MPLS end-peer

Good morning, I'm writing to you to ask a question to which I can't find an answer; the question is below:
If along an MPLS path there's a hop that is not set up to understand MPLS, what happens?
Any information that you can send me is welcome.
Best Regards
sercopi

This would break your end-to-end LSP. MPLS applications such as L3VPN and L2VPN, for instance, would not work correctly in a scenario like this.
Hope this helps,
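The answer above is easiest to see with a small model of label switching. The following is an added example, not code from the thread or from any vendor: it builds a four-node LSP (ingress PE pushes a label, a P router swaps it, the penultimate hop pops it) and then runs the same packet with the third hop configured as an IP-only router. Node names, labels and the 10.0.0.0/24 prefix are constructed; the drop reason mirrors what a non-MPLS router does with an ethertype 0x8847 frame for which it has no handler, even though it has an IP route to the destination.

```python
"""Added example, not from the original thread: a small model of an MPLS
label-switched path (LSP) showing why one hop that does not run MPLS breaks
the end-to-end path. Node names, labels and prefixes are constructed."""

from dataclasses import dataclass, field

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_MPLS = 0x8847   # unicast MPLS on Ethernet


@dataclass
class Packet:
    ethertype: int
    dst_prefix: str                               # destination kept as a prefix string
    labels: list = field(default_factory=list)    # label stack, top of stack first


@dataclass
class Node:
    name: str
    mpls_enabled: bool = True
    # FIB for unlabeled IP: prefix -> (next hop, label to push or None)
    fib: dict = field(default_factory=dict)
    # LFIB for labeled packets: incoming label -> (action, outgoing label, next hop)
    lfib: dict = field(default_factory=dict)

    def forward(self, pkt):
        """Return (next_hop, None) on success or (None, reason) if the packet is dropped."""
        if pkt.ethertype == ETHERTYPE_MPLS:
            if not self.mpls_enabled:
                # An IP-only router has no handler for ethertype 0x8847 and no LFIB:
                # the labeled frame is discarded even though an IP route may exist.
                return None, "labeled frame dropped: MPLS not enabled"
            entry = self.lfib.get(pkt.labels[0])
            if entry is None:
                return None, f"no LFIB entry for label {pkt.labels[0]}"
            action, out_label, next_hop = entry
            if action == "swap":
                pkt.labels[0] = out_label
            else:                                   # "pop" (penultimate hop popping)
                pkt.labels.pop(0)
                if not pkt.labels:
                    pkt.ethertype = ETHERTYPE_IPV4  # empty stack: plain IP again
            return next_hop, None
        entry = self.fib.get(pkt.dst_prefix)
        if entry is None:
            return None, f"no route to {pkt.dst_prefix}"
        next_hop, push = entry
        if push is not None:                        # ingress LSR imposes the label
            pkt.labels.insert(0, push)
            pkt.ethertype = ETHERTYPE_MPLS
        return next_hop, None


def trace(topology, start, pkt):
    """Walk the packet hop by hop; return (list of nodes visited, outcome text)."""
    path = [start]
    node = topology[start]
    while True:
        next_hop, err = node.forward(pkt)
        if err:
            return path, f"{node.name}: {err}"
        if next_hop == "deliver":
            return path, f"{node.name}: delivered to {pkt.dst_prefix}"
        path.append(next_hop)
        node = topology[next_hop]


def build_topology(p2_runs_mpls):
    """PE1 -> P1 -> P2 -> PE2 with one LSP towards 10.0.0.0/24 behind PE2.
    PE1 pushes label 100, P1 swaps 100 -> 200, P2 pops (PHP), PE2 routes the IP packet.
    p2_runs_mpls=False models the question: a hop in the path not set up for MPLS."""
    return {
        "PE1": Node("PE1", fib={"10.0.0.0/24": ("P1", 100)}),
        "P1": Node("P1", lfib={100: ("swap", 200, "P2")}),
        "P2": Node("P2", mpls_enabled=p2_runs_mpls,
                   lfib={200: ("pop", None, "PE2")} if p2_runs_mpls else {},
                   fib={"10.0.0.0/24": ("PE2", None)}),   # IP route exists either way
        "PE2": Node("PE2", fib={"10.0.0.0/24": ("deliver", None)}),
    }


def run(p2_runs_mpls):
    """Send one IP packet from PE1 towards 10.0.0.0/24 and report the path taken."""
    pkt = Packet(ETHERTYPE_IPV4, "10.0.0.0/24")
    return trace(build_topology(p2_runs_mpls), "PE1", pkt)


if __name__ == "__main__":
    for flag in (True, False):
        path, outcome = run(flag)
        print(f"P2 runs MPLS={flag}: {' -> '.join(path)} ; {outcome}")
```

With every hop running MPLS the packet reaches PE2 as plain IP after PHP; with P2 as an IP-only hop it dies at P2, which is exactly why an LSP cannot cross a non-MPLS router and why L3VPN/L2VPN traffic riding that LSP stops.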

Similar Messages

  • MPLS pseudowire Up on one side Down on the other

    Hello,
    I'm trying to set up another pseudowire between a 6509-E 12.2(17r)S4 and a 7201 12.4(12.2r)T. The 6509 says the VC is up:
    Switch#show mpls l2transport vc
    Local intf     Local circuit              Dest address    VC ID      Status
    Gi4/1           Ethernet                   172.29.255.7    77         UP
    But on the 7201 I'm getting:
    Router#show mpls l2transport vc
    Local intf     Local circuit              Dest address    VC ID      Status
    Gi0/3          Ethernet                   172.29.255.10   77         DOWN
    When I run show mpls l2transport vc detail it looks like:
    Switch:
    VC statistics:
        transit packet totals: receive 0, send 35308
        transit byte totals:   receive 0, send 2745983
        transit packet drops:  receive 0, send 0
    Router:
    VC statistics:
        packet totals: receive 35414, send 0
        byte totals:   receive 2754295, send 0
        packet drops:  receive 0, seq error 0, send 1421389
    Weird that the switch is sending but not receiving and the router is receiving but not sending.
    The topology is:
    [6509-E] <-> [7201transit] <-> [7201]
    The transit router has mpls ip enabled and has another functional pseudowire running across it.
    Thanks in advance. I'm pretty new to MPLS; please let me know if you need more information, I can post configs etc.
    --Will

    Hey Negandra,
    Thank you for your response! How do I know if I have SIP/ES/ES+ cards? The two types of cards I have in the chassis are:
    48  SFM-capable 48 port 10/100/1000mb RJ45 WS-X6548-GE-TX
    24  CEF720 24 port 1000mb SFP
    Are either of those capable?
    --Will
    *EDIT*
    Also I have tried to terminate the pseudowire on an SVI on the 6509-E but I can't get it to come online.
    CORE#show mpls l2transport vc
    Local intf     Local circuit              Dest address    VC ID      Status
    Gi4/3          Ethernet                   172.x.x.x    2          ADMIN DOWN
    Gi3/46         Ethernet                   172.x.x.x    123        UP
    Gi4/48         Ethernet                   172.x.x.x    1337       DOWN
    Gi4/5          Ethernet                   172.x.x.x    4          ADMIN DOWN
    Vl7            Eth VLAN 7                 172.x.x.x    7          DOWN
    CORE#show run int vlan7
    Building configuration...
    Current configuration : 91 bytes
    interface Vlan7
    no ip address
    xconnect 172.29.255.7 7 encapsulation mpls
    end
    If I configure the pseudowire on a physical interface on the switch it comes up, what am I missing? Hardware limitation?
    Thanks in advance,
    --Will

  • MPLS migration from IPv4 and IPv6

    Hello,
    I have an existing MPLS VPN setup using IPv4 between all devices (P, PE, CPE). I want to start migrating to IPv6, but I want to start the migration with one link between P and PE while all other devices stay the same (IPv4). Can you please tell me how I can achieve this scenario without impacting the services, because it is live.
    Thanks

    Dear All,
    When I configured IPv6 between PE and CPE, the neighbor between them is idle. The following is the configuration between PE and CPE:
    PE:
    router bgp 100
    bgp router-id 10.200.200.3
    no bgp default ipv4-unicast
    bgp log-neighbor-changes
    neighbor MPLS-Group peer-group
    neighbor MPLS-Group remote-as 100
    neighbor MPLS-Group update-source Loopback0
    neighbor MPLS-Group-IPV6 peer-group
    neighbor MPLS-Group-IPV6 remote-as 100
    neighbor MPLS-Group-IPV6 update-source Loopback0
    neighbor 10.200.200.5 peer-group MPLS-Group
    neighbor 2002:10:200:200::5 peer-group MPLS-Group-IPV6
    address-family ipv4
      no synchronization
      no auto-summary
    exit-address-family
    address-family vpnv4
      neighbor MPLS-Group send-community both
      neighbor MPLS-Group next-hop-self
      neighbor 10.200.200.5 activate
    exit-address-family
    address-family vpnv6
      neighbor MPLS-Group-IPV6 send-community both
      neighbor MPLS-Group-IPV6 next-hop-self
      neighbor 2002:10:200:200::5 activate
    exit-address-family
    address-family ipv4 vrf TEST
      no synchronization
      redistribute connected
      neighbor 10.225.0.2 remote-as 101
      neighbor 10.225.0.2 activate
    exit-address-family
    address-family ipv6 vrf TEST
      redistribute connected
      no synchronization
      neighbor 2002:10:225::2 remote-as 101
      neighbor 2002:10:225::2 activate
    exit-address-family
    ipv6 router ospf 200
    router-id 10.200.200.3
    log-adjacency-changes
    mpls ldp router-id Loopback0
    CPE:
    interface Loopback0
    ip address 10.225.100.1 255.255.255.255
    ipv6 address 2002:10:225:100::1/128
    interface FastEthernet0/0
    no ip address
    shutdown
    duplex half
    interface GigabitEthernet1/0
    ip address 10.225.0.2 255.255.255.252
    negotiation auto
    ipv6 address 2002:10:225::2/126
    router bgp 101
    no synchronization
    bgp router-id 10.225.100.1
    bgp log-neighbor-changes
    network 10.225.100.1 mask 255.255.255.255
    neighbor 10.225.0.1 remote-as 100
    neighbor 2002:10:225::1 remote-as 100
    no auto-summary
    address-family ipv6
      no synchronization
      network 2002:10:225:100::1/128
      neighbor 2002:10:225::1 activate
    exit-address-family
    CPE-1#show ip bgp summary
    BGP router identifier 10.225.100.1, local AS number 101
    BGP table version is 4, main routing table version 4
    2 network entries using 242 bytes of memory
    2 path entries using 104 bytes of memory
    3/2 BGP path/bestpath attribute entries using 228 bytes of memory
    1 BGP AS-PATH entries using 24 bytes of memory
    0 BGP route-map cache entries using 0 bytes of memory
    0 BGP filter-list cache entries using 0 bytes of memory
    BGP using 598 total bytes of memory
    BGP activity 4/0 prefixes, 4/0 paths, scan interval 60 secs
    Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
    10.225.0.1      4   100       6       5        4    0    0 00:01:50        1
    2002:10:225::1  4   100       0       0        0    0    0 never    Idle
    and I received this error:
    *Nov 24 15:40:17.715: %BGP-5-ADJCHANGE: neighbor 2002:10:225::2 vpn TEST Up
    *Nov 24 15:40:19.079: %BGP-5-ADJCHANGE: neighbor 10.225.0.2 vpn vrf TEST Up
    *Nov 24 15:40:23.067: %BGP-3-NOTIFICATION: sent to neighbor 2002:10:225::2 passive 2/8 (no supported AFI/SAFI) 3 bytes 000101
    Thanks
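The %BGP-3-NOTIFICATION line above carries more than the words in parentheses: the trailing data bytes say which AFI/SAFI the PE refused. The decoder below is an added example, not part of the post or of IOS; error code and subcode names come from RFC 4271 (and RFC 5492 for OPEN subcode 7), AFI/SAFI names from the IANA registries. OPEN subcode 8 is not defined in RFC 4271, so for it the decoder keeps the text IOS printed. The first sample line is the poster's line with the extraction whitespace removed; the second is constructed. The result for the poster's line is AFI 1 / SAFI 1, i.e. IPv4 unicast, which is the family to compare against the address families activated for that neighbor on both routers.

```python
"""Added example (not from the thread or Cisco): decode an IOS
%BGP-3-NOTIFICATION log line into error code, subcode and the AFI/SAFI
carried in the data field. Names follow RFC 4271 / RFC 5492 / IANA."""

import re

NOTIFICATION_CODES = {
    1: "Message Header Error", 2: "OPEN Message Error", 3: "UPDATE Message Error",
    4: "Hold Timer Expired", 5: "Finite State Machine Error", 6: "Cease",
}
OPEN_SUBCODES = {
    1: "Unsupported Version Number", 2: "Bad Peer AS", 3: "Bad BGP Identifier",
    4: "Unsupported Optional Parameter", 6: "Unacceptable Hold Time",
    7: "Unsupported Capability",
}
AFI_NAMES = {1: "IPv4", 2: "IPv6"}
SAFI_NAMES = {1: "unicast", 2: "multicast", 4: "MPLS-labeled unicast", 128: "MPLS-labeled VPN"}

LOG_RE = re.compile(
    r"%BGP-3-NOTIFICATION: (?P<direction>sent to|received from) neighbor (?P<peer>\S+)"
    r"(?: (?P<mode>active|passive))? (?P<code>\d+)/(?P<subcode>\d+) \((?P<text>[^)]*)\)"
    r" (?P<nbytes>\d+) bytes ?(?P<hexdata>[0-9a-fA-F]*)"
)


def decode_afi_safi(data):
    """Interpret data as 3-byte AFI/SAFI triplets (AFI 2 bytes, SAFI 1 byte)."""
    triplets = []
    for i in range(0, len(data) - len(data) % 3, 3):
        afi = int.from_bytes(data[i:i + 2], "big")
        safi = data[i + 2]
        name = f"{AFI_NAMES.get(afi, f'AFI {afi}')} {SAFI_NAMES.get(safi, f'SAFI {safi}')}"
        triplets.append((afi, safi, name))
    return triplets


def parse_notification(line):
    """Return a dict describing the NOTIFICATION, or None if the line is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    code, subcode = int(m["code"]), int(m["subcode"])
    data = bytes.fromhex(m["hexdata"]) if m["hexdata"] else b""
    info = {
        "direction": m["direction"],
        "peer": m["peer"],
        "mode": m["mode"],              # 'passive': the peer opened the TCP session
        "code": code,
        "subcode": subcode,
        "code_name": NOTIFICATION_CODES.get(code, "unknown error code"),
        # Standard subcode name where one exists; otherwise the text IOS printed
        # (OPEN subcode 8, "no supported AFI/SAFI", is IOS-specific)
        "subcode_name": OPEN_SUBCODES.get(subcode, m["text"]) if code == 2 else m["text"],
        "data": data,
        "length_matches": len(data) == int(m["nbytes"]),
        "afi_safi": [],
    }
    # For the AFI/SAFI case on this page IOS puts the rejected AFI/SAFI in the data
    # field (3 bytes). Subcode 7 carries capability TLVs instead, so skip it there.
    if code == 2 and subcode != 7 and data and len(data) % 3 == 0:
        info["afi_safi"] = decode_afi_safi(data)
    return info


# Sample log lines: the first is the poster's line with extraction whitespace
# removed; the second is constructed for contrast.
SAMPLE_LINES = [
    "*Nov 24 15:40:23.067: %BGP-3-NOTIFICATION: sent to neighbor 2002:10:225::2 "
    "passive 2/8 (no supported AFI/SAFI) 3 bytes 000101",
    "*Nov 24 16:01:00.000: %BGP-3-NOTIFICATION: received from neighbor 10.0.0.2 "
    "6/4 (administrative reset) 0 bytes",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        info = parse_notification(line)
        print(f"{info['direction']} {info['peer']}: {info['code_name']} / {info['subcode_name']}")
        for afi, safi, name in info["afi_safi"]:
            print(f"  rejected AFI {afi} SAFI {safi} = {name}")
```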

  • ATOM on dot1q sub interfaces

    Hello, networkers!
    Long time no see ;-)
    Straight on question now. Imagine a MPLS network with the following topology:
         A         B         C         D         E
        (X) ----- (X) ----- (X) ----- (X) ----- (X)
         CE        PE        P         PE        CE
    Router A & E are customer's routers.
    Router B & D are PE routers
    Let's say that we have created MPLS ATOM using Xconnect in between routers B and D. They are both using FastEthernet interfaces with sub-interfaces configured on. Router D is configured to RouterE in this way:
    interface FastEthernet0/0.15
    description ** RouterD->RouterE **
    encapsulation dot1Q 15
    no cdp enable
    xconnect 2.2.2.2 666 encapsulation mpls
    on the other end, router B is configured as follow:
    interface FastEthernet0/0.26
    description ** RouterB->RouterA **
    encapsulation dot1Q 26
    no cdp enable
    xconnect 1.1.1.1 666 encapsulation mpls
    end
    Where 1.1.1.1 is RouterD loopback and 2.2.2.2 is Router B lo0.
    What do you think about that scenario? Should it work with this configuration when the dot1q VLANs differ? In my opinion this shouldn't work as expected, as long as MPLS is just doing transparent transport of the entire L2 frame (instead of using internetworking at the IP level).
    Can anyone please explain how Cisco handles this? I remember that I've read somewhere during my CCIE journey that there are different types of AToM VCs which can either carry the dot1q tag or not.
    Thank you in advance!
    Kind regards,
    Dani Petrov
    P.p. I tried it in a few different configurations and the results are very interesting but please first share your thoughts ;-)

    Hi,
    You can't force the vc-type and don't need to.
    To summarize:
    - switchport trunk mode and subinterfaces will always pop the outer tag
    - EVC interfaces do nothing by default.
    On top of that vc-type 4 will add a service-delimiter tag to the frame received from the AC. It's the responsibility of the egress router to know what to do with this tag (rewrite or remove it).
    GSR and 7200 will negotiate a vc-type 4 if the AC is a subinterface. 7600 will always negotiate a vc-type 5 except if the peer wants a vc-type 4.
    HTH
    Laurent.
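The reply above describes three separate behaviours: what the attachment circuit does to the outer tag (sub-interface/trunk pops it, EVC leaves it), what VC type 4 adds on the pseudowire, and what the egress router must then do with that tag. The following is an added example, not code from the thread or from IOS, that models those rules and runs the thread's scenario (RouterB on dot1q 26, RouterD on dot1q 15) through them; it also goes one step beyond the thread by showing the EVC case, where the tag is carried through unchanged. The service-delimiting tag is modelled as the ingress AC VLAN and the platform preferences are taken from the reply; frames and router names are constructed.

```python
"""Added example (not from the thread or Cisco): a model of dot1q tag handling
on an AToM Ethernet pseudowire as described in the reply. The service-delimiting
tag for VC type 4 is modelled as the ingress AC VLAN; this is an assumption."""

from dataclasses import dataclass


@dataclass
class Frame:
    tags: list      # 802.1Q tag stack, outer tag first; [] when untagged
    payload: str


@dataclass
class AttachmentCircuit:
    kind: str       # "subinterface" (dot1q sub-if or trunk port) or "evc"
    vlan: int       # VLAN matched on ingress / imposed on egress


def ac_receive(frame, ac):
    """CE -> PE: sub-interfaces and trunk mode always pop the outer tag; EVC does nothing."""
    if ac.kind == "subinterface":
        if not frame.tags or frame.tags[0] != ac.vlan:
            raise ValueError(f"outer VLAN {frame.tags[:1]} does not match AC VLAN {ac.vlan}")
        return Frame(frame.tags[1:], frame.payload)
    return Frame(list(frame.tags), frame.payload)


def pw_impose(frame, vc_type, ac):
    """Ingress PE: VC type 4 adds a service-delimiting tag (modelled as the AC VLAN);
    VC type 5 sends the frame exactly as received from the AC."""
    if vc_type == 4:
        return Frame([ac.vlan] + frame.tags, frame.payload)
    return Frame(list(frame.tags), frame.payload)


def pw_dispose(frame, vc_type, ac):
    """Egress PE: with VC type 4 it is this router's job to remove or rewrite the
    service-delimiting tag; with VC type 5 nothing is touched."""
    if vc_type == 4:
        inner = frame.tags[1:]
        if ac.kind == "evc":
            return Frame([ac.vlan] + inner, frame.payload)   # rewrite to the egress VLAN
        return Frame(inner, frame.payload)                    # remove; the sub-if pushes its own
    return Frame(list(frame.tags), frame.payload)


def ac_transmit(frame, ac):
    """PE -> CE: a sub-interface pushes its own dot1q tag; EVC sends the frame unchanged."""
    if ac.kind == "subinterface":
        return Frame([ac.vlan] + frame.tags, frame.payload)
    return Frame(list(frame.tags), frame.payload)


def negotiate_vc_type(platform_a, ac_a, platform_b, ac_b):
    """As the reply states: GSR and 7200 ask for VC type 4 when the AC is a
    sub-interface; 7600 uses type 5 unless the peer wants type 4."""
    def wants_type4(platform, ac):
        return platform in ("GSR", "7200") and ac.kind == "subinterface"
    return 4 if wants_type4(platform_a, ac_a) or wants_type4(platform_b, ac_b) else 5


def carry(frame, ingress_ac, egress_ac, vc_type):
    """Push one frame across the PW; return (frame on the PW, frame handed to the far CE)."""
    on_wire = pw_impose(ac_receive(frame, ingress_ac), vc_type, ingress_ac)
    delivered = ac_transmit(pw_dispose(on_wire, vc_type, egress_ac), egress_ac)
    return on_wire, delivered


if __name__ == "__main__":
    # The thread's scenario: RouterB AC = Fa0/0.26 (dot1q 26), RouterD AC = Fa0/0.15 (dot1q 15)
    router_b = AttachmentCircuit("subinterface", 26)
    router_d = AttachmentCircuit("subinterface", 15)
    frame_from_a = Frame([26], "packet from RouterA")      # constructed frame
    for vc in (4, 5):
        wire, out = carry(frame_from_a, router_b, router_d, vc)
        print(f"VC type {vc}: tags on PW={wire.tags}, RouterE receives tags={out.tags}")
    print("7200 <-> 7600 with sub-interfaces negotiates VC type",
          negotiate_vc_type("7200", router_b, "7600", router_d))
```

Whichever VC type is negotiated, RouterE receives the frame tagged 15 because each sub-interface pops on the way in and pushes its own VLAN on the way out; only with EVC on both ends does the original tag 26 survive end to end.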

  • [ios pw redundancy with xr mc-lag termination]

    Hi, all:
    First of all, thanks in advance, and please take a look at the attached diagram.
    I'm trying to set up a pseudowire redundancy setup between an ME3800 and two ASR9000s that build an mLACP etherchannel towards a cat4500, 4500-2. When the primary pseudowire is up, everything works as expected. The problem is that, when you cause a switchover scenario from the primary asr9k-1 (say by shutting down the link to the 4500-2) to the secondary asr9k-2, traffic does not pass from one end of the PW to the other. If we bring the failed link back up, the primary PW works.
    All 'show' commands check out and the PW switches over as expected. As a test, I have a 3rd asr9k connected in parallel to the ME3800 and we have no problem with that. When we cause the exact same failure scenario, the primary PW switches over to the secondary and everything works exactly like I would expect. Traffic passes in both pri and stby PWs when using the parallel asr9k.
    As you will be able to see from the attached configs, the PWs from the ME3800 and asr9k are a little different. The ME3800 PW is port-based and the asr9k PW is VLAN-based, but since both primary PWs work I see no obvious problem with that.
    Now, I know both ends of the MC-LAG work, because the asr9k PW redundancy setup works.
    If I build a single PW (no redundancy) from the ME3800 to asr9k-1, connectivity works, AND if I build a single PW from the ME3800 to asr9k-2 on the same exact VLAN, connectivity works also.
    Hopefully one of you will take the time to look at the configs and let me know if you see something wrong (I think with the ME3800 config). Please keep in mind that everything works perfectly when working with asr9k PW redundancy (XR on both ends of the PW).
    c.
    ============
    ME3800 (pw-redundancy)
    3800#show run | section pseudowire
    pseudowire-class mpls
    encapsulation mpls
    status peer topology dual-homed
    ! tried it without above status command, didn't work either.
    3800#show run int g0/24
    Building configuration...
    Current configuration : 175 bytes
    interface GigabitEthernet0/24
    no switchport
    no ip address
    xconnect 207.x.y.9 1100 encapsulation mpls pw-class mpls
      backup peer 207.x.y.17 1101 pw-class mpls
    end
    3800#
    3800#show xconnect all
    Legend:    XC ST=Xconnect State  S1=Segment1 State  S2=Segment2 State
      UP=Up       DN=Down            AD=Admin Down      IA=Inactive
      SB=Standby  HS=Hot Standby     RV=Recovering      NH=No Hardware
    XC ST  Segment 1                         S1 Segment 2                         S2
    ------+---------------------------------+--+---------------------------------+--
    UP pri   ac Gi0/24:78(Ethernet)          UP mpls 207.x.y.9:1100            UP
    IA sec   ac Gi0/24:78(Ethernet)          UP mpls 207.x.y.17:1101           DN
    3800_sw_pruebas#
    ============
    ASR-3 (pw-redundancy)
    RP/0/RSP1/CPU0:ASR-3#show run l2vpn
    Sat Jun 15 09:07:10.183 CST
    l2vpn
    xconnect group PRUEBAS-XXXX
      p2p ESC-MTZ
       interface Bundle-Ether1000.28
       neighbor 207.x.y.9 pw-id 1128
        backup neighbor 207.x.y.17 pw-id 1228
    RP/0/RSP1/CPU0:ASR-3#show l2vpn xconnect
    Sat Jun 15 09:20:26.183 CST
    Legend: ST = State, UP = Up, DN = Down, AD = Admin Down, UR = Unresolved,
            SB = Standby, SR = Standby Ready
    XConnect                   Segment 1                   Segment 2               
    Group      Name       ST   Description            ST   Description            ST
    PRUEBAS-XXXX
               to4500-2    UP   BE1000.28              UP   207.x.y.9    1128   UP
                                                           Backup                  
                                                           207.x.y.17   1228   DN
    RP/0/RSP1/CPU0:ASR-3#
    ============
    asr9k-1  (pw-termination)
    RP/0/RSP0/CPU0:asr9k-1#show run l2vpn
    Sat Jun 15 09:09:10.555 CST
    l2vpn
    pw-status
    pw-class mpls
      encapsulation mpls
       redundancy
        one-way
    xconnect group PRUEBAS-XXXX
      p2p toASR-3
       interface Bundle-Ether1000.28
       neighbor 207.x.y.1 pw-id 1128
      p2p toME3800
       interface Bundle-Ether1000.26
       neighbor 207.x.y.30 pw-id 1100
    RP/0/RSP0/CPU0:asr9k-1#show run redundancy
    Sat Jun 15 09:09:16.659 CST
    redundancy
    iccp
      group 1000
       mlacp node 1
       mlacp system mac 000d.000e.000f
       mlacp system priority 1
       member
        neighbor 207.x.y.17
       backbone
        interface Bundle-Ether1
    ============
    RP/0/RSP0/CPU0:asr9k-2#show run l2vpn
    Sat Jun 15 09:13:39.908 CST
    l2vpn
    pw-status
    pw-class mpls
      encapsulation mpls
       redundancy
        one-way
    xconnect group PRUEBAS-XXXX
      p2p toASR-3
       interface Bundle-Ether1000.28
       neighbor 207.x.y.1 pw-id 1228
      p2p toME3800
       interface Bundle-Ether1000.26
       neighbor 207.x.y.30 pw-id 1101
    RP/0/RSP0/CPU0:asr9k-2#show run redundancy
    Sat Jun 15 09:13:43.656 CST
    redundancy
    iccp
      group 1000
       mlacp node 2
       mlacp system mac 000d.000e.000f
       mlacp system priority 1
       member
        neighbor 207.x.y.9
       backbone
        interface Bundle-Ether1

    Hard to tell where and why the traffic gets dropped. If I were to guess, the ME might still send traffic down the wrong PW
    due to MAC learning, so it might need to get flushed.
    I thought however that as part of the PW switchover the MAC flush is instantiated.
    In either case you want to set up a stream of, say, 1000 pps so it is easy to verify, and check the NP counters to see where and why these packets are getting dropped and whether it is the 9k or the ME in that regard.
    I suspect a PW signaling and MAC flushing issue here.
    xander

  • Xconnect on SVI interface ES Cards on 7606

    Is it possible to configure xconnect from an SVI interface, when your core facing cards are RSP-720?
    I have configured it:
    interface Vlan290
    no ip address
    xconnect 10.10.136.129 37123712 encapsulation mpls
    end
    It does not come up:
    PE4#sh mpl l2transport vc
    Local intf     Local circuit              Dest address    VC ID      Status
    Vl290          Eth VLAN 290               10.10.136.129   37123712   DOWN
    PE4#sh mpl l2transport vc 37123712 det
    PE4#sh mpl l2transport vc 37123712 detail
    Local interface: Vl290 up, line protocol up, Eth VLAN 290 up
    Interworking type is Ethernet
    Destination address: 10.10.136.129, VC ID: 37123712, VC status: down
    Output interface: none, imposed label stack {}
    Preferred path: not configured
    Default path: no route
    No adjacency
    Create time: 00:00:49, last status change time: 00:00:03
    Signaling protocol: LDP, peer 10.10.136.129:0 up
    Targeted Hello: 10.10.136.131(LDP Id) -> 10.10.136.129
    Status TLV support (local/remote) : enabled/not supported
    Label/status state machine : remote ready, LndRru
    Last local dataplane status rcvd: no fault
    Last local SSS circuit status rcvd: AC DOWN(rx,tx faults)
    Last local SSS circuit status sent: no fault
    Last local LDP TLV status sent: no fault (withdrawn)
    Last remote LDP TLV status rcvd: not sent
    MPLS VC labels: local unassigned, remote 340
    Group ID: local unknown, remote 0
    MTU: local unknown, remote 1500
    Remote interface description: ** Test PW with PE4 ES SVI int **
    Sequencing: receive disabled, send disabled
    VC statistics:
    packet totals: receive 0, send 0
    byte totals: receive 0, send 0
    packet drops: receive 0, seq error 0, send 0
    Although when I use a physical interface it comes up?
    Does the RSP720 not support it?

    I moved my core facing link to ES card instead of RSP 720 and it works.
    PE4#sh mpls l2transport vc
    Local intf     Local circuit              Dest address    VC ID      Status
    Vl290          Eth VLAN 290               10.10.136.129   37123712   UP
    But now I am wondering what we can use the RSP-720 GigE ports for.

  • Still having problems with VPN access

    Hello!
    I am having problems with my VPN clients getting access to the networks over an MPLS infrastructure. I can reach these resources from my core network (172.17.1.0/24) and my WiFi (172.17.100.0/24) but not from my VPN network (172.17.200.0/24). From the VPN I can reach the WiFi network (which is behind a router), and the rule that allows that also allows access to the other networks, but for some reason it is not working.
    When I ping inside the core network from the VPN I can connect and get responses. When I ping the WiFi network, I get responses and can connect to resources there. A tracert to the WiFi network shows it hitting the core switch (a 3750 stack) @ 172.17.1.1, then the WiFi router (172.17.1.3) and then the host. A tracert to a resource on the MPLS network from the VPN shows a single entry (the destination host) and then 29 timeouts, but it will not ping that resource nor connect.
    I've posted all the info I can think of below. Any help appreciated.
    *** Here is a tracert from a core network machine to the resource we need on the MPLS:
    C:\Windows\system32>tracert 10.2.0.125
    Tracing route to **************** [10.2.0.125]
    over a maximum of 30 hops:
      1     1 ms    <1 ms    <1 ms  172.17.1.1
      2     1 ms    <1 ms    <1 ms  172.17.1.10
      3     5 ms     5 ms     5 ms  192.168.0.13
      4    31 ms    30 ms    31 ms  192.168.0.5
      5    29 ms    30 ms    29 ms  192.168.0.6
      6    29 ms    29 ms    29 ms  192.168.20.4
      7    29 ms    29 ms    29 ms  RV-TPA-CRMPROD [10.2.0.125]
    Trace complete.
    172.17.1.10 is the mpls router.
    **** Here is the routing table (sh ip route) from the 3750 @ 172.17.1.1
    Gateway of last resort is 172.17.1.2 to network 0.0.0.0
    S    192.168.30.0/24 [1/0] via 172.17.1.10
         172.17.0.0/24 is subnetted, 3 subnets
    S       172.17.200.0 [1/0] via 172.17.1.2
    C       172.17.1.0 is directly connected, Vlan20
    S       172.17.100.0 [1/0] via 172.17.1.3
         172.18.0.0/24 is subnetted, 1 subnets
    S       172.18.1.0 [1/0] via 172.17.1.10
    S    192.168.11.0/24 [1/0] via 172.17.1.10
         10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
    S       10.2.0.0/24 [1/0] via 172.17.1.10
    S       10.10.10.0/24 [1/0] via 172.17.1.10
    S       10.20.0.0/24 [1/0] via 172.17.1.10
    S       10.3.0.128/25 [1/0] via 172.17.1.10
    S    192.168.1.0/24 [1/0] via 172.17.1.10
    S*   0.0.0.0/0 [1/0] via 172.17.1.2
    *** Here is the firewall config (5510):
    ASA Version 8.4(1)
    hostname RVGW
    domain-name ************
    enable password b5aqRk/6.KRmypWW encrypted
    passwd 1ems91jznlfZHhfU encrypted
    names
    interface Ethernet0/0
    nameif Outside
    security-level 10
    ip address 5.29.79.10 255.255.255.248
    interface Ethernet0/1
    nameif Inside
    security-level 100
    ip address 172.17.1.2 255.255.255.0
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif management
    security-level 100
    ip address 172.19.1.1 255.255.255.0
    management-only
    banner login RedV GW
    ftp mode passive
    dns server-group DefaultDNS
    domain-name RedVector.com
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network WiFi
    subnet 172.17.100.0 255.255.255.0
    description WiFi
    object network inside-net
    subnet 172.17.1.0 255.255.255.0
    object network NOSPAM
    host 172.17.1.60
    object network BH2
    host 172.17.1.60
    object network EX2
    host 172.17.1.61
    description Internal Exchange / Outbound SMTP
    object network Mail2
    host 5.29.79.11
    description Ext EX2
    object network NETWORK_OBJ_172.17.1.240_28
    subnet 172.17.1.240 255.255.255.240
    object network NETWORK_OBJ_172.17.200.0_24
    subnet 172.17.200.0 255.255.255.0
    object network VPN-CLIENT
    subnet 172.17.200.0 255.255.255.0
    object-group service DM_INLINE_TCP_1 tcp
    port-object eq www
    port-object eq https
    object-group network DM_INLINE_NETWORK_1
    network-object object BH2
    network-object object NOSPAM
    object-group network VPN-CLIENT-PAT-SOURCE
    description VPN-CLIENT-PAT-SOURCE
    network-object object VPN-CLIENT
    object-group network LAN-NETWORKS
    network-object 10.10.10.0 255.255.255.0
    network-object 10.2.0.0 255.255.255.0
    network-object 10.3.0.0 255.255.255.0
    network-object 172.17.100.0 255.255.255.0
    network-object 172.18.1.0 255.255.255.0
    network-object 192.168.1.0 255.255.255.0
    network-object 192.168.11.0 255.255.255.0
    network-object 192.168.30.0 255.255.255.0
    object-group network VPN-POOL
    network-object 172.17.200.0 255.255.255.0
    object-group protocol DM_INLINE_PROTOCOL_1
    protocol-object ip
    protocol-object icmp
    access-list Outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq smtp
    access-list Outside_access_in extended permit tcp any object BH2 object-group DM_INLINE_TCP_1
    access-list global_mpc extended permit ip any any
    access-list Inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
    pager lines 24
    logging enable
    logging asdm informational
    no logging message 106015
    no logging message 313001
    no logging message 313008
    no logging message 106023
    no logging message 710003
    no logging message 106100
    no logging message 302015
    no logging message 302014
    no logging message 302013
    no logging message 302018
    no logging message 302017
    no logging message 302016
    no logging message 302021
    no logging message 302020
    flow-export destination Inside 172.17.1.52 9996
    mtu Outside 1500
    mtu Inside 1500
    mtu management 1500
    ip local pool VPN 172.17.1.240-172.17.1.250 mask 255.255.255.0
    ip local pool VPN2 172.17.200.100-172.17.200.200 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (Inside,Outside) source static EX2 Mail2
    nat (Inside,Outside) source static any any destination static NETWORK_OBJ_172.17.1.240_28 NETWORK_OBJ_172.17.1.240_28
    nat (Inside,Outside) source static any any destination static NETWORK_OBJ_172.17.200.0_24 NETWORK_OBJ_172.17.200.0_24
    nat (Inside,Outside) source static inside-net inside-net destination static NETWORK_OBJ_172.17.1.240_28 NETWORK_OBJ_172.17.1.240_28
    nat (Inside,Outside) source static LAN-NETWORKS LAN-NETWORKS destination static VPN-POOL VPN-POOL
    object network inside-net
    nat (Inside,Outside) dynamic interface
    object network NOSPAM
    nat (Inside,Outside) static 5.29.79.12
    nat (Outside,Outside) after-auto source dynamic VPN-CLIENT-PAT-SOURCE interface
    access-group Outside_access_in in interface Outside
    access-group Inside_access_in in interface Inside
    route Outside 0.0.0.0 0.0.0.0 5.29.79.9 1
    route Inside 10.2.0.0 255.255.255.0 172.17.1.1 1
    route Inside 10.3.0.0 255.255.255.128 172.17.1.1 1
    route Inside 10.10.10.0 255.255.255.0 172.17.1.1 1
    route Inside 172.17.100.0 255.255.255.0 172.17.1.3 1
    route Inside 172.18.1.0 255.255.255.0 172.17.1.1 1
    route Inside 192.168.1.0 255.255.255.0 172.17.1.1 1
    route Inside 192.168.11.0 255.255.255.0 172.17.1.1 1
    route Inside 192.168.30.0 255.255.255.0 172.17.1.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server RedVec protocol ldap
    aaa-server RedVec (Inside) host 172.17.1.41
    ldap-base-dn DC=adrs1,DC=net
    ldap-group-base-dn DC=adrs,DC=net
    ldap-scope subtree
    ldap-naming-attribute sAMAccountName
    ldap-login-password *****
    ldap-login-dn CN=Hanna\, Roger,OU=Humans,OU=WPLAdministrator,DC=adrs1,DC=net
    server-type microsoft
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 172.17.1.0 255.255.255.0 Inside
    http 24.32.208.223 255.255.255.255 Outside
    snmp-server host Inside 172.17.1.52 community *****
    snmp-server location Server Room 3010
    snmp-server contact Roger Hanna
    snmp-server community *****
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map Outside_map interface Outside
    crypto ikev1 enable Outside
    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 30
    authentication crack
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet 172.17.1.0 255.255.255.0 Inside
    telnet timeout 5
    ssh 172.17.1.0 255.255.255.0 Inside
    ssh timeout 5
    console timeout 0
    dhcpd address 172.17.1.100-172.17.1.200 Inside
    dhcpd dns 172.17.1.41 172.17.1.42 interface Inside
    dhcpd lease 100000 interface Inside
    dhcpd domain adrs1.net interface Inside
    threat-detection basic-threat
    threat-detection statistics
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    webvpn
    group-policy RedV internal
    group-policy RedV attributes
    wins-server value 172.17.1.41
    dns-server value 172.17.1.41 172.17.1.42
    vpn-tunnel-protocol ikev1
    default-domain value ADRS1.NET
    group-policy RedV_1 internal
    group-policy RedV_1 attributes
    wins-server value 172.17.1.41
    dns-server value 172.17.1.41 172.17.1.42
    vpn-tunnel-protocol ikev1
    split-tunnel-policy tunnelspecified
    default-domain value adrs1.net
    username rparker password FnbvAdOZxk4r40E5 encrypted privilege 15
    username rparker attributes
    vpn-group-policy RedV
    username mhale password 2reWKpsLC5em3o1P encrypted privilege 0
    username mhale attributes
    vpn-group-policy RedV
    username dcoletto password g53yRiEqpcYkSyYS encrypted privilege 0
    username dcoletto attributes
    vpn-group-policy RedV
    username rhanna password Pd3E3vqnGmV84Ds2 encrypted privilege 15
    username rhanna attributes
    vpn-group-policy RedV
    tunnel-group RedV type remote-access
    tunnel-group RedV general-attributes
    address-pool VPN2
    authentication-server-group RedVec
    default-group-policy RedV
    tunnel-group RedV ipsec-attributes
    ikev1 pre-shared-key *****
    class-map global-class
    match access-list global_mpc
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    class global-class
      flow-export event-type all destination 172.17.1.52
    service-policy global_policy global
    prompt hostname context
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    hpm topN enable
    Cryptochecksum:202ad58ba009fb24cbd119ed6d7237a9

    Hi Roger,
    I bet you already checked it, but does the MPLS end router have a route to the VPN client subnet 172.17.200.x (or a default) pointing to the core router?
    Also, if the MPLS link has any /30 subnet assigned, you may need to include that as well in object-group LAN-NETWORKS.
    Thx
    MS
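Both replies in this thread come down to checking which next hop a given destination resolves to on each device. The following is an added example, not code from the thread: a parser for the IOS `show ip route` output the poster pasted from the 3750, plus a longest-prefix-match lookup over it. The embedded table is the poster's; the addresses looked up are constructed. The parsing detail worth knowing is that after a "... is subnetted, N subnets" header the child routes omit their mask and inherit the header's, while after "... is variably subnetted" each child carries its own, and the header line itself is not a route (so 10.3.0.5 falls through to the default even though a 10.0.0.0/8 header appears).

```python
"""Added example, not from the thread: parse IOS `show ip route` output and
resolve destinations by longest-prefix match. The sample table is the 3750's
table from the post; the lookups below are constructed."""

import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Route:
    code: str                           # IOS route code: C, S, S*, O, O IA, ...
    network: ipaddress.IPv4Network
    next_hop: Optional[str] = None      # None for directly connected routes
    interface: Optional[str] = None     # set for directly connected routes
    admin_distance: int = 0
    metric: int = 0


SUBNETTED_RE = re.compile(r"^\s+(\d+(?:\.\d+){3})/(\d+) is (variably )?subnetted")
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z][A-Z0-9* ]{0,4}?)\s+(?P<net>\d+(?:\.\d+){3})(?:/(?P<len>\d+))?\s+"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\] via (?P<nh>\d+(?:\.\d+){3})"
    r"|is directly connected, (?P<intf>\S+))"
)


def parse_show_ip_route(text):
    """Return a list of Route objects; header lines set the mask children inherit."""
    routes, inherited_len = [], None
    for line in text.splitlines():
        m = SUBNETTED_RE.match(line)
        if m:
            # "variably subnetted": children carry their own mask; otherwise they inherit
            inherited_len = None if m.group(3) else int(m.group(2))
            continue
        m = ROUTE_RE.match(line)
        if not m:
            continue                     # legend, "Gateway of last resort", blank lines
        plen = m["len"] if m["len"] is not None else inherited_len
        if plen is None:
            raise ValueError(f"cannot determine mask for: {line.strip()!r}")
        routes.append(Route(
            code=m["code"].strip(),
            network=ipaddress.ip_network(f"{m['net']}/{plen}", strict=False),
            next_hop=m["nh"],
            interface=m["intf"],
            admin_distance=int(m["ad"] or 0),
            metric=int(m["metric"] or 0),
        ))
    return routes


def lookup(routes, address):
    """Longest-prefix match; None only when nothing (not even a default) matches."""
    addr = ipaddress.ip_address(address)
    best = None
    for r in routes:
        if addr in r.network and (best is None or r.network.prefixlen > best.network.prefixlen):
            best = r
    return best


# The 3750's table as pasted in the post (leading spaces on the header lines matter).
SHOW_IP_ROUTE = """\
Gateway of last resort is 172.17.1.2 to network 0.0.0.0
S    192.168.30.0/24 [1/0] via 172.17.1.10
     172.17.0.0/24 is subnetted, 3 subnets
S       172.17.200.0 [1/0] via 172.17.1.2
C       172.17.1.0 is directly connected, Vlan20
S       172.17.100.0 [1/0] via 172.17.1.3
     172.18.0.0/24 is subnetted, 1 subnets
S       172.18.1.0 [1/0] via 172.17.1.10
S    192.168.11.0/24 [1/0] via 172.17.1.10
     10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
S       10.2.0.0/24 [1/0] via 172.17.1.10
S       10.10.10.0/24 [1/0] via 172.17.1.10
S       10.20.0.0/24 [1/0] via 172.17.1.10
S       10.3.0.128/25 [1/0] via 172.17.1.10
S    192.168.1.0/24 [1/0] via 172.17.1.10
S*   0.0.0.0/0 [1/0] via 172.17.1.2
"""

if __name__ == "__main__":
    table = parse_show_ip_route(SHOW_IP_ROUTE)
    for dst in ("10.2.0.125", "172.17.200.150", "172.17.1.55", "10.3.0.5"):
        r = lookup(table, dst)
        via = r.next_hop or f"connected {r.interface}"
        print(f"{dst:16} -> {r.network} via {via} ({r.code})")
```

Running the same lookup on the MPLS router's table for a VPN-pool address is the check MS asks for; if the only match there is a default pointing away from the core, the return traffic never comes back, which is consistent with a tracert that shows the first hop and then times out.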

  • PTP (Precision Time Protocol) configuration

    Hi,
    Has anyone configured PTP on IE-3000 switches? I have some problems with the configuration and operation. Below is a summary of what I've done and the problems.
    There are two IE-3000 switches with ip services 15.0(2)SE4 IOS. One has been configured in boundary mode to become the master clock and the other one has been left in e2etransparent mode. There are two inter-connection links (via Cat6 ethernet cable) on the Gi1/1 and Gi1/2 interfaces on both switches. All inter-connect ports are up and running. Both switches have the same IOS and the same hardware, almost identical except for IP configuration etc. The main problem is that SW2 is not able to sync with SW1 as master clock (this is my understanding), and also it seems PTP on SW1 has a wrong reading of the local clock time. But in fact I have an NTP server in the network and NTP is synced. I've included some of the configuration and output here; if someone has experience in configuring and running PTP I would be thankful if they could give me some help here.
    Regards,
    Tohid
    Configuration on SW1:
    ptp mode boundary
    ptp priority1 10
    ptp priority2 128
    ptp time-property persist 300
    SW1#show ptp clock
    PTP CLOCK INFO
      PTP Device Type: Boundary clock
      Clock Identity: 0x8:CC:68:FF:FE:7F:73:80
      Clock Domain: 0
      Number of PTP ports: 10
      Priority1: 10
      Priority2: 128
      Clock Quality:
            Class: 248
            Accuracy: Unknown
            Offset (log variance): N/A
      Offset From Master: 0
      Mean Path Delay: 0
      Steps Removed: 0
      Local clock time: 00:30:30 UTC Mar 1 1993
    SW1#sh clock
    16:18:10.856 UTC Thu Feb 27 2014
    SW1#sh ntp status
    Clock is synchronized, stratum 3, reference is 10.1.1.1
    nominal freq is 119.2092 Hz, actual freq is 119.2091 Hz, precision is 2**17
    reference time is D6B9E25E.3EAA5D0E (16:12:14.244 UTC Thu Feb 27 2014)
    clock offset is 45.5794 msec, root delay is 1.42 msec
    root dispersion is 57.46 msec, peer dispersion is 5.25 msec
    loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000000985 s/s
    system poll interval is 64, last update was 423 sec ago.
    SW2#sh ptp clock
    PTP CLOCK INFO
      PTP Device Type: End to End transparent clock
      Clock Identity: 0x3C:E:23:FF:FE:44:92:80
      Clock Domain: 0
      Number of PTP ports: 10
      Delay Mechanism: End to End
      Local clock time: 01:08:13 UTC Mar 4 1993
    SW2#sh ptp port gi 1/1
    PTP PORT DATASET: GigabitEthernet1/1
      Port identity: clock identity: 0x3C:E:23:FF:FE:44:92:80
      Port identity: port number: 9
      PTP version: 2
    Port state FAULTY: FALSE
    SW1#sh ptp port gi 1/1
    PTP PORT DATASET: GigabitEthernet1/1
      Port identity: clock identity: 0x8:CC:68:FF:FE:7F:73:80
      Port identity: port number: 9
      PTP version: 2
      Port state: MASTER
      Delay request interval(log mean): 5
      Announce receipt time out: 3
      Peer mean path delay: 0
      Announce interval(log mean): 1
      Sync interval(log mean): 0
      Delay Mechanism: End to End
      Peer delay request interval(log mean): 0
      Sync fault limit: 500000000

    So if I have a L2 network consisting of several access switches connected via trunks to a distribution, with PTP clients in differing VLANs, as long as each VLAN has a connection to the PTP source then the client will receive the PTP timestamp, although subject to switching delays?

  • CAPWAP APs drop off the 7500 controller

    I have a multiple 7500 flex controller deployed with over 2000 APs each on them and I notice that APs occasionally drop off.  When I find these APs I am able to telnet to them and I have found a fix for getting them back on the controller, but I want to know why this happens and if there is a way to avoid the problem.
    Observed:
    The APs have telnet enabled so I can get to the CLI.  Once in I do a dir command and see that there is little to no memory available (512 bytes to 0 bytes) in the flash memory.  I see that there are 5 large log files; file names are in the commands below.  When I do a show logging command I see the following over and over again:
    *Oct  3 20:31:44.102: %CAPWAP-3-ERRORLOG: Certificate verification failed!
    *Oct  3 20:31:44.102: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:447 Certificate verified failed!
    *Oct  3 20:31:44.102: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 10.128.5.5:5246
    *Oct  3 20:31:44.102: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.128.5.5:5246
    *Oct  3 20:31:44.103: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.
    *Oct  3 20:32:48.999: %CAPWAP-3-ERRORLOG: Selected MWAR 'tc-cl-wlc01'(index 0).
    *Oct  3 20:32:48.999: %CAPWAP-3-ERRORLOG: Go join a capwap controller
    *Oct  3 20:31:44.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.128.5.5 peer_port: 5246
    *Oct  3 20:31:44.125: CRYPTO_PKI: New CRL Not Valid - expired (router time not synched to CA?)
    *Oct  3 20:31:44.125:  CRL expires: 05:29:39 UTC Mar 3 2012
    *Oct  3 20:31:44.125:  Router time: 20:31:44 UTC Oct 3 2013
    *Oct  3 20:31:44.125: %PKI-4-CRLINSERTFAIL: Trustpoint "Trustpool2" unknown (error 1804:E_VALIDITY : validity period start later than end)Peer certificate verification failed 0059
    To resolve:
    The working theory is that the flash gets filled up with log files and is unable to download the certificate from the controller during the join process.  I delete the logs with the commands below and then do a wr mem and a copy run start and then reload.  This will fix the problem every time.
    delete /force flash:ap_log_r0_0.log
    delete /force flash:ap_log_r1_0.log
    delete /force flash:ap_log_r0_1.log
    delete /force flash:ap_log_r0_2.log
    delete /force flash:ap_log_r1_1.log
    delete /force flash:ap_log_r1_2.log
    Other info
    - currently running an engineering code of 7.3.113.12 on one 7500 and 7.4.110 on another, both seem to be having this issue.  I do not have this issue on a 5508 running 7.5 code.  Currently getting 7.4 vetted for deployment.
    Good luck with this one

    I have seen this issue, but only with older model access points, and it doesn't have to be flexconnect and it doesn't matter what WLC code version you're running.  For problematic access points, I always check the flash to verify if there are logs or not, and delete them in order to get the AP back up.  Again, I have only seen this with older non-802.11n access points.
    Thanks,
    Scott
    Help out others by using the rating system and marking answered questions as "Answered"
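    As an added example (not part of this thread and not Cisco's own tooling): a small Python script that scans AP log lines like the ones quoted in the post for the certificate-verification, DTLS fatal-alert and CRL-validity messages, and compares the AP's reported clock with the CRL expiry so an operator can tell a clock or stale-CRL problem from a controller-certificate problem. The syslog lines in the sample are copied from the post; the trailing `dir`-style line is constructed to show that non-syslog lines are ignored. The counters and the wording of the findings are this example's own choices.

```python
import re
from datetime import datetime

# Sample input: the log lines quoted in the post above, plus one constructed
# non-syslog line (a dir listing fragment) to show that it is skipped.
SAMPLE_LOG = """\
*Oct  3 20:31:44.102: %CAPWAP-3-ERRORLOG: Certificate verification failed!
*Oct  3 20:31:44.102: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:447 Certificate verified failed!
*Oct  3 20:31:44.102: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 10.128.5.5:5246
*Oct  3 20:31:44.102: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.128.5.5:5246
*Oct  3 20:31:44.103: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.
*Oct  3 20:32:48.999: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Oct  3 20:31:44.125: CRYPTO_PKI: New CRL Not Valid - expired (router time not synched to CA?)
*Oct  3 20:31:44.125:  CRL expires: 05:29:39 UTC Mar 3 2012
*Oct  3 20:31:44.125:  Router time: 20:31:44 UTC Oct 3 2013
*Oct  3 20:31:44.125: %PKI-4-CRLINSERTFAIL: Trustpoint "Trustpool2" unknown (error 1804:E_VALIDITY : validity period start later than end)Peer certificate verification failed 0059
    2  -rwx     1048576   <no date>  ap_log_r0_0.log
"""

# IOS-style syslog line: "*Mon dd hh:mm:ss.mmm: <message>"
LINE_RE = re.compile(r"^\*(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d\.\d+): (?P<msg>.*)$")
# DTLS fatal alert sent by the AP, with the controller it was sent to
ALERT_RE = re.compile(r"%DTLS-5-SEND_ALERT: Send FATAL : (?P<alert>.+?) Alert to (?P<peer>[\d.]+):(?P<port>\d+)")
# The two timestamps IOS prints when it rejects a CRL on validity grounds
TIME_RE = re.compile(r"^\s*(?P<label>CRL expires|Router time): (?P<when>\d\d:\d\d:\d\d UTC [A-Z][a-z]{2} \d+ \d{4})$")
TIME_FMT = "%H:%M:%S UTC %b %d %Y"


def parse_ap_log(text):
    """Return (timestamp, message) pairs for every syslog-style line; other lines are skipped."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            records.append((m.group("ts"), m.group("msg")))
    return records


def summarize_join_failures(text):
    """Count the DTLS/PKI symptoms of a failed CAPWAP join and measure AP clock vs. CRL expiry."""
    summary = {
        "cert_verify_failures": 0,
        "dtls_fatal_alerts": [],      # (alert type, controller ip:port)
        "crl_expired": False,
        "crl_expires": None,
        "router_time": None,
        "clock_vs_crl_days": None,    # AP clock minus CRL expiry, in whole days
        "join_attempts": 0,
    }
    for _ts, msg in parse_ap_log(text):
        low = msg.lower()
        # Both spellings appear in the AP log ("verification failed" / "verified failed")
        if "certificate verification failed" in low or "certificate verified failed" in low:
            summary["cert_verify_failures"] += 1
        alert = ALERT_RE.search(msg)
        if alert:
            summary["dtls_fatal_alerts"].append(
                (alert.group("alert"), f"{alert.group('peer')}:{alert.group('port')}"))
        if "CRL Not Valid - expired" in msg:
            summary["crl_expired"] = True
        when = TIME_RE.match(msg)
        if when:
            key = "crl_expires" if when.group("label") == "CRL expires" else "router_time"
            summary[key] = datetime.strptime(when.group("when"), TIME_FMT)
        if "Go join a capwap controller" in msg:
            summary["join_attempts"] += 1
    if summary["crl_expires"] and summary["router_time"]:
        summary["clock_vs_crl_days"] = (summary["router_time"] - summary["crl_expires"]).days
    return summary


def findings(summary):
    """Turn the counters into the checks an operator would run next."""
    notes = []
    if summary["cert_verify_failures"]:
        notes.append(f"{summary['cert_verify_failures']} certificate verification failures")
    peers = sorted({peer for _alert, peer in summary["dtls_fatal_alerts"]})
    if peers:
        notes.append("DTLS fatal alerts sent to " + ", ".join(peers))
    if summary["crl_expired"] and summary["clock_vs_crl_days"] is not None:
        notes.append(
            f"cached CRL expired {summary['clock_vs_crl_days']} days before the AP's own clock; "
            "check the AP's time source and CRL freshness before suspecting the controller certificate")
    return notes


if __name__ == "__main__":
    for note in findings(summarize_join_failures(SAMPLE_LOG)):
        print("-", note)
```

    Run against a real `show logging` capture, the three findings separate the questions an operator has to answer in order: is the AP failing to verify the controller's certificate at all, which controller is it talking to, and is the AP's own clock consistent with the revocation data it holds. Only the last one is a time-source problem; the first two can also come from a full flash, as the post describes.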

  • L2VPN between ASR9000 and ME3800x

    Hi,
    I'm trying to set up a L2VPN(Vlan Mode) between a trunk port on an ASR9000, and an ME3800x.
    The ASR is set up with an EFP:
    interface GigabitEthernet0/0/0/19.912 l2transport
    encapsulation dot1q 912
    rewrite ingress tag pop 1 symmetric
    mtu 1618
    l2vpn
    pw-class VlanMode
    encapsulation mpls
    transport-mode vlan
      xconnect group orkide
        p2p OrkideSurnadal
        interface GigabitEthernet0/0/0/19.912
        neighbor xxx.xxx.xxx.75 pw-id 912
         pw-class VlanMode
    On the other side I have terminated the xconnect on an ME3800x:
    interface Vlan912
       mtu 1600
       no ip address
       xconnect xxx.xxx.xxx.82 912 encapsulation mpls
    end
    The VC is UP:
    Local intf     Local circuit              Dest address    VC ID      Status
    Vl912          Eth VLAN 912               xxx.xxx.xxx.82    912        UP
    Is this the correct way to do this?
    I can't get this to work like it should. If I should do this with switches, I would just configure a vlan from end-to-end.
    Thanks in advance,
    Jan Ove Greger

    Hi,
    I'm sorry for the confusion, but there is an MPLS network between them.
    I tried using VC5/Ethernet mode, and the xconnect is UP again:
    Group orkide, XC OrkideSurnadal, state is up; Interworking none
    AC: GigabitEthernet0/0/0/19.912, state is up
    Type VLAN; Num Ranges: 1
    VLAN ranges: [912, 912]
    MTU 1600; XC ID 0x40011; interworking none
    Statistics:
    packets: received 134, sent 12
    bytes: received 9112, sent 816
    drops: illegal VLAN 0, illegal length 0
    PW: neighbor 85.93.224.75, PW ID 912, state is up ( established )
    PW class not set, XC ID 0x40011
    Encapsulation MPLS, protocol LDP
    PW type Ethernet, control word disabled, interworking none
    PW backup disable delay 0 sec
    Sequencing not set
    MPLS         Local                          Remote
    Label        16003                          20
    Group ID     0x5c0                          0x0
    Interface    GigabitEthernet0/0/0/19.912    unknown
    MTU          1600                           1600
    Control word disabled                       disabled
    PW type      Ethernet                       Ethernet
    VCCV CV type 0x2                            0x2
    (LSP ping verification)        (LSP ping verification)
    VCCV CC type 0x6                            0x2
    (router alert label)           (router alert label)
    (TTL expiry)
    MIB cpwVcIndex: 0
    Create time: 30/01/2012 19:52:07 (00:04:34 ago)
    Last time status changed: 30/01/2012 19:52:07 (00:04:34 ago)
    Statistics:
    packets: received 12, sent 134
    bytes: received 816, sent 9112
    But still no connection or MAC addresses on vlan 912 on the trunk of the ME3800x.
    For testing we have set up a network 10.33.33.1/24 on vlan 912 of the AC on the ASR. On the trunk port of the ME3800x we have a 3560 where we also have configured 10.33.33.10/24 on vlan 912.
    So they should be able to see each other, but they don't...
    Regards,
    JoG

  • Frame structure after bgp send-label

    Refer to the article at the link:
    http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080110be9.html
    I need some information about the data plane. When a packet goes from one side to the other, how does the frame format change?

    Mohammed,
    To cut the confusion short here, the original post was about the data plane, so the explanation should not give rise to any confusion; in fact it fits the bill well.
    In fact giving a reference to a standard Inter-AS configuration or RFC would be termed inappropriate in this specific scenario.
    The logic behind giving an explanation was to elaborate on the data flow, whereas standards only describe the control plane of the flow. The explanation would answer the question of whether the frame format changes: no, it doesn't. Inter-AS is only a means of advertising IGP and VPN labels across ASes, as MPLS at the end of the day is bothered only about labels to switch data.
    Hope I have been clear.
    Xiao,
    The book by Ivan is a good resource. Since you would like to know when LDP is replaced by BGP, and what the data plane is for the same, I would suggest that rather than going by the standard CCO documents or RFC, you may want to try the small lab exercise below. This will help you understand the concept inside out.
    1) Form IGP adjacency between your ASBR's and enable LDP and everything will work fine.
    2) Or mutual Redistribution of IGP into local BGP and advertise to other AS and do vice versa, and run LDP on the link between both ASBR's. This will work still.
    Here the point you will note is that in the real world ISPs won't allow each other to run an IGP with each other (unless both ASes are controlled by a single entity), nor perform an IGP<->BGP mutual redistribution.
    So exchanging the topmost labels with IPV4 BGP which supports exchange of routes with labels to be used to reach those routes is implemented.
    PS: Do note that labels are not generated by LDP for BGP routes, that is the main reason this whole jugglery is done.
    HTH-Cheers,
    Swaroop

  • Still having VPN nightmares

    I'm having trouble connecting via VPN to my Mac Mini running OSX Lion Server
    I have a host name setup with dyndns
    I can ping both the domain name and external IP address fine from another machine, but trying to connect using ANYTHING except the internal IP address gives no result whatsoever
    Suggestions?

  • MST BPDU via EoMPLS Pseudowire Connections

    Hi All,
    I've been trying to change the STP mode of my MPLS aggregation switches to MST for many reasons, but without success. (Currently all switches are working on PVST+.)
    Below given my sample network topology, configurations on both switches and pseudowire configurations and error message.
    ME3750(SW1) --- 7609 (EoMPLS pseudowire - VLAN 2500) 12406 -- ME3750(SW2)
    Configurations
    ==========
    ME3750(SW1)
    =============
    spanning-tree mode mst
    spanning-tree extend system-id
    spanning-tree mst configuration
    name MPLS
    revision 10
    instance 10 vlan 2-99
    instance 20 vlan 100-1999
    instance 30 vlan 2000-4094
    spanning-tree mst 0,10,20,30 priority 24576
    vlan 3,100,850,2500,3030
    7609-PE
    =======
    interface GigabitEthernet0/1.2500
    description *** MST_TEST ***
    encapsulation dot1Q 2500
    xconnect 10.2.0.5 2500 encapsulation mpls
    end
    ME3750(SW2)
    ===========
    spanning-tree mode mst
    spanning-tree extend system-id
    spanning-tree mst configuration
    name MPLS
    revision 10
    instance 10 vlan 2-99
    instance 20 vlan 100-1999
    instance 30 vlan 2000-4094
    12406-PE
    =======
    interface GigabitEthernet2/1/0.2500
    description *** MST_TEST ***
    encapsulation dot1Q 2500
    xconnect 10.1.0.8 2500 encapsulation mpls
    end
    There is a VLAN based EoMPLS configuration on VLAN 2500 on the MPLS edges.
    When the MST configuration was done, the uplink trunk port of the ME3750(SW1) was blocked with the following error.
    *Mar  1 02:45:11.920: %SPANTREE-2-PVSTSIM_FAIL: Blocking designated port Gi0/1: Inconsitent superior PVST BPDU received on VLAN 2500, claiming root 24576:001a.a2b5.7d00
    While I googled, I found one post saying to change the priority of the MST regions to higher, hence forcing one switch to become ROOT. Accordingly I changed the priority of ME3750(SW1) but the problem still remains.
    Can anyone of you experts help me out to get this sorted?
    Note: I've not enabled native VLAN on both switches towards the MPLS PEs and also haven't enabled any L2 protocols via the pseudowire connection.
    Thank you all,
    Chaminda

    Hi Laurant,
    Thanks for your reply.
    Actually my requirement is to have local MST regions per MPLS PE. That is why I specifically block the native VLAN passing through the PW and did not enable any L2 protocols via the PW. (I believe this is a good practice.. ;-) )
    BTW  I'll clear STP protocol as you suggested and see the results.
    Also I can not configure port mode PW, since all my L2 & L3 customers interface with MPLS PE via this Gig interface.
    My understanding is that MST BPDUs pass through the native VLAN. Hence in my scenario, if I'm not passing the native VLAN through the PW, what could be the reason for blocking the entire port due to the "inconsistent superior BPDU received via VLAN 2500"?
    Do I need to block STP on the 7609 box itself? (I read one blog asking to disable STP on the SUP720 on the 7609.)
    Please clarify.
    Thank You,
    Chaminda

  • Cross-site Layer2 VPN

    In the diagram I have 2 sites. In site 1 I have 2 PE devices with VLANs 3 and 33 in the VTP database and a couple of servers in both VLANs. I need to extend both VLANs' broadcast domain to the site 2 access layer switches. MPLS/LDP is enabled on the PEs. I am assuming that without another access layer attached to PE3/PE4 with a trunk interface I cannot enable a pseudowire on PE3/PE3, since I need an (L3, without an IP address) interface to enable xconnect on. Will a VLAN-based pseudowire work? But it will need a SIP card on the PEs since they are 6509s!!
    Any comment? Let me know if you need more clarification.
    Francisco.

    Hi Francisco,
    You're right. You need a SIP card for your uplinks if you want to apply the xconnect to an SVI interface.
    You could try creating a trunk for VLAN 3 and 33 between PE3 and PE4. Assuming all the servers are connected to PE3 (there are 2x PE3 on your drawing ;-) ), you could apply the xconnect on PE4 trunk interface only to PE1 as primary and PE2 as secondary:
    xconnect 192.168.124.1 10 encapsulation mpls
    backup peer 192.168.124.2 20
    HTH
    Laurent.

  • Can't get L2L VPN up between ASA and Fortinet (IKEv2)

    Hi,
    I'm having issues getting a L2L tunnel up between a Cisco ASA and a Fortinet. This is the first tunnel being set up with IKEv2. The ASA is complaining that it can't find a matching policy.
    The Fortinet device is configured by other party and I have confirmed that they are using the agreed settings.
    Configuration from the ASA:
    crypto ipsec ikev2 ipsec-proposal AES-3DES-SHA1
     protocol esp encryption 3des
     protocol esp integrity sha-1
    crypto map VPN 100 match address ABC
    crypto map VPN 100 set pfs group5
    crypto map VPN 100 set peer x.x.x.x
    crypto map VPN 100 set ikev2 ipsec-proposal AES-3DES-SHA1
    crypto map VPN 100 set security-association lifetime seconds 28800
    crypto map VPN interface outside
    crypto ikev2 policy 10
     encryption aes-256 3des
     integrity sha256 sha
     group 5
     prf sha256
     lifetime seconds 86400
    crypto ikev2 enable outside
    tunnel-group x.x.x.x type ipsec-l2l
    tunnel-group x.x.x.x ipsec-attributes
     ikev2 remote-authentication pre-shared-key blablabla
     ikev2 local-authentication pre-shared-key blablabla
    Debugs say that there is no matching policy:
    IKEv2-PROTO-3: (97): Get peer authentication method
    IKEv2-PROTO-3: (97): Get peer's preshared key for x.x.x.x
    IKEv2-PROTO-3: (97): Verify authentication data
    IKEv2-PROTO-3: (97): Use preshared key for id x.x.x.x, key len 15
    IKEv2-PROTO-2: (97): Processing auth message
    IKEv2-PROTO-1: (97): Failed to find a matching policy
    IKEv2-PROTO-1: (97): Received Policies:
    ESP: Proposal 1:  3DES SHA96
    IKEv2-PROTO-1: (97): Failed to find a matching policy
    IKEv2-PROTO-1: (97): Expected Policies:
    IKEv2-PROTO-5: (97): Failed to verify the proposed policies
    IKEv2-PROTO-1: (97): Failed to find a matching policy

    Dear Robert,
    The above error from the ASA indicates there may be a problem with your preshared key, at both the local and remote sites, or an out-of-sync problem with the remote end/peer. Give more details about your Watchguard version and what application it is running. Send the complete log of
    1. sh crypto ipsec sa
    2. sh crypto isakmp sa
    3. debug crypto isa 255
    4. debug crypto ipsec 255
