IPS-4270 problem with FWSM

Hi,
I am facing a strange issue with the IPS 4270. As soon as I connect one interface of the IPS into any free port (default configs) on the 7609, after some time the FWSM stops forwarding traffic for around 5 to 10 minutes. I have never seen this type of problem before. During the problem I have noticed that the MSFC forwards traffic properly to other devices, but traffic across the FWSM halts for some time.
FWSM Code: 4.0(1)
IPS Code: 6.1(2)E3
FWSM Configs: Multiple Context configured
IPS Config: Only Interface Pairing configured.
Would appreciate any feedback on this.
Regards,
Akhtar


Similar Messages

  • Problem with FWSM and L3 interface in same switch

    I have two 6513s with an 802.1q trunk connecting them. Each switch has redundant Sup720s running in Native mode, IOS ver 12.2(18)SXF (they were initially running SXD3). A FWSM (ver 2.3(3), routed mode, single context) is in each switch, setup in failover mode.
    I can not get a PC, in a vlan that has the layer 3 interface defined on the switch with the active FWSM in it, to communicate with devices "behind" the FWSM. If I move the layer 3 configuration for that vlan to the other 6513, everything works fine.
    The MSFCs are on the inside of the firewall, they have a layer 3 interface configured in the same vlan as the FWSM "inside" interface. Several "same security level" interfaces are defined on the FWSM and used to protect server farms. I am using OSPF on the MSFCs and FWSM and the routing table is correct.
    The FWSM builds connections for attempts made by the PC with the layer 3 interface defined on the same switch as the active FWSM just fine, so this is not a FWSM ACL problem.
    A ping of the FWSM "inside" interface from a PC with the layer 3 interface defined on the same switch as the active FWSM fails, even though debug icmp trace on the FWSM shows the request and the response. A packet capture, using the NAM-2, shows only the request packets. I have captured on the common vlan and the FWSM backplane port channel interface.
    Just to add to the confusion, if I capture in the same places, but do the ping from a PC that is in a vlan with the layer 3 interface defined in the 6513 that does not contain the active FWSM, which works fine, I see the request and reply on the common vlan capture, but only the request on the port channel capture.
    This problem has been there from the beginning of this implementation and has not changed with IOS and FWSM software upgrades. I have experienced this with any and all vlans that I tried to define the layer 3 interface for on the switch with the active FWSM. I have MLS turned on.
    If anyone else has experienced this and solved it, or knows what is going on, I would appreciate any insight.
    Thanks.
    Keith

    I will have to get setup to record more data, but I do know the FWSM showed a ping request and a ping reply at the "inside" interface.
    I believe my problem is related to the IOS command "firewall multiple-vlan-interfaces" which I put in place to allow IPX traffic to be brought around the FWSM. The little documentation that there is for this command, states that policy routing may need to be implemented to prevent ip packets from going around the firewall. I do not have any policy routing in place.
    I also do not have any active layer three interfaces defined for any of the vlans assigned to the firewall except the "inside" interface. So my reasoning was that I did not need to be concerned about ip packets having a way around the FWSM. My suspicion is that this command and the fact that I have mls on is causing some type of a problem which results in the packet being "lost" when it needs to be going through the MSFC in the switch with the active FWSM to get to the PC. Hopefully that makes some sense.
    Do you have any idea where better documentation on using the "firewall multiple-vlan-interfaces" may be, or a better explanation of all that is happening inside the switch when that command is used?
    Thanks.

  • Problem with FWSM 4.1

    Hi,
    I have MARS v6.0.6. The problem is: the FWSM option is not available in Add Module (Admin > System Setup > Sec & monitor device > add); only IOS, ASAs and PIX are available. The FWSM version is 4.1.
    Appreciate your comments,
    jorge

    Hello Jorge
    You have to add the module using the 'host switch' (6500 Series) on which the module is installed, as mentioned in the device config guide:
    •If you are adding an FWSM, you must be on the main page of the Cisco switch to which you are adding it. On that page, click Add Module, and select one of the following options from the Device Type list:
    –Cisco FWSM 1.1
    –Cisco FWSM 2.2
    –Cisco FWSM 2.3
    –Cisco FWSM 3.1
    –Cisco FWSM 3.2
    If your exact version is not listed, select the latest one listed on the MARS GUI interface.
    Please see the following link for more details:
    http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/device/configuration/guide/cfgFwall.html
    Please rate if the input provided is helpful; Regards
    Farrukh

  • Cisco ips 4270 unequal cpu utilization

    I have 2 Cisco IPS 4270 devices with IOS version 7.0(2)E4. When monitoring through IPS Manager, I am able to see 4 CPUs.
    On CPU 1 the utilization is showing near 100 percent. CPU 2 is showing zero or very little utilization. CPU 3 & CPU 4 are showing average utilization, nearly equal to 40 percent.
    I wonder why I am getting zero percent CPU utilization on CPU 2 and 100 percent utilization on CPU 1?
    Can we distribute the load among the four CPUs?
    Hey Cisco folks, please help.

    This was mentioned in a previous post, specifically the reply by Scott Fringer.  Post here:
    https://supportforums.cisco.com/message/3065777#3065777
    In Scott's post, he quoted the E3 engine release notes regarding CPU utilization (highlighting mine):
    The E3 signature engine update contains changes from CSCsu77935
    The resolution of this defect modified the idle time algorithm of the sensor by applying additional CPU to polling of the NICs to decrease the polling interval and reduce latency. This results in the CPU usage being reported higher than in previous releases, including using external tools such as top and ps.
    You can notice this additional CPU load on single-CPU platforms, as well as the primary CPU of multi-core systems. Since the additional CPU load that is reported while polling is actually available to process packets, and reduces as inspection load goes up, it does not negatively affect the overall throughput of the IPS.
    So, what you are seeing should be considered normal, and doesn't need correction.  That is, unless you are seeing packet loss.

  • Problem with Failover FWSM (With Multiple Context)

    Dear All,
    I have 2 Catalyst 6500 with FWSM modules; the Catalyst and FWSM are redundant. FWSM with multiple contexts.
    I had done the Catalyst 6500, but when I try to add (Admin -> Security and Monitor Devices) the module with the FWSM context it is always an error.
    I add this context in the active context.
    This is the error message when I try to add the FWSM on MARS.
    The first one;
    expect: spawn id exp3 not open
    while executing
    "expect -nobrace {<--- More --->} {
    send_user "\n"
    send -- " "
    exp_continue
    } {assword: } {
    s..."
    invoked from within
    "expect {
    "<--- More --->" {
    send_user "\n"
    send -- " "
    exp_continue
    "assword: " {
    (file "./sshpix7x.exp" line 105)
    st_key
    the second:
    invoked from within
    "expect {
    "<--- More --->" {
    send_user "\n"
    send -- " "
    exp_continue
    "assword: " {
    (file "./sshpix7x.exp" line 105)
    st_key
    and sometime:
    spawn ssh -c 3des -l siem-mars 10.x.x.x
    Connection timed out
    For Information :
    The FWSM Firewall Version 4.0(6)
    and,
    CSMAERS-200
    Product Version               :    6.0.6 ( 3368 )
    Data Package Version     :     35
    IPS Signature Version     :     454
    IPS Custom Signature Version     :     0
    Anyone can help me please...
    Thanks b4,
    Best Regards,
    Naga

    Hi Teck Yong Ng,
    I am not sure about your problem, but normally what happens when we install two databases on the same host is there will be conflict between the ports connecting to the database.
    In your case the second system database might also have the same port number which you have for the first system. That is why I think you are facing this issue.
    Try to look at the port numbers.
    Regards,
    Bharath Kumar.K
    Message was edited by:
            Bharath Kumar K

  • Problem with IPS-sig-S224

    I'm experiencing an issue updating my IDSM-2's. I'm currently at 5.1(1p1)S223.0V1.0, I tried applying the latest signatures (S224), but failed and got the following message:
    "Exception during sensor reimaging: Timed out while waiting for sensor to come up for SENSOR. Erorr(s) encountered during sensor update, this sensor update is aborted"
    I tried it again on another sensor and got the same result. In both cases, the sensors became unresponsive and couldn't even reboot them from IPS MC, IDM, CLI.
    Is anyone else having issues with the latest S224.

    Same or similar problem with S224 for 5.1d on IPS 4240. I can see the package update script running on a sensor; it never quits. A sensor reboot from the shell helps; the sensor reports 224 after reboot and works normally.

  • IPS 4270 with 6509 VSS in Promiscous mode

    Dear all,
    I am trying to figure out how to configure 2x IPS 4270 in promiscuous mode with Cisco 6509 VSS:
    I have attached the LLD core datacenter design including the IPS physical placement in my network.
    The following points are my concerns in this design:
    Shall I connect each of the IPS 4270s into VSS Chassis A and B, or keep each IPS connected to a different chassis? (considering the SPAN port configuration on VSS and whether I could encounter an asymmetric routing issue or not).
    Can I use Etherchannel in either case (keep in mind it's promiscuous mode)? That means the destination interface on the VSS will be an Etherchannel interface, but does the Cisco IPS 4270 support Etherchannel while in promiscuous mode?
    I really appreciate your input on this matter guys.
    Cheers
    Mohammed Khair

    Hi,
    1. You can connect each IPS into Chassis A and B; that is not a problem. But while configuring the RSPAN, the monitor from A to B and B to A should monitor both VLANs (I mean RSPAN A and B and also vice versa in your config; then it will give both outputs even if connectivity between the IPS and one chassis fails).
    2. The IPS supports Etherchannel while in promiscuous mode as well.

  • Problem using static IPs on PCs with BT Home Hub 2

    Hi
    Have today just been upgraded to BT Infinity using the new VDSL modem and BT Home Hub.
    I have a server running Ubuntu and several PCs and laptops, mostly connected via ethernet.
    Prior to the upgrade I was using the 10.x.x.x range for the network with most of the devices using static IPs.  However, it seems that the 10.* range is not acceptable when configuring the IP address and Subnet mask on the Home Hub.  Great! .... Not.
    Anyway, so decided to switch to using the 192.168.x.x range (subnet 255.255.0.0).  Have configured the router as .1.1 and my server as .3.1.  However, the server is unable to ping virtually all sites on the Internet (I say all as some times www.google.com works ok.)
    Also all PCs will not work with static IP configurations (using IPs like .4.1, .5.1, etc.).  The only way I can get the PCs and laptops to work is to use the DHCP setting (Obtain IP from server).  This is configured on the home hub as .100.1 - .100.254
    I really need the PCs and laptops to work with static IPs.
    Am I missing something or is this a known problem with the Home Hub?  It seems that the Home Hub will only connect to the Internet if it is configured to grab an IP from DHCP on the Home Hub.
    Thanks for any help in advance.
    Sarah

    Ok.  I think I have found a work-around for this, which shows that the problem is the BT home hub.
    Delete all the devices showing on the hub (in the Advanced Settings).
    Configure each PC with a static IP address with the required IP. Reboot the PC.  After logging in, go to the router and enter the device showing in the home hub and set the device so that it always uses the IP address (as it will have registered the IP - even though it is outside the DHCP range).  Save this.  Go back to the PC and reconfigure the network settings to use DHCP and reboot the PC.  The PC will then continue to re-use the original IP address, which allows this to be used as a static IP address, thus allowing it to be used for apps that need to have a fixed IP.
    Repeat for each PC.
    Although this works I have a feeling that the IPs used may only be retained as long as the home hub is not rebooted.
    It shows that it is possible to use "static" IPs outside the 192.168.1.* range and outside the DHCP range (I was using 192.168.100.* and it worked ok).  Therefore there is no reason why this should not work as static IPs, other than that the firmware on the home hub does not allow it.  What rubbish.
    I cannot wait until some of the other manufacturers (like Linksys, Netgear, Belkin) jump on the VDSL bandwagon and produce compatible routers.
    Regards
    Sarah

  • Firefox 5 prevents my Symantec IPS 2.0: any problem with AV?

    I'm seeing a Firefox message that FF5.0 is not compatible with Symantec IPS 2.0. Norton AV is my anti-viral program. Is its function altered by my using FireFox 5.0?

    Airport Utility 5.3.2 is quite harmless. More people having problem with OS X 10.5.3 update, which is making the AirDisk very slow and unresponsive. I end up re-formating the USB hard disk to solve the problem.

  • IPS 4270 placement @ Internet Edge

    Given that I have the same topology as shown in Internet Edge Cisco IPS Design Best Practices, and I am basically inserting a 4270 appliance in INLINE mode.
    Core and Distribution Switch  = Layer-3 routed links
    Distribution Switch and ASA = Layer-2 access port
    I'm wondering how the IPS sensors should be configured? I think I understand the methods below, but since my Core/Distribution links are layer-3, I'm not sure which method is going to work since most require two VLANs ...
    1. Interface Pairing
    2. VLAN Pairing
    3. VLAN Group
    Anyone has same experience?
    Thanks in advance ...
    Gerard

    I have a 4270-20 positioned at the edge of my network.  It sits between the outside of the firewall and our Internet router.  The only problem with this model is that it makes tracking down threats very difficult, as the only thing you will ever see are the NAT'd public IPs for all your traffic.
    To get around this limitation, we created an additional interface in promiscuous mode and we SPAN the traffic on the link between our core switch and the internal interface of our firewall to it.  This gives us complete outside protection and inside visibility.  This is still not an ideal setup and we are in the process of re-architecting our internal traffic so that we can run two in-line pairs on the IPS.  One internal, and one external.
    The best way to go, is having the IPS in the firewall itself, but throughput on firewalls is often a concern, and unfortunately for Cisco, quite a limitation.

  • Two Cisco ASA 5505, IPSec Multiple Subnets, Problem with Phase2, DSL

    Hi all.
    we have following IPSec configuration:
    ASA Site 1:
    Cisco Adaptive Security Appliance Software Version 9.1(1)
    crypto ipsec ikev1 transform-set TSAES esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set TSMD5 esp-3des esp-md5-hmac
    crypto ipsec ikev2 ipsec-proposal PropAES256
    access-list SITE_2 extended permit ip 172.27.0.0 255.255.0.0 172.27.97.0 255.255.255.0
    access-list SITE_2 extended permit ip 172.28.60.0 255.255.254.0 172.27.97.0 255.255.255.0
    access-list SITE_2 extended permit ip 172.22.0.0 255.255.0.0 172.27.97.0 255.255.255.0
    access-list SITE_2 extended permit ip 172.27.0.0 255.255.0.0 172.27.99.0 255.255.255.0
    access-list SITE_2 extended permit ip 172.22.0.0 255.255.0.0 172.27.99.0 255.255.255.0
    crypto map CMVPN 5 match address SITE_2
    crypto map CMVPN 5 set peer IP_SITE2
    crypto map CMVPN 5 set ikev2 ipsec-proposal PropAES256
    crypto map CMVPN interface OUTSIDE
    route OUTSIDE 172.27.97.0 255.255.255.0 citic-internet-gw 255
    route OUTSIDE 172.27.99.0 255.255.255.0 citic-internet-gw 255
    tunnel-group IP_SITE2 type ipsec-l2l
    tunnel-group IP_SITE2 general-attributes
    default-group-policy VPN_S2S_WAN
    tunnel-group IP_SITE2 ipsec-attributes
    ikev2 remote-authentication pre-shared-key *****
    ikev2 local-authentication pre-shared-key *****
    ASA Site 2:
    Cisco Adaptive Security Appliance Software Version 9.1(4)
    access-list SITE_1 extended permit ip 172.27.97.0 255.255.255.0 172.28.60.0 255.255.254.0
    access-list SITE_1 extended permit ip 172.27.97.0 255.255.255.0 172.27.0.0 255.255.0.0
    access-list SITE_1 extended permit ip 172.27.97.0 255.255.255.0 172.22.0.0 255.255.0.0
    access-list SITE_1 extended permit ip 172.27.99.0 255.255.255.0 172.27.0.0 255.255.0.0
    access-list SITE_1 extended permit ip 172.27.99.0 255.255.255.0 172.22.0.0 255.255.0.0
    crypto map CMVPN 10 match address SITE_1
    crypto map CMVPN 10 match address SITE_1
    crypto map CMVPN 10 set peer IP_SITE1
    crypto map CMVPN 10 set ikev2 ipsec-proposal IKEV2AES
    crypto map CMVPN 10 set reverse-route
    crypto map CMVPN interface OUTSIDE
    tunnel-group IP_SITE1 type ipsec-l2l
    tunnel-group IP_SITE1 general-attributes
    default-group-policy VPN_S2S_WAN
    tunnel-group IP_SITE1 ipsec-attributes
    ikev2 remote-authentication pre-shared-key *****
    ikev2 local-authentication pre-shared-key *****
    We are not able to reach 172.27.99.x from 172.22.20.x IPs.
    It seems that the phase 2 for this subnet is missing... as long as we try to reach any IP in 172.22.20.x from 172.27.99.x.
    We are using a similar configuration on many sites and it works correctly except sites with a DSL line.
    We can exclude problems with NAT, ACL or routing. The connection works fine as long as “we open all phase 2 manually”. After the tunnel re-opens (idle timeout) the problem comes back.
    Thanks in advance for your help.
    Regards.
    Jan
    ASA Site 1# sh vpn-sessiondb detail l2l filter ipaddress ASA Site 2
    Session Type: LAN-to-LAN Detailed
    Connection   : IP ASA Site 2
    Index        : 3058                   IP Addr      : IP ASA Site 2
    Protocol     : IKEv2 IPsec
    Encryption   : IKEv2: (1)AES256  IPsec: (3)AES256
    Hashing      : IKEv2: (1)SHA512  IPsec: (3)SHA1
    Bytes Tx     : 423634                 Bytes Rx     : 450526
    Login Time   : 19:59:35 HKT Tue Apr 29 2014
    Duration     : 1h:50m:45s
    IKEv2 Tunnels: 1
    IPsec Tunnels: 3
    IKEv2:
      Tunnel ID    : 3058.1
      UDP Src Port : 500                    UDP Dst Port : 500
      Rem Auth Mode: preSharedKeys
      Loc Auth Mode: preSharedKeys
      Encryption   : AES256                 Hashing      : SHA512
      Rekey Int (T): 86400 Seconds          Rekey Left(T): 79756 Seconds
      PRF          : SHA512                 D/H Group    : 5
      Filter Name  :
      IPv6 Filter  :
    IPsec:
      Tunnel ID    : 3058.2
      Local Addr   : 172.22.0.0/255.255.0.0/0/0
      Remote Addr  : 172.27.97.0/255.255.255.0/0/0
      Encryption   : AES256                 Hashing      : SHA1
      Encapsulation: Tunnel
      Rekey Int (T): 28800 Seconds          Rekey Left(T): 22156 Seconds
      Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607648 K-Bytes
      Idle Time Out: 25 Minutes             Idle TO Left : 24 Minutes
      Bytes Tx     : 312546                 Bytes Rx     : 361444
      Pkts Tx      : 3745                   Pkts Rx      : 3785
    IPsec:
      Tunnel ID    : 3058.3
      Local Addr   : 172.27.0.0/255.255.0.0/0/0
      Remote Addr  : 172.27.97.0/255.255.255.0/0/0
      Encryption   : AES256                 Hashing      : SHA1
      Encapsulation: Tunnel
      Rekey Int (T): 28800 Seconds          Rekey Left(T): 22165 Seconds
      Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607952 K-Bytes
      Idle Time Out: 25 Minutes             Idle TO Left : 24 Minutes
      Bytes Tx     : 50014                  Bytes Rx     : 44621
      Pkts Tx      : 496                    Pkts Rx      : 503
    IPsec:
      Tunnel ID    : 3058.4
      Local Addr   : 172.27.0.0/255.255.0.0/0/0
      Remote Addr  : 172.27.99.0/255.255.255.0/0/0
      Encryption   : AES256                 Hashing      : SHA1
      Encapsulation: Tunnel
      Rekey Int (T): 28800 Seconds          Rekey Left(T): 22324 Seconds
      Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607941 K-Bytes
      Idle Time Out: 25 Minutes             Idle TO Left : 24 Minutes
      Bytes Tx     : 61074                  Bytes Rx     : 44461
      Pkts Tx      : 402                    Pkts Rx      : 437
    NAC:
      Reval Int (T): 0 Seconds              Reval Left(T): 0 Seconds
      SQ Int (T)   : 0 Seconds              EoU Age(T)   : 6648 Seconds
      Hold Left (T): 0 Seconds              Posture Token:
      Redirect URL :
    ....  after ping from 172.27.99.x any ip in 172.22.20.x.
    ASA Site 1# sh vpn-sessiondb detail l2l filter ipaddress ASA Site 2
    Session Type: LAN-to-LAN Detailed
    Connection   : IP ASA Site 2
    Index        : 3058                   IP Addr      : IP ASA Site 2
    Protocol     : IKEv2 IPsec
    Encryption   : IKEv2: (1)AES256  IPsec: (4)AES256
    Hashing      : IKEv2: (1)SHA512  IPsec: (4)SHA1
    Bytes Tx     : 784455                 Bytes Rx     : 1808965
    Login Time   : 19:59:35 HKT Tue Apr 29 2014
    Duration     : 2h:10m:48s
    IKEv2 Tunnels: 1
    IPsec Tunnels: 4
    IKEv2:
      Tunnel ID    : 3058.1
      UDP Src Port : 500                    UDP Dst Port : 500
      Rem Auth Mode: preSharedKeys
      Loc Auth Mode: preSharedKeys
      Encryption   : AES256                 Hashing      : SHA512
      Rekey Int (T): 86400 Seconds          Rekey Left(T): 78553 Seconds
      PRF          : SHA512                 D/H Group    : 5
      Filter Name  :
      IPv6 Filter  :
    IPsec:
      Tunnel ID    : 3058.2
      Local Addr   : 172.22.0.0/255.255.0.0/0/0
      Remote Addr  : 172.27.97.0/255.255.255.0/0/0
      Encryption   : AES256                 Hashing      : SHA1
      Encapsulation: Tunnel
      Rekey Int (T): 28800 Seconds          Rekey Left(T): 20953 Seconds
      Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4606335 K-Bytes
      Idle Time Out: 25 Minutes             Idle TO Left : 24 Minutes
      Bytes Tx     : 652492                 Bytes Rx     : 1705136
      Pkts Tx      : 7419                   Pkts Rx      : 7611
    IPsec:
      Tunnel ID    : 3058.3
      Local Addr   : 172.27.0.0/255.255.0.0/0/0
      Remote Addr  : 172.27.97.0/255.255.255.0/0/0
      Encryption   : AES256                 Hashing      : SHA1
      Encapsulation: Tunnel
      Rekey Int (T): 28800 Seconds          Rekey Left(T): 20962 Seconds
      Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607942 K-Bytes
      Idle Time Out: 25 Minutes             Idle TO Left : 24 Minutes
      Bytes Tx     : 60128                  Bytes Rx     : 52359
      Pkts Tx      : 587                    Pkts Rx      : 594
    IPsec:
      Tunnel ID    : 3058.4
      Local Addr   : 172.27.0.0/255.255.0.0/0/0
      Remote Addr  : 172.27.99.0/255.255.255.0/0/0
      Encryption   : AES256                 Hashing      : SHA1
      Encapsulation: Tunnel
      Rekey Int (T): 28800 Seconds          Rekey Left(T): 21121 Seconds
      Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607931 K-Bytes
      Idle Time Out: 25 Minutes             Idle TO Left : 24 Minutes
      Bytes Tx     : 70949                  Bytes Rx     : 50684
      Pkts Tx      : 475                    Pkts Rx      : 514
    IPsec:
      Tunnel ID    : 3058.5
      Local Addr   : 172.22.0.0/255.255.0.0/0/0
      Remote Addr  : 172.27.99.0/255.255.255.0/0/0
      Encryption   : AES256                 Hashing      : SHA1
      Encapsulation: Tunnel
      Rekey Int (T): 28800 Seconds          Rekey Left(T): 28767 Seconds
      Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4608000 K-Bytes
      Idle Time Out: 25 Minutes             Idle TO Left : 24 Minutes
      Bytes Tx     : 961                    Bytes Rx     : 871
      Pkts Tx      : 17                     Pkts Rx      : 14
    NAC:
      Reval Int (T): 0 Seconds              Reval Left(T): 0 Seconds
      SQ Int (T)   : 0 Seconds              EoU Age(T)   : 7852 Seconds
      Hold Left (T): 0 Seconds              Posture Token:
      Redirect URL :
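    On an ASA each crypto ACL entry becomes its own child SA, negotiated only when traffic matches that entry, so a selector pair that has seen no traffic since the idle timeout simply shows no IPsec tunnel. The check below, added here as an example and not code from the post or from Cisco, parses the post's crypto ACLs and the selector lines of its two `show vpn-sessiondb` captures (trimmed, constructed sample input) to list which ACL entries have no matching child SA and whether the two sites' ACLs mirror each other. The parsing assumes the `Local Addr / Remote Addr` lines keep the addr/mask/proto/port layout shown in the post.

```python
"""Compare crypto-ACL selector pairs with the child SAs reported by
`show vpn-sessiondb detail l2l`. Added example; ACL lines and selector
lines are copied from the post, the parsing is ours."""
import ipaddress
import re

CRYPTO_ACL_SITE1 = """\
access-list SITE_2 extended permit ip 172.27.0.0 255.255.0.0 172.27.97.0 255.255.255.0
access-list SITE_2 extended permit ip 172.28.60.0 255.255.254.0 172.27.97.0 255.255.255.0
access-list SITE_2 extended permit ip 172.22.0.0 255.255.0.0 172.27.97.0 255.255.255.0
access-list SITE_2 extended permit ip 172.27.0.0 255.255.0.0 172.27.99.0 255.255.255.0
access-list SITE_2 extended permit ip 172.22.0.0 255.255.0.0 172.27.99.0 255.255.255.0
"""

CRYPTO_ACL_SITE2 = """\
access-list SITE_1 extended permit ip 172.27.97.0 255.255.255.0 172.28.60.0 255.255.254.0
access-list SITE_1 extended permit ip 172.27.97.0 255.255.255.0 172.27.0.0 255.255.0.0
access-list SITE_1 extended permit ip 172.27.97.0 255.255.255.0 172.22.0.0 255.255.0.0
access-list SITE_1 extended permit ip 172.27.99.0 255.255.255.0 172.27.0.0 255.255.0.0
access-list SITE_1 extended permit ip 172.27.99.0 255.255.255.0 172.22.0.0 255.255.0.0
"""

# Selector lines of the first capture (3 IPsec tunnels, before the ping).
SESSION_BEFORE = """\
IPsec:
  Tunnel ID    : 3058.2
  Local Addr   : 172.22.0.0/255.255.0.0/0/0
  Remote Addr  : 172.27.97.0/255.255.255.0/0/0
IPsec:
  Tunnel ID    : 3058.3
  Local Addr   : 172.27.0.0/255.255.0.0/0/0
  Remote Addr  : 172.27.97.0/255.255.255.0/0/0
IPsec:
  Tunnel ID    : 3058.4
  Local Addr   : 172.27.0.0/255.255.0.0/0/0
  Remote Addr  : 172.27.99.0/255.255.255.0/0/0
"""

# Second capture (4 IPsec tunnels): tunnel 3058.5 came up after the ping.
SESSION_AFTER = SESSION_BEFORE + """\
IPsec:
  Tunnel ID    : 3058.5
  Local Addr   : 172.22.0.0/255.255.0.0/0/0
  Remote Addr  : 172.27.99.0/255.255.255.0/0/0
"""

ACL_RE = re.compile(r"access-list \S+ extended permit ip ([\d.]+) ([\d.]+) ([\d.]+) ([\d.]+)")
ADDR_RE = re.compile(r"(Local|Remote) Addr\s*:\s*([\d.]+)/([\d.]+)/\d+/\d+")


def net(addr, mask):
    # ipaddress accepts a dotted netmask; strict=False tolerates host bits.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def acl_selectors(acl_text):
    """(local, remote) network pairs the crypto ACL will try to negotiate."""
    return {(net(a, am), net(b, bm)) for a, am, b, bm in ACL_RE.findall(acl_text)}


def session_selectors(show_text):
    """(local, remote) pairs of the child SAs currently up."""
    pairs, local = set(), None
    for side, addr, mask in ADDR_RE.findall(show_text):
        if side == "Local":
            local = net(addr, mask)
        elif local is not None:
            pairs.add((local, net(addr, mask)))
            local = None
    return pairs


def fmt(pairs):
    return sorted((str(l), str(r)) for l, r in pairs)


def missing_child_sas(acl_text, show_text):
    """ACL selector pairs with no matching child SA, as sorted string tuples."""
    return fmt(acl_selectors(acl_text) - session_selectors(show_text))


def mirror_mismatch(acl_a, acl_b):
    """Entries of either ACL whose mirror image is absent from the other."""
    a = acl_selectors(acl_a)
    b = {(r, l) for l, r in acl_selectors(acl_b)}
    return fmt(a - b), fmt(b - a)


if __name__ == "__main__":
    print("missing before ping:", missing_child_sas(CRYPTO_ACL_SITE1, SESSION_BEFORE))
    print("missing after ping: ", missing_child_sas(CRYPTO_ACL_SITE1, SESSION_AFTER))
    print("ACL mirror mismatch:", mirror_mismatch(CRYPTO_ACL_SITE1, CRYPTO_ACL_SITE2))
```

    Run against the post's data, the mirror check comes back empty (the two ACLs are exact mirrors, which agrees with the poster ruling out an ACL problem), the first capture is missing both the 172.22.0.0/16 to 172.27.99.0/24 pair and the 172.28.60.0/23 pair, and after the ping only the 172.28.60.0/23 pair is still absent. The pattern, selectors that appear only once traffic is initiated from one side, points at phase 2 not being triggered from the other side rather than at the ACLs themselves.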

    Hi,
    On 212 I see
    tunnel-group 195.xxx.xxx.xxx type ipsec-l2l
    tunnel-group 195.xxx.xxx.xxx ipsec-attributes
    pre-shared-key
    When you define the peer with a static tunnel-group entry, the ASA looks for the peer configuration in a static crypto map. If the peer is behind static NAT, configure a proper static crypto map with a matching ACL and proposals.
    If the peer is behind dynamic NAT, refer to this example: http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/81883-ipsec-iosrtr-dyn-pix-nat.html
    Regards,
    Abaji.

  • Problem with DNS resolution

    Hi All,
    I am facing a strange problem with the name resolution in mac os x. I have a Lan with a cisco switch and a cisco router that serves as DHCP and DNS server.
    In the router I have set up some static host names with the relevant IPs in the local LAN. Whenever I try to ping or browse from within OS X using the names, I get an "unknown host" error. The problem is only with the static hosts I have set up.  The strange part is that nslookup and dig return the correct IP as assigned in the Cisco router.  When I use my iPhone or iPad everything works fine.
    Any help would be appreciated.

    Hi Barsam, did you solve this issue?
    I have something similar happening to me. I can ping, traceroute, nslookup, even use Entourage to send and receive emails, but can't browse the web with any browser (Safari, Firefox and Chrome).
    Last night Firefox was working; today I upgraded to the latest Firefox version and now Firefox stops working, saying that it can't resolve the name, the same error as Safari and Chrome.
    I flushed the cache, rebooted, manually entered DNS, changed DNS servers to public ones, but still can't surf the web.

  • [SOLVED] Problem with netctl and dhcpcd

    Hi everybody,
    I had a problem with netctl and dhcpcd.
    I was using netctl and wifi-menu to connect to wireless networks with DHCP.
    It worked fine at home, then I went to a friend where it also worked, but then I went back home and it failed at every try with these error messages:
    dhcpcd[2718]: version 6.0.5 starting
    dhcpcd[2718]: wlp9s0: rebinding lease of 192.168.1.154
    dhcpcd[2718]: wlp9s0: reject NAK via 192.168.178.1
    dhcpcd[2718]: wlp9s0: soliciting a DHCP lease
    dhcpcd[2718]: wlp9s0: offered 192.168.178.44 from 192.168.178.1
    dhcpcd[2718]: timed out
    network[2659]: DHCP IP lease attempt failed on interface 'wlp9s0'
    systemd[1]: netctl@wlp9s0\xxx.service: main process exited, code=exited, status=1/FAILURE
    systemd[1]: Failed to start Automatically generated profile by wifi-menu.
    systemd[1]: Unit [email protected] entered failed state.
    I figured that dhcpcd tried to rebind an ip that my router rejected and didn't accept the ip that it offered instead.
    The solution was to delete:
    /var/lib/dhcpcd/dhcpcd-wlp9s0.lease
    Now how can I configure netctl and/or dhcpcd so that this won't happen again and it accepts all IPs offered by routers?
    Last edited by Samy (2013-09-04 13:32:13)
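    The failure signature in the log above is a rebind of a lease from one network (192.168.1.x) while the server now answering lives on another (192.168.178.x), a NAK, an offer that is never bound, and a timeout. The script below, added here as an example and not part of the post or of dhcpcd, walks dhcpcd journal lines and flags exactly that combination so the stale lease file can be spotted before the next profile start fails. The log lines are copied from the post as constructed sample input; the /24 used to compare the two networks and the lease-file path pattern are assumptions (the path follows the one the post deleted).

```python
"""Detect a dhcpcd rebind of a stale lease from a different network.
Added example; log lines copied from the post, logic is ours."""
import ipaddress
import re

SAMPLE_LOG = """\
dhcpcd[2718]: version 6.0.5 starting
dhcpcd[2718]: wlp9s0: rebinding lease of 192.168.1.154
dhcpcd[2718]: wlp9s0: reject NAK via 192.168.178.1
dhcpcd[2718]: wlp9s0: soliciting a DHCP lease
dhcpcd[2718]: wlp9s0: offered 192.168.178.44 from 192.168.178.1
dhcpcd[2718]: timed out
"""

# Constructed healthy run for contrast: the rebind is simply acknowledged.
HEALTHY_LOG = """\
dhcpcd[2718]: wlp9s0: rebinding lease of 192.168.1.154
dhcpcd[2718]: wlp9s0: leased 192.168.1.154 for 86400 seconds
"""

EVENT_RE = re.compile(
    r"dhcpcd\[\d+\]: (?P<iface>\S+): "
    r"(?:rebinding lease of (?P<rebind>[\d.]+)"
    r"|reject NAK via (?P<nak>[\d.]+)"
    r"|offered (?P<offer>[\d.]+) from (?P<server>[\d.]+)"
    r"|leased (?P<leased>[\d.]+) for \d+ seconds)"
)
TIMEOUT_RE = re.compile(r"dhcpcd\[\d+\]: timed out")


def parse_events(log_text):
    """Collect the last rebind/NAK/offer/lease seen per interface,
    plus whether dhcpcd gave up with 'timed out'."""
    state, timed_out = {}, False
    for line in log_text.splitlines():
        line = line.strip()
        m = EVENT_RE.match(line)
        if m:
            st = state.setdefault(m["iface"], {})
            for key in ("rebind", "nak", "offer", "server", "leased"):
                if m[key]:
                    st[key] = m[key]
        elif TIMEOUT_RE.match(line):
            timed_out = True
    return state, timed_out


def diagnose(log_text, prefixlen=24):
    """Return one finding per interface that rebound a lease from a network
    other than the one now offering addresses and never got a lease.
    prefixlen is an assumption: the log carries no netmask."""
    state, timed_out = parse_events(log_text)
    findings = []
    for iface, st in state.items():
        if "leased" in st or not timed_out:
            continue
        if not {"rebind", "nak", "offer"} <= st.keys():
            continue
        stale_net = ipaddress.ip_interface(f"{st['rebind']}/{prefixlen}").network
        offer_net = ipaddress.ip_interface(f"{st['offer']}/{prefixlen}").network
        if stale_net == offer_net:
            continue
        findings.append({
            "iface": iface,
            "stale_lease": st["rebind"],
            "stale_network": str(stale_net),
            "offered": st["offer"],
            "offering_server": st["server"],
            # Assumed path layout, matching the file the post removed.
            "lease_file": f"/var/lib/dhcpcd/dhcpcd-{iface}.lease",
        })
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG):
        print(f"{f['iface']}: stale lease {f['stale_lease']} ({f['stale_network']}) "
              f"rebound, offer {f['offered']} from {f['offering_server']} never bound; "
              f"check {f['lease_file']}")
```

    The healthy log produces no finding because a `leased` line is present and nothing timed out; the post's log produces one finding for wlp9s0 naming the stale 192.168.1.154 lease and the lease file to remove.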

    I've had this happen now and again. You can rebind the lease yourself with:
    $ dhcpcd --rebind
    You could also try increasing the timeout by adding
    TimeoutDHCP=
    to your netctl profile/s - see netctl.profile(5) as WonderWoofy suggests. Although I haven't tried the latter.
    Last edited by youngdm (2013-09-01 22:01:05)

  • [solved] problems with timeouts and tcp retransmission

    I've recently upgraded my archlinux and am having real problems with the network.
    I have checked the configuration and all seems ok.
    Everything like DNS/Gateways/IPs all seem to be setup (not changed anything from when it was working before)
    I read about setting the MTU manually
    ifconfig eth0 mtu 1492
    I tried this but it doesn't seem to make any difference
    Looking at the packetflow on wireshark it seems that there are a huge amount of TCP Dup ACK and TCP Retransmission when trying to POST
    If I boot into windows everything is fine so unfortunately it seems that it might be something with linux
    Everything in linux seemed to be working ok before I upgraded
    Last edited by equilibrium (2009-12-05 15:13:14)

    It seems that I am still unable to post from my Arch system
    $ dmesg | grep sky2
    sky2 driver version 1.23
    sky2 0000:02:00.0: PCI INT A -> GSI 19 (level, low) -> IRQ 19
    sky2 0000:02:00.0: setting latency timer to 64
    sky2 0000:02:00.0: Yukon-2 EC chip revision 2
    sky2 0000:02:00.0: irq 29 for MSI/MSI-X
    sky2 eth0: addr xx:xx:xx:xx:xx:xx
    sky2 eth0: enabling interface
    sky2 eth0: Link is up at 100 Mbps, full duplex, flow control both
    $ ifconfig
    eth0 Link encap:Ethernet HWaddr 00:17:31:F4:ED:A2
    inet addr:192.168.1.20 Bcast:192.168.1.255 Mask:255.255.255.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:1170 errors:0 dropped:0 overruns:0 frame:0
    TX packets:1362 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:1101154 (1.0 Mb) TX bytes:197742 (193.1 Kb)
    Interrupt:19
    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    UP LOOPBACK RUNNING MTU:16436 Metric:1
    RX packets:4595 errors:0 dropped:0 overruns:0 frame:0
    TX packets:4595 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:541498 (528.8 Kb) TX bytes:541498 (528.8 Kb)
    /etc/rc.conf
    eth0="eth0 192.168.1.20 netmask 255.255.255.0 broadcast 192.168.1.255"
    INTERFACES=(eth0)
    gateway="default gw 192.168.1.1"
    ROUTES=(gateway)

  • I  have a problem with the synchronisation of my iPhone and iPad with Outlook 2007 on my 64-bit Windows 7  PC. For several years, I have had no problems with the synchronisation by cord connection and iTunes between these programmes. However, a few months

    I  have a problem with the synchronisation of my iPhone and iPad with Outlook 2007 on my 64-bit Windows 7  PC. For several years,
    I have had no problems with the synchronisation by cord connection and iTunes between these programmes. However, a few months ago I decided to use Mobile Me. However, there were problems with duplication of calendars and then “rogue events” – which could not be deleted – even if deleted on Outlook and on the iPhone (or both at the same time) – they would just reappear after the next synchronisation.  All other synchronisation areas (eg Contacts, Notes etc) work fine.
    I have looked for help through the Apple Support Community and tried many things.  I have repaired my Outlook. I have repaired my .pst file in Windows. I have re-installed the latest version of iTunes on my PC. I have re-installed the firmware on my iPhone. I have tried many permutations on my iPhone. I have closed down all Mobile Me functions on the iPhone. I have spent upwards of 24 hours trying to solve this problem.
    What am I left with? Outlook works seamlessly on my PC. My iPhone calendar now has no events from  my calendar, but does not synchronise through iTunes. Nor does it send events initiated on the iPhone to the Outlook. I am at the point of abandoning iPhones and iPads altogether.  I need to have a properly synchronising calendar on my phone.  Do you have any suggestions?

    In the control panel go to the "Lenovo - Power Manager" and click the battery tab; there is a maintenance button in there that will let you change the charging profile for your battery.   (from memory, so exact wording may be off)
     The lower the numbers you use there, the longer the battery *should* last.    These batteries degrade faster at higher charge levels, however storing them at too low of levels is also not good for them... I've read that 40% is optimal, but just not realistic if you use your computer.
    --- ThinkPad T61 / Win 7 / Core 2 / 4gb RAM / Nvidia / Still used daily --- ThinkPad Edge 15/ i5 / Win 7 / TrueCrypt / 8gb RAM / Hated it, died at 1 yr 1 mo old --- ThinkPad T510 / Win 7 / TrueCrypt / i5 / 8gb RAM / Nvidia / Current primary machine --- ThinkPad X220 / i7 / IPS / 4gb / TrueCrypt / My Road Machine
