Monitoring IPSec Tunnel Bandwidth Utilization
We have a Cisco ASA 5520 supporting multiple VPNs - both remote-access and Lan-to-Lan. We would like to monitor the bandwidth utilization of the IPSec Lan-to-Lan tunnels. How can we do that?
Thanks,
Spr
Hi Spr,
Check out VPNTTG (VPN Tunnel Traffic Grapher), which is software for SNMP monitoring and measuring the traffic load for IPsec (Site-to-Site, Remote Access) and SSL (With Client, Clientless) VPN tunnels on a Cisco ASA. It allows the user to see traffic load on a VPN tunnel over time in graphical form.
The advantage of VPNTTG over other SNMP-based monitoring software is the following: other (commonly used) software works with static OID numbers, i.e. whenever a tunnel disconnects and reconnects, it gets assigned a new OID number. This means that the historical data gathered on the connection is lost each time. However, VPNTTG works with the VPN peer's IP address and stores historical monitoring data for each VPN tunnel in the database.
For more information about VPNTTG please visit www.vpnttg.com
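The answer's point about tunnel indexes changing on reconnect, as an added Python example that is not part of the original thread and is not VPNTTG's code: it keys history by peer IP instead of by SNMP table index. The row layout (tunnel index mapped to peer address, in-octets, out-octets, as read from cipSecTunRemoteAddr, cipSecTunInOctets and cipSecTunOutOctets in CISCO-IPSEC-FLOW-MONITOR-MIB), the class and function names, and the sample polls are assumptions constructed for illustration.

```python
"""Per-peer IPsec tunnel throughput from successive SNMP polls (added example)."""
from dataclasses import dataclass, field

COUNTER32_MOD = 2 ** 32  # cipSecTunInOctets / cipSecTunOutOctets are Counter32


@dataclass
class PeerSeries:
    total_in: int = 0    # octets accumulated across every tunnel instance
    total_out: int = 0
    samples: list = field(default_factory=list)  # (timestamp, in_bps, out_bps)


def counter_delta(prev, cur):
    """Octets since the previous poll on the same tunnel index, allowing one wrap."""
    return cur - prev if cur >= prev else cur + COUNTER32_MOD - prev


class TunnelTracker:
    def __init__(self):
        self.peers = {}       # peer IP -> PeerSeries, survives index changes
        self._prev = {}       # (peer IP, tunnel index) -> (in_octets, out_octets)
        self._prev_ts = None

    def ingest(self, ts, rows):
        """rows: {tunnel_index: (peer_ip, in_octets, out_octets)} for one poll.

        Returns {peer_ip: (in_bps, out_bps)} for the interval. The first poll
        only establishes a baseline and returns {}.
        """
        current = {(peer, idx): (i, o) for idx, (peer, i, o) in rows.items()}
        rates = {}
        if self._prev_ts is not None:
            interval = ts - self._prev_ts
            if interval <= 0:
                raise ValueError("polls must arrive in increasing time order")
            deltas = {}
            for key, (i, o) in current.items():
                if key in self._prev:
                    p_in, p_out = self._prev[key]
                    d_in, d_out = counter_delta(p_in, i), counter_delta(p_out, o)
                else:
                    # Index not seen in the last poll: the tunnel came up (or
                    # came back up) during this interval, so its counters began
                    # at zero. Octets the old instance carried after the last
                    # poll and before teardown cannot be recovered.
                    d_in, d_out = i, o
                acc = deltas.setdefault(key[0], [0, 0])  # several SAs may share a peer
                acc[0] += d_in
                acc[1] += d_out
            for peer, (d_in, d_out) in deltas.items():
                series = self.peers.setdefault(peer, PeerSeries())
                series.total_in += d_in
                series.total_out += d_out
                rates[peer] = (d_in * 8 / interval, d_out * 8 / interval)
                series.samples.append((ts,) + rates[peer])
        self._prev, self._prev_ts = current, ts
        return rates


# Constructed sample polls, 60 s apart. Peer 198.51.100.10 reconnects before
# the third poll and its row moves from index 101 to index 205. Peer
# 203.0.113.7 keeps index 102 but its Counter32 in-octets wraps once.
SAMPLE_POLLS = [
    (0,   {101: ("198.51.100.10", 1_000_000, 2_000_000),
           102: ("203.0.113.7", 4_294_967_000, 800)}),
    (60,  {101: ("198.51.100.10", 1_600_000, 2_300_000),
           102: ("203.0.113.7", 704, 1_400)}),
    (120, {205: ("198.51.100.10", 150_000, 75_000),
           102: ("203.0.113.7", 1_704, 2_000)}),
]


def replay(polls):
    """Feed a list of (timestamp, rows) polls through a fresh tracker."""
    tracker = TunnelTracker()
    for ts, rows in polls:
        tracker.ingest(ts, rows)
    return tracker


if __name__ == "__main__":
    for peer, series in replay(SAMPLE_POLLS).peers.items():
        print(peer, series.total_in, series.total_out, series.samples)
```

A grapher keyed on the table index would start a new, empty series at index 205; keyed on the peer address, the two samples land in one continuous series.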
Similar Messages
-
SNMP per-ipsec tunnel bandwidth monitoring
Which OID can be used for monitoring bandwidth (bps, kbps...) per IPsec tunnel, assuming there is now logical tunnel interface configured?
IOS supports CISCO-IPSEC-FLOW-MONITOR-MIB, but I cannot find the OID in ftp://ftp.cisco.com/pub/mibs/oid/CISCO-IPSEC-FLOW-MONITOR-MIB.oid.
Tnx!
-
Cisco Network Assistant - Health Monitor Not Showing Bandwidth Utilization
Hello,
I've set up a new network with 3x 2960 and 2x 3650 switches, and I'm trying to view the bandwidth utilization per switch in Cisco Network Assistant in the health monitor. Unfortunately it shows 0%. I know there is a lot of traffic passing through the switches, and the other monitors are working correctly (temp, RAM and CPU). Are there any special settings that are needed in the switch?
Thanks
Srikanth Achanta,
Thanks for the help! Here is the output from putty.
XXX-Switch1#show controllers utilization
Port Receive Utilization Transmit Utilization
Gi0/1 0 0
Gi0/2 0 0
Gi0/3 0 0
Gi0/4 0 0
Gi0/5 0 0
Gi0/6 0 0
Gi0/7 0 0
Gi0/8 0 0
Gi0/9 0 0
Gi0/10 0 0
Gi0/11 0 0
Gi0/12 0 0
Gi0/13 0 0
Gi0/14 0 0
Gi0/15 0 0
Gi0/16 0 0
Gi0/17 0 0
Gi0/18 0 0
Gi0/19 0 0
Gi0/20 0 0
Gi0/21 0 0
Gi0/22 0 0
Gi0/23 0 0
Gi0/24 0 0
Gi1/1 0 0
Gi1/2 0 0
Gi1/3 0 0
Gi1/4 0 0
Te1/1 0 0
Te1/2 0 0
Total Ports : 30
Switch Receive Bandwidth Percentage Utilization : 0
Switch Transmit Bandwidth Percentage Utilization : 0
Switch Fabric Percentage Utilization : 0
XXX-Switch1#show interfaces | include packets
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
5934288 packets input, 546197579 bytes, 0 no buffer
308885 packets output, 112398123 bytes, 0 underruns
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes
0 input packets with dribble condition detected
0 packets output, 0 bytes, 0 underruns
5 minute input rate 471000 bits/sec, 109 packets/sec
5 minute output rate 191000 bits/sec, 104 packets/sec
315586906 packets input, 252876271812 bytes, 0 no buffer
0 input packets with dribble condition detected
267801306 packets output, 88017856802 bytes, 0 underruns
5 minute input rate 52000 bits/sec, 37 packets/sec
5 minute output rate 55000 bits/sec, 37 packets/sec
120529568 packets input, 27639696244 bytes, 0 no buffer
0 input packets with dribble condition detected
141742070 packets output, 32628299588 bytes, 0 underruns
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 1000 bits/sec, 1 packets/sec
5028 packets input, 468079 bytes, 0 no buffer
0 input packets with dribble condition detected
7868783 packets output, 893479978 bytes, 0 underruns
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 2000 bits/sec, 2 packets/sec
27290987 packets input, 25279841114 bytes, 0 no buffer
0 input packets with dribble condition detected
34291062 packets output, 16098960773 bytes, 0 underruns
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 1000 bits/sec, 2 packets/sec
3431939 packets input, 1615199699 bytes, 0 no buffer
0 input packets with dribble condition detected
20491634 packets output, 4044194406 bytes, 0 underruns
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 2000 bits/sec, 2 packets/sec
21992856 packets input, 7784577454 bytes, 0 no buffer
0 input packets with dribble condition detected
47483488 packets output, 32259133953 bytes, 0 underruns
5 minute input rate 4000 bits/sec, 2 packets/sec
5 minute output rate 4000 bits/sec, 3 packets/sec
17585313 packets input, 6353936617 bytes, 0 no buffer
0 input packets with dribble condition detected
40272645 packets output, 23412383942 bytes, 0 underruns
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
15684208 packets input, 5064927935 bytes, 0 no buffer
0 input packets with dribble condition detected
37918769 packets output, 18601560856 bytes, 0 underruns
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 1000 bits/sec, 1 packets/sec
3150289 packets input, 734752119 bytes, 0 no buffer
0 input packets with dribble condition detected
19003285 packets output, 2764534874 bytes, 0 underruns
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 1000 bits/sec, 1 packets/sec
9029922 packets input, 2596828776 bytes, 0 no buffer
0 input packets with dribble condition detected
26350637 packets output, 9197196784 bytes, 0 underruns
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
7064148 packets input, 2426044345 bytes, 0 no buffer
0 input packets with dribble condition detected
22569075 packets output, 8606781954 bytes, 0 underruns
5 minute input rate 2000 bits/sec, 1 packets/sec
5 minute output rate 6000 bits/sec, 3 packets/sec
17875471 packets input, 6103242910 bytes, 0 no buffer
0 input packets with dribble condition detected
36793666 packets output, 17156441845 bytes, 0 underruns
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
19264746 packets input, 8318993561 bytes, 0 no buffer
0 input packets with dribble condition detected
40577274 packets output, 20008103681 bytes, 0 underruns
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
0 input packets with dribble condition detected
0 packets output, 0 bytes, 0 underruns
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
1073682 packets input, 524894617 bytes, 0 no buffer
0 input packets with dribble condition detected
1290197 packets output, 967649887 bytes, 0 underruns
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 2000 bits/sec, 2 packets/sec
1434841 packets input, 399859897 bytes, 0 no buffer
0 input packets with dribble condition detected
15034817 packets output, 1988146136 bytes, 0 underruns
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 31000 bits/sec, 1 packets/sec
18246575 packets input, 8048146812 bytes, 0 no buffer
0 input packets with dribble condition detected
34632744 packets output, 15331407257 bytes, 0 underruns
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
12575644 packets input, 3507267403 bytes, 0 no buffer
0 input packets with dribble condition detected
27415447 packets output, 13019686162 bytes, 0 underruns
5 minute input rate 9000 bits/sec, 1 packets/sec
5 minute output rate 60000 bits/sec, 2 packets/sec
16988554 packets input, 6347935146 bytes, 0 no buffer
0 input packets with dribble condition detected
40488073 packets output, 23658053615 bytes, 0 underruns
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 1000 bits/sec, 2 packets/sec
1775464 packets input, 456920432 bytes, 0 no buffer
0 input packets with dribble condition detected
5550312 packets output, 848939175 bytes, 0 underruns
5 minute input rate 74000 bits/sec, 62 packets/sec
5 minute output rate 276000 bits/sec, 66 packets/sec
38109701 packets input, 21483991198 bytes, 0 no buffer
0 input packets with dribble condition detected
53920463 packets output, 35745966772 bytes, 0 underruns
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 2000 bits/sec, 2 packets/sec
3905203 packets input, 1197213173 bytes, 0 no buffer
0 input packets with dribble condition detected
9322988 packets output, 3398916481 bytes, 0 underruns
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 1000 bits/sec, 1 packets/sec
31147644 packets input, 7922363688 bytes, 0 no buffer
0 input packets with dribble condition detected
64110078 packets output, 59004959626 bytes, 0 underruns
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
5916020 packets input, 2203139928 bytes, 0 no buffer
0 input packets with dribble condition detected
17783154 packets output, 6763038614 bytes, 0 underruns
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
0 input packets with dribble condition detected
0 packets output, 0 bytes, 0 underruns
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
0 input packets with dribble condition detected
0 packets output, 0 bytes, 0 underruns
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
0 input packets with dribble condition detected
0 packets output, 0 bytes, 0 underruns
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
0 input packets with dribble condition detected
0 packets output, 0 bytes, 0 underruns
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
0 input packets with dribble condition detected
0 packets output, 0 bytes, 0 underruns
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
0 input packets with dribble condition detected
0 packets output, 0 bytes, 0 underruns
XXX-Switch1#show interfaces | include line protocol
Vlan1 is up, line protocol is up
FastEthernet0 is down, line protocol is down
GigabitEthernet0/1 is up, line protocol is up (connected)
GigabitEthernet0/2 is up, line protocol is up (connected)
GigabitEthernet0/3 is up, line protocol is up (connected)
GigabitEthernet0/4 is up, line protocol is up (connected)
GigabitEthernet0/5 is up, line protocol is up (connected)
GigabitEthernet0/6 is up, line protocol is up (connected)
GigabitEthernet0/7 is up, line protocol is up (connected)
GigabitEthernet0/8 is up, line protocol is up (connected)
GigabitEthernet0/9 is up, line protocol is up (connected)
GigabitEthernet0/10 is up, line protocol is up (connected)
GigabitEthernet0/11 is up, line protocol is up (connected)
GigabitEthernet0/12 is up, line protocol is up (connected)
GigabitEthernet0/13 is up, line protocol is up (connected)
GigabitEthernet0/14 is down, line protocol is down (notconnect)
GigabitEthernet0/15 is down, line protocol is down (notconnect)
GigabitEthernet0/16 is up, line protocol is up (connected)
GigabitEthernet0/17 is up, line protocol is up (connected)
GigabitEthernet0/18 is up, line protocol is up (connected)
GigabitEthernet0/19 is up, line protocol is up (connected)
GigabitEthernet0/20 is up, line protocol is up (connected)
GigabitEthernet0/21 is up, line protocol is up (connected)
GigabitEthernet0/22 is up, line protocol is up (connected)
GigabitEthernet0/23 is up, line protocol is up (connected)
GigabitEthernet0/24 is down, line protocol is down (notconnect)
GigabitEthernet1/1 is down, line protocol is down (notconnect)
GigabitEthernet1/2 is down, line protocol is down (notconnect)
GigabitEthernet1/3 is down, line protocol is down (notconnect)
GigabitEthernet1/4 is down, line protocol is down (notconnect)
TenGigabitEthernet1/1 is down, line protocol is down (notconnect)
TenGigabitEthernet1/2 is down, line protocol is down (notconnect)
XXX-Switch1#show interfaces | include line errors
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 output errors, 2 interface resets
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 output errors, 0 collisions, 1 interface resets
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 output errors, 0 collisions, 1 interface resets
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 output errors, 0 collisions, 1 interface resets
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 output errors, 0 collisions, 1 interface resets
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 output errors, 0 collisions, 1 interface resets
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 output errors, 0 collisions, 1 interface resets
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 output errors, 0 collisions, 1 interface resets
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 output errors, 0 collisions, 1 interface resets
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 output errors, 0 collisions, 1 interface resets
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 output errors, 0 collisions, 1 interface resets
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 output errors, 0 collisions, 1 interface resets
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 output errors, 0 collisions, 1 interface resets
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 output errors, 0 collisions, 1 interface resets
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 output errors, 0 collisions, 1 interface resets
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 output errors, 0 collisions, 1 interface resets
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 output errors, 0 collisions, 1 interface resets
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 output errors, 0 collisions, 1 interface resets
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 output errors, 0 collisions, 1 interface resets
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 output errors, 0 collisions, 1 interface resets
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 output errors, 0 collisions, 1 interface resets
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 output errors, 0 collisions, 1 interface resets
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 output errors, 0 collisions, 1 interface resets
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 output errors, 0 collisions, 1 interface resets
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 output errors, 0 collisions, 1 interface resets
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 output errors, 0 collisions, 1 interface resets
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 output errors, 0 collisions, 0 interface resets
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 output errors, 0 collisions, 0 interface resets
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 output errors, 0 collisions, 0 interface resets
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 output errors, 0 collisions, 0 interface resets
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 output errors, 0 collisions, 0 interface resets
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 output errors, 0 collisions, 0 interface resets
Dave
-
Cisco Prime LMS 4.2- Bandwidth utilization
Dear Experts,
Is it possible to monitor port-level bandwidth utilization, i.e. how much bandwidth is currently being used?
If we generate a report, it gives only a percentage. Can we change it to bps or Mbps?
Hi Enea,
The size of the DB is huge now, you can try to do a Force Purge
go to Admin > Network > Purge Settings >IPSLA data Purge Settings
see if it helps.
If not then the last resort is to Re-initialize the IPM database.
Here are the steps:
1. Stop the daemon manager.
2.
   /opt/CSCOpx/bin/dbRestoreOrig.pl dsn=ipm dmprefix=Ipm (linux/solaris)
   NMSROOT\bin\perl.exe NMSROOT\bin\dbRestoreOrig.pl dsn=ipm dmprefix=Ipm (windows)
3. Start the daemon manager.
Note: If you re-initialize the database then you need to create the collectors again.
Thanks-
Afroz
***Ratings Encourages Contributors ****
-
PIX - Monitoring Bandwidth Utilization?
I have PIX running 6.3 software with a few site to site VPN tunnels. Is there any way to monitor the bandwidth utilization of a particular tunnel?
Same question goes with ASAs and using ASDM...no plans to get CSM here...
Thanks,
Jason
Try PRTG - Paessler Router Traffic Grapher
www.paessler.com
-
Why is there no updates to the firefox throttle add-ons ? Is there an alternative? throttle is Bandwidth utilization throttling and monitoring extension for Firefox
Well, it's probably one of two things: either the awesome dude(tte) who developed this awesome extension was tired of updating or the changes in FFox software architecture carried out between version 3.x and 4+ created challenges that were too difficult for him to surmount or a combination of both. Honestly, I love Mozilla but I think they dropped the ball on the throttle issue. It's such an obvious and necessary function and it's so easy to implement. They should have included it a long time ago as in built feature. And, if you are browsing and looking at this post and you agree. Add a suggestion in mozilla.org. The more of us asking for this function, the better.
Meanwhile, I have the following solution for you:
Solution 0.6.9.23.11 (DIY Version of my Solution ):
Setting Up a Separate Portable Firefox 3.6.x that runs independently of and simultaneously to your latest version of Firefox
Get FireFox Portable 3.6.24:
http://portableapps.com/apps/internet/firefox_portable/localization#legacy36
It's a portable app, meaning that it's got all its profiles and preferences and application files in the same directory. It won't compete with your current installation of Firefox, has its own separate extension folder etc...
Get Firefox Throttle 1.1.6
http://firefox-throttle.en.softonic.com/ (I couldn't find it in the official mozilla site)
It will be flagged as incompatible with even that old version of firefox (but it isn't). You just need to turn off compatibility checking. You can do that with this extension:
https://addons.mozilla.org/en-US/firefox/addon/add-on-compatibility-reporter/?src=search
If you have Bookmarks you want to port to the portable (bad pun intended), back them up to a bookmarks.json file on your desktop and import them to the portable version. You can export/import more stuff using the FEBE addon but that's a whole world of headaches if you don't know what you're doing.
Many of your favourite extensions will no longer work on FFox 3.6.x but if, in that same addon's page, you look around until you find a link to previous versions of the addon, you will notice that the compatibility info is right below the version numbers. Just download and install the latest version that is compatible with your 3.6.x....
Voila mon ami! Your FFox 3.6 portable has just become your own private Download Mule whom you can throttle to your heart's content (ever throttle a real Mule??? I wouldn't try it, personally...) Do your regular browsing in another (unthrottled) browser and do your big downloads in the Mule...
If you want to keep using your brand spanking new Firefox for other types of browsing while using this portable Mule edition for the downloads, just add -p -no-remote to the shortcut leading to your Firefox Portable Mule edition.
For example, my taskbar shortcut to my Firefox Portable is:
"C:\Program Files (x86)\FirefoxPortableLegacy36\FirefoxPortable.exe"
I just changed it to:
"C:\Program Files (x86)\FirefoxPortableLegacy36\FirefoxPortable.exe" -p -no-remote
This will make it occupy its own independent instance and I can use both my Firefox Nightly and the Firefox Portable editions at the same time (each one using a different profile, i.e. extensions, cookies, password, cache etc).
If you're on Linux, you can just run this on Wine and set the Windows Version to Windows 2000 in the Wine config.
If you want to get rid of the Portable Apps splash screen, click here:
http://www.ghacks.net/2011/06/06/getting-rid-of-portableapps-splash-screens/
Solution 0.6.9.23.11 (Non-DIY Version of my Solution):
Download my preconfigured but SWAGGED-THE-HECK-UP PortableFirefox 3.6
Having realized that some of you may find the above to be daunting, I took my own customized Firefox portable, took out all my data and compressed the folder (it's portable, so it'll run as soon as you unzip it).
Here is a screenshot:
http://www.mediafire.com/?o95nkwo8y6q535j
Here is the download link:
http://www.mediafire.com/?xdw87ivf3184u2s
Don't forget to modify your Start/Taskbar shortcuts:
"C:\wherever you decide to put it\FirefoxPortableLegacy36-Swagged-UP!\FirefoxPortable.exe"
I just changed it to:
"C:\wherever you decide to put it\FirefoxPortableLegacy36-Swagged-UP!\FirefoxPortable.exe" -p -no-remote
-
Ipqos to monitor bandwidth utilization in zones?
I'd like to use IPQos and the extended accounting features in the global zone to monitor bandwidth utilization in my zones - ie, keep a simple count of amount of traffic each zone's IPs use.
I can't quite figure out how to do it, though. The IPQos docs are extensive, but complex.
Anyone got a simple 'howto' for it??
Not really using ipqos, but I have a dtrace script that tracks socket traffic per pid and uid; you can probably change it to meet your needs.
#!/usr/sbin/dtrace -Cs
/* like top but tracks pid's network transfers */
/* By James Dickens [email protected] */

#pragma D option quiet

#include <sys/uio.h>

int DR;       /* Data READ */
int DW;       /* Data WROTE */
int DRL;      /* Data Read in the last second */
int DWL;      /* Data Wrote in the last second */
int new_data; /* set when there is new data to print */

dtrace:::BEGIN
{
        printf("Waiting for data...\n");
}

/* On entry, remember the uio so the return probe can see how much moved. */
fbt:sockfs:socktpi_write:entry
{
        self->registry = 1;
        self->uiop = (struct uio *)arg1;
        self->request = self->uiop->uio_resid; /* MAX amount of data to send */
}

fbt:sockfs:socktpi_read:entry
{
        self->registry = 1;
        self->uiop = (struct uio *)arg1;
        self->request = self->uiop->uio_resid; /* MAX amount of data to receive */
}

/*
 * In an fbt return probe arg0 is the offset of the return instruction and
 * arg1 is the function's return value, so "no error" is arg1 == 0.
 */
fbt:sockfs:socktpi_read:return
/arg1 == 0 && self->registry/ /* don't grab data if an error was returned. */
{
        this->size = self->request - self->uiop->uio_resid; /* update the data read */
        DR += this->size;
        DRL += this->size;
        @data[uid, pid, "rcv'd"] = sum(this->size);
        @datac[uid, pid, "rcv'd"] = sum(this->size);
        self->request = 0;
        self->registry = 0;
        self->uiop = 0;
        new_data = 1;
}

fbt:sockfs:socktpi_write:return
/arg1 == 0 && self->registry/ /* don't grab data if an error was returned. */
{
        this->size = self->request - self->uiop->uio_resid; /* update amount of data sent */
        DW += this->size;
        DWL += this->size;
        @data[uid, pid, "sent"] = sum(this->size);
        @datac[uid, pid, "sent"] = sum(this->size);
        self->request = 0;
        self->registry = 0; /* was misspelled "registery", so the flag was never cleared */
        self->uiop = 0;
        new_data = 1;
}

/* Once a second, print the per-uid/pid totals if anything was transferred. */
tick-1s
/new_data/
{
        new_data = 0;
        printf("\nwalltime : %Y\nStats for the active last Second\nUID\tPID\tdirection\tBytes\n",
            walltimestamp);
        printa("%d\t%d\t%8s\t%@d\n", @data);
        printf("Totals for this second\nData Rcv'd ==%d Data Sent == %d TOTAL %d\n",
            DRL, DWL, DRL + DWL);
        printf("TOTALS\nData Rcv'd == %d Data Sent ==%d Total TRANSFERRED == %d\n",
            DR, DW, DR + DW);
        trunc(@data, 0);
        DRL = 0;
        DWL = 0;
}

dtrace:::END
{
        printf("\nGrand Totals\n");
        printf("UID\tPID\tdirection\tBytes\n");
        printa("%d\t%d\t%8s\t%@d\t\n", @datac);
        printf("TOTALS\n");
        printf("Data Rcv'd == %d Data Sent ==%d TOTAL TRANSFERRED == %d", DR, DW, DR + DW);
}
-
Monitoring Internet Bandwidth Utilization
Dear Net Pros,
I am looking for some software which can help me monitor Internet Bandwidth Utilization in more details. Currently I am already using MRTG to monitor the Internet Bandwidth. Need something deeper than that. Can anyone suggest a suitable solution for the same??
Rushabh
Buying it I think.
Sorry, it's a joke.
You can try to download a Demo on CCO Software Library.
Well, happy new year and good luck.
-
The tale of two IPSec Tunnels...
I'm trying to set up an ipsec tunnel at a particular site, and I am just stumped at this point. I have two sites I'm working with, a test site on my bench and the other actual site at another location. Both are ASA 5510's, both are running ASA v8.2(5). The test site has a 3560 off of it, and the production site has a 3750 stack off it. I don't think that part should matter, though.
I used the wizard to create the ipsec configuration on both devices, test and prod, and used the same naming on both to help compare. The test site connects and I can ssh to the 3560 behind it just fine. The production site, however, cannot connect to that 3750 or ping it to save my life. I've pored through the configs on both, and although there are just a couple of differences, the two ASA's are pretty close in configs.
At first I thought it was an acl issue, but I've filtered the logs by syslog id 106023 to watch for denys by access group. When I try to connect to the 3750, I get absolutely no entry in the log that anything is being denied, so I figure that's not it.
Then I thought it may be a routing issue. The one difference between the two sites is that the test site is using eigrp to disperse routes between the asa and switch, while the production site is using static routes. But I also didn't think that would've mattered, because on the static route switch I even put a static route in there to the vpn network which didn't make a difference.
I've also run packet traces on the firewall when doing a ping, and on the test site I see echo requests and replies. On the production site I only see requests, no replies. My encap counters don't increment during pings, but the decap counters do, which makes sense.
Other things to note: The test site that works also has a site-to-site vpn up and running, so you'll see that in the config as well. Client is Mac OS X 10.6.8, using the Cisco IPSec Config.
I'm hoping someone can look at my configs and tell me if they see anything I'm missing on them that could help solve my problems. I'd appreciate it! Thanks
Test Site that works
Production Site that Doesn't
testasa01-5510# sh run
: Saved
ASA Version 8.2(5)
hostname testasa01-5510
names
interface Ethernet0/0
nameif outside
security-level 0
ip address <outsideif> 255.255.255.240
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.39.194.2 255.255.255.248
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
no ip address
management-only
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
access-list inside_access_in extended permit ip 10.39.0.0 255.255.0.0 any log disable
access-list RemoteAccess_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 10.39.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 172.16.139.0 255.255.255.240
access-list outside_cryptomap extended permit ip 10.39.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list remoteaccess extended permit ip 172.16.139.0 255.255.255.240 any log disable
tcp-map WSOptions
tcp-options range 24 31 allow
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpn_ip_pool 172.16.139.0-172.16.139.10 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
global (outside) 100 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 100 10.39.0.0 255.255.0.0
access-group inside_access_in in interface inside
router eigrp 100
network 10.0.0.0 255.0.0.0
passive-interface default
no passive-interface inside
route outside 0.0.0.0 0.0.0.0 <outsideif> 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 10.0.0.0 255.0.0.0 management
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map1 1 match address outside_cryptomap
crypto map outside_map1 1 set pfs group1
crypto map outside_map1 1 set peer 209.242.145.200
crypto map outside_map1 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map1 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map1 interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 170
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 60
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server <server> source inside
webvpn
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol IPSec
group-policy RemoteAccess internal
group-policy RemoteAccess attributes
dns-server value 8.8.8.8
vpn-filter value remoteaccess
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RemoteAccess_splitTunnelAcl
split-tunnel-all-dns disable
vlan none
tunnel-group RemoteAccess type remote-access
tunnel-group RemoteAccess general-attributes
address-pool vpn_ip_pool
default-group-policy RemoteAccess
tunnel-group RemoteAccess ipsec-attributes
pre-shared-key *****
tunnel-group 111.222.333.444 type ipsec-l2l
tunnel-group 111.222.333.444 general-attributes
default-group-policy GroupPolicy1
tunnel-group 111.222.333.444 ipsec-attributes
pre-shared-key *****
class-map WSOptions-class
match any
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class WSOptions-class
set connection advanced-options WSOptions
policy-map type inspect ip-options ip-options-map
parameters
eool action allow
nop action allow
router-alert action allow
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
: end
mp01-5510asa# sh run
: Saved
ASA Version 8.2(5)
hostname mp01-5510asa
names
interface Ethernet0/0
nameif inside
security-level 100
ip address 10.29.194.2 255.255.255.252
interface Ethernet0/1
nameif dmz
security-level 50
ip address 172.16.29.1 255.255.255.0
interface Ethernet0/2
description
nameif backup
security-level 0
ip address <backupif> 255.255.255.252
interface Ethernet0/3
description
speed 100
duplex full
nameif outside
security-level 0
ip address <outsideif> 255.255.255.248
interface Management0/0
nameif management
security-level 100
ip address 10.29.199.11 255.255.255.0
management-only
banner login Authorized Use Only
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
object-group network DM_INLINE_NETWORK_1
network-object 10.29.1.0 255.255.255.0
network-object 10.29.15.0 255.255.255.0
network-object 10.29.199.0 255.255.255.0
network-object 10.29.200.0 255.255.255.0
network-object 10.29.31.0 255.255.255.0
access-list inside_access_in extended permit ip 10.29.0.0 255.255.0.0 any log warnings
access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_1 any log warnings
access-list inside_access_in extended permit ip 192.168.29.0 255.255.255.0 any log warnings
access-list inside_access_in extended permit ip 10.29.32.0 255.255.255.0 any log warnings
access-list outside_access_in extended permit ip any host 50.59.30.116 log warnings
access-list RemoteAccess_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.254.29.0 255.255.255.0 log warnings
access-list remoteaccess extended permit ip 10.254.29.0 255.255.255.0 any log warnings
access-list RemoteAccess2_splitTunnelAcl standard permit 10.29.0.0 255.255.0.0
pager lines 24
logging enable
logging list acl-messages message 106023
logging buffered acl-messages
logging asdm acl-messages
mtu inside 1500
mtu dmz 1500
mtu backup 1500
mtu outside 1500
mtu management 1500
ip local pool vpn_ip_pool3 10.254.29.0-10.254.29.10 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
asdm history enable
arp timeout 14400
global (inside) 201 interface
global (dmz) 101 interface
global (backup) 101 interface
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 10.29.1.0 255.255.255.0
nat (inside) 101 10.29.15.0 255.255.255.0
nat (inside) 101 10.29.31.0 255.255.255.0
nat (inside) 101 10.29.32.0 255.255.255.0
nat (inside) 101 10.29.199.0 255.255.255.0
nat (inside) 101 10.29.200.0 255.255.255.0
nat (inside) 101 192.168.29.0 255.255.255.0
static (inside,outside) <outsideif> 10.29.15.10 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 50.59.30.113 1 track 1
route backup 0.0.0.0 0.0.0.0 205.179.122.165 254
route management 10.0.0.0 255.0.0.0 10.29.199.1 1
route inside 10.29.0.0 255.255.0.0 10.29.194.1 1
route inside 192.168.29.0 255.255.255.0 10.29.194.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 10.0.0.0 255.0.0.0 management
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 100
type echo protocol ipIcmpEcho 74.125.239.16 interface outside
num-packets 3
frequency 10
sla monitor schedule 100 life forever start-time now
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
track 1 rtr 100 reachability
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh 10.0.0.0 255.0.0.0 management
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.200.1.41 source inside
webvpn
group-policy RemoteAccess internal
group-policy RemoteAccess attributes
dns-server value 8.8.8.8
vpn-filter value remoteaccess
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RemoteAccess_splitTunnelAcl
split-tunnel-all-dns disable
vlan none
tunnel-group RemoteAccess type remote-access
tunnel-group RemoteAccess general-attributes
address-pool vpn_ip_pool3
default-group-policy RemoteAccess
tunnel-group RemoteAccess ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
testasa01-5510# sh crypto ipsec sa
interface: outside
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: <outsideif>
local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.16.139.1/255.255.255.255/0/0)
current_peer: <peer ip>, username: blah
dynamic allocated peer ip: 172.16.139.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 30, #pkts decrypt: 30, #pkts verify: 30
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: <outsideif>/4500, remote crypto endpt.: <peer ip>/37291
path mtu 1500, ipsec overhead 82, media mtu 1500
current outbound spi: 0A7F396F
current inbound spi : E87AF806
inbound esp sas:
spi: 0xE87AF806 (3900372998)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 49152, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 3587
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x7FFFFFFF
outbound esp sas:
spi: 0x0A7F396F (176109935)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 49152, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 3587
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
mp01-5510asa# sh crypto ipsec sa
interface: outside
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: <outsideif>
local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.254.29.1/255.255.255.255/0/0)
current_peer: <peer ip>, username: blah
dynamic allocated peer ip: 10.254.29.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 51, #pkts decrypt: 51, #pkts verify: 51
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: <outsideif>/4500, remote crypto endpt.: <peer ip>/37291
path mtu 1500, ipsec overhead 82, media mtu 1500
current outbound spi: 096265D4
current inbound spi : F5E4780C
inbound esp sas:
spi: 0xF5E4780C (4125390860)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 102400, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 3576
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x001FFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x096265D4 (157443540)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 102400, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 3576
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Config (non working site) looks fine (unless I missed something :)). You may want to add:
access-list RemoteAccess_splitTunnelAcl standard permit 192.168.29.0 255.255.255.0
Try taking out the vpn-filter: vpn-filter value remoteaccess
To further t-shoot, try using packet tracer from the ASA to the client...
https://supportforums.cisco.com/docs/DOC-5796
Thx
MS
-
Bandwidth utilization on topology diagram of LMS 4.2
Hi,
I am running LMS 4.2 and using it I am monitoring some switches. I am using topology services also. In that I am getting a view of all connected devices with links, but bandwidth utilization for those links is not showing in the topology view.
Is there any setting to be done in LMS 4.2.2, or any configuration change to be done on my switches, to find the traffic flow bandwidth utilization?
thanks,
pandian
Hi
You have to enable RMON to measure bandwidth utilization.
Take a look at the Monitoring and Troubleshooting With Cisco Prime LAN Management Solution 4.2 guide.
Beginning on page 7-43 you can find the procedure.
Hope you can set it
-
Ciscoworks 4.0, Bandwidth Utilization
Hello!
I haven't worked with Ciscoworks in a long time and see v4.0 is out. Does anyone know if this app is a good tool to monitor bandwidth utilization? We need a good product that can monitor utilization on our WAN circuits and also do regular backups of our configs for a variety of routers and switches.
Your opinions are appreciated!
Ben
My opinion may be biased, but LMS 4.0 can do what you want. It has performance management capabilities that can graph and report on interface, CPU, and memory utilization, and it allows custom MIB object pollers to be defined. LMS also does configuration collection for a wide variety of devices.
If you really want to get a good idea of whether this is the right product suite for you, download the 90-day eval from http://www.cisco.com/go/nmsevals (click on the Network Management Software link). You will be able to test the full functionality of LMS 4.0 on up to 100 devices for 90 days.
-
Hi all,
I am a newbie here. Currently I am working as a net admin, which means I need to monitor and manage my workplace network (education center).
I have a few questions about network traffic flow. Here is the issue.
I am seeing very high bandwidth utilization after office hours, only at night. As we know, after office hours there is nobody at the office, but the bandwidth utilization is high.
What are the possible causes of this issue? If there are any possibilities that cause the event, I'd like to know everything that may cause it.
Thanks
What switches do you have?
What router are you using?
What servers do you have?
What time does the high utilization start and what time does it end?
Are you running backup across the WAN links?
-
Measuring Bandwidth utilization on 3005 Concentrator
I am looking for an easy way to measure utilization on a site to site vpn configured on a 3005 concentrator.
Help?
This can be done using MIBS. The two MIBS listed below give you the total number of octets sent out or received every 5 minutes. You can manually calculate the difference to figure out the utilization.
.1.3.6.1.2.1.2.2.1.10
ifInOctets OBJECT-TYPE
-- FROM RFC1213-MIB
SYNTAX Counter
MAX-ACCESS read-only
STATUS Mandatory
DESCRIPTION "The total number of octets received on the
interface, including framing characters."
::= { iso(1) org(3) dod(6) internet(1) mgmt(2) mib-2(1) interfaces(2) ifTable(2) ifEntry(1) 10 }
.1.3.6.1.2.1.2.2.1.16
ifOutOctets OBJECT-TYPE
-- FROM RFC1213-MIB
SYNTAX Counter
MAX-ACCESS read-only
STATUS Mandatory
DESCRIPTION "The total number of octets transmitted out of the
interface, including framing characters."
::= { iso(1) org(3) dod(6) internet(1) mgmt(2) mib-2(1) interfaces(2) ifTable(2) ifEntry(1) 16 }
On tunnel interfaces, a different set of MIBS called "ALTIGA-MIB" needs to be used. I feel you should also have a look at the document "How To Calculate Bandwidth Utilization Using SNMP".
http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a008009496e.shtml
-
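The manual calculation described in the 3005 Concentrator answer above, as an added Python example that is not part of the original post: it takes two polls of ifInOctets and ifOutOctets, handles the 32-bit counter wrap and an agent restart, and applies the usual half- and full-duplex utilization formulas. The ifSpeed OID, the `Poll` type, the function names and the sample values are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

# OIDs quoted in the post (RFC1213-MIB ifTable columns)
IF_IN_OCTETS = ".1.3.6.1.2.1.2.2.1.10"
IF_OUT_OCTETS = ".1.3.6.1.2.1.2.2.1.16"
# Assumption: ifSpeed (bits per second) from the same table supplies the link rate
IF_SPEED = ".1.3.6.1.2.1.2.2.1.5"
COUNTER32_MOD = 2 ** 32  # "SYNTAX Counter" is a 32-bit counter that wraps to zero


@dataclass(frozen=True)
class Poll:
    """One poll of an interface row plus sysUpTime (hypothetical container)."""
    sys_uptime_ticks: int  # sysUpTime, in hundredths of a second
    in_octets: int
    out_octets: int


def counter_delta(old: int, new: int) -> int:
    """Octets counted between two polls, correct across a single wrap."""
    return (new - old) % COUNTER32_MOD


def max_safe_interval(if_speed_bps: int) -> float:
    """Seconds a line-rate flow needs to wrap Counter32; poll faster than this."""
    return COUNTER32_MOD * 8 / if_speed_bps


def utilization(prev: Poll, curr: Poll, if_speed_bps: int,
                full_duplex: bool = True) -> Optional[dict]:
    """Return rates and percent utilization, or None if the sample is unusable."""
    if if_speed_bps <= 0:
        raise ValueError("ifSpeed must be positive")
    ticks = curr.sys_uptime_ticks - prev.sys_uptime_ticks
    if ticks <= 0:
        # Agent restarted (or sysUpTime wrapped): counters are not comparable.
        return None
    seconds = ticks / 100
    if seconds >= max_safe_interval(if_speed_bps):
        raise ValueError("poll interval too long: counter may have wrapped twice")
    in_bps = counter_delta(prev.in_octets, curr.in_octets) * 8 / seconds
    out_bps = counter_delta(prev.out_octets, curr.out_octets) * 8 / seconds
    # Full duplex: each direction has the whole link, so report the busier one.
    # Half duplex: both directions share the medium, so add them.
    busy = max(in_bps, out_bps) if full_duplex else in_bps + out_bps
    return {"seconds": seconds, "in_bps": in_bps, "out_bps": out_bps,
            "percent": 100 * busy / if_speed_bps}


# Constructed sample: two polls 300 s apart on a 100 Mb/s interface.
# ifInOctets wraps past 2**32 between the polls; ifOutOctets does not.
SAMPLE_PREV = Poll(sys_uptime_ticks=1_000_000, in_octets=4_294_000_000,
                   out_octets=1_000_000)
SAMPLE_CURR = Poll(sys_uptime_ticks=1_030_000, in_octets=749_032_704,
                   out_octets=376_000_000)

if __name__ == "__main__":
    print("polling", IF_IN_OCTETS, IF_OUT_OCTETS, IF_SPEED)
    for duplex in (True, False):
        result = utilization(SAMPLE_PREV, SAMPLE_CURR, 100_000_000, duplex)
        print("full duplex" if duplex else "half duplex", result)
```

At 100 Mb/s a Counter32 octet counter can wrap in about 344 seconds, so the 5-minute interval mentioned in the answer is close to the limit; on faster links poll more often.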
Hello,
Is there a way to look at the bandwidth utilization on a per port basis on the 3750 switches? Trying to track down a possible issue remotely and nothing like WireShark is onsite.
Thanks in advance.
All replies rated.
You can enter "show interface summary" to see the tx rate and rx rate for each port. Very easy to read format.
To use wireshark remotely, you could always use ERSPAN, which would send the monitor session to a remote switch. If I'm not sure of the commands I'm entering on a remote switch, I normally do a "reload in 15". In case I lose connectivity, it will reload in x number of minutes to restore service. Saves you a commute to the remote site to restore service. Just don't forget to cancel the reload when you are finished.
https://supportforums.cisco.com/document/139236/understanding-spanrspanand-erspan#comment-10119266
If you have network monitoring software, it should show the top talker along with the ip address.
show arp | i x.x.xx
this will return the mac
then enter show mac address-table address xxxx.xxxx.xxxx
this will show the interface that learned the mac.
show cdp neigh to verify the port isn't connected to another switch.
Keep entering sh mac and sh cdp until you locate the port with the mac of the top talker.
You can shut the port and see if the trouble goes away.
Just be careful when shutting ports. It's easy to shut the wrong port and lose connectivity.
-
Can Operations Manager discover and monitor IPSEC VPN state
Hello everyone
Can Operations Manager discover and monitor IPSEC VPN state?
We use Vyatta routers in different locations; these are connected over GRE IPSEC VPN tunnels. SCOM has discovered the tunnels successfully, which is great, but the technical team informed me that the tunnels' state is always UP even when the IPSEC VPN goes down ("I believe they configured the keepalive option on the tunnels, I don't know why"), hence I have to monitor the IPSEC VPN health state instead of the tunnels themselves. Any idea? If you tell me the steps required to create a new management pack, I will try this.
Thank you
Mohammad
Mohammad, IT NOC Team
The IPsec status info is provided by SNMP trap. You need to make sure the SNMP trap is enabled on the router.
Also, you can verify it by SNMP Trap Viewer.
Juke Chou
TechNet Community Support