Ipfilter & icmp echo fails

On several Solaris 10 08/07 boxes the following ipfilter rules do not work:
pass out all keep state
pass in quick proto icmp all icmp-type echo
pass in quick proto tcp from any to any port = ssh keep state
block in log all
ssh goes through, but there is no ping reply. Can't see anything in ipmon.log, so it seems the connection is not blocked.
Any hints?

I am trying to figure out how to block ICMP ping reply. I have a static ip that I have given to Airport Extreme.
Kind of shocked as routers 1/3rd the cost allow this.

Similar Messages

  • IPM 4.2.0 and icmp-echo 0.0.0.0 problem

    Hi,
    I'm having a problem with IPM.
    We are running LMS 3.2 with IPM 4.2.0.
    I used IPM to configure a device to perform a ping to an ad-hoc target, the source router was configured as:
    ip sla 182611
    icmp-echo 0.0.0.0
    request-data-size 64
    owner ipm|<name>
    tag <tag>
    ip sla schedule 182611 life forever start-time now ageout 3600
    The target device is an ad-hoc with an ip-address but the IP SLA job ends up as 0.0.0.0.
    When I'm running 'show ip sla statistics' it shows that the pings are timed out (as they are being sent to 0.0.0.0 instead of the real IP address).
    The source router is running:
    Cisco IOS Software, 3800  Software  (C3825-ADVSECURITYK9-M), Version 12.4(22)T, RELEASE  SOFTWARE (fc1)
    Anyone had familiar problems?
    Thanks,
    Amit

    jclarke wrote: I haven't seen this before. Can you redo the configuration, and collect a sniffer trace of SNMP traffic between the IPM server and the device? This will help determine if the problem is with IPM or IOS.
    Hi,
    My IPM is running on Solaris 10.
    Can you advise what/how I can sniff the SNMP traffic between the server and the IOS device?
    Here is more information from the device:
    #show version
    Cisco IOS Software, C3550 Software (C3550-IPSERVICESK9-M), Version 12.2(46)SE, RELEASE SOFTWARE (fc2)
    #show running-config | inc 154366
    ip sla 154366
    ip sla schedule 154366 life forever start-time now ageout 3600
    ip sla reaction-configuration 154366 react timeout threshold-type immediate action-type trapOnly
    ip sla reaction-configuration 154366 react rtt threshold-value 4000 3000 threshold-type consecutive 2 action-type trapOnly
    35PROB#show ip sla configuration 154366
    IP SLAs, Infrastructure Engine-II.
    Entry number: 154366
    Owner: ipm|unix107776a44
    Tag: 35PROB_AMIT
    Type of operation to perform: echo
    Target address: 0.0.0.0
    Source address: 0.0.0.0
    Request size (ARR data portion): 64
    Operation timeout (milliseconds): 5000
    Type Of Service parameters: 0x0
    Verify data: No
    Vrf Name:
    Schedule:
        Operation frequency (seconds): 60
        Next Scheduled Start Time: Start Time already passed
        Group Scheduled : FALSE
        Randomly Scheduled : FALSE
        Life (seconds): Forever
        Entry Ageout (seconds): 3600
        Recurring (Starting Everyday): FALSE
        Status of entry (SNMP RowStatus): Active
    Threshold (milliseconds): 4000
    Distribution Statistics:
        Number of statistic hours kept: 2
        Number of statistic distribution buckets kept: 1
        Statistic distribution interval (milliseconds): 20
    History Statistics:
        Number of history Lives kept: 0
        Number of history Buckets kept: 15
        History Filter Type: None
    Enhanced History:
    Thanks

  • ASA 8.4(2) doesn't respond to ICMP echo on ip address with port forwarding only

    Hello,
    In order to meet our requirements we had to configure PAT for TCP 80 on 2 external IP addresses to one internal IP in DMZ. TCP port 80 is being translated for both external IP addresses and it works as expected. However, since we have migrated to ASA both external IP addresses don't respond to ICMP echo requests, generating the following error:
    %ASA-3-106014: Deny inbound icmp src outside:<Source IP> dst outside:<Destination IP> (type 8, code 0)
    Previously we have been using a Cisco router to achieve the same objective and it worked well.
    I have noticed that when I add "same-security-traffic permit intra-interface" to the configuration the message mentioned above stops appearing in the logs.
    As far as I can tell ASA sends packet back through outside interface, despite the fact that appliance advertises its mac address in response to arp request for the same external IP address.
    Is there any way to make ASA realise that it should respond to ICMP echo requests on external IP addresses that have forwarding setup?
    I do realise that ICMP would work in 1-to-1 NAT scenario, but we can't apply 1-to-1 NAT for 2 external IP addresses to point to one internal IP address.
    Kind Regards,
    Paul Preston

    Hi Julio,
    Interesting. I have tried to map two external IP addresses using 1 to 1 NAT to a single internal IP, but when I tried to configure a second one I remember a message "mapping exists"...
    I think that it might be easier if I paste the relevant config:
    access-list From_Internet extended permit icmp any any
    access-list From_Internet extended permit tcp any gt 1023 host 172.17.0.103 eq www
    access-list From_Internet extended deny ip any any log warnings
    object network www-91-17.103
    host 172.17.0.103
    object network www-92-17.103
    host 172.17.0.103
    icmp permit any outside
    object network www-91-17.103
    nat (DMZ,outside) static x.x.x.91 service tcp www www
    object network www-92-17.103
    nat (DMZ,outside) static x.x.x.92 service tcp www www
    With the config above NAT works for both IP addresses, but unfortunately neither IP address responds to ICMP echo requests.
    Kind Regards,
    Paul Preston

  • ACL filtering icmp ECHO-Reply Behavior

    Hello guys,
    I needed some help here. I have attached the topology in case you don't get what I am trying to ask.
    I have just 2 routers connected directly like this: R1 <------------> R2. The network between them is 10.1.12.0/24; R1 has an IP address of 10.1.12.1 and R2 has an IP address of 10.1.12.2. So far so good.
    Now the question is simple: I want to block ICMP echo-replies coming from R1 to R2, simple as that. But it only works if I apply an ACL on R2's interface in the INBOUND direction. Why on earth doesn't it work if I apply the ACL on R1's interface in the OUTBOUND direction?
    The ACL is this one:
    access-list 100 deny icmp host 10.1.12.1 host 10.1.12.2 echo-reply
    access-list 100 permit ip any any
    It works if I apply this in the inbound direction of R2, but why doesn't it work if I apply this in the OUTBOUND direction of R1?
    Please do help me out, thanks :)

    Hi,
    I believe that's because "Access lists that are applied to interfaces do not filter traffic that originates from that router."
    See http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfacls.html#wp1001135
    for details.
    Best regards,
    Milan

  • Nexus 5500 duplicate ICMP echo-reply

    I am experiencing inconsistent echo-replies from devices connected via VPC to Nexus 5500s while pinging from the Nexus exec prompt.
    In some cases I receive a normal response when pinging from one Nexus, but no response when pinging from the other switch. In other instances I receive a normal response to one Nexus, and duplicate replies to the other. It looks like a VPC related bug. NXOS is 5.1.3.N2.1
    5501# ping 10.12.12.232
    PING 10.12.12.232 (10.12.12.232): 56 data bytes
    64 bytes from 10.12.12.232: icmp_seq=0 ttl=253 time=8.585 ms
    64 bytes from 10.12.12.232: icmp_seq=0 ttl=254 time=9.227 ms (DUP!)
    64 bytes from 10.12.12.232: icmp_seq=1 ttl=253 time=1.011 ms
    64 bytes from 10.12.12.232: icmp_seq=2 ttl=253 time=8.097 ms
    64 bytes from 10.12.12.232: icmp_seq=2 ttl=254 time=9.429 ms (DUP!)
    64 bytes from 10.12.12.232: icmp_seq=3 ttl=253 time=18.195 ms
    64 bytes from 10.12.12.232: icmp_seq=4 ttl=253 time=8.807 ms
    5502# ping 10.12.12.232
    PING 10.12.12.232 (10.12.12.232): 56 data bytes
    64 bytes from 10.12.12.232: icmp_seq=0 ttl=254 time=0.985 ms
    64 bytes from 10.12.12.232: icmp_seq=1 ttl=254 time=0.884 ms
    64 bytes from 10.12.12.232: icmp_seq=2 ttl=254 time=0.875 ms
    64 bytes from 10.12.12.232: icmp_seq=3 ttl=254 time=3.105 ms
    64 bytes from 10.12.12.232: icmp_seq=4 ttl=254 time=8.378 ms
    Thanks
    Jarek

    Hi
    I found this in the configuration guide for the Nexus 7000 configuring VPCs
    "When you enable this feature (peer-gateway), Cisco NX-OS automatically disables IP redirects on all interface VLANs mapped over a vPC VLAN to avoid generation of IP redirect messages for packets switched through the peer gateway router."
    However this is not happening automatically on the 5K, so you need to manually add "no ip redirects" on each VPC vlan interface to prevent duplicate pings.

  • Event filter question Nachi Worm ICMP Echo Request (2156)

    The intent is to only see this alert when the source is my IP space. Is it possible to create 2 separate event filters for this sig? I'd like one to filter events when my IP space is the destination and the other to allow alerts when my IP space is the source. Would they need to be in some order like access lists, i.e. allow specific icmp then deny other icmp?

    Yes this is possible.
    In version 4,x create a filter that matches SIGID 2156, and also matches $IN for the source and $OUT for the destination and set Exception to True for that filter.
    Then create a second filter to match SIGID 2156 and leave the address fields defaulted so that all addresses will be matched and leave Exception as the default False.
    The first filter line will allow the 2156 to fire when the source is IN your network and the destination is OUT of your network.
    The second will prevent the signature 2156 from firing on any other address combinations like:
    Source IN and Destination IN
    Source OUT and Destination IN
    Source OUT and Destination OUT
    (Note: You asked that no alarms be generated for Destination IN, but also assume you don't want alarms for source OUT and destination OUT either)
    NOTE: In version 4.x the order of the 2 filters is unimportant. The Exclusion TRUE filter will always override all Exclusion FALSE filters so the Exclusion TRUE filter will always cause the signature to fire.
    In version 5.x the ordering of the filters is important.
    In version 5.x create a filter that matches SIGID 2156, and also matches $IN for the source and $OUT for the destination, leave the Actions to Subtract field blank (so no actions are removed) and set Stop On Match to True for that filter.
    Then create a second filter to match SIGID 2156 and leave the address fields defaulted so that all addresses will be matched and select ALL Actions in the Actions To Subtract field.
    The first filter line will allow the 2156 to fire when the source is IN your network and the destination is OUT of your network.
    This is because that first filter will be matched and no actions will be removed (like produceAlert). The Stop On Match being True will prevent the checking of the next filter.
    The second will prevent the signature 2156 from firing on any other address combinations like:
    Source IN and Destination IN
    Source OUT and Destination IN
    Source OUT and Destination OUT
    (Note: You asked that no alarms be generated for Destination IN, but also assume you don't want alarms for source OUT and destination OUT either)
    NOTE: In version 5.x the order of the 2 filters is important. The sensor will start at the top of the filter list. If that filter matches it will remove the actions in the Actions To Subtract field and then check the Stop On Match field.
    If Stop On Match is true then it stops processing the rest of the filter lines.
    But if Stop On Match is false then it will continue processing the rest of the filter lines.
    If the second filter had come first then it would have been matched even on the Source IN Destination OUT alerts and would have removed all actions and prevented the sig from firing. So the ordering is important.
    Also be aware that if Stop On Match was accidentally set to false on the first filter, then the sensor would have continued and also matched the second filter and would have removed all actions because of the second filter.
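
The 5.x evaluation order described in the answer above, modelled as an added example (it is not part of the original post and not Cisco code). The `10.0.0.0/8` range standing in for `$IN`, the `otherAction` placeholder and all function names are assumptions made for the illustration; only `produceAlert`, Actions To Subtract and Stop On Match come from the post.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Constructed address space standing in for the sensor's $IN variable.
IN_NETS = [ip_network("10.0.0.0/8")]

# produceAlert is named in the post; otherAction is a placeholder for
# whatever additional actions the signature carries.
ALL_ACTIONS = frozenset({"produceAlert", "otherAction"})
SIG_NACHI = 2156


def zone(addr):
    """Classify an address as IN ($IN) or OUT (everything else)."""
    ip = ip_address(addr)
    return "IN" if any(ip in net for net in IN_NETS) else "OUT"


@dataclass(frozen=True)
class Filter:
    name: str
    sig_id: int
    src: str = "ANY"                  # "IN", "OUT" or "ANY" (field left defaulted)
    dst: str = "ANY"
    subtract: frozenset = frozenset() # Actions To Subtract
    stop_on_match: bool = False

    def matches(self, sig_id, src, dst):
        return (sig_id == self.sig_id
                and self.src in ("ANY", zone(src))
                and self.dst in ("ANY", zone(dst)))


def evaluate(filters, sig_id, src, dst, actions=ALL_ACTIONS):
    """Walk the filter list top-down, as the answer describes for 5.x.

    Each matching filter removes its Actions To Subtract; processing ends
    at the first matching filter whose Stop On Match is true.
    """
    remaining = set(actions)
    for f in filters:
        if not f.matches(sig_id, src, dst):
            continue
        remaining -= f.subtract
        if f.stop_on_match:
            break
    return remaining


def alerts(filters, src, dst, sig_id=SIG_NACHI):
    """True if produceAlert survives filtering for this event."""
    return "produceAlert" in evaluate(filters, sig_id, src, dst)


# Filter 1: source IN, destination OUT, subtract nothing, stop on match.
ALLOW_IN_TO_OUT = Filter("allow-in-to-out", SIG_NACHI, src="IN", dst="OUT",
                         stop_on_match=True)
# Filter 2: addresses defaulted, subtract all actions.
SUPPRESS_REST = Filter("suppress-rest", SIG_NACHI, subtract=ALL_ACTIONS)

CORRECT = [ALLOW_IN_TO_OUT, SUPPRESS_REST]
SWAPPED = [SUPPRESS_REST, ALLOW_IN_TO_OUT]          # wrong order
NO_STOP = [replace(ALLOW_IN_TO_OUT, stop_on_match=False), SUPPRESS_REST]

# Constructed sample events: (source, destination).
EVENTS = {
    "IN->OUT": ("10.1.1.5", "198.51.100.7"),
    "IN->IN": ("10.1.1.5", "10.2.2.2"),
    "OUT->IN": ("198.51.100.7", "10.1.1.5"),
    "OUT->OUT": ("198.51.100.7", "203.0.113.9"),
}


def report(filters):
    """Map each sample event to whether it would still raise an alert."""
    return {label: alerts(filters, s, d) for label, (s, d) in EVENTS.items()}


if __name__ == "__main__":
    for name, fl in (("correct", CORRECT), ("swapped", SWAPPED),
                     ("no stop-on-match", NO_STOP)):
        print(f"{name:18} {report(fl)}")
```

Running it shows that only the first ordering keeps the alert for IN-to-OUT events; both misconfigurations silence the signature for every address combination, which is the failure to check for after editing a filter list.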

  • Cisco Embedded Event Manager Issue

    Hello Experts,
    I have taken the following sample EEM from
    https://learningnetwork.cisco.com/blogs/network-sheriff/2009/06/19/writing-your-first-eem-applet
    The intention is to send a notification to an email address about a network problem. I have modified it a bit for illustrative purposes. You will see that there are various show commands.
    Can someone please show me how to email the show commands instead of just appending them to the directory called "server_unreachable"?
    TechWiseTV4506(config)#event manager environment _email_server 172.16.1.44 (<-my Post Cast server)
    TechWiseTV4506(config)#event manager environment _email_to [email protected]
    TechWiseTV4506(config)#event manager environment _email_from [email protected]
    event manager applet email_server_unreachable
    event track 10 state down
    action 1.0 syslog msg "Houston we have a problem. Ping failed, server unreachable!"
    action 1.1 cli command "enable"
    action 1.2 cli command "del /force flash:server_unreachable"
    action 1.3 cli command "show clock | append server_unreachable"
    action 1.4 cli command "show ip arp 172.16.1.55 | append server_unreachable"
    action 1.5 cli command "show ip route 172.16.1.55 | append server_unreachable"
    action 1.6 cli command "show interface FastEthernet0/1/1 | append server_unreachable"
    action 1.7 cli command "more flash:server_unreachable"
    action 1.8 mail server "$_email_server" to "$_email_to" from "$_email_from" subject "Server Unreachable: ICMP-Echos Failed" body "$_cli_result"
    action 1.9 syslog msg "Server unreachable alert has been sent to email server!"
    Cheers
    Carlton

    This applet will actually email the results.  However, in order to get all of the output together, it uses the server_unreachable file as an accumulator buffer.  That file could be deleted as action 2.0:
    action 2.0 cli command "delete /force flash:server_unreachable"
    But that is already there in action 1.2, so it's not really needed.
    What will happen is the applet will more the file to collect all of the output.  That aggregated output will be stored in the $_cli_result variable.  The result is that the body of your email will contain the consolidated command output.

  • NICDRV test04 fails saying  driver cannot receive ICMP reply from the peer

    Hi,
    I am running NICDRV tests and while running test04 check multicast support, I fail with the error:
    driver xxx cannot receive ICMP reply from the peer. Could anyone tell me why this is happening?
    For full report:
    stdout| STRATEGY:
    stdout| - Add multicast route and join multicast group
    stdout| - Receive ip_multicast traffic from the client side
    stdout| with 1 multicast group.
    stdout| - Send ip_multicast traffic to the client side
    stdout| with 1 multicast group.
    stdout| - Join multiple multicast groups, and receive multicast
    stdout| traffic of multiple groups from the client.
    stdout| - For WiFi drivers, ping 224.0.0.1 multicast address for
    stdout| 10 seconds and verify the traffic using snoop.
    stdout|
    stdout| TESTABILITY: implicit
    stdout|
    stdout| 192.168.11.10 is alive
    stdout| 192.168.11.11 is alive
    stdout| ping -i xxx -s 224.0.0.1
    stdout| snoop -d xxx -o /tmp/snoop-multicast.tmp
    stdout| sleep 10 seconds to collect packet
    stdout| verify if driver igb can send multicast packet to the peer
    stdout| 1 0.00000 192.168.11.10 -> 224.0.0.1 ICMP Echo request (ID: 18511 Sequence number: 1)
    stdout| 2 0.99996 192.168.11.10 -> 224.0.0.1 ICMP Echo request (ID: 18511 Sequence number: 2)
    stdout| 3 1.00000 192.168.11.10 -> 224.0.0.1 ICMP Echo request (ID: 18511 Sequence number: 3)
    stdout| 4 1.00002 192.168.11.10 -> 224.0.0.1 ICMP Echo request (ID: 18511 Sequence number: 4)
    stdout| 5 0.99997 192.168.11.10 -> 224.0.0.1 ICMP Echo request (ID: 18511 Sequence number: 5)
    stdout| 6 1.00002 192.168.11.10 -> 224.0.0.1 ICMP Echo request (ID: 18511 Sequence number: 6)
    stdout| 7 0.99999 192.168.11.10 -> 224.0.0.1 ICMP Echo request (ID: 18511 Sequence number: 7)
    stdout| 8 0.99998 192.168.11.10 -> 224.0.0.1 ICMP Echo request (ID: 18511 Sequence number: 8)
    stdout| 9 1.00002 192.168.11.10 -> 224.0.0.1 ICMP Echo request (ID: 18511 Sequence number: 9)
    stdout| verify if driver xxx can receive ICMP reply from the peer
    stdout| driver xxx cannot receive ICMP reply from the peer
    Test_Case_End| 18498 tests/functional/test04/runme | FAIL | 11:44:29 80659327923251 0 |
    Thkx,
    Ram

    Well, I finally figured it out.  When trying to receive text messages from my iPhone pals, I would get a failure message and a suggestion to update my profile.  When I selected that option, the phone would sit for a long time trying to connect and then fail.  I went into my settings and was able to force an update.  Lo and behold, all of the backed up text messages started to download.  It seems as though when I received the texts from my friends, the system was aware that I had not received them and they were held somewhere in the cloud.  Then they were continuously resent until I fixed the problem at my end.  They all downloaded overnight and the problem has been resolved.

  • ASA - ICMP works on a L2L tunnel but TCP fails.

    All,
    I have just started to work with the ASA's and I have a couple of problems with two 5510 8.4(1) ASA's supporting a L2L tunnel.
    Problem-1:
    Below  is the topology and currently the only config on these ASA's is what is  required to get the LAN2LAN tunnel setup and nothing more. ASA01 and ASA02 are the tunnel termination devices.
    LAN A->Routing device->ASA-01 ----->Internet<------------ASA-02<-Routing device<-LAN2
    Below is what is working
    - Tunnel is established between the ASA's.
    - I can ping from LAN A to LAN B and vice versa.
    Below is what is not working
    - I cannot RDP from a device in LAN A to LAN B and vice versa.
    What we found in troubleshooting when we initiate a RDP session from a server in LAN-A to Server in LAN-B.
    - The packet capture on  ASA - A shows that the SYN leaves the ingress(LAN interface).
    - The packet capture on ASA - B shows that the SYN is leaving the LAN interface.
    - Don't see a SYN-ACK on ASA-B. First we thought there might be a different reason (detailed below as problem-2) but we don't see the syn-ack on ASA-A either.
    - Doing an asp-drop capture on ASA-B we saw that the SYN,ACK from the server in LAN-B is being dropped with the following message
    Drop-reason: (tcp-not-syn) First TCP packet not SYN
    Any ideas on why ASA-B doesn't treat this as an established tcp session?
    Problem -2
    On the packet capture wizard in ASDM if I do a capture on the LAN interface of the ASA02 I can only see packets leaving the ASA towards the LAN but I do not see anything coming back into the interface from the LAN interface. This works the same whether I do an ICMP or a TCP session (RDP).
    For example - Ping from a server on LAN A to LAN B
    - On ASA01
    The packet capture wizard shows both icmp-echo from LAN-A and icmp-reply from LAN-B
    - On ASA02
    The packet capture wizard shows icmp-echo from LAN-A but not the icmp-reply from LAN-B.
    I am not sure what the reason is for both the problems above, and the reason might just be that my skill level with ASAs is just not there yet. Any guidance will be greatly appreciated.
    Thanks,
    Vishnu

    Hello Vishnu,
    Any ideas on why ASA-B doesnt treat this is as a established tcp session?
    This is happening because the ASA is not seeing the entire 3 way handshake. Are you sure all the packets are going across the ASA??? I would recommend you do captures on both inside interfaces just for RDP traffic and attach them to this post so I can correlate to determine if indeed the ASA is receiving what it needs.
    On the packet capture wizard in ASDM if I do a  capture on the LAN interface of the ASA02 I can only see packets  leaving the ASA towards the LAN but I do not see anything coming back  into the interface from the LAN interface. This works the same whether I  do a ICMP or a TCP session(RDP).
    That's exactly the reason of why this problem is happening, Good job correlating the facts,
    Resolution of the issues:
    I would say the problem is on the Routing device between ASA-2 and the LAN-2...
    Make sure the Routing device knows that in order to reach the LAN-1 it needs to send the traffic back to the ASA-2 as somehow this traffic is not making it on the right interface,
    Remember to rate all of the helpful posts. That's as important as a Thanks.
    Julio Carvajal Segura

  • "failed to find profile ID" on Cellular Interface

    Hello World,
    I try to make a connection to a wireless 3G.
    I configure the modem and I think that the modem is connected
    show cellular 0/0/0 all
    Hardware Information
    ====================
    Modem Firmware Version = T1_0_3_2AP R361 CNSZ
    Modem Firmware built = 04/15/11
    Hardware Version = 1.0
    International Mobile Subscriber Identity (IMSI) = 546010100686679
    International Mobile Equipment Identity (IMEI) = 357115041341178
    Integrated Circuit Card ID (ICCID) = 8968701111106200287
    Mobile Subscriber International Subscriber
    IDentity Number (MSISDN) =
    Factory Serial Number (FSN) = CC3322315641011
    Modem Status = Online
    Current Modem Temperature = 29 deg C, State = Normal
    PRI SKU ID = 9900198, SKU Rev. = 1.2
    Profile Information
    ====================
    Profile 1 = INACTIVE* **
    PDP Type = IPv4
    Access Point Name (APN) = USB
    Authentication = None
    Username:
    Password:
      * - Default profile
    Data Connection Information
    ===========================
    Data Transmitted = 0 bytes, Received = 0 bytes
    Profile 1, Packet Session Status = INACTIVE
            Inactivity Reason = Normal inactivate state
    Profile 2, Packet Session Status = INACTIVE
            Inactivity Reason = Normal inactivate state
    Profile 3, Packet Session Status = INACTIVE
            Inactivity Reason = Normal inactivate state
    Profile 4, Packet Session Status = INACTIVE
            Inactivity Reason = Normal inactivate state
    Profile 5, Packet Session Status = INACTIVE
            Inactivity Reason = Normal inactivate state
    Profile 6, Packet Session Status = INACTIVE
            Inactivity Reason = Normal inactivate state
    Profile 7, Packet Session Status = INACTIVE
            Inactivity Reason = Normal inactivate state
    Profile 8, Packet Session Status = INACTIVE
            Inactivity Reason = Normal inactivate state
    Profile 9, Packet Session Status = INACTIVE
            Inactivity Reason = Normal inactivate state
    Profile 10, Packet Session Status = INACTIVE
            Inactivity Reason = Normal inactivate state
    Profile 11, Packet Session Status = INACTIVE
            Inactivity Reason = Normal inactivate state
    Profile 12, Packet Session Status = INACTIVE
            Inactivity Reason = Normal inactivate state
    Profile 13, Packet Session Status = INACTIVE
            Inactivity Reason = Normal inactivate state
    Profile 14, Packet Session Status = INACTIVE
            Inactivity Reason = Normal inactivate state
    Profile 15, Packet Session Status = INACTIVE
            Inactivity Reason = Normal inactivate state
    Profile 16, Packet Session Status = INACTIVE
            Inactivity Reason = Normal inactivate state
    Network Information
    ===================
    Current Service Status = Normal, Service Error = None
    Current Service = Combined
    Packet Service = UMTS/WCDMA (Attached)
    Packet Session Status = Inactive
    Current Roaming Status = Home
    Network Selection Mode = Automatic
    Country = NCL, Network = MOBNCL
    Mobile Country Code (MCC) = 546
    Mobile Network Code (MNC) = 1
    Location Area Code (LAC) = 10
    Routing Area Code (RAC) = 1
    Cell ID = 30521
    Primary Scrambling Code = 434
    PLMN Selection = Automatic
    Registered PLMN = NCL MOBILIS , Abbreviated = MOBNCL
    Service Provider =
    Radio Information
    =================
    Radio power mode = ON
    Current Band = WCDMA 2100, Channel Number = 10762
    Current RSSI(RSCP) = -63 dBm
    Band Selected = Auto
    Number of nearby cells = 1
    Cell 1
            Primary Scrambling Code = 0x1B2
            RSCP = -64 dBm, ECIO = -7 dBm
    Modem Security Information
    ==========================
    Card Holder Verification (CHV1) = Disabled
    SIM Status = OK
    SIM User Operation Required = None
    Number of CHV1 Retries remaining = 3
    GPS Information
    ==========================
    GPS Info
    GPS State: GPS disabled
    SMS Information
    ===============
    Incoming Message Information
    SMS stored in modem = 1
    SMS archived since booting up = 0
    Total SMS deleted since booting up = 0
    Storage records allocated = 60
    Storage records used = 1
    Number of callbacks triggered by SMS = 0
    Number of successful archive since booting up = 0
    Number of failed archive since booting up = 0
    Outgoing Message Information
    Total SMS sent successfully = 0
    Total SMS send failure = 0
    Number of outgoing SMS pending = 0
    Number of successful archive since booting up = 0
    Number of failed archive since booting up = 0
    Last Outgoing SMS Status = SUCCESS
    Copy-to-SIM Status =     0x0
    Send-to-Network Status = 0x0
    Report-Outgoing-Message-Number:
      Reference Number =     0
      Result Code =          0x0
      Diag Code =            0x0 0x0 0x0 0x0 0x0
    SMS Archive URL =
    Error Information
    =================
     Cached info is displayed
    at!err
    QDSP6                             ARM9 (not saved)
    00   08 uim              08480    00   01 hsu_conf_sel_nv  00572
    01   63 gsnvif           00245    01   01 hsu_conf_sel_nv  00616
    02   FF cmtask           01162    02   01 timer            03552
    03   1B mmglbl           00392
    04   1B gsnvif           00478
    05   1B rr_init          01597
    06   1B rr_init          01601
    07   1B rrcdata          08026
    08   01 gmmutil          01099
    09   01 gmmutil          01118
    10   01 gmmutil          01141
    11   01 gmmutil          01156
    12   01 gmmutil          01174
    13   01 gmmutil          01198
    14   14 rrcllcp          16550
    15   04 rrccspf          02198
    16   17 rrccsp           20686
    17   04 gsdi             09787
    18   01 gsdi_co          01538
    19   1B cnlbs            03307
    OK
    at!gcdump
    No crash data available
    OK
    Modem Crashdump Information
    ===========================
    Modem crashdump logging: off
    I have the following config
    chat-script OPT3G "" "ATDT*99***1#"
    interface Cellular0/0/0
     ip address negotiated
     ip virtual-reassembly in
     encapsulation slip
     no ip route-cache
     load-interval 60
     dialer in-band
     dialer string OPT3G
     dialer-group 1
     async mode interactive
    interface Cellular0/0/1
     no ip address
     encapsulation slip
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip route 0.0.0.0 0.0.0.0 Cellular0/0/0
    dialer-list 1 protocol ip permit
    access-list 1 permit any
    line 0/0/0
     exec-timeout 0 0
     script dialer OPT3G
     login
     modem InOut
     no exec
     transport input all
     transport output all
     autoselect during-login
     autoselect ppp
    line 0/0/1
     exec-timeout 0 0
     script dialer OPT3G
     login
     modem InOut
     no exec
     transport input all
    I make debug
    debug chat
    debug cellular 0/0/0 messages all
    I try to start the interface
    Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
    *Jul 22 07:08:31.363: [Cellular0/0/0]:MGMT RX (RSCP_ECIO) (24 bytes):
     00 14 6B 96 70 0B 07 00 00 00 00 00 00 0A 00 01
     00 01 01 B2 00 3E 00 0D
    *Jul 22 07:08:32.283: CHAT0/0/0: Attempting async line dialer script
    *Jul 22 07:08:32.283: CHAT0/0/0: Dialing using Modem script: OPT3G & System script: none
    *Jul 22 07:08:32.283: CHAT0/0/0: process started
    *Jul 22 07:08:32.283: CHAT0/0/0: Asserting DTR
    *Jul 22 07:08:32.283: CHAT0/0/0: Chat script OPT3G started
    *Jul 22 07:08:32.283: CHAT0/0/0: Sending string: ATDT*99***1#
    *Jul 22 07:08:32.283: CHAT0/0/0: Chat script OPT3G finished, status = Success.
    *Jul 22 07:08:34.283: %LINK-3-UPDOWN: Interface Cellular0/0/0, changed state to up
    *Jul 22 07:08:34.283: cellular_dip_ip_address_negotiated: failed to find profile ID for Cellular0/0/0
    *Jul 22 07:08:34.363: [Cellular0/0/0]:MGMT RX (RSCP_ECIO) (24 bytes):
     00 14 6B 97 70 0B 07 00 00 00 00 00 00 0A 00 01
     00 01 01 B2 00 3F 00 0C
    *Jul 22 07:08:35.283: %LINEPROTO-5-UPDOWN: Line protocol on Interface Cellular0/0/0, changed state to up.
    *Jul 22 07:08:36.283: cellular_dip_cell_set_encap_whip: Invalid profile ID 255 for Cellular0/0/0
    *Jul 22 07:08:36.835: [Cellular0/0/0]:MGMT RX (HEARTBEAT) (14 bytes):
     00 0A 6B 98 00 00 07 00 00 00 00 00 00 00
    *Jul 22 07:08:37.363: [Cellular0/0/0]:MGMT RX (RSCP_ECIO) (24 bytes):
     00 14 6B 99 70 0B 07 00 00 00 00 00 00 0A 00 01
     00 01 01 B2 00 3E 00 0C
    *Jul 22 07:08:38.283: cellular_dip_cell_set_encap_whip: Invalid profile ID 255 for Cellular0/0/0.
    *Jul 22 07:08:40.283: cellular_dip_cell_set_encap_whip: Invalid profile ID 255 for Cellular0/0/0
    *Jul 22 07:08:40.367: [Cellular0/0/0]:MGMT RX (RSCP_ECIO) (24 bytes):
     00 14 6B 9A 70 0B 07 00 00 00 00 00 00 0A 00 01
     00 01 01 B2 00 40 00 0F
    Success rate is 0 percent (0/5)
    RTR-TEST98#
    *Jul 22 07:08:43.371: [Cellular0/0/0]:MGMT RX (RSCP_ECIO) (24 bytes):
     00 14 6B 9B 70 0B 07 00 00 00 00 00 00 0A 00 01
     00 01 01 B2 00 3C 00 11
    *Jul 22 07:08:43.835: [Cellular0/0/0]:MGMT RX (HEARTBEAT) (14 bytes):
     00 0A 6B 9C 00 00 07 00 00 00 00 00 00 00
    *Jul 22 07:08:46.375: [Cellular0/0/0]:MGMT RX (RSCP_ECIO) (24 bytes):
     00 14 6B 9D 70 0B 07 00 00 00 00 00 00 0A 00 01
     00 01 01 B2 00 3E 00 0D
    *Jul 22 07:08:49.379: [Cellular0/0/0]:MGMT RX (RSCP_ECIO) (24 bytes):
     00 14 6B 9E 70 0B 07 00 00 00 00 00 00 0A 00 01
     00 01 01 B2 00 3E 00 0C
    *Jul 22 07:08:50.835: [Cellular0/0/0]:MGMT RX (HEARTBEAT) (14 bytes):
     00 0A 6B 9F 00 00 07 00 00 00 00 00 00 00
    *Jul 22 07:08:52.383: [Cellular0/0/0]:MGMT RX (RSCP_ECIO) (24 bytes):
     00 14 6B A0 70 0B 07 00 00 00 00 00 00 0A 00 01
     00 01 01 B2 00 3E 00 0E

    hello everyone,
    I still have my issue and can't connect my 3G interface.
    I can complete my issue with this log 
    *Aug 12 08:35:34.023: cellular_dip_ip_address_negotiated: failed to find profile ID for Cellular0/0/0
    *Aug 12 08:35:38.019: cellular_dip_cell_set_encap_whip: Invalid profile ID 255 for Cellular0/0/0
    Thanks for your help.

  • 10.3.9 - 10.4 Migration failed! Server lost! - How to set DHCP info?

    Today we tried to migrate our Xserve from 10.3.9 to 10.4
    We've chosen to start the update from a PowerBook and attached our Xserve in FireWire Target Mode.
    Update/Install ran smoothly, BUT ON RESTART WE LOST CONTACT TO OUR XSERVE
    In system.log it says
    HeadlessStartup: Enabling root account so we can remotely administrate.
    Apr 5 14:03:18 everlearn /System/Library/ServerSetup/serversetup: defaults info /usr/bin/defaults write -g AppleLanguages '(de, English, ja, fr)'
    Apr 5 14:03:20 everlearn /System/Library/ServerSetup/serversetup: CFUserTextEncoding info 0:3
    Apr 5 14:03:22 everlearn /System/Library/ServerSetup/serversetup: user library preferences ByHost folder is existed.
    Apr 5 14:03:22 everlearn /System/Library/ServerSetup/serversetup: copyPath from rootByHost to userByHost failed.
    Apr 5 14:03:22 everlearn /System/Library/ServerSetup/serversetup: create file userByHost is OK.
    Apr 5 14:03:25 everlearn mDNSResponder: Service "everlearn.ssh.tcp.local." renamed to "wipaed-dev"
    Apr 5 14:03:25 everlearn mDNSResponder: Service "everlearn.sftp-ssh.tcp.local." renamed to "wipaed-dev"
    Apr 5 14:03:47 everlearn sudo: root : TTY=unknown ; PWD=/ ; USER=cyrusimap ; COMMAND=/usr/bin/cyrus/tools/mkimap
    Apr 5 14:03:55 everlearn root: Setting SquirrelMail language to 'de_DE'
    Apr 5 14:03:57 everlearn sudo: root : TTY=unknown ; PWD=/private/var/imap/db.backup2 ; USER=cyrusimap ; COMMAND=/usr/bin/touch /var/imap/db/skipstamp
    Apr 5 14:03:57 everlearn sudo: root : TTY=unknown ; PWD=/private/var/imap/db.backup2 ; USER=cyrusimap ; COMMAND=/usr/bin/cyrus/bin/ctl_mboxlist.old -d
    Apr 5 14:04:00 everlearn sudo: root : TTY=unknown ; PWD=/private/var/imap/db.backup2 ; USER=cyrusimap ; COMMAND=/bin/mv /var/imap/mailboxes.db /var/imap/mailboxes.db.old
    Apr 5 14:04:00 everlearn sudo: root : TTY=unknown ; PWD=/private/var/imap/db ; USER=cyrusimap ; COMMAND=/usr/bin/touch /var/imap/db/skipstamp
    Apr 5 14:04:01 everlearn sudo: root : TTY=unknown ; PWD=/private/var/imap/db ; USER=cyrusimap ; COMMAND=/usr/bin/cyrus/bin/ctl_mboxlist -u
    Apr 5 14:04:01 everlearn ctl_mboxlist[942]: skiplist: recovered /var/imap/mailboxes.db (0 records, 144 bytes) in 0 seconds
    Apr 5 14:04:05 everlearn /System/Library/ServerSetup/MigrationExtras/49_webconfigmigrator: Existing /private/etc/httpd/httpd_macosxserver.conf file couldn't be read! Nothing to migrate.
    Apr 5 14:04:05 everlearn /System/Library/ServerSetup/MigrationExtras/50_ipfwconfigmigrator: No Jaguar firewall settings to migrate from NetInfo directory dsRecTypeNative:/config/IPFilters.
    Apr 5 14:04:09 everlearn /System/Library/ServerSetup/MigrationExtras/60_ipfwconfigmigrator: ipfw config migration:Notice:Migrating old IP address group. New name:'Migrated: 10-net' New id:'Migrated: 10-net'
    Apr 5 14:04:09 everlearn /System/Library/ServerSetup/MigrationExtras/60_ipfwconfigmigrator: ipfw config migration:Notice:IP address group 'any' has 'SSH - Secure Shell' enabled because 'ssh' was enabled in old rules
    Apr 5 14:04:09 everlearn /System/Library/ServerSetup/MigrationExtras/60_ipfwconfigmigrator: ipfw config migration:Notice:IP address group 'any' has 'Server Admin SSL, also Web-ASIP' enabled because 'asip-webadmin' was enabled in old rules
    Apr 5 14:04:09 everlearn /System/Library/ServerSetup/MigrationExtras/60_ipfwconfigmigrator: ipfw config migration:Notice:IP address group 'any' has 'Remote Directory Access' enabled because 'remoteda' was enabled in old rules
    Apr 5 14:04:09 everlearn /System/Library/ServerSetup/MigrationExtras/60_ipfwconfigmigrator: ipfw config migration:Notice:IP address group 'any' has 'Server administration using Server Admin' enabled because 'serveradmin_pseudoservice' was enabled in old rules
    Apr 5 14:04:09 everlearn /System/Library/ServerSetup/MigrationExtras/60_ipfwconfigmigrator: ipfw config migration:Notice:IP address group 'any' has 'ICMP - echo reply messages (replies to outgoing pings)' enabled because 'icmppingpseudoservice' was enabled in old rules
    Apr 5 14:04:09 everlearn /System/Library/ServerSetup/MigrationExtras/60_ipfwconfigmigrator: ipfw config migration:Notice:IP address group 'any' has 'IGMP - Internet Group Management Protocol' enabled because 'igmp_pseudoservice' was enabled in old rules
    Apr 5 14:04:09 everlearn /System/Library/ServerSetup/MigrationExtras/60_ipfwconfigmigrator: ipfw config migration:Notice:IP address group 'any' has 'RTSP - QTSS streaming' enabled because 'rtsp' was enabled in old rules
    Apr 5 14:04:09 everlearn /System/Library/ServerSetup/MigrationExtras/60_ipfwconfigmigrator: ipfw config migration:Notice:IP address group 'any' has 'WebObjects' enabled because 'webobjects' was enabled in old rules
    Apr 5 14:04:09 everlearn /System/Library/ServerSetup/MigrationExtras/60_ipfwconfigmigrator: ipfw config migration:Notice:IP address group 'any' has 'QTSS web administration' enabled because 'qtssweb_pseudoservice' was enabled in old rules
    Apr 5 14:04:09 everlearn /System/Library/ServerSetup/MigrationExtras/60_ipfwconfigmigrator: ipfw config migration:Notice:IP address group 'any' has 'QTSS MP3 streaming' enabled because 'qtssmp3_pseudoservice' was enabled in old rules
    Apr 5 14:04:09 everlearn /System/Library/ServerSetup/MigrationExtras/60_ipfwconfigmigrator: ipfw config migration:Notice:IP address group 'any' has 'HTTP - web service alternate (Apache 2 default)' enabled because 'http-alt' was enabled in old rules
    Apr 5 14:04:09 everlearn /System/Library/ServerSetup/MigrationExtras/60_ipfwconfigmigrator: ipfw config migration:Notice:IP address group 'any' has 'HTTP - web service' enabled because 'http' was enabled in old rules
    Apr 5 14:04:09 everlearn /System/Library/ServerSetup/MigrationExtras/60_ipfwconfigmigrator: ipfw config migration:Notice:Migration applying old customized enable status to rule '65000'
    Apr 5 14:04:09 everlearn /System/Library/ServerSetup/MigrationExtras/60_ipfwconfigmigrator: ipfw config migration:Notice:Migration applying old customized enable status to rule '63300'
    Apr 5 14:04:09 everlearn root: The previous /etc/httpd/workers.properties file has been saved as /etc/httpd/workers.properties.applesaved. The current /etc/httpd/workers.properties file now includes a blojsom worker.
    Apr 5 14:04:31 everlearn servermgrd: cupsd mach_msg error (ipc/rcv) timed out
    Since then we cannot find the Xserve via ping or even with a PowerBook in the same subnet.
    How can we restore TCP/IP information, subnet info etc.?
    Right now we CANNOT ACCESS PER SSH but ONLY VIA FIREWIRE ACCESS, therefore we cannot use changeip and serversetup.
    How can we set DHCP information without ssh access only access to the files?
    What to set?
    Where to set?
    Any information is greatly appreciated.
    karsten

    The main ethernet port had been disabled by the installer!
    We connected a powerbook (just plain ethernet cable) to the other port which was running with some old ip number and sent
    ping 224.0.0.1
    This gives you the ip number
    then we logged in via ssh
    then
    networksetup -setnetworkserviceenabled "Ethernet…" on
    Now we can work through the messed up install…

  • 802.1x port authentication failing after getting a access-accept packet

    Hi all,
    I'm not 100% sure what the hell is going on here.
    Any ideas or help will be appreciated.
    Here's the topology.
    1 x windows 2012 NPS
    1x 3750X
    1x Windows 7 x64
    data flow
    <laptop> - - [gi 1/0/13]<3750X>[gi 1/0/48]- -[gi 5/39]<6513>[po 1] - - [po 4]<6509><5/1> - - <VMWARE>[NPS Server]
    The switch that is doing the authentication is the 3750X. Here is the IOS version.
    Switch Ports Model              SW Version            SW Image
    *    1 54    WS-C3750X-48       15.2(1)E              C3750E-UNIVERSALK9-M
    A wireshark trace on the NPS server shows that the packets are arriving and being sent back.
    Wireshark on a mirror of the trunk port connecting the 6513. It also shows packets being sent and arriving. Access-accept packets are being received.
    As you can see in the debug output, the switch is getting an access-accept, then it is stating an AAA failure.
    Here is a debug output as you plug in the laptop.
    Oct 24 10:53:44.653: dot1x-ev:[Gi1/0/13] Interface state changed to DOWN
    Oct 24 10:53:44.653: dot1x-ev:[Gi1/0/13] No DOT1X subblock found for port down
    Oct 24 10:53:45.643: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/13, changed state to down
    Oct 24 10:53:46.641: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/13, changed state to down
    Oct 24 10:53:47.538: dot1x-ev:[Gi1/0/13] Interface state changed to UP
    Oct 24 10:53:47.564: dot1x-packet:[6431.500e.9b00, Gi1/0/13] queuing an EAPOL pkt on Auth Q
    Oct 24 10:53:47.572: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet1/0/13
    Oct 24 10:53:47.572: dot1x-packet:EAPOL pak rx - Ver: 0x1  type: 0x1
    Oct 24 10:53:47.572: dot1x-packet: length: 0x0000
    Oct 24 10:53:47.572: dot1x-ev:[Gi1/0/13] Dequeued pkt: Int Gi1/0/13 CODE= 0,TYPE= 0,LEN= 0
    Oct 24 10:53:47.572: dot1x-ev:[Gi1/0/13] Received pkt saddr =6431.500e.9b00 , daddr = 0180.c200.0003, pae-ether-type = 888e.0101.0000
    Oct 24 10:53:47.572: dot1x-ev:[Gi1/0/13] Couldn't find the supplicant in the list
    Oct 24 10:53:47.572: dot1x-ev:[6431.500e.9b00, Gi1/0/13] New client detected, sending session start event for 6431.500e.9b00
    Oct 24 10:53:47.572: AAA/BIND(00000047): Bind i/f
    Oct 24 10:53:47.580: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Sending create new context event to EAP for 0x15000045 (6431.500e.9b00)
    Oct 24 10:53:47.580: EAP-EVENT: Received context create from LL (Dot1x-Authenticator) (0x15000045)
    Oct 24 10:53:47.580: EAP-AUTH-EVENT: Received AAA ID 0x00000047 from LL
    Oct 24 10:53:47.580: EAP-AUTH-AAA-EVENT: Assigning AAA ID 0x00000047
    Oct 24 10:53:47.580: EAP-AUTH-AAA-EVENT: CTS not enabled on interface Gi1/0/13
    Oct 24 10:53:47.580: EAP-AUTH-EVENT: Received Session ID "C0A846660000004700DF6030" from LL
    Oct 24 10:53:47.580: EAP-AUTH-EVENT: Setting authentication mode: Passthrough
    Oct 24 10:53:47.580:     eap_authen : initial state eap_auth_initialize has enter
    Oct 24 10:53:47.580: EAP-EVENT: Allocated new EAP context (handle = 0xE8000047)
    Oct 24 10:53:47.580: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Created a client entry (0x15000045)
    Oct 24 10:53:47.580: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Dot1x authentication started for 0x15000045 (6431.500e.9b00)
    Oct 24 10:53:47.580: %AUTHMGR-5-START: Starting 'dot1x' for client (6431.500e.9b00) on Interface Gi1/0/13 AuditSessionID C0A846660000004700DF6030
    Oct 24 10:53:47.580: EAP-EVENT: Received EAP event 'EAP_AUTHENTICATOR_START' on handle 0xE8000047
    Oct 24 10:53:47.580:     eap_authen : during state eap_auth_initialize, got event 25(eapStartTmo)
    Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_initialize -> eap_auth_select_action
    Oct 24 10:53:47.580:     eap_authen : during state eap_auth_select_action, got event 20(eapDecisionPropose)
    Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_select_action -> eap_auth_propose_method
    Oct 24 10:53:47.580:     eap_authen : idle during state eap_auth_propose_method
    Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_propose_method -> eap_auth_method_request
    Oct 24 10:53:47.580:     eap_authen : idle during state eap_auth_method_request
    Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_method_request -> eap_auth_tx_packet
    Oct 24 10:53:47.580: EAP-AUTH-EVENT: Current method = Identity
    Oct 24 10:53:47.580: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_CUSTOMIZE_ID_REQUEST' on handle 0xE8000047
    Oct 24 10:53:47.580:     eap_authen : idle during state eap_auth_tx_packet
    Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_tx_packet -> eap_auth_idle
    Oct 24 10:53:47.589: EAP-AUTH-TX-PAK: Code:REQUEST  ID:0x1   Length:0x0005  Type:IDENTITY
    Oct 24 10:53:47.589: EAP-EVENT: Started 'Authenticator ReqId Retransmit' timer (30s) for EAP sesion handle 0xE8000047
    Oct 24 10:53:47.589: EAP-EVENT: Started EAP tick timer
    Oct 24 10:53:47.589: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_TX_PACKET' on handle 0xE8000047
    Oct 24 10:53:47.597: dot1x-ev:[Gi1/0/13] Sending EAPOL packet to group PAE address
    Oct 24 10:53:47.597: dot1x-ev:[Gi1/0/13] Sending out EAPOL packet
    Oct 24 10:53:47.597: dot1x-packet:EAPOL pak Tx - Ver: 0x3  type: 0x0
    Oct 24 10:53:47.597: dot1x-packet: length: 0x0005
    Oct 24 10:53:47.597: dot1x-packet:EAP code: 0x1  id: 0x1  length: 0x0005
    Oct 24 10:53:47.597: dot1x-packet: type: 0x1
    Oct 24 10:53:47.597: dot1x-packet:[6431.500e.9b00, Gi1/0/13] EAPOL packet sent to client 0x15000045
    Oct 24 10:53:47.606: dot1x-packet:[6431.500e.9b00, Gi1/0/13] Queuing an EAPOL pkt on Authenticator Q
    Oct 24 10:53:47.606: dot1x-packet:EAPOL pak rx - Ver: 0x1  type: 0x0
    Oct 24 10:53:47.606: dot1x-packet: length: 0x001F
    Oct 24 10:53:47.606: dot1x-ev:[Gi1/0/13] Dequeued pkt: Int Gi1/0/13 CODE= 2,TYPE= 1,LEN= 31
    Oct 24 10:53:47.606: dot1x-ev:[Gi1/0/13] Received pkt saddr =6431.500e.9b00 , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.001f
    Oct 24 10:53:47.606: dot1x-packet:EAPOL pak rx - Ver: 0x1  type: 0x0
    Oct 24 10:53:47.606: dot1x-packet: length: 0x001F
    Oct 24 10:53:47.606: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Response sent to the server from 0x15000045
    Oct 24 10:53:47.606: EAP-EVENT: Received LL (Dot1x-Authenticator) event 'EAP_RX_PACKET' on handle 0xE8000047
    Oct 24 10:53:47.606: EAP-AUTH-RX-PAK: Code:RESPONSE  ID:0x1   Length:0x001F  Type:IDENTITY
    Oct 24 10:53:47.606:     Payload:  47454E4552414C5C72616E64792E636F ...
    Oct 24 10:53:47.606:     eap_authen : during state eap_auth_idle, got event 1(eapRxPacket)
    Oct 24 10:53:47.606: @@@ eap_authen : eap_auth_idle -> eap_auth_received
    Oct 24 10:53:47.606: EAP-AUTH-EVENT: EAP Response received by context 0xE8000047
    Oct 24 10:53:47.606: EAP-AUTH-EVENT: EAP Response type = Identity
    Oct 24 10:53:47.606: EAP-EVENT: Stopping 'Authenticator ReqId Retransmit' timer for EAP sesion handle 0xE8000047
    Oct 24 10:53:47.606:     eap_authen : during state eap_auth_received, got event 10(eapMethodData)
    Oct 24 10:53:47.606: @@@ eap_authen : eap_auth_received -> eap_auth_method_response
    Oct 24 10:53:47.606: EAP-AUTH-EVENT: Received peer identity: GENERAL\randy.coburn.admin
    Oct 24 10:53:47.606: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_IDENTITY' on handle 0xE8000047
    Oct 24 10:53:47.606:     eap_authen : during state eap_auth_method_response, got event 13(eapMethodEnd)
    Oct 24 10:53:47.606: @@@ eap_authen : eap_auth_method_response -> eap_auth_select_action
    Oct 24 10:53:47.606:     eap_authen : during state eap_auth_select_action, got event 19(eapDecisionPass)
    Oct 24 10:53:47.606: @@@ eap_authen : eap_auth_select_action -> eap_auth_passthru_init
    Oct 24 10:53:47.606:     eap_authen : during state eap_auth_passthru_init, got event 22(eapPthruIdentity)
    Oct 24 10:53:47.614: @@@ eap_authen : eap_auth_passthru_init -> eap_auth_aaa_req
    Oct 24 10:53:47.614: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_GET_PEER_MAC_ADDRESS' on handle 0xE8000047
    Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Adding Audit-Session-ID "C0A846660000004700DF6030" to RADIUS Req
    Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Added Audit-Session-ID
    Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Adding IDB "0x070B90F8" to RADIUS Req
    Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Added IDB
    Oct 24 10:53:47.614: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_CUSTOMIZE_AAA_REQUEST' on handle 0xE8000047
    Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: eap_auth_aaa_authen_request_shim aaa_service 19, eap aaa_list handle 0, mlist handle 0
    Oct 24 10:53:47.614: AAA/AUTHEN/8021X (00000000): Pick method list 'default'
    Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Request sent successfully
    Oct 24 10:53:47.614:     eap_authen : during state eap_auth_aaa_req, got event 24(eapAAAReqOk)
    Oct 24 10:53:47.614: @@@ eap_authen : eap_auth_aaa_req -> eap_auth_aaa_idle
    Oct 24 10:53:47.614: RADIUS/ENCODE(00000000):Orig. component type = Invalid
    Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute hwidb
    Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute aaa-authen-type
    Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute aaa-authen-service
    Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute clid-mac-addr
    Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute target-scope
    Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute aaa-unique-id
    Oct 24 10:53:47.614: RADIUS(00000000): Config NAS IP: 0.0.0.0
    Oct 24 10:53:47.614: RADIUS(00000000): sending
    Oct 24 10:53:47.614: RADIUS/ENCODE: Best Local IP-Address 192.168.70.102 for Radius-Server 192.168.19.121
    Oct 24 10:53:47.614: RADIUS(00000000): Send Access-Request to 192.168.19.121:1645 id 1645/21, len 288
    Oct 24 10:53:47.614: RADIUS:  authenticator F1 BA E5 31 71 54 BF 1A - A2 B1 5E 1A 63 72 1E 72
    Oct 24 10:53:47.614: RADIUS:  User-Name           [1]   28  "GENERAL\randy.coburn.admin"
    Oct 24 10:53:47.614: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    Oct 24 10:53:47.614: RADIUS:  Vendor, Cisco       [26]  27
    Oct 24 10:53:47.614: RADIUS:   Cisco AVpair       [1]   21  "service-type=Framed"
    Oct 24 10:53:47.614: RADIUS:  Framed-MTU          [12]  6   1500
    Oct 24 10:53:47.614: RADIUS:  Called-Station-Id   [30]  19  "AC-F2-C5-75-7D-0D"
    Oct 24 10:53:47.614: RADIUS:  Calling-Station-Id  [31]  19  "64-31-50-0E-9B-00"
    Oct 24 10:53:47.614: RADIUS:  EAP-Message         [79]  33
    Oct 24 10:53:47.614: RADIUS:   02 01 00 1F 01 47 45 4E 45 52 41 4C 5C 72 61 6E 64 79 2E 63 6F  [GENERAL\randy.co]
    Oct 24 10:53:47.622: RADIUS:   62 75 72 6E 2E 61 64 6D 69 6E        [ burn.admin]
    Oct 24 10:53:47.622: RADIUS:  Message-Authenticato[80]  18
    Oct 24 10:53:47.622: RADIUS:   EE 52 4D ED B9 06 F3 CE 63 AC 9D 73 24 1B A7 ED             [ RMcs$]
    Oct 24 10:53:47.622: RADIUS:  EAP-Key-Name        [102] 2   *
    Oct 24 10:53:47.622: RADIUS:  Vendor, Cisco       [26]  49
    Oct 24 10:53:47.622: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=C0A846660000004700DF6030"
    Oct 24 10:53:47.622: RADIUS:  Vendor, Cisco       [26]  20
    Oct 24 10:53:47.622: RADIUS:   Cisco AVpair       [1]   14  "method=dot1x"
    Oct 24 10:53:47.622: RADIUS:  NAS-IP-Address      [4]   6   192.168.70.102
    Oct 24 10:53:47.622: RADIUS:  NAS-Port            [5]   6   60000
    Oct 24 10:53:47.622: RADIUS:  NAS-Port-Id         [87]  23  "GigabitEthernet1/0/13"
    Oct 24 10:53:47.622: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
    Oct 24 10:53:47.622: RADIUS(00000000): Sending a IPv4 Radius Packet
    Oct 24 10:53:47.622: RADIUS(00000000): Started 10 sec timeout
    Oct 24 10:53:47.622: RADIUS: Received from id 1645/21 192.168.19.121:1645, Access-Accept, len 66
    Oct 24 10:53:47.622: RADIUS:  authenticator 92 F6 07 AF C1 AB 0B 4C - 1D 9E A0 D1 01 36 27 26
    Oct 24 10:53:47.622: RADIUS:  Class               [25]  46
    Oct 24 10:53:47.622: RADIUS:   76 E3 06 66 00 00 01 37 00 01 02 00 C0 A8 13 79 00 00 00 00 00 00 00 00 00 00 00 00 01 CE CF F8 1F 7B 75 41 00 00 00 00 00 00 00 50          [ vf7y{uAP]
    Oct 24 10:53:47.622: RADIUS(00000000): Received from id 1645/21
    Oct 24 10:53:47.622: EAP-EVENT: eap_aaa_reply
    Oct 24 10:53:47.622: EAP-AUTH-AAA-EVENT: Reply received session_label 72000033
    Oct 24 10:53:47.622: EAP-EVENT: Received AAA event 'EAP_AAA_FAIL' on handle 0xE8000047
    Oct 24 10:53:47.622:     eap_authen : during state eap_auth_aaa_idle, got event 8(eapAAAFail)
    Oct 24 10:53:47.622: @@@ eap_authen : eap_auth_aaa_idle -> eap_auth_failure
    Oct 24 10:53:47.631: EAP-EVENT: Received get canned status from lower layer (0xE8000047)
    Oct 24 10:53:47.631: EAP-AUTH-TX-PAK: Code:FAILURE  ID:0x1   Length:0x0004
    Oct 24 10:53:47.631: EAP-AUTH-EVENT: FAIL for EAP method ID: 1, name: , on handle 0xE8000047
    Oct 24 10:53:47.631: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_FAIL' on handle 0xE8000047
    Oct 24 10:53:47.631: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Received an EAP Fail
    Oct 24 10:53:47.639: %DOT1X-5-FAIL: Authentication failed for client (6431.500e.9b00) on Interface Gi1/0/13 AuditSessionID C0A846660000004700DF6030
    Oct 24 10:53:47.639: dot1x-packet:[6431.500e.9b00, Gi1/0/13] Added username in dot1x
    Oct 24 10:53:47.639: dot1x-packet:[6431.500e.9b00, Gi1/0/13] Dot1x did not receive any key data
    Oct 24 10:53:47.639: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Processing client delete for hdl 0x15000045 sent by Auth Mgr
    Oct 24 10:53:47.639: dot1x-ev:[6431.500e.9b00, Gi1/0/13] 6431.500e.9b00: sending canned failure due to method termination
    Oct 24 10:53:47.639: EAP-EVENT: Received get canned status from lower layer (0xE8000047)
    Oct 24 10:53:47.639: dot1x-ev:[Gi1/0/13] Sending EAPOL packet to group PAE address
    Oct 24 10:53:47.639: dot1x-ev:[Gi1/0/13] Sending out EAPOL packet
    Oct 24 10:53:47.639: dot1x-packet:EAPOL pak Tx - Ver: 0x3  type: 0x0
    Oct 24 10:53:47.639: dot1x-packet: length: 0x0004
    Oct 24 10:53:47.639: dot1x-packet:EAP code: 0x4  id: 0x1  length: 0x0004
    Oct 24 10:53:47.639: dot1x-packet:[6431.500e.9b00, Gi1/0/13] EAPOL canned status packet sent to client 0x15000045
    Oct 24 10:53:47.639: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Deleting client 0x15000045 (6431.500e.9b00)
    Oct 24 10:53:47.639: %AUTHMGR-7-STOPPING: Stopping 'dot1x' for client 6431.500e.9b00 on Interface Gi1/0/13 AuditSessionID C0A846660000004700DF6030
    Oct 24 10:53:47.639: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (6431.500e.9b00) on Interface Gi1/0/13 AuditSessionID C0A846660000004700DF6030
    Oct 24 10:53:47.648: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Delete auth client (0x15000045) message
    Oct 24 10:53:47.648: EAP-EVENT: Received free context (0xE8000047) from LL (Dot1x-Authenticator)
    Oct 24 10:53:47.648: dot1x-ev:Auth client ctx destroyed
    Oct 24 10:53:47.648: EAP-EVENT: Received LL (Dot1x-Authenticator) event 'EAP_DELETE' on handle 0xE8000047
    Oct 24 10:53:47.648: EAP-AUTH-EVENT: Freed EAP auth context
    Oct 24 10:53:47.648: EAP-EVENT: Freed EAP context
    Oct 24 10:53:48.621: EAP-EVENT: Stopped EAP tick timer
    Oct 24 10:53:49.485: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/13, changed state to up
    Oct 24 10:53:50.491: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/13, changed state to up
    Oct 24 10:53:53.528: dot1x-ev:[Gi1/0/13] Interface state changed to DOWN
    Oct 24 10:53:53.528: dot1x-ev:[Gi1/0/13] No DOT1X subblock found for port down
    Oct 24 10:53:54.518: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/13, changed state to down
    Oct 24 10:53:55.524: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/13, changed state to down
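
    A log-triage sketch for the debug output above, added here as an example (not part of the original post and not Cisco tooling). It groups the `RADIUS:` debug lines into packets and reports what the output shows: the Access-Accept arrived with no Access-Challenge round and no EAP-Message attribute, just before the switch logged EAP_AAA_FAIL. The function names and the selection of excerpt lines are assumptions of this example.

```python
import re

# Selected lines from the switch debug output quoted in the post above.
DEBUG_EXCERPT = r'''
Oct 24 10:53:47.614: RADIUS(00000000): Send Access-Request to 192.168.19.121:1645 id 1645/21, len 288
Oct 24 10:53:47.614: RADIUS:  User-Name           [1]   28  "GENERAL\randy.coburn.admin"
Oct 24 10:53:47.614: RADIUS:  Service-Type        [6]   6   Framed                    [2]
Oct 24 10:53:47.614: RADIUS:  Vendor, Cisco       [26]  27
Oct 24 10:53:47.614: RADIUS:   Cisco AVpair       [1]   21  "service-type=Framed"
Oct 24 10:53:47.614: RADIUS:  EAP-Message         [79]  33
Oct 24 10:53:47.614: RADIUS:   02 01 00 1F 01 47 45 4E 45 52 41 4C 5C 72 61 6E 64 79 2E 63 6F  [GENERAL\randy.co]
Oct 24 10:53:47.622: RADIUS:  Message-Authenticato[80]  18
Oct 24 10:53:47.622: RADIUS: Received from id 1645/21 192.168.19.121:1645, Access-Accept, len 66
Oct 24 10:53:47.622: RADIUS:  Class               [25]  46
Oct 24 10:53:47.622: EAP-EVENT: Received AAA event 'EAP_AAA_FAIL' on handle 0xE8000047
Oct 24 10:53:47.639: dot1x-packet:[6431.500e.9b00, Gi1/0/13] Dot1x did not receive any key data
Oct 24 10:53:47.639: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (6431.500e.9b00) on Interface Gi1/0/13 AuditSessionID C0A846660000004700DF6030
'''

SEND_RE = re.compile(r"RADIUS\(\w+\): Send (Access-\w+) to \S+ id (\d+/\d+)")
RECV_RE = re.compile(r"RADIUS: Received from id (\d+/\d+) \S+, (Access-\w+)")
# Top-level attributes have exactly two spaces after "RADIUS:"; nested
# vendor sub-attributes and hex dumps have three and are skipped.
ATTR_RE = re.compile(r"RADIUS: {2}(\S.*?)\s*\[(\d+)\]\s+(\d+)")
EAP_MESSAGE = 79
VERDICT_MARKERS = ("EAP_AAA_FAIL", "did not receive any key data",
                   "%DOT1X-5-FAIL", "%AUTHMGR-5-FAIL")


def parse_radius_packets(log_text):
    """Group debug lines into packets: direction, code, id, {attr_type: name}."""
    packets, current = [], None
    for line in log_text.splitlines():
        sent, received = SEND_RE.search(line), RECV_RE.search(line)
        if sent:
            current = {"dir": "sent", "code": sent.group(1),
                       "id": sent.group(2), "attrs": {}}
            packets.append(current)
        elif received:
            current = {"dir": "received", "code": received.group(2),
                       "id": received.group(1), "attrs": {}}
            packets.append(current)
        elif current is not None:
            attr = ATTR_RE.search(line)
            if attr:
                current["attrs"][int(attr.group(2))] = attr.group(1)
    return packets


def triage(log_text):
    """One finding per Access-Accept/Access-Reject, with the exchange before it."""
    findings, exchange = [], []
    for pkt in parse_radius_packets(log_text):
        exchange.append(pkt)
        if pkt["code"] not in ("Access-Accept", "Access-Reject"):
            continue
        requests = [p for p in exchange if p["code"] == "Access-Request"]
        findings.append({
            "result": pkt["code"],
            "id": pkt["id"],
            "eap_in_request": any(EAP_MESSAGE in p["attrs"] for p in requests),
            "challenges": sum(p["code"] == "Access-Challenge" for p in exchange),
            "eap_in_result": EAP_MESSAGE in pkt["attrs"],
            "result_attrs": sorted(pkt["attrs"].values()),
        })
        exchange = []
    return findings


def is_suspect(finding):
    """EAP was offered by the switch, but the accept carries no EAP-Message."""
    return (finding["result"] == "Access-Accept"
            and finding["eap_in_request"] and not finding["eap_in_result"])


def switch_verdicts(log_text):
    """Failure markers the switch itself logged, in a fixed order."""
    return [m for m in VERDICT_MARKERS if m in log_text]


if __name__ == "__main__":
    for f in triage(DEBUG_EXCERPT):
        flag = "CHECK SERVER POLICY" if is_suspect(f) else "ok"
        print(f["result"], f["id"], "challenges:", f["challenges"],
              "attrs:", f["result_attrs"], "->", flag)
    print("switch logged:", switch_verdicts(DEBUG_EXCERPT))
```
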

    Hi Jatin,
    See below the data that you have requested.
    show run bits.
    aaa new-model
    aaa authentication dot1x default group radius
    aaa session-id common
    clock timezone BST 0 0
    clock summer-time UTC recurring last Sun Mar 1:00 last Sun Oct 2:00
    dot1x system-auth-control
    interface GigabitEthernet1/0/13
    switchport access vlan 80
    switchport mode access
    authentication port-control auto
    dot1x pae authenticator
    spanning-tree portfast
    interface GigabitEthernet1/0/48
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 70
    switchport mode trunk
    radius server NPS1
    address ipv4 192.168.19.121 auth-port 1645 acct-port 1646
    timeout 10
    key thesecret
    ip default-gateway 192.168.70.1
    SW1-randy#show auth sessions interface gig 1/0/13
    Interface    MAC Address    Method       Domain          Status    Fg Session ID
    Gi1/0/13     803f.5d09.189e N/A          UNKNOWN      Unauth         C0A846660000002F00251DBC
    SW1-randy#Show mac address-table Interface GigabitEthernet1/0/13
              Mac Address Table
    Vlan    Mac Address       Type        Ports
      80    803f.5d09.189e    DYNAMIC     Drop
    SW1-randy#ping 192.168.19.121
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.19.121, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
    Here is a wireshark of the accept packet.
    Message was edited by: randy coburn
    Added wireshark trace

  • IP SLA icmp jitter operation

    Hello
    I would like to track icmp jitter for an end host. I verified in documentation that it can be any host as a destination. But I got an error on this operation:
     Latest RTT: NoConnection/Busy/Timeout
    I verified that there is no firewall between the source and destination and icmp timestamp request works when done manually:
    r01#ping          
    Protocol [ip]:     
    Target IP address: 10.23.33.6
    Repeat count [5]: 
    Datagram size [100]: 
    Timeout in seconds [2]: 
    Extended commands [n]: y
    Source address or interface: 
    Type of service [0]: 
    Set DF bit in IP header? [no]: 
    Validate reply data? [no]: 
    Data pattern [0xABCD]: 
    Loose, Strict, Record, Timestamp, Verbose[none]: Timestamp
    Number of timestamps [ 9 ]: 
    Loose, Strict, Record, Timestamp, Verbose[TV]: 
    Sweep range of sizes [n]: 
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.23.33.6, timeout is 2 seconds:
    Packet has IP options:  Total option bytes= 40, padded length=40
     Timestamp: Type 0.  Overflows: 0 length 40, ptr 5
      >>Current pointer<<
      Time= 01:00:00.000 CET (00000000)
      Time= 01:00:00.000 CET (00000000)
      Time= 01:00:00.000 CET (00000000)
      Time= 01:00:00.000 CET (00000000)
      Time= 01:00:00.000 CET (00000000)
      Time= 01:00:00.000 CET (00000000)
      Time= 01:00:00.000 CET (00000000)
      Time= 01:00:00.000 CET (00000000)
      Time= 01:00:00.000 CET (00000000)
    Reply to request 0 (4 ms).  Received packet has no options
    Reply to request 1 (4 ms).  Received packet has no options
    Reply to request 2 (1 ms).  Received packet has no options
    Reply to request 3 (1 ms).  Received packet has no options
    Reply to request 4 (1 ms).  Received packet has no options
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
    r01#sh ip sla statistics 196
    IPSLAs Latest Operation Statistics
    IPSLA operation id: 196
    Type of operation: icmp-jitter
            Latest RTT: NoConnection/Busy/Timeout
    Latest operation start time: 12:45:21.019 CET Fri Nov 21 2014
    Latest operation return code: Timeout
    RTT Values:
            Number Of RTT: 0                RTT Min/Avg/Max: 0/0/0 
    Latency one-way time:
            Number of Latency one-way Samples: 0
            Source to Destination Latency one way Min/Avg/Max: 0/0/0 
            Destination to Source Latency one way Min/Avg/Max: 0/0/0 
    Jitter Time:
            Number of SD Jitter Samples: 0
            Number of DS Jitter Samples: 0
            Source to Destination Jitter Min/Avg/Max: 0/0/0 
            Destination to Source Jitter Min/Avg/Max: 0/0/0 
    Packet Late Arrival: 0
    Out Of Sequence: 0
            Source to Destination: 0        Destination to Source 0
            In both Directions: 0
    Packet Skipped: 0       Packet Unprocessed: 0
    Packet Loss: 0
            Loss Period Length Min/Max: 0/0
    Number of successes: 0
    Number of failures: 34
    ip sla 197
     icmp-jitter 10.23.33.6
     frequency 30
    ip sla schedule 197 life forever start-time now
    Nov 21 12:57:43: IP SLAs(197) Scheduler: saaSchedulerEventWakeup
    Nov 21 12:57:43: IP SLAs(197) Scheduler: Starting an operation
    Nov 21 12:57:43: IP SLAs(197) icmpjitter operation: Starting icmpjitter operation
    Nov 21 12:57:49: IP SLAs(197) icmpjitter operation: Timeout
    Nov 21 12:57:49: IP SLAs(197) icmpjitter operation: Timeout
    Nov 21 12:57:49: IP SLAs(197) Scheduler: Updating result
    Nov 21 12:57:49: IP SLAs(197) Scheduler: start wakeup timer, delay = 24796
    Nov 21 12:57:49: IP SLAs(197) icmpjitter operation: Timeout
    Nov 21 12:57:49: IP SLAs(197) icmpjitter operation: Timeout
    Nov 21 12:57:49: IP SLAs(197) icmpjitter operation: Timeout
    Nov 21 12:57:49: IP SLAs(197) icmpjitter operation: Timeout
    Nov 21 12:57:49: IP SLAs(197) icmpjitter operation: Timeout
    Nov 21 12:57:49: IP SLAs(197) icmpjitter operation: Timeout
    Nov 21 12:57:49: IP SLAs(197) icmpjitter operation: Timeout
    Nov 21 12:57:49: IP SLAs(197) icmpjitter operation: Timeout
    Nov 21 12:57:49: IP SLAs(197) icmpjitter operation: Timeout
    Any help would be appreciated.

    Hi Jorge
    According to Cisco documentation icmp-jitter should work on any IP Device.
    I have a similar issue.
    1. I can run icmp-jitter successfully to non-Cisco routers
    2. It fails to run to a generic IP device.
    Imran
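
    The extended ping in the first post sets the IP Timestamp option on ICMP echo packets (its output reads "Packet has IP options"), whereas the icmp-jitter operation exchanges ICMP Timestamp Request (type 13) and Timestamp Reply (type 14) messages. The following added example, not part of the thread, builds both probes as bytes to show how they differ on the wire and derives latency from a reply; the source address 192.0.2.1, the identifiers and all timestamp values are constructed.

```python
import socket
import struct

ICMP_NAMES = {0: "Echo Reply", 8: "Echo Request",
              13: "Timestamp Request", 14: "Timestamp Reply"}
IPOPT_TIMESTAMP = 68  # IP Timestamp option (RFC 791): what ping's "Timestamp" sets


def inet_checksum(data):
    """RFC 1071 Internet checksum; returns 0 when run over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def icmp_timestamp(msg_type, ident, seq, originate, receive=0, transmit=0):
    """ICMP Timestamp Request (13) or Reply (14); times are ms since midnight UT."""
    body = struct.pack("!HHIII", ident, seq, originate, receive, transmit)
    csum = inet_checksum(struct.pack("!BBH", msg_type, 0, 0) + body)
    return struct.pack("!BBH", msg_type, 0, csum) + body


def icmp_echo_request(ident, seq, data=b""):
    body = struct.pack("!HH", ident, seq) + data
    csum = inet_checksum(struct.pack("!BBH", 8, 0, 0) + body)
    return struct.pack("!BBH", 8, 0, csum) + body


def ip_timestamp_option(slots=9):
    """Option as in the ping output: length 40, ptr 5, flag type 0, 9 empty slots."""
    return struct.pack("!BBBB", IPOPT_TIMESTAMP, 4 + 4 * slots, 5, 0) + b"\x00" * (4 * slots)


def ipv4(src, dst, payload, options=b""):
    options += b"\x00" * (-len(options) % 4)          # pad to a 32-bit boundary
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                         0, 0, 64, 1, 0,               # TTL 64, protocol 1 (ICMP)
                         socket.inet_aton(src), socket.inet_aton(dst)) + options
    csum = inet_checksum(header)
    return header[:10] + struct.pack("!H", csum) + header[12:] + payload


def describe_probe(packet):
    """List the IP option types and the ICMP message type carried by a packet."""
    ihl = (packet[0] & 0x0F) * 4
    options, i = [], 20
    while i < ihl:
        opt = packet[i]
        if opt == 0:                                   # End of Option List
            break
        if opt == 1:                                   # No-Operation, one byte
            i += 1
            continue
        if i + 1 >= ihl or packet[i + 1] < 2:          # malformed length
            break
        options.append(opt)
        i += packet[i + 1]
    icmp = packet[ihl:]
    return {"ip_options": options, "icmp_type": icmp[0],
            "icmp_name": ICMP_NAMES.get(icmp[0], "other"),
            "icmp_checksum_ok": inet_checksum(icmp) == 0}


def latency_from_reply(reply, arrival_ms):
    """Round-trip and one-way times from a Timestamp Reply (clocks assumed in sync)."""
    if len(reply) != 20 or reply[0] != 14 or inet_checksum(reply) != 0:
        raise ValueError("not a valid ICMP Timestamp Reply")
    _t, _c, _s, _ident, _seq, orig, recv, xmit = struct.unpack("!BBHHHIII", reply)
    return {"rtt_ms": (arrival_ms - orig) - (xmit - recv),
            "sd_ms": recv - orig, "ds_ms": arrival_ms - xmit}


# Constructed samples: what the manual ping sent vs. what icmp-jitter sends.
PING_WITH_IP_OPTION = ipv4("192.0.2.1", "10.23.33.6",
                           icmp_echo_request(1, 0, b"\xab\xcd" * 16),
                           ip_timestamp_option())
JITTER_PROBE = ipv4("192.0.2.1", "10.23.33.6", icmp_timestamp(13, 197, 1, 42_321_019))

if __name__ == "__main__":
    print(describe_probe(PING_WITH_IP_OPTION))
    print(describe_probe(JITTER_PROBE))
```

    A capture filter on ICMP types 13 and 14 at the destination shows whether the host answers the second kind of probe at all.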

  • Site2Site Tunnel issue PSEC(epa_des_crypt): decrypted packet failed SA identity check

    Hi,
    I have a slight issue I'm having some problems resolving..
    The scenario is as follows;
    I have an external provider which connects to me via VPN to a Juniper SSG firewall, that works fine.
    I then have an external site, which does NOT reside in my MPLS cloud, so I have to deploy IPSec via Internet to reach it.
    That also works fine and I have multiple SA's running on that site with no issues or problems.
    The external provider has a small network device deployed on the external site which monitors cooling values in one of our warehouses.
    The external site which is connected via IPSEC has a Cisco 1921 and numerous Cisco 3550s deployed.
    The VLAN for the cooling provider is vlan 150 and is setup with 10.150.4.0/24 where .1 is the def gw and .10 is the cooling monitor device.
    The external provider's servers are located within 192.168.220.0/24 subnet.
    As of right now, we can reach the Cisco 1921 through the whole IPsec tunnel from 192.168.220.182 with all services, ping, telnet whatnot, but we are unable to ping the cooling device from 192.168.220.0/24.
    However from the Cisco 1921, we can ping both 192.168.220.0/24 and the locally connected 10.150.4.10
    So basically it seems to be the last bit when the traffic goes through the 1921 and to the switch where it fails and I can't for the life of me figure out why.
    Network diagram attached.. any ideas?
    This is the 1921 config:
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime
    service timestamps log datetime msec localtime
    service password-encryption
    hostname bergen-vpn-gw
    boot-start-marker
    boot system flash flash:c1841-adventerprisek9-mz.124-25d.bin
    boot-end-marker
    logging buffered 50000
    aaa new-model
    aaa authentication login default local
    aaa authentication enable default enable
    aaa session-id common
    clock timezone CET 1
    clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 3:00
    no ipv6 cef
    no ip source-route
    ip cef
    no ip bootp server
    no ip domain lookup
    ip domain name xxxxx
    multilink bundle-name authenticated
    license udi pid CISCO1921/K9 sn FCZ1508C1P4
    license boot module c1900 technology-package securityk9
    license boot module c1900 technology-package datak9
    vtp mode client
    redundancy
    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key harakiri address 1.2.3.4
    crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
    crypto map VPN 10 ipsec-isakmp
    set peer 1.2.3.4
    set transform-set 3DES-SHA
    match address VPN
    interface GigabitEthernet0/0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    no ip route-cache cef
    no ip route-cache
    duplex auto
    speed auto
    interface GigabitEthernet0/0.99
    description *** Test VLAN To be removed ***
    encapsulation dot1Q 99
    ip address 10.90.90.1 255.255.255.0
    no ip route-cache
    interface GigabitEthernet0/0.112
    encapsulation dot1Q 112
    ip address 192.168.112.1 255.255.255.0
    ip helper-address 172.30.1.223
    no ip route-cache
    interface GigabitEthernet0/0.150
    encapsulation dot1Q 150
    ip address 10.150.4.1 255.255.255.0
    no ip redirects
    no ip proxy-arp
    no ip route-cache
    interface GigabitEthernet0/0.178
    encapsulation dot1Q 178
    ip address 192.168.178.1 255.255.255.0
    ip helper-address 172.30.1.223
    no ip redirects
    no ip proxy-arp
    no ip route-cache
    interface GigabitEthernet0/0.999
    encapsulation dot1Q 999
    no ip route-cache
    interface GigabitEthernet0/1
    ip address 1.2.3.4 255.255.255.252
    no ip redirects
    no ip proxy-arp
    no ip route-cache cef
    no ip route-cache
    duplex auto
    speed auto
    crypto map VPN
    interface FastEthernet0/0/0
    switchport access vlan 99
    interface FastEthernet0/0/1
    interface FastEthernet0/0/2
    interface FastEthernet0/0/3
    interface Vlan1
    no ip address
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip route 0.0.0.0 0.0.0.0 85.200.203.29
    ip access-list extended VPN
    permit ip 10.90.90.0 0.0.0.255 172.30.1.0 0.0.0.255
    permit ip 10.90.90.0 0.0.0.255 172.22.0.0 0.0.255.255
    permit ip 10.90.90.0 0.0.0.255 172.18.5.0 0.0.0.255
    permit ip 10.90.90.0 0.0.0.255 10.50.0.0 0.0.255.255
    permit ip 192.168.112.0 0.0.0.255 172.30.1.0 0.0.0.255
    permit ip 192.168.112.0 0.0.0.255 172.22.0.0 0.0.255.255
    permit ip 192.168.112.0 0.0.0.255 172.18.5.0 0.0.0.255
    permit ip 192.168.112.0 0.0.0.255 10.50.0.0 0.0.255.255
    permit ip 192.168.178.0 0.0.0.255 172.30.1.0 0.0.0.255
    permit ip 192.168.178.0 0.0.0.255 172.22.0.0 0.0.255.255
    permit ip 192.168.178.0 0.0.0.255 172.18.5.0 0.0.0.255
    permit ip 192.168.178.0 0.0.0.255 10.50.0.0 0.0.255.255
    permit ip 192.168.112.0 0.0.0.255 172.30.240.0 0.0.0.255
    permit ip 192.168.178.0 0.0.0.255 172.30.240.0 0.0.0.255
    permit ip 192.168.112.0 0.0.0.255 10.70.0.0 0.0.0.255
    permit ip 192.168.178.0 0.0.0.255 10.70.0.0 0.0.0.255
    permit ip 10.150.4.0 0.0.0.255 192.168.220.0 0.0.0.255 log
    ip sla 1
    icmp-echo 172.30.1.223 source-interface GigabitEthernet0/0.178
    threshold 20
    frequency 120
    ip sla schedule 1 start-time now
    ip sla 2
    icmp-echo 10.50.1.200 source-interface GigabitEthernet0/0.178
    threshold 20
    frequency 120
    ip sla schedule 2 start-time now
    ip sla 3
    icmp-echo 172.18.5.121 source-interface GigabitEthernet0/0.178
    threshold 20
    frequency 120
    ip sla schedule 3 start-time now
    ip sla 4
    icmp-echo 172.22.0.140 source-interface GigabitEthernet0/0.178
    threshold 20
    frequency 120
    ip sla schedule 4 start-time now
    ip sla 5
    icmp-echo 172.30.240.40 source-interface GigabitEthernet0/0.178
    threshold 20
    frequency 120
    ip sla schedule 5 start-time now
    ip sla 6
    icmp-echo 10.70.0.200 source-interface GigabitEthernet0/0.178
    threshold 20
    frequency 120
    ip sla schedule 6 start-time now
    cdp source-interface GigabitEthernet0/0.112
    snmp-server community bamacomro RO
    snmp-server community bamacomrw RW
    control-plane
    banner motd ^CCC-----------------------------------------------------------------------------
    This system is solely for the use of authorised users for official purposes.
    You have no expectation of privacy in its use and to ensure that the system
    is functioning properly, individuals using this computer system are subject
    to having all their activities monitored and recorded by system personell.
    Use of this system evidence an express consent to such monitoring and
    agreement that if such monitoring reveals evidence of possible abuse or
    criminal activity, system personell may provide the result of such
    monitoring to appropiate officials.
    -----------------------------------------------------------------------------^C
    line con 0
    exec-timeout 5 0
    logging synchronous
    line aux 0
    line vty 0 4
    access-class telnet in
    exec-timeout 180 0
    logging synchronous
    transport input telnet ssh
    line vty 5 15
    access-class telnet in
    exec-timeout 180 0
    password 7 094F471A1A0A
    logging synchronous
    transport input telnet ssh
    scheduler allocate 20000 1000
    end

    I had that issue 1 year ago.
    "decrypted packet failed SA identity check" means that we have decrypted traffic that does not match the proxy ID negotiated.
    Juniper is violating RFC4301. There is nothing we can do against RFC violation.
    As mentioned in Section 4.4.1, "The Security Policy Database (SPD)",
    the SPD (or associated caches) MUST be consulted during the
    processing of all traffic that crosses the IPsec protection boundary,
    including IPsec management traffic.  If no policy is found in the SPD
    that matches a packet (for either inbound or outbound traffic), the
    packet MUST be discarded.
    I know JNPR can do 2 vpn modes. There is one where we could use a VTI instead of a crypto map on the Cisco side. That was the solution to the problem we had.
    Cheers,
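
The selector check the reply refers to, as an added example (not code from this thread, Cisco or Juniper): a packet that decrypts correctly is still dropped unless its inner addresses fall inside the proxy ID negotiated for that SA. The sketch parses lines in the format of the `VPN` access list posted above and assumes one SA pair per ACL entry; the function names and the sample host addresses are constructed for illustration.

```python
import ipaddress
from typing import List, NamedTuple

# Two entries copied from the "VPN" access list in the post above.
PAGE_ACL = """\
permit ip 192.168.178.0 0.0.0.255 172.30.1.0 0.0.0.255
permit ip 10.150.4.0 0.0.0.255 192.168.220.0 0.0.0.255 log
"""

# Constructed inner flows (inner source, inner destination) seen after decryption.
SAMPLE_FLOWS = [
    ("192.168.220.15", "10.150.4.10"),   # inside the SA's selector
    ("172.30.1.223", "192.168.178.20"),  # valid policy, but sent on the wrong SA
    ("192.168.221.15", "10.150.4.10"),   # peer uses a range no entry covers
]


class Selector(NamedTuple):
    """One crypto ACL entry, i.e. the proxy ID offered for one SA pair."""
    local: ipaddress.IPv4Network   # protected network behind this router
    remote: ipaddress.IPv4Network  # protected network behind the peer


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an IOS address/wildcard pair into a network.

    The wildcard is inverted explicitly, because ipaddress would otherwise
    guess whether a dotted mask is a netmask or a hostmask. Non-contiguous
    wildcards and addresses with host bits set raise ValueError.
    """
    inverted = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    netmask = ipaddress.IPv4Address(inverted)
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=True)


def parse_crypto_acl(text: str) -> List[Selector]:
    """Parse 'permit ip <src> <wildcard> <dst> <wildcard> [log]' lines."""
    selectors = []
    for raw in text.splitlines():
        tokens = raw.split()
        if tokens[:2] != ["permit", "ip"]:
            continue  # anything else (blank, remark, deny) is ignored in this sketch
        if len(tokens) < 6:
            raise ValueError(f"unsupported ACL line: {raw!r}")
        selectors.append(Selector(
            local=wildcard_to_network(tokens[2], tokens[3]),
            remote=wildcard_to_network(tokens[4], tokens[5]),
        ))
    return selectors


def inbound_verdict(sa: Selector, spd: List[Selector],
                    inner_src: str, inner_dst: str) -> str:
    """Decide what happens to a packet after it was decrypted on `sa`.

    Inbound traffic is mirrored: the inner source must sit behind the peer
    (sa.remote) and the inner destination behind this router (sa.local).
    """
    src = ipaddress.IPv4Address(inner_src)
    dst = ipaddress.IPv4Address(inner_dst)
    if src in sa.remote and dst in sa.local:
        return "accept"
    if any(src in s.remote and dst in s.local for s in spd):
        # A policy exists, but the peer sent the packet on a different SA.
        return "drop: outside negotiated proxy ID"
    return "drop: no SPD policy"


if __name__ == "__main__":
    spd = parse_crypto_acl(PAGE_ACL)
    sa = spd[1]  # SA negotiated for 10.150.4.0/24 <-> 192.168.220.0/24
    for src, dst in SAMPLE_FLOWS:
        print(f"{src:>15} -> {dst:<15} {inbound_verdict(sa, spd, src, dst)}")
```

Comparing the peer's configured proxy IDs against the parsed selectors this way shows which side is sending traffic outside the negotiated range before changing either end.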

  • Suspecting ESP 10 to fail in ASR1002

    ASR1002 Cisco doesn't recognise ESP 10 module. Log is attached. We need to decide whether the chassis is OK or it is also affected.
    We have conducted the following experiment: turned on the ASR1002 without ESP module and assigned 192.168.0.2 address to an interface.
    After that tried to ping 192.168.0.2 from outside, all pings have been lost.
    Does the ASR1002 have to respond on the interface without ESP module?
    subject to restrictions as set forth in subparagraph
    (c) of the Commercial Computer Software - Restricted
    Rights clause at FAR sec. 52.227-19 and subparagraph
    (c) (1) (ii) of the Rights in Technical Data and Computer
    Software clause at DFARS sec. 252.227-7013.
               cisco Systems, Inc.
               170 West Tasman Drive
               San Jose, California 95134-1706
    Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVENTERPRISEK9-M), Version 15.1(3)S1, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2011 by Cisco Systems, Inc.
    Compiled Sat 08-Oct-11 01:16 by mcpre
    Cisco IOS-XE software, Copyright (c) 2005-2011 by cisco Systems, Inc.
    All rights reserved.  Certain components of Cisco IOS-XE software are
    licensed under the GNU General Public License ("GPL") Version 2.0.  The
    software code licensed under GPL Version 2.0 is free software that comes
    with ABSOLUTELY NO WARRANTY.  You can redistribute and/or modify such
    GPL code under the terms of GPL Version 2.0.  For more details, see the
    documentation or "License Notice" file accompanying the IOS-XE software,
    or the applicable URL provided on the flyer accompanying the IOS-XE
    software.
    % failed to initialize nvram
    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to
    [email protected].
    cisco ASR1002 (2RU) processor with 1700171K/6147K bytes of memory.
    4 Gigabit Ethernet interfaces
    32768K bytes of non-volatile configuration memory.
    4194304K bytes of physical memory.
    7798783K bytes of eUSB flash at bootflash:.
             --- System Configuration Dialog ---
    Would you like to enter the initial configuration dialog? [yes/no]: no
    Press RETURN to get started!
    *Dec 12 16:40:24.348: %ASR1000_RP_NV-3-NV_ACCESS_FAIL: Initial read of NVRAM contents failed
    *Dec 12 16:40:31.211: %LINK-3-UPDOWN: Interface Lsmpi0, changed state to up
    *Dec 12 16:40:31.211: %LINK-3-UPDOWN: Interface EOBC0, changed state to up
    *Dec 12 16:40:31.211: %LINEPROTO-5-UPDOWN: Line protocol on Interface VoIP-Null0, changed state to up
    *Dec 12 16:40:31.212: %LINEPROTO-5-UPDOWN: Line protocol on Interface LI-Null0, changed state to up
    *Dec 12 16:40:31.212: %LINK-3-UPDOWN: Interface GigabitEthernet0, changed state to down
    *Dec 12 16:40:31.212: %LINK-3-UPDOWN: Interface LIIN0, changed state to up
    *Dec 12 16:40:31.350: %NETCLK-5-NETCLK_MODE_CHANGE: Network clock source not available. The network clock has changed to freerun
    *Dec 12 16:40:31.440: %ASR1000_MGMTVRF-6-CREATE_SUCCESS_INFO: Management vrf Mgmt-intf created with ID 1, ipv4 table-id 0x1, ipv6 table-id 0x1E000001
    *Dec 12 16:40:31.715: %DYNCMD-7-PKGINT_INSTALLED: The command package 'platform_trace' has been succesfully installed
    *Dec 12 16:40:33.429: %LINEPROTO-5-UPDOWN: Line protocol on Interface Lsmpi0, changed state to up
    *Dec 12 16:40:33.430: %LINEPROTO-5-UPDOWN: Line protocol on Interface EOBC0, changed state to up
    *Dec 12 16:40:33.430: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to down
    *Dec 12 16:40:33.430: %LINEPROTO-5-UPDOWN: Line protocol on Interface LIIN0, changed state to up
    *Dec 12 16:40:23.540: %IOSXE-5-PLATFORM: R0/0: xinetd[32286]: xinetd Version 2.3.14 started with no options compiled in.
    *Dec 12 16:40:23.554: %IOSXE-5-PLATFORM: R0/0: xinetd[32286]: Started working: 1 available service
    *Dec 12 16:40:34.225: %DYNCMD-7-CMDSET_LOADED: The Dynamic Command set has been loaded from the Shell Manager
    *Dec 12 16:40:58.021: %LINK-5-CHANGED: Interface GigabitEthernet0/0/0, changed state to administratively down
    *Dec 12 16:40:58.022: %LINK-5-CHANGED: Interface GigabitEthernet0/0/1, changed state to administratively down
    *Dec 12 16:40:58.022: %LINK-5-CHANGED: Interface GigabitEthernet0/0/2, changed state to administratively down
    *Dec 12 16:40:58.023: %LINK-5-CHANGED: Interface GigabitEthernet0/0/3, changed state to administratively down
    *Dec 12 16:40:58.023: %LINK-5-CHANGED: Interface GigabitEthernet0, changed state to administratively down
    *Dec 12 16:40:59.021: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/0, changed state to down
    *Dec 12 16:40:59.022: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/1, changed state to down
    *Dec 12 16:40:59.022: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/2, changed state to down
    *Dec 12 16:40:59.023: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/3, changed state to down
    *Dec 12 16:41:02.525: %ASR1000_OIR-6-REMSPA: SPA removed from subslot 0/0, interfaces disabled
    *Dec 12 16:41:02.527: %SPA_OIR-6-OFFLINECARD: SPA (4XGE-BUILT-IN) offline in subslot 0/0
    *Dec 12 16:41:02.531: %ASR1000_OIR-6-INSCARD: Card (fp) inserted in slot F0
    *Dec 12 16:41:02.532: %ASR1000_OIR-6-INSCARD: Card (cc) inserted in slot 0
    *Dec 12 16:41:02.532: %ASR1000_OIR-6-ONLINECARD: Card (cc) online in slot 0
    *Dec 12 16:41:02.536: %ASR1000_OIR-6-INSSPA: SPA inserted in subslot 0/0
    *Dec 12 16:41:02.743: %SYS-5-RESTART: System restarted --
    Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVENTERPRISEK9-M), Version 15.1(3)S1, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2011 by Cisco Systems, Inc.
    Compiled Sat 08-Oct-11 01:16 by mcpre
    *Dec 12 16:41:05.577: %SPA_OIR-6-ONLINECARD: SPA (4XGE-BUILT-IN) online in subslot 0/0
    Router>
    Router>en
    Router#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#in
    Router(config)#int
    Router(config)#interface lo
    Router(config)#interface loo
    Router(config)#interface loopback 0
    Router(config-if)#ip ad
    Router(config-if)#ip address 19
    *Dec 12 16:42:04.778: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up2.1
    Router(config-if)#ip address 192.168.0.1 255.255.255.0
    Router(config-if)#exit
    Router(config)#exit
    Router#sho
    Router#show run
    Router#show running-config int
    Router#show running-config interface 
    *Dec 12 16:42:18.204: %SYS-5-CONFIG_I: Configured from console by consolelo
    Router#show running-config interface lo0
    Router#show running-config interface loo
    Router#show running-config interface loopback 0
    Building configuration...
    Current configuration : 65 bytes
    interface Loopback0
     ip address 192.168.0.1 255.255.255.0
    end
    Router#ping 192.168.0.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
    Success rate is 0 percent (0/5)
    Router#sho
    Router#show in
    Router#show in
    Router#show inte
    Router#show interfaces lo
    Router#show interfaces loo
    Router#show interfaces loopback 0
    Loopback0 is up, line protocol is up 
      Hardware is Loopback
      Internet address is 192.168.0.1/24
      MTU 1514 bytes, BW 8000000 Kbit/sec, DLY 5000 usec, 
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation LOOPBACK, loopback not set
      Keepalive set (10 sec)
      Last input never, output never, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/0 (size/max)
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         0 packets input, 0 bytes, 0 no buffer
         Received 0 broadcasts (0 IP multicasts)
         0 runts, 0 giants, 0 throttles 
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
         0 packets output, 0 bytes, 0 underruns
         0 output errors, 0 collisions, 0 interface resets
         0 unknown protocol drops
         0 output buffer failures, 0 output buffers swapped out
    Router# 
    Router#
    *Dec 12 16:43:06.922: %TRANSCEIVER-6-INSERTED: SIP0/0: transceiver module inserted in GigabitEthernet0/0/0
    Router#sho
    Router#show run
    Router#show running-config in
    Router#show running-config interface gi0/0/
    % Incomplete command.
    Router#show running-config interface gi0/0 
    % Incomplete command.
    Router#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#in
    Router(config)#int
    Router(config)#interface gi0/0
    % Incomplete command.
    Router(config)#interface gi0/0/0
    Router(config-if)#no shu
    Router(config-if)#no shutdown 
    Router(config-if)#ip ad
    Router(config-if)#ip address 192.1
    *Dec 12 16:43:44.764: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/0, changed state to down68.2.
    *Dec 12 16:43:43.813: %LINK-3-UPDOWN: SIP0/0: Interface GigabitEthernet0/0/0, changed state to down1
    *Dec 12 16:43:47.440: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/0, changed state to up
    *Dec 12 16:43:46.437: %LINK-3-UPDOWN: SIP0/0: Interface GigabitEthernet0/0/0, changed state to up 
    *Dec 12 16:43:48.440: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/0, changed state to up
    Router(config-if)#ip address 192.168.2.1 255.255.255.0
    Router(config-if)#exit
    Router(config)#exit
    Router#sho
    Router#show run
    Router#show running-config int
    Router#show running-config interface 
    *Dec 12 16:43:56.015: %SYS-5-CONFIG_I: Configured from console by consolegi
    Router#show running-config interface gigabitEthernet 0/0/0
    Building configuration...
    Current configuration : 94 bytes
    interface GigabitEthernet0/0/0
     ip address 192.168.2.1 255.255.255.0
     negotiation auto
    end
    Router#ping 192.168.2.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
    Success rate is 0 percent (0/5)
    Router#sho
    Router#show in
    Router#show inte
    Router#show interfaces gi
    Router#show interfaces gigabitEthernet 0/0/0
    GigabitEthernet0/0/0 is up, line protocol is up 
      Hardware is 4XGE-BUILT-IN, address is 8843.e100.7300 (bia 8843.e100.7300)
      Internet address is 192.168.2.1/24
      MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec, 
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ARPA, loopback not set
      Keepalive not supported 
      Full Duplex, 1000Mbps, link type is auto, media type is LX
      output flow-control is off, input flow-control is off
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input never, output 00:00:27, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/40 (size/max)
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         17 packets input, 2015 bytes, 0 no buffer
         Received 0 broadcasts (0 IP multicasts)
         0 runts, 0 giants, 0 throttles 
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
         0 watchdog, 17 multicast, 0 pause input
         0 packets output, 0 bytes, 0 underruns
         0 output errors, 0 collisions, 4 interface resets
         0 unknown protocol drops
         0 babbles, 0 late collision, 0 deferred
         0 lost carrier, 0 no carrier, 0 pause output
         0 output buffer failures, 0 output buffers swapped out
    Router#sho
    Router#show pl
    Router#show platform 
    Chassis type: ASR1002             
    Slot      Type                State                 Insert time (ago) 
    0         ASR1002-SIP10       ok                    00:06:40      
     0/0      4XGE-BUILT-IN       ok                    00:03:56      
    R0        ASR1002-RP1         ok, active            00:06:40      
    F0                            unknown               00:06:40      
    P0        ASR1002-PWR-AC      ok                    00:05:28      
    P1        ASR1002-PWR-AC      ps, fail              00:05:28      
    Slot      CPLD Version        Firmware Version                        
    0         07120202            12.2(33r)XNC                        
    R0        08011017            12.2(33r)XNC                        
    F0        N/A                 N/A                                 
    Router#
    System Bootstrap, Version 12.2(33r)XNC, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 2009 by cisco Systems, Inc.
    Current image running: Boot ROM0
    Last reset cause: PowerOn
    Last reset at: Fri Dec 12 16:48:51 UTC 2014
    ASR1002-RP1 platform with 4194303 Kbytes of main memory
    Warning: filesystem is not clean
    Located asr1000rp1-adventerprisek9.03.04.01.S.151-3.S1.bin 
    Image size 312873272 inode num 13, bks cnt 76386 blk size 8*512
    Boot image size = 312873272 (0x12a61138) bytes
    Missing or illegal ip address for variable DEFAULT_GATEWAY
    Using midplane macaddr
    Missing or illegal ip address for variable IP_ADDRESS
    Missing or illegal ip address for variable IP_SUBNET_MASK
    Package header rev 0 structure detected
    Calculating SHA-1 hash...done
    validate_package: SHA-1 hash:
            calculated 61d80af0:032b96a1:6b3b2b5c:667f969a:ad8e4c9f
            expected   61d80af0:032b96a1:6b3b2b5c:667f969a:ad8e4c9f
    Image validated
    %IOSXEBOOT-4-FILESYS_ERRORS_CORRECTED: (rp/0): bootflash contained errors which were auto-corrected.
    % failed to initialize nvram
    cisco ASR1002 (2RU) processor with 1700171K/6147K bytes of memory.
    4 Gigabit Ethernet interfaces
    32768K bytes of non-volatile configuration memory.
    4194304K bytes of physical memory.
    7798783K bytes of eUSB flash at bootflash:.
             --- System Configuration Dialog ---
    Would you like to enter the initial configuration dialog? [yes/no]: 
    % Please answer 'yes' or 'no'.
    Would you like to enter the initial configuration dialog? [yes/no]: 
    % Please answer 'yes' or 'no'.
    Would you like to enter the initial configuration dialog? [yes/no]: no
    Press RETURN to get started!
    *Dec 12 16:52:16.032: %ASR1000_RP_NV-3-NV_ACCESS_FAIL: Initial read of NVRAM contents failed
    *Dec 12 16:52:24.113: %LINK-3-UPDOWN: Interface Lsmpi0, changed state to up
    *Dec 12 16:52:24.114: %LINK-3-UPDOWN: Interface EOBC0, changed state to up
    *Dec 12 16:52:24.114: %LINEPROTO-5-UPDOWN: Line protocol on Interface VoIP-Null0, changed state to up
    *Dec 12 16:52:24.115: %LINEPROTO-5-UPDOWN: Line protocol on Interface LI-Null0, changed state to up
    *Dec 12 16:52:24.11
    Router>5: %LINK-3-UPDOWN: Interface GigabitEthernet0, changed state to down
    *Dec 12 16:52:24.115: %LINK-3-UPDOWN: Interface LIIN0, changed state to up
    *Dec 12 16:52:24.361: %NETCLK-5-NETCLK_MODE_CHANGE: Network clock source not available. The network clock has changed to freerun
    *Dec 12 16:52:24.656: %ASR1000_MGMTVRF-6-CREATE_SUCCESS_INFO: Management vrf Mgmt-intf created with ID 1, ipv4 table-id 0x1, ipv6 table-id 0x1E000001
    *Dec 12 16:52:25.151: %LINEPROTO-5-UPDOWN: Line protocol on Interface Lsmpi0, changed state to up
    *Dec 12 16:52:25.152: %LINEPROTO-5-UPDOWN: Line protocol on Interface EOBC0, changed state to up
    *Dec 12 16:52:25.152: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to down
    *Dec 12 16:52:25.152: %LINEPROTO-5-UPDOWN: Line protocol on Interface LIIN0, changed state to up
    *Dec 12 16:52:25.546: %DYNCMD-7-PKGINT_INSTALLED: The command package 'platform_trace' has been succesfully installed
    *Dec 12 16:52:28.680: %DYNCMD-7-CMDSET_LOADED: The Dynamic Command set has been loaded from the Shell Manager
    *Dec 12 16:52:15.830: %IOSXE-5-PLATFORM: R0/0: xinetd[31943]: xinetd Version 2.3.14 started with no options compiled in.
    *Dec 12 16:52:15.844: %IOSXE-5-PLATFORM: R0/0: xinetd[31943]: Started working: 1 available service
    *Dec 12 16:52:50.090: %LINK-5-CHANGED: Interface GigabitEthernet0/0/0, changed state to administratively down
    *Dec 12 16:52:50.091: %LINK-5-CHANGED: Interface GigabitEthernet0/0/1, changed state to administratively down
    *Dec 12 16:52:50.091: %LINK-5-CHANGED: Interface GigabitEthernet0/0/2, changed state to administratively down
    *Dec 12 16:52:50.091: %LINK-5-CHANGED: Interface GigabitEthernet0/0/3, changed state to administratively down
    *Dec 12 16:52:50.092: %LINK-5-CHANGED: Interface GigabitEthernet0, changed state to administratively down
    *Dec 12 16:52:51.090: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/0, changed state to down
    *Dec 12 16:52:51.091: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/1, changed state to down
    *Dec 12 16:52:51.092: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/2, changed state to down
    *Dec 12 16:52:51.092: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/3, changed state to down
    *Dec 12 16:52:57.608: %ASR1000_OIR-6-REMSPA: SPA removed from subslot 0/0, interfaces disabled
    *Dec 12 16:52:57.609: %SPA_OIR-6-OFFLINECARD: SPA (4XGE-BUILT-IN) offline in subslot 0/0
    *Dec 12 16:52:57.613: %ASR1000_OIR-6-INSCARD: Card (cc) inserted in slot 0
    *Dec 12 16:52:57.613: %ASR1000_OIR-6-ONLINECARD: Card (cc) online in slot 0
    *Dec 12 16:52:57.615: %ASR1000_OIR-6-INSSPA: SPA inserted in subslot 0/0
    *Dec 12 16:52:57.819: %SYS-5-RESTART: System restarted --
    Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVENTERPRISEK9-M), Version 15.1(3)S1, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2011 by Cisco Systems, Inc.
    Compiled Sat 08-Oct-11 01:16 by mcpre
    *Dec 12 16:53:00.828: %SPA_OIR-6-ONLINECARD: SPA (4XGE-BUILT-IN) online in subslot 0/0
    Router>en
    Router#sho
    Router#show pla
    Router#show platform 
    Chassis type: ASR1002             
    Slot      Type                State                 Insert time (ago) 
    0         ASR1002-SIP10       ok                    00:02:40      
     0/0    

    Are you able to download and install other applications for your Mac?
    Try following along with this Apple doc -> Troubleshooting iTunes installation on Mac OS X
