IPSEC EIGRP NTP issues

Similar Messages

• UCCX 8.5 HA NTP issues (virtual servers)

  Hello,
  I'm working with an UCCX HA server that is having NTP issues. It reports that it is synchronized, but at stratum 16, which is considered to be unsynchronized. Also, it's always exactly 3 seconds off. I'm not sure if this is related, yet, but every time the servers failover, agents get licensing errors and cannot log into CAD.
  PRIMARY UCCX
  admin:utils ntp status
  ntpd (pid 17380) is running...
       remote           refid      st t when poll reach   delay   offset  jitter
  ==============================================================================
  *198.147.23.5    139.78.135.14    2 u  291  512  377   37.758    5.479   0.298
  +173.203.211.73  71.252.193.25    3 u  164  512  377   14.891   -1.871   0.106
  +204.13.164.164  140.142.16.34    2 u  157  512  377   68.322   -0.486   0.053
  synchronised to NTP server (198.147.23.5) at stratum 3
     time correct to within 57 ms
     polling server every 512 s
  Current time in UTC is : Mon Mar 11 16:01:09 UTC 2013
  Current time in America/Denver is : Mon Mar 11 10:01:09 MDT 2013
  HA UCCX
  admin:utils ntp status
  ntpd (pid 16801) is running...
       remote           refid      st t when poll reach   delay   offset  jitter
  ==============================================================================
  *10.10.130.12    198.147.23.5     3 u   24   64   17   56.269  -2318.6   1.887
  synchronised to NTP server (STEP) at stratum 16
     time correct to within 251 ms
     polling server every 64 s
  Current time in UTC is : Mon Mar 11 16:01:12 UTC 2013
  Current time in America/Denver is : Mon Mar 11 10:01:11 MDT 2013
  Additionally, the following alert shows up in RTMT
  At Wed Feb 13 11:11:17 MST 2013 on node 10.10.111.12; the following SyslogSeverityMatchFound events generated: SeverityMatch : Critical MatchedEvent : Feb 13 11:11:06 MVTUCCXHA2 user 2 ntpRunningStatus.sh: The local NTP client is off by more than the acceptable threshold of 3 seconds from its remote NTP system peer. The normal remedy is for NTP Watch Dog to automatically restart NTP. However; an unusual number of automatic NTP restarts have already occurred on this node. No additional automatic NTP restarts will be done until NTP time synchronization stabilizes. This is likely due to an excessive number of VMware Virtual Machine migrations or Storage VMotions. Please consult your VMware Infrastructure Support Team. AppID : Cisco Syslog Agent ClusterID : NodeID : MVTUCCXHA2 TimeStamp : Wed Feb 13 11:11:06 MST 2013
  The servers are installed in a VMWare vSphere virtual environment on Cisco-approved IBM hosts. They have not been vmotioned or storage vmotioned.
  Originally, the servers were configured to get time from Microsoft domain controllers. Since they use SNTP and UC servers require NTPv4, I configured the primary UCCX server to use public NTPv4 servers. I have updated vmware tools on both servers and rebooted the servers and restarted ntp services, but nothing will get time to synchronize on the HA server.
  Finally, there are other UC servers (CUCM & CUC) set up to use the same NTP servers, but the HA servers cannot synchronize their time no matter what I do. I've tried different NTP servers both on the LAN and public ones. I thought I would include this detail since my gut is telling me that this issue has something to do with the virtual environment.
  HA CUC
  admin:utils ntp status
  ntpd (pid 14554) is running...
       remote           refid      st t when poll reach   delay   offset  jitter
  ==============================================================================
  10.10.111.11    204.13.164.164   3 u    -   64    1   50.504  431.491 221.689
  unsynchronised
    time server re-starting
     polling server every 64 s
  Current time in UTC is : Mon Mar 11 15:20:22 UTC 2013
  Current time in America/Denver is : Mon Mar 11 09:20:22 MDT 2013
  I can see NTP traffic between the two servers:
  admin:utils network capture port 123
  Executing command with options:
  size=128                count=1000              interface=eth0
  src=                    dest=                   port=123              
  ip=                  
  09:29:28.051951 IP MVTCUCNXHA.mvte.com.ntp > MVTCUCNXPRI.mvte.com.ntp: NTPv4, Client, length 48
  09:29:28.105679 IP MVTCUCNXPRI.mvte.com.ntp > MVTCUCNXHA.mvte.com.ntp: NTPv4, Server, length 48
  09:29:30.049773 IP MVTCUCNXHA.mvte.com.ntp > MVTCUCNXPRI.mvte.com.ntp: NTPv4, Client, length 48
  09:29:30.100371 IP MVTCUCNXPRI.mvte.com.ntp > MVTCUCNXHA.mvte.com.ntp: NTPv4, Server, length 48
  09:29:32.051282 IP MVTCUCNXHA.mvte.com.ntp > MVTCUCNXPRI.mvte.com.ntp: NTPv4, Client, length 48
  09:29:32.103161 IP MVTCUCNXPRI.mvte.com.ntp > MVTCUCNXHA.mvte.com.ntp: NTPv4, Server, length 48
  09:29:34.049279 IP MVTCUCNXHA.mvte.com.ntp > MVTCUCNXPRI.mvte.com.ntp: NTPv4, Client, length 48
  09:29:34.100112 IP MVTCUCNXPRI.mvte.com.ntp > MVTCUCNXHA.mvte.com.ntp: NTPv4, Server, length 48
  09:29:36.050723 IP MVTCUCNXHA.mvte.com.ntp > MVTCUCNXPRI.mvte.com.ntp: NTPv4, Client, length 48
  09:29:36.101990 IP MVTCUCNXPRI.mvte.com.ntp > MVTCUCNXHA.mvte.com.ntp: NTPv4, Server, length 48
  09:29:38.052193 IP MVTCUCNXHA.mvte.com.ntp > MVTCUCNXPRI.mvte.com.ntp: NTPv4, Client, length 48
  09:29:38.103854 IP MVTCUCNXPRI.mvte.com.ntp > MVTCUCNXHA.mvte.com.ntp: NTPv4, Server, length 48
  09:29:40.050156 IP MVTCUCNXHA.mvte.com.ntp > MVTCUCNXPRI.mvte.com.ntp: NTPv4, Client, length 48
  09:29:40.100831 IP MVTCUCNXPRI.mvte.com.ntp > MVTCUCNXHA.mvte.com.ntp: NTPv4, Server, length 48
  Any ideas?
  Thanks!
  Pashtoun

  Thanks for the reply Graham! I'm aware that windows does not implement NTP correctly, which is why I was trying NTPv4 and IOS time servers.The NTP issue I was troubleshooting actually ended up being a combination of a couple issues:
  1. Cisco Bug CSCtw46611
  2. The virtual UC servers need to be configured with the same NTP server as those configured on the VMWare hosts they run in.
  The time issue on CUCM and CUC was resolved by the workaround in (1) and the changes made on the hosts regarding (2). The time issue on UCCX was resolved by (2) since it is not affected by the bug. There were some really bizarre issues that went away once NTP was fixed: UCCX would lose data sync with CUCM every time CUCM was rebooted, the voice ports on the HA CUC server had terrible voice quality or would never pick up (eternal ringback), and UCCX failover didn't work (licensing errors, etc as explain in my original post).

