MTU Question.
Can someone please explain the two different behaviours of MTU as per the output below:
In the first output, why don't we see packet loss although the packet size is bigger than the MTU size?
Whereas in output 2 we notice packet loss, where the packet size is 1481 and the MTU size is 1480.
=== Output 1 ===
ROU#sh int t3
Tunnel3 is up, line protocol is up
Hardware is Tunnel
Description: ***Connect to Ro_03 Tunnel1 Fe0/0/0***
Internet address is 21.233.41.21/30
MTU 17920 bytes, BW 4096 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive set (10 sec), retries 3
Tunnel source 21.233.7.22 (GigabitEthernet0/0/4), destination
21.233.41.246
Tunnel Subblocks:
src-track:
Tunnel3 source tracking subblock associated with
GigabitEthernet0/0/4
Set of tunnels with source GigabitEthernet0/0/4, 10 members (includes iterators), on interface <OK>
Tunnel protocol/transport IP/IP
Tunnel TTL 255, Fast tunneling enabled
Tunnel transport MTU 1480 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 12000 bits/sec, 1 packets/sec
5 minute output rate 13000 bits/sec, 1 packets/sec
16274329 packets input, 3173533969 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
18686934 packets output, 8984626725 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
ITC#ping
Protocol [ip]:
Target IP address: 21.233.41.22
Repeat count [5]: 1000
Datagram size [100]: 2048
Timeout in seconds [2]:
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 1000, 2048-byte ICMP Echos to 21.233.41.22, timeout is 2 seconds:
Success rate is 100 percent (1000/1000), round-trip min/avg/max = 33/33/76 ms
=== Output 2 ===
ROU#ping
Protocol [ip]:
Target IP address: 21.233.179.241
Repeat count [5]: 1000
Datagram size [100]: 1481
Timeout in seconds [2]:
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 1000, 1481-byte ICMP Echos to 21.233.179.241, timeout is 2 seconds:
Success rate is 98 percent (984/1000), round-trip min/avg/max = 69/70/175 ms
===
Best Regards,
Hi,
I think you should move this post to the appropriate section because I don't see any relationship with IPv6 here.
Hi, if you had an MTU problem all your packets should be dropped, and you would have to set the DF bit in the extended ping to test, because by default, if the DF bit is not set, the routers will fragment the packets.
Regards.
Alain.
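A worked model of the behaviour Alain describes, added here as an example (it is not code from this thread): it applies IPv4 fragmentation to the two pings above against the 1480-byte tunnel transport MTU from Output 1, and shows what happens instead when the DF bit is set. It assumes, as IOS extended ping does, that "Datagram size" is the total IPv4 length including the 20-byte header, and that "Tunnel transport MTU 1480" is the largest inner packet the tunnel forwards unfragmented.

```python
"""IPv4 fragmentation across the IP/IP tunnel from the thread (added example).

Assumptions (not stated in the thread): the extended-ping "Datagram size" is
the total IPv4 length including the 20-byte header, and "Tunnel transport
MTU 1480" is the largest inner packet the tunnel forwards without fragmenting.
"""
from dataclasses import dataclass
from typing import List, Optional

IPV4_HEADER = 20
# Bytes the outer header adds per encapsulation; IP/IP is the tunnel in Output 1.
ENCAP_OVERHEAD = {"ipip": 20, "gre": 24}


@dataclass
class Fragment:
    total_length: int     # header + data bytes of this fragment on the wire
    offset: int           # IPv4 Fragment Offset field, in units of 8 bytes
    more_fragments: bool  # MF flag


def transport_mtu(physical_mtu: int, encap: str) -> int:
    """Largest inner IPv4 packet that fits one outer packet of the tunnel.

    Output 1's tunnel is sourced from a 1500-byte GigabitEthernet interface,
    so an IP/IP tunnel reports 'Tunnel transport MTU 1480' (1500 - 20).
    """
    return physical_mtu - ENCAP_OVERHEAD[encap]


def fragment(total_length: int, mtu: int, df: bool = False,
             header: int = IPV4_HEADER) -> Optional[List[Fragment]]:
    """Split an IPv4 datagram the way a router does (RFC 791).

    Returns the fragments, or None when the packet does not fit and DF is
    set: the router drops it and answers with ICMP 'fragmentation needed'.
    """
    if total_length <= mtu:
        return [Fragment(total_length, 0, False)]
    if df:
        return None
    per_frag = (mtu - header) // 8 * 8   # data per fragment, multiple of 8
    if per_frag <= 0:
        raise ValueError("MTU too small to carry any fragment data")
    data_len = total_length - header
    frags, offset = [], 0
    while offset < data_len:
        chunk = min(per_frag, data_len - offset)
        last = offset + chunk >= data_len
        frags.append(Fragment(header + chunk, offset // 8, not last))
        offset += chunk
    return frags


def describe(total_length: int, mtu: int, df: bool) -> str:
    """One-line verdict for an echo of `total_length` bytes through `mtu`."""
    frags = fragment(total_length, mtu, df)
    if frags is None:
        return (f"{total_length}-byte echo, DF set, MTU {mtu}: dropped, "
                f"ICMP type 3 code 4 (fragmentation needed) sent back")
    if len(frags) == 1:
        return f"{total_length}-byte echo fits MTU {mtu}: forwarded intact"
    sizes = " + ".join(str(f.total_length) for f in frags)
    return (f"{total_length}-byte echo, DF clear, MTU {mtu}: fragmented "
            f"into {len(frags)} packets ({sizes}); the receiver reassembles "
            f"and replies, so ping reports success")


if __name__ == "__main__":
    mtu = transport_mtu(1500, "ipip")      # 1480, as in Output 1
    print(describe(2048, mtu, df=False))   # Output 1: 100% success
    print(describe(1481, mtu, df=False))   # Output 2: fragmented into 2, still answered
    print(describe(1481, mtu, df=True))    # the test Alain suggests
    print(describe(1480, mtu, df=True))    # largest size that passes with DF set
```

In IOS extended ping the DF bit is set by answering y to "Extended commands" and then yes to "Set DF bit in IP header?"; a too-large echo then shows as M (could not fragment) rather than a timeout, which separates a real MTU problem from the 1.6% loss in Output 2.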
Similar Messages
-
Hi. I owned a WRK54G for a few years and just replaced it with a WRT54GS. I'm not too knowledgeable in the area, but I've been wondering what a good MTU to start off with would be. I have most of the other settings down.
The Optimum Online website didn't have any info. So, I found a FAQ for Optimum Online on dslreports.com. They stated that an MTU value of 1500 should be used as well, so I'll go with them. I have another noob question that's been bothering me. I realized that I purchased version 6 of the router, while the newest version is 7. Looking at Wikipedia, I see that version 7 has a faster clock speed. I won't be using third party firmware, so does it matter?
-
ASR - IPSEC, GRE, channel group, and MTU Questions
I have an ASR1004 and am trying to load-balance a 1.5G data rate over two 1-Gig ports using IPSEC ports, but I have a few questions.
1. Can GRE support a 9K mtu
2. Can you run IPSEC on a channel-group
3. Can the ASR load-balance per- S&D on a channel-group?
I currently have two separate tunnels, one on each outbound gig link with OSPF running. However, I can't get a 7000 mtu w/ the DF bit set through to the distant end. I am guessing this is because of the GRE interface.
So is it possible to run IPSEC on a channel-group and have this load balance per S&D? I need to use the BW of both ports.
Thanks for the help!
With the ASR1004 router we can only send packets with a maximum MTU size of 1438 bytes over the encrypted tunnel.
-
MTU for AToM question...
Hi:
I have a question regarding AToM.
Say I have CE1---PE1----P1----P2----PE2-----CE2
CE1 to PE1 - Ethernet 802.1Q
CE2 to PE2 - FR
To get AToM up and working, would I need to change the mtu on the PE and P routers in the core?
And if so to what value?
What command would I use, if I had to: mtu or mpls mtu?
Thanks for your help.
Sincerely.
So you would want to change the mpls mtu on the PE and P routers to accommodate a full Ethernet frame plus the two MPLS labels and any other additional info, like control words or a VLAN tag you might be transferring across the backbone. A value like 1514 would work, but if you ever decide to do straight Ethernet-to-Ethernet L2VPN with QinQ, then you would be up to 1530. If you maybe did serial links in the future, you'd maybe be up to 4480-4490.
In most SP environments I've worked in, it's standard to set the MPLS backbone mpls mtu to 9100 or 9192 at install time to remove any issues with the backbone MTU.
Mpls mtu only affects handling of labeled packets, not unlabeled packets.
-
OSPF 'ip ospf mtu-ignore' Question
Hey Guys,
If I have a router with 3 sub interfaces off of a GigabitEthernet interface which is directly connected to a switch via a trunk, would I need to set 'ip ospf mtu-ignore'?
I'm assuming that if I'm running subinterfaces using dot1q, the MTU in the DBD packets will be 1504, and when it hits either a router port on an L3 switch or an SVI it would be 1500?
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
John, the router's subinterface and the switch's trunk should "hide" the VLAN tags. I.e. there shouldn't be any need for mtu-ignore (at least I never recall a need for it on such configurations).
-
I'm not sure if I am in the correct section.
We have an MPLS network with DS3s. From what I understand (and correct me if I am wrong), MPLS puts 4 bytes on the packet. Our serial has an MTU size of 4470. Our Ethernet has an MTU size of 1500.
Do I need to change the MTU size, and if so on which interface do I need to make this change. My thinking is to change it on the serial interface (MTU => 4466).
Am I right in my assumption?
Hi,
MPLS will add 4 extra bytes to the plain IP packet. Applications of MPLS (MPLS-VPN, AToM, MPLS TE, MPLS QoS) will add stacks of labels to the IP packet. So if you are running MPLS applications on your network then the Layer 2 MTU of the physical media should be capable of handling these extra stacks of labels.
In your case, since the DS3 has an MTU of 4470 and most data packets come from Ethernet, it is capable of carrying MPLS-labelled packets. You need to increase the MPLS MTU of your Ethernet media = physical MTU + no. of label stacks (depends on applications). It is advisable to configure the MPLS MTU on the Ethernet interface to 1546 (1500 bytes + 46 bytes extra... though it is more than needed for basic MPLS or MPLS VPN, considering future development it will be better to keep the MPLS MTU at a higher value).
Note: the MPLS MTU command is applicable only to labelled packets. If any unlabelled packet larger than 1500 bytes enters the Ethernet interface then it'll get fragmented or dropped (depending on the DF bit flag in the IP header).
int ethernet0
mpls mtu 1546
HTH....
-
Hi All
The question is pretty simple. I can successfully connect to my ASA 5505 firewall via the Cisco VPN client (64-bit); I can ping any IP address on the LAN behind the ASA, but none of the LAN computers can see or ping the IP address which is assigned to my VPN client from the ASA VPN pool.
The LAN behind the ASA is 192.168.0.0 and the VPN pool for the Cisco VPN client is 192.168.30.0.
I would appreciate some help please.
Here is the config:
ASA Version 7.2(4)
hostname ciscoasa
domain-name default.domain.invalid
enable password J7NxNd4NtVydfOsB encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.0.11 EXCHANGE
name x.x.x.x WAN
name 192.168.30.0 VPN_POOL2
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address WAN 255.255.255.252
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
boot system disk0:/asa724-k8.bin
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list nk-acl extended permit tcp any interface outside eq smtp
access-list nk-acl extended permit tcp any interface outside eq https
access-list customerVPN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 VPN_POOL2 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list VPN_NAT extended permit ip VPN_POOL2 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_POOL2 192.168.30.10-192.168.30.90 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (inside) 10 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 10 access-list VPN_NAT outside
static (inside,outside) tcp interface smtp EXCHANGE smtp netmask 255.255.255.255
static (inside,outside) tcp interface https EXCHANGE https netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group nk-acl in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
snmp-server host inside 192.168.0.16 community public
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd dns 217.27.32.196
dhcpd address 192.168.0.100-192.168.0.200 inside
dhcpd dns 192.168.0.10 interface inside
dhcpd enable inside
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
group-policy customerVPN internal
group-policy customerVPN attributes
dns-server value 192.168.0.10
vpn-tunnel-protocol IPSec
password-storage enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value customerVPN_splitTunnelAcl
default-domain value customer.local
username xxx password 8SYsAcRU4s6DpQP1 encrypted privilege 0
username xxx attributes
vpn-group-policy TUNNEL1
username xxx password C6M4Xy7t0VOLU3bS encrypted privilege 0
username xxx attributes
vpn-group-policy PAPAGROUP
username xxx password RU2zcsRqQAwCkglQ encrypted privilege 0
username xxx attributes
vpn-group-policy customerVPN
username xxx password zfP8z5lE6WK/sSjY encrypted privilege 15
tunnel-group customerVPN type ipsec-ra
tunnel-group customerVPN general-attributes
address-pool VPN_POOL2
default-group-policy customerVPN
tunnel-group customerVPN ipsec-attributes
pre-shared-key *
tunnel-group-map default-group DefaultL2LGroup
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:a4dfbb82008f78756fe4c7d029871ec1
: end
ciscoasa#
Well, lots of new features have been hinted at for ASA 9.2 but I've not seen anything as far as an Engineering Commit or Customer Commit for that feature.
Site-to-site VPN in multiple context mode was added in 9.0(1) and I have customers who have been asking for the remote access features as well.
I will remember to ask about that at Cisco Live next month.
-
ASA 5505 Interface Security Level Question
I am wondering if someone can shed some light on this for me. I have a new ASA 5505 with a somewhat simple config. I want to set up a guest VLAN on it for a guest wireless connection.
I set up the ASA with the VLAN, made a trunk port, set up DHCP (on the ASA) on the guest VLAN, configured NAT, etc. Everything seems to be working with that. Guests are getting addresses on the correct subnet, etc.
The only issue I have is that the Guest VLAN (192.168.22.0) can get to the secure VLAN (VLAN1 - 172.16.0.0). I set up the guest VLAN (VLAN 5) with a security level of 10, the secure one with a level of 100. I figured that would be enough. To stop the guests from accessing the secure VLAN, I had to throw on an ACL (access-list Guest-VLAN_access_in line 1 extended deny ip any 172.16.0.0 255.255.255.0).
Can someone show me what I did wrong?
Thank you for any help!
To create the VLAN, I did the following:
int vlan5
nameif Guest-VLAN
security-level 10
ip address 192.168.22.1 255.255.255.0
no shutdown
int Ethernet0/1
switchport trunk allowed vlan 1 5
switchport trunk native vlan 1
switchport mode trunk
no shutdown
Below is the whole config.
Result of the command: "sho run"
: Saved
ASA Version 9.1(3)
hostname ciscoasa
enable password zGs7.eQ/0VxLuSIs encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
switchport trunk allowed vlan 1,5
switchport trunk native vlan 1
switchport mode trunk
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 172.16.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address <External IP/Mask>
interface Vlan5
nameif Guest-VLAN
security-level 10
ip address 192.168.22.1 255.255.255.0
boot system disk0:/asa913-k8.bin
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Inside_Server1_80
host <Inside_server1_IP>
object network Inside_Server1_25
host <Inside_server1_IP>
object network Inside_Server1_443
host <Inside_server1_IP>
object network Inside_Server1_RDP
host <Inside_server1_IP>
object service RDP
service tcp destination eq 3389
object network Outside_Network1
host <Outside_Network_IP>
object network Outside_Network2
host <Outside_Network_IP>
object network Outside_Network2
host <Outside_Network_IP>
object network TERMINALSRV_RDP
host <Inside_server2_IP>
object network Inside_Server2_RDP
host <Inside_Server2_IP>
object-group network Outside_Network
network-object object Outside_Network1
network-object object Outside_Network2
object-group network RDP_Allowed
description Group used for hosts allowed to RDP to Inside_Server1
network-object object <Outside_Network_3>
group-object Outside_Network
object-group network SBS_Services
network-object object Inside_Server1_25
network-object object Inside_Server1_443
network-object object Inside_Server1_80
object-group service SBS_Service_Ports
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq smtp
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit object-group SBS_Service_Ports any object-group SBS_Services
access-list outside_access_in extended permit object RDP any object TERMINALSRV_RDP
access-list outside_access_in extended permit object RDP object-group RDP_Allowed object Inside_Server1_RDP
access-list outside_access_in extended permit object RDP object-group RDP_Allowed object Inside_Server2_RDP
access-list Guest-VLAN_access_in extended deny ip any 172.16.0.0 255.255.255.0
access-list Guest-VLAN_access_in extended permit ip any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu Guest-VLAN 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
object network obj_any
nat (inside,outside) dynamic interface
object network Inside_Server1_80
nat (inside,outside) static interface service tcp www www
object network Inside_Server1_25
nat (inside,outside) static interface service tcp smtp smtp
object network Inside_Server1_443
nat (inside,outside) static interface service tcp https https
object network Inside_Server1_RDP
nat (inside,outside) static interface service tcp 3389 3389
object network TERMINALSRV_RDP
nat (inside,outside) static <TerminalSRV_outside)IP> service tcp 3389 3389
object network Inside_Server2_RDP
nat (inside,outside) static interface service tcp 3389 3390
nat (Guest-VLAN,outside) after-auto source dynamic obj_any interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group Guest-VLAN_access_in in interface Guest-VLAN
route outside 0.0.0.0 0.0.0.0 <Public_GW> 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 172.16.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
dhcpd address 192.168.22.50-192.168.22.100 Guest-VLAN
dhcpd dns 8.8.8.8 4.2.2.2 interface Guest-VLAN
dhcpd lease 43200 interface Guest-VLAN
dhcpd enable Guest-VLAN
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 129.6.15.30 prefer
username <Username> VAn7VeaGHX/c7zWW encrypted privilege 15
class-map global-class
match default-inspection-traffic
policy-map global-policy
class global-class
inspect icmp
inspect icmp error
inspect pptp
service-policy global-policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:7f5d70668ebeb94f49f312612f76c943
: end
Hi,
To my understanding they should not be able to connect to the more secure network IF you DON'T have an interface ACL configured.
One very important thing to notice, and which I think is the most likely reason this happened, is the fact that as soon as you attach an interface ACL to an interface, the "security-level" loses its meaning. The "security-level" has meaning as long as the interface is without an ACL. This makes the "security-level" only usable in very simple setups.
What I think happened is that you have a "permit ip any any" ACL on the interface that allowed all the traffic.
Your option is to either remove the interface ACL completely or have the ACL configured like you have now. I mean first block traffic to your secure LAN and then allow all other traffic, which would allow the traffic to the Internet.
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed.
- Jouni
-
Question in asa site-site vpn about "ident" ??
Hi all,
I have a topology as:
(192.168.0.0/24)LAN1----------------asa1---------------internet-----------------------asa2------------------LAN2(192.168.2.0/24)
Now, LAN 1 can reach LAN 2 by site-to-site VPN,
but I have a question:
when I have
#sh crypto ipsec sa
====================================================================
interface: outside
Crypto map tag: Azure_IPSecCryptoMap, seq num: 2, local addr: xxxx
access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.255.0 any
local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer: xxxxx
#pkts encaps: 294823, #pkts encrypt: 294823, #pkts digest: 294823
#pkts decaps: 208795, #pkts decrypt: 208795, #pkts verify: 208795
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 294823, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: xxxxxxxxxx/0, remote crypto endpt.: xxxxxxxx/0
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 81F3ABF6
current inbound spi : FAE91312
inbound esp sas:
spi: 0xFAE91312 (4209578770)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 10670080, crypto-map: Azure_IPSecCryptoMap
sa timing: remaining key lifetime (kB/sec): (4373327/621)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x81F3ABF6 (2180230134)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 10670080, crypto-map: Azure_IPSecCryptoMap
sa timing: remaining key lifetime (kB/sec): (4370375/621)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
================================================================================
My problem is
that my asa1 LAN1 can only reach asa2 if its destination is subnet 192.168.2.0/24; I mean if I request the internet I can't reach it!!!
Note that the crypto_map ACL says destination "any" will go to asa2, but why, when I request the destination of LAN2, does it respond, and if I request 8.8.8.8 it doesn't reach asa2??
I used packet tracer to investigate; it seems to be stuck!!!
How do I change the remote ident as in the red line above??? I think it is the issue that is preventing me from reaching the internet via asa2.
Again,
what issue in the ASA has a relation to the remote ident and how can I change it?
Any help?
regards
CSCO,
The lines below match the interesting traffic for this VPN. You will not see a specific host address unless you configure that within your crypto ACL. Basically you have some host in network 192.168.0.0/24 (LOCAL) going to 192.168.2.0/24 (REMOTE). The REMOTE IDENT is the remote network where the remote host resides, which matches your interesting traffic.
So long story short, you have some local host in the 192.168.1.0/24 range going to some host in the 192.168.2.0/24 range.
This ACL has to do with the address you map to the match address line of your crypto map.
access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.255.0 any
local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
-
Clientless SSL VPN and ActiveX question
Hey All,
First post for me here, so be gentle. I'll try to be as detailed as possible.
With the vast majority of my customers, I am able to configure an IPsec L2L VPN and narrow the traffic down to a very minimal set of ports. However, I have a customer that does not want to allow an L2L VPN tunnel between their remote site and their NOC center. I thought this might be a good opportunity to get a clientless (they don't want to have to launch and log into a separate client) SSL VPN session set up. Ultimately, this will be 8 individual sites, so setting up SSL VPNs at each site would be cost prohibitive from a licensing perspective. My focus has been on using my 5510 (v8.2(5)) at my corp site as the centralized portal entrance, and creating bookmarks to each of the other respective sites, since I already have existing IPsec VPNs via ASA5505 (same rev as the 5510) set up with each of the sites.
First issue I've run into is that I can only access bookmarks that point to the external address for the remote web-server (the site has a static entry mapping an external address to the internal address of the web server). I am unable to browse (via bookmark) to the internal address of the remote web server. Through my browser at the office, I can access the internal address fine, just not through the SSL VPN portal. I am testing this external connectivity using a cell card to be able to simulate outside access. Is accessing the external IP address by design, or do I have something hosed?
Second issue I face is when I access the external address through the bookmark, I am ultimately able to log onto my remote website, and do normal browsing and javascript-type functions. I am not able to use controls that require my company's ActiveX controls (video, primarily). I did enable ActiveX relay, and that did allow the browser to start prompting me to install the controls as expected, but that still didn't allow the video stream through. The stream only runs at about 5 fps, so it's not an intense stream.
I have researched hairpinning for this situation, and "believe" that I have the NAT properly defined - even going as far as doing an ANY ANY, just for testing purposes to no avail. I do see a decent number of "no translates" from a show nat:
match ip inside any outside any
NAT exempt
translate_hits = 8915, untranslate_hits = 6574
access-list nonat extended permit ip any any log notifications
access-list nonat extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 192.168.16.32 255.255.255.224 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 192.168.17.0 255.255.255.0 192.168.16.32 255.255.255.224
access-list nonat extended permit ip 192.168.16.32 255.255.255.224 192.168.17.0 255.255.255.0
access-list nonat extended permit ip 192.168.17.0 255.255.255.0 172.16.250.0 255.255.255.0
access-list nonat extended permit ip 192.168.16.32 255.255.255.224 172.16.250.0 255.255.255.0
access-list nonat extended permit ip 192.168.16.32 255.255.255.224 172.16.254.0 255.255.255.0
access-list nonat extended permit ip 192.168.17.0 255.255.255.0 172.16.254.0 255.255.255.0
access-list nonat extended permit ip 192.168.17.0 255.255.255.0 host A-172.16.9.34
access-list nonat extended permit ip 192.168.18.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 192.168.18.0 255.255.255.0 192.168.16.32 255.255.255.224
access-list nonat extended permit ip 192.168.18.0 255.255.255.0 192.168.17.0 255.255.255.0
access-list nonat extended permit ip 192.168.18.0 255.255.255.0 172.16.250.0 255.255.255.0
access-list nonat extended permit ip 192.168.18.0 255.255.255.0 172.16.254.0 255.255.255.0
access-list nonat extended permit ip 192.168.18.0 255.255.255.0 host A-172.16.9.34
access-list nonat extended permit ip 192.168.17.0 255.255.255.0 192.168.18.0 255.255.255.0
access-list nonat extended permit ip 192.168.16.32 255.255.255.224 192.168.18.0 255.255.255.0
access-list nonat extended permit ip 192.168.16.32 255.255.255.224 host 172.16.62.57
access-list nonat extended permit ip 192.168.17.0 255.255.255.0 host 172.16.62.57
access-list nonat extended permit ip 192.168.18.0 255.255.255.0 host 172.16.62.57
access-list nonat extended permit ip 192.168.17.0 255.255.255.0 172.16.8.0 255.255.254.0
access-list nonat extended permit ip 192.168.16.32 255.255.255.224 172.16.8.0 255.255.254.0
access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 192.168.2.0 255.255.255.0
access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 192.168.17.0 255.255.255.0
access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 192.168.18.0 255.255.255.0
access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 172.16.250.0 255.255.255.0
access-list D_Traffic extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list D_Traffic extended permit ip 192.168.17.0 255.255.255.0 192.168.16.32 255.255.255.224
access-list D_Traffic extended permit ip 192.168.17.0 255.255.255.0 192.168.18.0 255.255.255.0
access-list D_Traffic extended permit ip 192.168.18.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list D_Traffic extended permit ip 192.168.18.0 255.255.255.0 192.168.16.32 255.255.255.224
access-list D_Traffic extended permit ip 192.168.18.0 255.255.255.0 192.168.17.0 255.255.255.0
access-list D_Traffic extended permit ip 192.168.18.0 255.255.255.0 172.16.250.0 255.255.255.0
access-list D_Traffic extended permit ip 192.168.17.0 255.255.255.0 172.16.250.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.16.32 255.255.255.224 host A-172.16.9.34
access-list outside_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 host A-172.16.9.34
access-list outside_1_cryptomap extended permit ip 192.168.18.0 255.255.255.0 host A-172.16.9.34
access-list outside_1_cryptomap extended permit ip 192.168.16.32 255.255.255.224 host 172.16.62.57
access-list outside_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 host 172.16.62.57
access-list outside_1_cryptomap extended permit ip 192.168.18.0 255.255.255.0 host 172.16.62.57
access-list External_VPN extended permit ip 192.168.16.32 255.255.255.224 172.16.254.0 255.255.255.0
access-list External_VPN extended permit ip 192.168.17.0 255.255.255.0 172.16.254.0 255.255.255.0
access-list outside_in extended permit icmp any any log notifications
access-list outside_in extended permit tcp any any log notifications
pager lines 24
logging enable
logging asdm informational
logging ftp-server 192.168.16.34 / syslog *****
mtu inside 1500
mtu outside 1500
ip local pool Remote 172.16.254.1-172.16.254.25 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.16.32 255.255.255.224
nat (inside) 1 192.168.17.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_in in interface outside
192.168.2.0 is my corp network range
192.168.2.171 is my internal IP for corp ASA5510
97.x.x.x is the external interface for my corp ASA5510
192.168.16.34 is the internal interface for the remote ASA5505
64.x.x.x is the external interface for the remote ASA5505
192.168.17.0, and 192.168.18.0 are two other private LANS behind the remote 5505
As you can see, I have things reasonably wide open - with no port restrictions on this one yet - this is for troubleshooting purposes, and it will get restrictive as soon as I figure this out. Right now, the ASA5510 is pretty restrictive, and to be brutally honest, I'm not certain I'm even using the packet tracer 100% properly to be able to simulate coming from the outside of the network through my ASA5510, out to a remote ASA5505, and to a web server behind that 5505. I'm sure that the issue is probably going to be a mix of ACLs between the 5510 and the 5505.
I guess the main question, is Clientless SSL VPN really a good choice for this, or are there other real alternatives - especially since my client doesn't want to have to install, or use an actual client (like AnyConnect), nor do they want to have an always-on IPSEC VPN. Am I going about this the right way? Anyone have any suggestions, or do I have my config royally hosed?
Thanks much for any and all ideas!
Hey All, I appreciate all of the views on this post. I would appreciate any input - even if you think it might be far-fetched. I'm grasping at straws, and am super-hesitant to tell my customer this is even remotely possible if I can't have a POC myself. Thanks, in advance!!
-
Netboot will not work, getting globe, then flashing folder with question mark.
I just created a netboot image which went off without any problems. I copied the two .nbi folders to my NetBootSP0 folder, and enabled them within netboot. My OS X server is my netboot server and DHCP server. When I boot using N or Option N, I get the flashing globe for several seconds, the request goes through to the server and gets ACK {SELECT}; however, a few more seconds after, I get the flashing folder and question mark before it does a normal boot. I have read the other posts about DHCP and subnets. My server and clients are all 255.255.0.0. Any suggestions would be very helpful as I need this to work for several buildings.
This might work for some:
I had the same problem of the netboot image not mounting/opening, spinning globe then booting back to the Mac HD on the client, and it was only when I remembered that we had manually experimented with jumbo frame rates and the MTU settings for our 32TB RAID in the Hardware settings for Ethernet ports on our servers. I turned the settings back to "Automatic" and 1000baseT on, then the whole NetInstall and NetBoot was working perfectly again. -
DNS and Static IP Address Question on Solaris v10 X86
I've recently installed Solaris v10 X86 and have two questions. The system is a Dell E521 with 4GB RAM and 1GB SysKonnect NIC, and internet is provided via a cable modem, that's plugged into a Netgear router, and the Solaris 10 box is plugged into the Netgear router via a CAT5 ethernet cable.
1. I can connect to my router login page using the following URL:
http://192.168.1.1/start.htm and I can also connect to various web pages such as yahoo, if I first "ping yahoo.com" (on another machine that's internet enabled) and then plug the web site's ip address into the Solaris/Mozilla browser. So it appears that I haven't been successful at pointing the Solaris x86 at a DNS server to resolve the DNS name.
2. I've purchased a commercially available software package and it requires a static ip address for this Solaris x86 server. If the ip address changes, it'll stop working by design and require that I reacquire the license file. When connecting through this Netgear router, how do I lock this Solaris v10 x86 server into a specific ip address? (the ip address floats presently when cycling my PC's on/off, and I assume the Solaris box will too, usually through an ip range of 192.168.1.<1 through 5>)
# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
inet 127.0.0.1 netmask ff000000
skge0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
inet 192.168.1.3 netmask ffffff00 broadcast 192.168.1.255
ether 0:0:5a:9b:1f:10
# netstat -rn
Routing Table: IPv4
Destination Gateway Flags Ref Use Interface
192.168.1.0 192.168.1.3 U 1 1 skge0
224.0.0.0 127.0.0.1 U 1 0 lo0
default 192.168.1.1 UG 1 0
127.0.0.1 127.0.0.1 UH 8 163 lo0
Some of the present Netgear router settings:
Internet IP Address
Get Dynamically From ISP (yes)
Use Static IP Address (no)
IP Address 75.185. CROSSED-OUT3
IP Subnet Mask 255.255.248.0
Gateway IP Address 75.185.CROSSED-OUT4
Domain Name Server (DNS) Address
Get Automatically From ISP (yes)
Use These DNS Servers (blank)
Primary DNS ... (blank)
Secondary DNS ... (blank)
Netgear Router Status Page:
Account Name WGT624v3
Hardware Version V3H1
Firmware Version V2.0.16_1.0.1NA
Internet Port
MAC Address 00:40:ca:a8:CROSSED-OUT2
IP Address 75.185.CROSSED-OUT3
DHCP DHCPClient
IP Subnet Mask 255.255.248.0
Domain Name Server 65.24.7.3
65.24.7.6
LAN Port
MAC Address 00:18:4D:85:CROSSED-OUT1
IP Address 192.168.1.1
DHCP ON
IP Subnet Mask 255.255.255.0
Excerpt from doing a prtconf -D command:
pci10de,26f, instance #0 (driver name: pci_pci)
pci1028,8010, instance #0 (driver name: hci1394)
pci1148,5021, instance #0 (driver name: skge)
pci1028,1ed
pci1022,1100
The NIC is a SysKonnect 9821 1GB Ethernet card. The drivers in Solaris 10 were apparently very old and didn't install drivers or configure/plumb when I installed Solaris 10, so I downloaded the latest drivers (hard to find!), followed the instructions and got the NIC drivers installed and then plumbed.
My router's ip address appears to be 192.168.1.1 and in one of the articles I've read, there is a recommendation to create a file (touch) within /etc named defaultrouter and enter the router's ip address. I did this, and the file now contains:
192.168.1.1
I also read where another file called resolv.conf needed to be pointed to a DNS server, which in this case, according to my Netgear router, and according to ipconfig/all on another WinBox on the same network, also shows the same 192.168.1.1 address for the DNS, so I created that file too (wasn't there) and it contains:
nameserver 192.168.1.1
There is a host name file called hostname.skge0 and it contains one line:
INTHOST
There is a hosts file, and it contains:
127.0.0.1 localhost loghost homex86
192.168.1.3 INTHOST
There is a netmasks file, and other than the commented out lines, it appears to contain one relevant line:
192.168.1.0 255.255.255.0
There is a nsswitch.conf file and other than the commented out lines, it contains:
passwd: files
group: files
hosts: files
ipnodes: files
networks: files
protocols: files
rpc: files
ethers: files
netmasks: files
bootparams: files
publickey: files
netgroup: files
automount: files
aliases: files
services: files
printers: user files
auth_attr: files
prof_attr: files
project: files
tnrhtp: files
tnrhdb: files
There is an nsswitch.dns file:
passwd: files
group: files
ipnodes: files dns
networks: files
protocols: files
rpc: files
ethers: files
netmasks: files
bootparams: files
publickey: files
netgroup: files
automount: files
aliases: files
services: files
printers: user files
auth_attr: files
prof_attr: files
project: files
tnrhtp: files
tnrhdb: files
Finally, I've also seen some advice using the following command (and I tried it):
"route add default 192.168.1.1" as an alternative method of setting up route table
The only other command I've tried is:
"ifconfig skge0 192.168.1.1 netmask 255.255.255.0 up" but I suspect that was redundant as the plumb command I used to get the NIC functioning earlier probably already provided what was needed.
Finally, on this small network, I ran an ipconfig/all on a Windows based PC, to see what network settings were reported through the wireless connection, and this is an excerpt of that information:
C:\Documents and Settings\mark_burke>ipconfig/all
Windows IP Configuration
Ethernet adapter Local Area Connection:
Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
Physical Address. . . . . . . . . : (withheld)
Ethernet adapter {xxxxxxxx}:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Nortel IPSECSHM Adapter - Packet Scheduler Min
iport
Physical Address. . . . . . . . . : (withheld)
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 0.0.0.0
Subnet Mask . . . . . . . . . . . : 0.0.0.0
Default Gateway . . . . . . . . . :
Ethernet adapter Wireless Network Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Dell Wireless 1370 WLAN Mini-PCI Card
Physical Address. . . . . . . . . : (withheld)
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.1
> I've recently installed Solaris v10 X86 and have two questions. The system is a Dell E521 with 4GB RAM and 1GB SysKonnect NIC, and internet is provided via a cable modem, that's plugged into a Netgear router, and the Solaris 10 box is plugged into the Netgear router via a CAT5 ethernet cable.
> 1. I can connect to my router login page using the following URL: http://192.168.1.1/start.htm and I can also connect to various web pages such as yahoo, if I first "ping yahoo.com" (on another machine that's internet enabled) and then plug the web site's ip address into the Solaris/Mozilla browser. So it appears that I haven't been successful at pointing the Solaris x86 at a DNS server to resolve the DNS name.
You can either copy nsswitch.dns to nsswitch.conf, or you can modify nsswitch.conf so that 'dns' is used for hostname lookups.
> 2. I've purchased a commercially available software package and it requires a static ip address for this Solaris x86 server. If the ip address changes, it'll stop working by design and require that I reacquire the license file. When connecting through this Netgear router, how do I lock this Solaris v10 x86 server into a specific ip address? (the ip address floats presently when cycling my PC's on/off, and I assume the Solaris box will too, usually through an ip range of 192.168.1.<1 through 5>)
One method is setting the router so that the server's MAC address is tied to a specific IP.
Otherwise you can edit /etc/hostname.<interface> and place a static address there, forgoing DHCP services from the router. You may want the address to appear outside the router's DHCP range.
Darren -
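As an added example (not Darren's or the poster's code), the following Python rewrites the hosts and ipnodes entries of a Solaris nsswitch.conf so that they consult dns, as Darren's first suggestion describes, and reports what is still missing for name resolution. The file contents are constructed from the listings in the question, and the function names are assumptions.

```python
"""Added example: make a Solaris nsswitch.conf consult DNS for name lookups and
check it against resolv.conf. Not code from the thread; file contents below are
constructed from the poster's listings."""
import re

# Constructed sample: the name-lookup databases as the poster listed them
# (hosts and ipnodes both use 'files' only, so DNS names never resolve).
NSSWITCH_CONF = """\
passwd: files
group: files
hosts: files
ipnodes: files
networks: files
"""

# Constructed sample: the resolv.conf the poster created.
RESOLV_CONF = "nameserver 192.168.1.1\n"


def enable_dns_lookups(nsswitch_text: str) -> str:
    """Return nsswitch.conf text with 'dns' appended to the hosts and ipnodes
    sources (the databases Solaris consults for name-to-address lookups).
    Other lines, comments and ordering are preserved; 'dns' is not duplicated."""
    out = []
    for line in nsswitch_text.splitlines():
        m = re.match(r"^(hosts|ipnodes):\s*(.*)$", line)
        if m:
            sources = m.group(2).split()
            if "dns" not in sources:
                sources.append("dns")
            line = f"{m.group(1)}: {' '.join(sources)}"
        out.append(line)
    return "\n".join(out) + "\n"


def lookup_sources(nsswitch_text: str, database: str) -> list[str]:
    """Return the ordered source list for one nsswitch database, or [] if absent."""
    for line in nsswitch_text.splitlines():
        m = re.match(rf"^{database}:\s*(.*)$", line)
        if m:
            return m.group(1).split()
    return []


def dns_findings(nsswitch_text: str, resolv_text: str) -> list[str]:
    """Explain why DNS names may not resolve: both the switch file and the
    resolver config must be in place. Returns an empty list when they are."""
    findings = []
    for db in ("hosts", "ipnodes"):
        if "dns" not in lookup_sources(nsswitch_text, db):
            findings.append(f"nsswitch.conf: '{db}' does not consult dns")
    servers = re.findall(r"^\s*nameserver\s+(\S+)", resolv_text, re.MULTILINE)
    if not servers:
        findings.append("resolv.conf: no nameserver line")
    return findings


if __name__ == "__main__":
    print(dns_findings(NSSWITCH_CONF, RESOLV_CONF))
    fixed = enable_dns_lookups(NSSWITCH_CONF)
    print(fixed)
    print(dns_findings(fixed, RESOLV_CONF))
```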
Essentially, I've been studying for the CCNA and I've decided to purchase some older equipment to set up in my house so I can get some additional practice with the IOS interface. I've been looking at 1760 routers on ebay, and it seems like a pretty good place to start as I would like to actually use the devices in my current LAN, rather than simply setting up a lab.
My question is, could I take a 1760 and connect it to my cable modem, and then connect a switch (say a 2950 that I'll purchase at a later date) to another interface? What add-in cards will I need to make this possible?
Here's a graphic representation of what I'd like to do.
If the 1760 isn't a good choice for this sort of setup, what would you recommend? I'd prefer 100Mbit/sec capable routers if possible.
Thanks for the help/suggestions.
Taylor,
if you have a VLAN capable switch and proper IOS support, you can configure PPPoE client on a subinterface hence you can use the 1760 (or any other router) to connect to the ISP and route between VLANs.
This is my current setup:
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
interface GigabitEthernet0/1.4
encapsulation dot1Q 4
ip pim dense-mode
ip igmp query-interval 125
pppoe enable group global
pppoe-client dial-pool-number 9
interface Dialer9
mtu 1490
bandwidth 4672
bandwidth receive 480
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip policy route-map RM-loop1
dialer pool 9
crypto map CM-1
crypto ipsec client ezvpn witopia_IAD
As you can see I use a subinterface to do PPPoE client and have the Dialer 9 interface receive the public IP address, then I route traffic to other subinterfaces. I used to do that on a 1751 and on a 1721; this is now a 1921.
You need to ensure the PPPoE client on 802.1Q subinterfaces is supported in the IOS version you run and obviously that 802.1Q subinterfaces are supported.
You can do all of that in the cisco feature nav.
Enjoy
Fabio -
DMVPN w/ Multicasting setup/questions
Hello
I have a lot of questions, so bear with me as I puke them out of my head.
I have been doing some testing with DMVPN in conjunction with multicasting video (hub and spoke, w/ no spoke to spoke). The test setup is using 2 Cisco 2811s w/out the VPN module. I understand the performance hit with not having the module. With that being said, here are my questions.
1. With encryption on, both the hub and spoke routers are using 90-97% CPU (8Mb multicast stream). With encryption off, the hub is around 60%, and the spoke around 75%. Here is where I'm confused. If I send that same stream as a unicast stream, w/ encryption on, both the hub and spoke are only using around 30-35% CPU. Why is there so much more CPU needed when it's a multicast stream?
2. In the current config i'm seeing input, throttles, and ignore errors on the Hub and spoke. The Hub has these errors on the LAN interface, and the spoke has these errors on the WAN interface. All other interfaces are totally clean. I have checked and there are no duplex or speed mismatches. Any ideas?
HUB:
Current configuration : 1837 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Hub
boot-start-marker
boot-end-marker
logging message-counter syslog
enable password
no aaa new-model
clock timezone Central -6
dot11 syslog
ip source-route
ip cef
no ip domain lookup
ip name-server 8.8.8.8
ip multicast-routing
no ipv6 cef
multilink bundle-name authenticated
voice-card 0
archive
log config
hidekeys
interface Tunnel1
bandwidth 100000
ip address 192.168.11.1 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 1
ip pim sparse-mode
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp holdtime 450
no ip route-cache cef
ip tcp adjust-mss 1360
no ip split-horizon eigrp 1
delay 1000
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 100000
tunnel bandwidth transmit 100000
tunnel bandwidth receive 100000
interface FastEthernet0/0 (WAN)
ip address 216.x.x.x 255.255.255.192
ip pim sparse-mode
load-interval 30
duplex auto
speed auto
interface FastEthernet0/1 (LAN)
ip address 128.112.64.5 255.255.248.0
ip pim sparse-mode
load-interval 30
duplex auto
speed auto
router eigrp 1
network 128.112.0.0
network 192.168.11.0
auto-summary
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 216.x.x.x
ip http server
ip http authentication local
ip http secure-server
ip pim rp-address 128.112.64.5 10
access-list 10 permit 239.10.0.0 0.0.255.255
snmp-server community public RO
Spoke:
Current configuration : 1857 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Spoke
boot-start-marker
boot-end-marker
logging message-counter syslog
enable password
no aaa new-model
clock timezone central -6
dot11 syslog
ip source-route
ip cef
no ip domain lookup
ip multicast-routing
no ipv6 cef
multilink bundle-name authenticated
voice-card 0
archive
log config
hidekeys
interface Tunnel1
bandwidth 100000
ip address 192.168.11.2 255.255.255.0
no ip redirects
ip mtu 1400
ip pim sparse-mode
ip nhrp map 192.168.11.1 216.x.x.x
ip nhrp map multicast 216.x.x.x
ip nhrp network-id 1
ip nhrp holdtime 450
ip nhrp nhs 192.168.11.1
no ip route-cache cef
ip tcp adjust-mss 1360
no ip split-horizon eigrp 1
delay 1000
tunnel source FastEthernet0/0
tunnel destination 216.x.x.x
tunnel key 100000
tunnel bandwidth transmit 100000
tunnel bandwidth receive 100000
interface FastEthernet0/0 (WAN)
ip address 65.x.x.x 255.255.255.192
ip pim sparse-mode
load-interval 30
duplex auto
speed auto
interface FastEthernet0/1 (LAN)
ip address 128.124.64.1 255.255.248.0
ip pim sparse-mode
ip igmp join-group 239.10.10.10
load-interval 30
duplex auto
speed auto
router eigrp 1
network 128.124.0.0
network 192.168.11.0
auto-summary
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 65.x.x.x
no ip http server
no ip http secure-server
ip pim rp-address 128.112.64.5 10
access-list 10 permit 239.10.0.0 0.0.255.255
snmp-server community public RO
Joe,
You ask the right question.
CPU utilization = CPU consumed by processes + IO operations (in a huge simplification - CEF)
Typically when a packet is processed by a router we expect it to be processed by CEF, i.e. very fast.
Packet is not processed by CEF:
- when there is something missing to route the packet properly (think missing ARP/CAM entry) i.e. additional lookup needs to be done.
- a feature requests that a packet is for processing/mangling
- Packet is destined to the router
(And several other, but those are the major ones).
When a packet is received, but cannot be processed by CEF, we "punt the packet to CPU"; this in turn will cause the CPU for processes to go up.
Now on the spoke this seems to be the problem:
Spoke#show ip cef switching stati
       Reason                          Drop       Punt  Punt2Host
RP LES Packet destined for us             0       1723          0
RP LES Encapsulation resource             0    1068275          0
There were also some failures on one of the buffer outputs you've attached.
Typically at this stage I would suggest:
1) "Upgrade" the device to 15.0(1)M6 or 12.4(15)T (latest image in this branch) and check if the problem persists there.
2) If it does, swing it by TAC. I don't see any obvious mistakes, but I'm just a guy in a chair same as you ;-)
Marcin -
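To make the counter Marcin points at stand out, here is an added parser for "show ip cef switching statistics" output that ranks punt reasons by their share of all punted packets; it is example code, not from the thread, and the sample output (built from the two rows quoted above plus the command's column header), the 0.5 threshold and the handling of a "Total" summary row are assumptions.

```python
"""Added example: rank CEF punt reasons from 'show ip cef switching statistics'.
Not code from the thread; the sample output is constructed."""
import re
from dataclasses import dataclass

# Constructed sample: the two counter rows quoted in Marcin's reply, placed under
# the column header the command prints (prompt and header are skipped by the parser).
SAMPLE = """\
Spoke#show ip cef switching statistics
       Reason                          Drop       Punt  Punt2Host
RP LES Packet destined for us             0       1723          0
RP LES Encapsulation resource             0    1068275          0
"""

# A counter row is free text followed by three integer columns.
ROW = re.compile(r"^(?P<reason>.+?)\s+(?P<drop>\d+)\s+(?P<punt>\d+)\s+(?P<p2h>\d+)\s*$")


@dataclass(frozen=True)
class CefRow:
    reason: str      # switching path plus reason, e.g. "RP LES Encapsulation resource"
    drop: int
    punt: int        # packets punted out of CEF to process switching
    punt2host: int


def parse_cef_stats(text: str) -> list[CefRow]:
    """Parse the counter rows; lines without three trailing integers (prompt,
    header, blanks) are ignored. A row whose reason ends in 'Total' is assumed
    to be a summary line and is skipped so it cannot be double-counted."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m or m["reason"].strip().endswith("Total"):
            continue
        rows.append(CefRow(m["reason"].strip(), int(m["drop"]),
                           int(m["punt"]), int(m["p2h"])))
    return rows


def punt_hotspots(rows: list[CefRow], min_share: float = 0.5):
    """Return (reason, punts, share_of_all_punts) for every reason that accounts
    for at least min_share of punted packets, largest first. One reason with a
    share near 1.0 is the punt path to chase for process-switching CPU load."""
    total = sum(r.punt for r in rows)
    if total == 0:
        return []
    ranked = sorted(rows, key=lambda r: r.punt, reverse=True)
    return [(r.reason, r.punt, r.punt / total)
            for r in ranked if r.punt / total >= min_share]


if __name__ == "__main__":
    for reason, punts, share in punt_hotspots(parse_cef_stats(SAMPLE)):
        print(f"{share:6.1%}  {punts:>10}  {reason}")
```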
A question about Performance Settings
Dear all.
Hi all, I want to add a performance poller for Environmental Temperature.
There is an error as shown in the figure:
The device is a Nexus 7010. Does it support this poller?
If it does, how do I set it up?
Thank you very much.
Peanuts
Thank you for your time and help.
Dumb question: Reflash the firmware
Means install the new firmware listed on this web site?
my old is v3.0.02 build 003 june 4, 2009
The new one is v3.0.02 build 4 12/10/09
The MTU thing I can figure out. click save OK. But what the heck is
Power cycle the router
Un-plug it ?
Sorry to be a pain. Ready to throw this out the window. It works good/great then very poor or not at all, in wireless mode.
The other day on the laptop a friend was connected to an interactive training video for about 30 minutes; worked great.
Then today the Dell with Windows 7 lost the wireless connection.
Thanks