Ipfilter & icmp echo fails
On several Solaris 10 08/07 boxes following ipfilter rules do not work:
pass out all keep state
pass in quick proto icmp all icmp-type echo
pass in quick proto tcp from any to any port = ssh keep state
block in log all
ssh goes through, but there is no ping reply. Can't see anything in ipmon.log, so it seems the connection is not blocked.
Any hints?
I am trying to figure out how to block ICMP ping reply. I have a static ip that I have given to Airport Extreme.
Kind of shocked as routers 1/3rd the cost allow this.
Similar Messages
-
IPM 4.2.0 and icmp-echo 0.0.0.0 problem
Hi,
I'm having a problem with IPM.
We are running LMS 3.2 with IPM 4.2.0.
I used IPM to configure a device to perform a ping to an ad-hoc target, the source router was configured as:
ip sla 182611
icmp-echo 0.0.0.0
request-data-size 64
owner ipm|<name>
tag <tag>
ip sla schedule 182611 life forever start-time now ageout 3600
The target device is an ad-hoc with an ip-address but the IP SLA job ends up as 0.0.0.0.
When I'm running 'show ip sla statistics' it shows that the ping are timed out (as they are being sent to 0.0.0.0 instead of the real IP address).
The source router is running:
Cisco IOS Software, 3800 Software (C3825-ADVSECURITYK9-M), Version 12.4(22)T, RELEASE SOFTWARE (fc1)
Anyone had familiar problems?
Thanks,
Amit
jclarke wrote: I haven't seen this before. Can you redo the configuration, and collect a sniffer trace of SNMP traffic between the IPM server and the device? This will help determine if the problem is with IPM or IOS.
Hi,
My IPM is running on Solaris 10.
Can you advise what/how I can sniff the SNMP traffic between the server and the IOS device?
Here is more information from the device:
#show version
Cisco IOS Software, C3550
Software (C3550-IPSERVICESK9-M), Version 12.2(46)SE, RELEASE SOFTWARE
(fc2)
#show running-config | inc 154366
ip sla 154366
ip sla schedule 154366 life forever start-time now ageout 3600
ip sla reaction-configuration 154366 react timeout threshold-type immediate action-type trapOnly
ip sla reaction-configuration 154366 react rtt threshold-value 4000 3000 threshold-type consecutive 2 action-type trapOnly
35PROB#show ip sla configuration 154366
IP SLAs, Infrastructure Engine-II.
Entry number: 154366
Owner: ipm|unix107776a44
Tag: 35PROB_AMIT
Type of operation to perform: echo
Target address: 0.0.0.0
Source address: 0.0.0.0
Request size (ARR data portion): 64
Operation timeout (milliseconds): 5000
Type Of Service parameters: 0x0
Verify data: No
Vrf Name:
Schedule:
Operation frequency (seconds): 60
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Randomly Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): 3600
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Threshold (milliseconds): 4000
Distribution Statistics:
Number of statistic hours kept: 2
Number of statistic distribution buckets kept: 1
Statistic distribution interval (milliseconds): 20
History Statistics:
Number of history Lives kept: 0
Number of history Buckets kept: 15
History Filter Type: None
Enhanced History:
Thanks -
ASA 8.4(2) doesn't respond to ICMP echo on ip address with port forwarding only
Hello,
In order to meet our requirements we had to configure PAT for TCP 80 on 2 external IP addresses to one internal IP in DMZ. TCP port 80 is being translated for both external IP addresses and it works as expected. However, since we have migrated to ASA both external IP addresses don't respond to ICMP echo requests generating following error:
%ASA-3-106014: Deny inbound icmp src outside:<Source IP> dst outside:<Destination IP> (type 8, code 0)
Previously we have been using Cisco router to achieve the same objective and it worked well.
I have noticed that when I add "same-security-traffic permit intra-interface" to a configuration the message mentioned above stops appearing in a logs.
As far as I can tell ASA sends packet back through outside interface, despite the fact that appliance advertises its mac address in response to arp request for the same external IP address.
Is there any way to make ASA realise that it should respond to ICMP echo requests on external IP addresses that have forwarding setup?
I do realise that ICMP would work in 1-to-1 NAT scenario, but we can't apply 1-to-1 NAT for 2 external IP addresses to point to one internal IP address.
Kind Regards,
Paul Preston
Hi Julio,
Interesting. I have tried to map two external IP addresses with using 1 to 1 nat to a single internal IP, but when I tried to configure a second one I remember a message "mapping exists"...
I think that it might be easier if I paste the relevant config:
access-list From_Internet extended permit icmp any any
access-list From_Internet extended permit tcp any gt 1023 host 172.17.0.103 eq www
access-list From_Internet extended deny ip any any log warnings
object network www-91-17.103
host 172.17.0.103
object network www-92-17.103
host 172.17.0.103
icmp permit any outside
object network www-91-17.103
nat (DMZ,outside) static x.x.x.91 service tcp www www
object network www-92-17.103
nat (DMZ,outside) static x.x.x.92 service tcp www www
With the config above NAT works for both IP addresses, but unfortunately neither IP address responds to icmp echo requests.
Kind Regards,
Paul Preston -
ACL filtering icmp ECHO-Reply Behavior
Hello Guys....
I needed some help here.....I have attached the topology with this in case you don't get what I am trying to ask
I have just 2 routers connected directly like this...... R1<------------> R2, The network between them is 10.1.12.0/24, R1 has an ip address of
10.1.12.1 & R2 has an ip address of 10.1.12.2.....Well so far so good hmmm
Now the Question is simple: I want to block ICMP echo-replies coming from R1 to R2, simple as that. But it only works if I apply an ACL on R2's
Interface in the INBOUND Direction. Why on earth doesn't it work if I apply the ACL on R1's interface in the OUTBOUND direction ???
THE ACL is this one:
access-list 100 deny icmp host 10.1.12.1 host 10.1.12.2 echo-reply
access-list 100 permit ip any any
It works if I apply this in the inbound direction of R2 but why doesn't it work if I apply this in the OUTBOUND direction of R1?
Please do help me out thanks :)
Hi,
I believe that's because "Access lists that are applied to interfaces do not filter traffic that originates from that router."
See http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfacls.html#wp1001135
for details.
Best regards,
Milan -
Nexus 5500 duplicate ICMP echo-reply
I am experiencing inconsistent echo-replies from devices connected via VPC to Nexus 5500s while pinging from the Nexus exec prompt.
In some cases I receive a normal response when pinging from one Nexus, but no response when pinging from the other switch. In other instances I receive a normal response to one Nexus, and duplicate replies to the other. It looks like a VPC related bug. NXOS is 5.1.3.N2.1
5501# ping 10.12.12.232
PING 10.12.12.232 (10.12.12.232): 56 data bytes
64 bytes from 10.12.12.232: icmp_seq=0 ttl=253 time=8.585 ms
64 bytes from 10.12.12.232: icmp_seq=0 ttl=254 time=9.227 ms (DUP!)
64 bytes from 10.12.12.232: icmp_seq=1 ttl=253 time=1.011 ms
64 bytes from 10.12.12.232: icmp_seq=2 ttl=253 time=8.097 ms
64 bytes from 10.12.12.232: icmp_seq=2 ttl=254 time=9.429 ms (DUP!)
64 bytes from 10.12.12.232: icmp_seq=3 ttl=253 time=18.195 ms
64 bytes from 10.12.12.232: icmp_seq=4 ttl=253 time=8.807 ms
5502# ping 10.12.12.232
PING 10.12.12.232 (10.12.12.232): 56 data bytes
64 bytes from 10.12.12.232: icmp_seq=0 ttl=254 time=0.985 ms
64 bytes from 10.12.12.232: icmp_seq=1 ttl=254 time=0.884 ms
64 bytes from 10.12.12.232: icmp_seq=2 ttl=254 time=0.875 ms
64 bytes from 10.12.12.232: icmp_seq=3 ttl=254 time=3.105 ms
64 bytes from 10.12.12.232: icmp_seq=4 ttl=254 time=8.378 ms
Thanks
Jarek
Hi
I found this in the configuration guide for the Nexus 7000 configuring VPCs
"When you enable this feature (peer-gateway), Cisco NX-OS automatically disables IP redirects on all interface VLANs mapped over a vPC VLAN to avoid generation of IP redirect messages for packets switched through the peer gateway router."
However this is not happening automatically on the 5K, so you need to manually add "no ip redirects" on each VPC vlan interface to prevent duplicate pings. -
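A way to confirm the symptom from saved ping output, as an added example that is not part of the original thread: the script groups replies by `icmp_seq` and lists the TTLs of each duplicated reply, since differing TTLs mean the copies crossed a different number of hops. The two samples are the outputs posted above; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Ping output copied from the post above (switch 5501, then switch 5502).
PING_5501 = """\
64 bytes from 10.12.12.232: icmp_seq=0 ttl=253 time=8.585 ms
64 bytes from 10.12.12.232: icmp_seq=0 ttl=254 time=9.227 ms (DUP!)
64 bytes from 10.12.12.232: icmp_seq=1 ttl=253 time=1.011 ms
64 bytes from 10.12.12.232: icmp_seq=2 ttl=253 time=8.097 ms
64 bytes from 10.12.12.232: icmp_seq=2 ttl=254 time=9.429 ms (DUP!)
64 bytes from 10.12.12.232: icmp_seq=3 ttl=253 time=18.195 ms
64 bytes from 10.12.12.232: icmp_seq=4 ttl=253 time=8.807 ms
"""
PING_5502 = """\
64 bytes from 10.12.12.232: icmp_seq=0 ttl=254 time=0.985 ms
64 bytes from 10.12.12.232: icmp_seq=1 ttl=254 time=0.884 ms
64 bytes from 10.12.12.232: icmp_seq=2 ttl=254 time=0.875 ms
64 bytes from 10.12.12.232: icmp_seq=3 ttl=254 time=3.105 ms
64 bytes from 10.12.12.232: icmp_seq=4 ttl=254 time=8.378 ms
"""

REPLY = re.compile(
    r"bytes from (?P<src>[\d.]+): icmp_seq=(?P<seq>\d+) ttl=(?P<ttl>\d+)"
)


def ttls_by_sequence(ping_output):
    """Map each icmp_seq to the TTLs of every reply seen for it, in order."""
    seen = defaultdict(list)
    for line in ping_output.splitlines():
        match = REPLY.search(line)
        if match:
            seen[int(match["seq"])].append(int(match["ttl"]))
    return dict(seen)


def duplicated_replies(ping_output):
    """Return only the sequence numbers answered more than once."""
    return {
        seq: ttls
        for seq, ttls in ttls_by_sequence(ping_output).items()
        if len(ttls) > 1
    }


def mixed_ttl_duplicates(ping_output):
    """Sequence numbers whose duplicate replies arrived with different TTLs.

    Replies from one host start with the same TTL, so a difference means
    the copies were forwarded over paths with a different hop count.
    """
    return sorted(
        seq
        for seq, ttls in duplicated_replies(ping_output).items()
        if len(set(ttls)) > 1
    )


if __name__ == "__main__":
    for name, sample in (("5501", PING_5501), ("5502", PING_5502)):
        print(name, "duplicates:", duplicated_replies(sample),
              "mixed-TTL seqs:", mixed_ttl_duplicates(sample))
```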
Event filter question Nachi Worm ICMP Echo Request (2156)
The intent is to only see this alert when the source is my IP space. Is it possible to create 2 separate event filters for this sig? I'd like one sig to filter events when my IP space is the destination and the other would allow alerts when my IP space is the source. Would they need to be in some order like access lists i.e. allow specific icmp then deny other icmp?
Yes this is possible.
In version 4.x create a filter that matches SIGID 2156, and also matches $IN for the source and $OUT for the destination and set Exception to True for that filter.
Then create a second filter to match SIGID 2156 and leave the address fields defaulted so that all addresses will be matched and leave Exception as the default False.
The first filter line will allow the 2156 to fire when the source is IN your network and the destination is OUT of your network.
The second will prevent the signature 2156 from firing on any other address combinations like:
Source IN and Destination IN
Source OUT and Destination IN
Source OUT and Destination OUT
(Note: You asked that no alarms be generated for Destination IN, but also assume you don't want alarms for source OUT and destination OUT either)
NOTE: In version 4.x the order of the 2 filters is unimportant. The Exclusion TRUE filter will always override all Exclusion FALSE filters so the Exclusion TRUE filter will always cause the signature to fire.
In version 5.x the ordering of the filters is important.
In version 5.x create a filter that matches SIGID 2156, and also matches $IN for the source and $OUT for the destination, leave the Actions to Subtract field blank (so no actions are removed) and set Stop On Match to True for that filter.
Then create a second filter to match SIGID 2156 and leave the address fields defaulted so that all addresses will be matched and select ALL Actions in the Actions To Subtract field.
The first filter line will allow the 2156 to fire when the source is IN your network and the destination is OUT of your network.
This is because that first filter will be matched and no actions will be removed (like produceAlert). The Stop On Match being True will prevent the checking of the next filter.
The second will prevent the signature 2156 from firing on any other address combinations like:
Source IN and Destination IN
Source OUT and Destination IN
Source OUT and Destination OUT
(Note: You asked that no alarms be generated for Destination IN, but also assume you don't want alarms for source OUT and destination OUT either)
NOTE: In version 5.x the order of the 2 filters is important. The sensor will start at the top of the filter list. If that filter matches it will remove the actions in the Actions To Subtract field and then check the Stop On Match field.
If Stop On Match is true then it stops processing the rest of the filter lines.
But if Stop On Match is false then it will continue processing the rest of the filter lines.
If the second filter had come first then it would have been matched even on the Source IN Destination OUT alerts and would have removed all actions and prevented the sig from firing. So the ordering is important.
Also be aware that if Stop On Match was accidentally set to false on the first filter, then the sensor would have continued and also matched the second filter and would have removed all actions because of the second filter. -
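The 5.x ordering rules described in the answer above, modelled as an added example (not part of the original thread and not sensor code). The `$IN` range, the addresses, the class and function names, and the second filter's Stop On Match value of False are assumptions made for the model; only `produceAlert` is named on the page.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Constructed stand-in for the sensor's $IN variable; $OUT is everything else.
IN_NETS = (ip_network("192.0.2.0/24"),)
# Actions configured on the signature in this model.
SIG_ACTIONS = frozenset({"produceAlert"})


def side(addr):
    """Classify an address as IN or OUT of the protected address space."""
    ip = ip_address(addr)
    return "IN" if any(ip in net for net in IN_NETS) else "OUT"


@dataclass(frozen=True)
class EventFilter:
    name: str
    sig_id: int
    src: str              # "IN", "OUT" or "ANY" (field left at its default)
    dst: str
    subtract: frozenset   # Actions To Subtract
    stop_on_match: bool   # Stop On Match

    def matches(self, sig_id, src, dst):
        return (sig_id == self.sig_id
                and self.src in ("ANY", side(src))
                and self.dst in ("ANY", side(dst)))


def evaluate_v5(filters, sig_id, src, dst, actions=SIG_ACTIONS):
    """Walk the filter list top-down and return the actions that survive."""
    remaining = set(actions)
    for flt in filters:
        if not flt.matches(sig_id, src, dst):
            continue
        remaining -= flt.subtract
        if flt.stop_on_match:
            break  # later filters are never consulted
    return frozenset(remaining)


# First filter: $IN -> $OUT, subtract nothing, Stop On Match = True.
ALLOW = EventFilter("allow-in-to-out", 2156, "IN", "OUT", frozenset(), True)
# Second filter: any address pair, subtract all actions.
SUPPRESS = EventFilter("suppress-rest", 2156, "ANY", "ANY", SIG_ACTIONS, False)
# The mistake the answer warns about: Stop On Match left False on the first filter.
LEAKY = replace(ALLOW, name="allow-no-stop", stop_on_match=False)

# Constructed source/destination pairs covering the four combinations.
EVENTS = {
    "IN->OUT": ("192.0.2.10", "198.51.100.7"),
    "IN->IN": ("192.0.2.10", "192.0.2.20"),
    "OUT->IN": ("198.51.100.7", "192.0.2.10"),
    "OUT->OUT": ("198.51.100.7", "203.0.113.5"),
}


def alerting_flows(filters, sig_id=2156):
    """Labels of the address combinations that still produce an alert."""
    return sorted(
        label for label, (src, dst) in EVENTS.items()
        if "produceAlert" in evaluate_v5(filters, sig_id, src, dst)
    )


if __name__ == "__main__":
    print("correct order      :", alerting_flows([ALLOW, SUPPRESS]))
    print("reversed order     :", alerting_flows([SUPPRESS, ALLOW]))
    print("stop-on-match false:", alerting_flows([LEAKY, SUPPRESS]))
```

Both misconfigurations fail silently: the signature stops alerting for every address pair, including the IN to OUT traffic the filters were meant to surface.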
Cisco Embedded Event Manager Issue
Hello Experts,
I have taken the following sample EEM from
https://learningnetwork.cisco.com/blogs/network-sheriff/2009/06/19/writing-your-first-eem-applet
The intention is to send a notification to an email address about a network problem. I have modified it bit for illustrative purposes. You will see that there are various show commands.
Can someone please show me how to email the show commands instead just appending them to the directory called "server_unreachable"?
TechWiseTV4506(config)#event manager environment _email_server 172.16.1.44 (<-my Post Cast server)
TechWiseTV4506(config)#event manager environment _email_to [email protected]
TechWiseTV4506(config)#event manager environment _email_from [email protected]
event manager applet email_server_unreachable
event track 10 state down
action 1.0 syslog msg "Houston we have a problem. Ping failed, server unreachable!"
action 1.1 cli command "enable"
action 1.2 cli command "del /force flash:server_unreachable"
action 1.3 cli command "show clock | append server_unreachable"
action 1.4 cli command "show ip arp 172.16.1.55 | append server_unreachable"
action 1.5 cli command "show ip route 172.16.1.55 | append server_unreachable"
action 1.6 cli command "show interface FastEthernet0/1/1 | append server_unreachable"
action 1.7 cli command "more flash:server_unreachable"
action 1.8 mail server "$_email_server" to "$_email_to" from "$_email_from" subject "Server Unreachable: ICMP-Echos Failed" body "$_cli_result"
action 1.9 syslog msg "Server unreachable alert has been sent to email server!"
Cheers
Carlton
This applet will actually email the results. However, in order to get all of the output together, it uses the server_unreachable file as an accumulator buffer. That file could be deleted as action 2.0:
action 2.0 cli command "delete /force flash:server_unreachable"
But that is already there in action 1.2, so it's not really needed.
What will happen is the applet will more the file to collect all of the output. That aggregated output will be stored in the $_cli_result variable. The result is that the body of your email will contain the consolidated command output. -
NICDRV test04 fails saying driver cannot receive ICMP reply from the peer
Hi,
I am running NICDRV tests and while running test04 check multicast support, I fail with the error:
driver xxx cannot receive ICMP reply from the peer. Could anyone tell me why this is happening?
For full report:
stdout| STRATEGY:
stdout| - Add multicast route and join multicast group
stdout| - Receive ip_multicast traffic from the client side
stdout| with 1 multicast group.
stdout| - Send ip_multicast traffic to the client side
stdout| with 1 multicast group.
stdout| - Join multiple multicast groups, and receive multicast
stdout| traffic of multiple groups from the client.
stdout| - For WiFi drivers, ping 224.0.0.1 multicast address for
stdout| 10 seconds and verify the traffic using snoop.
stdout|
stdout| TESTABILITY: implicit
stdout|
stdout| 192.168.11.10 is alive
stdout| 192.168.11.11 is alive
stdout| ping -i xxx -s 224.0.0.1
stdout| snoop -d xxx -o /tmp/snoop-multicast.tmp
stdout| sleep 10 seconds to collect packet
stdout| verify if driver igb can send multicast packet to the peer
stdout| 1 0.00000 192.168.11.10 -> 224.0.0.1 ICMP Echo request (ID: 18511 Sequence number: 1)
stdout| 2 0.99996 192.168.11.10 -> 224.0.0.1 ICMP Echo request (ID: 18511 Sequence number: 2)
stdout| 3 1.00000 192.168.11.10 -> 224.0.0.1 ICMP Echo request (ID: 18511 Sequence number: 3)
stdout| 4 1.00002 192.168.11.10 -> 224.0.0.1 ICMP Echo request (ID: 18511 Sequence number: 4)
stdout| 5 0.99997 192.168.11.10 -> 224.0.0.1 ICMP Echo request (ID: 18511 Sequence number: 5)
stdout| 6 1.00002 192.168.11.10 -> 224.0.0.1 ICMP Echo request (ID: 18511 Sequence number: 6)
stdout| 7 0.99999 192.168.11.10 -> 224.0.0.1 ICMP Echo request (ID: 18511 Sequence number: 7)
stdout| 8 0.99998 192.168.11.10 -> 224.0.0.1 ICMP Echo request (ID: 18511 Sequence number: 8)
stdout| 9 1.00002 192.168.11.10 -> 224.0.0.1 ICMP Echo request (ID: 18511 Sequence number: 9)
stdout| verify if driver xxx can receive ICMP reply from the peer
stdout| driver xxx cannot receive ICMP reply from the peer
Test_Case_End| 18498 tests/functional/test04/runme | FAIL | 11:44:29 80659327923251 0 |
Thkx,
Ram
Well, I finally figured it out. When trying to receive text messages from my iPhone pals, I would get a failure message and a suggestion to update my profile. When I selected that option, the phone would sit for a long time trying to connect and then fail. I went into my settings and was able to force an update. Lo and behold, all of the backed up text messages started to download. It seems as though when I received the texts from my friends, the system was aware that I had not received them and they were held somewhere in the cloud. Then they were continuously resent until I fixed the problem at my end. They all downloaded overnight and the problem has been resolved.
-
ASA - ICMP works on a L2L tunnel but TCP fails.
All,
I have just started to work with the ASA's and I have a couple of problems with two 5510 8.4(1) ASA's supporting a L2L tunnel.
Problem-1:
Below is the topology and currently the only config on these ASA's is what is required to get the LAN2LAN tunnel setup and nothing more. ASA01 and ASA02 are the tunnel termination devices.
LAN A->Routing device->ASA-01 ----->Internet<------------ASA-02<-Routing device<-LAN2
Below is what is working
- Tunnel is established between the ASA's.
- I can ping from LAN A to LAN B and vice versa.
Below is not what is working
- I cannot RDP from a device in LAN A to LAN B and vice versa.
What we found in troubleshooting when we initiate a RDP session from a server in LAN-A to Server in LAN-B.
- The packet capture on ASA - A shows that the SYN leaves the ingress(LAN interface).
- The packet capture on ASA - B shows that the SYN is leaving the LAN interface.
- Don't see a SYN-ACK on ASA-B. First we thought there might be a different reason (detailed below as problem-2) but we don't see the SYN-ACK on ASA-A either.
- Doing a asp-drop capture on ASA-B we saw that the SYN,ACK from server in LAN-B is being dropped with the following message
Drop-reason: (tcp-not-syn) First TCP packet not SYN
Any ideas on why ASA-B doesnt treat this is as a established tcp session?
Problem -2
On the packet capture wizard in ASDM if I do a capture on the LAN interface of the ASA02 I can only see packets leaving the ASA towards the LAN but I do not see anything coming back into the interface from the LAN interface. This works the same whether I do a ICMP or a TCP session(RDP).
For example - Ping from a server on LAN A to LAN B
- On ASA01
The packet capture wizard shows both icmp-echo from LAN-A and icmp-reply from LAN-B
- On ASA02
The packet capture wizard shows icmp-echo from LAN-A but not the icmp-reply from LAN-B.
I am not sure what the reason is for both the problems above and the reason might just be that my skill level with ASA's is just not there yet. Any guidance will be greatly appreciated.
Thanks,
Vishnu
Hello Vishnu,
Any ideas on why ASA-B doesnt treat this is as a established tcp session?
This is happening because the ASA is not seeing the entire 3 way handshake. Are you sure all the packets are going across the ASA??? I would recommend you to do captures on both inside interfaces just for RDP traffic and attach them to this post so I can correlate to determine if indeed the ASA is receiving what it needs.
On the packet capture wizard in ASDM if I do a capture on the LAN interface of the ASA02 I can only see packets leaving the ASA towards the LAN but I do not see anything coming back into the interface from the LAN interface. This works the same whether I do a ICMP or a TCP session(RDP).
That's exactly the reason of why this problem is happening, Good job correlating the facts,
Resolution of the issues:
I would say the problem is on the Routing device between ASA-2 and the LAN-2...
Make sure the Routing device knows that in order to reach the LAN-1 it needs to send the traffic back to the ASA-2 as somehow this traffic is not making it on the right interface,
Remember to rate all of the helpful posts. That's as important as a Thanks.
Julio Carvajal Segura -
"failed to find profile ID" on Cellular Interface
Hello World,
I try to make a connection to a Wireless 3G.
I configure modem and I think that the modem is connected
show cellular 0/0/0 all
Hardware Information
====================
Modem Firmware Version = T1_0_3_2AP R361 CNSZ
Modem Firmware built = 04/15/11
Hardware Version = 1.0
International Mobile Subscriber Identity (IMSI) = 546010100686679
International Mobile Equipment Identity (IMEI) = 357115041341178
Integrated Circuit Card ID (ICCID) = 8968701111106200287
Mobile Subscriber International Subscriber
IDentity Number (MSISDN) =
Factory Serial Number (FSN) = CC3322315641011
Modem Status = Online
Current Modem Temperature = 29 deg C, State = Normal
PRI SKU ID = 9900198, SKU Rev. = 1.2
Profile Information
====================
Profile 1 = INACTIVE* **
PDP Type = IPv4
Access Point Name (APN) = USB
Authentication = None
Username:
Password:
* - Default profile
Data Connection Information
===========================
Data Transmitted = 0 bytes, Received = 0 bytes
Profile 1, Packet Session Status = INACTIVE
Inactivity Reason = Normal inactivate state
Profile 2, Packet Session Status = INACTIVE
Inactivity Reason = Normal inactivate state
Profile 3, Packet Session Status = INACTIVE
Inactivity Reason = Normal inactivate state
Profile 4, Packet Session Status = INACTIVE
Inactivity Reason = Normal inactivate state
Profile 5, Packet Session Status = INACTIVE
Inactivity Reason = Normal inactivate state
Profile 6, Packet Session Status = INACTIVE
Inactivity Reason = Normal inactivate state
Profile 7, Packet Session Status = INACTIVE
Inactivity Reason = Normal inactivate state
Profile 8, Packet Session Status = INACTIVE
Inactivity Reason = Normal inactivate state
Profile 9, Packet Session Status = INACTIVE
Inactivity Reason = Normal inactivate state
Profile 10, Packet Session Status = INACTIVE
Inactivity Reason = Normal inactivate state
Profile 11, Packet Session Status = INACTIVE
Inactivity Reason = Normal inactivate state
Profile 12, Packet Session Status = INACTIVE
Inactivity Reason = Normal inactivate state
Profile 13, Packet Session Status = INACTIVE
Inactivity Reason = Normal inactivate state
Profile 14, Packet Session Status = INACTIVE
Inactivity Reason = Normal inactivate state
Profile 15, Packet Session Status = INACTIVE
Inactivity Reason = Normal inactivate state
Profile 16, Packet Session Status = INACTIVE
Inactivity Reason = Normal inactivate state
Network Information
===================
Current Service Status = Normal, Service Error = None
Current Service = Combined
Packet Service = UMTS/WCDMA (Attached)
Packet Session Status = Inactive
Current Roaming Status = Home
Network Selection Mode = Automatic
Country = NCL, Network = MOBNCL
Mobile Country Code (MCC) = 546
Mobile Network Code (MNC) = 1
Location Area Code (LAC) = 10
Routing Area Code (RAC) = 1
Cell ID = 30521
Primary Scrambling Code = 434
PLMN Selection = Automatic
Registered PLMN = NCL MOBILIS , Abbreviated = MOBNCL
Service Provider =
Radio Information
=================
Radio power mode = ON
Current Band = WCDMA 2100, Channel Number = 10762
Current RSSI(RSCP) = -63 dBm
Band Selected = Auto
Number of nearby cells = 1
Cell 1
Primary Scrambling Code = 0x1B2
RSCP = -64 dBm, ECIO = -7 dBm
Modem Security Information
==========================
Card Holder Verification (CHV1) = Disabled
SIM Status = OK
SIM User Operation Required = None
Number of CHV1 Retries remaining = 3
GPS Information
==========================
GPS Info
GPS State: GPS disabled
SMS Information
===============
Incoming Message Information
SMS stored in modem = 1
SMS archived since booting up = 0
Total SMS deleted since booting up = 0
Storage records allocated = 60
Storage records used = 1
Number of callbacks triggered by SMS = 0
Number of successful archive since booting up = 0
Number of failed archive since booting up = 0
Outgoing Message Information
Total SMS sent successfully = 0
Total SMS send failure = 0
Number of outgoing SMS pending = 0
Number of successful archive since booting up = 0
Number of failed archive since booting up = 0
Last Outgoing SMS Status = SUCCESS
Copy-to-SIM Status = 0x0
Send-to-Network Status = 0x0
Report-Outgoing-Message-Number:
Reference Number = 0
Result Code = 0x0
Diag Code = 0x0 0x0 0x0 0x0 0x0
SMS Archive URL =
Error Information
=================
Cached info is displayed
at!err
QDSP6 ARM9 (not saved)
00 08 uim 08480 00 01 hsu_conf_sel_nv 00572
01 63 gsnvif 00245 01 01 hsu_conf_sel_nv 00616
02 FF cmtask 01162 02 01 timer 03552
03 1B mmglbl 00392
04 1B gsnvif 00478
05 1B rr_init 01597
06 1B rr_init 01601
07 1B rrcdata 08026
08 01 gmmutil 01099
09 01 gmmutil 01118
10 01 gmmutil 01141
11 01 gmmutil 01156
12 01 gmmutil 01174
13 01 gmmutil 01198
14 14 rrcllcp 16550
15 04 rrccspf 02198
16 17 rrccsp 20686
17 04 gsdi 09787
18 01 gsdi_co 01538
19 1B cnlbs 03307
OK
at!gcdump
No crash data available
OK
Modem Crashdump Information
===========================
Modem crashdump logging: off
I have the following config
chat-script OPT3G "" "ATDT*99***1#"
interface Cellular0/0/0
ip address negotiated
ip virtual-reassembly in
encapsulation slip
no ip route-cache
load-interval 60
dialer in-band
dialer string OPT3G
dialer-group 1
async mode interactive
interface Cellular0/0/1
no ip address
encapsulation slip
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 Cellular0/0/0
dialer-list 1 protocol ip permit
access-list 1 permit any
line 0/0/0
exec-timeout 0 0
script dialer OPT3G
login
modem InOut
no exec
transport input all
transport output all
autoselect during-login
autoselect ppp
line 0/0/1
exec-timeout 0 0
script dialer OPT3G
login
modem InOut
no exec
transport input all
I make debug
debug chat
debug cellular 0/0/0 messages all
I try to start the interface
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
*Jul 22 07:08:31.363: [Cellular0/0/0]:MGMT RX (RSCP_ECIO) (24 bytes):
00 14 6B 96 70 0B 07 00 00 00 00 00 00 0A 00 01
00 01 01 B2 00 3E 00 0D
*Jul 22 07:08:32.283: CHAT0/0/0: Attempting async line dialer script
*Jul 22 07:08:32.283: CHAT0/0/0: Dialing using Modem script: OPT3G & System script: none
*Jul 22 07:08:32.283: CHAT0/0/0: process started
*Jul 22 07:08:32.283: CHAT0/0/0: Asserting DTR
*Jul 22 07:08:32.283: CHAT0/0/0: Chat script OPT3G started
*Jul 22 07:08:32.283: CHAT0/0/0: Sending string: ATDT*99***1#
*Jul 22 07:08:32.283: CHAT0/0/0: Chat script OPT3G finished, status = Success.
*Jul 22 07:08:34.283: %LINK-3-UPDOWN: Interface Cellular0/0/0, changed state to up
*Jul 22 07:08:34.283: cellular_dip_ip_address_negotiated: failed to find profile ID for Cellular0/0/0
*Jul 22 07:08:34.363: [Cellular0/0/0]:MGMT RX (RSCP_ECIO) (24 bytes):
00 14 6B 97 70 0B 07 00 00 00 00 00 00 0A 00 01
00 01 01 B2 00 3F 00 0C
*Jul 22 07:08:35.283: %LINEPROTO-5-UPDOWN: Line protocol on Interface Cellular0/0/0, changed state to up.
*Jul 22 07:08:36.283: cellular_dip_cell_set_encap_whip: Invalid profile ID 255 for Cellular0/0/0
*Jul 22 07:08:36.835: [Cellular0/0/0]:MGMT RX (HEARTBEAT) (14 bytes):
00 0A 6B 98 00 00 07 00 00 00 00 00 00 00
*Jul 22 07:08:37.363: [Cellular0/0/0]:MGMT RX (RSCP_ECIO) (24 bytes):
00 14 6B 99 70 0B 07 00 00 00 00 00 00 0A 00 01
00 01 01 B2 00 3E 00 0C
*Jul 22 07:08:38.283: cellular_dip_cell_set_encap_whip: Invalid profile ID 255 for Cellular0/0/0.
*Jul 22 07:08:40.283: cellular_dip_cell_set_encap_whip: Invalid profile ID 255 for Cellular0/0/0
*Jul 22 07:08:40.367: [Cellular0/0/0]:MGMT RX (RSCP_ECIO) (24 bytes):
00 14 6B 9A 70 0B 07 00 00 00 00 00 00 0A 00 01
00 01 01 B2 00 40 00 0F
Success rate is 0 percent (0/5)
RTR-TEST98#
hello everyone,
I still have my issue and can't connect my 3G interface.
I can complete my issue with this log
*Aug 12 08:35:34.023: cellular_dip_ip_address_negotiated: failed to find profile ID for Cellular0/0/0
*Aug 12 08:35:38.019: cellular_dip_cell_set_encap_whip: Invalid profile ID 255 for Cellular0/0/0
Thanks for your help. -
Today we tried to migrate our Xserve from 10.3.9 to 10.4
We've chosen to start the update from a PowerBook and attached our Xserve in FireWire Target Mode.
Update/Install ran smoothly, BUT ON RESTART WE LOST CONTACT TO OUR XSERVE
In system.log it says
HeadlessStartup: Enabling root account so we can remotely administrate.
Apr 5 14:03:18 everlearn /System/Library/ServerSetup/serversetup: defaults info /usr/bin/defaults write -g AppleLanguages '(de, English, ja, fr)'
Apr 5 14:03:20 everlearn /System/Library/ServerSetup/serversetup: CFUserTextEncoding info 0:3
Apr 5 14:03:22 everlearn /System/Library/ServerSetup/serversetup: user library preferences ByHost folder is existed.
Apr 5 14:03:22 everlearn /System/Library/ServerSetup/serversetup: copyPath from rootByHost to userByHost failed.
Apr 5 14:03:22 everlearn /System/Library/ServerSetup/serversetup: create file userByHost is OK.
Apr 5 14:03:25 everlearn mDNSResponder: Service "everlearn.ssh.tcp.local." renamed to "wipaed-dev"
Apr 5 14:03:25 everlearn mDNSResponder: Service "everlearn.sftp-ssh.tcp.local." renamed to "wipaed-dev"
Apr 5 14:03:47 everlearn sudo: root : TTY=unknown ; PWD=/ ; USER=cyrusimap ; COMMAND=/usr/bin/cyrus/tools/mkimap
Apr 5 14:03:55 everlearn root: Setting SquirrelMail language to 'de_DE'
Apr 5 14:03:57 everlearn sudo: root : TTY=unknown ; PWD=/private/var/imap/db.backup2 ; USER=cyrusimap ; COMMAND=/usr/bin/touch /var/imap/db/skipstamp
Apr 5 14:03:57 everlearn sudo: root : TTY=unknown ; PWD=/private/var/imap/db.backup2 ; USER=cyrusimap ; COMMAND=/usr/bin/cyrus/bin/ctl_mboxlist.old -d
Apr 5 14:04:00 everlearn sudo: root : TTY=unknown ; PWD=/private/var/imap/db.backup2 ; USER=cyrusimap ; COMMAND=/bin/mv /var/imap/mailboxes.db /var/imap/mailboxes.db.old
Apr 5 14:04:00 everlearn sudo: root : TTY=unknown ; PWD=/private/var/imap/db ; USER=cyrusimap ; COMMAND=/usr/bin/touch /var/imap/db/skipstamp
Apr 5 14:04:01 everlearn sudo: root : TTY=unknown ; PWD=/private/var/imap/db ; USER=cyrusimap ; COMMAND=/usr/bin/cyrus/bin/ctl_mboxlist -u
Apr 5 14:04:01 everlearn ctl_mboxlist[942]: skiplist: recovered /var/imap/mailboxes.db (0 records, 144 bytes) in 0 seconds
Apr 5 14:04:05 everlearn /System/Library/ServerSetup/MigrationExtras/49_webconfigmigrator: Existing /private/etc/httpd/httpd_macosxserver.conf file couldn't be read! Nothing to migrate.
Apr 5 14:04:05 everlearn /System/Library/ServerSetup/MigrationExtras/50_ipfwconfigmigrator: No Jaguar firewall settings to migrate from NetInfo directory dsRecTypeNative:/config/IPFilters.
Apr 5 14:04:09 everlearn /System/Library/ServerSetup/MigrationExtras/60_ipfwconfigmigrator: ipfw config migration:Notice:Migrating old IP address group. New name:'Migrated: 10-net' New id:'Migrated: 10-net'
Apr 5 14:04:09 everlearn /System/Library/ServerSetup/MigrationExtras/60_ipfwconfigmigrator: ipfw config migration:Notice:IP address group 'any' has 'SSH - Secure Shell' enabled because 'ssh' was enabled in old rules
Apr 5 14:04:09 everlearn /System/Library/ServerSetup/MigrationExtras/60_ipfwconfigmigrator: ipfw config migration:Notice:IP address group 'any' has 'Server Admin SSL, also Web-ASIP' enabled because 'asip-webadmin' was enabled in old rules
Apr 5 14:04:09 everlearn /System/Library/ServerSetup/MigrationExtras/60_ipfwconfigmigrator: ipfw config migration:Notice:IP address group 'any' has 'Remote Directory Access' enabled because 'remoteda' was enabled in old rules
Apr 5 14:04:09 everlearn /System/Library/ServerSetup/MigrationExtras/60_ipfwconfigmigrator: ipfw config migration:Notice:IP address group 'any' has 'Server administration using Server Admin' enabled because 'serveradmin_pseudoservice' was enabled in old rules
Apr 5 14:04:09 everlearn /System/Library/ServerSetup/MigrationExtras/60_ipfwconfigmigrator: ipfw config migration:Notice:IP address group 'any' has 'ICMP - echo reply messages (replies to outgoing pings)' enabled because 'icmppingpseudoservice' was enabled in old rules
Apr 5 14:04:09 everlearn /System/Library/ServerSetup/MigrationExtras/60_ipfwconfigmigrator: ipfw config migration:Notice:IP address group 'any' has 'IGMP - Internet Group Management Protocol' enabled because 'igmp_pseudoservice' was enabled in old rules
Apr 5 14:04:09 everlearn /System/Library/ServerSetup/MigrationExtras/60_ipfwconfigmigrator: ipfw config migration:Notice:IP address group 'any' has 'RTSP - QTSS streaming' enabled because 'rtsp' was enabled in old rules
Apr 5 14:04:09 everlearn /System/Library/ServerSetup/MigrationExtras/60_ipfwconfigmigrator: ipfw config migration:Notice:IP address group 'any' has 'WebObjects' enabled because 'webobjects' was enabled in old rules
Apr 5 14:04:09 everlearn /System/Library/ServerSetup/MigrationExtras/60_ipfwconfigmigrator: ipfw config migration:Notice:IP address group 'any' has 'QTSS web administration' enabled because 'qtssweb_pseudoservice' was enabled in old rules
Apr 5 14:04:09 everlearn /System/Library/ServerSetup/MigrationExtras/60_ipfwconfigmigrator: ipfw config migration:Notice:IP address group 'any' has 'QTSS MP3 streaming' enabled because 'qtssmp3_pseudoservice' was enabled in old rules
Apr 5 14:04:09 everlearn /System/Library/ServerSetup/MigrationExtras/60_ipfwconfigmigrator: ipfw config migration:Notice:IP address group 'any' has 'HTTP - web service alternate (Apache 2 default)' enabled because 'http-alt' was enabled in old rules
Apr 5 14:04:09 everlearn /System/Library/ServerSetup/MigrationExtras/60_ipfwconfigmigrator: ipfw config migration:Notice:IP address group 'any' has 'HTTP - web service' enabled because 'http' was enabled in old rules
Apr 5 14:04:09 everlearn /System/Library/ServerSetup/MigrationExtras/60_ipfwconfigmigrator: ipfw config migration:Notice:Migration applying old customized enable status to rule '65000'
Apr 5 14:04:09 everlearn /System/Library/ServerSetup/MigrationExtras/60_ipfwconfigmigrator: ipfw config migration:Notice:Migration applying old customized enable status to rule '63300'
Apr 5 14:04:09 everlearn root: The previous /etc/httpd/workers.properties file has been saved as /etc/httpd/workers.properties.applesaved. The current /etc/httpd/workers.properties file now includes a blojsom worker.
Apr 5 14:04:31 everlearn servermgrd: cupsd mach_msg error (ipc/rcv) timed out
Since then we cannot find the Xserve via ping or even with a PowerBook in the same subnet.
How can we restore TCP/IP information, subnet info etc.?
Right now we CANNOT ACCESS PER SSH but ONLY VIA FIREWIRE ACCESS, therefore we cannot use changeip and serversetup.
How can we set DHCP information without ssh access, only access to the files?
What to set?
Where to set?
Any information is greatly appreciated.
karsten
The main ethernet port had been disabled by the installer!
We connected a powerbook (just plain ethernet cable) to the other port which was running with some old ip number and sent
ping 224.0.0.1
This gives you the ip number
then we logged in via ssh
then
networksetup -setnetworkserviceenabled "Ethernet…" on
Now we can work through the messed up install… -
802.1x port authentication failing after getting a access-accept packet
Hi all,
I'm not 100% sure what the hell is going on here.
Any ideas or help will be appreciated.
Here's the topology.
1 x windows 2012 NPS
1x 3750X
1x Windows 7 x64
data flow
<laptop> - - [gi 1/0/13]<3750X>[gi 1/0/48]- -[gi 5/39]<6513>[po 1] - - [po 4]<6509><5/1> - - <VMWARE>[NPS Server]
The switch that is doing the authentication is the 3750X. Here is the IOS version.
Switch Ports Model SW Version SW Image
* 1 54 WS-C3750X-48 15.2(1)E C3750E-UNIVERSALK9-M
A wireshark trace on the NPS server shows that the packets are arriving and being sent back
Wireshark on a mirror of the trunk port connecting the 6513. It also shows packets being sent and arriving. access-accept packets are being received.
As you can see in the debug output, the switch is getting an access-accept, then it is stating an AAA failure.
Here is a debug output as you plug in the laptop.
Oct 24 10:53:44.653: dot1x-ev:[Gi1/0/13] Interface state changed to DOWN
Oct 24 10:53:44.653: dot1x-ev:[Gi1/0/13] No DOT1X subblock found for port down
Oct 24 10:53:45.643: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/13, changed state to down
Oct 24 10:53:46.641: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/13, changed state to down
Oct 24 10:53:47.538: dot1x-ev:[Gi1/0/13] Interface state changed to UP
Oct 24 10:53:47.564: dot1x-packet:[6431.500e.9b00, Gi1/0/13] queuing an EAPOL pkt on Auth Q
Oct 24 10:53:47.572: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet1/0/13
Oct 24 10:53:47.572: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x1
Oct 24 10:53:47.572: dot1x-packet: length: 0x0000
Oct 24 10:53:47.572: dot1x-ev:[Gi1/0/13] Dequeued pkt: Int Gi1/0/13 CODE= 0,TYPE= 0,LEN= 0
Oct 24 10:53:47.572: dot1x-ev:[Gi1/0/13] Received pkt saddr =6431.500e.9b00 , daddr = 0180.c200.0003, pae-ether-type = 888e.0101.0000
Oct 24 10:53:47.572: dot1x-ev:[Gi1/0/13] Couldn't find the supplicant in the list
Oct 24 10:53:47.572: dot1x-ev:[6431.500e.9b00, Gi1/0/13] New client detected, sending session start event for 6431.500e.9b00
Oct 24 10:53:47.572: AAA/BIND(00000047): Bind i/f
Oct 24 10:53:47.580: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Sending create new context event to EAP for 0x15000045 (6431.500e.9b00)
Oct 24 10:53:47.580: EAP-EVENT: Received context create from LL (Dot1x-Authenticator) (0x15000045)
Oct 24 10:53:47.580: EAP-AUTH-EVENT: Received AAA ID 0x00000047 from LL
Oct 24 10:53:47.580: EAP-AUTH-AAA-EVENT: Assigning AAA ID 0x00000047
Oct 24 10:53:47.580: EAP-AUTH-AAA-EVENT: CTS not enabled on interface Gi1/0/13
Oct 24 10:53:47.580: EAP-AUTH-EVENT: Received Session ID "C0A846660000004700DF6030" from LL
Oct 24 10:53:47.580: EAP-AUTH-EVENT: Setting authentication mode: Passthrough
Oct 24 10:53:47.580: eap_authen : initial state eap_auth_initialize has enter
Oct 24 10:53:47.580: EAP-EVENT: Allocated new EAP context (handle = 0xE8000047)
Oct 24 10:53:47.580: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Created a client entry (0x15000045)
Oct 24 10:53:47.580: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Dot1x authentication started for 0x15000045 (6431.500e.9b00)
Oct 24 10:53:47.580: %AUTHMGR-5-START: Starting 'dot1x' for client (6431.500e.9b00) on Interface Gi1/0/13 AuditSessionID C0A846660000004700DF6030
Oct 24 10:53:47.580: EAP-EVENT: Received EAP event 'EAP_AUTHENTICATOR_START' on handle 0xE8000047
Oct 24 10:53:47.580: eap_authen : during state eap_auth_initialize, got event 25(eapStartTmo)
Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_initialize -> eap_auth_select_action
Oct 24 10:53:47.580: eap_authen : during state eap_auth_select_action, got event 20(eapDecisionPropose)
Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_select_action -> eap_auth_propose_method
Oct 24 10:53:47.580: eap_authen : idle during state eap_auth_propose_method
Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_propose_method -> eap_auth_method_request
Oct 24 10:53:47.580: eap_authen : idle during state eap_auth_method_request
Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_method_request -> eap_auth_tx_packet
Oct 24 10:53:47.580: EAP-AUTH-EVENT: Current method = Identity
Oct 24 10:53:47.580: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_CUSTOMIZE_ID_REQUEST' on handle 0xE8000047
Oct 24 10:53:47.580: eap_authen : idle during state eap_auth_tx_packet
Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_tx_packet -> eap_auth_idle
Oct 24 10:53:47.589: EAP-AUTH-TX-PAK: Code:REQUEST ID:0x1 Length:0x0005 Type:IDENTITY
Oct 24 10:53:47.589: EAP-EVENT: Started 'Authenticator ReqId Retransmit' timer (30s) for EAP sesion handle 0xE8000047
Oct 24 10:53:47.589: EAP-EVENT: Started EAP tick timer
Oct 24 10:53:47.589: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_TX_PACKET' on handle 0xE8000047
Oct 24 10:53:47.597: dot1x-ev:[Gi1/0/13] Sending EAPOL packet to group PAE address
Oct 24 10:53:47.597: dot1x-ev:[Gi1/0/13] Sending out EAPOL packet
Oct 24 10:53:47.597: dot1x-packet:EAPOL pak Tx - Ver: 0x3 type: 0x0
Oct 24 10:53:47.597: dot1x-packet: length: 0x0005
Oct 24 10:53:47.597: dot1x-packet:EAP code: 0x1 id: 0x1 length: 0x0005
Oct 24 10:53:47.597: dot1x-packet: type: 0x1
Oct 24 10:53:47.597: dot1x-packet:[6431.500e.9b00, Gi1/0/13] EAPOL packet sent to client 0x15000045
Oct 24 10:53:47.606: dot1x-packet:[6431.500e.9b00, Gi1/0/13] Queuing an EAPOL pkt on Authenticator Q
Oct 24 10:53:47.606: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x0
Oct 24 10:53:47.606: dot1x-packet: length: 0x001F
Oct 24 10:53:47.606: dot1x-ev:[Gi1/0/13] Dequeued pkt: Int Gi1/0/13 CODE= 2,TYPE= 1,LEN= 31
Oct 24 10:53:47.606: dot1x-ev:[Gi1/0/13] Received pkt saddr =6431.500e.9b00 , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.001f
Oct 24 10:53:47.606: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x0
Oct 24 10:53:47.606: dot1x-packet: length: 0x001F
Oct 24 10:53:47.606: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Response sent to the server from 0x15000045
Oct 24 10:53:47.606: EAP-EVENT: Received LL (Dot1x-Authenticator) event 'EAP_RX_PACKET' on handle 0xE8000047
Oct 24 10:53:47.606: EAP-AUTH-RX-PAK: Code:RESPONSE ID:0x1 Length:0x001F Type:IDENTITY
Oct 24 10:53:47.606: Payload: 47454E4552414C5C72616E64792E636F ...
Oct 24 10:53:47.606: eap_authen : during state eap_auth_idle, got event 1(eapRxPacket)
Oct 24 10:53:47.606: @@@ eap_authen : eap_auth_idle -> eap_auth_received
Oct 24 10:53:47.606: EAP-AUTH-EVENT: EAP Response received by context 0xE8000047
Oct 24 10:53:47.606: EAP-AUTH-EVENT: EAP Response type = Identity
Oct 24 10:53:47.606: EAP-EVENT: Stopping 'Authenticator ReqId Retransmit' timer for EAP sesion handle 0xE8000047
Oct 24 10:53:47.606: eap_authen : during state eap_auth_received, got event 10(eapMethodData)
Oct 24 10:53:47.606: @@@ eap_authen : eap_auth_received -> eap_auth_method_response
Oct 24 10:53:47.606: EAP-AUTH-EVENT: Received peer identity: GENERAL\randy.coburn.admin
Oct 24 10:53:47.606: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_IDENTITY' on handle 0xE8000047
Oct 24 10:53:47.606: eap_authen : during state eap_auth_method_response, got event 13(eapMethodEnd)
Oct 24 10:53:47.606: @@@ eap_authen : eap_auth_method_response -> eap_auth_select_action
Oct 24 10:53:47.606: eap_authen : during state eap_auth_select_action, got event 19(eapDecisionPass)
Oct 24 10:53:47.606: @@@ eap_authen : eap_auth_select_action -> eap_auth_passthru_init
Oct 24 10:53:47.606: eap_authen : during state eap_auth_passthru_init, got event 22(eapPthruIdentity)
Oct 24 10:53:47.614: @@@ eap_authen : eap_auth_passthru_init -> eap_auth_aaa_req
Oct 24 10:53:47.614: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_GET_PEER_MAC_ADDRESS' on handle 0xE8000047
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Adding Audit-Session-ID "C0A846660000004700DF6030" to RADIUS Req
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Added Audit-Session-ID
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Adding IDB "0x070B90F8" to RADIUS Req
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Added IDB
Oct 24 10:53:47.614: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_CUSTOMIZE_AAA_REQUEST' on handle 0xE8000047
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: eap_auth_aaa_authen_request_shim aaa_service 19, eap aaa_list handle 0, mlist handle 0
Oct 24 10:53:47.614: AAA/AUTHEN/8021X (00000000): Pick method list 'default'
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Request sent successfully
Oct 24 10:53:47.614: eap_authen : during state eap_auth_aaa_req, got event 24(eapAAAReqOk)
Oct 24 10:53:47.614: @@@ eap_authen : eap_auth_aaa_req -> eap_auth_aaa_idle
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000):Orig. component type = Invalid
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute hwidb
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute aaa-authen-type
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute aaa-authen-service
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute clid-mac-addr
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute target-scope
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute aaa-unique-id
Oct 24 10:53:47.614: RADIUS(00000000): Config NAS IP: 0.0.0.0
Oct 24 10:53:47.614: RADIUS(00000000): sending
Oct 24 10:53:47.614: RADIUS/ENCODE: Best Local IP-Address 192.168.70.102 for Radius-Server 192.168.19.121
Oct 24 10:53:47.614: RADIUS(00000000): Send Access-Request to 192.168.19.121:1645 id 1645/21, len 288
Oct 24 10:53:47.614: RADIUS: authenticator F1 BA E5 31 71 54 BF 1A - A2 B1 5E 1A 63 72 1E 72
Oct 24 10:53:47.614: RADIUS: User-Name [1] 28 "GENERAL\randy.coburn.admin"
Oct 24 10:53:47.614: RADIUS: Service-Type [6] 6 Framed [2]
Oct 24 10:53:47.614: RADIUS: Vendor, Cisco [26] 27
Oct 24 10:53:47.614: RADIUS: Cisco AVpair [1] 21 "service-type=Framed"
Oct 24 10:53:47.614: RADIUS: Framed-MTU [12] 6 1500
Oct 24 10:53:47.614: RADIUS: Called-Station-Id [30] 19 "AC-F2-C5-75-7D-0D"
Oct 24 10:53:47.614: RADIUS: Calling-Station-Id [31] 19 "64-31-50-0E-9B-00"
Oct 24 10:53:47.614: RADIUS: EAP-Message [79] 33
Oct 24 10:53:47.614: RADIUS: 02 01 00 1F 01 47 45 4E 45 52 41 4C 5C 72 61 6E 64 79 2E 63 6F [GENERAL\randy.co]
Oct 24 10:53:47.622: RADIUS: 62 75 72 6E 2E 61 64 6D 69 6E [ burn.admin]
Oct 24 10:53:47.622: RADIUS: Message-Authenticato[80] 18
Oct 24 10:53:47.622: RADIUS: EE 52 4D ED B9 06 F3 CE 63 AC 9D 73 24 1B A7 ED [ RMcs$]
Oct 24 10:53:47.622: RADIUS: EAP-Key-Name [102] 2 *
Oct 24 10:53:47.622: RADIUS: Vendor, Cisco [26] 49
Oct 24 10:53:47.622: RADIUS: Cisco AVpair [1] 43 "audit-session-id=C0A846660000004700DF6030"
Oct 24 10:53:47.622: RADIUS: Vendor, Cisco [26] 20
Oct 24 10:53:47.622: RADIUS: Cisco AVpair [1] 14 "method=dot1x"
Oct 24 10:53:47.622: RADIUS: NAS-IP-Address [4] 6 192.168.70.102
Oct 24 10:53:47.622: RADIUS: NAS-Port [5] 6 60000
Oct 24 10:53:47.622: RADIUS: NAS-Port-Id [87] 23 "GigabitEthernet1/0/13"
Oct 24 10:53:47.622: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
Oct 24 10:53:47.622: RADIUS(00000000): Sending a IPv4 Radius Packet
Oct 24 10:53:47.622: RADIUS(00000000): Started 10 sec timeout
Oct 24 10:53:47.622: RADIUS: Received from id 1645/21 192.168.19.121:1645, Access-Accept, len 66
Oct 24 10:53:47.622: RADIUS: authenticator 92 F6 07 AF C1 AB 0B 4C - 1D 9E A0 D1 01 36 27 26
Oct 24 10:53:47.622: RADIUS: Class [25] 46
Oct 24 10:53:47.622: RADIUS: 76 E3 06 66 00 00 01 37 00 01 02 00 C0 A8 13 79 00 00 00 00 00 00 00 00 00 00 00 00 01 CE CF F8 1F 7B 75 41 00 00 00 00 00 00 00 50 [ vf7y{uAP]
Oct 24 10:53:47.622: RADIUS(00000000): Received from id 1645/21
Oct 24 10:53:47.622: EAP-EVENT: eap_aaa_reply
Oct 24 10:53:47.622: EAP-AUTH-AAA-EVENT: Reply received session_label 72000033
Oct 24 10:53:47.622: EAP-EVENT: Received AAA event 'EAP_AAA_FAIL' on handle 0xE8000047
Oct 24 10:53:47.622: eap_authen : during state eap_auth_aaa_idle, got event 8(eapAAAFail)
Oct 24 10:53:47.622: @@@ eap_authen : eap_auth_aaa_idle -> eap_auth_failure
Oct 24 10:53:47.631: EAP-EVENT: Received get canned status from lower layer (0xE8000047)
Oct 24 10:53:47.631: EAP-AUTH-TX-PAK: Code:FAILURE ID:0x1 Length:0x0004
Oct 24 10:53:47.631: EAP-AUTH-EVENT: FAIL for EAP method ID: 1, name: , on handle 0xE8000047
Oct 24 10:53:47.631: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_FAIL' on handle 0xE8000047
Oct 24 10:53:47.631: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Received an EAP Fail
Oct 24 10:53:47.639: %DOT1X-5-FAIL: Authentication failed for client (6431.500e.9b00) on Interface Gi1/0/13 AuditSessionID C0A846660000004700DF6030
Oct 24 10:53:47.639: dot1x-packet:[6431.500e.9b00, Gi1/0/13] Added username in dot1x
Oct 24 10:53:47.639: dot1x-packet:[6431.500e.9b00, Gi1/0/13] Dot1x did not receive any key data
Oct 24 10:53:47.639: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Processing client delete for hdl 0x15000045 sent by Auth Mgr
Oct 24 10:53:47.639: dot1x-ev:[6431.500e.9b00, Gi1/0/13] 6431.500e.9b00: sending canned failure due to method termination
Oct 24 10:53:47.639: EAP-EVENT: Received get canned status from lower layer (0xE8000047)
Oct 24 10:53:47.639: dot1x-ev:[Gi1/0/13] Sending EAPOL packet to group PAE address
Oct 24 10:53:47.639: dot1x-ev:[Gi1/0/13] Sending out EAPOL packet
Oct 24 10:53:47.639: dot1x-packet:EAPOL pak Tx - Ver: 0x3 type: 0x0
Oct 24 10:53:47.639: dot1x-packet: length: 0x0004
Oct 24 10:53:47.639: dot1x-packet:EAP code: 0x4 id: 0x1 length: 0x0004
Oct 24 10:53:47.639: dot1x-packet:[6431.500e.9b00, Gi1/0/13] EAPOL canned status packet sent to client 0x15000045
Oct 24 10:53:47.639: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Deleting client 0x15000045 (6431.500e.9b00)
Oct 24 10:53:47.639: %AUTHMGR-7-STOPPING: Stopping 'dot1x' for client 6431.500e.9b00 on Interface Gi1/0/13 AuditSessionID C0A846660000004700DF6030
Oct 24 10:53:47.639: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (6431.500e.9b00) on Interface Gi1/0/13 AuditSessionID C0A846660000004700DF6030
Oct 24 10:53:47.648: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Delete auth client (0x15000045) message
Oct 24 10:53:47.648: EAP-EVENT: Received free context (0xE8000047) from LL (Dot1x-Authenticator)
Oct 24 10:53:47.648: dot1x-ev:Auth client ctx destroyed
Oct 24 10:53:47.648: EAP-EVENT: Received LL (Dot1x-Authenticator) event 'EAP_DELETE' on handle 0xE8000047
Oct 24 10:53:47.648: EAP-AUTH-EVENT: Freed EAP auth context
Oct 24 10:53:47.648: EAP-EVENT: Freed EAP context
Oct 24 10:53:48.621: EAP-EVENT: Stopped EAP tick timer
Oct 24 10:53:49.485: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/13, changed state to up
Oct 24 10:53:50.491: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/13, changed state to up
Oct 24 10:53:53.528: dot1x-ev:[Gi1/0/13] Interface state changed to DOWN
Oct 24 10:53:53.528: dot1x-ev:[Gi1/0/13] No DOT1X subblock found for port down
Oct 24 10:53:54.518: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/13, changed state to down
Oct 24 10:53:55.524: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/13, changed state to down
Hi Jatin,
See below the data that you have requested.
show run bits.
aaa new-model
aaa authentication dot1x default group radius
aaa session-id common
clock timezone BST 0 0
clock summer-time UTC recurring last Sun Mar 1:00 last Sun Oct 2:00
dot1x system-auth-control
interface GigabitEthernet1/0/13
switchport access vlan 80
switchport mode access
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
interface GigabitEthernet1/0/48
switchport trunk encapsulation dot1q
switchport trunk native vlan 70
switchport mode trunk
radius server NPS1
address ipv4 192.168.19.121 auth-port 1645 acct-port 1646
timeout 10
key thesecret
ip default-gateway 192.168.70.1
SW1-randy#show auth sessions interface gig 1/0/13
Interface MAC Address Method Domain Status Fg Session ID
Gi1/0/13 803f.5d09.189e N/A UNKNOWN Unauth C0A846660000002F00251DBC
SW1-randy#Show mac address-table Interface GigabitEthernet1/0/13
Mac Address Table
Vlan Mac Address Type Ports
80 803f.5d09.189e DYNAMIC Drop
SW1-randy#ping 192.168.19.121
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.19.121, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
Here is a wireshark of the accept packet.
Message was edited by: randy coburn
Added wireshark trace -
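A way to triage the debug output in the thread above, as an added example that is not part of the original posts: the script parses the RADIUS lines, checks that the dumped attribute lengths add up to the packet length, and reports which EAP-related attributes the Access-Accept carried before the EAP_AAA_FAIL event. The embedded sample is a trimmed copy of lines from that debug output; the function names and finding labels are this example's own.

```python
import re

# Trimmed copy of lines from the debug output above (most request attributes omitted).
SAMPLE_LOG = r"""
Oct 24 10:53:47.614: RADIUS(00000000): Send Access-Request to 192.168.19.121:1645 id 1645/21, len 288
Oct 24 10:53:47.614: RADIUS: User-Name [1] 28 "GENERAL\randy.coburn.admin"
Oct 24 10:53:47.614: RADIUS: EAP-Message [79] 33
Oct 24 10:53:47.622: RADIUS: Message-Authenticato[80] 18
Oct 24 10:53:47.622: RADIUS: Vendor, Cisco [26] 20
Oct 24 10:53:47.622: RADIUS: Cisco AVpair [1] 14 "method=dot1x"
Oct 24 10:53:47.622: RADIUS: Received from id 1645/21 192.168.19.121:1645, Access-Accept, len 66
Oct 24 10:53:47.622: RADIUS: authenticator 92 F6 07 AF C1 AB 0B 4C - 1D 9E A0 D1 01 36 27 26
Oct 24 10:53:47.622: RADIUS: Class [25] 46
Oct 24 10:53:47.622: EAP-EVENT: Received AAA event 'EAP_AAA_FAIL' on handle 0xE8000047
Oct 24 10:53:47.639: %DOT1X-5-FAIL: Authentication failed for client (6431.500e.9b00) on Interface Gi1/0/13 AuditSessionID C0A846660000004700DF6030
"""

HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80  # RADIUS attribute type numbers

SEND_RE = re.compile(r"RADIUS\(\w+\): Send (Access-\w+) to (\S+) id (\d+/\d+), len (\d+)")
RECV_RE = re.compile(r"RADIUS: Received from id (\d+/\d+) (\S+), (Access-\w+), len (\d+)")
# "RADIUS: <name> [<type>] <length> ..."; hex-dump continuation lines do not match.
ATTR_RE = re.compile(r"RADIUS:\s+(\S[^\[]*?)\s*\[(\d+)\]\s+(\d+)")


def parse_packets(log):
    """Return one dict per RADIUS packet, in log order, with its top-level attributes."""
    packets, current = [], None
    for line in log.splitlines():
        if m := SEND_RE.search(line):
            current = dict(dir="tx", code=m[1], peer=m[2], id=m[3],
                           len=int(m[4]), attrs=[], eap_fail=False)
            packets.append(current)
        elif m := RECV_RE.search(line):
            current = dict(dir="rx", code=m[3], peer=m[2], id=m[1],
                           len=int(m[4]), attrs=[], eap_fail=False)
            packets.append(current)
        elif current is None:
            continue
        elif "EAP_AAA_FAIL" in line:
            current["eap_fail"] = True  # failure event logged after this packet
        elif m := ATTR_RE.search(line):
            # "Cisco AVpair" lines are sub-attributes of the preceding VSA [26];
            # counting them would double-count the length.
            if not m[1].startswith("Cisco AVpair"):
                current["attrs"].append((int(m[2]), m[1], int(m[3])))
    for p in packets:
        # True only when every attribute of the packet is present in the dump.
        p["complete"] = HEADER_LEN + sum(n for _, _, n in p["attrs"]) == p["len"]
    return packets


def triage(log):
    """Report each Access-Accept that answers an Access-Request carrying EAP-Message."""
    pending, reports = {}, []
    for p in parse_packets(log):
        types = {t for t, _, _ in p["attrs"]}
        if p["dir"] == "tx":
            if EAP_MESSAGE in types:
                pending[p["id"]] = p
            continue
        request = pending.pop(p["id"], None)
        if request is None or p["code"] != "Access-Accept":
            continue
        findings = []
        if EAP_MESSAGE not in types:
            findings.append("accept-without-eap-message")
        if MESSAGE_AUTHENTICATOR not in types:
            findings.append("accept-without-message-authenticator")
        if p["eap_fail"]:
            findings.append("eap-fail-after-accept")
        reports.append(dict(id=p["id"], server=p["peer"],
                            attrs=[name for _, name, _ in p["attrs"]],
                            attrs_complete=p["complete"], findings=findings))
    return reports


if __name__ == "__main__":
    for report in triage(SAMPLE_LOG):
        print(report)
```

When attrs_complete is true, the attribute list is the whole packet, so a missing EAP-Message is a property of the reply and not of a truncated dump.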
Hello
I would like to track icmp jitter for end host. I verified in documentation that it can be any host as a destination. But I got an error on this operation:
Latest RTT: NoConnection/Busy/Timeout
I verified that there is no firewall between the source and destination and icmp timestamp request works when done manually:
r01#ping
Protocol [ip]:
Target IP address: 10.23.33.6
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface:
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]: Timestamp
Number of timestamps [ 9 ]:
Loose, Strict, Record, Timestamp, Verbose[TV]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.23.33.6, timeout is 2 seconds:
Packet has IP options: Total option bytes= 40, padded length=40
Timestamp: Type 0. Overflows: 0 length 40, ptr 5
>>Current pointer<<
Time= 01:00:00.000 CET (00000000)
Time= 01:00:00.000 CET (00000000)
Time= 01:00:00.000 CET (00000000)
Time= 01:00:00.000 CET (00000000)
Time= 01:00:00.000 CET (00000000)
Time= 01:00:00.000 CET (00000000)
Time= 01:00:00.000 CET (00000000)
Time= 01:00:00.000 CET (00000000)
Time= 01:00:00.000 CET (00000000)
Reply to request 0 (4 ms). Received packet has no options
Reply to request 1 (4 ms). Received packet has no options
Reply to request 2 (1 ms). Received packet has no options
Reply to request 3 (1 ms). Received packet has no options
Reply to request 4 (1 ms). Received packet has no options
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
r01#sh ip sla statistics 196
IPSLAs Latest Operation Statistics
IPSLA operation id: 196
Type of operation: icmp-jitter
Latest RTT: NoConnection/Busy/Timeout
Latest operation start time: 12:45:21.019 CET Fri Nov 21 2014
Latest operation return code: Timeout
RTT Values:
Number Of RTT: 0 RTT Min/Avg/Max: 0/0/0
Latency one-way time:
Number of Latency one-way Samples: 0
Source to Destination Latency one way Min/Avg/Max: 0/0/0
Destination to Source Latency one way Min/Avg/Max: 0/0/0
Jitter Time:
Number of SD Jitter Samples: 0
Number of DS Jitter Samples: 0
Source to Destination Jitter Min/Avg/Max: 0/0/0
Destination to Source Jitter Min/Avg/Max: 0/0/0
Packet Late Arrival: 0
Out Of Sequence: 0
Source to Destination: 0 Destination to Source 0
In both Directions: 0
Packet Skipped: 0 Packet Unprocessed: 0
Packet Loss: 0
Loss Period Length Min/Max: 0/0
Number of successes: 0
Number of failures: 34
ip sla 197
icmp-jitter 10.23.33.6
frequency 30
ip sla schedule 197 life forever start-time now
Nov 21 12:57:43: IP SLAs(197) Scheduler: saaSchedulerEventWakeup
Nov 21 12:57:43: IP SLAs(197) Scheduler: Starting an operation
Nov 21 12:57:43: IP SLAs(197) icmpjitter operation: Starting icmpjitter operation
Nov 21 12:57:49: IP SLAs(197) icmpjitter operation: Timeout
Nov 21 12:57:49: IP SLAs(197) icmpjitter operation: Timeout
Nov 21 12:57:49: IP SLAs(197) Scheduler: Updating result
Nov 21 12:57:49: IP SLAs(197) Scheduler: start wakeup timer, delay = 24796
Nov 21 12:57:49: IP SLAs(197) icmpjitter operation: Timeout
Nov 21 12:57:49: IP SLAs(197) icmpjitter operation: Timeout
Nov 21 12:57:49: IP SLAs(197) icmpjitter operation: Timeout
Nov 21 12:57:49: IP SLAs(197) icmpjitter operation: Timeout
Nov 21 12:57:49: IP SLAs(197) icmpjitter operation: Timeout
Nov 21 12:57:49: IP SLAs(197) icmpjitter operation: Timeout
Nov 21 12:57:49: IP SLAs(197) icmpjitter operation: Timeout
Nov 21 12:57:49: IP SLAs(197) icmpjitter operation: Timeout
Nov 21 12:57:49: IP SLAs(197) icmpjitter operation: Timeout
Any help would be appreciated.
Hi Jorge
According to Cisco documentation icmp-jitter should work on any IP Device.
I have a similar issue.
1. I can run icmp-jitter successfully to non-Cisco routers
2. It fails to run to a generic IP device.
Imran -
Hi,
I have a slight issue I'm having some problems resolving..
The scenario is as follows;
I have an external provider which connects to me via VPN to a Juniper SSG firewall, that works fine.
I then have an external site, which does NOT reside in my MPLS cloud, so I have to deploy IPSec via Internet to reach it.
That also works fine and I have multiple SA's running on that site with no issues or problems.
The external provider has a small network device deployed on the external site which monitors cooling values in one of our warehouses.
The external site which is connected via IPSEC has a Cisco 1921 and numerous Cisco 3550s deployed.
The VLAN for the cooling provider is vlan 150 and is setup with 10.150.4.0/24 where .1 is the def gw and .10 is the cooling monitor device.
The external provider's servers are located within 192.168.220.0/24 subnet.
As of right now, we can reach the Cisco 1921 through the whole IPsec tunnel from 192.168.220.182 with all services, ping, telnet whatnot, but we are unable to ping the cooling device from 192.168.220.0/24.
However from the Cisco 1921, we can ping both 192.168.220.0/24 and the locally connected 10.150.4.10
So basically it seems to be the last bit when the traffic goes through the 1921 and to the switch where it fails and I can't for the life of me figure out why.
Network diagram attached.. any ideas?
This is the 1921 config:
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
hostname bergen-vpn-gw
boot-start-marker
boot system flash flash:c1841-adventerprisek9-mz.124-25d.bin
boot-end-marker
logging buffered 50000
aaa new-model
aaa authentication login default local
aaa authentication enable default enable
aaa session-id common
clock timezone CET 1
clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 3:00
no ipv6 cef
no ip source-route
ip cef
no ip bootp server
no ip domain lookup
ip domain name xxxxx
multilink bundle-name authenticated
license udi pid CISCO1921/K9 sn FCZ1508C1P4
license boot module c1900 technology-package securityk9
license boot module c1900 technology-package datak9
vtp mode client
redundancy
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key harakiri address 1.2.3.4
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto map VPN 10 ipsec-isakmp
set peer 1.2.3.4
set transform-set 3DES-SHA
match address VPN
interface GigabitEthernet0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
interface GigabitEthernet0/0.99
description *** Test VLAN To be removed ***
encapsulation dot1Q 99
ip address 10.90.90.1 255.255.255.0
no ip route-cache
interface GigabitEthernet0/0.112
encapsulation dot1Q 112
ip address 192.168.112.1 255.255.255.0
ip helper-address 172.30.1.223
no ip route-cache
interface GigabitEthernet0/0.150
encapsulation dot1Q 150
ip address 10.150.4.1 255.255.255.0
no ip redirects
no ip proxy-arp
no ip route-cache
interface GigabitEthernet0/0.178
encapsulation dot1Q 178
ip address 192.168.178.1 255.255.255.0
ip helper-address 172.30.1.223
no ip redirects
no ip proxy-arp
no ip route-cache
interface GigabitEthernet0/0.999
encapsulation dot1Q 999
no ip route-cache
interface GigabitEthernet0/1
ip address 1.2.3.4 255.255.255.252
no ip redirects
no ip proxy-arp
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
crypto map VPN
interface FastEthernet0/0/0
switchport access vlan 99
interface FastEthernet0/0/1
interface FastEthernet0/0/2
interface FastEthernet0/0/3
interface Vlan1
no ip address
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 85.200.203.29
ip access-list extended VPN
permit ip 10.90.90.0 0.0.0.255 172.30.1.0 0.0.0.255
permit ip 10.90.90.0 0.0.0.255 172.22.0.0 0.0.255.255
permit ip 10.90.90.0 0.0.0.255 172.18.5.0 0.0.0.255
permit ip 10.90.90.0 0.0.0.255 10.50.0.0 0.0.255.255
permit ip 192.168.112.0 0.0.0.255 172.30.1.0 0.0.0.255
permit ip 192.168.112.0 0.0.0.255 172.22.0.0 0.0.255.255
permit ip 192.168.112.0 0.0.0.255 172.18.5.0 0.0.0.255
permit ip 192.168.112.0 0.0.0.255 10.50.0.0 0.0.255.255
permit ip 192.168.178.0 0.0.0.255 172.30.1.0 0.0.0.255
permit ip 192.168.178.0 0.0.0.255 172.22.0.0 0.0.255.255
permit ip 192.168.178.0 0.0.0.255 172.18.5.0 0.0.0.255
permit ip 192.168.178.0 0.0.0.255 10.50.0.0 0.0.255.255
permit ip 192.168.112.0 0.0.0.255 172.30.240.0 0.0.0.255
permit ip 192.168.178.0 0.0.0.255 172.30.240.0 0.0.0.255
permit ip 192.168.112.0 0.0.0.255 10.70.0.0 0.0.0.255
permit ip 192.168.178.0 0.0.0.255 10.70.0.0 0.0.0.255
permit ip 10.150.4.0 0.0.0.255 192.168.220.0 0.0.0.255 log
ip sla 1
icmp-echo 172.30.1.223 source-interface GigabitEthernet0/0.178
threshold 20
frequency 120
ip sla schedule 1 start-time now
ip sla 2
icmp-echo 10.50.1.200 source-interface GigabitEthernet0/0.178
threshold 20
frequency 120
ip sla schedule 2 start-time now
ip sla 3
icmp-echo 172.18.5.121 source-interface GigabitEthernet0/0.178
threshold 20
frequency 120
ip sla schedule 3 start-time now
ip sla 4
icmp-echo 172.22.0.140 source-interface GigabitEthernet0/0.178
threshold 20
frequency 120
ip sla schedule 4 start-time now
ip sla 5
icmp-echo 172.30.240.40 source-interface GigabitEthernet0/0.178
threshold 20
frequency 120
ip sla schedule 5 start-time now
ip sla 6
icmp-echo 10.70.0.200 source-interface GigabitEthernet0/0.178
threshold 20
frequency 120
ip sla schedule 6 start-time now
cdp source-interface GigabitEthernet0/0.112
snmp-server community bamacomro RO
cdp source-interface GigabitEthernet0/0.112
snmp-server community bamacomro RO
snmp-server community bamacomrw RW
control-plane
banner motd ^CCC-----------------------------------------------------------------------------
This system is solely for the use of authorised users for official purposes.
You have no expectation of privacy in its use and to ensure that the system
is functioning properly, individuals using this computer system are subject
to having all their activities monitored and recorded by system personell.
Use of this system evidence an express consent to such monitoring and
agreement that if such monitoring reveals evidence of possible abuse or
criminal activity, system personell may provide the result of such
monitoring to appropiate officials.
-----------------------------------------------------------------------------^C
line con 0
exec-timeout 5 0
logging synchronous
line aux 0
line vty 0 4
access-class telnet in
exec-timeout 180 0
logging synchronous
transport input telnet ssh
line vty 5 15
access-class telnet in
exec-timeout 180 0
password 7 094F471A1A0A
logging synchronous
transport input telnet ssh
scheduler allocate 20000 1000
end
I had that issue 1 year ago.
"decrypted packet failed SA identity check" means that we have decrypted traffic that does not match the proxy ID negotiated.
Juniper is violating RFC4301. There is nothing we can do against an RFC violation.
As mentioned in Section 4.4.1, "The Security Policy Database (SPD)",
the SPD (or associated caches) MUST be consulted during the
processing of all traffic that crosses the IPsec protection boundary,
including IPsec management traffic. If no policy is found in the SPD
that matches a packet (for either inbound or outbound traffic), the
packet MUST be discarded.
I know JNPR can do 2 vpn modes. There is one where we could use a VTI instead of a crypto map on the Cisco side. That was the solution to the problem we had.
Cheers, -
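The check the reply describes, as an added example that is not part of the original thread: a simplified model of the inbound selector test, using three lines copied from the VPN access list in the 1921 config above. The function names are this example's own, and the case of the peer sending the packet on an SA negotiated for a different address pair is a constructed illustration.

```python
import ipaddress

# Three entries copied from "ip access-list extended VPN" in the config above.
ACL_VPN = """\
permit ip 192.168.178.0 0.0.0.255 172.30.1.0 0.0.0.255
permit ip 192.168.112.0 0.0.0.255 10.70.0.0 0.0.0.255
permit ip 10.150.4.0 0.0.0.255 192.168.220.0 0.0.0.255 log
"""


def _int(addr):
    return int(ipaddress.IPv4Address(addr))


def parse_crypto_acl(text):
    """Return (local_base, local_wildcard, remote_base, remote_wildcard) per permit line."""
    selectors = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[:2] == ["permit", "ip"]:
            selectors.append(tuple(_int(f) for f in fields[2:6]))
    return selectors


def _covers(base, wildcard, addr):
    # IOS wildcard semantics: bits set in the wildcard are "don't care".
    return ((base ^ _int(addr)) & ~wildcard & 0xFFFFFFFF) == 0


def outbound_selector(selectors, src, dst):
    """Index of the first entry that protects a local->remote packet, or None."""
    for i, (lb, lw, rb, rw) in enumerate(selectors):
        if _covers(lb, lw, src) and _covers(rb, rw, dst):
            return i
    return None


def inbound_identity_ok(selector, src, dst):
    """After decryption, a remote->local packet must fit the mirror image of the
    selector (proxy ID) negotiated for the SA it arrived on; otherwise it is dropped."""
    lb, lw, rb, rw = selector
    return _covers(rb, rw, src) and _covers(lb, lw, dst)


if __name__ == "__main__":
    sels = parse_crypto_acl(ACL_VPN)
    # Reply from the cooling monitor towards the provider's server.
    print("outbound entry:", outbound_selector(sels, "10.150.4.10", "192.168.220.182"))
    # Request from the provider arriving on the matching SA.
    print("matching SA:", inbound_identity_ok(sels[2], "192.168.220.182", "10.150.4.10"))
    # Constructed case: same packet arriving on an SA negotiated for another pair.
    print("other SA:", inbound_identity_ok(sels[0], "192.168.220.182", "10.150.4.10"))
```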
Suspecting ESP 10 to fail in ASR1002
ASR1002 Cisco doesn't recognise ESP 10 module. Log is attached. We need to decide whether the chassis is OK or it is also affected.
We have conducted the following experiment: turned on the ASR1002 without ESP module and assigned 192.168.0.2 address to an interface.
After that tried to ping 192.168.0.2 from outside, all pings have been lost.
Does the ASR1002 have to respond on the interface without ESP module?
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVENTERPRISEK9-M), Version 15.1(3)S1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Sat 08-Oct-11 01:16 by mcpre
Cisco IOS-XE software, Copyright (c) 2005-2011 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.
% failed to initialize nvram
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
cisco ASR1002 (2RU) processor with 1700171K/6147K bytes of memory.
4 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
7798783K bytes of eUSB flash at bootflash:.
--- System Configuration Dialog ---
Would you like to enter the initial configuration dialog? [yes/no]: no
Press RETURN to get started!
*Dec 12 16:40:24.348: %ASR1000_RP_NV-3-NV_ACCESS_FAIL: Initial read of NVRAM contents failed
*Dec 12 16:40:31.211: %LINK-3-UPDOWN: Interface Lsmpi0, changed state to up
*Dec 12 16:40:31.211: %LINK-3-UPDOWN: Interface EOBC0, changed state to up
*Dec 12 16:40:31.211: %LINEPROTO-5-UPDOWN: Line protocol on Interface VoIP-Null0, changed state to up
*Dec 12 16:40:31.212: %LINEPROTO-5-UPDOWN: Line protocol on Interface LI-Null0, changed state to up
*Dec 12 16:40:31.212: %LINK-3-UPDOWN: Interface GigabitEthernet0, changed state to down
*Dec 12 16:40:31.212: %LINK-3-UPDOWN: Interface LIIN0, changed state to up
*Dec 12 16:40:31.350: %NETCLK-5-NETCLK_MODE_CHANGE: Network clock source not available. The network clock has changed to freerun
*Dec 12 16:40:31.440: %ASR1000_MGMTVRF-6-CREATE_SUCCESS_INFO: Management vrf Mgmt-intf created with ID 1, ipv4 table-id 0x1, ipv6 table-id 0x1E000001
*Dec 12 16:40:31.715: %DYNCMD-7-PKGINT_INSTALLED: The command package 'platform_trace' has been succesfully installed
*Dec 12 16:40:33.429: %LINEPROTO-5-UPDOWN: Line protocol on Interface Lsmpi0, changed state to up
*Dec 12 16:40:33.430: %LINEPROTO-5-UPDOWN: Line protocol on Interface EOBC0, changed state to up
*Dec 12 16:40:33.430: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to down
*Dec 12 16:40:33.430: %LINEPROTO-5-UPDOWN: Line protocol on Interface LIIN0, changed state to up
*Dec 12 16:40:23.540: %IOSXE-5-PLATFORM: R0/0: xinetd[32286]: xinetd Version 2.3.14 started with no options compiled in.
*Dec 12 16:40:23.554: %IOSXE-5-PLATFORM: R0/0: xinetd[32286]: Started working: 1 available service
*Dec 12 16:40:34.225: %DYNCMD-7-CMDSET_LOADED: The Dynamic Command set has been loaded from the Shell Manager
*Dec 12 16:40:58.021: %LINK-5-CHANGED: Interface GigabitEthernet0/0/0, changed state to administratively down
*Dec 12 16:40:58.022: %LINK-5-CHANGED: Interface GigabitEthernet0/0/1, changed state to administratively down
*Dec 12 16:40:58.022: %LINK-5-CHANGED: Interface GigabitEthernet0/0/2, changed state to administratively down
*Dec 12 16:40:58.023: %LINK-5-CHANGED: Interface GigabitEthernet0/0/3, changed state to administratively down
*Dec 12 16:40:58.023: %LINK-5-CHANGED: Interface GigabitEthernet0, changed state to administratively down
*Dec 12 16:40:59.021: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/0, changed state to down
*Dec 12 16:40:59.022: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/1, changed state to down
*Dec 12 16:40:59.022: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/2, changed state to down
*Dec 12 16:40:59.023: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/3, changed state to down
*Dec 12 16:41:02.525: %ASR1000_OIR-6-REMSPA: SPA removed from subslot 0/0, interfaces disabled
*Dec 12 16:41:02.527: %SPA_OIR-6-OFFLINECARD: SPA (4XGE-BUILT-IN) offline in subslot 0/0
*Dec 12 16:41:02.531: %ASR1000_OIR-6-INSCARD: Card (fp) inserted in slot F0
*Dec 12 16:41:02.532: %ASR1000_OIR-6-INSCARD: Card (cc) inserted in slot 0
*Dec 12 16:41:02.532: %ASR1000_OIR-6-ONLINECARD: Card (cc) online in slot 0
*Dec 12 16:41:02.536: %ASR1000_OIR-6-INSSPA: SPA inserted in subslot 0/0
*Dec 12 16:41:02.743: %SYS-5-RESTART: System restarted --
Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVENTERPRISEK9-M), Version 15.1(3)S1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Sat 08-Oct-11 01:16 by mcpre
*Dec 12 16:41:05.577: %SPA_OIR-6-ONLINECARD: SPA (4XGE-BUILT-IN) online in subslot 0/0
Router>
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#in
Router(config)#int
Router(config)#interface lo
Router(config)#interface loo
Router(config)#interface loopback 0
Router(config-if)#ip ad
Router(config-if)#ip address 19
*Dec 12 16:42:04.778: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up2.1
Router(config-if)#ip address 192.168.0.1 255.255.255.0
Router(config-if)#exit
Router(config)#exit
Router#sho
Router#show run
Router#show running-config int
Router#show running-config interface
*Dec 12 16:42:18.204: %SYS-5-CONFIG_I: Configured from console by consolelo
Router#show running-config interface lo0
Router#show running-config interface loo
Router#show running-config interface loopback 0
Building configuration...
Current configuration : 65 bytes
interface Loopback0
ip address 192.168.0.1 255.255.255.0
end
Router#ping 192.168.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
Success rate is 0 percent (0/5)
Router#sho
Router#show in
Router#show in
Router#show inte
Router#show interfaces lo
Router#show interfaces loo
Router#show interfaces loopback 0
Loopback0 is up, line protocol is up
Hardware is Loopback
Internet address is 192.168.0.1/24
MTU 1514 bytes, BW 8000000 Kbit/sec, DLY 5000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation LOOPBACK, loopback not set
Keepalive set (10 sec)
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
Router#
Router#
*Dec 12 16:43:06.922: %TRANSCEIVER-6-INSERTED: SIP0/0: transceiver module inserted in GigabitEthernet0/0/0
Router#sho
Router#show run
Router#show running-config in
Router#show running-config interface gi0/0/
% Incomplete command.
Router#show running-config interface gi0/0
% Incomplete command.
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#in
Router(config)#int
Router(config)#interface gi0/0
% Incomplete command.
Router(config)#interface gi0/0/0
Router(config-if)#no shu
Router(config-if)#no shutdown
Router(config-if)#ip ad
Router(config-if)#ip address 192.1
*Dec 12 16:43:44.764: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/0, changed state to down68.2.
*Dec 12 16:43:43.813: %LINK-3-UPDOWN: SIP0/0: Interface GigabitEthernet0/0/0, changed state to down1
*Dec 12 16:43:47.440: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/0, changed state to up
*Dec 12 16:43:46.437: %LINK-3-UPDOWN: SIP0/0: Interface GigabitEthernet0/0/0, changed state to up
*Dec 12 16:43:48.440: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/0, changed state to up
Router(config-if)#ip address 192.168.2.1 255.255.255.0
Router(config-if)#exit
Router(config)#exit
Router#sho
Router#show run
Router#show running-config int
Router#show running-config interface
*Dec 12 16:43:56.015: %SYS-5-CONFIG_I: Configured from console by consolegi
Router#show running-config interface gigabitEthernet 0/0/0
Building configuration...
Current configuration : 94 bytes
interface GigabitEthernet0/0/0
ip address 192.168.2.1 255.255.255.0
negotiation auto
end
Router#ping 192.168.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
Success rate is 0 percent (0/5)
Router#sho
Router#show in
Router#show inte
Router#show interfaces gi
Router#show interfaces gigabitEthernet 0/0/0
GigabitEthernet0/0/0 is up, line protocol is up
Hardware is 4XGE-BUILT-IN, address is 8843.e100.7300 (bia 8843.e100.7300)
Internet address is 192.168.2.1/24
MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive not supported
Full Duplex, 1000Mbps, link type is auto, media type is LX
output flow-control is off, input flow-control is off
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output 00:00:27, output hang never
Last clearing of "show interface" counters never
Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
17 packets input, 2015 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 17 multicast, 0 pause input
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 4 interface resets
0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out
Router#sho
Router#show pl
Router#show platform
Chassis type: ASR1002
Slot Type State Insert time (ago)
0 ASR1002-SIP10 ok 00:06:40
0/0 4XGE-BUILT-IN ok 00:03:56
R0 ASR1002-RP1 ok, active 00:06:40
F0 unknown 00:06:40
P0 ASR1002-PWR-AC ok 00:05:28
P1 ASR1002-PWR-AC ps, fail 00:05:28
Slot CPLD Version Firmware Version
0 07120202 12.2(33r)XNC
R0 08011017 12.2(33r)XNC
F0 N/A N/A
Router#
System Bootstrap, Version 12.2(33r)XNC, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2009 by cisco Systems, Inc.
Current image running: Boot ROM0
Last reset cause: PowerOn
Last reset at: Fri Dec 12 16:48:51 UTC 2014
ASR1002-RP1 platform with 4194303 Kbytes of main memory
Warning: filesystem is not clean
Located asr1000rp1-adventerprisek9.03.04.01.S.151-3.S1.bin
Image size 312873272 inode num 13, bks cnt 76386 blk size 8*512
Boot image size = 312873272 (0x12a61138) bytes
Missing or illegal ip address for variable DEFAULT_GATEWAY
Using midplane macaddr
Missing or illegal ip address for variable IP_ADDRESS
Missing or illegal ip address for variable IP_SUBNET_MASK
Package header rev 0 structure detected
Calculating SHA-1 hash...done
validate_package: SHA-1 hash:
calculated 61d80af0:032b96a1:6b3b2b5c:667f969a:ad8e4c9f
expected 61d80af0:032b96a1:6b3b2b5c:667f969a:ad8e4c9f
Image validated
%IOSXEBOOT-4-FILESYS_ERRORS_CORRECTED: (rp/0): bootflash contained errors which were auto-corrected.
Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVENTERPRISEK9-M), Version 15.1(3)S1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Sat 08-Oct-11 01:16 by mcpre
Cisco IOS-XE software, Copyright (c) 2005-2011 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.
% failed to initialize nvram
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
cisco ASR1002 (2RU) processor with 1700171K/6147K bytes of memory.
4 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
7798783K bytes of eUSB flash at bootflash:.
--- System Configuration Dialog ---
Would you like to enter the initial configuration dialog? [yes/no]:
% Please answer 'yes' or 'no'.
Would you like to enter the initial configuration dialog? [yes/no]:
% Please answer 'yes' or 'no'.
Would you like to enter the initial configuration dialog? [yes/no]: no
Press RETURN to get started!
*Dec 12 16:52:16.032: %ASR1000_RP_NV-3-NV_ACCESS_FAIL: Initial read of NVRAM contents failed
*Dec 12 16:52:24.113: %LINK-3-UPDOWN: Interface Lsmpi0, changed state to up
*Dec 12 16:52:24.114: %LINK-3-UPDOWN: Interface EOBC0, changed state to up
*Dec 12 16:52:24.114: %LINEPROTO-5-UPDOWN: Line protocol on Interface VoIP-Null0, changed state to up
*Dec 12 16:52:24.115: %LINEPROTO-5-UPDOWN: Line protocol on Interface LI-Null0, changed state to up
*Dec 12 16:52:24.11
Router>5: %LINK-3-UPDOWN: Interface GigabitEthernet0, changed state to down
*Dec 12 16:52:24.115: %LINK-3-UPDOWN: Interface LIIN0, changed state to up
*Dec 12 16:52:24.361: %NETCLK-5-NETCLK_MODE_CHANGE: Network clock source not available. The network clock has changed to freerun
*Dec 12 16:52:24.656: %ASR1000_MGMTVRF-6-CREATE_SUCCESS_INFO: Management vrf Mgmt-intf created with ID 1, ipv4 table-id 0x1, ipv6 table-id 0x1E000001
*Dec 12 16:52:25.151: %LINEPROTO-5-UPDOWN: Line protocol on Interface Lsmpi0, changed state to up
*Dec 12 16:52:25.152: %LINEPROTO-5-UPDOWN: Line protocol on Interface EOBC0, changed state to up
*Dec 12 16:52:25.152: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to down
*Dec 12 16:52:25.152: %LINEPROTO-5-UPDOWN: Line protocol on Interface LIIN0, changed state to up
*Dec 12 16:52:25.546: %DYNCMD-7-PKGINT_INSTALLED: The command package 'platform_trace' has been succesfully installed
*Dec 12 16:52:28.680: %DYNCMD-7-CMDSET_LOADED: The Dynamic Command set has been loaded from the Shell Manager
*Dec 12 16:52:15.830: %IOSXE-5-PLATFORM: R0/0: xinetd[31943]: xinetd Version 2.3.14 started with no options compiled in.
*Dec 12 16:52:15.844: %IOSXE-5-PLATFORM: R0/0: xinetd[31943]: Started working: 1 available service
*Dec 12 16:52:50.090: %LINK-5-CHANGED: Interface GigabitEthernet0/0/0, changed state to administratively down
*Dec 12 16:52:50.091: %LINK-5-CHANGED: Interface GigabitEthernet0/0/1, changed state to administratively down
*Dec 12 16:52:50.091: %LINK-5-CHANGED: Interface GigabitEthernet0/0/2, changed state to administratively down
*Dec 12 16:52:50.091: %LINK-5-CHANGED: Interface GigabitEthernet0/0/3, changed state to administratively down
*Dec 12 16:52:50.092: %LINK-5-CHANGED: Interface GigabitEthernet0, changed state to administratively down
*Dec 12 16:52:51.090: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/0, changed state to down
*Dec 12 16:52:51.091: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/1, changed state to down
*Dec 12 16:52:51.092: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/2, changed state to down
*Dec 12 16:52:51.092: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/3, changed state to down
*Dec 12 16:52:57.608: %ASR1000_OIR-6-REMSPA: SPA removed from subslot 0/0, interfaces disabled
*Dec 12 16:52:57.609: %SPA_OIR-6-OFFLINECARD: SPA (4XGE-BUILT-IN) offline in subslot 0/0
*Dec 12 16:52:57.613: %ASR1000_OIR-6-INSCARD: Card (cc) inserted in slot 0
*Dec 12 16:52:57.613: %ASR1000_OIR-6-ONLINECARD: Card (cc) online in slot 0
*Dec 12 16:52:57.615: %ASR1000_OIR-6-INSSPA: SPA inserted in subslot 0/0
*Dec 12 16:52:57.819: %SYS-5-RESTART: System restarted --
Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVENTERPRISEK9-M), Version 15.1(3)S1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Sat 08-Oct-11 01:16 by mcpre
*Dec 12 16:53:00.828: %SPA_OIR-6-ONLINECARD: SPA (4XGE-BUILT-IN) online in subslot 0/0
Router>en
Router#sho
Router#show pla
Router#show platform
Chassis type: ASR1002
Slot Type State Insert time (ago)
0 ASR1002-SIP10 ok 00:02:40
0/0
Are you able to download and install other applications for your Mac?
Try following along with this Apple doc -> Troubleshooting iTunes installation on Mac OS X