• DMVPN and Eigrp SIA issues

  I have over 250 sites in a hub-and-spoke desing, each remote site has a frame-relay and an IPSec tunnel to the office, we are running Eigrp but ever since we deployed DMVPN we've been getting many SIA messages...is this a normal behavior for a DMVPN design? should I just decrease how often EIGRP queries are sent or increase EIGRP timers, or should I just leave it alone...has anyone seen DMVPN in over 200 sites working flawlessly using eigrp? just curious...

  GTS = Generic Traffic Shaping.
  We just use the easier to use, traffic-shape rate command, but the likely cisco answer would be to create policy-map/class-maps for the tunnel interfaces.
  Our Tunnel interfaces have the following additional commands. cut-edited-paste.
  Site with a T1
  interface Tunnel111
  description VPN sitea to siteb
  bandwidth 1536
  ip unnumbered Loopback0
  ip access-group whattoblockin in
  ip access-group whattoblockout out
  ip mtu 1600
  ip hello-interval eigrp 111 2
  ip hold-time eigrp 111 8
  ip pim sparse-mode
  ip route-cache flow
  ip tcp adjust-mss 1280
  load-interval 30
  delay 1001
  traffic-shape rate 1536000 8192 8192 2048
  cdp enable
  tunnel source a.a.a.a
  tunnel destination b.b.b.b
  end
  The traffic-shape command is just there to keep the outside interface from being over run and dropping packets after encryption. This isn't "QOS" by Cisco's book, but when we implemented this, Cisco didn't have a pre-qualify that worked properly with DMVPN.
  If we start having problems with a site having heavy utilization, we'll change the traffic-shape statement to smooth out the traffic and control the heavy users. (refer to effects of WFQ).
  Do a search for WFQ and GTS on Cisco.com
  (oh, and if anyone tells you that the ip mtu command is a bad idea, tell 'em to stick it in their ear...)
  Rob

• Cisco 2620 eigrp/ospf issues

  Greetings,
  I'm having issues getting a Cisco 2620 and a Dell Powerconnect 6024 to redistribute via eigrp/ospf correctly which are both at a remote location. I have attached a basic diagram to better show the topology. We have been unable to access the remote site from our main site (which is using a cisco 3600) without a static route for each subnet at the remote site. Hopefully this makes sense.
  Cisco 2620 Config:
  Building configuration...
  Current configuration:
  ip subnet-zero
  lane client flush
  cns event-service server
  interface FastEthernet0/0
  ip address 10.100.187.1 255.255.255.0
  duplex auto
  speed auto
  interface Serial0/0
  ip address 10.100.181.10 255.255.255.252
  no ip mroute-cache
  no fair-queue
  router eigrp 100
  redistribute connected
  redistribute ospf 1
  network 10.0.0.0
  no auto-summary
  router ospf 1
  redistribute connected
  redistribute eigrp 100 subnets
  network 10.100.0.0 0.0.255.255 area 0.0.0.0
  ip classless
  ip route 0.0.0.0 0.0.0.0 10.100.181.9
  no ip http server
  banner motd ^CCC

  Timothy
  There are a couple of things that I am not clear about concerning your situation. Your diagram shows a single subnet between the Cisco and the Dell. Is everything in the Dell in that single subnet? If so I am not sure why you are running OSPF, since there will not be any OSPF routes to redistribute.
  If the diagram is incomplete and there are routes in OSPF that need to redistribute to EIGRP then there is an issue in the configuration. There is no default metric configured under router EIGRP. Without a default metric routes from another protocol (OSPF) will not redistribute into EIGRP.
  I think it is also an interesting question whether the 2620 and the 3600 routers are forming EIGRP neighbor relationships. Failure to form EIGRP neighbor relationships could also cause the symptoms that you describe.
  HTH
  Rick

• Ipsec Stateful Failover issue with Dynamic-Map

  Hi all, I have an issue with a couple of Cisco ISR 2921 in Ha Ipsec Stateful Failover configuration.
  With static crypto-map, stateful works good, Ipsec sessions are correctly trasmitted from Cisco Active router to Cisco Standby router.
  With dynamic-map and profile, stateful fails, Ipsec sessions are not correctly trasmitted from Cisco Active router to Cisco Standby router.
  I tried different IOS version:152-1.T3, 152-3.T2 and 153-1.T but I have the same behavior.
  Could you help me?
  Marco

  Yes it is supported. It is supprted on VAM, VMA2, VAM2+.

