IPS-4270 problem with FWSM
Hi,
I am facing a strange issue with the IPS 4270. As soon as I connect one interface of the IPS to any free port (default configs) on the 7609, after some time the FWSM stops forwarding traffic for around 5 to 10 minutes. I have never seen this type of problem before. During the problem I have noticed that the MSFC forwards traffic properly to other devices, but traffic across the FWSM halts for some time.
FWSM Code: 4.0(1)
IPS Code: 6.1(2)E3
FWSM Configs: Multiple Context configured
IPS Config: Only Interface Pairing configured.
Would appreciate any feedback on this.
Regards,
Akhtar
Similar Messages
-
Problem with FWSM and L3 interface in same switch
I have two 6513s with an 802.1q trunk connecting them. Each switch has redundant Sup720s running in Native mode, IOS ver 12.2(18)SXF (they were initially running SXD3). A FWSM (ver 2.3(3), routed mode, single context) is in each switch, setup in failover mode.
I can not get a PC, in a vlan that has the layer 3 interface defined on the switch with the active FWSM in it, to communicate with devices "behind" the FWSM. If I move the layer 3 configuration for that vlan to the other 6513, everything works fine.
The MSFCs are on the inside of the firewall, they have a layer 3 interface configured in the same vlan as the FWSM "inside" interface. Several "same security level" interfaces are defined on the FWSM and used to protect server farms. I am using OSPF on the MSFCs and FWSM and the routing table is correct.
The FWSM builds connections for attempts made by the PC with the layer 3 interface defined on the same switch as the active FWSM just fine, so this is not a FWSM ACL problem.
A ping of the FWSM "inside" interface from a PC with the layer 3 interface defined on the same switch as the active FWSM fails, even though debug icmp trace on the FWSM shows the request and the response. A packet capture, using the NAM-2, shows only the request packets. I have captured on the common vlan and the FWSM backplane port channel interface.
Just to add to the confusion, if I capture in the same places, but do the ping from a PC that is in a vlan with the layer 3 interface defined in the 6513 that does not contain the active FWSM, which works fine, I see the request and reply on the common vlan capture, but only the request on the port channel capture.
This problem has been there from the beginning of this implementation and has not changed with IOS and FWSM software upgrades. I have experienced this with any and all vlans that I tried to define the layer 3 interface for on the switch with the active FWSM. I have MLS turned on.
If anyone else has experienced this and solved it, or knows what is going on, I would appreciate any insight.
Thanks.
Keith
I will have to get set up to record more data, but I do know the FWSM showed a ping request and a ping reply at the "inside" interface.
I believe my problem is related to the IOS command "firewall multiple-vlan-interfaces" which I put in place to allow IPX traffic to be brought around the FWSM. The little documentation that there is for this command states that policy routing may need to be implemented to prevent IP packets from going around the firewall. I do not have any policy routing in place.
I also do not have any active layer three interfaces defined for any of the vlans assigned to the firewall except the "inside" interface. So my reasoning was that I did not need to be concerned about IP packets having a way around the FWSM. My suspicion is that this command and the fact that I have mls on is causing some type of a problem which results in the packet being "lost" when it needs to be going through the MSFC in the switch with the active FWSM to get to the PC. Hopefully that makes some sense.
Do you have any idea where better documentation on using the "firewall multiple-vlan-interfaces" may be, or a better explanation of all that is happening inside the switch when that command is used?
Thanks. -
Hi,
I have MARS v.6.0.6. The problem is: the FWSM option is not available in Add Module (Admin>System Setup>Sec& monitor device>add); only IOS, ASAs and PIX are available. The FWSM version is 4.1.
Appreciate your comments,
jorge
Hello Jorge
You have to add the module using the 'host switch' (6500 Series) on which the module is installed, as mentioned in the device config guide:
•If you are adding an FWSM, you must be on the main page of the Cisco switch to which you are adding it. On that page, click Add Module, and select one of the following options from the Device Type list:
–Cisco FWSM 1.1
–Cisco FWSM 2.2
–Cisco FWSM 2.3
–Cisco FWSM 3.1
–Cisco FWSM 3.2
If your exact version is not listed, select the latest one listed on the MARS GUI interface.
Please see the following link for more details:
http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/device/configuration/guide/cfgFwall.html
Please rate if the input provided is helpful; Regards
Farrukh -
Cisco ips 4270 unequal cpu utilization
I have 2 Cisco IPS 4270 devices with an IOS version 7.0(2)E4. When monitoring through IPS manager, I am able to see 4 CPUs.
In CPU 1 the utilization is showing near to 100 percent. CPU 2 is showing zero or very low utilization. CPU 3 & CPU 4 are showing average utilization, nearly equal to 40 percent.
I wonder why I am getting zero percent CPU utilization in CPU 2 and 100 percent utilization in CPU 1?
Can we distribute the load among the four CPUs?
Hey cisco folks, please help.
This was mentioned in a previous post, specifically the reply by Scott Fringer. Post here:
https://supportforums.cisco.com/message/3065777#3065777
In Scott's post, he quoted the E3 engine release notes regarding CPU utilization (highlighting mine):
The E3 signature engine update contains changes from CSCsu77935
The resolution of this defect modified the idle time algorithm of the sensor by applying additional CPU to polling of the NICs to decrease the polling interval and reduce latency. This results in the CPU usage being reported higher than in previous releases, including using external tools such as top and ps.
You can notice this additional CPU load on single-CPU platforms, as well as the primary CPU of multi-core systems. Since the additional CPU load that is reported while polling is actually available to process packets, and reduces as inspection load goes up, it does not negatively affect the overall throughput of the IPS.
So, what you are seeing should be considered normal, and doesn't need correction. That is, unless you are seeing packet loss. -
Problem with Failover FWSM (With Multiple Context)
Dear All,
I have 2 Catalyst 6500 with FWSM module; the Catalyst and FWSM are redundant. The FWSM is in multiple context mode.
I am done with the Catalyst 6500, but when I try to add (Admin -> Security and Monitor Devices) the module with the FWSM context, it always gives an error.
I add this context in the active context.
this is the error message when i try to add fwsm on mars.
The first one;
expect: spawn id exp3 not open
while executing
"expect -nobrace {<--- More --->} {
send_user "\n"
send -- " "
exp_continue
} {assword: } {
s..."
invoked from within
"expect {
"<--- More --->" {
send_user "\n"
send -- " "
exp_continue
"assword: " {
(file "./sshpix7x.exp" line 105)
st_key
the second:
invoked from within
"expect {
"<--- More --->" {
send_user "\n"
send -- " "
exp_continue
"assword: " {
(file "./sshpix7x.exp" line 105)
st_key
and sometime:
spawn ssh -c 3des -l siem-mars 10.x.x.x
Connection timed out
For Information :
The FWSM Firewall Version 4.0(6)
and,
CSMAERS-200
Product Version : 6.0.6 ( 3368 )
Data Package Version : 35
IPS Signature Version : 454
IPS Custom Signature Version : 0
Anyone can help me please...
Thanks b4,
Best Regards,
Naga
Hi Teck Yong Ng,
I am not sure about your problem, but normally what happens when we install two databases on the same host is there will be conflict between the ports connecting to the database.
In your case the second system database might also have the same port number which you have for the first system. That is why I think you are facing this issue.
Try to look at the port numbers.
Regards,
Bharath Kumar.K
Message was edited by:
Bharath Kumar K -
I'm experiencing an issue updating my IDSM-2's. I'm currently at 5.1(1p1)S223.0V1.0, I tried applying the latest signatures (S224), but failed and got the following message:
"Exception during sensor reimaging: Timed out while waiting for sensor to come up for SENSOR. Erorr(s) encountered during sensor update, this sensor update is aborted"
I tried it again on another sensor and got the same result. In both cases, the sensors became unresponsive and I couldn't even reboot them from IPS MC, IDM, CLI.
Is anyone else having issues with the latest S224?
Same or similar problem with S224 for 5.1d on IPS 4240. I can see the package update script running on a sensor; it will never quit. Sensor reboot from shell helps, sensor reports 224 after reboot and is working normally.
-
IPS 4270 with 6509 VSS in Promiscuous mode
Dear all,
I am trying to figure out how to configure 2x IPS 4270 in promiscuous mode with Cisco 6509 VSS:
I have attached the LLD core datacenter design including the IPS physical placement in my network.
The following points are my concerns in this design:
Shall I connect each of the IPS 4270's into VSS Chassis A and B, or do I keep each IPS connected to a different Chassis? (considering the SPAN port configuration on VSS and whether I could encounter an asymmetric routing issue or not).
Can I use Etherchannel in either case (keep in mind it's promiscuous mode)? That means the destination interface on the VSS will be an Etherchannel interface, but does the Cisco IPS 4270 support Etherchannel while in promiscuous mode?
I really appreciate your input on this matter guys.
Cheers
Mohammed Khair
Hi,
1. You can connect each IPS into Chassis A and B; that is not a problem. But while configuring the RSPAN monitor, from A to B and B to A should monitor both vlans (I mean RSPAN A and B and also vice versa in your config; then it will give both outputs even if connectivity between the IPS and one chassis fails).
2. IPS supports Etherchannel while in promiscuous mode as well. -
Problem using static IPs on PCs with BT Home Hub 2
Hi
Have today just been upgraded to BT Infinity using the new VDSL modem and BT Home Hub.
I have a server running Ubuntu and several PCs and laptops, mostly connected via ethernet.
Prior to the upgrade I was using the 10.x.x.x range for the network with most of the devices using static IPs. However, it seems that the 10.* range is not acceptable when configuring the IP address and Subnet mask on the Home Hub. Great! .... Not.
Anyway, so decided to switch to using the 192.168.x.x range (subnet 255.255.0.0). Have configured the router as .1.1 and my server as .3.1. However, the server is unable to ping virtually all sites on the Internet (I say all as some times www.google.com works ok.)
Also all PCs will not work with static IP configurations (using IPs like .4.1, .5.1, etc.). The only way I can get the PCs and laptops to work is to use the DHCP setting (Obtain IP from server). This is configured on the home hub as .100.1 - .100.254
I really need the PCs and laptops to work with static IPs.
Am I missing something or is this a known problem with the Home Hub? It seems that the Home Hub will only connect to the Internet if it is configured to grab an IP from DHCP on the Home Hub.
Thanks for any help in advance.
Sarah
Ok. I think I have found a work-around for this, which shows that the problem is the BT home hub.
Delete all the devices showing on the hub (in the Advanced Settings).
Configure each PC with a static IP address with the required IP. Reboot the PC. After logging in, go to the router and enter the device showing in the home hub and set the device so that it always uses the IP address (as it will have registered the IP - even though it is outside the DHCP range). Save this. Go back to the PC and reconfigure the network settings to use DHCP and reboot the PC. The PC will then continue to re-use the original IP address, which allows this to be used as a static IP address, thus allowing it to be used for apps that need to have a fixed IP.
Repeat for each PC.
Although this works I have a feeling that the IPs used may only be retained as long as the home hub is not rebooted.
It shows that it is possible to use "static" IPs outside the 192.168.1.* range and outside the DHCP range (I was using 192.168.100.* and it worked ok). Therefore there is no reason why this should not work as static IPs, other than that the firmware on the home hub does not allow it. What rubbish.
I cannot wait until some of the other manufacturers (like Linksys, Netgear, Belkin) jump on the VDSL bandwagon and produce compatible routers.
Regards
Sarah -
Firefox 5 prevents my Symantec IPS 2.0: any problem with AV?
I'm seeing a Firefox message that FF5.0 is not compatible with Symantec IPS 2.0. Norton AV is my anti-viral program. Is its function altered by my using FireFox 5.0?
Airport Utility 5.3.2 is quite harmless. More people having problem with OS X 10.5.3 update, which is making the AirDisk very slow and unresponsive. I end up re-formating the USB hard disk to solve the problem.
-
IPS 4270 placement @ Internet Edge
Given that I have same topology as shown in Internet Edge Cisco IPS Design Best Practices and basically inserting 4270 Appliance into an INLINE mode.
Core and Distribution Switch = Layer-3 routed links
Distribution Switch and ASA = Layer-2 access port
I'm wondering how the IPS sensors should be configured? I think I understand the methods below, but since my Core/Distrib is a layer-3 link, I'm not sure which method is going to work since most require two vlans ...
1. Interface Pairing
2. VLAN Pairing
3. VLAN Group
Anyone has same experience?
Thanks in advance ...
Gerard
I have a 4270-20 positioned at the edge of my network. It sits between the outside of the firewall and our Internet router. The only problem with this model is that it makes tracking down threats very difficult, as the only thing you will ever see are the NAT'd public IPs for all your traffic.
To get around this limitation, we created an additional interface in promiscuous mode and we SPAN the traffic on the link between our core switch and the internal interface of our firewall to it. This gives us complete outside protection and inside visibility. This is still not an ideal setup and we are in the process of re-architecting our internal traffic so that we can run two in-line pairs on the IPS. One internal, and one external.
The best way to go, is having the IPS in the firewall itself, but throughput on firewalls is often a concern, and unfortunately for Cisco, quite a limitation. -
Two Cisco ASA 5505, IPSec Multiple Subnets, Problem with Phase2, DSL
Hi all.
we have following IPSec configuration:
ASA Site 1:
Cisco Adaptive Security Appliance Software Version 9.1(1)
crypto ipsec ikev1 transform-set TSAES esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set TSMD5 esp-3des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal PropAES256
access-list SITE_2 extended permit ip 172.27.0.0 255.255.0.0 172.27.97.0 255.255.255.0
access-list SITE_2 extended permit ip 172.28.60.0 255.255.254.0 172.27.97.0 255.255.255.0
access-list SITE_2 extended permit ip 172.22.0.0 255.255.0.0 172.27.97.0 255.255.255.0
access-list SITE_2 extended permit ip 172.27.0.0 255.255.0.0 172.27.99.0 255.255.255.0
access-list SITE_2 extended permit ip 172.22.0.0 255.255.0.0 172.27.99.0 255.255.255.0
crypto map CMVPN 5 match address SITE_2
crypto map CMVPN 5 set peer IP_SITE2
crypto map CMVPN 5 set ikev2 ipsec-proposal PropAES256
crypto map CMVPN interface OUTSIDE
route OUTSIDE 172.27.97.0 255.255.255.0 citic-internet-gw 255
route OUTSIDE 172.27.99.0 255.255.255.0 citic-internet-gw 255
tunnel-group IP_SITE2 type ipsec-l2l
tunnel-group IP_SITE2 general-attributes
default-group-policy VPN_S2S_WAN
tunnel-group IP_SITE2 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
ASA Site 2:
Cisco Adaptive Security Appliance Software Version 9.1(4)
access-list SITE_1 extended permit ip 172.27.97.0 255.255.255.0 172.28.60.0 255.255.254.0
access-list SITE_1 extended permit ip 172.27.97.0 255.255.255.0 172.27.0.0 255.255.0.0
access-list SITE_1 extended permit ip 172.27.97.0 255.255.255.0 172.22.0.0 255.255.0.0
access-list SITE_1 extended permit ip 172.27.99.0 255.255.255.0 172.27.0.0 255.255.0.0
access-list SITE_1 extended permit ip 172.27.99.0 255.255.255.0 172.22.0.0 255.255.0.0
crypto map CMVPN 10 match address SITE_1
crypto map CMVPN 10 match address SITE_1
crypto map CMVPN 10 set peer IP_SITE1
crypto map CMVPN 10 set ikev2 ipsec-proposal IKEV2AES
crypto map CMVPN 10 set reverse-route
crypto map CMVPN interface OUTSIDE
tunnel-group IP_SITE1 type ipsec-l2l
tunnel-group IP_SITE1 general-attributes
default-group-policy VPN_S2S_WAN
tunnel-group IP_SITE1 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
We are not able to reach 172.27.99.x IPs from 172.22.20.x.
It seems that the phase 2 for this subnet is missing... as long as we do not try to reach any IP in 172.22.20.x from 172.27.99.x.
We are using a similar configuration on many sites and it works correctly except on sites with a DSL line.
We can exclude a problem with NAT, ACL or routing. The connection works fine as long as "we open all phase 2 manually". After the tunnel re-opens (idle timeout) the problem comes back.
Thanks in advance for your help.
Regards.
Jan
ASA Site 1# sh vpn-sessiondb detail l2l filter ipaddress ASA Site 2
Session Type: LAN-to-LAN Detailed
Connection : IP ASA Site 2
Index : 3058 IP Addr : IP ASA Site 2
Protocol : IKEv2 IPsec
Encryption : IKEv2: (1)AES256 IPsec: (3)AES256
Hashing : IKEv2: (1)SHA512 IPsec: (3)SHA1
Bytes Tx : 423634 Bytes Rx : 450526
Login Time : 19:59:35 HKT Tue Apr 29 2014
Duration : 1h:50m:45s
IKEv2 Tunnels: 1
IPsec Tunnels: 3
IKEv2:
Tunnel ID : 3058.1
UDP Src Port : 500 UDP Dst Port : 500
Rem Auth Mode: preSharedKeys
Loc Auth Mode: preSharedKeys
Encryption : AES256 Hashing : SHA512
Rekey Int (T): 86400 Seconds Rekey Left(T): 79756 Seconds
PRF : SHA512 D/H Group : 5
Filter Name :
IPv6 Filter :
IPsec:
Tunnel ID : 3058.2
Local Addr : 172.22.0.0/255.255.0.0/0/0
Remote Addr : 172.27.97.0/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 22156 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607648 K-Bytes
Idle Time Out: 25 Minutes Idle TO Left : 24 Minutes
Bytes Tx : 312546 Bytes Rx : 361444
Pkts Tx : 3745 Pkts Rx : 3785
IPsec:
Tunnel ID : 3058.3
Local Addr : 172.27.0.0/255.255.0.0/0/0
Remote Addr : 172.27.97.0/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 22165 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607952 K-Bytes
Idle Time Out: 25 Minutes Idle TO Left : 24 Minutes
Bytes Tx : 50014 Bytes Rx : 44621
Pkts Tx : 496 Pkts Rx : 503
IPsec:
Tunnel ID : 3058.4
Local Addr : 172.27.0.0/255.255.0.0/0/0
Remote Addr : 172.27.99.0/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 22324 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607941 K-Bytes
Idle Time Out: 25 Minutes Idle TO Left : 24 Minutes
Bytes Tx : 61074 Bytes Rx : 44461
Pkts Tx : 402 Pkts Rx : 437
NAC:
Reval Int (T): 0 Seconds Reval Left(T): 0 Seconds
SQ Int (T) : 0 Seconds EoU Age(T) : 6648 Seconds
Hold Left (T): 0 Seconds Posture Token:
Redirect URL :
.... after ping from 172.27.99.x any ip in 172.22.20.x.
ASA Site 1# sh vpn-sessiondb detail l2l filter ipaddress ASA Site 2
Session Type: LAN-to-LAN Detailed
Connection : IP ASA Site 2
Index : 3058 IP Addr : IP ASA Site 2
Protocol : IKEv2 IPsec
Encryption : IKEv2: (1)AES256 IPsec: (4)AES256
Hashing : IKEv2: (1)SHA512 IPsec: (4)SHA1
Bytes Tx : 784455 Bytes Rx : 1808965
Login Time : 19:59:35 HKT Tue Apr 29 2014
Duration : 2h:10m:48s
IKEv2 Tunnels: 1
IPsec Tunnels: 4
IKEv2:
Tunnel ID : 3058.1
UDP Src Port : 500 UDP Dst Port : 500
Rem Auth Mode: preSharedKeys
Loc Auth Mode: preSharedKeys
Encryption : AES256 Hashing : SHA512
Rekey Int (T): 86400 Seconds Rekey Left(T): 78553 Seconds
PRF : SHA512 D/H Group : 5
Filter Name :
IPv6 Filter :
IPsec:
Tunnel ID : 3058.2
Local Addr : 172.22.0.0/255.255.0.0/0/0
Remote Addr : 172.27.97.0/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 20953 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4606335 K-Bytes
Idle Time Out: 25 Minutes Idle TO Left : 24 Minutes
Bytes Tx : 652492 Bytes Rx : 1705136
Pkts Tx : 7419 Pkts Rx : 7611
IPsec:
Tunnel ID : 3058.3
Local Addr : 172.27.0.0/255.255.0.0/0/0
Remote Addr : 172.27.97.0/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 20962 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607942 K-Bytes
Idle Time Out: 25 Minutes Idle TO Left : 24 Minutes
Bytes Tx : 60128 Bytes Rx : 52359
Pkts Tx : 587 Pkts Rx : 594
IPsec:
Tunnel ID : 3058.4
Local Addr : 172.27.0.0/255.255.0.0/0/0
Remote Addr : 172.27.99.0/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 21121 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607931 K-Bytes
Idle Time Out: 25 Minutes Idle TO Left : 24 Minutes
Bytes Tx : 70949 Bytes Rx : 50684
Pkts Tx : 475 Pkts Rx : 514
IPsec:
Tunnel ID : 3058.5
Local Addr : 172.22.0.0/255.255.0.0/0/0
Remote Addr : 172.27.99.0/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 28767 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4608000 K-Bytes
Idle Time Out: 25 Minutes Idle TO Left : 24 Minutes
Bytes Tx : 961 Bytes Rx : 871
Pkts Tx : 17 Pkts Rx : 14
NAC:
Reval Int (T): 0 Seconds Reval Left(T): 0 Seconds
SQ Int (T) : 0 Seconds EoU Age(T) : 7852 Seconds
Hold Left (T): 0 Seconds Posture Token:
Redirect URL :
Hi,
on 212 I see
tunnel-group 195.xxx.xxx.xxx type ipsec-l2l
tunnel-group 195.xxx.xxx.xxx ipsec-attributes
pre-shared-key
When you define the peer with static tunnel-group entry ASA is looking for peer configuration in static crypto map. If the peer is behind static NAT configure a proper static crypto map with matching acl and proposals.
If the peer is behind dynamic NAT, refer to this example: http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/81883-ipsec-iosrtr-dyn-pix-nat.html
Regards,
Abaji. -
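An added example (not code from the original posts) of the check the poster made by eye in the ASA thread above: it lists which entries of the Site 1 crypto ACL have no matching IPsec SA in a "sh vpn-sessiondb detail l2l" capture, using the ACL and the selector lines of the two captures from the post. The function names are hypothetical, and a selector without an SA is only a finding if traffic for it should be flowing, since each SA is negotiated when matching traffic first arrives.

```python
import ipaddress
import re

# Crypto ACL of ASA Site 1, copied from the post above.
SITE1_ACL = """\
access-list SITE_2 extended permit ip 172.27.0.0 255.255.0.0 172.27.97.0 255.255.255.0
access-list SITE_2 extended permit ip 172.28.60.0 255.255.254.0 172.27.97.0 255.255.255.0
access-list SITE_2 extended permit ip 172.22.0.0 255.255.0.0 172.27.97.0 255.255.255.0
access-list SITE_2 extended permit ip 172.27.0.0 255.255.0.0 172.27.99.0 255.255.255.0
access-list SITE_2 extended permit ip 172.22.0.0 255.255.0.0 172.27.99.0 255.255.255.0
"""

# IPsec blocks of the first capture in the post, trimmed to the tunnel ID
# and the two selector lines.
BEFORE_PING = """\
IPsec:
Tunnel ID : 3058.2
Local Addr : 172.22.0.0/255.255.0.0/0/0
Remote Addr : 172.27.97.0/255.255.255.0/0/0
IPsec:
Tunnel ID : 3058.3
Local Addr : 172.27.0.0/255.255.0.0/0/0
Remote Addr : 172.27.97.0/255.255.255.0/0/0
IPsec:
Tunnel ID : 3058.4
Local Addr : 172.27.0.0/255.255.0.0/0/0
Remote Addr : 172.27.99.0/255.255.255.0/0/0
"""

# The second capture (after the ping from 172.27.99.x) adds tunnel 3058.5.
AFTER_PING = BEFORE_PING + """\
IPsec:
Tunnel ID : 3058.5
Local Addr : 172.22.0.0/255.255.0.0/0/0
Remote Addr : 172.27.99.0/255.255.255.0/0/0
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Only the "permit ip <net> <mask> <net> <mask>" form used in the post is
# handled; host/any/object-group entries are skipped.
ACL_RE = re.compile(
    rf"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+"
    rf"{IPV4}\s+{IPV4}\s+{IPV4}\s+{IPV4}\s*$"
)
ADDR_RE = re.compile(rf"^\s*(Local|Remote) Addr\s*:\s*{IPV4}/{IPV4}/")


def _net(addr, mask):
    # strict=False tolerates an address with host bits set.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def acl_selectors(acl_text, acl_name):
    """Return the (local, remote) networks of each ACE in acl_name, in ACL order."""
    pairs = []
    for line in acl_text.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == acl_name:
            pairs.append((_net(m.group(2), m.group(3)),
                          _net(m.group(4), m.group(5))))
    return pairs


def sa_selectors(session_text):
    """Return the set of (local, remote) networks that currently have an IPsec SA."""
    pairs, local = set(), None
    for line in session_text.splitlines():
        m = ADDR_RE.match(line)
        if not m:
            continue
        net = _net(m.group(2), m.group(3))
        if m.group(1) == "Local":
            local = net
        elif local is not None:
            pairs.add((local, net))
            local = None
    return pairs


def missing_sas(acl_text, acl_name, session_text):
    """List ACL selector pairs, as 'local -> remote' strings, that have no SA."""
    established = sa_selectors(session_text)
    return [f"{loc} -> {rem}"
            for loc, rem in acl_selectors(acl_text, acl_name)
            if (loc, rem) not in established]


if __name__ == "__main__":
    for label, capture in (("before ping", BEFORE_PING), ("after ping", AFTER_PING)):
        print(label, missing_sas(SITE1_ACL, "SITE_2", capture))
```

Run against both captures, the 172.22.0.0/16 to 172.27.99.0/24 selector drops off the missing list only after the ping from the 172.27.99.x side.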
Hi All,
I am facing a strange problem with the name resolution in mac os x. I have a Lan with a cisco switch and a cisco router that serves as DHCP and DNS server.
In the router I have setup some static host names with the relevant IPs in the local Lan. When ever I try to ping or browse, from within OS X, using the names, I get "unknown host" error. The problem is only with the static hosts I have setup. The strange part is that nslookup and dig give back the correct IP as it is assigned in the Cisco router. When I use my iPhone or iPad everything works fine.
Any help would be appreciated.
Hi Barsam, did you solve this issue?
I have something similar happening to me, I can ping, traceroute, nslookup even use entourage to send and receive emails, but can browse the web with any browser (safari, firefox and chrome)
Last night firefox was working, today I upgraded to the latest firefox version and now firefox stopped working saying that can resolve the name, the same error as safari and chrome
I flushed the cache, rebooted, manually entered DNS, changed DNS servers to public ones, but still can't surf the web -
[SOLVED] Problem with netctl and dhcpcd
Hi everybody,
I had a problem with netctl and dhcpcd.
I was using netctl and wifi-menu to connect to wireless networks with dhcp.
It worked fine at home, then I went to a friend where it also worked, but then I went back home and it failed at every try with these error messages:
dhcpcd[2718]: version 6.0.5 starting
dhcpcd[2718]: wlp9s0: rebinding lease of 192.168.1.154
dhcpcd[2718]: wlp9s0: reject NAK via 192.168.178.1
dhcpcd[2718]: wlp9s0: soliciting a DHCP lease
dhcpcd[2718]: wlp9s0: offered 192.168.178.44 from 192.168.178.1
dhcpcd[2718]: timed out
network[2659]: DHCP IP lease attempt failed on interface 'wlp9s0'
systemd[1]: netctl@wlp9s0\xxx.service: main process exited, code=exited, status=1/FAILURE
systemd[1]: Failed to start Automatically generated profile by wifi-menu.
systemd[1]: Unit netctl@wlp9s0\xxx.service entered failed state.
I figured that dhcpcd tried to rebind an ip that my router rejected and didn't accept the ip that it offered instead.
The solution was to delete:
/var/lib/dhcpcd/dhcpcd-wlp9s0.lease
Now how can I configure netctl and/or dhcpcd so that this won't happen again and so that it accepts all IPs offered by routers?
Last edited by Samy (2013-09-04 13:32:13)
I've had this happen now and again. You can rebind the lease yourself with:
$ dhcpcd --rebind
You could also try increasing the timeout by adding
TimeoutDHCP=
to your netctl profile/s - see netctl.profile(5) as WonderWoofy suggests. Although I haven't tried the latter.
Last edited by youngdm (2013-09-01 22:01:05) -
[solved] problems with timeouts and tcp retransmission
I've recently upgraded my archlinux and am having real problems with the network.
I have checked the configuration and all seems ok.
Everything like DNS/Gateways/IPs all seem to be setup (not changed anything from when it was working before)
I read about setting the MTU manually
ifconfig eth0 mtu 1492
I tried this but it doesn't seem to make any difference
Looking at the packetflow on wireshark it seems that there are a huge amount of TCP Dup ACK and TCP Retransmission when trying to POST
If I boot into windows everything is fine so unfortunately it seems that it might be something with linux
Everything in linux seemed to be working ok before I upgraded
Last edited by equilibrium (2009-12-05 15:13:14)
seems that I am still unable to post from my arch system
$ dmesg | grep sky2
sky2 driver version 1.23
sky2 0000:02:00.0: PCI INT A -> GSI 19 (level, low) -> IRQ 19
sky2 0000:02:00.0: setting latency timer to 64
sky2 0000:02:00.0: Yukon-2 EC chip revision 2
sky2 0000:02:00.0: irq 29 for MSI/MSI-X
sky2 eth0: addr xx:xx:xx:xx:xx:xx
sky2 eth0: enabling interface
sky2 eth0: Link is up at 100 Mbps, full duplex, flow control both
$ ifconfig
eth0 Link encap:Ethernet HWaddr 00:17:31:F4:ED:A2
inet addr:192.168.1.20 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1170 errors:0 dropped:0 overruns:0 frame:0
TX packets:1362 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1101154 (1.0 Mb) TX bytes:197742 (193.1 Kb)
Interrupt:19
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:4595 errors:0 dropped:0 overruns:0 frame:0
TX packets:4595 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:541498 (528.8 Kb) TX bytes:541498 (528.8 Kb)
/etc/rc.conf
eth0="eth0 192.168.1.20 netmask 255.255.255.0 broadcast 192.168.1.255"
INTERFACES=(eth0)
gateway="default gw 192.168.1.1"
ROUTES=(gateway) -
I have a problem with the synchronisation of my iPhone and iPad with Outlook 2007 on my 64-bit Windows 7 PC. For several years, I have had no problems with the synchronisation by cord connection and iTunes between these programmes. However, a few months ago I decided to use Mobile Me. However, there were problems with duplication of calendars and then “rogue events” – which could not be deleted – even if deleted on Outlook and on the iPhone (or both at the same time) – they would just reappear after the next synchronisation. All other synchronisation areas (eg Contacts, Notes etc) work fine.
I have looked for help through the Apple Support Community and tried many things. I have repaired my Outlook. I have repaired my .pst file in Windows. I have re-installed the latest version of iTunes on my PC. I have re-installed the firmware on my iPhone. I have tried many permutations on my iPhone. I have closed down all Mobile Me functions on the iPhone. I have spent upwards of 24 hours trying to solve this problem.
What am I left with? Outlook works seamlessly on my PC. My iPhone calendar now has no events from my calendar, but does not synchronise through iTunes. Nor does it send events initiated on the iPhone to the Outlook. I am at the point of abandoning iPhones and iPads altogether. I need to have a properly synchronising calendar on my phone. Do you have any suggestions?
In the control panel go to the "Lenovo - Power Manager" and click the battery tab, there is a maintenance button in there that will let you change the charging profile for your battery. (from memory, so exact wording may be off)
The lower the numbers you use there, the longer the battery *should* last. These batteries degrade faster at higher charge levels, however storing them at too low of levels is also not good for them... I've read that 40% is optimal, but just not realistic if you use your computer.
--- ThinkPad T61 / Win 7 / Core 2 / 4gb RAM / Nvidia / Still used daily --- ThinkPad Edge 15/ i5 / Win 7 / TrueCrypt / 8gb RAM / Hated it, died at 1 yr 1 mo old --- ThinkPad T510 / Win 7 / TrueCrypt / i5 / 8gb RAM / Nvidia / Current primary machine --- ThinkPad X220 / i7 / IPS / 4gb / TrueCrypt / My Road Machine