IPSEC EIGRP NTP issues
Fellow networkers,
I am having difficulty setting up my tunnel correctly and synching time. I am hoping I could get some ideas or even a solution. Thank you much.
I have two 3945s connected to each other. One 3945 (Enc1) is connected to our router and gets its time and synchs appropriately. The second 3945 (Enc2) is only connected to the first 3945 and does not synch its time nor create the tunnel. They use 15.2.1(T) Universal K9 as an OS; here are the abbreviated configs:
Update: My guess is ACL 103 needs modification because the log shows "list 103 denied eigrp from x.x.x.137" or ".138", which I believe is NTP related. But wouldn't the tunnel be created first, and then the EIGRP traffic would just flow?
Enc1:
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
lifetime 43200
crypto isakmp key three address x.x.x.138
crypto ipsec transform-set ESP_SHA_AES256_AH_MD5 ah-md5-hmac esp-aes 256 esp-sha-hmac
crypto ipsec df-bit clear
crypto ipsec profile Profile
set transform-set ESP_SHA_AES256_AH_MD5
set pfs group5
crypto map JACKSON 1 ipsec-isakmp
set peer x.x.x.138
set transform-set ESP_SHA_AES256_AH_MD5
match address 101
interface Tunnel3
ip address x.x.x.157 255.255.255.252
ip mtu 1420
tunnel source GigabitEthernet0/1
tunnel destination x.x.x.138
tunnel path-mtu-discovery
interface Loopback0
ip address x.x.x.x 255.255.255.255
interface GigabitEthernet0/1
ip address x.x.x.137 255.255.255.252
ip access-group 103 in
ip verify unicast source reachable-via any
no ip redirects
no ip unreachables
no ip proxy-arp
ip authentication mode eigrp 7 md5
ip authentication key-chain eigrp 7 REGGIE
ip route-cache flow
duplex auto
speed auto
media-type sfp
no cdp enable
no mop enabled
crypto map JACKSON
router eigrp 10
passive-interface default
no passive-interface GigabitEthernet0/1
network x.x.x.x
no auto-summary
access-list 101 permit gre any any
access-list 103 permit udp any any eq isakmp
access-list 103 permit udp any eq isakmp any
access-list 103 permit esp any any
access-list 103 deny ip any any log
Enc2:
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
lifetime 43200
crypto isakmp key three address x.x.x.137
crypto ipsec transform-set ESP_SHA_AES256_AH_MD5 ah-md5-hmac esp-aes 256 esp-sha-hmac
crypto ipsec df-bit clear
crypto ipsec profile Profile
set transform-set ESP_SHA_AES256_AH_MD5
set pfs group5
crypto map ADDIE 1 ipsec-isakmp
set peer x.x.x.137
set transform-set ESP_SHA_AES256_AH_MD5
match address 101
interface Tunnel3
ip address x.x.x.158 255.255.255.252
ip mtu 1420
tunnel source GigabitEthernet0/1
tunnel destination x.x.x.137
tunnel path-mtu-discovery
interface Loopback0
ip address x.x.x.x 255.255.255.255
interface GigabitEthernet0/1
ip address x.x.x.138 255.255.255.252
ip access-group 103 in
ip verify unicast source reachable-via any
no ip redirects
no ip unreachables
no ip proxy-arp
ip authentication mode eigrp 7 md5
ip authentication key-chain eigrp 7 REGGIE
ip route-cache flow
duplex auto
speed auto
media-type sfp
no cdp enable
no mop enabled
crypto map ADDIE
router eigrp 10
passive-interface default
no passive-interface GigabitEthernet0/1
network x.x.x.x
no auto-summary
access-list 101 permit gre any any
access-list 103 permit udp any any eq isakmp
access-list 103 permit udp any eq isakmp any
access-list 103 permit esp any any
access-list 103 deny ip any any log
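The kind of check the "Update" paragraph is reaching for, as an added example that is not part of the thread: a Python script reads the Enc1 snippet and lists which of the protocols that the crypto map, its transform set and the non-passive EIGRP process will put on GigabitEthernet0/1 the inbound ACL 103 does not permit. It only considers traffic that reaches the interface in the clear or as the outer IPsec header, and assumes the redacted network statements cover GigabitEthernet0/1.

```python
"""Added example, not from the thread: does the inbound ACL on an IOS interface
permit the protocols that the crypto map and EIGRP process bound to that same
interface will put on the wire?  ENC1 is the Enc1 snippet from the post, cut
down to the lines this check reads and indented the way IOS prints it."""
import re
from typing import Dict, List, Optional, Tuple

ENC1 = """\
crypto ipsec transform-set ESP_SHA_AES256_AH_MD5 ah-md5-hmac esp-aes 256 esp-sha-hmac
crypto map JACKSON 1 ipsec-isakmp
 set transform-set ESP_SHA_AES256_AH_MD5
interface GigabitEthernet0/1
 ip access-group 103 in
 crypto map JACKSON
router eigrp 10
 passive-interface default
 no passive-interface GigabitEthernet0/1
access-list 103 permit udp any any eq isakmp
access-list 103 permit udp any eq isakmp any
access-list 103 permit esp any any
access-list 103 deny ip any any log
"""

PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "ntp": 123}
Rule = Tuple[str, str, Optional[int], Optional[int]]  # action/label, proto, sport, dport

def blocks(cfg: str) -> Dict[str, List[str]]:
    """Group indented sub-commands under their top-level command line."""
    out: Dict[str, List[str]] = {}
    current = ""
    for line in (l for l in cfg.splitlines() if l.strip()):
        if not line.startswith(" "):
            current = line.strip()
            out.setdefault(current, [])
        else:
            out.setdefault(current, []).append(line.strip())
    return out

def acl_rules(cfg: str, number: str) -> List[Rule]:
    """Numbered-ACL entries in the 'any [eq p] any [eq p]' form the post uses."""
    pat = re.compile(rf"^access-list {number} (permit|deny) (\S+) any(?: eq (\S+))? any(?: eq (\S+))?")
    rules: List[Rule] = []
    for m in filter(None, (pat.match(l.strip()) for l in cfg.splitlines())):
        action, proto, sport, dport = m.groups()
        ports = [None if p is None else PORT_NAMES.get(p) or int(p) for p in (sport, dport)]
        rules.append((action, proto, ports[0], ports[1]))
    return rules

def acl_permits(rules: List[Rule], proto: str, sport: Optional[int], dport: Optional[int]) -> bool:
    """First match wins, 'ip' matches any protocol, no match is the implicit deny."""
    for action, rproto, rsport, rdport in rules:
        if rproto in ("ip", proto) and rsport in (None, sport) and rdport in (None, dport):
            return action == "permit"
    return False

def transform_protocols(b: Dict[str, List[str]], name: str) -> List[Rule]:
    """Outer IP protocol of a transform set: any ah-* transform puts AH (51,
    ACL keyword 'ahp') outermost; an ESP-only set arrives as ESP (50)."""
    for key in b:
        if key.startswith(f"crypto ipsec transform-set {name} "):
            words = key.split()[4:]
            if any(w.startswith("ah-") for w in words):
                return [("ahp", "ahp", None, None)]
            if any(w.startswith("esp-") for w in words):
                return [("esp", "esp", None, None)]
    return []

def wire_traffic(cfg: str, iface: str) -> List[Rule]:
    """Flows that reach the inbound ACL of `iface` in the clear or as the outer
    IPsec header: ISAKMP, AH/ESP from the crypto map bound there, and EIGRP hellos
    if the interface is not passive (assumption: a 'network' statement covers it)."""
    b = blocks(cfg)
    flows: List[Rule] = [("isakmp", "udp", 500, 500)]
    for cmd in b.get(f"interface {iface}", []):
        m = re.match(r"crypto map (\S+)$", cmd)
        if not m:
            continue
        for key, sub in b.items():
            if key.startswith(f"crypto map {m.group(1)} "):
                for s in sub:
                    ts = re.match(r"set transform-set (\S+)", s)
                    if ts:
                        flows += transform_protocols(b, ts.group(1))
    for key, sub in b.items():
        if key.startswith("router eigrp") and f"passive-interface {iface}" not in sub and (
                "passive-interface default" not in sub or f"no passive-interface {iface}" in sub):
            flows.append(("eigrp", "eigrp", None, None))
    return flows

def missing_permits(cfg: str, iface: str) -> List[str]:
    """Labels of the flows the inbound ACL on `iface` drops; [] if no ACL is bound."""
    acls = [m.group(1) for m in (re.match(r"ip access-group (\S+) in$", c)
                                 for c in blocks(cfg).get(f"interface {iface}", [])) if m]
    if not acls:
        return []
    rules = acl_rules(cfg, acls[0])
    return sorted(label for label, proto, sp, dp in wire_traffic(cfg, iface)
                  if not acl_permits(rules, proto, sp, dp))
```

On the posted lines it reports ahp and eigrp: the transform set carries ah-md5-hmac, so protected packets arrive with an AH outer header (protocol 51) that ACL 103 never permits, and EIGRP hellos on the physical interface are not GRE, so they bypass crypto ACL 101 and hit ACL 103 as protocol 88, which is what the denied-eigrp log line records.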
Hi,
Thanks for your post; however, I didn't get much further with that guide. I can indeed contact the NTP time servers so I don't believe my firewall is too restrictive (perhaps my NTP configuration is not letting me synchronize with those time servers?). I do indeed see that my laptop has the server listed as a peer, but the time is still different from that of the server.
Walter
Similar Messages
-
UCCX 8.5 HA NTP issues (virtual servers)
Hello,
I'm working with a UCCX HA server that is having NTP issues. It reports that it is synchronized, but at stratum 16, which is considered to be unsynchronized. Also, it's always exactly 3 seconds off. I'm not sure if this is related, yet, but every time the servers failover, agents get licensing errors and cannot log into CAD.
PRIMARY UCCX
admin:utils ntp status
ntpd (pid 17380) is running...
remote refid st t when poll reach delay offset jitter
==============================================================================
*198.147.23.5 139.78.135.14 2 u 291 512 377 37.758 5.479 0.298
+173.203.211.73 71.252.193.25 3 u 164 512 377 14.891 -1.871 0.106
+204.13.164.164 140.142.16.34 2 u 157 512 377 68.322 -0.486 0.053
synchronised to NTP server (198.147.23.5) at stratum 3
time correct to within 57 ms
polling server every 512 s
Current time in UTC is : Mon Mar 11 16:01:09 UTC 2013
Current time in America/Denver is : Mon Mar 11 10:01:09 MDT 2013
HA UCCX
admin:utils ntp status
ntpd (pid 16801) is running...
remote refid st t when poll reach delay offset jitter
==============================================================================
*10.10.130.12 198.147.23.5 3 u 24 64 17 56.269 -2318.6 1.887
synchronised to NTP server (STEP) at stratum 16
time correct to within 251 ms
polling server every 64 s
Current time in UTC is : Mon Mar 11 16:01:12 UTC 2013
Current time in America/Denver is : Mon Mar 11 10:01:11 MDT 2013
Additionally, the following alert shows up in RTMT
At Wed Feb 13 11:11:17 MST 2013 on node 10.10.111.12; the following SyslogSeverityMatchFound events generated: SeverityMatch : Critical MatchedEvent : Feb 13 11:11:06 MVTUCCXHA2 user 2 ntpRunningStatus.sh: The local NTP client is off by more than the acceptable threshold of 3 seconds from its remote NTP system peer. The normal remedy is for NTP Watch Dog to automatically restart NTP. However; an unusual number of automatic NTP restarts have already occurred on this node. No additional automatic NTP restarts will be done until NTP time synchronization stabilizes. This is likely due to an excessive number of VMware Virtual Machine migrations or Storage VMotions. Please consult your VMware Infrastructure Support Team. AppID : Cisco Syslog Agent ClusterID : NodeID : MVTUCCXHA2 TimeStamp : Wed Feb 13 11:11:06 MST 2013
The servers are installed in a VMware vSphere virtual environment on Cisco-approved IBM hosts. They have not been vMotioned or Storage vMotioned.
Originally, the servers were configured to get time from Microsoft domain controllers. Since they use SNTP and UC servers require NTPv4, I configured the primary UCCX server to use public NTPv4 servers. I have updated VMware Tools on both servers, rebooted the servers and restarted NTP services, but nothing will get time to synchronize on the HA server.
Finally, there are other UC servers (CUCM & CUC) set up to use the same NTP servers, but the HA servers cannot synchronize their time no matter what I do. I've tried different NTP servers both on the LAN and public ones. I thought I would include this detail since my gut is telling me that this issue has something to do with the virtual environment.
HA CUC
admin:utils ntp status
ntpd (pid 14554) is running...
remote refid st t when poll reach delay offset jitter
==============================================================================
10.10.111.11 204.13.164.164 3 u - 64 1 50.504 431.491 221.689
unsynchronised
time server re-starting
polling server every 64 s
Current time in UTC is : Mon Mar 11 15:20:22 UTC 2013
Current time in America/Denver is : Mon Mar 11 09:20:22 MDT 2013
I can see NTP traffic between the two servers:
admin:utils network capture port 123
Executing command with options:
size=128 count=1000 interface=eth0
src= dest= port=123
ip=
09:29:28.051951 IP MVTCUCNXHA.mvte.com.ntp > MVTCUCNXPRI.mvte.com.ntp: NTPv4, Client, length 48
09:29:28.105679 IP MVTCUCNXPRI.mvte.com.ntp > MVTCUCNXHA.mvte.com.ntp: NTPv4, Server, length 48
09:29:30.049773 IP MVTCUCNXHA.mvte.com.ntp > MVTCUCNXPRI.mvte.com.ntp: NTPv4, Client, length 48
09:29:30.100371 IP MVTCUCNXPRI.mvte.com.ntp > MVTCUCNXHA.mvte.com.ntp: NTPv4, Server, length 48
09:29:32.051282 IP MVTCUCNXHA.mvte.com.ntp > MVTCUCNXPRI.mvte.com.ntp: NTPv4, Client, length 48
09:29:32.103161 IP MVTCUCNXPRI.mvte.com.ntp > MVTCUCNXHA.mvte.com.ntp: NTPv4, Server, length 48
09:29:34.049279 IP MVTCUCNXHA.mvte.com.ntp > MVTCUCNXPRI.mvte.com.ntp: NTPv4, Client, length 48
09:29:34.100112 IP MVTCUCNXPRI.mvte.com.ntp > MVTCUCNXHA.mvte.com.ntp: NTPv4, Server, length 48
09:29:36.050723 IP MVTCUCNXHA.mvte.com.ntp > MVTCUCNXPRI.mvte.com.ntp: NTPv4, Client, length 48
09:29:36.101990 IP MVTCUCNXPRI.mvte.com.ntp > MVTCUCNXHA.mvte.com.ntp: NTPv4, Server, length 48
09:29:38.052193 IP MVTCUCNXHA.mvte.com.ntp > MVTCUCNXPRI.mvte.com.ntp: NTPv4, Client, length 48
09:29:38.103854 IP MVTCUCNXPRI.mvte.com.ntp > MVTCUCNXHA.mvte.com.ntp: NTPv4, Server, length 48
09:29:40.050156 IP MVTCUCNXHA.mvte.com.ntp > MVTCUCNXPRI.mvte.com.ntp: NTPv4, Client, length 48
09:29:40.100831 IP MVTCUCNXPRI.mvte.com.ntp > MVTCUCNXHA.mvte.com.ntp: NTPv4, Server, length 48
Any ideas?
Thanks!
Pashtoun
Thanks for the reply Graham! I'm aware that Windows does not implement NTP correctly, which is why I was trying NTPv4 and IOS time servers. The NTP issue I was troubleshooting actually ended up being a combination of a couple of issues:
1. Cisco Bug CSCtw46611
2. The virtual UC servers need to be configured with the same NTP server as those configured on the VMWare hosts they run in.
The time issue on CUCM and CUC was resolved by the workaround in (1) and the changes made on the hosts regarding (2). The time issue on UCCX was resolved by (2) since it is not affected by the bug. There were some really bizarre issues that went away once NTP was fixed: UCCX would lose data sync with CUCM every time CUCM was rebooted, the voice ports on the HA CUC server had terrible voice quality or would never pick up (eternal ringback), and UCCX failover didn't work (licensing errors, etc. as explained in my original post). -
I have over 250 sites in a hub-and-spoke design; each remote site has a frame-relay and an IPsec tunnel to the office. We are running EIGRP, but ever since we deployed DMVPN we've been getting many SIA messages... Is this normal behavior for a DMVPN design? Should I just decrease how often EIGRP queries are sent or increase EIGRP timers, or should I just leave it alone? Has anyone seen DMVPN in over 200 sites working flawlessly using EIGRP? Just curious...
GTS = Generic Traffic Shaping.
We just use the easier to use, traffic-shape rate command, but the likely cisco answer would be to create policy-map/class-maps for the tunnel interfaces.
Our Tunnel interfaces have the following additional commands. cut-edited-paste.
Site with a T1
interface Tunnel111
description VPN sitea to siteb
bandwidth 1536
ip unnumbered Loopback0
ip access-group whattoblockin in
ip access-group whattoblockout out
ip mtu 1600
ip hello-interval eigrp 111 2
ip hold-time eigrp 111 8
ip pim sparse-mode
ip route-cache flow
ip tcp adjust-mss 1280
load-interval 30
delay 1001
traffic-shape rate 1536000 8192 8192 2048
cdp enable
tunnel source a.a.a.a
tunnel destination b.b.b.b
end
The traffic-shape command is just there to keep the outside interface from being overrun and dropping packets after encryption. This isn't "QOS" by Cisco's book, but when we implemented this, Cisco didn't have a pre-qualify that worked properly with DMVPN.
If we start having problems with a site having heavy utilization, we'll change the traffic-shape statement to smooth out the traffic and control the heavy users. (refer to effects of WFQ).
Do a search for WFQ and GTS on Cisco.com
(oh, and if anyone tells you that the ip mtu command is a bad idea, tell 'em to stick it in their ear...)
Rob -
Cisco 2620 eigrp/ospf issues
Greetings,
I'm having issues getting a Cisco 2620 and a Dell PowerConnect 6024, which are both at a remote location, to redistribute via EIGRP/OSPF correctly. I have attached a basic diagram to better show the topology. We have been unable to access the remote site from our main site (which is using a Cisco 3600) without a static route for each subnet at the remote site. Hopefully this makes sense.
Cisco 2620 Config:
Building configuration...
Current configuration:
ip subnet-zero
lane client flush
cns event-service server
interface FastEthernet0/0
ip address 10.100.187.1 255.255.255.0
duplex auto
speed auto
interface Serial0/0
ip address 10.100.181.10 255.255.255.252
no ip mroute-cache
no fair-queue
router eigrp 100
redistribute connected
redistribute ospf 1
network 10.0.0.0
no auto-summary
router ospf 1
redistribute connected
redistribute eigrp 100 subnets
network 10.100.0.0 0.0.255.255 area 0.0.0.0
ip classless
ip route 0.0.0.0 0.0.0.0 10.100.181.9
no ip http server
banner motd ^CCC
Timothy
There are a couple of things that I am not clear about concerning your situation. Your diagram shows a single subnet between the Cisco and the Dell. Is everything in the Dell in that single subnet? If so I am not sure why you are running OSPF, since there will not be any OSPF routes to redistribute.
If the diagram is incomplete and there are routes in OSPF that need to redistribute to EIGRP then there is an issue in the configuration. There is no default metric configured under router EIGRP. Without a default metric routes from another protocol (OSPF) will not redistribute into EIGRP.
I think it is also an interesting question whether the 2620 and the 3600 routers are forming EIGRP neighbor relationships. Failure to form EIGRP neighbor relationships could also cause the symptoms that you describe.
HTH
Rick -
Ipsec Stateful Failover issue with Dynamic-Map
Hi all, I have an issue with a couple of Cisco ISR 2921s in an HA IPsec Stateful Failover configuration.
With a static crypto map, stateful failover works well; IPsec sessions are correctly transmitted from the Cisco Active router to the Cisco Standby router.
With a dynamic map and profile, stateful failover fails; IPsec sessions are not correctly transmitted from the Cisco Active router to the Cisco Standby router.
I tried different IOS versions: 152-1.T3, 152-3.T2 and 153-1.T, but I have the same behavior.
Could you help me?
Marco
Yes it is supported. It is supported on VAM, VAM2, VAM2+.
-
IPSec VPN establishment issues 887 - srp527
Hey Folks,
I'm having some problems getting an IPsec tunnel established between a Cisco 887VA router and a Cisco SRP527W router.
I am working from a few text books and some example materials. I have worked through many combinations of what I have got and am still struggling a little bit.
I look at debug results and it appears as though the policies do not match between the devices:
Jul 23 05:44:37.759: ISAKMP (0): received packet from XXX.XXX.XXX.XXX dport 500 sport 500 Global (R) MM_NO_STATE
broute1#
Jul 23 05:44:57.079: ISAKMP:(0):purging SA., sa=85247558, delme=85247558
broute1#
Jul 23 05:45:17.031: ISAKMP (0): received packet from XXX.XXX.XXX.XXX dport 500 sport 500 Global (N) NEW SA
Jul 23 05:45:17.031: ISAKMP: Created a peer struct for XXX.XXX.XXX.XXX, peer port 500
Jul 23 05:45:17.035: ISAKMP: New peer created peer = 0x8838C3F8 peer_handle = 0x800021CF
Jul 23 05:45:17.035: ISAKMP: Locking peer struct 0x8838C3F8, refcount 1 for crypto_isakmp_process_block
Jul 23 05:45:17.035: ISAKMP: local port 500, remote port 500
Jul 23 05:45:17.035: ISAKMP:(0):insert sa successfully sa = 87D84664
Jul 23 05:45:17.035: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jul 23 05:45:17.035: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
Jul 23 05:45:17.035: ISAKMP:(0): processing SA payload. message ID = 0
Jul 23 05:45:17.035: ISAKMP:(0): processing vendor id payload
Jul 23 05:45:17.035: ISAKMP:(0): vendor ID seems Unity/DPD but major 0 mismatch
Jul 23 05:45:17.035: ISAKMP:(0): processing vendor id payload
Jul 23 05:45:17.035: ISAKMP:(0): vendor ID is DPD
Jul 23 05:45:17.035: ISAKMP:(0):No pre-shared key with XXX.XXX.XXX.XXX!
Jul 23 05:45:17.035: ISAKMP : Scanning profiles for xauth ...
Jul 23 05:45:17.035: ISAKMP:(0):Checking ISAKMP transform 0 against priority 1 policy
Jul 23 05:45:17.035: ISAKMP: life type in seconds
Jul 23 05:45:17.035: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x53
Jul 23 05:45:17.035: ISAKMP: encryption DES-CBC
Jul 23 05:45:17.035: ISAKMP: hash SHA
Jul 23 05:45:17.035: ISAKMP: auth pre-share
Jul 23 05:45:17.035: ISAKMP: default group 1
Jul 23 05:45:17.035: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jul 23 05:45:17.035: ISAKMP:(0):atts are not acceptable. Next payload is 0
Jul 23 05:45:17.035: ISAKMP:(0):no offers accepted!
Jul 23 05:45:17.035: ISAKMP:(0): phase 1 SA policy not acceptable! (local YYY.YYY.YYY.YYY remote
XXX.XXX.XXX.XXX)
Jul 23 05:45:17.035: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
Jul 23 05:45:17.035: ISAKMP:(0): Failed to construct AG informational message.
Jul 23 05:45:17.035: ISAKMP:(0): sending packet to XXX.XXX.XXX.XXX my_port 500 peer_port 500 (R) MM_NO_STATE
Jul 23 05:45:17.035: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jul 23 05:45:17.035: ISAKMP:(0):peer does not do paranoid keepalives.
Jul 23 05:45:17.035: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer
XXX.XXX.XXX.XXX)
Jul 23 05:45:17.035: ISAKMP:(0): processing vendor id payload
Jul 23 05:45:17.035: ISAKMP:(0): vendor ID seems Unity/DPD but major 0 mismatch
Jul 23 05:45:17.035: ISAKMP:(0): processing vendor id payload
Jul 23 05:45:17.035: ISAKMP:(0): vendor ID is DPD
Jul 23 05:45:17.035: ISAKMP (0): FSM action returned error: 2
Jul 23 05:45:17.035: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jul 23 05:45:17.035: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
Jul 23 05:45:17.039: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer
XXX.XXX.XXX.XXX)
Jul 23 05:45:17.039: ISAKMP: Unlocking peer struct 0x8838C3F8 for isadb_mark_sa_deleted(), count 0
Jul 23 05:45:17.039: ISAKMP: Deleting peer node by peer_reap for XXX.XXX.XXX.XXX: 8838C3F8
Jul 23 05:45:17.039: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Jul 23 05:45:17.039: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_DEST_SA
Here is a slightly trimmed version of my running config (I took out things I was sure no one would need); attached are screenshots of the IKE Policy and IPsec Policy from the SRP527W.
version 15.1
hostname broute1
logging buffered 65535
logging console informational
no aaa new-model
memory-size iomem 10
clock timezone ESTime 10 0
crypto pki token default removal timeout 0
ip source-route
controller VDSL 0
operating mode adsl2 annex A
ip ssh version 2
crypto isakmp policy 1
encr 3des
authentication pre-share
lifetime 28800
crypto isakmp key PRE_SHARED_KEY_FOR_IKE(I_THINK) hostname REMOTE_HOST
crypto ipsec transform-set JWRE_BW-1 esp-3des esp-sha-hmac
crypto map JWRE_BW-1 10 ipsec-isakmp
set peer XXX.XXX.XXX.XXX
set transform-set JWRE_BW-1
match address 101
interface Loopback0
no ip address
interface ATM0
description --- Internode ADSL ----
no ip address
no ip route-cache
load-interval 30
no atm ilmi-keepalive
interface ATM0.1 point-to-point
no ip route-cache
pvc 8/35
tx-ring-limit 3
encapsulation aal5snap
pppoe-client dial-pool-number 1
interface Vlan1
description Management Interface
ip address AAA.AAA.AAA.AAA 255.255.255.0
ip mtu 1452
ip nat inside
ip virtual-reassembly in
no ip route-cache cef
ip tcp adjust-mss 1420
interface Dialer1
description -----INTERNODE ADSL------
mtu 1492
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp chap hostname ADSL_USERNAME
ppp chap password 7 ADSL_PASSWORD
ppp ipcp dns request accept
no cdp enable
crypto map JWRE_BW-1
logging trap debugging
access-list 101 permit ip 192.168.7.0 0.0.0.255 10.0.1.0 0.0.0.255
dialer-list 1 protocol ip permit
Some specific questions:
1) On the SRP in the examples I have used (and I have a few SRP->SRP VPNs that work) I see you need to enter the preshared key; I'm not seeing in the examples I have used anything about the IKE preshared key on the IOS box. Does anyone have any examples where you use the preshared key for IKE? I wonder if this is my primary issue, as it states clearly in the log that there is no preshared key :|
2) I have used a mish-mash of names between the various sections, as on the SRP the naming convention isn't the same; i.e. which parts of the IPsec negotiation come from the IKE policy section and which from the IPsec policy section. Do the names really matter across different ends of the VPN?
3) I notice when I perform this command in the(config-crypto-map)#:
set peer FQDN
It is converted to:
set peer XXX.XXX.XXX.XXX
Is this expected? I want the device to look at the FQDN as this particular host is using DDNS and not use a static IP address.
I could ask a million questions but I will leave it there; if someone can see anything that sticks out (or can answer Q1 in particular) please let me know.
Thanks in advance for your time and assistance folks.
B
If you use Main Mode, you can't use hostname on the isakmp key.
You can use the hostname if you are using Aggressive mode on IKE, and you would also need to configure:
crypto isakmp identity hostname
Plus your router needs to point to a dns server that can resolve the hostname.
Here is more information on:
- crypto isakmp key:
http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-c4.html#GUID-E6AD0189-B773-4332-95F0-89AFE7A9E84F
- crypto isakmp identity:
http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-c4.html#GUID-D3C7A306-A689-4953-9146-D4F2F861C567 -
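As an added example, not code from the thread, the comparison the debug above performs by hand: a Python script reads the "Checking ISAKMP transform ... against priority ... policy" block from the posted debug, rebuilds the peer's phase-1 offer (decoding the VPI lifetime bytes), compares it with the posted crypto isakmp policy 1 after filling in the IOS defaults, and separately reports the "No pre-shared key with" line that the reply explains.

```python
"""Added example, not from the thread: rebuild the phase-1 proposal the peer
offered from 'debug crypto isakmp' output and compare it with the local
'crypto isakmp policy' entries, filling in the IOS defaults that the running
config does not print.  DEBUG and CONFIG are the relevant lines of the post."""
import re
from typing import Dict, List

DEBUG = """\
Jul 23 05:45:17.035: ISAKMP:(0):No pre-shared key with XXX.XXX.XXX.XXX!
Jul 23 05:45:17.035: ISAKMP:(0):Checking ISAKMP transform 0 against priority 1 policy
Jul 23 05:45:17.035: ISAKMP: life type in seconds
Jul 23 05:45:17.035: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x53
Jul 23 05:45:17.035: ISAKMP: encryption DES-CBC
Jul 23 05:45:17.035: ISAKMP: hash SHA
Jul 23 05:45:17.035: ISAKMP: auth pre-share
Jul 23 05:45:17.035: ISAKMP: default group 1
Jul 23 05:45:17.035: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jul 23 05:45:17.035: ISAKMP:(0):atts are not acceptable. Next payload is 0
"""
CONFIG = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 lifetime 28800
crypto isakmp key PRE_SHARED_KEY_FOR_IKE(I_THINK) hostname REMOTE_HOST
"""
# What IOS applies when a policy line is absent ('show crypto isakmp policy' lists them)
DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
            "group": "1", "lifetime": 86400}
ENCR_NAMES = {"DES-CBC": "des", "3DES-CBC": "3des", "AES-CBC": "aes"}  # debug name -> keyword

def isakmp_policies(cfg: str) -> Dict[str, Dict[str, object]]:
    """Policy number -> attributes with defaults filled in; 'encr aes' means aes 128."""
    policies: Dict[str, Dict[str, object]] = {}
    cur = None
    for line in cfg.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:
            cur = policies.setdefault(m.group(1), dict(DEFAULTS))
            continue
        if cur is None or not line.startswith(" "):
            cur = None
            continue
        kw, _, val = line.strip().partition(" ")
        if kw == "encr":
            cur["encryption"] = "aes 128" if val == "aes" else val
        elif kw == "lifetime":
            cur["lifetime"] = int(val)
        elif kw in ("hash", "authentication", "group"):
            cur[kw] = val
    return policies

def offered_proposals(debug: str) -> List[Dict[str, object]]:
    """One dict per 'Checking ISAKMP transform N against priority P policy' block."""
    props: List[Dict[str, object]] = []
    for line in debug.splitlines():
        m = re.search(r"Checking ISAKMP transform (\d+) against priority (\d+) policy", line)
        if m:
            props.append({"transform": int(m.group(1)), "policy": m.group(2)})
            continue
        if not props:
            continue
        cur, msg = props[-1], line.split("ISAKMP", 1)[-1]
        if m := re.search(r"encryption (\S+)", msg):
            cur["encryption"] = ENCR_NAMES.get(m.group(1), m.group(1).lower())
        elif m := re.search(r"keylength of (\d+)", msg):
            cur["encryption"] = f"{cur['encryption']} {m.group(1)}"
        elif m := re.search(r"hash (\S+)", msg):
            cur["hash"] = m.group(1).lower()
        elif m := re.search(r"auth (\S+)", msg):
            cur["authentication"] = m.group(1)
        elif m := re.search(r"default group (\d+)", msg):
            cur["group"] = m.group(1)
        elif m := re.search(r"life duration \(VPI\) of ((?:0x[0-9a-f]+\s*)+)", msg, re.I):
            secs = 0  # big-endian byte string: 0x0 0x1 0x51 0x80 is 86400 seconds
            for byte in m.group(1).split():
                secs = (secs << 8) | int(byte, 16)
            cur["lifetime"] = secs
    return props

def mismatches(offer: Dict[str, object], policy: Dict[str, object]) -> List[str]:
    """Attributes that stop the offer from matching.  Lifetime is not one of them:
    IOS accepts a different lifetime and uses the shorter of the two."""
    return [k for k in ("encryption", "hash", "authentication", "group")
            if offer.get(k) != policy[k]]

def peers_without_psk(debug: str) -> List[str]:
    """Peers for which IOS found no pre-shared key.  The lookup is by address in
    main mode, so a key bound with 'hostname' is not found, as the reply notes."""
    return re.findall(r"No pre-shared key with (\S+)!", debug)

if __name__ == "__main__":
    policies = isakmp_policies(CONFIG)
    for offer in offered_proposals(DEBUG):
        bad = mismatches(offer, policies[offer["policy"]])
        print(f"transform {offer['transform']} vs policy {offer['policy']}: "
              + ("match" if not bad else "mismatch on " + ", ".join(bad)))
    for peer in peers_without_psk(DEBUG):
        print(f"no pre-shared key found for {peer}")
```

On the posted lines it reports a mismatch on encryption only (the peer offers DES, policy 1 has 3DES) plus the missing pre-shared key for XXX.XXX.XXX.XXX; the lifetime difference (86355 s offered, 28800 s configured) is not a mismatch because IOS uses the shorter value.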
NTP Issue on cisco 3560 switch
Hi all
Here is my ntp configuration
clock timezone GMT 4
clock summer-time UAE recurring
ntp server 192.168.10.254 version 2 prefer
end
sh ntp status
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 119.2092 Hz, actual freq is 119.2092 Hz, precision is 2**17
reference time is 00000000.00000000 (04:00:00.000 GMT Mon Jan 1 1900)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.00 msec, peer dispersion is 0.00 msec
-SW1#sh ntp associations
address ref clock st when poll reach delay offset disp
~192.168.10.254 0.0.0.0 16 - 64 0 0.0 0.00 16000.
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
-SW1#
Please help me find what I have done wrong.
regards
raja
You are still not answering the question.
Is the appliance with IP address 192.168.10.254 synchronized with a valid SNTP/NTP address or not?
Even if you enable NTP Master (which I personally don't recommend) and your appliance is NOT synchronized to a valid NTP source, then the appliance 192.168.10.254 can potentially broadcast the WRONG time to all the appliances. Since you've forced all downstream appliances to synchronize with a source that has the wrong NTP data (using the command "ntp master"), all your network equipment will be sporting the wrong time. -
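For the UCCX/CUC "utils ntp status" output earlier on this page and the 3560's "show ntp associations" just above, an added example that is not from either thread: a Python parser for both peer-line formats that decodes the octal reach register, flags stratum-16 and unreachable peers, and flags offsets beyond ntpd's 128 ms step threshold (the "(STEP)" shown as the HA node's reference is ntpd reporting such a step).

```python
"""Added example, not from either thread: parse the peer lines of ntpq-style
'utils ntp status' output and of IOS 'show ntp associations', then flag what
the two posts show: a stratum-16 peer, an empty reach register, and offsets
beyond the 128 ms at which ntpd steps the clock instead of slewing it.  The
sample outputs are copied from the posts."""
from typing import Dict, List, Optional

UCCX_PRIMARY = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*198.147.23.5    139.78.135.14    2 u  291  512  377   37.758    5.479   0.298
+173.203.211.73  71.252.193.25    3 u  164  512  377   14.891   -1.871   0.106
+204.13.164.164  140.142.16.34    2 u  157  512  377   68.322   -0.486   0.053
synchronised to NTP server (198.147.23.5) at stratum 3
"""
UCCX_HA = """\
*10.10.130.12    198.147.23.5     3 u   24   64   17   56.269 -2318.6   1.887
synchronised to NTP server (STEP) at stratum 16
"""
CUC_HA = """\
10.10.111.11 204.13.164.164 3 u - 64 1 50.504 431.491 221.689
unsynchronised
"""
SW1 = """\
address ref clock st when poll reach delay offset disp
~192.168.10.254 0.0.0.0 16 - 64 0 0.0 0.00 16000.
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
"""

STEP_THRESHOLD_MS = 128.0   # ntpd default: a larger offset is stepped, not slewed
TALLY = "*+#-~x.o"          # peer-status characters ntpq/IOS prefix to the address

def parse_peer(line: str) -> Optional[Dict[str, object]]:
    """One peer line in either format (addresses, not hostnames, assumed);
    None for header, separator, legend and summary lines."""
    toks = line.split()
    if len(toks) < 9:
        return None
    remote = toks[0][1:] if toks[0][0] in TALLY and len(toks[0]) > 1 else toks[0]
    try:
        stratum = int(toks[2])
    except ValueError:
        return None
    rest = toks[3:]
    if rest[0] in ("u", "l", "b", "m", "s"):   # ntpq 't' (type) column; IOS has none
        rest = rest[1:]
    if len(rest) < 6:
        return None
    _when, _poll, reach, _delay, offset, disp = rest[:6]
    return {"remote": remote, "refid": toks[1], "stratum": stratum,
            "reach": int(reach, 8),            # octal shift register of the last 8 polls
            "offset_ms": float(offset), "dispersion": float(disp)}

def assess(peer: Dict[str, object]) -> List[str]:
    """Why this peer cannot be trusted as a time source, if anything."""
    problems: List[str] = []
    reach, offset = int(peer["reach"]), float(peer["offset_ms"])
    answered = bin(reach).count("1")
    if int(peer["stratum"]) >= 16:
        problems.append("stratum 16: the peer is itself unsynchronized")
    if answered == 0:
        problems.append("reach 0: none of the last 8 polls were answered")
    elif answered < 8:
        problems.append(f"reach {reach:o}: only {answered} of the last 8 polls answered")
    if abs(offset) > STEP_THRESHOLD_MS:
        problems.append(f"offset {offset} ms is beyond the {STEP_THRESHOLD_MS:.0f} ms step threshold")
    return problems

def check(output: str) -> List[Dict[str, object]]:
    """Every peer found in the output with its problem list ([] means healthy)."""
    report = []
    for line in output.splitlines():
        peer = parse_peer(line)
        if peer is not None:
            peer["problems"] = assess(peer)
            report.append(peer)
    return report

if __name__ == "__main__":
    for name, out in [("UCCX primary", UCCX_PRIMARY), ("UCCX HA", UCCX_HA),
                      ("CUC HA", CUC_HA), ("SW1", SW1)]:
        for peer in check(out):
            print(f"{name}: {peer['remote']} -> {'; '.join(peer['problems']) or 'healthy'}")
```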
For some reason ntpdate insists on setting my clock to nine hours earlier than it actually is; maybe I haven't set my timezone correctly or something, but I'm not sure what I need to do differently.
Here's what I have in my rc.conf
HARDWARECLOCK="localtime"
TIMEZONE="Europe/Berlin"
I have tried both localtime and UTC for HARDWARECLOCK, but when I run
ntpdate de.pool.ntp.org
I always get the wrong time.
Do I have to do anything special after changing rc.conf so it gets reloaded or something? Because that's the only thing I can think of right now.
EDIT: I'm not sure if I put this in the right forum; if it should go somewhere else I'd be thankful if one of the mods that be would move it.
Did you search the forums and try this...
http://bbs.archlinux.org/viewtopic.php? … hlight=ntp -
Hello guys.
I am having issues with NTP syncing on one of my ASAs. I configured the NTP server that is behind another ASA, and both ASAs exchange routes via EIGRP. Any help on this would be greatly appreciated.
thanks
NTP Server IP address: 172.31.254.4 behind ASA 2 inside interface (security lvl 100)
ASA 1 can't sync time:
Fort-ASA01(config)# sh ntp assoc
address ref clock st when poll reach delay offset disp
~172.31.254.4 0.0.0.0 16 - 64 0 0.0 0.00 16000.
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
Fort-ASA01(config)# sh route | inc 172.31.254.0
D 172.31.254.0 255.255.255.0 [90/28928] via 20.20.20.1, 831:57:30, ospf2
Packet tracer from ASA 1 to ASA 2 Ntp Server
Fort-ASA01(config)# packet-tracer input inside udp 2.2.1.7 1234 172.31.254.4 ntp detailed
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x729dd918, priority=12, domain=capture, deny=false
hits=39403537059, user_data=0x72d14358, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x734e8ee8, priority=1, domain=permit, deny=false
hits=24235320824, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.31.254.0 255.255.255.0 ospf2
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x72669f08, priority=500, domain=permit, deny=true
hits=5, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=2.2.1.7, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: ospf2
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Just the nameif states OSPF but it's running EIGRP actually. It's strange because I can go into the ASA that is having NTP issues and I ping 172.31.254.3 and I get a reply, but when I ping 172.31.254.4, nothing. I checked the rules on the ASAs and made sure that there are no specific entries denying any access to the NTP server...
Which part of the configuration do you need to see?
thanks -
Hi expert,
I am facing an EIGRP routing issue. Could anyone kindly assist...
The topology is as below; each router has only two tunnels and runs in the same EIGRP AS.
Here is my question, in red with underline:
R2: sh ip ro
D 192.168.30.0/24 [90/310172416] via 192.168.1.1, 01:08:05, Tunnel1
[90/310172416] via 192.168.0.3, 01:08:05, Tunnel0
R3: sh ip ro
D 192.168.20.0/24 [90/310172416] via 192.168.1.1, 01:12:25, Tunnel1
[90/310172416] via 192.168.0.2, 01:12:25, Tunnel0
The result seen above is not what I expect; as I understand it:
at R2, 192.168.30.0 learned from Tunnel1 should be via 192.168.1.3, not the red one
at R3, 192.168.20.0 learned from Tunnel1 should be via 192.168.1.2, not the red one
because via 192.168.1.1 means the traffic must go through R1 (spoke to hub), not spoke to spoke; am I right?
I hope the route between R2 and R3 can always use the spoke-to-spoke tunnel.
I also checked NHRP and IPsec status; everything looks to be working properly except the EIGRP route I mention above.
Here is configuration:
R1:
interface Loopback0
ip address 192.168.10.254 255.255.255.0
interface Tunnel0
ip address 192.168.0.1 255.255.255.0
no ip redirects
ip accounting output-packets
ip hold-time eigrp 1 35
no ip next-hop-self eigrp 1
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp holdtime 10
ip nhrp cache non-authoritative
no ip split-horizon eigrp 1
tunnel source 172.16.15.2
tunnel mode gre multipoint
tunnel protection ipsec profile DMVPN
interface Tunnel1
ip address 192.168.1.1 255.255.255.0
no ip redirects
ip accounting output-packets
no ip next-hop-self eigrp 1
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp network-id 2
ip nhrp holdtime 10
ip nhrp cache non-authoritative
no ip split-horizon eigrp 1
tunnel source 172.17.15.2
tunnel mode gre multipoint
tunnel protection ipsec profile DMVPN
router eigrp 1
network 192.168.0.0
network 192.168.1.0
network 192.168.10.0
no auto-summary
R2:
interface Tunnel0
ip address 192.168.0.2 255.255.255.0
no ip redirects
ip hold-time eigrp 1 35
no ip next-hop-self eigrp 1
ip nhrp authentication cisco123
ip nhrp map 192.168.0.1 172.16.15.2
ip nhrp map multicast 172.16.15.2
ip nhrp network-id 1
ip nhrp holdtime 10
ip nhrp nhs 192.168.0.1
ip nhrp cache non-authoritative
no ip split-horizon eigrp 1
tunnel source 172.16.25.2
tunnel mode gre multipoint
tunnel protection ipsec profile DMVPN
interface Tunnel1
ip address 192.168.1.2 255.255.255.0
no ip redirects
no ip next-hop-self eigrp 1
ip nhrp authentication cisco123
ip nhrp map 192.168.1.1 172.17.15.2
ip nhrp map multicast 172.17.15.2
ip nhrp network-id 2
ip nhrp holdtime 10
ip nhrp nhs 192.168.1.1
ip nhrp cache non-authoritative
no ip split-horizon eigrp 1
tunnel source 172.17.25.2
tunnel mode gre multipoint
tunnel protection ipsec profile DMVPN
router eigrp 1
network 192.168.0.0
network 192.168.1.0
network 192.168.20.0
no auto-summary
R3
interface Loopback0
ip address 192.168.30.254 255.255.255.0
interface Tunnel0
ip address 192.168.0.3 255.255.255.0
no ip redirects
ip hold-time eigrp 1 35
no ip next-hop-self eigrp 1
ip nhrp authentication cisco123
ip nhrp map 192.168.0.1 172.16.15.2
ip nhrp map multicast 172.16.15.2
ip nhrp network-id 1
ip nhrp holdtime 10
ip nhrp nhs 192.168.0.1
ip nhrp cache non-authoritative
no ip split-horizon eigrp 1
tunnel source 172.16.35.2
tunnel mode gre multipoint
tunnel protection ipsec profile DMVPN
interface Tunnel1
ip address 192.168.1.3 255.255.255.0
no ip redirects
no ip next-hop-self eigrp 1
ip nhrp authentication cisco123
ip nhrp map 192.168.1.1 172.17.15.2
ip nhrp map multicast 172.17.15.2
ip nhrp network-id 2
ip nhrp holdtime 10
ip nhrp nhs 192.168.1.1
ip nhrp cache non-authoritative
no ip split-horizon eigrp 1
tunnel source 172.17.35.2
tunnel mode gre multipoint
tunnel protection ipsec profile DMVPN
router eigrp 1
network 192.168.0.0
network 192.168.1.0
network 192.168.30.0
Hi AllertGen,
Each router's tunnel0 and tunnel1 work well; they can all ping each other's IP via tunnel 0 and tunnel 1 (192.168.0.0/24 & 192.168.1.0/24),
and also each router has two physical interfaces connected to different ISPs.
In this topology, my purpose is that spoke to spoke they will have two routes via two NHRP clouds. I keep the same EIGRP priority at each router just for equal-cost load sharing; the more important thing is the next hop IP.
Actually, the IPsec function is not my concern so far. I just tried your suggestion to add "shared" at the end of the line; it still has the same result. But as I understand it, if there is anything wrong with the IPsec profile, the tunnel won't work well, am I right?
Thanks for your kind assistance
Here are some show results at each router; hope that's helpful.
R1
R1#sh ip int bri
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 172.16.15.2 YES NVRAM up up
FastEthernet0/1 172.17.15.2 YES NVRAM up up
Loopback0 192.168.10.254 YES NVRAM up up
Tunnel0 192.168.0.1 YES NVRAM up up
Tunnel1 192.168.1.1 YES NVRAM up up
R1#sh dmvpn
Tunnel0, Type:Hub, NHRP Peers:2,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
1 172.16.25.2 192.168.0.2 UP never D
1 172.16.35.2 192.168.0.3 UP never D
Tunnel1, Type:Hub, NHRP Peers:2,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
1 172.17.25.2 192.168.1.2 UP never D
1 172.17.35.2 192.168.1.3 UP never D
R1#sh ip eigrp top
P 192.168.10.0/24, 1 successors, FD is 128256
via Connected, Loopback0
P 192.168.0.0/24, 1 successors, FD is 297244416
via Connected, Tunnel0
P 192.168.1.0/24, 1 successors, FD is 297244416
via Connected, Tunnel1
P 192.168.30.0/24, 2 successors, FD is 297372416
via 192.168.0.3 (297372416/128256), Tunnel0
via 192.168.1.3 (297372416/128256), Tunnel1
P 192.168.20.0/24, 2 successors, FD is 297372416
via 192.168.0.2 (297372416/128256), Tunnel0
via 192.168.1.2 (297372416/128256), Tunnel1
R1#sh ip nhrp
192.168.0.2/32 via 192.168.0.2, Tunnel0 created 20:53:39, expire 00:00:07
Type: dynamic, Flags: unique nat registered used
NBMA address: 172.16.25.2
192.168.0.3/32 via 192.168.0.3, Tunnel0 created 20:53:38, expire 00:00:08
Type: dynamic, Flags: unique nat registered used
NBMA address: 172.16.35.2
192.168.1.2/32 via 192.168.1.2, Tunnel1 created 4d17h, expire 00:00:07
Type: dynamic, Flags: unique nat registered used
NBMA address: 172.17.25.2
192.168.1.3/32 via 192.168.1.3, Tunnel1 created 4d17h, expire 00:00:08
Type: dynamic, Flags: unique nat registered used
NBMA address: 172.17.35.2
R2
R2#sh ip int bri
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 172.16.25.2 YES NVRAM up up
FastEthernet0/1 172.17.25.2 YES NVRAM up up
Loopback0 192.168.20.254 YES NVRAM up up
Tunnel0 192.168.0.2 YES NVRAM up up
Tunnel1 192.168.1.2 YES NVRAM up up
R2#sh dmvpn
Tunnel0, Type:Spoke, NHRP Peers:2,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
1 172.16.15.2 192.168.0.1 UP 4d17h S
1 172.16.35.2 192.168.0.3 UP never D
Tunnel1, Type:Spoke, NHRP Peers:2,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
1 172.17.15.2 192.168.1.1 UP 4d17h S
1 172.17.35.2 192.168.1.3 UP never D
R2#sh ip eigrp topology
P 192.168.10.0/24, 2 successors, FD is 297372416
via 192.168.0.1 (297372416/128256), Tunnel0
via 192.168.1.1 (297372416/128256), Tunnel1
P 192.168.0.0/24, 1 successors, FD is 297244416
via Connected, Tunnel0
P 192.168.1.0/24, 1 successors, FD is 297244416
via Connected, Tunnel1
P 192.168.30.0/24, 2 successors, FD is 310172416
192.168.0.3 via 192.168.0.1 (310172416/297372416), Tunnel0
via 192.168.1.1 (310172416/297372416), Tunnel1
P 192.168.20.0/24, 1 successors, FD is 128256
via Connected, Loopback0
R2#sh ip nhrp
192.168.0.1/32 via 192.168.0.1, Tunnel0 created 4d20h, never expire
Type: static, Flags: nat used
NBMA address: 172.16.15.2
192.168.0.3/32 via 192.168.0.3, Tunnel0 created 00:00:14, expire 00:00:51
Type: dynamic, Flags: router nat
NBMA address: 172.16.35.2
192.168.1.1/32 via 192.168.1.1, Tunnel1 created 4d20h, never expire
Type: static, Flags: nat used
NBMA address: 172.17.15.2
192.168.1.3/32 via 192.168.1.3, Tunnel1 created 00:00:12, expire 00:00:53
Type: dynamic, Flags: router nat
NBMA address: 172.17.35.2
R3
R3#sh ip int bri
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 172.16.35.2 YES NVRAM up up
FastEthernet0/1 172.17.35.2 YES NVRAM up up
Loopback0 192.168.30.254 YES NVRAM up up
Tunnel0 192.168.0.3 YES NVRAM up up
Tunnel1 192.168.1.3 YES NVRAM up up
R3#sh dmvpn
Tunnel0, Type:Spoke, NHRP Peers:2,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
1 172.16.15.2 192.168.0.1 UP 4d17h S
1 172.16.25.2 192.168.0.2 UP never D
Tunnel1, Type:Spoke, NHRP Peers:2,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
1 172.17.15.2 192.168.1.1 UP 4d17h S
1 172.17.25.2 192.168.1.2 UP never D
R3#sh ip eigrp topology
P 192.168.10.0/24, 2 successors, FD is 297372416
via 192.168.0.1 (297372416/128256), Tunnel0
via 192.168.1.1 (297372416/128256), Tunnel1
P 192.168.0.0/24, 1 successors, FD is 297244416
via Connected, Tunnel0
P 192.168.1.0/24, 1 successors, FD is 297244416
via Connected, Tunnel1
P 192.168.30.0/24, 1 successors, FD is 128256
via Connected, Loopback0
P 192.168.20.0/24, 2 successors, FD is 310172416
192.168.0.2 via 192.168.0.1 (310172416/297372416), Tunnel0
via 192.168.1.1 (310172416/297372416), Tunnel1
R3#sh ip nhrp
192.168.0.1/32 via 192.168.0.1, Tunnel0 created 4d17h, never expire
Type: static, Flags: nat used
NBMA address: 172.16.15.2
192.168.0.2/32 via 192.168.0.2, Tunnel0 created 00:00:43, expire 00:00:22
Type: dynamic, Flags: router nat
NBMA address: 172.16.25.2
192.168.1.1/32 via 192.168.1.1, Tunnel1 created 4d17h, never expire
Type: static, Flags: nat used
NBMA address: 172.17.15.2
192.168.1.2/32 via 192.168.1.2, Tunnel1 created 00:01:02, expire 00:00:48
Type: dynamic, Flags: router nat implicit used
NBMA address: 172.17.25.2
IPsec VPN and NAT don't work together on HP MSR 20 20
Hi People,
I'm getting several issues, let me explain:
I have an HP MSR router with 2 Ethernet interfaces, Eth 0/0 - WAN (186.177.159.98) and Eth 0/1 - LAN (192.168.100.0/24). I have configured a site-to-site VPN through the Internet, and it works really well. The other site has the subnet 10.10.10.0 and I can reach that network through the IPsec VPN. The issue is that the network 192.168.100.0/24 needs to reach the Internet with the same public address, so I have set up a basic NAT configuration. When I put the NAT configuration on Eth 0/0, the whole 192.168.100.0 network can go to the Internet, but the VPN goes down; when I remove the NAT from Eth 0/0 the VPN goes up, but the network 192.168.100.0 can't go to the Internet.
I'm missing something but I don't know what it is!!!! See the configuration below.
Can anyone help me with that? I need to send the traffic with target 10.10.10.0 through the VPN, and all other traffic to the Internet. Basically I need NAT and the VPN to work fine at the same time.
Note: I have only one public IP address.
version 5.20, Release 2207P41, Standard
sysname HP
nat address-group 1 186.177.159.93 186.177.159.93
domain default enable system
dns proxy enable
telnet server enable
dar p2p signature-file cfa0:/p2p_default.mtd
port-security enable
acl number 2001
rule 0 permit source 192.168.100.0 0.0.0.255
rule 5 deny
acl number 3000
rule 0 permit ip source 192.168.100.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
vlan 1
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
ike proposal 1
encryption-algorithm 3des-cbc
dh group2
ike proposal 10
encryption-algorithm 3des-cbc
dh group2
ike peer vpn-test
proposal 1
pre-shared-key cipher wrWR2LZofLx6g26QyYjqBQ==
remote-address <Public Ip from VPN Peer>
local-address 186.177.159.93
nat traversal
ipsec proposal vpn-test
esp authentication-algorithm sha1
esp encryption-algorithm 3des
ipsec policy vpntest 30 isakmp
connection-name vpntest.30
security acl 3000
pfs dh-group2
ike-peer vpn-test
proposal vpn-test
dhcp server ip-pool vlan1 extended
network mask 255.255.255.0
user-group system
group-attribute allow-guest
local-user admin
password cipher .]@USE=B,53Q=^Q`MAF4<1!!
authorization-attribute level 3
service-type telnet
service-type web
cwmp
undo cwmp enable
interface Aux0
async mode flow
link-protocol ppp
interface Cellular0/0
async mode protocol
link-protocol ppp
interface Ethernet0/0
port link-mode route
nat outbound 2001 address-group 1
nat server 1 protocol tcp global current-interface 3389 inside 192.168.100.20 3389
ip address dhcp-alloc
ipsec policy vpntest
interface Ethernet0/1
port link-mode route
ip address 192.168.100.1 255.255.255.0
interface NULL0
interface Vlan-interface1
undo dhcp select server global-pool
dhcp server apply ip-pool vlan1
ewaller wrote:
What is under the switches tab?
Oh -- By the way, that picture is over the size limit defined in the forum rules in terms of pixels, but the file size is okay. I'll let it slide. Watch the bumping as well.
If you want to post the switches tab, upload it to someplace like http://img3.imageshack.us/, copy the thumbnail (which has the link to the original) back here, and you are golden.
I had a bear of a time getting the microphone working on my HP DV4, but it does work. I'll look at the set up when I get home tonight [USA-PDT].
Sorry for the picture and the "bumping"... I have asked in irc in arch and alsa channels and no luck yet... one guy from alsa said I had to wait for the alsa-driver-1.0.24 package (currently I have alsa-driver-1.0.23) but it is weird because the microphone worked some months ago...
So here is what it is under the switches tab -
Cisco ASA 5505 VPN connection issue ("Unable to add route")
I'm trying to get IPSec VPN working onto a new Cisco ASA5505. Pretty standard configuration.
Setup:
* Cisco VPN client on Windows 7 (v5.0.07.0290 x64 on Laptop1 and v5.0.07.0440 x64 on Laptop2)
* PPPoE/NAT and internal DHCP on the ASA were configured with the Startup Wizard in ASDM
NATting is working fine - internal PCs get an IP address in the 192.168.2.0/24 range and can all access the Internet.
I wanted to be able to connect from anywhere to the ASA in order to reach one of the internal servers. Should be pretty basic.
First I tried with the built-in ASDM IPSec Wizard, instructions found here.
VPN clients can connect to the ASA, are connected (until they're manually disconnected), but cannot reach the internal network nor the Internet. Note VPN client can connect fine to a different VPN site (not administered by myself).
Client logs show following error messages:
1 15:53:09.363 02/11/12 Sev=Warning/3 IKE/0xA300005F
Firewall, Cisco Intrusion Prevention Security Agent, is not running, the client will not send firewall information to concentrator.
2 15:53:13.593 02/11/12 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route with metric of 0: code 160
Destination 192.168.1.255
Netmask 255.255.255.255
Gateway 172.16.1.1
Interface 172.16.1.101
3 15:53:13.593 02/11/12 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: ac100165, Gateway: ac100101.
4 15:54:30.425 02/11/12 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=172.16.1.101, error 0
5 15:54:31.433 02/11/12 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=172.16.1.101, error 0
6 15:54:32.445 02/11/12 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CleanUpVASettings: Was able to delete all VA settings after all, error 0
7 20:50:45.355 02/11/12 Sev=Warning/3 IKE/0xA300005F
Firewall, Cisco Intrusion Prevention Security Agent, is not running, the client will not send firewall information to concentrator.
8 20:50:50.262 02/11/12 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route with metric of 0: code 160
Destination 192.168.1.255
Netmask 255.255.255.255
Gateway 172.16.1.1
Interface 172.16.1.100
9 20:50:50.262 02/11/12 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: ac100164, Gateway: ac100101.
I've already tried the suggestions from this link, although the problem is different there (as the user can still access the internet, even without split tunneling, which I cannot).
A show run shows the following output (note in the below I have tried a different VPN network: 192.168.3.0/24 instead of 172.16.1.0/24 seen in the Client log)
Result of the command: "sh run"
: Saved
ASA Version 8.2(5)
hostname AsaDWD
enable password kLu0SYBETXUJHVHX encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group DW-VPDN
ip address pppoe setroute
ftp mode passive
access-list inside_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.240
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool DWD-VPN-Pool 192.168.3.5-192.168.3.15 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group DW-VPDN request dialout pppoe
vpdn group DW-VPDN localname fa******@SKYNET
vpdn group DW-VPDN ppp authentication pap
vpdn username fa******@SKYNET password *****
dhcpd auto_config outside
dhcpd address 192.168.2.5-192.168.2.36 inside
dhcpd domain DOMAIN interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DWD internal
group-policy DWD attributes
vpn-tunnel-protocol IPSec
username test password ******* encrypted privilege 0
username test attributes
vpn-group-policy DWD
tunnel-group DWD type remote-access
tunnel-group DWD general-attributes
address-pool DWD-VPN-Pool
default-group-policy DWD
tunnel-group DWD ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:3e6c9478a1ee04ab2e1e1cabbeddc7f4
: end
I've installed everything using the CLI as well (after a factory reset). This however yielded exactly the same issue.
Following commands have been entered:
ip local pool vpnpool 172.16.1.100-172.16.1.199 mask 255.255.255.0
username *** password ****
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
isakmp enable outside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000
crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp nat-traversal
sysopt connection permit-ipsec
sysopt connection permit-vpn
group-policy dwdvpn internal
group-policy dwdvpn attributes
vpn-tunnel-protocol IPSec
default-domain value DWD
tunnel-group dwdvpn type ipsec-ra
tunnel-group dwdvpn ipsec-attributes
pre-shared-key ****
tunnel-group dwdvpn general-attributes
authentication-server-group LOCAL
default-group-policy dwdvpn
Unfortunately I'm getting the same "AddRoute failed to add a route with metric of 0: code 160" error message.
I'm very confused as this should be a pretty standard setup. I tried to follow the instructions on the Cisco site to the letter...
The only "differences" in my setup are an internal network of 192.168.2.0 (with ASA IP address 192.168.2.254) and PPPoE with DHCP instead of no PPPoE at all.
Does anyone know what's going on?
Yes, I have tried from a different laptop - same results. Using that laptop I can connect to a different IPSec site without issues.
Please find my renewed config below:
DWD-ASA(config)# sh run
: Saved
:
ASA Version 8.2(5)
!
hostname DWD-ASA
enable password ******* encrypted
passwd ****** encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group DWD
ip address pppoe setroute
!
ftp mode passive
access-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.224
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 192.168.50.10-192.168.50.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
vpdn group DWD request dialout pppoe
vpdn group DWD localname *****@SKYNET
vpdn group DWD ppp authentication pap
vpdn username *****@SKYNET password *****
dhcpd auto_config outside
!
dhcpd address 192.168.2.10-192.168.2.40 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy dwdipsec internal
group-policy dwdipsec attributes
vpn-tunnel-protocol IPSec
default-domain value DWDDOM
username user1 password ***** encrypted privilege 0
username user1 attributes
vpn-group-policy dwdipsec
tunnel-group dwdipsec type remote-access
tunnel-group dwdipsec general-attributes
address-pool vpnpool
default-group-policy dwdipsec
tunnel-group dwdipsec ipsec-attributes
pre-shared-key *****
tunnel-group dwdssl type remote-access
tunnel-group dwdssl general-attributes
address-pool vpnpool
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:f5c8dd644aa2a27374a923671da1c834
: end
DWD-ASA(config)#
Hi everybody,
I need help with an NTP issue on my Cisco MDS (m9100-s2ek9-kickstart-mz.5.0.1a.bin, m9100-s2ek9-mz.5.0.1a.bin).
All my Cisco network equipment synchronises to my NTP server (Cisco Catalyst 6500) without any problem, except the Cisco MDS equipment.
I have this information:
ntpd[1213]: ntp:frequency error 512 PPM exceeds tolerance 500 PPM
2010 Sep 28 09:35:10 LV2-SWS-MDS1B ntpd[1355]: ntp:time reset +2.829312 s
and this is my configuration on my Cisco MDS:
ntp server 192.168.7.12
ntp source-interface mgmt0
On my Catalyst 6500, I just define "ntp master" and "ntp source vlan 7".
Could you give me some information to resolve this issue?
Thanks a lot
Best regards
Geoffrey
Is this initial NTP configuration on the MDS? If so, and if the MDS clock is way off, can you set the clock manually once using "clock set x" command and then let NTP synchronize?
Hello
I would like to make a list with Vendor IDs, their Hex values and their purpose.
I am not aware of any document that mentions their usage and values so I would like to make one.
The reason for this is that in some outputs (e.g. 'capture CAP type isakmp' or 'debug crypto ikev1 255') on ASA you see only the Hex values of the VID.
I will make the beginning by combining outputs from the above debug commands along with Wireshark captures and list some of the VIDs and their usage. Please feel free to continue the update/correction of the list:
Vendor ID
Data (In Hex): 09 00 26 89 df d6 b7 12
Name: draft-beaulieu-ike-xauth-02.txt (XAUTH)
Usage: In my opinion this VID informs the Responder that the Initiator is using Aggressive mode.
Data (In Hex): af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00
Name: RFC 3706 Detecting Dead IKE Peers (DPD)
Usage: In my opinion this VID informs the Responder that the Initiator supports DPD.
Data (In Hex): 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3 80 00 00 00
Name: Cisco Fragmentation
Usage: ?
Data (In Hex): 90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
Name: draft-ietf-ipsec-nat-t-ike-02\n
Usage: Advertises the capability of the device to support NAT-T (NAT Traversal Support)
Data (In Hex): 12 f5 f2 8c 45 71 68 a9 70 2d 9f e2 74 cc 01 00
Name: CISCO-UNITY-1.0
Usage: ?
Regards
Mikis Zafeiroudis
If your connections are breaking due to NAT/IPSEC-being-blocked issues, then SSL VPNs have a better chance as 443 is rarely blocked. But if your IPSEC VPN is properly setup with NAT-T and keepalives, they should work through most networks.
You need to post more details about the existing issues to comment further.
Regards
Farrukh
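The Vendor ID list above is the kind of table that is only useful if you can turn the spaced hex bytes from a `capture` or `debug crypto ikev1` output back into a name, and if you can check which entries are derived from a text string rather than being opaque constants. The following Python script is an added example and not part of the post or of any vendor's code: it holds the five VIDs from the post (plus the RFC 3947 NAT-T VID, a public value the post does not list), recomputes the two entries whose derivation is documented (RFC 3947 states its VID is the MD5 of "RFC 3947"; the draft-02 NAT-T VID is the MD5 of the draft name with a trailing newline, which is why the post writes "\n"), and classifies byte runs pulled out of a constructed debug snippet. The debug line format and the third, unknown VID in the sample are constructed for illustration.

```python
import hashlib
import re

# IKEv1 Vendor ID (VID) payloads. The first five hex strings are the values
# listed in the post above; the RFC 3947 entry is a public value added here
# that the post does not list. "source" is set only where the VID is known to
# be the MD5 of a text string (RFC 3947 section 3 for "RFC 3947"; the draft-02
# NAT-T VID is MD5 of the draft name including a trailing newline). Entries
# without "source" are treated as opaque fixed byte strings.
KNOWN_VIDS = [
    {"hex": "09002689dfd6b712",
     "name": "draft-beaulieu-ike-xauth-02.txt (XAUTH)"},
    {"hex": "afcad71368a1f1c96b8696fc77570100",
     "name": "RFC 3706 Detecting Dead IKE Peers (DPD)"},
    {"hex": "4048b7d56ebce88525e7de7f00d6c2d380000000",
     "name": "Cisco Fragmentation"},
    {"hex": "90cb80913ebb696e086381b5ec427b1f",
     "name": "draft-ietf-ipsec-nat-t-ike-02\\n (NAT-T)",
     "source": "draft-ietf-ipsec-nat-t-ike-02\n"},
    {"hex": "12f5f28c457168a9702d9fe274cc0100",
     "name": "CISCO-UNITY-1.0"},
    {"hex": "4a131c81070358455c5728f20e95452f",
     "name": "RFC 3947 NAT-T (added here, not in the post)",
     "source": "RFC 3947"},
]

# A run of at least eight bytes written as "09 00 26 89 ..." or "09:00:26:...".
_HEX_RUN = re.compile(r"\b[0-9a-fA-F]{2}(?:[ :][0-9a-fA-F]{2}){7,}\b")


def normalize_hex(text: str) -> str:
    """Drop separators and case so '09 00 26 89' and '09002689' compare equal."""
    return re.sub(r"[^0-9a-fA-F]", "", text).lower()


def vid_from_text(source: str, length: int = 16) -> str:
    """Derive a text-based VID: MD5 of the string, truncated to `length` bytes."""
    return hashlib.md5(source.encode("ascii")).hexdigest()[: 2 * length]


def lookup_vid(hex_vid: str):
    """Return the name for a VID (exact match after normalising) or None."""
    wanted = normalize_hex(hex_vid)
    for entry in KNOWN_VIDS:
        if entry["hex"] == wanted:
            return entry["name"]
    return None


def identify_vids(debug_output: str):
    """Pull every spaced/colon-separated hex byte run out of debug or capture
    text and classify it. Returns (normalized_hex, name_or_None) in order."""
    results = []
    for match in _HEX_RUN.finditer(debug_output):
        hex_vid = normalize_hex(match.group(0))
        results.append((hex_vid, lookup_vid(hex_vid)))
    return results


def check_derivations():
    """Recompute every text-derived VID in the table and return the names whose
    stored hex does not match. An empty list means the table is consistent."""
    bad = []
    for entry in KNOWN_VIDS:
        if "source" in entry:
            expected_len = len(entry["hex"]) // 2
            if vid_from_text(entry["source"], expected_len) != entry["hex"]:
                bad.append(entry["name"])
    return bad


# Constructed sample: three VID lines in the spaced-hex style debugs use. The
# line prefix is invented, and the third value is made up to show how an
# unrecognised VID is reported.
SAMPLE_DEBUG = """\
(constructed) received Vendor ID payload: 09 00 26 89 df d6 b7 12
(constructed) received Vendor ID payload: 90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
(constructed) received Vendor ID payload: de ad be ef 00 11 22 33 44 55 66 77 88 99 aa bb
"""

if __name__ == "__main__":
    print("derivation mismatches:", check_derivations())
    for hex_vid, name in identify_vids(SAMPLE_DEBUG):
        print(hex_vid, "->", name or "UNKNOWN")
```

Entries without a `source` (XAUTH, DPD, Cisco Fragmentation, Unity) are deliberately kept as fixed bytes rather than guessed derivations; if you learn the string behind one, add a `source` key and `check_derivations()` will verify it the next time the script runs.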
Hello all! Hope all are having a great day!
I'm trying to get caught up with NTP issues. Perhaps someone can assist me with some NTP questions that I have.
I understand what NTP is used for. And I understand the basic premises of how Cisco is using NTP. So, with that in mind, let me give you my scenario.
Our network is a switched network, with a 3750 as the "LANCORE" switch. We have about 6 distro switches (3750s), and the rest are daisy-chained off the distro switches. So, each distro has anywhere from 10-12 switches as spokes, with the distro being the hub. That's the basics.
Now, as of late, I've become interested in reviewing the syslogs, especially since I'm working on my CCNA Security. I suddenly became aware that a lot of the switches in the network have horrible time settings. So let me break down what I think has happened:
Correct time:
There are a handful of switches that have the NTP server set as the LANCORE switch, let's call it 172.16.1.1. Authentication is set up between these devices. But when you do a "sho NTP status", it shows that the clock is unsynchronized. The LANCORE switch, 172.16.1.1, is set up to point to the DC of the network as its source. I think when you do a "sho NTP ass" on this switch, it shows the two domain controllers' IP addresses in the first column, then a reference time IP address in the 2nd column. If I'm correct, isn't that what the DC is pointing to to get its time from?
Even so, why isn't it showing the clock synchronized? The DCs, being servers, SHOULD be using NTP so they talk to each other. Microsoft is very, very touchy about the clocks being in sync. My only unanswered question would be whether the DCs are set up to talk to the LANCORE switch with NTP, which, since they were configured like that, I'm guessing they were.
Incorrect time:
There are a bunch of devices that are showing incorrect date and time (I'm guessing some kind of default). Their configs are pointing to a device, let's say 172.16.2.1. However, that device is no longer on the network. So I'm guessing that the switches are not contacting that device, and are defaulting to this incorrect date/time combo. It looks like I'll just have to reconfigure all of those switches to point back to the scenario above.
Any thoughts or suggestions would be appreciated.
Leo's solution was what we used in a secure environment. A dedicated NTP appliance (Datum Tymserve 2100 if memory serves) connected via a rooftop antenna (with optical isolators for that input signal). I see you can pick one up on e-Bay for about US$500 if you're so inclined.
That said, I've always personally thought NTP authentication was overblown. Exactly what threat are you protecting against? I'd advocate a scheme such as I used more recently: point your edge device(s) (e.g. a firewall cluster) to an external (well-known public) NTP source. Point your internal devices (routers, switches and Windows DCs) to the firewall as their NTP master. A good firewall (I was using Juniper Netscreens) will report itself as Stratum 1 based on its clock stability.
Regarding load, NTP is a very low-load service. Unless you have thousands (or tens of thousands) of devices all hitting the same server, load due to serving NTP should be negligible.
Do be sure to set up your devices to set their calendars as well as clocks using NTP, and the other best practices as described in Cisco's various documents.