• IPSec VPN establishment issues 887 - srp527

  Hey Folks,
  I'm having some problems getting an ipsec tunnel established between a cisco 887VA router and a cisco srp527w router.
  I am working from a few text books and some example materials. I have worked through many combinations of what I have got and am still struggling a little bit.
  I look at debug results and it appears as though the policies do not match between the devices:
  Jul 23 05:44:37.759: ISAKMP (0): received packet from XXX.XXX.XXX.XXX dport 500 sport 500 Global (R) MM_NO_STATE
  broute1#
  Jul 23 05:44:57.079: ISAKMP:(0):purging SA., sa=85247558, delme=85247558
  broute1#
  Jul 23 05:45:17.031: ISAKMP (0): received packet from XXX.XXX.XXX.XXX dport 500 sport 500 Global (N) NEW SA
  Jul 23 05:45:17.031: ISAKMP: Created a peer struct for XXX.XXX.XXX.XXX, peer port 500
  Jul 23 05:45:17.035: ISAKMP: New peer created peer = 0x8838C3F8 peer_handle = 0x800021CF
  Jul 23 05:45:17.035: ISAKMP: Locking peer struct 0x8838C3F8, refcount 1 for crypto_isakmp_process_block
  Jul 23 05:45:17.035: ISAKMP: local port 500, remote port 500
  Jul 23 05:45:17.035: ISAKMP:(0):insert sa successfully sa = 87D84664
  Jul 23 05:45:17.035: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  Jul 23 05:45:17.035: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1
  Jul 23 05:45:17.035: ISAKMP:(0): processing SA payload. message ID = 0
  Jul 23 05:45:17.035: ISAKMP:(0): processing vendor id payload
  Jul 23 05:45:17.035: ISAKMP:(0): vendor ID seems Unity/DPD but major 0 mismatch
  Jul 23 05:45:17.035: ISAKMP:(0): processing vendor id payload
  Jul 23 05:45:17.035: ISAKMP:(0): vendor ID is DPD
  Jul 23 05:45:17.035: ISAKMP:(0):No pre-shared key with XXX.XXX.XXX.XXX!
  Jul 23 05:45:17.035: ISAKMP : Scanning profiles for xauth ...
  Jul 23 05:45:17.035: ISAKMP:(0):Checking ISAKMP transform 0 against priority 1 policy
  Jul 23 05:45:17.035: ISAKMP:      life type in seconds
  Jul 23 05:45:17.035: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x53
  Jul 23 05:45:17.035: ISAKMP:      encryption DES-CBC
  Jul 23 05:45:17.035: ISAKMP:      hash SHA
  Jul 23 05:45:17.035: ISAKMP:      auth pre-share
  Jul 23 05:45:17.035: ISAKMP:      default group 1
  Jul 23 05:45:17.035: ISAKMP:(0):Encryption algorithm offered does not match policy!
  Jul 23 05:45:17.035: ISAKMP:(0):atts are not acceptable. Next payload is 0
  Jul 23 05:45:17.035: ISAKMP:(0):no offers accepted!
  Jul 23 05:45:17.035: ISAKMP:(0): phase 1 SA policy not acceptable! (local YYY.YYY.YYY.YYY remote
  XXX.XXX.XXX.XXX)
  Jul 23 05:45:17.035: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
  Jul 23 05:45:17.035: ISAKMP:(0): Failed to construct AG informational message.
  Jul 23 05:45:17.035: ISAKMP:(0): sending packet to XXX.XXX.XXX.XXX my_port 500 peer_port 500 (R) MM_NO_STATE
  Jul 23 05:45:17.035: ISAKMP:(0):Sending an IKE IPv4 Packet.
  Jul 23 05:45:17.035: ISAKMP:(0):peer does not do paranoid keepalives.
  Jul 23 05:45:17.035: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer
  XXX.XXX.XXX.XXX)
  Jul 23 05:45:17.035: ISAKMP:(0): processing vendor id payload
  Jul 23 05:45:17.035: ISAKMP:(0): vendor ID seems Unity/DPD but major 0 mismatch
  Jul 23 05:45:17.035: ISAKMP:(0): processing vendor id payload
  Jul 23 05:45:17.035: ISAKMP:(0): vendor ID is DPD
  Jul 23 05:45:17.035: ISAKMP (0): FSM action returned error: 2
  Jul 23 05:45:17.035: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  Jul 23 05:45:17.035: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1
  Jul 23 05:45:17.039: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer
  XXX.XXX.XXX.XXX)
  Jul 23 05:45:17.039: ISAKMP: Unlocking peer struct 0x8838C3F8 for isadb_mark_sa_deleted(), count 0
  Jul 23 05:45:17.039: ISAKMP: Deleting peer node by peer_reap for XXX.XXX.XXX.XXX: 8838C3F8
  Jul 23 05:45:17.039: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
  Jul 23 05:45:17.039: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_DEST_SA
  Here is a slightly trimmed version of my run-fig (took out things i was sure no one would need) and attached are screenshots of the IKE Policy and IPSec Policy from the srp527w
  version 15.1
  hostname broute1
  logging buffered 65535
  logging console informational
  no aaa new-model
  memory-size iomem 10
  clock timezone ESTime 10 0
  crypto pki token default removal timeout 0
  ip source-route
  controller VDSL 0
  operating mode adsl2 annex A
  ip ssh version 2
  crypto isakmp policy 1
  encr 3des
  authentication pre-share
  lifetime 28800
  crypto isakmp key PRE_SHARED_KEY_FOR_IKE(I_THINK) hostname REMOTE_HOST
  crypto ipsec transform-set JWRE_BW-1 esp-3des esp-sha-hmac
  crypto map JWRE_BW-1 10 ipsec-isakmp
  set peer XXX.XXX.XXX.XXX
  set transform-set JWRE_BW-1
  match address 101
  interface Loopback0
  no ip address
  interface ATM0
  description --- Internode ADSL ----
  no ip address
  no ip route-cache
  load-interval 30
  no atm ilmi-keepalive
  interface ATM0.1 point-to-point
  no ip route-cache
  pvc 8/35
    tx-ring-limit 3
    encapsulation aal5snap
    pppoe-client dial-pool-number 1
  interface Vlan1
  description Management Interface
  ip address AAA.AAA.AAA.AAA 255.255.255.0
  ip mtu 1452
  ip nat inside
  ip virtual-reassembly in
  no ip route-cache cef
  ip tcp adjust-mss 1420
  interface Dialer1
  description -----INTERNODE ADSL------
  mtu 1492
  ip address negotiated
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip nat outside
  ip virtual-reassembly in
  encapsulation ppp
  dialer pool 1
  dialer-group 1
  ppp chap hostname ADSL_USERNAME
  ppp chap password 7 ADSL_PASSWORD
  ppp ipcp dns request accept
  no cdp enable
  crypto map JWRE_BW-1
  logging trap debugging
  access-list 101 permit ip 192.168.7.0 0.0.0.255 10.0.1.0 0.0.0.255
  dialer-list 1 protocol ip permit
  Some specific questions:
  1) on the SRP in the example's I have used (and I have a few SRP->SRP VPN's that work) I see you need to enter the preshared key, I'm not seeing in the examples I have used anything about the IKE preshared key on the IOS box. Does anyone have any examples where you use the preshared key for IKE? I wonder if this is my primary issue as it states clearly in the log that there is no Preshared key :|
  2) I have used a mish mash of names between the various sections as on the SRP the naming convention isnt the same; ie: which parts of the IPSEC negotiation come from the IKE policy section and which from the IPSEC policy section. Do the names really matter across different ends of the VPN?
  3) I notice when I perform this command in the(config-crypto-map)#:
       set peer FQDN
  It is converted to:
       set peer XXX.XXX.XXX.XXX
  Is this expected? I want the device to look at the FQDN as this particular host is using DDNS and not use a static IP address.
  I could ask a million questions but I will leave it for there, if someone can see anything that sticks out (or can answer Q1 in particular) please let me know.
  Thanks in advance for your time and assistance folks.
  B

  If you use Main Mode, you can't use hostname on the isakmp key.
  You can use the hostname if you are using Aggressive mode on IKE, and you would also need to configure:
  crypto isakmp identity hostname
  Plus your router needs to point to a dns server that can resolve the hostname.
  Here is more information on:
  - crypto isakmp key:
  http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-c4.html#GUID-E6AD0189-B773-4332-95F0-89AFE7A9E84F
  - crypto isakmp identity:
  http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-c4.html#GUID-D3C7A306-A689-4953-9146-D4F2F861C567

• NTP Issue on cisco 3560 switch

  Hi all 
  Here is my ntp configuration 
  clock timezone GMT 4
  clock summer-time UAE recurring
  ntp server 192.168.10.254 version 2 prefer
  end
  sh ntp status 
  Clock is unsynchronized, stratum 16, no reference clock
  nominal freq is 119.2092 Hz, actual freq is 119.2092 Hz, precision is 2**17
  reference time is 00000000.00000000 (04:00:00.000 GMT Mon Jan 1 1900)
  clock offset is 0.0000 msec, root delay is 0.00 msec
  root dispersion is 0.00 msec, peer dispersion is 0.00 msec
  -SW1#sh ntp associations
        address         ref clock     st  when  poll reach  delay  offset    disp
   ~192.168.10.254   0.0.0.0          16     -    64    0     0.0    0.00  16000.
   * master (synced), # master (unsynced), + selected, - candidate, ~ configured
  -SW1#
  Please help me what i have did wrong 
  regards
  raja

  You are still not answering the question.  
  Is the appliance, with IP Address 192.168.10.254, synchronized with a valid SNTP/NTP address or not. 
  Even if you enable NTP Master (which I personally don't recommend) and your appliance is NOT synchronized to a valid NTP source, then the appliance 192.168.10.254 can potentially broadcast the WRONG time to all the appliance.  Since you've forced all downstream appliances to synchronize with a source that has the wrong NTP data (using the command "ntp master") all your network equipment will be sporting the wrong time.

