies that the static route will be installed only if the state of the configured track object is up. Hence if the track status is down the secondary route will be used to forward all the traffic.
    Please rate the helpful posts.
    Regards,
    Naidu.
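Added example (not part of the post above and not Cisco code): a small Python model of the behaviour the post describes, which parses the `ip route` lines and `show track` output, applies the return-code table, and reports which default route is installed. The function names, the embedded sample text and the `Timeout` return code are constructed for illustration, and the model assumes no `delay` on the track object and ignores interface state.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input, modelled on the commands and output quoted in the post.
CONFIG = """\
track 1 ip sla 1 reachability
ip route 0.0.0.0 0.0.0.0 2.2.2.2 track 1
ip route 0.0.0.0 0.0.0.0 3.3.3.3 10
"""

SHOW_TRACK = """\
Track 1
  IP SLA 1 reachability
  Reachability is Down
    1 change, last change 00:03:19
  Latest operation return code: Unknown
"""


@dataclass
class StaticRoute:
    prefix: str
    mask: str
    next_hop: str                 # next-hop IP or exit interface
    distance: int = 1             # default administrative distance of a static route
    track: Optional[int] = None   # track object the route depends on, if any


# Only the forms used on this page: optional distance, then optional "track N".
ROUTE_RE = re.compile(r"^ip route (\S+) (\S+) (\S+)(?: (\d+))?(?: track (\d+))?$")

# Per the table in the post: for reachability tracking these two codes mean Up.
UP_CODES = {"ok", "overthreshold"}


def parse_static_routes(config: str) -> List[StaticRoute]:
    """Extract static routes with their distance and track object."""
    routes = []
    for line in config.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            prefix, mask, hop, dist, track = m.groups()
            routes.append(StaticRoute(prefix, mask, hop,
                                      int(dist) if dist else 1,
                                      int(track) if track else None))
    return routes


def parse_show_track(output: str) -> Dict[int, bool]:
    """Map track object number -> True when the output says 'Reachability is Up'."""
    states: Dict[int, bool] = {}
    current = None
    for raw in output.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"Track (\d+)", line)
        if m:
            current = int(m.group(1))
            continue
        m = re.match(r"Reachability is (Up|Down)\b", line)
        if m and current is not None:
            states[current] = m.group(1) == "Up"
    return states


def reachability_up(return_code: str) -> bool:
    """Apply the return-code table: OK / over threshold -> Up, anything else -> Down."""
    return return_code.replace(" ", "").lower() in UP_CODES


def active_route(routes: List[StaticRoute],
                 track_states: Dict[int, bool]) -> Optional[StaticRoute]:
    """Lowest-distance route whose track object (if any) is Up; unknown tracks count as Down."""
    eligible = [r for r in routes
                if r.track is None or track_states.get(r.track, False)]
    return min(eligible, key=lambda r: r.distance, default=None)


def simulate(routes: List[StaticRoute], track_id: int,
             return_codes: List[str]) -> List[Optional[str]]:
    """Next hop in use after each probe result (no track delay modelled)."""
    hops = []
    for code in return_codes:
        route = active_route(routes, {track_id: reachability_up(code)})
        hops.append(route.next_hop if route else None)
    return hops


if __name__ == "__main__":
    routes = parse_static_routes(CONFIG)
    print(active_route(routes, parse_show_track(SHOW_TRACK)))
    print(simulate(routes, 1, ["OK", "OverThreshold", "Timeout", "OK"]))
```

In this model a probe that exceeds the 2 ms threshold still keeps the primary route, while a single probe with any other return code moves traffic to the backup until the next successful probe.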

  • Cisco ASA 5505 Blocking LAN Domain Queries

    Hi guys,
    Okay, my scenario: datacentre hosted system with 4 servers connected to a Cisco ASA5505. Everything was working fine with 4x Windows Server 2003 machines, but since pulling 2 out and replacing them with Windows Server 2008 machines I get a flood of the error below, and it blocks communications back to the IP listed, which is the domain controller, so naturally this makes the 2 new servers unusable.
    1: they are all connected to the inside VLAN directly via the ASA's switch ports.
    2: they are all in the same 255.255.255.0 subnet including the ASA inside interface
    3: removing the gateway on the affected machines makes no difference; the ASA continues to block it, which indicates that whether or not the machines use the ASA as a gateway, it's inspecting the traffic and blocking
    I have posted the error below and my config. It's strange that it's only affecting the new Server 2008 machines, and I'm hoping you can offer suggestions.
    Errors:
    2      Dec 08 2012      12:02:41      106007      10.50.15.117      55068      DNS            Deny inbound UDP from 10.50.15.117/55068 to 10.50.15.5/53 due to DNS Query
    Result of the command: "show run"
    : Saved
    ASA Version 8.2(1)
    hostname xxxxx-ASA5505
    domain-name xxx.local
    enable password
    passwd
    names
    name 10.50.17.0 Hobart description Hobart
    name 10.50.16.0 Launceston description Launceston
    name 10.50.18.0 Burnie description Burnie
    name 10.50.24.0 Devonport description Devonport
    name 10.50.23.0 burniewilmot description burniewilmot
    name 10.50.35.0 Warrnamboolmain description warrnamboolmain
    name 10.50.30.0 hamilton description hamilton
    name 10.50.20.0 Portland description Portland
    name 10.50.31.0 Camperdown description Camperdown
    name 10.50.32.0 wboolsh description wboolsh
    name 10.50.33.0 wblthy description wblthy
    dns-guard
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.50.15.254 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 111.223.228.154 255.255.255.248
    interface Vlan5
    no forward interface Vlan1
    nameif dmz
    security-level 50
    ip address dhcp
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    clock timezone EST 10
    clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
    dns server-group DefaultDNS
    domain-name xxx.local
    object-group service IpPrinting tcp
    port-object eq 9100
    object-group icmp-type icmp
    icmp-object alternate-address
    icmp-object conversion-error
    icmp-object echo
    icmp-object echo-reply
    icmp-object information-reply
    icmp-object information-request
    icmp-object mask-reply
    icmp-object mask-request
    icmp-object mobile-redirect
    icmp-object parameter-problem
    icmp-object redirect
    icmp-object router-advertisement
    icmp-object router-solicitation
    icmp-object source-quench
    icmp-object time-exceeded
    icmp-object timestamp-reply
    icmp-object timestamp-request
    icmp-object traceroute
    icmp-object unreachable
    object-group network dns_servers
    network-object host 10.50.15.5
    object-group service domain udp
    port-object eq domain
    object-group protocol DM_INLINE_PROTOCOL_1
    protocol-object udp
    protocol-object tcp
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    access-list inside_access_in extended permit ip any any
    access-list inside_access_in extended permit tcp any any eq domain
    access-list inside_access_in extended permit udp any any object-group domain
    access-list outside_access_in extended permit ip any any inactive
    access-list outside_access_in extended permit tcp any 111.223.228.152 255.255.255.248 eq smtp
    access-list outside_access_in extended permit tcp any 111.223.228.152 255.255.255.248 eq www
    access-list vpnusers_splitTunnelAcl standard permit 111.223.231.120 255.255.255.248
    access-list inside_nat0_outbound extended permit ip 111.223.231.120 255.255.255.248 14.0.0.0 255.255.255.240
    access-list inside_nat0_outbound extended permit ip 111.223.231.120 255.255.255.248 111.223.228.152 255.255.255.248
    access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 111.223.228.152 255.255.255.248
    access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 Hobart 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 Warrnamboolmain 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 Launceston 255.255.255.0
    access-list inside_nat0_outbound extended permit ip any 14.0.0.0 255.255.255.240
    access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 Burnie 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 Devonport 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 burniewilmot 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 hamilton 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 Portland 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 Camperdown 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 wboolsh 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 wblthy 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 10.50.15.0 255.255.255.0 Hobart 255.255.255.0
    access-list outside_1_cryptomap_1 extended permit ip 10.50.15.0 255.255.255.0 Launceston 255.255.255.0
    access-list outside_2_cryptomap extended permit ip 10.50.15.0 255.255.255.0 Burnie 255.255.255.0
    access-list outside_3_cryptomap extended permit ip 10.50.15.0 255.255.255.0 Hobart 255.255.255.0
    access-list outside_4_cryptomap extended permit ip 10.50.15.0 255.255.255.0 burniewilmot 255.255.255.0
    access-list outside_5_cryptomap extended permit ip 10.50.15.0 255.255.255.0 Warrnamboolmain 255.255.255.0
    access-list outside_6_cryptomap extended permit ip 10.50.15.0 255.255.255.0 hamilton 255.255.255.0
    access-list outside_7_cryptomap extended permit ip 10.50.15.0 255.255.255.0 Portland 255.255.255.0
    access-list outside_8_cryptomap extended permit ip 10.50.15.0 255.255.255.0 Camperdown 255.255.255.0
    access-list outside_9_cryptomap extended permit ip 10.50.15.0 255.255.255.0 wboolsh 255.255.255.0
    access-list outside_10_cryptomap extended permit ip 10.50.15.0 255.255.255.0 wblthy 255.255.255.0
    access-list dmz_access_in extended permit tcp any interface outside eq www inactive
    access-list dmz_access_in extended permit tcp any 111.223.228.152 255.255.255.248 eq smtp
    pager lines 24
    logging enable
    logging asdm warnings
    mtu inside 1300
    mtu outside 1300
    mtu dmz 1500
    ip local pool vpnclient 14.0.0.1-14.0.0.15 mask 255.0.0.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 10.50.15.0 255.255.255.0
    static (outside,inside) tcp 10.50.15.5 www 0.0.0.0 www netmask 255.255.255.255
    static (inside,outside) tcp interface www 10.50.15.5 www netmask 255.255.255.255  dns
    static (inside,outside) tcp interface smtp 10.50.15.5 smtp netmask 255.255.255.255  dns
    static (inside,inside) 10.50.15.0 255.255.255.0 netmask 255.255.255.255
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    access-group dmz_access_in in interface dmz
    route outside 0.0.0.0 0.0.0.0 111.223.228.153 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication enable console LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 0.0.0.0 0.0.0.0 outside
    http 10.50.15.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set esp-des-sha esp-des esp-sha-hmac
    crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto ipsec df-bit clear-df outside
    crypto dynamic-map outside_dyn_map 1 set transform-set ESP-3DES-MD5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer 58.96.86.56
    crypto map outside_map 1 set transform-set esp-des-sha
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map0 1 match address outside_1_cryptomap_1
    crypto map outside_map0 1 set peer 59.167.207.106
    crypto map outside_map0 1 set transform-set ESP-3DES-SHA
    crypto map outside_map0 2 match address outside_2_cryptomap
    crypto map outside_map0 2 set peer 59.167.204.53
    crypto map outside_map0 2 set transform-set ESP-3DES-SHA
    crypto map outside_map0 3 match address outside_3_cryptomap
    crypto map outside_map0 3 set pfs
    crypto map outside_map0 3 set peer 203.45.159.34
    crypto map outside_map0 3 set transform-set ESP-3DES-SHA
    crypto map outside_map0 4 match address outside_4_cryptomap
    crypto map outside_map0 4 set peer 203.45.134.39
    crypto map outside_map0 4 set transform-set ESP-3DES-SHA
    crypto map outside_map0 5 match address outside_5_cryptomap
    crypto map outside_map0 5 set peer 58.96.75.47
    crypto map outside_map0 5 set transform-set ESP-3DES-SHA
    crypto map outside_map0 6 match address outside_6_cryptomap
    crypto map outside_map0 6 set peer 58.96.85.151
    crypto map outside_map0 6 set transform-set ESP-3DES-SHA
    crypto map outside_map0 7 match address outside_7_cryptomap
    crypto map outside_map0 7 set peer 58.96.78.238
    crypto map outside_map0 7 set transform-set ESP-3DES-SHA
    crypto map outside_map0 8 match address outside_8_cryptomap
    crypto map outside_map0 8 set peer 58.96.69.82
    crypto map outside_map0 8 set transform-set ESP-3DES-SHA
    crypto map outside_map0 9 match address outside_9_cryptomap
    crypto map outside_map0 9 set peer 58.96.83.244
    crypto map outside_map0 9 set transform-set ESP-3DES-SHA
    crypto map outside_map0 10 match address outside_10_cryptomap
    crypto map outside_map0 10 set peer 58.96.80.122
    crypto map outside_map0 10 set transform-set ESP-3DES-SHA
    crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map0 interface outside
    crypto isakmp enable outside
    crypto isakmp policy 2
    authentication pre-share
    encryption 3des
    hash sha
    group 1
    lifetime 86400
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    crypto isakmp policy 30
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 50
    authentication pre-share
    encryption des
    hash sha
    group 1
    lifetime 86400
    crypto isakmp policy 70
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 inside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 10.50.15.50-10.50.15.55 inside
    dhcpd dns 10.50.15.5 interface inside
    no threat-detection basic-threat
    no threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 130.194.10.150
    webvpn
    group-policy xxx internal
    group-policy xxx attributes
    dns-server value 10.50.15.5
    vpn-tunnel-protocol IPSec
    group-policy GroupPolicy1 internal
    group-policy GroupPolicy1 attributes
    dhcp-network-scope 14.0.0.0
    vpn-tunnel-protocol IPSec webvpn
    ipv6-address-pools none
    group-policy vpnusers internal
    group-policy vpnusers attributes
    dns-server value 10.50.15.5 139.130.4.4
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value vpnusers_splitTunnelAcl
    username aspireremote password
    username aspireremote attributes
    service-type remote-access
    username richard.lawes password
    username netscreen password
    tunnel-group DefaultL2LGroup ipsec-attributes
    isakmp keepalive threshold 15 retry 2
    tunnel-group DefaultRAGroup ipsec-attributes
    isakmp keepalive threshold 15 retry 2
    tunnel-group DefaultWEBVPNGroup ipsec-attributes
    isakmp keepalive threshold 15 retry 2
    tunnel-group TunnelGroup1 type remote-access
    tunnel-group TunnelGroup1 general-attributes
    address-pool (outside) vpnclient
    address-pool vpnclient
    default-group-policy GroupPolicy1
    dhcp-server 192.168.0.5
    tunnel-group TunnelGroup1 ipsec-attributes
    pre-shared-key *
    isakmp keepalive threshold 15 retry 2
    tunnel-group vpnusers type remote-access
    tunnel-group vpnusers general-attributes
    address-pool vpnclient
    default-group-policy vpnusers
    tunnel-group vpnusers ipsec-attributes
    pre-shared-key *
    isakmp keepalive threshold 15 retry 2
    tunnel-group 59.167.207.106 type ipsec-l2l
    tunnel-group 59.167.207.106 ipsec-attributes
    pre-shared-key *
    tunnel-group aspirevpn type remote-access
    tunnel-group aspirevpn general-attributes
    address-pool vpnclient
    default-group-policy xxxvpn
    tunnel-group xxxvpn ipsec-attributes
    pre-shared-key *
    isakmp keepalive threshold 15 retry 2
    tunnel-group 59.167.204.53 type ipsec-l2l
    tunnel-group 59.167.204.53 ipsec-attributes
    pre-shared-key *
    tunnel-group 203.45.159.34 type ipsec-l2l
    tunnel-group 203.45.159.34 ipsec-attributes
    pre-shared-key *
    tunnel-group 203.45.134.39 type ipsec-l2l
    tunnel-group 203.45.134.39 ipsec-attributes
    pre-shared-key *
    isakmp keepalive threshold 15 retry 2
    tunnel-group 58.96.75.47 type ipsec-l2l
    tunnel-group 58.96.75.47 ipsec-attributes
    pre-shared-key *
    tunnel-group 58.96.85.151 type ipsec-l2l
    tunnel-group 58.96.85.151 ipsec-attributes
    pre-shared-key *
    isakmp keepalive threshold 15 retry 2
    tunnel-group 58.96.78.238 type ipsec-l2l
    tunnel-group 58.96.78.238 ipsec-attributes
    pre-shared-key *
    isakmp keepalive threshold 15 retry 2
    tunnel-group 58.96.69.82 type ipsec-l2l
    tunnel-group 58.96.69.82 ipsec-attributes
    pre-shared-key *
    tunnel-group 58.96.83.244 type ipsec-l2l
    tunnel-group 58.96.83.244 ipsec-attributes
    pre-shared-key *
    isakmp keepalive threshold 15 retry 2
    tunnel-group 58.96.80.122 type ipsec-l2l
    tunnel-group 58.96.80.122 ipsec-attributes
    pre-shared-key *
    isakmp keepalive threshold 15 retry 2
    prompt hostname context

    Hello Richard,
    My first thought is why is the ASA receiving this traffic is this is traffic that should not reach the default-gateway.
    Anyway try the following
    same-security-traffic permit intra-interface
    Let me know how it goes
    Julio

  • NAT ASA5512 8.6(1)2 in and out

    Hello Everyone,
    This is my first post so please forgive me if I miss something. I have an ASA5512 running 8.6(1)2 that I am trying to NAT a public IP address from my ISP to multiple phone systems on the inside of my network. One of these phone systems is at the same site as the ASA5512 and I have no problems getting this one to work with my current config. The problem comes when I apply the same type of NAT rule that works at the main site to allow NAT to the other sites. These sites are connected via a point-to-point system from our ISP. The point-to-point does not seem to be an issue as I can ping any device at our other sites and I can RDP into computers and servers at the other sites. I can also call internally between sites but when I try to call the other sites from my cell I can't get through. Also when I forward one of the extensions at the other sites to my cell and then call internally I do not get an outside line.
    In the config below you can see that I've applied the same NAT and ACL rules to the adminphonesystem and the deltaphonesystem objects. The adminphonesystem can make calls and receive them with no issues. The deltaphonesystem cannot make or receive calls from outside our network. Only internal calls are working for the deltaphonesystem. I've done packet traces in every which way and corrected any issues that I have found with no fix to the problem. So I cleaned up my config and posted it here. Really hope someone can give me a few pointers in getting this problem solved.
    On another note I have a Cisco ASA5505 with smartnet support. So I throw it in place of the 5512 and call Cisco support. A tech calls me back and we get everything working perfectly on the 5505 with a few simple rules. I say thank you and have a nice. Then I throw the 5512 back in and replicate the rules from the 5505 that were working. Both of these units are using the new NAT setup that was released after 8.3. To my surprise the 5512 doesn't work even though I have the same rules as the 5505. If anyone can answer that side question please do.
    ASA Version 8.6(1)2
    hostname AdminASA
    domain-name
    enable password encrypted
    passwd encrypted
    names
    interface GigabitEthernet0/0
    shutdown
    no nameif
    security-level 0
    no ip address
    interface GigabitEthernet0/1
    nameif Outside
    security-level 0
    ip address 76.320.333.43 255.255.255.224
    interface GigabitEthernet0/2
    nameif Inside
    security-level 100
    ip address 10.1.99.1 255.255.255.0
    interface GigabitEthernet0/3
    nameif P2P
    security-level 100
    ip address 10.2.99.2 255.255.255.0
    interface GigabitEthernet0/4
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/5
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    ftp mode passive
    clock timezone MST -7
    clock summer-time MDT recurring
    dns server-group DefaultDNS
    domain-name corp.centermh.org
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network DeltaNetwork
    subnet 10.1.96.0 255.255.255.0
    object network GunnisonNetwork
    subnet 10.1.97.0 255.255.255.0
    object network MiamiNetwork
    subnet 10.1.98.0 255.255.255.0
    object network NuclaNetwork
    subnet 10.1.93.0 255.255.255.0
    object network TellurideNetwork
    subnet 10.1.94.0 255.255.255.0
    object network AdminPhoneSystem
    host 10.1.99.225
    description Inside IP Address of Admin Phone System
    object network DeltaPhoneSystem
    host 10.1.96.225
    description Internal IP Address of Delta Phone System
    object network AdminPhonePublic
    host 76.320.333.48
    description Public IP Address of Admin Phone System
    object network FastTrackPhone
    host 234.213.124.81
    description FastTrack SIP Trunk Authtication IP Address
    object network FastTrackMonitor
    host 290.230.195.8
    description FastTrack Monitoring server
    object network DeltaPhonePublic
    host 76.320.333.51
    description Public IP Address of Delta Phone System
    object-group icmp-type ICMP-All
    icmp-object echo
    icmp-object echo-reply
    icmp-object information-reply
    icmp-object information-request
    icmp-object time-exceeded
    icmp-object timestamp-reply
    icmp-object timestamp-request
    icmp-object traceroute
    icmp-object alternate-address
    icmp-object conversion-error
    icmp-object mask-reply
    icmp-object mask-request
    icmp-object mobile-redirect
    icmp-object parameter-problem
    icmp-object redirect
    icmp-object router-advertisement
    icmp-object router-solicitation
    icmp-object source-quench
    icmp-object unreachable
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    access-list global_access extended permit icmp object FastTrackMonitor any object-group ICMP-All
    access-list Local_access_in extended permit ip any any
    access-list MPLS_access_in extended permit ip any any
    access-list CTN_access_in extended permit object-group TCPUDP object FastTrackPhone object DeltaPhoneSystem eq sip
    access-list CTN_access_in extended permit icmp object FastTrackPhone object DeltaPhoneSystem object-group ICMP-All
    access-list CTN_access_in extended permit object-group TCPUDP object FastTrackPhone object AdminPhoneSystem eq sip
    access-list CTN_access_in extended permit icmp object FastTrackPhone object AdminPhoneSystem object-group ICMP-All
    pager lines 24
    logging enable
    logging asdm informational
    mtu Outside 1500
    mtu Inside 1500
    mtu P2P 1500
    mtu management 1500
    ip local pool vpnUsers 10.1.99.200-10.1.99.210 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (Inside,Outside) source static DeltaPhoneSystem DeltaPhonePublic no-proxy-arp
    nat (Inside,Outside) source static AdminPhoneSystem AdminPhonePublic no-proxy-arp
    nat (P2P,Outside) after-auto source dynamic any interface
    nat (Inside,Outside) after-auto source dynamic any interface
    access-group Outside_access_in in interface Outside
    access-group Inside_access_in in interface Inside
    access-group P2P_access_in in interface P2P
    access-group global_access global
    route Outside 0.0.0.0 0.0.0.0 76.320.333.42 6
    route P2P 10.1.93.0 255.255.255.0 10.2.99.1 1
    route P2P 10.1.94.0 255.255.255.0 10.2.99.1 1
    route P2P 10.1.95.0 255.255.255.0 10.2.99.1 1
    route P2P 10.1.96.0 255.255.255.0 10.2.99.1 1
    route P2P 10.1.97.0 255.255.255.0 10.2.99.1 1
    route P2P 10.1.98.0 255.255.255.0 10.2.99.1 1
    route P2P 10.2.93.0 255.255.255.0 10.2.99.1 2
    route P2P 10.2.94.0 255.255.255.0 10.2.99.1 2
    route P2P 10.2.95.0 255.255.255.0 10.2.99.1 2
    route P2P 10.2.96.0 255.255.255.0 10.2.99.1 2
    route P2P 10.2.97.0 255.255.255.0 10.2.99.1 2
    route P2P 10.2.98.0 255.255.255.0 10.2.99.1 2
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 10.1.99.0 255.255.255.0 Inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    telnet timeout 5
    ssh 10.1.99.0 255.255.255.0 Inside
    ssh 192.168.1.0 255.255.255.0 management
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 128.138.140.44 prefer
    webvpn
    anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
    anyconnect enable
    tunnel-group-list enable
    username privilege 15
    username privilege 15
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    contact-email-addr
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly 8
      subscribe-to-alert-group configuration periodic monthly 8
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:
    : end

    Hi,
    If I am not mistaken then at least one big problem is the source interface in the other NAT configuration command.
    You have this
    nat (Inside,Outside) source static DeltaPhoneSystem DeltaPhonePublic no-proxy-arp
    Yet you have this "object network" and "route"
    object network DeltaPhoneSystem
    host 10.1.96.225
    route P2P 10.1.96.0 255.255.255.0 10.2.99.1 1
    So seems to me that your NAT configuration should be
    nat (P2P,Outside) source static DeltaPhoneSystem DeltaPhonePublic no-proxy-arp
    Just as a side note, I personally prefer to configure Static NAT with Network Object NAT. With those configurations your Static NAT configurations would look like this
    object network DeltaPhoneSystem
    host 10.1.96.225
    nat (P2P,Outside) static 76.320.333.51
    object network AdminPhoneSystem
      host 10.1.99.225
      nat (Inside,Outside) static 76.320.333.48
    Also one very important note, if you are using multiple public subnets on your ASA "Outside" interface then the way this is implemented by your ISP has a lot of meaning.
    If the ISP has configured one public subnet between its gateway device and your ASA and routed the other subnet(s) towards the ASAs "Outside" interface IP address then there is no problem.
    If the ISP has configured both (or all) public subnets on their gateway interface (others as "secondary" subnets) then you will (to my understanding) run into a problem with ARP with nonconnected networks on the ASA. To correct this you would be required to either change the setup to the first option with the ISP or update your ASA software to 9.0(2) or possibly 9.1(2) to get access to the command "arp permit-nonconnected".
    Here is the section from the patch notes that also explains the command's purpose
    ARP cache additions for non-connected subnets
    The ASA ARP cache only contains entries from directly-connected subnets by default. You can now enable the ARP cache to also include non-directly-connected subnets. We do not recommend enabling this feature unless you know the security risks. This feature could facilitate denial of service (DoS) attack against the ASA; a user on any interface could send out many ARP replies and overload the ASA ARP table with false entries.
    You may want to use this feature if you use:
    •Secondary subnets.
    •Proxy ARP on adjacent routes for traffic forwarding.
    We introduced the following command: arp permit-nonconnected.
    Also available in 8.4(5).
    If you want to take a look at a NAT 8.3+ document I made here on the CSC then follow this link
    https://supportforums.cisco.com/docs/DOC-31116
    Hopefully the above helps with your problem
    Please do remember to mark the reply as the correct answer if it answered your question.
    Ask more if needed
    - Jouni
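
The interface mismatch described in the reply above can be checked mechanically. This is an added example, not part of the original post or of any Cisco tool: it compares the real (source) interface of each static NAT rule with the interface the object's host address actually routes to. The `CONNECTED` subnets and the function names are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample, modelled on the lines quoted in the reply above.
SAMPLE_CONFIG = """\
object network DeltaPhoneSystem
 host 10.1.96.225
object network AdminPhoneSystem
 host 10.1.99.225
nat (Inside,Outside) source static DeltaPhoneSystem DeltaPhonePublic no-proxy-arp
nat (Inside,Outside) source static AdminPhoneSystem AdminPhonePublic no-proxy-arp
route P2P 10.1.96.0 255.255.255.0 10.2.99.1 1
"""

# Assumption: directly connected subnet per nameif (not shown in the quoted lines).
CONNECTED = {"Inside": "10.1.99.0/24", "P2P": "10.2.99.0/24"}


def egress_interface(host, routes):
    """Longest-prefix match of host against (interface, network) pairs."""
    best = None
    for iface, net in routes:
        if host in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (iface, net)
    return best[0] if best else None


def audit_static_nat(config, connected):
    """Return (object, configured_if, routed_if) for each mismatched static NAT."""
    hosts, findings, current = {}, [], None
    routes = [(i, ipaddress.ip_network(c)) for i, c in connected.items()]
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"object network (\S+)$", line):
            current = m.group(1)
        elif (m := re.match(r"host (\S+)$", line)) and current:
            hosts[current] = ipaddress.ip_address(m.group(1))
        elif m := re.match(r"route (\S+) (\S+) (\S+) \S+", line):
            routes.append((m.group(1), ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")))
    for line in config.splitlines():
        m = re.match(r"\s*nat \((\S+?),\S+?\) source static (\S+) ", line)
        if m and m.group(2) in hosts:
            routed = egress_interface(hosts[m.group(2)], routes)
            if routed and routed != m.group(1):
                findings.append((m.group(2), m.group(1), routed))
    return findings
```

On the constructed sample it reports DeltaPhoneSystem as configured on Inside but routed via P2P, and nothing for AdminPhoneSystem.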

  • Solaris Intel ( Network Card )

    Having a problem connecting Solaris 8 Intel to the network. Using an IBM PCI 10/100 Ethernet Adapter. Checked the hardware compatibility list, and the card is in the list.
    I have two computers, with a Linksys 4-port hub. Gave the computer the name comp1 with IP address 10.0.0.5 and subnet 255.255.255.0. No NIS and DNS. Tried to ping comp1, and here is the error:
    ICMP Host Unreachable from gateway localhost (127.0.0.1)
    for icmp from localhost ( 127.0.0.1) to comp1 ( 10.0.0.5)
    Where does the problem seem to be?
    Any good website resource on Solaris Unix networking as well?

    Hi
    This message indicates that your network is not finding the route to
    10.0.0.5. Since it's looking from 127.... it probably means that you
    have not set up the networking properly.
    Check the output of
    $ ifconfig -a
    -Manish

  • Java and internet access

    Hello all,
    I have been trying to upload a URL in my Java application but I am always getting a "URL not reachable" error message generated from a thrown exception. I know this may be easy but I am not able to find any solution for this. Is there a way to set Java access to the internet other than modifying the plugin with the proper proxy setting?

    Try searching with Google and find an answer in seconds.
    http://www.javaworld.com/javaworld/javatips/jw-javatip42.html
    http://www.rgagnon.com/javadetails/java-0085.html

  • Database connectivity problem with instant client.

    Guys,
    I've installed the Oracle instant client basic and ODBC files in my system.
    But when I create a system DSN and test my database connectivity, it fails with
    ORA-12637:Packet receive failed error
    My TNSNAMES reads below:
    ONDSP101.DIGITALINDIASW.NET =
      (DESCRIPTION =
        (ADDRESS = (PROTOCOL = TCP)(HOST = namesrv1.xy.zz.com)(PORT = 1522))
        (CONNECT_DATA =
          (SERVER = DEDICATED)
          (SERVICE_NAME = ONDSP101)
        )
      )
    and my SQLNET as below:
    AUTOMATIC_IPC = OFF
    TRACE_LEVEL_CLIENT = ON
    SQLNET.INBOUND_CONNECT_TIMEOUT=20
    NAMES.DEFAULT_DOMAIN = na.pg.com
    NAME.DEFAULT_ZONE = na.pg.com
    SQLNET.CRYPTO_SEED = "kdg:9yv2$-plo*u6b2x!"
    NAMES.DIRECTORY_PATH = (ONAMES,TNSNAMES)
    NAMES.PREFERRED_SERVERS =
      (ADDRESS_LIST =
        (ADDRESS =
          (COMMUNITY = TCP.xy.zz.com)
          (PROTOCOL = TCP)
          (Host = namesrv1.xy.zz.com)
          (Port = 1522)
        )
        (ADDRESS =
          (COMMUNITY = TCP.xy.zz.com)
          (PROTOCOL = TCP)
          (Host = namesrv2.xy.zz.com)
          (Port = 1522)
        )
      )
    I've placed my TNSNAMES and SQLNET files in the same folder as the instant client files and I've set my TNSADMIN, LD_LIBRARY_PATH and PATH environment variables to the folder location.
    Note: I'm able to connect to the database using SQLplus.
    Thanks,
    Bhagat

    12637, 00000, "Packet receive failed"
    // *Cause:  A process was unable to receive a packet from another process.
    // Possible causes are:
    // 1. The other process was terminated.
    // 2. The machine on which the other process is running went down.
    // 3. Some other communications error occurred.
    // *Action: If the cause is not obvious, contact Oracle Customer Support.
    These days I very seldom use ODBC for Oracle - most recently it was simply to get Enterprise Architect to "talk" to Oracle. I never used it for my client applications (unlike in the far distant past), so what I know about ODBC is seriously outdated.
    Even so, a few comments. :-)
    Have you tried creating a user DSN, in case a system DSN somehow works differently environment-wise?
    The above error description sounds like the original TCP connection was successful (i.e. it is not a host unknown or not reachable error). Subsequent packets seem to fail.
    To confirm, run the listener on namesrv1.xy.zz.com with logging enabled and have a look at the listener.log - does it show a connection being accepted/handled from your PC when you use the ODBC DSN?
    Have you tried the Oracle ODBC drivers? When getting EA connected I had problems (also with Instant Client) and Microsoft ODBC driver for Oracle. Downloaded and installed the Oracle ODBC driver and it worked just fine first time around.
    PS. You should raise this topic on the Instant Client Forum instead.
