Mesh AP Disruptive Traffic

Hi There,
I have a setup of 9 1522 APs. RAPs=3 and MAPS=6 WLC=4404 Qty 1 (v5.2). All the MAPS have only one hop to nearest RAP. The problem is with one of the MAPs. The MAP shows good signal strength but the client traffic (even ping to controller management interface) is very disruptive. I have checked user experience with its parent AP and everything works fine. Also the MAP is only 400 feet away from the parent RAP and the SNR of backhaul from child AP to the parent is also fine.
Please suggest what could be the possible reason for poor client traffic.
Thanks.

You might want to schedule the upgrade since it's disruptive traffic.

Similar Messages

  • Is A NonDisruptive System/Signature Upgrade Possible?

    Reading the config guides I can't seem to accept that my colleague is correct in saying it's possible to do a non-disruptive system/signature upgrade on an ASA 5520 with an AIP-SSM-10 module.
    Can you do a nondisruptive system/signature upgrade?

    Short answer...depends on your definitions of non-disruptive and system.
    A more useful answer is that a signature update is designed to be as non-disruptive as possible to sensing. That is, traffic will continue to flow and sensing will continue to happen to as much extent as possible. It is possible that the signature update could siphon off enough processing power to start affecting sensing. If this happens, the sensor can cut in an auto bypass feature (configurable) to unload the CPU enough to get the update finished. Traffic will continue to flow, but sensing would be disrupted momentarily. When the update finishes the bypass is removed and sensing will recover.
    A system update (defined as an Engine Update, Service Pack, Minor, or Major release) will have a greater level of disruptive impact. An Engine Update will invoke bypass and stop sensing activity while the sensing binary (sensorApp) is replaced and restarted. Traffic will flow via the bypass until sensorApp is restarted and then sensing will continue. Service Packs and higher typically have to invoke a system reboot, which will disrupt traffic in the lower performance sensors. The two newest sensors (4260 and 4270) have hardware bypass on the Cu NICs and can invoke that bypass to keep traffic flowing if the network design is correct (inline interface pairs on the same interface card).
    Scott

  • WAAS in serial clustering overload issue

    Hi I have a customer that we converted for a WCCP load balancing scenario to an inline serial clustering scenario due to the migration to a vrf aware environment. The customer's network is being converted to vrf's and vrf's and WCCP don't play nice so we had to go inline. So right now the first WAE is connected to both switches the switches run HSRP. The L0 and L1 of the first wae go to the switches, W0 W1 of the first WAE go to L0 L1 of the second WAE and W0 W1 go to the routers. This has been working fine, however the customer complained that on Friday all traffic stopped and they had to power off the wae's to restore connectivity. Right now they are off so I can look at any of the syslogs, but the customer was saying they got a lot of overload syslog errors. These are 67'4 with 8Gb ram.
    Zach in your book, you state that serial clustering won't provide "load balancing", however when the first WAE becomes overloaded, the other WAE will optimize new connections. What happens to the traffic on the first one, because it appears that it stops forwarding or significantly slows traffic. This design was based on these references in the book so I need to know if this still works the same in 4.1 code. We are on the latest greatest code. I will open a TAC next week as they are currently powered off and I cannot pull the serial or logs right now. One thing curious though is that I was able to get the CPU stats for these boxes from the Central manager and the CPU hasn't gone over 10% all last week. I would think if in overload they would be at a significantly more than that.

    In the serial inline clustering case, when the first WAAS device in the cluster (relative to the client) reaches the maximum number of optimized connections, they will spill over to the second WAAS device in the cluster, which can optimize them.
    Opening a TAC case is the right next step.  We're going to need system reports from the devices, so you'll have to power them back on.  If you're concerned about disrupting traffic again, you can power the WAAS devices back on, but shutdown the inline groups.  This will cause the devices to go into bypass operating mode.
    Regards,
    Zach

  • Can you use a 3600 for an Ethernet bridge??

    Can you use a Cisco 3600 to do a P2P bridge? Using the MAP's ethernet port  to connect to a remote LAN?  On that remote LAN can you have  lightweight APs that connect to a controller on the RAP side?

    Can you use a 3600 for an Ethernet bridge??
    http://www.cisco.com/en/US/docs/wireless/controller/7.0MR1/configuration/guide/cg_mesh.pdf
    Check - Converting Indoor Access Points to Mesh Access Points
    Ethernet bridging has to be enabled for the following two scenarios:
    1. When you want to use the mesh nodes as bridges.
    2. When you want to connect Ethernet devices such as a video camera on the MAP using its Ethernet port.
    Wireless Backhaul:
    In a Cisco wireless backhaul network, traffic can be bridged between MAPs and RAPs. This traffic can
    be from wired devices that are being bridged by the wireless mesh or CAPWAP traffic from the mesh
    access points.
    Guidelines For Using Voice on the Mesh Network
    • Voice is supported only on indoor mesh networks in release 5.2, 6.0, 7.0, and 7.0.116.0. For
    outdoors, voice is supported on a best-effort basis on a mesh infrastructure.
    other factors to note:-
    #you would be running on backhaul using A radio which is prone to DFS.
    #CAPWAP may not be tolerant enough with AWPP convergence on MAP roaming.
    #CAPWAP is more latency sensitive than voice.

  • UCS Firmware-2.#(##)-should I or wait ... or ...

    Hi, Cisco:
    I have heard a lot of horror stories after UPGRADING to Cisco UCS 2.#(##).
    My customer is running 1.4(2B) and I have to perform an upgrade, so I am pondering SHOULD I upgrade to 1.4(3#) or 2.#(##). It is a production environment. SAN Booting, UCS M81KR, ESX 4.1i, etc.
    I want to hear some candid feedback from Cisco or others.
    Thanks.
    SiM

    SiM, the IO module firmware version must always match the connected Fabric Interconnect version. The software forces this version consistency. It works just like the Nexus 5000/7000 and Nexus 2000 (FEX) relationship, a FEX will always match the version of firmware that is on the parent switch.
    If you were to not leave the "set startup version" box checked on the IOM activation and reset it the IOM would reboot and then its firmware would get reset back to the version running on the FI. Then when the FI activation is performed it would also update all the connected IOM to the same version and reboot them. So there is no way around having to do it the documented way.
    The way that you are proposing would actually cause more downtime because the IOM would reboot twice.
    Have you read through this guide? -
    http://www.cisco.com/en/US/docs/unified_computing/ucs/sw/upgrading/from1.4/to2.0/b_UpgradingCiscoUCSFrom1.4To2.0.html
    In this section it talks about the IOM activation and how it must match the FI version -
    http://www.cisco.com/en/US/docs/unified_computing/ucs/sw/upgrading/from1.4/to2.0/UpgradingCiscoUCSFrom1.4To2.0_chapter4.html#task_F0C09BC50D2048A1B0C495F7F6E6093A
    It states:
    "Important:
        When you configure Set Startup Version Only for an I/O module, the I/O module is rebooted when the fabric interconnect in its data path is rebooted. If you do not configure Set Startup Version Only for an I/O module, the I/O module reboots and disrupts traffic. In addition, if Cisco UCS Manager detects a protocol and firmware version mismatch between the fabric interconnect and the I/O module, Cisco UCS Manager automatically updates the I/O module with the firmware version that matches the firmware in the fabric interconnect and then activates the firmware and reboots the I/O module again."
    On your northbound L2/L3 switch "spanning-tree portfast trunk" for Catalyst or "spanning-tree port type edge trunk" for Nexus should be configured on the interfaces and port-channel interfaces.
    As long as you follow the upgrade guide and have all Service Profiles configured with vNICs/vHBAs in both Fabrics and have a user-acknowledged maintenance policy configured you shouldn't have any noticeable downtime.

  • And on a different but important note, new rules for photography in NY being proposed.

    This is of concern to all photographers...
    Soon you will need to get a permit and liability insurance to take
    photos in NY City, under rules MUCH more strict than the existing rules.
    Basically if 2 people want to take photos on a public sidewalk for 30
    minutes, without disrupting traffic, you still need a permit and 1
    million dollars liability under the new proposed rules.
    http://tinyurl.com/2scoog

    And on yet another note. Way back when in the 70's when I was a working pro, there was a $50 sidewalk tripod fee. I only had a cop say something to me once and I told him to stuff it. I ALSO told him him I would sue him PERSONALLY if he inhibited my rights and that I was more than willing to take it to the Supreme Court if he had a problem with that. I also told him I was shooting for Esquire magazine and they would kick anybody's *** that tried to interfere with what I was doing. I was nice about it but forceful. He started directing pedestrian traffic out of my way.
    PK

  • Large amount of traffic with 152x mesh and mac-flap

    We have just had a Mesh designed by an external company, and when we plugged it in we began to have large numbers of mac-flap notifications and more than 700mb of traffic sent across our data network.
    Our setup includes 2 5508 controllers and 9 152x APs
    3 APs (RAP) with their 5.8 antennas are within close proximity on a vertical pole pointing to the other 6 about 1000mtrs away in an arc. With their ethernet ports plugged into the same switch (native vlan 111) as WLC1 (which is LAG'd to two ports)
    Vlan 111 for management of Mesh
    Vlan 201 for WLAN
    DHCP scope on DC on Vlan 100 (helper address from router)
    Q, will the closeness of the 5.8 antennas cause any problems with mac-flap or is it likely to be the controllers with their LAG connections or something totally different?
    Thanks for any help

    Andrew,
    the proximity of the antennas shouldn't cause the mac-flap notification, nor should the LAG connection cause this.  That's more an indication that the client is flopping between ports on the switch, which generally happens when you are not configured for LAG on the WLC, nor a port-channel on the switch.
    The mac address that is being reported in the mac-flap.  Is it a client or is it the MAPs?
    If it's one of the MAPs, you may want to check the antennas of the RAPs, since the MAPs should stabilize once AWPP has run and optimized the path to the network.  If they are flapping I would look at possible RF or antenna issues.
    HTH,
    Steve
    Please remember to rate helpful posts or to mark the question as answered so that it can be found later.

  • Wireless Traffic Disrupts Wired Traffic.  Why

    I've got an AirPort Extreme wired to two computers and to an AirPort Express using CAT 6A cables.  One of the computers streams Pandoras desktop app to the AirPort Express via AirFoil so I can listen on my stereo.
    This set up has worked very well for years.  Now suddenly, sometimes when the AirPort Extreme gets a WiFi signal, it stops transmitting via Ethernet (or WiFi as I've tried both) to the AirPort Extreme.  Turning off all WiFi on the Extreme fixes the problem, but obviously I'd like to have some WiFi in my home.
    Any idea what needs to be done?  I've swapped Extremes with a friend and his does it too.  I've also swapped Expresses, computers, OSes, and even Windows and Mac versions of AirFoil.
    Any help would be very much appreciated.
    Jim

  • Unable to pass traffic for new vpn connection

    Scenario:
    I have three sites all connected (full mesh) with IPsec/GRE tunnels and these work fine. I attempted to add a satellite office to one of our sites. The sat device is a 3rd party device and is behind a router/fw device. The IPSec tunnel (non-gre) appears to come up but no traffic passes.
    When I ping 192.168.3.1 from the sat device (monitored using tcpdump), it causes the tunnel to come up but I don't see the Cisco side replying back.
    The 192.168.180.0/24 network is at the Sat office and the 192.168.3.0/24 network is at the main office.
    If I initiate a ping from the Cisco side, it doesn't prompt the tunnel to come up. ???? Any ideas?
    Cisco config
    crypto isakmp policy 10
    encr 3des
    hash md5
    authentication pre-share
    group 2
    crypto isakmp key secret address x.x.x.x
    crypto isakmp key secret address x.x.x.x
    crypto isakmp key secret address 7.7.7.7
    crypto isakmp keepalive 10 5 periodic
    crypto ipsec security-association lifetime seconds 86400
    crypto ipsec security-association replay window-size 1024
    crypto ipsec transform-set vpn_set esp-3des esp-md5-hmac
    crypto ipsec transform-set f5_set esp-3des esp-sha-hmac
    crypto map vpnmap 31 ipsec-isakmp
    set peer x.x.x.x
    set transform-set vpn_set
    match address 131
    crypto map vpnmap 32 ipsec-isakmp
    set peer x.x.x.x
    set transform-set vpn_set
    match address 132
    crypto map vpnmap 33 ipsec-isakmp
    set peer 7.7.7.7
    set transform-set f5_set
    match address 133
    interface Tunnel31
    bandwidth 1200000
    ip address 172.16.31.34 255.255.255.252
    ip mtu 1400
    ip tcp adjust-mss 1360
    tunnel source 5.5.5.5
    tunnel destination x.x.x.x
    interface Tunnel32
    bandwidth 1200000
    ip address 172.16.31.57 255.255.255.252
    ip mtu 1400
    ip tcp adjust-mss 1360
    tunnel source 5.5.5.5
    tunnel destination x.x.x.x
    interface FastEthernet0/1
    bandwidth 51200
    ip address 50.50.50.1
    ip access-group 101 in
    ip flow ingress
    ip flow egress
    ip nat outside
    ip inspect ISP2-cbac out
    ip virtual-reassembly
    duplex auto
    speed auto
    crypto map vpnmap
    ip nat inside source route-map nonat interface FastEthernet0/1 overload
    partial acl
    access-list 101 permit udp host 7.7.7.7 any eq isakmp
    access-list 101 permit udp host 7.7.7.7 eq isakmp any
    access-list 101 permit esp host 7.7.7.7 any
    route-map nonat permit 41
    match ip address 175
    access-list 133 permit ip 192.168.3.0 0.0.0.255 192.168.180.0 0.0.0.255
    access-list 175 deny   ip 192.168.3.0 0.0.0.255 192.168.60.0 0.0.0.255
    access-list 175 deny   ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 175 deny   ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
    access-list 175 deny   ip 192.168.3.0 0.0.0.255 192.168.180.0 0.0.0.255
    access-list 175 permit ip 192.168.3.0 0.0.0.255 any
    ip route 0.0.0.0 0.0.0.0 50.50.50.x
    ip route 10.1.0.0 255.255.0.0 Tunnel32
    ip route 172.18.1.0 255.255.255.0 192.168.3.254
    ip route 172.18.2.0 255.255.255.0 192.168.3.254
    ip route 172.18.3.2 255.255.255.255 Service-Engine0/0
    ip route 192.168.1.0 255.255.255.0 Tunnel31
    ip route 192.168.2.0 255.255.255.0 Tunnel32
    ip route 192.168.10.0 255.255.255.0 192.168.3.254
    sh cry isa sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    50.50.50.1     7.7.7.7   QM_IDLE           1003 ACTIVE
    sh crypto isa sa
    protected vrf: (none)
       local  ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (192.168.180.0/255.255.255.0/0/0)
       current_peer 7.7.7.7 port 35381
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0
         local crypto endpt.: 50.50.50.1, remote crypto endpt.: 7.7.7.7
         path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
         current outbound spi: 0xFF024E3E(4278341182)
         PFS (Y/N): Y, DH group: group2
         inbound esp sas:
          spi: 0x8E538667(2387838567)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 2007, flow_id: FPGA:7, sibling_flags 80000046, crypto map: vpnmap
            sa timing: remaining key lifetime (k/sec): (4493323/82118)
            IV size: 8 bytes
            replay detection support: Y  replay window size: 1024
            Status: ACTIVE
         inbound ah sas:
         inbound pcp sas:
         outbound esp sas:
          spi: 0xFF024E3E(4278341182)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 2008, flow_id: FPGA:8, sibling_flags 80000046, crypto map: vpnmap
            sa timing: remaining key lifetime (k/sec): (4493323/82118)
            IV size: 8 bytes
            replay detection support: Y  replay window size: 1024
            Status: ACTIVE
         outbound ah sas:
         outbound pcp sas:
    DEBUG
    #show debug
    Cryptographic Subsystem:
      Crypto ISAKMP debugging is on
      Crypto ISAKMP Error debugging is on
      Crypto IPSEC debugging is on
      Crypto IPSEC Error debugging is on
    #sh log | inc 7.7.7.7
    000202: *Aug 12 02:20:16.006: ISAKMP:(1003): sending packet to 7.7.7.7 my_port 500 peer_port 35381
    (R) QM_IDLE
    000207: *Aug 12 02:20:16.046: ISAKMP (1003): received packet from 7.7.7.7 dport 500 sport 35381
    Global (R) QM_IDLE
    000211: *Aug 12 02:20:16.046: ISAKMP:(1003): DPD/R_U_THERE_ACK received from peer 7.7.7.7,
    sequence 0x1C6F72FD
    000287: *Aug 12 02:20:25.962: ISAKMP:(1003): sending packet to 7.7.7.7 my_port 500 peer_port 35381
    (R) QM_IDLE
    000292: *Aug 12 02:20:25.998: ISAKMP (1003): received packet from 7.7.7.7 dport 500 sport 35381
    Global (R) QM_IDLE
    000296: *Aug 12 02:20:25.998: ISAKMP:(1003): DPD/R_U_THERE_ACK received from peer 7.7.7.7,
    sequence 0x1C6F72FE
    000389: *Aug 12 02:20:35.542: ISAKMP:(1003): sending packet to 7.7.7.7 my_port 500 peer_port 35381
    (R) QM_IDLE
    000394: *Aug 12 02:20:35.578: ISAKMP (1003): received packet from 7.7.7.7 dport 500 sport 35381
    Global (R) QM_IDLE
    000398: *Aug 12 02:20:35.582: ISAKMP:(1003): DPD/R_U_THERE_ACK received from peer 7.7.7.7,
    sequence 0x1C6F72FF
    000402: *Aug 12 02:20:36.582: ISAKMP (1003): received packet from 7.7.7.7 dport 500 sport 35381
    Global (R) QM_IDLE
    000409: *Aug 12 02:20:36.586: ISAKMP:(1003):DPD/R_U_THERE received from peer 7.7.7.7, sequence
    0x5FF
    000413: *Aug 12 02:20:36.586: ISAKMP:(1003): sending packet to 7.7.7.7 my_port 500 peer_port 35381
    (R) QM_IDLE
    #sh log | inc 7.7.7.7
    000847: *Aug 12 02:21:24.163: ISAKMP:(1003): sending packet to 7.7.7.7 my_port 500 peer_port 35381
    (R) QM_IDLE
    000852: *Aug 12 02:21:24.203: ISAKMP (1003): received packet from 7.7.7.7 dport 500 sport 35381
    Global (R) QM_IDLE
    3rd party device:
    #  racoonctl -l show-sa isakmp
    Destination            Cookies                           ST S  V E Created             Phase2
    50.50.50.1.500        e1866e9ee2830764:575a7489971701ad  9 I 10 M 2013-08-11 20:04:57      1
    [root@ltm1:Active:Disconnected] log #  racoonctl -l show-sa isakmp
    Destination            Cookies                           ST S  V E Created             Phase2
    50.50.50.1.500        e1866e9ee2830764:575a7489971701ad  9 I 10 M 2013-08-11 20:04:57      1
    # racoonctl -l show-sa ipsec
    192.168.180.5 50.50.50.1
            esp mode=tunnel spi=2387838567(0x8e538667) reqid=62829(0x0000f56d)
            E: 3des-cbc  74583bf5 4fe29310 07603be7 d52516d6 7269c35f 51b24a52
            A: hmac-sha1  c0d2254c ea2ec11a 6a22bf41 dad35582 00d91a30
            seq=0x00000000 replay=64 flags=0x00000000 state=mature
            created: Aug 11 20:04:59 2013   current: Aug 11 21:18:57 2013
            diff: 4438(s)   hard: 5184000(s)        soft: 4147200(s)
            last: Aug 11 21:18:56 2013      hard: 0(s)      soft: 0(s)
            current: 421660(bytes)  hard: 0(bytes)  soft: 0(bytes)
            allocated: 3635 hard: 0 soft: 0
            sadb_seq=1 pid=8526 refcnt=0
    50.50.50.1 192.168.180.5
            esp mode=tunnel spi=4278341182(0xff024e3e) reqid=62828(0x0000f56c)
            E: 3des-cbc  3bc26d98 0a230000 54c64896 e1a68815 6c696a15 f6779541
            A: hmac-sha1  96de21a0 b5f52539 0616acfa b5a09994 03306e92
            seq=0x00000000 replay=64 flags=0x00000000 state=mature
            created: Aug 11 20:04:59 2013   current: Aug 11 21:18:57 2013
            diff: 4438(s)   hard: 5184000(s)        soft: 4147200(s)
            last:                           hard: 0(s)      soft: 0(s)
            current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
            allocated: 0    hard: 0 soft: 0
            sadb_seq=0 pid=8526 refcnt=0
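
A counter cross-check for the tunnel described in the post above, as an added example that is not part of the original thread: it parses excerpts of the router's IPsec SA output and of the `racoonctl -l show-sa ipsec` output quoted there, matches the SAs by SPI, and reports which direction carries no traffic. The function names and result labels are assumptions made for this illustration.

```python
import re

# Excerpts of the output quoted in the post (key material lines left out).
CISCO_IPSEC_SA = """\
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     current outbound spi: 0xFF024E3E(4278341182)
     inbound esp sas:
      spi: 0x8E538667(2387838567)
     inbound ah sas:
     outbound esp sas:
      spi: 0xFF024E3E(4278341182)
     outbound ah sas:
"""

RACOON_IPSEC_SA = """\
192.168.180.5 50.50.50.1
        esp mode=tunnel spi=2387838567(0x8e538667) reqid=62829(0x0000f56d)
        created: Aug 11 20:04:59 2013   current: Aug 11 21:18:57 2013
        current: 421660(bytes)  hard: 0(bytes)  soft: 0(bytes)
50.50.50.1 192.168.180.5
        esp mode=tunnel spi=4278341182(0xff024e3e) reqid=62828(0x0000f56c)
        created: Aug 11 20:04:59 2013   current: Aug 11 21:18:57 2013
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
"""


def parse_cisco(text):
    """Return encaps/decaps packet counters and the ESP SPI per direction."""
    out = {"encaps": None, "decaps": None,
           "inbound_spi": None, "outbound_spi": None}
    direction = None
    for raw in text.splitlines():
        line = raw.strip()
        for key in ("encaps", "decaps"):
            m = re.search(r"#pkts %s:\s*(\d+)" % key, line)
            if m:
                out[key] = int(m.group(1))
        m = re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", line)
        if m:
            # Only SPIs listed under an "esp sas" heading are of interest.
            direction = m.group(1) if m.group(2) == "esp" else None
            continue
        m = re.match(r"spi:\s*0x([0-9A-Fa-f]+)", line)
        if m and direction:
            out[direction + "_spi"] = int(m.group(1), 16)
    return out


def parse_racoon(text):
    """Return {spi: {"src", "dst", "bytes"}} for each SA in the listing."""
    sas, src, dst, spi = {}, None, None, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():          # unindented "src dst" header line
            parts = raw.split()
            if len(parts) == 2:
                src, dst = parts
                spi = None
            continue
        line = raw.strip()
        m = re.search(r"\bspi=(\d+)\(0x[0-9a-fA-F]+\)", line)
        if m:
            spi = int(m.group(1))
            sas[spi] = {"src": src, "dst": dst, "bytes": None}
            continue
        # The byte counter line starts with "current:"; the timestamp line
        # that also contains "current:" starts with "created:" and is skipped.
        m = re.match(r"current:\s*(\d+)\(bytes\)", line)
        if m and spi is not None:
            sas[spi]["bytes"] = int(m.group(1))
    return sas


def correlate(cisco, racoon):
    """Classify each direction by comparing sender and receiver counters."""
    findings = {}
    # Peer -> router: the router's inbound SPI is the peer's outbound SA.
    peer_out = racoon.get(cisco["inbound_spi"])
    if peer_out is None:
        findings["peer_to_cisco"] = "spi_mismatch"
    elif (peer_out["bytes"] or 0) == 0:
        findings["peer_to_cisco"] = "peer_idle"
    elif cisco["decaps"] == 0:
        findings["peer_to_cisco"] = "sent_by_peer_never_decapsulated"
    else:
        findings["peer_to_cisco"] = "flowing"
    # Router -> peer: the router's outbound SPI is the peer's inbound SA.
    peer_in = racoon.get(cisco["outbound_spi"])
    if peer_in is None:
        findings["cisco_to_peer"] = "spi_mismatch"
    elif cisco["encaps"] == 0:
        findings["cisco_to_peer"] = "cisco_not_encrypting"
    elif (peer_in["bytes"] or 0) == 0:
        findings["cisco_to_peer"] = "sent_by_cisco_never_received"
    else:
        findings["cisco_to_peer"] = "flowing"
    return findings


if __name__ == "__main__":
    result = correlate(parse_cisco(CISCO_IPSEC_SA),
                       parse_racoon(RACOON_IPSEC_SA))
    for direction, status in result.items():
        print(direction, status)
```

On the output quoted in the post, the SPIs match on both sides, racoon has counted 421660 bytes toward the router while the router shows 0 decaps, and the router shows 0 encaps. That leaves two separate things to check: where the peer's ESP packets are lost before the router decrypts them, and why the router encrypts nothing toward 192.168.180.0/24.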

  • What is the Cisco tool for measuring traffic of wireless endpoint users

    Hi Experts
    I am looking to start a Mesh WISP utilizing Cisco Aironet products (1500 series) and would like to know what is the best Cisco (or if the case has to be "non Cisco") product for measuring the amount of traffic from wireless clients connected to my Cisco Mesh.
    Basically I want to be able to say User xyz has this IP xxx.xxx.xxx.xxx how much have they uploaded and how much have they downloaded this month.
    This also then allows me to integrate multiple business mobile devices into their broadband plans which is something no-one yet offers in my City.
    From what I have read Netflow is the measurement technology but how do I take this data and aggregate it by IP / User for billing purposes. Is there something better at it than Netflow? Your expert opinions and suggestions are much appreciated.
    Regards
    Ty

    That sounds like Cisco Wireless Control System (WCS).
    Cisco Wireless Control System (WCS) Data Sheet
    http://www.cisco.com/en/US/prod/collateral/wireless/ps5755/ps6301/ps6305/product_data_sheet0900aecd802570d0.html
    Please don't forget to rate useful posts.  Thanks.

  • WGB attached to Mesh doesn't forward Ethernet broadcasts

    Hello all,
    We have a requirement for our WGB attached clients to receive regular broadcasts across the mesh.  Based on my current configuration this doesn't appear to be working.  I have no idea why this isn't working.
    My mesh is based around 1552E Mesh Access Points, and a  5508 Controller running 7.0.220.0 software
    The Work Group Bridges are Autonomous Cisco 1261 APs running 12.4(25d)JA1, attached to a Moxa L2 switch
    To complicate matters, the AP and switch are in a network management VLAN (the same as the controller management interface), and the client device is in a separate VLAN.
    There are no problems with unicast traffic to and from the client device.  It is registered correctly on the controller against the right VLAN / controller interface.  I know the broadcasts are present in the VLAN on the LAN side, however they are not received by the client device.
    I have enabled Ethernet Broadcast on the controller, in unicast mode (all multicast modes are default)
    I have tried the Work group bridges in both infrastructure-client and normal client mode
    Can anyone suggest any tests I can confirm to try and track the problem to either the controller or the WGB?
    Thanks,
    Michael

    I am assuming you were referring to the Multicast Containment?  I have tried it in in-out and regular mode, to no avail.  I got the impression it was more dealing with bridged traffic between the MAPs themselves?
    Would it matter that I am using a static interface (the management interface) for the WGB itself, and a dynamic interface for the end host? 

  • Is moving all active ports to another VSAN disruptive?..

    Hi! I moved all active ports to another VSAN and this caused a server to fail. I know that this can be because of the small time-out values at the operating system or bad multipathing, but how large can a time-out be in such a reconfiguration? What if the server can't survive any storage loss and we move server and storage array ports to another VSAN? I wonder if it can be done without any traffic interruption...

    Hi Artem,
    Changing server from VSAN is a disruptive process for each path you're acting on: that means if you're not having dual fabrics and proper multipathing configuration, the server will lose access to its LUN for a certain amount of time. Depending on the operating system you might expect various behaviors (kernel panic, SCSI errors, CPU in I/O wait until timeouts,...). Consider it even more restrictive when booting on SAN or when swap memory is also on a SAN LUN.
    It's always good practice to work on one fabric at a time by disabling the path attached to it from the OS perspective (if multipath software is not set in a failover mode).
    Changing VSAN membership for a FC port on the MDS9000 means that the initiator HBA has to log (FLOGI) into a new VSAN where the DomainID is different from the previous VSAN, so its FCID will also change. It is the same effect as moving fibers to another physical SAN from the host perspective.

  • Broadcast traffic with LCD Projector

    Hi all,
    Please help...
    How to enable broadcast traffic on WiSM on the same VLAN/Interface...
    I have an LCD Projector; when the client does an automatic search, the client will broadcast to 255.255.255.255 and somehow the LCD Projector does not respond to the broadcast traffic from the client...
    I already configured the WiSM to forward broadcast traffic...
    I already tested it using a Cisco autonomous AP, with the LCD Projector and laptop joining the same SSID, and the automatic search worked...
    Can anyone help?
    regards
    Robin

    hey... i have good news.....
    the problem is on the AP Multicast Mode...not on the ethernet multicast mode...
    Web Mode.................................... Enable
    Secure Web Mode............................. Disable
    Secure Web Mode Cipher-Option High.......... Disable
    Secure Web Mode Cipher-Option SSLv2......... Enable
    Secure Shell (ssh).......................... Enable
    Telnet...................................... Enable
    Ethernet Multicast Mode..................... Enable   Mode: Ucast
    Ethernet Broadcast Mode..................... Enable
    AP Multicast Mode........................... Unicast
    IGMP snooping............................... Enabled
    IGMP timeout................................ 60 seconds
    User Idle Timeout........................... 300 seconds
    ARP Idle Timeout............................ 300 seconds
    Cisco AP Default Master..................... Disable
    AP Join Priority............................ Disable
    Mgmt Via Wireless Interface................. Enable
    Mgmt Via Dynamic Interface.................. Disable
    Bridge MAC filter Config.................... Disable
    Bridge Security Mode........................ EAP
    Mesh Full Sector DFS........................ Enable
    --More-- or (q)uit
    Apple Talk ................................. Disable
    AP Fallback ................................ Enable
    Web Auth Redirect Ports .................... 80
    Fast SSID Change ........................... Enabled
    802.3 Bridging ............................. Disable
    IP/MAC Addr Binding Check .................. Enabled
    Does it mean that the WLC will receive multicast traffic from the Ethernet and will forward the multicast traffic on the wireless side in unicast mode?

  • How does WLC prevent layer 2 loops between mesh and different wired networks

    Hi all,
    I have a question regarding layer 2 loops. In my network I have client devices moving between 2 separate mesh networks. From the WLC perspective, the MAC addresses should've moved between multiple bridge groups and the wired network.
    Can someone please enlighten me on how the WLC prevents layer 2 loops?
    I understand spanning tree in the wired network, but the WLC is not using SPT in mesh.
    Thank you

    Thanks for your help! This really helps a lot! We actually only want to replace the autonomous access point with the controller solution and make one WLAN available at another site. From what I can see, this is possible with our current solution - we just need to switch from Layer 2 to Layer 3 and purchase the corresponding amount of supported Access Points (I think we should be able to get some refurbished ones).
    Am I correct in assuming that the Access Points we want to replace (AIR-AP1230B-E-K9 with 802.11b radio only) cannot be upgraded to lightweight ones? Since if I understood document http://www.cisco.com/en/US/docs/wireless/access_point/conversion/lwapp/upgrade/guide/lwapnote.html correctly, this is not possible with access points that only have 802.11b radios.
    Regarding the switch from Layer 2 to Layer 3: Do we really only need to perform the steps I described in my first post?
    And one last question regarding REAP. As far as I understood this is only needed when local traffic needs to be maintained in case the connection to the WLC becomes unavailable. So we really don't need it if we want to access resources that are only available over the WLC?
    Thanks again for your help!
    Michael

  • Mesh Ethernet Bridging with VLAN Tagging Issue

    Hi all.
    I'm a little stuck with a 4400 7.0.220.0 + RAP 1550 + MAP 1260 Ethernet bridging issue. I'm using the VLAN tagging functionality and I'm finding that periodically a VLAN that I've tagged on the MAP will deregister from the backhaul and stop passing traffic. If I go into the Mesh tab on the MAP, select the wired interface, remove the VLAN from the list of tagged VLAN IDs and then add it right back to the list, it starts passing traffic again.
    Has anyone else seen this? I can't find any relevant bugs.
    Justin

    Hi Saravanan,
    It is one RAP and three MAPs. After a TAC call and 30 hours of monitoring, my VLANs have remained registered. I think the issue was mismatched VLANs to bridge groups and it looks like the mesh bridge may be stable for now. Here is what I was seeing on the RAP and MAPs when the VLANs were deregistering unexpectedly. Notice how VLANs 2 and 10 are mapped to opposite bridge groups on the RAP and MAP:
    After I removed all the VLAN IDs from the Trunk configuration on the MAPs (through each AP's Mesh tab -- Ethernet Bridging config) and then rebuilt the VLAN IDs, I ran the same commands and now see this:
    My very unscientific theory here is that the mismatching was causing consistency checks to fail, so the RAP was just tearing down the registrations after getting bogus or non-responses from the MAPs during the periodic VLAN registration maintenance checks (debug mesh ethernet registration).
    If I have continued issues, I'll post back with updates.
    Thanks for the response!
    Justin