• Clock with ntp issues

  For some reason ntpdate insist on setting my clock to nine hours earlier than it actually is, maybe I haven't set my timezone correctly or something, but I'm not sure what I need to do different.
  Here's what I have in my rc.conf
  HARDWARECLOCK="localtime"
  TIMEZONE="Europe/Berlin"
  I have tried both localtime and UTC for HARDWARECLOCK, but when I run
  ntpdate de.pool.ntp.org
  I always get the wrong time.
  Do I have to do anything special after changing rc.conf so it gets reloaded or something? Because that's the only thing I can think of right now.
  EDIT: I'm not sure if I put this in the right forum, if it should go somewhere else I'd be thankful if one of the mods that be would move it.

  Did you search the forums and try this...
  http://bbs.archlinux.org/viewtopic.php? … hlight=ntp

• NTP Sync issues

  Hello guys.
  I am having issues with NTP syncing on one of my ASA's. I configured the NTP server that is behind another ASA and both ASA's exchange routes via EIGRP.  Any help on this would greatly be apreciated.
  thanks
  NTP Server IP address: 172.31.254.4 behind ASA 2 inside interface (security lvl 100)
  ASA 1 cant sync time:
  Fort-ASA01(config)# sh ntp assoc
        address         ref clock     st  when  poll reach  delay  offset    disp
  ~172.31.254.4     0.0.0.0          16     -    64    0     0.0    0.00  16000.
  * master (synced), # master (unsynced), + selected, - candidate, ~ configured
  Fort-ASA01(config)# sh route | inc 172.31.254.0
  D    172.31.254.0 255.255.255.0 [90/28928] via 20.20.20.1, 831:57:30, ospf2
  Packet tracer from ASA 1 to ASA 2 Ntp Server
  Fort-ASA01(config)# packet-tracer input inside udp 2.2.1.7 1234 172.31.254.4 ntp detailed
  Phase: 1
  Type: CAPTURE
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  Forward Flow based lookup yields rule:
  in  id=0x729dd918, priority=12, domain=capture, deny=false
          hits=39403537059, user_data=0x72d14358, cs_id=0x0, l3_type=0x0
          src mac=0000.0000.0000, mask=0000.0000.0000
          dst mac=0000.0000.0000, mask=0000.0000.0000
  Phase: 2
  Type: ACCESS-LIST
  Subtype:
  Result: ALLOW
  Config:
  Implicit Rule
  Additional Information:
  Forward Flow based lookup yields rule:
  in  id=0x734e8ee8, priority=1, domain=permit, deny=false
          hits=24235320824, user_data=0x0, cs_id=0x0, l3_type=0x8
          src mac=0000.0000.0000, mask=0000.0000.0000
          dst mac=0000.0000.0000, mask=0100.0000.0000
  Phase: 3
  Type: ROUTE-LOOKUP
  Subtype: input
  Result: ALLOW
  Config:
  Additional Information:
  in   172.31.254.0    255.255.255.0   ospf2
  Phase: 4
  Type: ACCESS-LIST
  Subtype:
  Result: DROP
  Config:
  Implicit Rule
  Additional Information:
  Forward Flow based lookup yields rule:
  in  id=0x72669f08, priority=500, domain=permit, deny=true
          hits=5, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
          src ip=2.2.1.7, mask=255.255.255.255, port=0
          dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
  Result:
  input-interface: inside
  input-status: up
  input-line-status: up
  output-interface: ospf2
  output-status: up
  output-line-status: up
  Action: drop
  Drop-reason: (acl-drop) Flow is denied by configured rule

  Just the nameif states OSPF but its running EIGRP actually. Its strange because i can go into the asa that is having NTP issues and i ping 172.31.254.3 and i get a reply but when i ping 172.31.254.4 nothing. i checked for the rules on the asa's and made sure that there are no specific entries denying any access to the NTP server...
  which part of the configuration you need to see ?
  thanks

• DMVPN Dual ISPs with EIGRP

  Hi expert,
  I am facing a eigrp routing issues , Has anyone kindly assist...
  The topology as below, each router only has two tunnels and run in same eigrp AS
  Here is my question in red with underline : 
  R2: sh ip ro 
  D    192.168.30.0/24 [90/310172416] via 192.168.1.1, 01:08:05, Tunnel1
                                        [90/310172416] via 192.168.0.3, 01:08:05, Tunnel0
  R3: sh ip ro 
  D    192.168.20.0/24 [90/310172416] via 192.168.1.1, 01:12:25, Tunnel1
                                       [90/310172416] via 192.168.0.2, 01:12:25, Tunnel0
  The result see above is not my expect , as i understand :
  at R2 192.168.30.0 learn from Tunnel1 should be via192.168.1.3 not red one
  at R3 192.168.20.0 learn from Tunnel1 should be via 192.168.1.2 not red one
  because of via 192.168.1.1 , that's mean the traffic must through R1 (spoke to HUB) not Spoke to Spoke , am i right ?
  I hope the route between R2 and R3 can always use spoke to spoke tunnel 
  I also checked nhrp and ipsec status , anything looks work properly except the eigrp route i mention above.
  Here is configuration:
  R1:
  interface Loopback0
   ip address 192.168.10.254 255.255.255.0
  interface Tunnel0
   ip address 192.168.0.1 255.255.255.0
   no ip redirects
   ip accounting output-packets
   ip hold-time eigrp 1 35
   no ip next-hop-self eigrp 1
   ip nhrp authentication cisco123
   ip nhrp map multicast dynamic
   ip nhrp network-id 1
   ip nhrp holdtime 10
   ip nhrp cache non-authoritative
   no ip split-horizon eigrp 1
   tunnel source 172.16.15.2
   tunnel mode gre multipoint
   tunnel protection ipsec profile DMVPN
  interface Tunnel1
   ip address 192.168.1.1 255.255.255.0
   no ip redirects
   ip accounting output-packets
   no ip next-hop-self eigrp 1
   ip nhrp authentication cisco123
   ip nhrp map multicast dynamic
   ip nhrp network-id 2
   ip nhrp holdtime 10
   ip nhrp cache non-authoritative
   no ip split-horizon eigrp 1
   tunnel source 172.17.15.2
   tunnel mode gre multipoint
   tunnel protection ipsec profile DMVPN
  router eigrp 1
   network 192.168.0.0
   network 192.168.1.0
   network 192.168.10.0
   no auto-summary
  R2:
  interface Tunnel0
   ip address 192.168.0.2 255.255.255.0
   no ip redirects
   ip hold-time eigrp 1 35
   no ip next-hop-self eigrp 1
   ip nhrp authentication cisco123
   ip nhrp map 192.168.0.1 172.16.15.2
   ip nhrp map multicast 172.16.15.2
   ip nhrp network-id 1
   ip nhrp holdtime 10
   ip nhrp nhs 192.168.0.1
   ip nhrp cache non-authoritative
   no ip split-horizon eigrp 1
   tunnel source 172.16.25.2
   tunnel mode gre multipoint
   tunnel protection ipsec profile DMVPN
  interface Tunnel1
   ip address 192.168.1.2 255.255.255.0
   no ip redirects
   no ip next-hop-self eigrp 1
   ip nhrp authentication cisco123
   ip nhrp map 192.168.1.1 172.17.15.2
   ip nhrp map multicast 172.17.15.2
   ip nhrp network-id 2
   ip nhrp holdtime 10
   ip nhrp nhs 192.168.1.1
   ip nhrp cache non-authoritative
   no ip split-horizon eigrp 1
   tunnel source 172.17.25.2
   tunnel mode gre multipoint
   tunnel protection ipsec profile DMVPN
  router eigrp 1
   network 192.168.0.0
   network 192.168.1.0
   network 192.168.20.0
   no auto-summary
  R3
  interface Loopback0
   ip address 192.168.30.254 255.255.255.0
  interface Tunnel0
   ip address 192.168.0.3 255.255.255.0
   no ip redirects
   ip hold-time eigrp 1 35
   no ip next-hop-self eigrp 1
   ip nhrp authentication cisco123
   ip nhrp map 192.168.0.1 172.16.15.2
   ip nhrp map multicast 172.16.15.2
   ip nhrp network-id 1
   ip nhrp holdtime 10
   ip nhrp nhs 192.168.0.1
   ip nhrp cache non-authoritative
   no ip split-horizon eigrp 1
   tunnel source 172.16.35.2
   tunnel mode gre multipoint
   tunnel protection ipsec profile DMVPN
  interface Tunnel1
   ip address 192.168.1.3 255.255.255.0
   no ip redirects
   no ip next-hop-self eigrp 1
   ip nhrp authentication cisco123
   ip nhrp map 192.168.1.1 172.17.15.2
   ip nhrp map multicast 172.17.15.2
   ip nhrp network-id 2
   ip nhrp holdtime 10
   ip nhrp nhs 192.168.1.1
   ip nhrp cache non-authoritative
   no ip split-horizon eigrp 1
   tunnel source 172.17.35.2
   tunnel mode gre multipoint
   tunnel protection ipsec profile DMVPN
  router eigrp 1
   network 192.168.0.0
   network 192.168.1.0
   network 192.168.30.0

