L3 VPN on MPLS and QoS
Hi there
I've got some problems with QoS for one of our L3 VPN customers.
Our network consists of 76xx / SUP720-3B routers with SIP400 interfaces for core facing and various LAN interfaces for customer facing.
The customer VRF interfaces are configured as ordinary Vlan SVI's, e.g.
interface vlan123
ip vrf forwarding VPN
ip address 1.1.1.1 255.255.255.252
When setting up the VPN for QoS, I've done some digging and decided that "Short Pipe mode" is the right type for me. I've configured the system just as described in the manual for 7600 SR software, but I still don't get any QoS settings transferred across my network. Actually a "show mls qos" tells me that I'm currently using "Pipe mode" for the MPLS VPN.
Anyone who might have some relevant information to share on QoS on L3 VPN MPLS.
Regards,
Lars
It's been a while, but Layer 2 cards are cheap cards and have no smart functionality. I thought pipe mode was for EoMPLS type functions and not layer 3 VPNs.
Similar Messages
Load balance between MPLS and VPN
Dear All
There are two locations, site A and site B. I am confused with it. Anyone can help to understand it? The site A and B are connected with two paths. One is MPLS and another is VPN over internet. We want MPLS as primary path and L2L VPN as backup. Only when primary path is down, VPN can be used. How can we configure it? Can you give me suggestion? or a link. Thank you.
Hello yangfrank,
You can set this with a floating static using tracking with ip sla.
Your primary route will be via MPLS
ip route 0.0.0.0 0.0.0.0 x.x.x.x track 1 (via MPLS)
ip route 0.0.0.0 0.0.0.0 y.y.y.y 10 (via VPN)
ip sla 1
icmp-echo z.z.z.z source interface gix/x (MPLS interface)
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
Here are examples:
http://networklessons.com/ip-routing/reliable-static-routing-with-ip-sla/
http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/813-cisco-router-ipsla-basic.html
Hope this helps.
Best/stable IOS for 7206 to support MPLS and L2TP/LNS
Hi.
I can see many versions of IOS that can support MPLS/L2TP/LNS for 7206.
But which is the latest recommended?
I am eyeing the following:
12.4.24T7(ED)
c7200p-advipservicesk9-mz.124-24.T7.bin
or
12.2.33 SRE6
c7200p-advipservicesk9-mz.122-33.SRE6.bin
Both released March2012.
Or should I go up to 15.1?
Thanks
Hi Allan,
I would recommend moving to 15.1. Multiple bug fixes + a lot of code changes are present between 124 - SRE and 15.1, particularly CEF, Multicast and QoS.
Regards
L2L VPN with source and destination NAT
Hello,
I am new with the ASA 8.4 and was wondering how to tackle the following scenario.
The diagram is
Customer ---->>> Firewall --->> L2L VPN --->> Me --->> MPLS ---> Server
The server is accessible by other tunnels in place but there is no NAT needed. For the tunnel we are talking about it is
The Customer connects the following way
Source: 198.1.1.1
Destination: 192.168.1.1
It gets to the outside ASA interface which should translate the packets to:
Source: 10.110.110.1
Destination: 10.120.110.1
On the way back, 10.120.110.1 should be translated to 192.168.1.1 only when going to 198.1.1.1
I did the following configuration which I am not able to test but tomorrow during the migration
object network obj-198.1.1.1
host 198.1.1.1
object network obj-198.1.1.1
nat (outside,inside) dynamic 10.110.110.1
For the inside to outside NAT depending on the destination:
object network Real-IP
host 10.120.110.1
object-group network PE-VPN-src
network-object host 198.1.1.1
object network Destination-NAT
host 192.168.1.1
nat (inside,outside) source static Real-IP Destination-NAT destination static PE-VPN-src PE-VPN-src
Question is if I should also create the following or not for the outside to inside flow NAT? Or is the NAT done from the inside to outside statement even if the traffic is always initiated from the outside interface?
object network obj-192.168.1.1
host 192.168.1.1
object network obj-192.168.1.1
nat (outside,inside) dynamic 10.120.110.1
Let's use a spare IP address in the same subnet as the ASA inside interface for the NAT (assuming that 10.10.10.251 is free; please kindly double check and use a free IP address accordingly):
object network obj-10.10.10.243
host 10.10.10.243
object network obj-77.x.x.24
host 77.x.x.24
object network obj-10.10.10.251
host 10.10.10.251
object network obj-pcA
host 86.x.x.253
nat (inside,outside) source static obj-10.10.10.243 obj-77.x.x.24 destination static obj-10.10.10.251 obj-86.x.x.253
Hope that helps.
Frame Relay access into MPLS with QOS
My provider is telling me that I can take my frame relay network and map it into their MPLS network. Basically all my sites would connect into the provider's Frame network and then be mapped into the provider's MPLS network. Now I know this will work; but my concern is VoIP and QOS. If I have a single PVC and I am marking VoIP packets with an IPPREC of 5, how will the provider's frame relay network see that? And how will it be honored from CE => Provider FR => PE => P => PE => Provider FR => CE?
Todd, I doubt how your SP would provide you guaranteed QOS SLAs with that setup, as there is no one-to-one mapping of PREC/EXP values to FR based QOS.
Although, if he guarantees or ensures that the FR access cloud is never going to be congested and everything is FIFO in there, then he can provide your per-hop QOS behaviour based on your PREC value across the MPLS cloud.
HTH, Cheers,
Swaroop
Site-to-Site VPN btw Pix535 and Router 2811, can't get it work
Hi everyone, I spent a couple of days trying to make a site-to-site VPN between PIX535 and router 2811 work but came up empty-handed. I followed the instructions here:
http://www.cisco.com/en/US/products/ps9422/products_configuration_example09186a0080b4ae61.shtml
#1: PIX config:
: Saved
: Written by enable_15 at 18:05:33.678 EDT Sat Oct 20 2012
PIX Version 8.0(4)
hostname pix535
interface GigabitEthernet0
description to-cable-modem
nameif outside
security-level 0
ip address X.X.138.132 255.255.255.0
ospf cost 10
interface GigabitEthernet1
description inside 10/16
nameif inside
security-level 100
ip address 10.1.1.254 255.255.0.0
ospf cost 10
access-list outside_access_in extended permit ip any any
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip any 10.1.1.192 255.255.255.248
access-list outside_cryptomap_dyn_60 extended permit ip any 10.1.1.192 255.255.255.248
access-list outside_1_cryptomap extended permit ip 10.1.0.0 255.255.0.0 10.20.0.0 255.255.0.0
pager lines 24
ip local pool cnf-8-ip 10.1.1.192-10.1.1.199 mask 255.255.0.0
global (outside) 10 interface
global (outside) 15 1.2.4.5
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 15 10.1.0.0 255.255.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.138.1 1
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-MD5
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA
crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5 ESP-3DES-SHA ESP-DES-MD5 ESP-DES-SHA
crypto dynamic-map outside_dyn_map 60 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 60 set security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer X.X.21.29
crypto map outside_map 1 set transform-set ESP-DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 65534 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 1
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 3600
group-policy GroupPolicy1 internal
group-policy cnf-vpn-cls internal
group-policy cnf-vpn-cls attributes
wins-server value 10.1.1.7
dns-server value 10.1.1.7 10.1.1.205
vpn-tunnel-protocol IPSec l2tp-ipsec
default-domain value x.com
username sean password U/h5bFVjXlIDx8BtqPFrQw== nt-encrypted
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key secret1
radius-sdi-xauth
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group cnf-vpn-cls type remote-access
tunnel-group cnf-vpn-cls general-attributes
address-pool cnf-8-ip
default-group-policy cnf-vpn-cls
tunnel-group cnf-vpn-cls ipsec-attributes
pre-shared-key secret2
isakmp ikev1-user-authentication none
tunnel-group cnf-vpn-cls ppp-attributes
authentication ms-chap-v2
tunnel-group X.X.21.29 type ipsec-l2l
tunnel-group X.X.21.29 ipsec-attributes
pre-shared-key SECRET
class-map inspection_default
match default-inspection-traffic
service-policy global_policy global
prompt hostname context
Cryptochecksum:9780edb09bc7debe147db1e7d52ec39c
: end
#2: Router 2811 config:
! Last configuration change at 09:15:32 PST Fri Oct 19 2012 by cnfla
! NVRAM config last updated at 13:45:03 PST Tue Oct 16 2012
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname LA-2800
crypto pki trustpoint TP-self-signed-1411740556
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1411740556
revocation-check none
rsakeypair TP-self-signed-1411740556
crypto pki certificate chain TP-self-signed-1411740556
certificate self-signed 01
quit
crypto isakmp policy 1
authentication pre-share
crypto isakmp key SECRET address X.X.138.132 no-xauth
crypto ipsec transform-set la-2800-trans-set esp-des esp-sha-hmac
crypto map la-2800-ipsec-policy 1 ipsec-isakmp
description vpn ipsec policy
set peer X.X.138.132
set transform-set la-2800-trans-set
match address 101
interface FastEthernet0/0
description WAN Side
ip address X.X.216.29 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
no mop enabled
crypto map la-2800-ipsec-policy
interface FastEthernet0/1
description LAN Side
ip address 10.20.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex full
speed auto
no mop enabled
ip nat inside source route-map nonat interface FastEthernet0/0 overload
access-list 10 permit X.X.138.132
access-list 99 permit 64.236.96.53
access-list 99 permit 98.82.1.202
access-list 101 remark vpn tunnerl acl
access-list 101 remark SDM_ACL Category=4
access-list 101 remark tunnel policy
access-list 101 permit ip 10.20.0.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 deny ip 10.20.0.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 permit ip 10.20.0.0 0.0.0.255 any
snmp-server community public RO
route-map nonat permit 10
match ip address 110
webvpn gateway gateway_1
ip address X.X.216.29 port 443
ssl trustpoint TP-self-signed-1411740556
inservice
webvpn install svc flash:/webvpn/svc.pkg
webvpn context gateway-1
title "b"
secondary-color white
title-color #CCCC66
text-color black
ssl authenticate verify all
policy group policy_1
functions svc-enabled
svc address-pool "WebVPN-Pool"
svc keep-client-installed
svc split include 10.20.0.0 255.255.0.0
default-group-policy policy_1
gateway gateway_1
inservice
end
#3: Test from Pix to router:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: X.X.21.29
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
>>DEBUG:
Oct 22 12:07:14 pix535:Oct 22 12:20:28 EDT: %PIX-vpn-3-713902: IP = X.X.21.29, Removing peer from peer table failed, no match!
Oct 22 12:07:14 pix535 :Oct 22 12:20:28 EDT: %PIX-vpn-4-713903: IP = X.X.21.29, Error: Unable to remove PeerTblEntry
#4: test from router to pix:
LA-2800#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
X.X.138.132 X.X.216.29 MM_KEY_EXCH 1017 0 ACTIVE
>>debug
LA-2800#ping 10.1.1.7 source 10.20.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.7, timeout is 2 seconds:
Packet sent with a source address of 10.20.1.1
Oct 22 16:24:33.945: ISAKMP:(0): SA request profile is (NULL)
Oct 22 16:24:33.945: ISAKMP: Created a peer struct for X.X.138.132, peer port 500
Oct 22 16:24:33.945: ISAKMP: New peer created peer = 0x488B25C8 peer_handle = 0x80000013
Oct 22 16:24:33.945: ISAKMP: Locking peer struct 0x488B25C8, refcount 1 for isakmp_initiator
Oct 22 16:24:33.945: ISAKMP: local port 500, remote port 500
Oct 22 16:24:33.945: ISAKMP: set new node 0 to QM_IDLE
Oct 22 16:24:33.945: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 487720A0
Oct 22 16:24:33.945: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Oct 22 16:24:33.945: ISAKMP:(0):found peer pre-shared key matching 70.169.138.132
Oct 22 16:24:33.945: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Oct 22 16:24:33.945: ISAKMP:(0): constructed NAT-T vendor-07 ID
Oct 22 16:24:33.945: ISAKMP:(0): constructed NAT-T vendor-03 ID
Oct 22 16:24:33.945: ISAKMP:(0): constructed NAT-T vendor-02 ID
Oct 22 16:24:33.945: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Oct 22 16:24:33.945: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Oct 22 16:24:33.945: ISAKMP:(0): beginning Main Mode exchange
Oct 22 16:24:33.945: ISAKMP:(0): sending packet to X.X.138.132 my_port 500 peer_port 500 (I) MM_NO_STATE
Oct 22 16:24:33.945: ISAKMP:(0):Sending an IKE IPv4 Packet.
Oct 22 16:24:34.049: ISAKMP (0:0): received packet from X.X.138.132 dport 500 sport 500 Global (I) MM_NO_STATE
Oct 22 16:24:34.049: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 22 16:24:34.049: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
Oct 22 16:24:34.049: ISAKMP:(0): processing SA payload. message ID = 0
Oct 22 16:24:34.049: ISAKMP:(0): processing vendor id payload
Oct 22 16:24:34.049: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Oct 22 16:24:34.049: ISAKMP:(0): vendor ID is NAT-T v2
Oct 22 16:24:34.049: ISAKMP:(0): processing vendor id payload
Oct 22 16:24:34.049: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
Oct 22 16:24:34.053: ISAKMP:(0):found peer pre-shared key matching 70.169.138.132
Oct 22 16:24:34.053: ISAKMP:(0): local preshared key found
Oct 22 16:24:34.053: ISAKMP : Scanning profiles for xauth ...
Oct 22 16:24:34.053: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
Oct 22 16:24:34.053: ISAKMP: encryption DES-CBC
Oct 22 16:24:34.053: ISAKMP: hash SHA
Oct 22 16:24:34.053: ISAKMP: default group 1
Oct 22 16:24:34.053: ISAKMP: auth pre-share
Oct 22 16:24:34.053: ISAKMP: life type in seconds
Oct 22 16:24:34.053: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Oct 22 16:24:34.053: ISAKMP:(0):atts are acceptable. Next payload is 0
Oct 22 16:24:34.053: ISAKMP:(0):Acceptable atts:actual life: 0
Oct 22 16:24:34.053: ISAKMP:(0):Acceptable atts:life: 0
Oct 22 16:24:34.053: ISAKMP:(0):Fill atts in sa vpi_length:4
Oct 22 16:24:34.053: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Oct 22 16:24:34.053: ISAKMP:(0):Returning Actual lifetime: 86400
Oct 22 16:24:34.053: ISAKMP:(0)::Started lifetime timer: 86400.
Oct 22 16:24:34.053: ISAKMP:(0): processing vendor id payload
Oct 22 16:24:34.053: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Oct 22 16:24:34.053: ISAKMP:(0): vendor ID is NAT-T v2
Oct 22 16:24:34.053: ISAKMP:(0): processing vendor id payload
Oct 22 16:24:34.053: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
Oct 22 16:24:34.053: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 22 16:24:34.053: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
Oct 22 16:24:34.057: ISAKMP:(0): sending packet to X.X.138.132 my_port 500 peer_port 500 (I) MM_SA_SETUP
Oct 22 16:24:34.057: ISAKMP:(0):Sending an IKE IPv4 Packet.
Oct 22 16:24:34.057: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 22 16:24:34.057: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
Oct 22 16:24:34.181: ISAKMP (0:0): received packet from X.X.138.132 dport 500 sport 500 Global (I) MM_SA_SETUP
Oct 22 16:24:34.181: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 22 16:24:34.181: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
Oct 22 16:24:34.181: ISAKMP:(0): processing KE payload. message ID = 0
Oct 22 16:24:34.217: ISAKMP:(0): processing NONCE payload. message ID = 0
Oct 22 16:24:34.217: ISAKMP:(0):found peer pre-shared key matching X.X.138.132
Oct 22 16:24:34.217: ISAKMP:(1018): processing vendor id payload
Oct 22 16:24:34.217: ISAKMP:(1018): vendor ID is Unity
Oct 22 16:24:34.217: ISAKMP:(1018): processing vendor id payload
Oct 22 16:24:34.217: ISAKMP:(1018): vendor ID seems Unity/DPD but major 55 mismatch
Oct 22 16:24:34.217: ISAKMP:(1018): vendor ID is XAUTH
Oct 22 16:24:34.217: ISAKMP:(1018): processing vendor id payload
Oct 22 16:24:34.217: ISAKMP:(1018): speaking to another IOS box!
Oct 22 16:24:34.221: ISAKMP:(1018): processing vendor id payload
Oct 22 16:24:34.221: ISAKMP:(1018):vendor ID seems Unity/DPD but hash mismatch
Oct 22 16:24:34.221: ISAKMP:received payload type 20
Oct 22 16:24:34.221: ISAKMP:received payload type 20
Oct 22 16:24:34.221: ISAKMP:(1018):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 22 16:24:34.221: ISAKMP:(1018):Old State = IKE_I_MM4 New State = IKE_I_MM4
Oct 22 16:24:34.221: ISAKMP:(1018):Send initial contact
Oct 22 16:24:34.221: ISAKMP:(1018):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Oct 22 16:24:34.221: ISAKMP (0:1018): ID payload
next-payload : 8
type : 1
address : X.X.216.29
protocol : 17
port : 500
length : 12
Oct 22 16:24:34.221: ISAKMP:(1018):Total payload length: 12
Oct 22 16:24:34.221: ISAKMP:(1018): sending packet to X.X.138.132 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Oct 22 16:24:34.221: ISAKMP:(1018):Sending an IKE IPv4 Packet.
Oct 22 16:24:34.225: ISAKMP:(1018):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 22 16:24:34.225: ISAKMP:(1018):Old State = IKE_I_MM4 New State = IKE_I_MM5
Oct 22 16:24:38.849: ISAKMP:(1017):purging node 198554740
Oct 22 16:24:38.849: ISAKMP:(1017):purging node 812380002
Oct 22 16:24:38.849: ISAKMP:(1017):purging node 773209335..
Success rate is 0 percent (0/5)
LA-2800#
Oct 22 16:24:44.221: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH...
Oct 22 16:24:44.221: ISAKMP (0:1018): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Oct 22 16:24:44.221: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH
Oct 22 16:24:44.221: ISAKMP:(1018): sending packet to X.X.138.132 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Oct 22 16:24:44.221: ISAKMP:(1018):Sending an IKE IPv4 Packet.
Oct 22 16:24:44.317: ISAKMP (0:1018): received packet from X.X.138.132 dport 500 sport 500 Global (I) MM_KEY_EXCH
Oct 22 16:24:44.317: ISAKMP:(1018): phase 1 packet is a duplicate of a previous packet.
Oct 22 16:24:44.321: ISAKMP:(1018): retransmission skipped for phase 1 (time since last transmission 96)
Oct 22 16:24:48.849: ISAKMP:(1017):purging SA., sa=469BAD60, delme=469BAD60
Oct 22 16:24:52.313: ISAKMP (0:1018): received packet from X.X.138.132 dport 500 sport 500 Global (I) MM_KEY_EXCH
Oct 22 16:24:52.313: ISAKMP:(1018): phase 1 packet is a duplicate of a previous packet.
Oct 22 16:24:52.313: ISAKMP:(1018): retransmitting due to retransmit phase 1
Oct 22 16:24:52.813: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH...
Oct 22 16:24:52.813: ISAKMP (0:1018): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Oct 22 16:24:52.813: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH
Oct 22 16:24:52.813: ISAKMP:(1018): sending packet to X.X138.132 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Oct 22 16:24:52.813: ISAKMP:(1018):Sending an IKE IPv4 Packet.
Oct 22 16:24:52.913: ISAKMP:(1018): phase 1 packet is a duplicate of a previous packet.
Oct 22 16:24:52.913: ISAKMP:(1018): retransmission skipped for phase 1 (time since last transmission 100)
Oct 22 16:25:00.905: ISAKMP (0:1018): received packet from X.X.138.132 dport 500 sport 500 Global (I) MM_KEY_EXCH
Oct 22 16:25:00.905: ISAKMP: set new node 422447177 to QM_IDLE
Oct 22 16:25:03.941: ISAKMP:(1018):SA is still budding. Attached new ipsec request to it. (local 1X.X.216.29, remote X.X.138.132)
Oct 22 16:25:03.941: ISAKMP: Error while processing SA request: Failed to initialize SA
Oct 22 16:25:03.941: ISAKMP: Error while processing KMI message 0, error 2.
Oct 22 16:25:12.814: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH...
Oct 22 16:25:12.814: ISAKMP (0:1018): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Oct 22 16:25:12.814: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH
Oct 22 16:25:12.814: ISAKMP:(1018): sending packet to X.X.138.132 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Oct 22 16:25:12.814: ISAKMP:(1018):Sending an IKE IPv4 Packet.
Oct 22 16:25:22.814: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH...
Oct 22 16:25:22.814: ISAKMP (0:1018): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Oct 22 16:25:22.814: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH
Oct 22 16:25:22.814: ISAKMP:(1018): sending packet to X.X.138.132 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Oct 22 16:25:22.814: ISAKMP:(1018):Sending an IKE IPv4 Packet.
Oct 22 16:25:32.814: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH...
Oct 22 16:25:32.814: ISAKMP:(1018):peer does not do paranoid keepalives.
Oct 22 16:25:32.814: ISAKMP:(1018):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 70.169.138.132)
Oct 22 16:25:32.814: ISAKMP:(1018):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 70.169.138.132)
Oct 22 16:25:32.814: ISAKMP: Unlocking peer struct 0x488B25C8 for isadb_mark_sa_deleted(), count 0
Oct 22 16:25:32.814: ISAKMP: Deleting peer node by peer_reap for X.X.138.132: 488B25C8
Oct 22 16:25:32.814: ISAKMP:(1018):deleting node 1112432180 error FALSE reason "IKE deleted"
Oct 22 16:25:32.814: ISAKMP:(1018):deleting node 422447177 error FALSE reason "IKE deleted"
Oct 22 16:25:32.814: ISAKMP:(1018):deleting node -278980615 error FALSE reason "IKE deleted"
Oct 22 16:25:32.814: ISAKMP:(1018):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Oct 22 16:25:32.814: ISAKMP:(1018):Old State = IKE_I_MM5 New State = IKE_DEST_SA
Oct 22 16:26:22.816: ISAKMP:(1018):purging node 1112432180
Oct 22 16:26:22.816: ISAKMP:(1018):purging node 422447177
Oct 22 16:26:22.816: ISAKMP:(1018):purging node -278980615
Oct 22 16:26:32.816: ISAKMP:(1018):purging SA., sa=487720A0, delme=487720A0
****** The PIX is also used for VPN client access, such as Cisco VPN Client 5.0, which works fine; the router is also used as an SSL VPN server, which works too.
I know there is a lot of data here; hopefully it may be useful for diagnosis purposes.
Any suggestions and advice are greatly appreciated.
Sean
Hi Sean,
Current configuration:
On the PIX:
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer X.X.21.29
crypto map outside_map 1 set transform-set ESP-DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
access-list outside_1_cryptomap extended permit ip 10.1.0.0 255.255.0.0 10.20.0.0 255.255.0.0
tunnel-group X.X.21.29 type ipsec-l2l
tunnel-group X.X.21.29 ipsec-attributes
pre-shared-key SECRET
On the Router:
crypto isakmp policy 1
authentication pre-share
crypto map la-2800-ipsec-policy 1 ipsec-isakmp
description vpn ipsec policy
set peer X.X.138.132
set transform-set la-2800-trans-set
match address 101
access-list 101 permit ip 10.20.0.0 0.0.0.255 10.1.0.0 0.0.255.255
crypto ipsec transform-set la-2800-trans-set esp-des esp-sha-hmac
crypto isakmp key SECRET address X.X.138.132 no-xauth
Portu.
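The router-side "debug crypto isakmp" output in Sean's post boils down to a few facts: how far main mode got, how many retransmits happened, and why the SA was deleted. The parser below is an added example, not code from the original thread; the state meanings follow IOS initiator main-mode naming, and the sample lines are a constructed subset of the debug above with the peer address masked.

```python
"""Summarise an IOS 'debug crypto isakmp' capture of an IKEv1 main-mode attempt.
Added example (not code from the original post): it reads the state, retransmit
and SA-deletion lines IOS prints and reports how far phase 1 got before teardown.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Initiator-side main-mode states as IOS names them, and what each one means.
MM_ORDER = ["IKE_READY", "IKE_I_MM1", "IKE_I_MM2", "IKE_I_MM3",
            "IKE_I_MM4", "IKE_I_MM5", "IKE_I_MM6"]
MM_MEANING = {
    "IKE_READY": "idle, nothing sent yet",
    "IKE_I_MM1": "MM1 sent: our ISAKMP policy proposals",
    "IKE_I_MM2": "MM2 received: peer picked one of our proposals",
    "IKE_I_MM3": "MM3 sent: our Diffie-Hellman value and nonce",
    "IKE_I_MM4": "MM4 received: peer's DH value and nonce, keys derivable",
    "IKE_I_MM5": "MM5 sent: our identity and authentication hash",
    "IKE_I_MM6": "MM6 received: peer authenticated, phase 1 complete",
}
STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
ACCEPT_RE = re.compile(r"atts are acceptable")
ID_RE = re.compile(r"authentication using id type (\S+)")
ATTEMPT_RE = re.compile(r"attempt (\d+) of \d+: retransmit phase 1")
DUP_RE = re.compile(r"phase 1 packet is a duplicate")
DELETE_RE = re.compile(r'deleting SA reason "([^"]+)" state \(I\) \S+ \(peer ([^)]+)\)')

@dataclass
class Phase1Summary:
    transitions: List[Tuple[str, str]] = field(default_factory=list)
    furthest_state: str = "IKE_READY"  # highest main-mode state reached
    proposal_accepted: bool = False     # peer's SA payload matched a policy
    id_type: Optional[str] = None       # identity type we authenticated with
    retransmits: int = 0                # highest "attempt N of M" seen
    duplicate_packets: int = 0          # peer re-sent its last packet
    delete_reason: Optional[str] = None
    peer: Optional[str] = None

def parse_isakmp_debug(text: str) -> Phase1Summary:
    """Walk the debug lines once and collect the facts that matter for phase 1."""
    s = Phase1Summary()
    for line in text.splitlines():
        if m := STATE_RE.search(line):
            old, new = m.groups()
            s.transitions.append((old, new))
            if new in MM_ORDER and MM_ORDER.index(new) > MM_ORDER.index(s.furthest_state):
                s.furthest_state = new
        if ACCEPT_RE.search(line):
            s.proposal_accepted = True
        if m := ID_RE.search(line):
            s.id_type = m.group(1)
        if m := ATTEMPT_RE.search(line):
            s.retransmits = max(s.retransmits, int(m.group(1)))
        if DUP_RE.search(line):
            s.duplicate_packets += 1
        if m := DELETE_RE.search(line):
            s.delete_reason, s.peer = m.groups()
    return s

def diagnose(s: Phase1Summary) -> str:
    """First line a troubleshooter would write, based only on what the debug shows."""
    if s.furthest_state == "IKE_I_MM6":
        return "phase 1 completed"
    if not s.proposal_accepted:
        return "no ISAKMP policy matched the peer's proposals (stuck at MM1/MM2)"
    if s.furthest_state == "IKE_I_MM5":
        # We sent identity+hash; the peer kept re-sending its MM4 (the duplicates)
        # and never answered with MM6, so it did not accept our authentication.
        # A pre-shared key or identity mismatch on the peer is the usual cause.
        return ("stalled after MM5: identity/hash sent, no valid MM6 received "
                f"({s.retransmits} retransmits, {s.duplicate_packets} duplicate "
                f"packets from peer, SA deleted: {s.delete_reason})")
    return f"stalled at {s.furthest_state}: {MM_MEANING[s.furthest_state]}"

# Constructed sample: a subset of the router debug quoted in the post, peer masked.
SAMPLE_DEBUG = """\
Oct 22 16:24:33.945: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Oct 22 16:24:34.049: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
Oct 22 16:24:34.053: ISAKMP:(0):atts are acceptable. Next payload is 0
Oct 22 16:24:34.057: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
Oct 22 16:24:34.181: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
Oct 22 16:24:34.221: ISAKMP:(1018):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Oct 22 16:24:34.225: ISAKMP:(1018):Old State = IKE_I_MM4 New State = IKE_I_MM5
Oct 22 16:24:44.221: ISAKMP (0:1018): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Oct 22 16:24:44.317: ISAKMP:(1018): phase 1 packet is a duplicate of a previous packet.
Oct 22 16:25:22.814: ISAKMP (0:1018): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Oct 22 16:25:32.814: ISAKMP:(1018):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer X.X.138.132)
Oct 22 16:25:32.814: ISAKMP:(1018):Old State = IKE_I_MM5 New State = IKE_DEST_SA
"""

if __name__ == "__main__":
    summary = parse_isakmp_debug(SAMPLE_DEBUG)
    print(f"peer {summary.peer}: reached {summary.furthest_state} "
          f"({MM_MEANING[summary.furthest_state]})")
    print(diagnose(summary))
```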
VPN load balancing and ASA !!!
Hi netpros,
I have a couple of questions about this and hope you might be able to assist me.
1.- Are VPN load balancing and failover (Active/Active) mutually exclusive ..? I mean they can't be used at the same time correct ..?
2.- How does the ASA handle the return traffic from the Internal LAN towards the remote client .. Because the cluster only requires ONE public virtual IP address, which will work for incoming packets .. but what about the return traffic which has knowledge of the DHCP scope's default gateway IP address only .. ? How gets the returned packet redirected from the default gateway IP address to the respective ASA internal IP address .?
3.- VPN load balancing only applies to remote clients using easy VPN technology (easy vpn client, hardware client , pIX using easy vpn client etc ) and does not work with static LAN-LAN tunnel .. correct ..?
Your comments are much appreciated
Hi Gilbert ..
1.- Thanks I wanted to make sure.
2.- I know that .. my question is in regards the return packets .. for example if I have the below IP schema:
ASA1: Public 20.20.20.20
Private 192.168.1.1
ASA2: Public 20.20.20.21
Private 192.168.1.2
Cluster virtual IP: 20.20.20.10
Default gateway for segment 192.168.1.0 is 192.168.1.1
Let's say that a vpn client tries to connect and the cluster instructs the client to connect to ASA2 20.20.20.21. The packets reach the internal server at 192.168.1.100. The internal server then sends the return packets back to the client by forwarding them to its default gateway which is 192.168.1.1 (ASA1). Here is my question .. how does the cluster handle this, because the return packets are supposed to be directed to ASA2 192.168.1.2?
3.- Any idea about this one ..?
Cheers,
What does VPN DO? And how to use it ?
http://en.wikipedia.org/wiki/Vpn
Or Google 'what is a vpn' or 'how to use a vpn' many people have explained this better than me.
In short it wraps your traffic in to an encrypted link to a server (normally on the internet). Then the traffic leaves that server & goes onto the public internet. It is possible for the link to reveal information about you, but a VPN can protect you on open wifi or on bad networks etc.
Sometimes the VPN terminates inside a corporate network, so users can do work at home securely.
It is similar to using https for web browsing (secure http makes traffic difficult to intercept & read).
Subject: SNA/QOS
I am currently running 12.1(11a) IOS on a router based network with four 7500 routers. I am currently running custom queueing as my QoS. I am now looking to using LLQ w/ CBWFQ and distributed modes, as well. I have VIP-40 cards in all routers. However, my network is composed of --
TP0 - batch traffic
TP1 - interactive traffic
TP2 - controlled traffic - high amounts
I have been told that Cisco's QoS will support TP1 traffic, so I am concerned about my TP2 (controlled traffic) and if I can implement LLQ/CBWFQ into my network.
I would like to implement this for my critical apps such as SNA, and HTTP web based apps, thus limiting my SQL, FTP and Telnet traffic.
Thanks in advance.
Any PPT files would be appreciated.
Hi Connie,
You open the door to an interesting discussion, by including both SNA and QoS in your question. As you know, a variety of QoS mechanisms have been available for SNA traffic for quite a while. I can't tell from your description what sort of traffic is contained in "TP2-CONTROLLED", so I will assume it is voice and video traffic, and not the "TP2" from OSI Transport Protocols.
The quick answer is that you can definitely support TP1 traffic while protecting the quality of your TP2 traffic. Essentially you decide what percentage of the available bandwidth to allocate to each class of traffic, providing a minimum guaranteed value. In addition, there is a special class, Low Latency Queuing (LLQ), available for delay and jitter sensitive traffic such as voice. Within each traffic class, IOS will then provide Weighted Fair Queuing (WFQ) for each unique flow (session). This becomes a bit more interesting when combined with different WAN types such as frame relay and ATM, you can take advantage of the VIPs that you mention, and there are considerations for low speed circuits. So here are a couple of URLs that provide more information.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/qos_c/qcprt2/qcdconmg.htm
http://www.cisco.com/univercd/cc/td/doc/product/voice/ip_tele/avvidqos/qoswan.htm
Coming back to the SNA traffic, I assume you're currently using custom queuing with DLSw+, using the priority parameter to create four TCP connections, and classifying traffic using one of the three available methods. In moving to a CBWFQ model, you will want to map the existing custom queues into the newly created classes. In other words, you can continue to use the same classification techniques, while changing to the easier to define, and more efficient WFQ for output queue processing.
The absolute best traffic classification comes with using the Enterprise Extender (EE) feature of SNASw. When SNA traffic is sent across an EE link, the precedence bits in the IP packets are automatically marked with the same values that are used in the SNA Class of Service (CoS). Since SNASw is our APPN node implementation, propagating the precedence markings from SNASw to DLSw+ also provides an automatic means of classifying the SNA traffic.
Rgds, Dan
-
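An added configuration example for the CBWFQ/LLQ mapping Dan describes in the SNA/QoS reply above (this is not configuration from the thread, from the poster, or from Cisco documentation; the interface, ACL and class names, the DSCP marking assumed for voice, and every percentage are assumptions chosen for illustration). It classifies the four DLSw+ priority TCP connections, the HTTP traffic the poster wants protected, and the SQL/FTP/Telnet traffic the poster wants limited into separate classes, with voice in the LLQ class:

```cisco
! Added example (not from the thread): CBWFQ with an LLQ class, mapping the
! DLSw+ priority TCP connections, HTTP and the "limited" apps into classes.
! Interface, ACL/class names, markings and percentages are assumptions.
!
! DLSw+ peers configured with "priority" open four TCP connections:
! 2065 (high), 1981 (medium), 1982 (normal), 1983 (low).
ip access-list extended DLSW-HIGH
 permit tcp any any eq 2065
 permit tcp any eq 2065 any
ip access-list extended DLSW-MEDIUM
 permit tcp any any eq 1981
 permit tcp any eq 1981 any
ip access-list extended WEB
 permit tcp any any eq www
 permit tcp any eq www any
ip access-list extended BULK
 permit tcp any any eq 1433
 permit tcp any any eq ftp
 permit tcp any any eq ftp-data
 permit tcp any any eq telnet
!
! Voice is assumed to arrive already marked EF; if SNA rides Enterprise Extender
! instead of DLSw+, match on the IP precedence EE sets rather than on TCP ports.
class-map match-all VOICE
 match ip dscp ef
class-map match-all SNA-HIGH
 match access-group name DLSW-HIGH
class-map match-all SNA-MEDIUM
 match access-group name DLSW-MEDIUM
class-map match-all WEB
 match access-group name WEB
class-map match-all BULK
 match access-group name BULK
!
! Percentages are minimum guarantees that only matter under congestion. The LLQ
! class is also policed to its share, so a voice burst cannot starve the others.
! The classes sum to 75%, the default max-reserved-bandwidth, leaving the rest
! for class-default (flow-based WFQ) and link overhead.
policy-map WAN-OUT
 class VOICE
  priority percent 20
 class SNA-HIGH
  bandwidth percent 25
 class SNA-MEDIUM
  bandwidth percent 10
 class WEB
  bandwidth percent 15
 class BULK
  bandwidth percent 5
 class class-default
  fair-queue
!
interface Serial0/0
 bandwidth 1544
 service-policy output WAN-OUT
```

Check the result with `show policy-map interface Serial0/0`, which shows per-class offered rate, drops and queue depth; a class that never shows drops while others do is getting its guarantee. Note that `priority percent` and `bandwidth percent` must not be mixed with absolute kbps values in the same policy-map, and that the percent form of `priority` requires an IOS release newer than the 12.1 guide linked above (an assumption to verify against your release notes).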
Configuring Netgear FVS318 VPN for iPhone and Mac OS X clients.
Hi,
I am trying to configure the FVS318 VPN for iPhone and Mac clients to connect to. I have been able to set it up so that all hard wired and wireless connections within the network connect seamlessly, but when it comes to VPN I am not able to get any connection from outside the network. I have set all the usernames, passwords and shared secrets multiple times and I am unable to connect even after resetting it. Any help setting this up would be great.
Thanks
Are you using your external IP address to set this up? This works while on the network, as in at the office, but not from any connection outside? What IP scheme are you using on the Netgear? If you are using something like 192.168.1.1 and Starbucks uses the same scheme it won't work. Try setting your Netgear to something like 192.168.33.1
-
I have an iPad with VPN, Wi-Fi connections and email accounts already created. Now I want to sync it with another computer using a new account as this device is to be given to someone else. I want to know what will happen to the settings already made, as I do not want them to change. Deletion of apps and other media files is OK, but the settings like VPN, email account and Wi-Fi should not be reset.
Wickedweapon-
Pre-installed Apps such as Mail, Camera, Photo Booth, Notes, et cetera, are kept. Any iOS updates are retained. Otherwise, the iPad is returned to its factory default settings.
If you planned to sell an iPad, you might go ahead and do the reset manually. Go to Settings-General-Reset-Erase All Content and Settings. Doing this would ensure that any sensitive personal data is erased.
Fred
-
Hi, I'm having trouble configuring Threat-detection and QoS policies at the same time.
The problem is that if I have QoS rules enabled (these police traffic defined by ACLs), I can't enable at the same time the threat-detection feature "Shun hosts detected by scanning threat", because it shuns the hosts to which the policing is applied.
I suppose this is because the policing is based on hits on ACLs, so the ASA thinks this is an attack.
So, how can I resolve this? How can I have policing and shunning enabled at the same time?
Thanks
Hi,
Weird stuff; one feature doesn't necessarily have anything to do with the other. What scanning threat does is take statistics of a specific host and determine if it is sweeping the network or trying to find out which ports/networks are available. You have to check what the factor is that is causing the shun to be triggered. There are a lot of thresholds on scanning threat detection that you will need to modify if it is causing an issue.
By the thresholds I mean the following table:
Packet Drop Reason / Trigger Settings (average rate; burst rate)

DoS attack detected; Bad packet format; Connection limits exceeded; Suspicious ICMP packets detected
  Average rate: 100 drops/sec over the last 600 seconds; 80 drops/sec over the last 3600 seconds
  Burst rate:   400 drops/sec over the last 20 second period; 320 drops/sec over the last 120 second period

Scanning attack detected
  Average rate: 5 drops/sec over the last 600 seconds; 4 drops/sec over the last 3600 seconds
  Burst rate:   10 drops/sec over the last 20 second period; 8 drops/sec over the last 120 second period

Incomplete session detected, such as TCP SYN attack detected or no data UDP session attack detected (combined)
  Average rate: 100 drops/sec over the last 600 seconds; 80 drops/sec over the last 3600 seconds
  Burst rate:   200 drops/sec over the last 20 second period; 160 drops/sec over the last 120 second period

Denial by access lists
  Average rate: 400 drops/sec over the last 600 seconds; 320 drops/sec over the last 3600 seconds
  Burst rate:   800 drops/sec over the last 20 second period; 640 drops/sec over the last 120 second period

Basic firewall checks failed; Packets failed application inspection
  Average rate: 400 drops/sec over the last 600 seconds; 320 drops/sec over the last 3600 seconds
  Burst rate:   1600 drops/sec over the last 20 second period; 1280 drops/sec over the last 120 second period

Interface overload
  Average rate: 2000 drops/sec over the last 600 seconds; 1600 drops/sec over the last 3600 seconds
  Burst rate:   8000 drops/sec over the last 20 second period; 6400 drops/sec over the last 120 second period
As you can see on the following document:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_threat.html#wp1072953
Scanning threat is based on the threat detection statistics, so you will need to modify those in order to avoid the host being shunned.
That being said, I think if you only enable threat detection alone, it would probably do the same thing as if it was configured in conjunction with QoS.
Bottom line (and sorry for all the info): modify the threat detection rate values and you should be OK.
Mike
-
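An added ASA configuration example for the adjustment Mike's reply above recommends (not configuration from the thread or from Cisco documentation; the subnet, the chosen rates and the shun duration are assumptions for illustration). It raises the scanning-threat trigger rates from the table's defaults for both rate intervals and exempts the intentionally policed hosts from the automatic shun, rather than turning the feature off:

```cisco
! Added example (not from the thread): raise the scanning-threat rates from the
! defaults in the table above and exempt the policed hosts from the shun.
! The 192.0.2.0/24 subnet, the rates and the duration are assumptions.
!
! Basic threat detection (on by default) keeps the drop statistics that
! scanning-threat evaluates; leave it enabled.
threat-detection basic-threat
!
! Defaults: 5 drops/sec averaged over 600 s (burst 10/sec over 20 s) and
! 4 drops/sec over 3600 s (burst 8/sec over 120 s). Raise both intervals so
! the steady drop rate caused by the policing policy stays below the trigger.
threat-detection rate scanning-threat rate-interval 600 average-rate 50 burst-rate 100
threat-detection rate scanning-threat rate-interval 3600 average-rate 40 burst-rate 80
!
! Keep the automatic shun for real scanners, but exempt the subnet the QoS
! policy polices on purpose, and bound how long any other host stays shunned.
threat-detection scanning-threat shun
threat-detection scanning-threat shun except ip-address 192.0.2.0 255.255.255.0
threat-detection scanning-threat shun duration 600
```

Before settling on numbers, read the measured values with `show threat-detection rate scanning-threat` and compare them against the policed hosts' actual drop rate; `show threat-detection scanning-threat` lists the hosts currently classified as attackers or targets, `show threat-detection shun` lists active shuns, and `clear threat-detection shun` followed by the address releases a host that was shunned by mistake. Raising the thresholds trades some sensitivity to slow scans for fewer false positives, so keep the exemption list as narrow as the policed hosts allow.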
HT1288 Configuring VPN on iPhone and iPad
How do I configure VPN on iPhone and iPad? I see the answers but they are as clear as mud! I need a "small" step-by-step guide, i.e. small steps, in order to fully understand, please.
Go to Settings - General - VPN - Add VPN Configuration, and select the type of VPN you're using by touching one of the types across the top. From there, fill out the information provided by your VPN and click Save. Then just turn it on from the Settings - VPN on/off toggle.
-
Please, I need some information about configuring MPLS and ATM and the addcon command.
Thanks
Please look at the following documents and let me know if they address the questions you have.
Integrating MPLS with IP and ATM :
http://www.cisco.com/en/US/partner/products/sw/ps2346/ps99/products_configuration_guide_chapter09186a00800ee108.html
Configuring MPLS with the BPX Switch and the 6400/7200/7500 Routers:
http://www.cisco.com/en/US/partner/products/sw/ps2346/ps99/products_configuration_guide_chapter09186a00800ee112.html
Designing MPLS for ATM:
http://www.cisco.com/en/US/partner/products/sw/ps2346/ps99/products_configuration_guide_chapter09186a00800ee110.html
Let me know if this helps,
-
VPN: iPAD IPSEC AND MICROSOFT TMG
I have a problem connecting to my IPsec VPN on Microsoft TMG.
When I try to connect (over IPsec with certificate) from Windows XP and Win7 to this VPN I don't have any problems.
On my iPad I can only connect over L2TP with pre-shared key, but over IPsec with certificate still nothing.
I tried connecting with two certificates: the same one I have on the PC, and a new one only for the iPad. In the iPhone configuration tool I installed all certificates (CA root, CA sub, VPN on TMG, client cert with client authentication). My cert has an external CRL. I tried a certificate with additional SANs (VPN server FQDN and IP address).
When I try to connect from the iPad to the TMG IPsec VPN I find this error in the logs:
EventId: 4653
An IPsec main mode negotiation failed.
Local Endpoint:
Local Principal Name: -
Network Address: x.x.x.x
Keying Module Port: 500
Remote Endpoint:
Principal Name: -
Network Address: x.x.x.x
Keying Module Port: 500
Additional Information:
Keying Module Name: IKEv1
Authentication Method: Unknown authentication
So maybe anyone can help me? What am I doing wrong?
Thanks a lot.
Hi
The application in iTunes is indeed free; however, in order to use it you will need to have a special AnyConnect mobile licence loaded onto the Cisco ASA. The licence can be ordered through a Cisco registered partner with part code L-ASA-AC-M-55XX= (XX=05,10,20,40,50,80 depending on the model).
Alex