  Hi AllertGen ,
  Each each router's tunnel0 and tunnel1 are work well , they all can ping each other ip as well via tunnel 0 and tunnel 1 (192.168.0.0/24 & 192.168.1.0/24)
  and also at each router has two physical interface connect to different ISP.
  In this topology ,my purpose is when spoke to spoke , they will has two routes via two NHRP cloulds , i keep the same eigrp priority at each router just for equal cost load sharing ,the more important thing is the next hop IP.
  Actually , The ipsec function is not my concern so far,  i just try your suggestion add the "shared" at the end of the line , its still has same result , but as i understand , if there is any wrong with ipsec profile, the tunnel won't work well , am i right ?
  Thanks for your kind assist
  Here is some show result at each router , hope that's helpful.
  R1
  R1#sh ip int bri
  Interface                  IP-Address      OK? Method Status                Protocol
  FastEthernet0/0            172.16.15.2     YES NVRAM  up                    up      
  FastEthernet0/1            172.17.15.2     YES NVRAM  up                    up      
  Loopback0                  192.168.10.254  YES NVRAM  up                    up      
  Tunnel0                    192.168.0.1     YES NVRAM  up                    up      
  Tunnel1                    192.168.1.1     YES NVRAM  up                    up    
  R1#sh dmvpn 
  Tunnel0, Type:Hub, NHRP Peers:2, 
   # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
       1     172.16.25.2     192.168.0.2    UP    never D    
       1     172.16.35.2     192.168.0.3    UP    never D    
  Tunnel1, Type:Hub, NHRP Peers:2, 
   # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
       1     172.17.25.2     192.168.1.2    UP    never D    
       1     172.17.35.2     192.168.1.3    UP    never D 
  R1#sh ip eigrp top
  P 192.168.10.0/24, 1 successors, FD is 128256
          via Connected, Loopback0
  P 192.168.0.0/24, 1 successors, FD is 297244416
          via Connected, Tunnel0
  P 192.168.1.0/24, 1 successors, FD is 297244416
          via Connected, Tunnel1
  P 192.168.30.0/24, 2 successors, FD is 297372416
          via 192.168.0.3 (297372416/128256), Tunnel0
          via 192.168.1.3 (297372416/128256), Tunnel1
  P 192.168.20.0/24, 2 successors, FD is 297372416
          via 192.168.0.2 (297372416/128256), Tunnel0
          via 192.168.1.2 (297372416/128256), Tunnel1
  R1#sh ip nhrp 
  192.168.0.2/32 via 192.168.0.2, Tunnel0 created 20:53:39, expire 00:00:07
    Type: dynamic, Flags: unique nat registered used 
    NBMA address: 172.16.25.2 
  192.168.0.3/32 via 192.168.0.3, Tunnel0 created 20:53:38, expire 00:00:08
    Type: dynamic, Flags: unique nat registered used 
    NBMA address: 172.16.35.2 
  192.168.1.2/32 via 192.168.1.2, Tunnel1 created 4d17h, expire 00:00:07
    Type: dynamic, Flags: unique nat registered used 
    NBMA address: 172.17.25.2 
  192.168.1.3/32 via 192.168.1.3, Tunnel1 created 4d17h, expire 00:00:08
    Type: dynamic, Flags: unique nat registered used 
    NBMA address: 172.17.35.2 
  R2
  R2#sh ip int bri
  Interface                  IP-Address      OK? Method Status                Protocol
  FastEthernet0/0            172.16.25.2     YES NVRAM  up                    up      
  FastEthernet0/1            172.17.25.2     YES NVRAM  up                    up      
  Loopback0                  192.168.20.254  YES NVRAM  up                    up      
  Tunnel0                    192.168.0.2     YES NVRAM  up                    up      
  Tunnel1                    192.168.1.2     YES NVRAM  up                    up      
  R2#sh dmvpn 
  Tunnel0, Type:Spoke, NHRP Peers:2, 
   # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
       1     172.16.15.2     192.168.0.1    UP    4d17h S    
       1     172.16.35.2     192.168.0.3    UP    never D    
  Tunnel1, Type:Spoke, NHRP Peers:2, 
   # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
       1     172.17.15.2     192.168.1.1    UP    4d17h S    
       1     172.17.35.2     192.168.1.3    UP    never D    
  R2#sh ip eigrp topology 
  P 192.168.10.0/24, 2 successors, FD is 297372416
          via 192.168.0.1 (297372416/128256), Tunnel0
          via 192.168.1.1 (297372416/128256), Tunnel1
  P 192.168.0.0/24, 1 successors, FD is 297244416
          via Connected, Tunnel0
  P 192.168.1.0/24, 1 successors, FD is 297244416
          via Connected, Tunnel1
  P 192.168.30.0/24, 2 successors, FD is 310172416
         192.168.0.3 via 192.168.0.1 (310172416/297372416), Tunnel0
          via 192.168.1.1 (310172416/297372416), Tunnel1
  P 192.168.20.0/24, 1 successors, FD is 128256
          via Connected, Loopback0
  R2#sh ip nhrp 
  192.168.0.1/32 via 192.168.0.1, Tunnel0 created 4d20h, never expire 
    Type: static, Flags: nat used 
    NBMA address: 172.16.15.2 
  192.168.0.3/32 via 192.168.0.3, Tunnel0 created 00:00:14, expire 00:00:51
    Type: dynamic, Flags: router nat 
    NBMA address: 172.16.35.2 
  192.168.1.1/32 via 192.168.1.1, Tunnel1 created 4d20h, never expire 
    Type: static, Flags: nat used 
    NBMA address: 172.17.15.2 
  192.168.1.3/32 via 192.168.1.3, Tunnel1 created 00:00:12, expire 00:00:53
    Type: dynamic, Flags: router nat 
    NBMA address: 172.17.35.2
  R3
  R3#sh ip int bri
  Interface                  IP-Address      OK? Method Status                Protocol
  FastEthernet0/0            172.16.35.2     YES NVRAM  up                    up      
  FastEthernet0/1            172.17.35.2     YES NVRAM  up                    up      
  Loopback0                  192.168.30.254  YES NVRAM  up                    up      
  Tunnel0                    192.168.0.3     YES NVRAM  up                    up      
  Tunnel1                    192.168.1.3     YES NVRAM  up                    up      
  R3#sh dmvpn        
  Tunnel0, Type:Spoke, NHRP Peers:2, 
   # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
       1     172.16.15.2     192.168.0.1    UP    4d17h S    
       1     172.16.25.2     192.168.0.2    UP    never D    
  Tunnel1, Type:Spoke, NHRP Peers:2, 
   # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
       1     172.17.15.2     192.168.1.1    UP    4d17h S    
       1     172.17.25.2     192.168.1.2    UP    never D    
  R3#sh ip eigrp topology 
  P 192.168.10.0/24, 2 successors, FD is 297372416
          via 192.168.0.1 (297372416/128256), Tunnel0
          via 192.168.1.1 (297372416/128256), Tunnel1
  P 192.168.0.0/24, 1 successors, FD is 297244416
          via Connected, Tunnel0
  P 192.168.1.0/24, 1 successors, FD is 297244416
          via Connected, Tunnel1
  P 192.168.30.0/24, 1 successors, FD is 128256
          via Connected, Loopback0
  P 192.168.20.0/24, 2 successors, FD is 310172416
         192.168.0.2 via 192.168.0.1 (310172416/297372416), Tunnel0
          via 192.168.1.1 (310172416/297372416), Tunnel1
  R3#sh ip nhrp 
  192.168.0.1/32 via 192.168.0.1, Tunnel0 created 4d17h, never expire 
    Type: static, Flags: nat used 
    NBMA address: 172.16.15.2 
  192.168.0.2/32 via 192.168.0.2, Tunnel0 created 00:00:43, expire 00:00:22
    Type: dynamic, Flags: router nat 
    NBMA address: 172.16.25.2 
  192.168.1.1/32 via 192.168.1.1, Tunnel1 created 4d17h, never expire 
    Type: static, Flags: nat used 
    NBMA address: 172.17.15.2 
  192.168.1.2/32 via 192.168.1.2, Tunnel1 created 00:01:02, expire 00:00:48
    Type: dynamic, Flags: router nat implicit used 
    NBMA address: 172.17.25.2 

• IpSec VPN and NAT don't work togheter on HP MSR 20 20

  Hi People,
  I'm getting several issues, let me explain:
  I have a Router HP MSR with 2 ethernet interfaces, Eth 0/0 - WAN (186.177.159.98) and Eth 0/1 LAN (192.168.100.0 /24). I have configured a VPN site to site thru the internet, and it works really well. The other site has the subnet 10.10.10.0 and i can reache the network thru the VPN Ipsec. The issue is that the network 192.168.100.0 /24 needs to reach internet with the same public address, so I have set a basic NT configuration, when I put the nat configuration into Eth 0/0 all network 192.168.100.0 can go to internet, but the VPN goes down, when I remove the NAT from Eth 0/0 the VPN goes Up, but the network 192.168.100.0 Can't go to internet.
  I'm missing something but i don't know what it is !!!!, See below the configuration.
  Can anyone help me qith that, I need to send te traffic with target 10.10.10.0 thru the VPN, and all other traffic to internet, Basically I need that NAT and VPN work fine at same time.
  Note: I just have only One public Ip address.
  version 5.20, Release 2207P41, Standard
  sysname HP
  nat address-group 1 186.177.159.93 186.177.159.93
  domain default enable system
  dns proxy enable
  telnet server enable
  dar p2p signature-file cfa0:/p2p_default.mtd
  port-security enable
  acl number 2001
  rule 0 permit source 192.168.100.0 0.0.0.255
  rule 5 deny
  acl number 3000
  rule 0 permit ip source 192.168.100.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
  vlan 1
  domain system
  access-limit disable
  state active
  idle-cut disable
  self-service-url disable
  ike proposal 1
  encryption-algorithm 3des-cbc
  dh group2
  ike proposal 10
  encryption-algorithm 3des-cbc
  dh group2
  ike peer vpn-test
  proposal 1
  pre-shared-key cipher wrWR2LZofLx6g26QyYjqBQ==
  remote-address <Public Ip from VPN Peer>
  local-address 186.177.159.93
  nat traversal
  ipsec proposal vpn-test
  esp authentication-algorithm sha1
  esp encryption-algorithm 3des
  ipsec policy vpntest 30 isakmp
  connection-name vpntest.30
  security acl 3000
  pfs dh-group2
  ike-peer vpn-test
  proposal vpn-test
  dhcp server ip-pool vlan1 extended
  network mask 255.255.255.0
  user-group system
  group-attribute allow-guest
  local-user admin
  password cipher .]@USE=B,53Q=^Q`MAF4<1!!
  authorization-attribute level 3
  service-type telnet
  service-type web
  cwmp
  undo cwmp enable
  interface Aux0
  async mode flow
  link-protocol ppp
  interface Cellular0/0
  async mode protocol
  link-protocol ppp
  interface Ethernet0/0
  port link-mode route
  nat outbound 2001 address-group 1
  nat server 1 protocol tcp global current-interface 3389 inside 192.168.100.20 3389
  ip address dhcp-alloc
  ipsec policy vpntest
  interface Ethernet0/1
  port link-mode route
  ip address 192.168.100.1 255.255.255.0
  interface NULL0
  interface Vlan-interface1
  undo dhcp select server global-pool
  dhcp server apply ip-pool vlan1

  ewaller wrote:
  What is under the switches tab?
  Oh -- By the way, that picture is over the size limit defined in the forum rules in tems of pixels, but the file size is okay.  I'll let it slide.  Watch the bumping as well.
  If you want to post the switches tab, upload it to someplace like http://img3.imageshack.us/, copy the thumbnail (which has the link to the original)  back here, and you are golden.
  I had a bear of a time getting the microphone working on my HP DV4, but it does work.  I'll look at the set up when I get home tonight [USA-PDT].
  Sorry for the picture and the "bumping"... I have asked in irc in arch and alsa channels and no luck yet... one guy from alsa said I had to wait for the alsa-driver-1.0.24 package (currently I have alsa-driver-1.0.23) but it is weird because the microphone worked some months ago...
  So here is what it is under the switches tab

• Cisco ASA 5505 VPN connection issue ("Unable to add route")

  I'm trying to get IPSec VPN working onto a new Cisco ASA5505. Pretty standard configuration.
  Setup:
  * Cisco VPN client on Windows 7 (v5.0.07.0290 x64 on Laptop1 and v5.0.07.0440 x64 on Laptop2)
  * PPPoE/NAT and internal DHCP on the ASA were configured with the Startup Wizard in ASDM
  NATting is working fine - internal PCs get an IP address in the 192.168.2.0/24 range and can all access the Internet.
  I wanted to be able to connect from anywhere to the ASA in order to reach one of the internal servers. Should be pretty basic.
  First I tried with the built-in ASDM IPSec Wizard, instructions found here.
  VPN clients can connect to the ASA, are connected (until they're manually disconnected), but cannot reach the internal network nor the Internet. Note VPN client can connect fine to a different VPN site (not administered by myself).
  Client logs show following error messages:
  1 15:53:09.363 02/11/12 Sev=Warning/3     IKE/0xA300005F
  Firewall, Cisco Intrusion Prevention Security Agent, is not running, the client will not send firewall information to concentrator.
  2 15:53:13.593 02/11/12 Sev=Warning/2     CVPND/0xE3400013
  AddRoute failed to add a route with metric of 0: code 160
  Destination     192.168.1.255
  Netmask     255.255.255.255
  Gateway     172.16.1.1
  Interface     172.16.1.101
  3 15:53:13.593 02/11/12 Sev=Warning/2     CM/0xA3100024
  Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: ac100165, Gateway: ac100101.
  4 15:54:30.425 02/11/12 Sev=Warning/2     CVPND/0xA3400015
  Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=172.16.1.101, error 0
  5 15:54:31.433 02/11/12 Sev=Warning/2     CVPND/0xA3400015
  Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=172.16.1.101, error 0
  6 15:54:32.445 02/11/12 Sev=Warning/2     CVPND/0xA3400015
  Error with call to IpHlpApi.DLL: CleanUpVASettings: Was able to delete all VA settings after all, error 0
  7 20:50:45.355 02/11/12 Sev=Warning/3     IKE/0xA300005F
  Firewall, Cisco Intrusion Prevention Security Agent, is not running, the client will not send firewall information to concentrator.
  8 20:50:50.262 02/11/12 Sev=Warning/2     CVPND/0xE3400013
  AddRoute failed to add a route with metric of 0: code 160
  Destination     192.168.1.255
  Netmask     255.255.255.255
  Gateway     172.16.1.1
  Interface     172.16.1.100
  9 20:50:50.262 02/11/12 Sev=Warning/2     CM/0xA3100024
  Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: ac100164, Gateway: ac100101.
  I've already tried the suggestions from this link, although the problem is different there (as the user can still access the internet, even without split tunneling, which I cannot).
  A show run shows the following output (note in the below I have tried a different VPN network: 192.168.3.0/24 instead of 172.16.1.0/24 seen in the Client log)
  Result of the command: "sh run"
  : Saved
  ASA Version 8.2(5)
  hostname AsaDWD
  enable password kLu0SYBETXUJHVHX encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.2.254 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  pppoe client vpdn group DW-VPDN
  ip address pppoe setroute
  ftp mode passive
  access-list inside_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.240
  pager lines 24
  logging enable
  logging asdm informational
  mtu outside 1500
  mtu inside 1500
  ip local pool DWD-VPN-Pool 192.168.3.5-192.168.3.15 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 1 0.0.0.0 0.0.0.0
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 192.168.2.0 255.255.255.0 inside
  http 0.0.0.0 0.0.0.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  vpdn group DW-VPDN request dialout pppoe
  vpdn group DW-VPDN localname fa******@SKYNET
  vpdn group DW-VPDN ppp authentication pap
  vpdn username fa******@SKYNET password *****
  dhcpd auto_config outside
  dhcpd address 192.168.2.5-192.168.2.36 inside
  dhcpd domain DOMAIN interface inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  group-policy DWD internal
  group-policy DWD attributes
  vpn-tunnel-protocol IPSec
  username test password ******* encrypted privilege 0
  username test attributes
  vpn-group-policy DWD
  tunnel-group DWD type remote-access
  tunnel-group DWD general-attributes
  address-pool DWD-VPN-Pool
  default-group-policy DWD
  tunnel-group DWD ipsec-attributes
  pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
  message-length maximum client auto
  message-length maximum 512
  policy-map global_policy
  class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:3e6c9478a1ee04ab2e1e1cabbeddc7f4
  : end
  I've installed everything using the CLI as well (after a factory reset). This however yielded exactl the same issue.
  Following commands have been entered:
  ip local pool vpnpool 172.16.1.100-172.16.1.199 mask 255.255.255.0
  username *** password ****
  isakmp policy 1 authentication pre-share
  isakmp policy 1 encryption 3des
  isakmp policy 1 hash sha
  isakmp policy 1 group 2
  isakmp policy 1 lifetime 43200
  isakmp enable outside
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
  crypto dynamic-map outside_dyn_map 10 set reverse-route
  crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000
  crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
  crypto map outside_map interface outside
  crypto isakmp nat-traversal
  sysopt connection permit-ipsec
  sysopt connection permit-vpn
  group-policy dwdvpn internal
  group-policy dwdvpn attributes
  vpn-tunnel-protocol IPSec
  default-domain value DWD
  tunnel-group dwdvpn type ipsec-ra
  tunnel-group dwdvpn ipsec-attributes
  pre-shared-key ****
  tunnel-group dwdvpn general-attributes
  authentication-server-group LOCAL
  default-group-policy dwdvpn
  Unfortunately I'm getting the same "AddRoute failed to add a route with metric of 0: code 160" error message.
  I'm very confused as this should be a pretty standard setup. I tried to follow the instructions on the Cisco site to the letter...
  The only "differences" in my setup are an internal network of 192.168.2.0 (with ASA IP address 192.168.2.254) and PPPoE with DHCP instead of no PPPoE at all.
  Does anyone know what's going on?

  Yes, I have tried from a different laptop - same results. Using that laptop I can connect to a different IPSec site without issues.
  Please find my renewed config below:
  DWD-ASA(config)# sh run: Saved:ASA Version 8.2(5) !hostname DWD-ASAenable password ******* encryptedpasswd ****** encryptednames!interface Ethernet0/0 switchport access vlan 2!interface Ethernet0/1!interface Ethernet0/2!interface Ethernet0/3!interface Ethernet0/4!interface Ethernet0/5!interface Ethernet0/6!interface Ethernet0/7!interface Vlan1 nameif inside security-level 100 ip address 192.168.2.254 255.255.255.0 !interface Vlan2 nameif outside security-level 0 pppoe client vpdn group DWD ip address pppoe setroute !ftp mode passiveaccess-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.224 pager lines 24logging asdm informationalmtu inside 1500mtu outside 1500ip local pool vpnpool 192.168.50.10-192.168.50.20 mask 255.255.255.0icmp unreachable rate-limit 1 burst-size 1no asdm history enablearp timeout 14400global (outside) 1 interfacenat (inside) 0 access-list inside_nat0_outboundnat (inside) 1 0.0.0.0 0.0.0.0timeout xlate 3:00:00timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolutetimeout tcp-proxy-reassembly 0:01:00timeout floating-conn 0:00:00dynamic-access-policy-record DfltAccessPolicyhttp server enablehttp 192.168.2.0 255.255.255.0 insidehttp 0.0.0.0 0.0.0.0 outsideno snmp-server locationno snmp-server contactsnmp-server enable traps snmp authentication linkup linkdown coldstartcrypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac crypto ipsec security-association lifetime seconds 28800crypto ipsec security-association lifetime kilobytes 4608000crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAPcrypto map outside_map interface outsidecrypto isakmp enable outsidecrypto isakmp policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 86400telnet timeout 5ssh 0.0.0.0 0.0.0.0 outsidessh timeout 5console timeout 0vpdn group DWD request dialout pppoevpdn group DWD localname *****@SKYNETvpdn group DWD ppp authentication papvpdn username *****@SKYNET password ***** dhcpd auto_config outside!dhcpd address 192.168.2.10-192.168.2.40 insidedhcpd enable inside!threat-detection basic-threatthreat-detection statistics access-listno threat-detection statistics tcp-interceptwebvpn enable outside svc enablegroup-policy DfltGrpPolicy attributes vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpngroup-policy dwdipsec internalgroup-policy dwdipsec attributes vpn-tunnel-protocol IPSec default-domain value DWDDOMusername user1 password ***** encrypted privilege 0username user1 attributes vpn-group-policy dwdipsectunnel-group dwdipsec type remote-accesstunnel-group dwdipsec general-attributes address-pool vpnpool default-group-policy dwdipsectunnel-group dwdipsec ipsec-attributes pre-shared-key *****tunnel-group dwdssl type remote-accesstunnel-group dwdssl general-attributes address-pool vpnpool!class-map inspection_default match default-inspection-traffic!!policy-map type inspect dns preset_dns_map parameters  message-length maximum client auto  message-length maximum 512policy-map global_policy class inspection_default  inspect dns preset_dns_map   inspect ftp   inspect h323 h225   inspect h323 ras   inspect rsh   inspect rtsp   inspect esmtp   inspect sqlnet   inspect skinny    inspect sunrpc   inspect xdmcp   inspect sip    inspect netbios   inspect tftp   inspect ip-options !service-policy global_policy globalprompt hostname context no call-home reporting anonymousCryptochecksum:f5c8dd644aa2a27374a923671da1c834: endDWD-ASA(config)#

• NTP Problem

  Hi everybody,
  I need help about ntp issue on my Cisco MDS (m9100-s2ek9-kickstart-mz.5.0.1a.bin ,  m9100-s2ek9-mz.5.0.1a.bin)
  All my Cisco network equipements synchronises to my ntp server (Cisco catalyst 6500) without any problem except Cisco MDS equipement.
  i have these informations:
  ntpd[1213]: ntp:frequency error 512 PPM exceeds tolerance 500 PPM
  2010 Sep 28 09:35:10 LV2-SWS-MDS1B ntpd[1355]: ntp:time reset +2.829312 s
  and this is my configuration on my Cisco MDS:
  ntp server 192.168.7.12
  ntp source-interface  mgmt0
  on my Catalyst 6500, i just define "ntp master" and "ntp source vlan 7"
  Could you give me some informations to resolve this issue.
  Thanks a lot
  Best regards
  Geoffrey

  Is this initial NTP configuration on the MDS? If so, and if the MDS clock is way off, can you set the clock manually once using "clock set x" command and then let NTP synchronize?

• IPsec VIDs

  Hello
  I would like to make a list with Vendor IDs, their Hex values and their purpose.
  I am not aware of any document that mentions their usage and values so I would like to make one.
  The reason for this is that in some outputs (e.g. 'capture CAP type isakmp' or 'debug crypto ikev1 255') on ASA you see only the Hex values of the VID.
  I will make the beginning by combining outputs from the above debug commands along with Wireshark captures and list some of the VIDs and their usage. Please feel free to continue the update/correction of the list:
  Vendor ID
  Data (In Hex): 09 00 26 89 df d6 b7 12
  Name: draft-beaulieu-ike-xauth-02.txt (XAUTH)
  Usage: In my opinion this VID informs the Responder that the Initiator is using Aggressive mode.
  Data (In Hex): af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00
  Name: RFC 3706 Detecting Dead IKE Peers (DPD)
  Usage: In my opinion this VID informs the Responder that the Initiator supports DPD.
  Data (In Hex): 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3 80 00 00 00
  Name: Cisco Fragmentation
  Usage: ?
  Data (In Hex): 90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
  Name: draft-ietf-ipsec-nat-t-ike-02\n
  Usage: Advertises the capability of the device to support NAT-T (NAT Traversal Support)
  Data (In Hex): 12 f5 f2 8c 45 71 68 a9 70 2d 9f e2 74 cc 01 00
  Name: CISCO-UNITY-1.0
  Usage: ?
  Regards
  Mikis Zafeiroudis

  If your connections are breaking due to NAT/IPSEC-being-blocked issues, then SSL VPNs have a better chance as 443 is rarely blocked. But if your IPSEC VPN is properly setup with NAT-T and keepalives, they should work through most networks.
  You need to post more details about the existing issues to comment further.
  Regards
  Farrukh

• NTP help

  Hello all! Hope all are having a great day!
  I'm trying to get caught up with NTP issues. Perhaps someone can assist me with some NTP questions that I have.
  I understand what NTP is used for. And I understand the basic premises of how Cisco is using NTP. So, with that in mind, let me give you my scenario.
  Our network is a switched network, with a 3750 as the "LANCORE" switch. With have about 6 distro switchs (3750s), and the rest are daisy chained off the distro switches. So, each distro has anywhere from 10-12 switchs as spokes, with the distro being the hub. That's the basics.
  Now, as of late, I've become interested in reviewing the syslogs, especially since I"m working on my CCNA security. I suddenly became aware that a lot of the switches in the network have horrible time settings. So let me break down what's occurred as I think happened:
  Correct time:
  There are a handful of switches that have the ntp server set as the LANCORE switch, let's call it 172.16.1.1. Authentication is set up between these devices. But when you do a "sho NTP status", it shows that the clock is unsynchronized. The LANCORE switch, 172.16.1.1, is set up to point to the DC of the network as it's source. I think when you do a "sho NTP ass" on this switch, it shows the two domain controller's IP addresses in the first column, then a reference time IP address in the 2nd column. If I'm correct, isn't that what the DC is pointing to to get it's time from?
  Even so, why isn't it showing the clock synchronized? The DC's, as being servers, SHOULD be using NTP so they talk to each other. Microsoft is very very touchy about the clocks being in synch. My only unanswered question would be if the DC's are set up to talk to the LANCORE switch with NTP, which since they were configured like that, I'm guessing there were.
  Incorrect time:
  There are a bunch of devices that are showing incorrect date and time (I'm guessing some kind of default). Their configs are pointing to a device, let's say 172.16.2.1. However, that device is no longer on the network. So I'm guessing that the switches are not contacting that device, and are defaulting to this incorrect date/time combo. It looks like I'll just have to reconfigure all of those switches to point back to the scenario above.
  Any thoughts or suggestions would be appreciated

  Leo's solution was what we used in a secure environment. A dedicated NTP appliance (Datum Tymserve 2100 if memory serves) connected via a rooftop antenna (with optical isolators for that input signal). I see you can pick one up on e-Bay for about US$500 if you're so inclined.
  That said, I've always personally thought NTP authentication was overblown. Exactly what threat are you protecting against? I'd advocate a scheme such I used more recently - point your edge device(s) (e.g. a firewall cluster) to an external (well-known public) NTP source. Point your internal devices (routers, switches and Windows DCs to the firewall as their NTP master. A good firewall (I was using Juniper Netscreens) will report itself as Stratum 1 based on its clock stability.
  Regarding load, NTP is a very low load service. Unless you have thousands (or tens of thousands) of devices all hitting the same server, load due to serving NTP should be negligible.
  Do be sure to setup your devices to set their calendars as well as clocks using NTP and the other best practices as described in Cisco's various documents.