My NBAR peer-to-peer config

I built a config to rate shape P2P traffic on my network to 30k/s. I thought it would be useful for people who are looking to limit peer-to-peer traffic inside their company. If you have any additions or other ideas, let me know.
This is on a Cisco 1751 with IOS 12.3(4)T6. Later versions of 12.3 have newer PDLMs, so you don't have to download them.
You will need to apply it to an interface by using the "service-policy output" command; you also need to have "ip nbar protocol-discovery" turned on on the interface to get statistics.
ip nbar custom bittorrent tcp range 6881 6889
class-map match-any Peer2Peer
 description QoS class map for Peer 2 Peer applications
 match protocol gnutella
 match protocol fasttrack
 match protocol kazaa2
 match protocol napster
 match protocol bittorrent
policy-map Peer2PeerPolicy
 description Throttle P2P applications
 class Peer2Peer
  shape peak 384000

Hi,
How do I apply this class-map to an interface?
If I have a few servers on the same VLAN, can I apply it to the VLAN instead of the individual switch ports?
Best regards, and thanks for any feedback.
Ezequiel

Similar Messages

  • Outbound Dial-Peer from CME to UC540 not working

    Dear Experts,
    We have a HQ UC560 and a new branch with a 2811 router. These sites are connected via VPN using FortiGate. The connectivity between the sites is up and we are able to ping both the sites and the voice networks successfully.
    I have configured the dial-peers on both the sites. The calls from HQ to the local branch are successful without any problem but when we dial from branch to the HQ, we get a fast busy signal. Below is the dial peer config 
    HQ -
    dial-peer voice 300 voip
     destination-pattern 3..
     session target ipv4:192.168.110.1
     dtmf-relay h245-alphanumeric
     no vad
    Branch - 
     dial-peer voice 800 voip
     destination-pattern 8..
     session target ipv4:192.168.201.2
     dtmf-relay h245-alphanumeric
     no vad
    Csim results from Branch  - 
    csim start 891
    csim: called number = 891, loop count = 1 ping count = 0
    csim err csimDisconnected recvd DISC cid(786)
    csim: loop = 1, failed = 1
    csim: call attempted = 1, setup failed = 1, tone failed = 0
    Kindly please advise. thanks.

    Hi, as suspected, it is the Toll Fraud App that rejected the call from the BR site.
    1076043: Oct 11 14:36:29.759: //282614/B639957688BC/CCAPI/cc_api_call_setup_ind_common:
       Set Up Event Sent;
       Call Info(Calling Number=308(TON=Unknown, NPI=Unknown, Screening=Not Screened, Presentation=Allowed),
       Called Number=807(TON=Unknown, NPI=Unknown))
    1076047: Oct 11 14:36:29.763: //282614/B639957688BC/CCAPI/cc_process_call_setup_ind:
       >>>>CCAPI handed cid 282614 with tag 300 to app "_ManagedAppProcess_TOLLFRAUD_APP"
    1076048: Oct 11 14:36:29.763: //282614/B639957688BC/CCAPI/ccCallDisconnect:
       Cause Value=21, Tag=0x0, Call Entry(Previous Disconnect Cause=0, Disconnect Cause=0)
    You need to add the BR GW IP address (192.168.110.1) under 'voice service voip > ip address trusted list' as given below.
    voice service voip
     ip address trusted list
      ipv4 192.168.110.1
    For your reference: https://supportforums.cisco.com/document/46566/understanding-toll-fraud-enhancements-1512t
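The trace in the answer above can be summarised automatically. This added example (not part of the original thread) groups CCAPI debug records by call id and lists the calls that were handed to the toll-fraud application and then disconnected with cause 21; the second call in the sample and its app name are constructed for contrast.

```python
import re

# Constructed input: the first call is the CCAPI trace quoted in the answer
# above; the second call is a made-up normal call added for contrast.
SAMPLE_DEBUG = """\
1076043: Oct 11 14:36:29.759: //282614/B639957688BC/CCAPI/cc_api_call_setup_ind_common:
   Set Up Event Sent;
   Call Info(Calling Number=308(TON=Unknown, NPI=Unknown, Screening=Not Screened, Presentation=Allowed),
   Called Number=807(TON=Unknown, NPI=Unknown))
1076047: Oct 11 14:36:29.763: //282614/B639957688BC/CCAPI/cc_process_call_setup_ind:
   >>>>CCAPI handed cid 282614 with tag 300 to app "_ManagedAppProcess_TOLLFRAUD_APP"
1076048: Oct 11 14:36:29.763: //282614/B639957688BC/CCAPI/ccCallDisconnect:
   Cause Value=21, Tag=0x0, Call Entry(Previous Disconnect Cause=0, Disconnect Cause=0)
1076101: Oct 11 14:40:02.101: //282615/C000000000AA/CCAPI/cc_api_call_setup_ind_common:
   Set Up Event Sent;
   Call Info(Calling Number=309(TON=Unknown, NPI=Unknown, Screening=Not Screened, Presentation=Allowed),
   Called Number=808(TON=Unknown, NPI=Unknown))
1076105: Oct 11 14:40:02.105: //282615/C000000000AA/CCAPI/cc_process_call_setup_ind:
   >>>>CCAPI handed cid 282615 with tag 300 to app "_ManagedAppProcess_Default"
1076190: Oct 11 14:41:10.500: //282615/C000000000AA/CCAPI/ccCallDisconnect:
   Cause Value=16, Tag=0x0, Call Entry(Previous Disconnect Cause=0, Disconnect Cause=0)
"""

# Record header: "<seq>: <timestamp>: //<call id>/<guid>/CCAPI/<event>:"
HEADER = re.compile(
    r"^\s*\d+:\s+[*.]?(\w{3}\s+\d+\s+[\d:.]+):\s+//(-?\d+)/\w+/CCAPI/\w+:")

# Fields that appear on the header line or on its continuation lines.
FIELDS = {
    "calling": re.compile(r"Calling Number=([^(,\s]+)"),
    "called": re.compile(r"Called Number=([^(,\s]+)"),
    "tag": re.compile(r"handed cid \d+ with tag (\d+) to app"),
    "app": re.compile(r'to app "([^"]+)"'),
    "cause": re.compile(r"\bCause Value=(\d+)"),
}

REJECTED = "21"  # Q.850 cause 21, "call rejected", as in the trace above


def parse_ccapi(text):
    """Group CCAPI debug records by call id and collect the fields above."""
    calls = {}
    current = None
    for line in text.splitlines():
        head = HEADER.match(line)
        if head:
            when, call_id = head.group(1), head.group(2)
            current = calls.setdefault(
                call_id, {"call_id": call_id, "first_seen": when})
        if current is None:
            continue  # text before the first record header
        for name, rx in FIELDS.items():
            m = rx.search(line)
            if m and name not in current:
                current[name] = m.group(1)
    return calls


def tollfraud_rejections(text):
    """Calls handed to the toll-fraud app and disconnected with cause 21."""
    return [call for call in parse_ccapi(text).values()
            if "TOLLFRAUD" in call.get("app", "")
            and call.get("cause") == REJECTED]


if __name__ == "__main__":
    for call in tollfraud_rejections(SAMPLE_DEBUG):
        print("{first_seen} call {call_id}: {calling} -> {called} "
              "rejected on dial-peer tag {tag}".format(**call))
```

Each reported call is either a legitimate peer missing from the trusted list, as in this thread, or an untrusted source that the feature blocked as intended.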

  • Adding new peer without removing cmap from interface.

    I have a frustrating issue with a dynamic VPN head end running IOS 15.2 on 2900's. I have existing keyrings and isakmp profiles (both main and aggressive) running. When I add in a new peer, by adding in a keyring pre-shared statement and a match identity in the isakmp profile, phase 1 builds but phase 2 only gets right to the end and the Cisco side resets the connection because it did not get back a response to its Phase 2 proposal.
    I have tried a number of soft clear commands to remedy this (I do have 16 other production tunnels I do not want to take down), to no avail. This is very consistent. We had this happen last week in the same manner, and the TAC finally said I must reboot the system. So I removed the cmap from the interface, and reapplied it (using notepad to do it all at once). All the tunnels dropped, and after a few manual restarts on the far end for those tunnels that are temperamental, all tunnels came back up, including my new add.
    I have a pair of 3900's running 15.1 code in the US that terminate the same tunnels, and I can add and remove PEERS all day long without resetting anything. Has anyone encountered this before? Could there be a more polite way of resetting whatever it is that removing the CMAP does to allow my new peer to get the full treatment here?
    (I am not asking for VPN peer config help, as I know this tunnel template I am using works, but if you want to see it)
    Nick
    crypto pki token default removal timeout 0
    crypto keyring Site-to-Site 
      pre-shared-key address a.a.a.a key lkdshjfhjkdsfkjfsjkddedswdes
      pre-shared-key address b.b.b.b key lkdshjfhjkdsfkjfsjkddedswdes
      pre-shared-key address c.c.c.c key lkdshjfhjkdsfkjfsjkddedswdes
      pre-shared-key address d.d.d.d key lkdshjfhjkdsfkjfsjkddedswdes <- old sonicwall VPN KEY
      pre-shared-key hostname BOB key lkdshjfhjkdsfkjfsjkddedswdes
      pre-shared-key hostname BILL key lkdshjfhjkdsfkjfsjkddedswdes
      pre-shared-key hostname JILL key lkdshjfhjkdsfkjfsjkddedswdes
    crypto keyring Site-to-Site_PAN 
      description Keyring used for AES256 Palo Alto config, using IP's
      pre-shared-key address e.e.e.e key uiopadsbfjkahfga;lkdj
      pre-shared-key address f.f.f.f key uiopadsbfjkahfga;lkdj
      pre-shared-key address d.d.d.d key uiopadsbfjkahfga;lkdj <- my new add for Palo
    crypto isakmp policy 5
    encr aes 256
    hash sha256
    authentication pre-share
    group 2
    lifetime 28800
    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    group 2
    lifetime 28800
    crypto isakmp policy 20
    encr aes 256
    authentication pre-share
    group 2
    lifetime 28800
    crypto isakmp policy 30
    encr aes
    authentication pre-share
    group 2
    lifetime 28800
    crypto isakmp invalid-spi-recovery
    crypto isakmp keepalive 60 3 periodic
    crypto isakmp nat keepalive 20
    crypto isakmp profile Site-to-Site-Main
       keyring Site-to-Site
       self-identity user-fqdn ASIA
       match identity address a.a.a.a 255.255.255.255
       match identity address b.b.b.b 255.255.255.255
       match identity address c.c.c.c 255.255.255.255
       (Removed SonicWall peer match for d.d.d.d)
       keepalive 60 retry 3
    crypto isakmp profile Site-to-Site-Aggressive
       keyring Site-to-Site
       self-identity user-fqdn ASIA
       match identity user-fqdn BOB
       match identity user-fqdn BILL
       match identity user-fqdn JILL
       keepalive 60 retry 3
       initiate mode aggressive
    crypto isakmp profile Site-to-Site-Aggressive_PAN
       keyring Site-to-Site_PAN
       self-identity address
       match identity address e.e.e.e 255.255.255.255
       match identity address f.f.f.f 255.255.255.255
       match identity address d.d.d.d 255.255.255.255 <- My new add
       keepalive 10 retry 3
       initiate mode aggressive
    crypto ipsec transform-set CSC-TS1 esp-3des esp-sha-hmac
    crypto ipsec transform-set CSC-TS2 esp-aes 256 esp-sha-hmac
    crypto ipsec transform-set CSC-TS3 esp-des esp-md5-hmac
    crypto ipsec transform-set CSC-TS4 esp-aes esp-sha-hmac
    crypto ipsec transform-set CSC-TS5 esp-aes 256 esp-sha256-hmac
    crypto dynamic-map CSC-DMAP 5
    set security-association lifetime kilobytes disable
    set security-association lifetime seconds 28800
    set transform-set CSC-TS5
    set reverse-route distance 240
    set reverse-route tag 240
    set isakmp-profile Site-to-Site-Aggressive_PAN
    reverse-route
    crypto dynamic-map CSC-DMAP 10
    set security-association lifetime kilobytes disable
    set security-association lifetime seconds 28800
    set transform-set CSC-TS1 CSC-TS2 CSC-TS3 CSC-TS4
    set reverse-route distance 240
    set reverse-route tag 240
    set isakmp-profile Site-to-Site-Aggressive
    reverse-route
    crypto dynamic-map CSC-DMAP 20
    set security-association lifetime kilobytes disable
    set security-association lifetime seconds 28800
    set transform-set CSC-TS1 CSC-TS2 CSC-TS3 CSC-TS4
    set reverse-route distance 240
    set reverse-route tag 240
    set isakmp-profile Site-to-Site-Main
    reverse-route
    crypto map CSC-CMAP 20 ipsec-isakmp dynamic CSC-DMAP
    interface G0/0
    crypto map CSC-CMAP redundancy dmzvpn <-- I just negate this and re-add and new peers start working.

    This is where the connection sits...
    show crypto session detail
    Interface: GigabitEthernet0/0
    Profile: Site-to-Site-Aggressive_PAN
    Session status: UP-IDLE
    Peer: d.d.d.d port 4500 fvrf: (none) ivrf: (none)
          Phase1_id: d.d.d.d
          Desc: (none)
      IKEv1 SA: local 192.168.221.2/4500 remote d.d.d.d/4500 Active
              Capabilities:DN connid:1473 lifetime:07:31:02
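A crypto configuration of the shape posted above can be reviewed offline before a peer is added. This added example (not part of the original post, and not a diagnosis of the problem it describes) flags peers defined in more than one keyring, keys shared by several peers, legacy IKE and ESP algorithms, and aggressive-mode profiles; the sample config is constructed and its keys are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the configuration in the post above;
# addresses and keys are placeholders, not values from a real device.
SAMPLE_CONFIG = """\
crypto keyring Site-to-Site
  pre-shared-key address a.a.a.a key EXAMPLE-KEY-1
  pre-shared-key address d.d.d.d key EXAMPLE-KEY-1 <- old entry
  pre-shared-key hostname BOB key EXAMPLE-KEY-1
crypto keyring Site-to-Site_PAN
  pre-shared-key address e.e.e.e key EXAMPLE-KEY-2
  pre-shared-key address d.d.d.d key EXAMPLE-KEY-2 <- new entry
crypto isakmp policy 5
 encr aes 256
 hash sha256
 authentication pre-share
 group 2
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp profile Site-to-Site-Aggressive_PAN
   keyring Site-to-Site_PAN
   match identity address d.d.d.d 255.255.255.255
   initiate mode aggressive
crypto ipsec transform-set CSC-TS3 esp-des esp-md5-hmac
crypto ipsec transform-set CSC-TS5 esp-aes 256 esp-sha256-hmac
"""

# Legacy or weak choices this review reports (an assumption of the example).
WEAK_IKE = {"encr des": "DES", "encr 3des": "3DES", "hash md5": "MD5",
            "group 1": "DH group 1", "group 2": "DH group 2"}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac"}

HEADER_RE = re.compile(
    r"crypto (keyring|isakmp policy|isakmp profile|ipsec transform-set)"
    r" (\S+)(.*)")
# "pre-shared-key address <ip> [mask] key <key>" or "... hostname <name> key <key>"
PSK_RE = re.compile(
    r"pre-shared-key (address|hostname) (\S+)(?:\s+\S+)?\s+key\s+(\S+)")


def audit(config):
    """Return a sorted list of (code, detail) findings for IOS crypto config."""
    findings = []
    peer_rings = defaultdict(set)   # peer -> keyrings that define it
    key_peers = defaultdict(set)    # (keyring, key) -> peers using that key
    kind, name = "", ""             # current "crypto ..." block

    for raw in config.splitlines():
        # Indentation is ignored because forum pastes often lose it; a block
        # is assumed to run until the next line that starts with "crypto ".
        line = raw.strip()
        if not line:
            continue
        if line.startswith("crypto "):
            m = HEADER_RE.match(line)
            kind, name = (m.group(1), m.group(2)) if m else ("", "")
            if kind == "ipsec transform-set":
                weak = sorted(WEAK_ESP & set(m.group(3).split()))
                if weak:
                    findings.append(
                        ("WEAK_TRANSFORM", f"{name}: {' '.join(weak)}"))
            continue
        if kind == "keyring":
            m = PSK_RE.match(line)
            if m:
                peer_rings[m.group(2)].add(name)
                key_peers[(name, m.group(3))].add(m.group(2))
        elif kind == "isakmp policy" and line in WEAK_IKE:
            findings.append(("WEAK_IKE", f"policy {name}: {WEAK_IKE[line]}"))
        elif kind == "isakmp profile" and line == "initiate mode aggressive":
            findings.append(("AGGRESSIVE_MODE", f"profile {name}"))

    for peer, rings in peer_rings.items():
        if len(rings) > 1:
            findings.append(
                ("DUPLICATE_PEER",
                 f"{peer} in keyrings {', '.join(sorted(rings))}"))
    # Key material is counted, never echoed into the report.
    for (ring, _key), peers in key_peers.items():
        if len(peers) > 1:
            findings.append(
                ("SHARED_PSK",
                 f"keyring {ring}: one key covers {len(peers)} peers"))
    return sorted(findings)


if __name__ == "__main__":
    for code, detail in audit(SAMPLE_CONFIG):
        print(f"{code:16} {detail}")
```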

  • ACE4710 - Install New FT Peer

    Hello Everyone
    This is my first post on the Support Community, so please allow me some room for not following etiquette. I have recently taken delivery of a replacement 4710 as one half of a pair. The unit that has been replaced was the primary in the pair. The current active 4710 was the secondary in the pair. I am looking for an installation guide that specifically deals with reconnecting peers, with reference to:
    1) OS differences
    2) Config sync
    3) Failover timings
    The working 4710 is on:- c4710ace-t1k9-mz.A4_1_1.bin
    Replacement:- c4710ace-mz.A4_2_0.bin
    Working
    FT Group                     : 1
    Configured Status            : in-service
    Maintenance mode             : MAINT_MODE_OFF
    My State                     : FSM_FT_STATE_ACTIVE
    My Config Priority           : 50
    My Net Priority              : 50
    My Preempt                   : Disabled
    Peer State                   : FSM_FT_STATE_UNKNOWN
    Peer Config Priority         : Unknown
    Peer Net Priority            : Unknown
    Peer Preempt                 : Unknown
    Peer Id                      : 1
    No. of Contexts              : 1
    ft interface vlan 1111
      ip address 192.168.254.2 255.255.255.252
      peer ip address 192.168.254.1 255.255.255.252
      no shutdown
    ft peer 1
      heartbeat interval 300
      heartbeat count 10
      ft-interface vlan 1111
    ft group 1
      peer 1
      no preempt
      priority 50
      peer priority 99
      associate-context Admin
      inservice
    My concern is the mismatch in OS, yet the USB ports seem to be unsupported. I could configure the replacement with a lower priority, but would like to find some information on if this OS mismatch will cause issues and how best to copy from one device to another.
    And yes, as you can probably gather, these devices are not my strong point; they were a legacy left by someone else with no documentation or explanations.
    Thanks for your time

    Put the same OS.
    Then just configure basic connectivity, basic HA parameters and ft group for admin context only. Everything else will be synchronized.
    Usually I use the following file by copy/paste and I plug the box. Notice the "no preempt" in the ft group.
    interface gigabitEthernet 1/1
      channel-group 1
      no shutdown
    interface gigabitEthernet 1/2
      channel-group 1
      no shutdown
    interface gigabitEthernet 1/3
      channel-group 1
      no shutdown
    interface gigabitEthernet 1/4
      channel-group 1
      no shutdown
    interface port-channel 1
      ft-port vlan 98
      port-channel load-balance src-dst-port
      no shutdown
    ft interface vlan 98
      ip address 10.123.98.251 255.255.255.0
      peer ip address 10.123.98.250 255.255.255.0
      no shutdown
    exit
    ft peer 1
      heartbeat interval 100
      heartbeat count 10
      ft-interface vlan 30
    exit
    ft group 1
      peer 1
      no preempt
      priority 110
      peer priority 120
      associate-context Admin
      inservice
    exit

  • CME dial-peer PSTN call

    Hello
    I have 2 CME
    PSTN===>CME01===LAN==>CME02 please see attached file with dial-peer config
    problem:
    ip phone 1299 can call 07733XXXXX (PSTN phone)
    ip phone 1484 can call 1299 but cannot dial 07733XXXXX(PSTN phone)
    please can you help

    Yes, certainly it's possible: create another specific dial-peer for the 077XX number and configure the override on that dial-peer as per below:
    dial-peer voice 4 voip
    incoming called-number ^07733.....$    <<<< This for matching all calls starting with 07733
    paramspace callsetup after-hours-exempt true  << this should exempt this dial-peer
    end
    So your calls hitting dial-peer 3 we previously created will match anything other than 07733 numbers and will have call block on. This dial-peer 4 will allow exemption for this specific number.
    If you want to exempt all calls from CME02 then you can have the command:
    paramspace callsetup after-hours-exempt true
    under the dial-peer 3 we previously created.
    Let me know how you go and please do rate all helpful posts.
    -Terry

  • Active-Active config from N5k to N2k

    On the N5k-B set at priority 105, I cannot see interface 101 of the fex, but can see inter 101 on "priority 110, n5k-A". Why is that? When I do a sh vpc brief, adj is up alive. I went ahead and powered down the N5k-A and now N5k-B has inter 101... so can I assume this is normal behavior?
    vpc domain 200
      role priority 105 while the other N5k is set to 110
      peer-keepalive destination 192.168.1.1
      peer-config-check-bypass
    fex 101
      pinning max-links 1
      description FEX0101
    interface port-channel101
      description ****TO-N2K-ROW-1****
      switchport mode fex-fabric
      untagged cos 0
      fex associate 101
      speed 10000
    interface Ethernet1/7
      description ****TO-N2K-ROW-1****
      switchport mode fex-fabric
      fex associate 101
      channel-group 101
    interface Ethernet1/8
      description ****TO-N2K-ROW-1****
      switchport mode fex-fabric
      fex associate 101
      channel-group 101

    Hi,
    If you are looking at configuring the N2K so that both uplinks are active-active toward the vPC peer devices, then you need to configure the interface port-channel 101 with a common vPC identifier. For example, configure both interface port-channel 101 on the N5Ks to be in, say, 'vpc 101'; without this they are not logically bound.
    If you run a 'show interface fex' or 'show fex' not sure from the top of my head, but it should show the status of the fex in question from the N5K which you are unable to see the interface.
    Regards
    Allan.
    Hope this helps, pls rate helpful posts.

  • Fax outdial retries consume all voice channels on SIP 484 error (Cisco 2911)

    I've been seeing a nasty fax/VoIP problem on a 2911, running  IOS 15.0(1r)M12.  Any suggestions would be welcome.
    I have a 2911 which is set up to do T.37 offramp fax delivery (SMTP message is sent to 2911, which places a VoIP call over SIP/RTP/T.38 to deliver the fax).  The mainline case is set up, and working correctly - faxes are delivered without issue.  If a destination address is selected such that the VoIP switch returns a SIP 484 error, then everything fails in a spectacular fashion:
    The outdial is immediately retried, placing another SIP INVITE to the switch, with the same destination address, which obviously also gets the same 484 response.
    Each time the outdial takes place, it consumes voice channels on the DSP, which are not released on receipt of the 484.
    When there are no free voice channels, a no circuit (0x22) error is returned, and all the voice channels are finally released.
    The MTA that submitted the SMTP message retries every minute (it doesn't get a permanent failure report when the 2911 fails to place the call)
    This leads to a situation where no fax calls can be placed, as all the voice channels are being used up by retrying this call that can never succeed.
    Some other relevant information:
    The VoIP switch does not return a 484 immediately.  First it sends a SIP 183, and plays early media (an announcement about how the call isn't allowed).
    It takes 8 seconds before the 484 is returned.  The 2911 sends a new SIP INVITE every 8 seconds (as soon as it gets a 484 for the previous attempt).
    The "sip-ua" statistics show that the INVITE retry counter is not  being incremented (i.e. this is not a retry at the scope of the SIP stack).
    The T1 cable is looped-back to the 2911, so that the complete path for fax delivery looks like this:
        MTA ---SMTP---> 2911 ---T1---> 2911 ---SIP---> VoIP switch
    If I set "mta receive generate permanent-error", then I still see this retry behaviour, with all the voice channels being consumed.  Once that has happened (after about 3 minutes) the MTA does get the error response, and no longer retries every minute after that (although this setting has other negative effects that I'd like to avoid).
    Does anyone have any idea how I can get the 2911 to return a permanent failure to the MTA after just a single outdial has failed with a SIP 484?
    Here is the dial-peer config:
    dial-peer voice 1 voip
     translation-profile incoming IncomingVoip
     incoming called-number .
     voice-class codec 1
     dtmf-relay rtp-nte
     fax protocol t38 version 0 ls-redundancy 3 hs-redundancy 0 fallback pass-through g711ulaw
     no vad
    dial-peer voice 2 pots
     destination-pattern ^0005
     port 1/1:23
     forward-digits all
    dial-peer voice 3 pots
     translation-profile incoming IncomingPRI_1_0
     service onramp-app
     incoming called-number ^0005
     direct-inward-dial
     port 1/0:23
    dial-peer voice 4 mmoip
     service fax_on_vfc_onramp_app out-bound
     destination-pattern .
     information-type fax
     session target mailto:$m$@<DOMAIN NAME>
     image encoding MH
    dial-peer voice 101 mmoip
     translation-profile incoming IncomingMMoIP
     service offramp-app
     information-type fax
     incoming called-number .
    dial-peer voice 102 pots
     destination-pattern .
     port 1/0:23
     forward-digits all
    dial-peer voice 103 pots
     translation-profile incoming IncomingPRI_1_1
     incoming called-number ^0007
     direct-inward-dial
     port 1/1:23
    dial-peer voice 104 voip
     translation-profile outgoing OutgoingVoip
     destination-pattern ^0008
     session protocol sipv2
     session target ipv4:<VoIP SWITCH IP ADDRESS>
     voice-class codec 1
     dtmf-relay rtp-nte
     fax protocol t38 version 0 ls-redundancy 3 hs-redundancy 0 fallback pass-through g711ulaw
     no vad

    Hi Ellad.
    Why don't you try to use the 2811 as a SIP signalling proxy only?
    In this way the media (RTP or T.38) will be handled only by the two MERA SoftSwitches.
    To do this you must enable CUBE on your 2811 and use these special commands:
    voice service voip
         media flow-around
         allow-connections sip to sip
         signaling forward unconditional
         sip
           rel1xx disable
           header-passing
           midcall-signaling passthru
           pass-thru headers unsupp
           pass-thru content unsupp
           pass-thru content sdp
    I don't remember if we have already tried this solution.
    Regards.

  • VPN L2TP to CISCO 837

    Hi,
    I'm trying to use the native VPN L2TP in Leopard to connect to a small, cheap CISCO 837 adsl router, to test IOS as a VPN appliance.
    So I'm just trying to connect from the leopard in 192.168.1.10 to the cisco in 192.168.1.70 with this conf:
    Current configuration : 9751 bytes
    version 12.3
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    hostname door
    memory-size iomem 15
    security authentication failure rate 10 log
    security passwords min-length 6
    logging console critical
    enable secret 5 $1$kI1f$BuT4.zkAIwccDS93oszF//
    enable password 7 0459580A032A435C0C4B51
    username dooruser password 7 15140E5D557A3C37203A257040
    username dooradmin privilege 15 secret 5 $1$qo91$ZzsCF7Loo6BLqV7.YrGQQ1
    username doortest password 7 03005404141B245F5A491416141A0A1C
    aaa new-model
    aaa authentication login local_auth local
    aaa authentication login LOGIN local
    aaa authorization network AUTORIZ local
    aaa session-id common
    ip subnet-zero
    no ip source-route
    no ip gratuitous-arps
    ip domain name domain.com
    no ip bootp server
    ip cef
    ip audit notify log
    ip audit po max-events 100
    ip ssh authentication-retries 5
    no ftp-server write-enable
    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp client configuration group PRUEBA
    key 0 cisco123
    domain domain.com
    pool VPNPOOL
    acl 150
    crypto ipsec transform-set MISET esp-3des esp-sha-hmac
    mode transport
    crypto dynamic-map DINAMICO 10
    set transform-set MISET
    reverse-route
    crypto map CLIENTMAP local-address Ethernet0
    crypto map CLIENTMAP client authentication list LOGIN
    crypto map CLIENTMAP isakmp authorization list AUTORIZ
    crypto map CLIENTMAP client configuration address initiate
    crypto map CLIENTMAP client configuration address respond
    crypto map CLIENTMAP 10 ipsec-isakmp dynamic DINAMICO
    interface Ethernet0
    ip address 192.168.1.70 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    pppoe enable group PRUEBA
    no cdp enable
    crypto map CLIENTMAP
    hold-queue 100 out
    interface ATM0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    shutdown
    no atm ilmi-keepalive
    dsl operating-mode auto
    interface FastEthernet1
    no ip address
    speed auto
    full-duplex
    crypto map CLIENTMAP
    interface FastEthernet2
    no ip address
    speed auto
    half-duplex
    interface FastEthernet3
    no ip address
    shutdown
    duplex auto
    speed auto
    interface FastEthernet4
    no ip address
    shutdown
    duplex auto
    speed auto
    ip local pool VPNPOOL 192.168.1.120 192.168.1.125
    ip default-gateway 192.168.1.100
    ip classless
    ip default-network 198.168.1.0
    ip route 0.0.0.0 0.0.0.0 192.168.1.100
    ip route 192.168.1.0 255.255.255.0 192.168.1.100
    ip http server
    ip http authentication local
    ip http secure-server
    ip access-list extended autoseccompletebogon
    deny ip 1.0.0.0 0.255.255.255 any
    deny ip 2.0.0.0 0.255.255.255 any
    deny ip 5.0.0.0 0.255.255.255 any
    deny ip 7.0.0.0 0.255.255.255 any
    deny ip 23.0.0.0 0.255.255.255 any
    deny ip 27.0.0.0 0.255.255.255 any
    deny ip 31.0.0.0 0.255.255.255 any
    deny ip 36.0.0.0 0.255.255.255 any
    deny ip 37.0.0.0 0.255.255.255 any
    deny ip 39.0.0.0 0.255.255.255 any
    deny ip 41.0.0.0 0.255.255.255 any
    deny ip 42.0.0.0 0.255.255.255 any
    deny ip 49.0.0.0 0.255.255.255 any
    deny ip 50.0.0.0 0.255.255.255 any
    deny ip 58.0.0.0 0.255.255.255 any
    deny ip 59.0.0.0 0.255.255.255 any
    deny ip 60.0.0.0 0.255.255.255 any
    deny ip 70.0.0.0 0.255.255.255 any
    deny ip 71.0.0.0 0.255.255.255 any
    deny ip 72.0.0.0 0.255.255.255 any
    deny ip 73.0.0.0 0.255.255.255 any
    deny ip 74.0.0.0 0.255.255.255 any
    deny ip 75.0.0.0 0.255.255.255 any
    deny ip 76.0.0.0 0.255.255.255 any
    deny ip 77.0.0.0 0.255.255.255 any
    deny ip 78.0.0.0 0.255.255.255 any
    deny ip 79.0.0.0 0.255.255.255 any
    deny ip 83.0.0.0 0.255.255.255 any
    deny ip 84.0.0.0 0.255.255.255 any
    deny ip 85.0.0.0 0.255.255.255 any
    deny ip 86.0.0.0 0.255.255.255 any
    deny ip 87.0.0.0 0.255.255.255 any
    deny ip 89.0.0.0 0.255.255.255 any
    deny ip 90.0.0.0 0.255.255.255 any
    deny ip 91.0.0.0 0.255.255.255 any
    deny ip 92.0.0.0 0.255.255.255 any
    deny ip 93.0.0.0 0.255.255.255 any
    deny ip 94.0.0.0 0.255.255.255 any
    deny ip 95.0.0.0 0.255.255.255 any
    deny ip 96.0.0.0 0.255.255.255 any
    deny ip 97.0.0.0 0.255.255.255 any
    deny ip 98.0.0.0 0.255.255.255 any
    deny ip 99.0.0.0 0.255.255.255 any
    deny ip 100.0.0.0 0.255.255.255 any
    deny ip 101.0.0.0 0.255.255.255 any
    deny ip 102.0.0.0 0.255.255.255 any
    deny ip 103.0.0.0 0.255.255.255 any
    deny ip 104.0.0.0 0.255.255.255 any
    deny ip 105.0.0.0 0.255.255.255 any
    deny ip 106.0.0.0 0.255.255.255 any
    deny ip 107.0.0.0 0.255.255.255 any
    deny ip 108.0.0.0 0.255.255.255 any
    deny ip 109.0.0.0 0.255.255.255 any
    deny ip 110.0.0.0 0.255.255.255 any
    deny ip 111.0.0.0 0.255.255.255 any
    deny ip 112.0.0.0 0.255.255.255 any
    deny ip 113.0.0.0 0.255.255.255 any
    deny ip 114.0.0.0 0.255.255.255 any
    deny ip 115.0.0.0 0.255.255.255 any
    deny ip 116.0.0.0 0.255.255.255 any
    deny ip 117.0.0.0 0.255.255.255 any
    deny ip 118.0.0.0 0.255.255.255 any
    deny ip 119.0.0.0 0.255.255.255 any
    deny ip 120.0.0.0 0.255.255.255 any
    deny ip 121.0.0.0 0.255.255.255 any
    deny ip 122.0.0.0 0.255.255.255 any
    deny ip 123.0.0.0 0.255.255.255 any
    deny ip 124.0.0.0 0.255.255.255 any
    deny ip 125.0.0.0 0.255.255.255 any
    deny ip 126.0.0.0 0.255.255.255 any
    deny ip 197.0.0.0 0.255.255.255 any
    deny ip 201.0.0.0 0.255.255.255 any
    deny ip 10.0.0.0 0.255.255.255 any
    deny ip 172.16.0.0 0.15.255.255 any
    deny ip 192.168.0.0 0.0.255.255 any
    deny ip 224.0.0.0 15.255.255.255 any
    deny ip 240.0.0.0 15.255.255.255 any
    deny ip 0.0.0.0 0.255.255.255 any
    deny ip 169.254.0.0 0.0.255.255 any
    deny ip 192.0.2.0 0.0.0.255 any
    deny ip 127.0.0.0 0.255.255.255 any
    permit ip any any
    remark This acl might not be up to date. Visit www.iana.org/assignments/ipv4-address-space for update list
    ip access-list extended autoseciana_reservedblock
    deny ip 1.0.0.0 0.255.255.255 any
    deny ip 2.0.0.0 0.255.255.255 any
    deny ip 5.0.0.0 0.255.255.255 any
    deny ip 7.0.0.0 0.255.255.255 any
    deny ip 23.0.0.0 0.255.255.255 any
    deny ip 27.0.0.0 0.255.255.255 any
    deny ip 31.0.0.0 0.255.255.255 any
    deny ip 36.0.0.0 0.255.255.255 any
    deny ip 37.0.0.0 0.255.255.255 any
    deny ip 39.0.0.0 0.255.255.255 any
    deny ip 41.0.0.0 0.255.255.255 any
    deny ip 42.0.0.0 0.255.255.255 any
    deny ip 49.0.0.0 0.255.255.255 any
    deny ip 50.0.0.0 0.255.255.255 any
    deny ip 58.0.0.0 0.255.255.255 any
    deny ip 59.0.0.0 0.255.255.255 any
    deny ip 60.0.0.0 0.255.255.255 any
    deny ip 70.0.0.0 0.255.255.255 any
    deny ip 71.0.0.0 0.255.255.255 any
    deny ip 72.0.0.0 0.255.255.255 any
    deny ip 73.0.0.0 0.255.255.255 any
    deny ip 74.0.0.0 0.255.255.255 any
    deny ip 75.0.0.0 0.255.255.255 any
    deny ip 76.0.0.0 0.255.255.255 any
    deny ip 77.0.0.0 0.255.255.255 any
    deny ip 78.0.0.0 0.255.255.255 any
    deny ip 79.0.0.0 0.255.255.255 any
    deny ip 83.0.0.0 0.255.255.255 any
    deny ip 84.0.0.0 0.255.255.255 any
    deny ip 85.0.0.0 0.255.255.255 any
    deny ip 86.0.0.0 0.255.255.255 any
    deny ip 87.0.0.0 0.255.255.255 any
    deny ip 88.0.0.0 0.255.255.255 any
    deny ip 89.0.0.0 0.255.255.255 any
    deny ip 90.0.0.0 0.255.255.255 any
    deny ip 91.0.0.0 0.255.255.255 any
    deny ip 92.0.0.0 0.255.255.255 any
    deny ip 93.0.0.0 0.255.255.255 any
    deny ip 94.0.0.0 0.255.255.255 any
    deny ip 95.0.0.0 0.255.255.255 any
    deny ip 96.0.0.0 0.255.255.255 any
    deny ip 97.0.0.0 0.255.255.255 any
    deny ip 98.0.0.0 0.255.255.255 any
    deny ip 99.0.0.0 0.255.255.255 any
    deny ip 100.0.0.0 0.255.255.255 any
    deny ip 101.0.0.0 0.255.255.255 any
    deny ip 102.0.0.0 0.255.255.255 any
    deny ip 103.0.0.0 0.255.255.255 any
    deny ip 104.0.0.0 0.255.255.255 any
    deny ip 105.0.0.0 0.255.255.255 any
    deny ip 106.0.0.0 0.255.255.255 any
    deny ip 107.0.0.0 0.255.255.255 any
    deny ip 108.0.0.0 0.255.255.255 any
    deny ip 109.0.0.0 0.255.255.255 any
    deny ip 110.0.0.0 0.255.255.255 any
    deny ip 111.0.0.0 0.255.255.255 any
    deny ip 112.0.0.0 0.255.255.255 any
    deny ip 113.0.0.0 0.255.255.255 any
    deny ip 114.0.0.0 0.255.255.255 any
    deny ip 115.0.0.0 0.255.255.255 any
    deny ip 116.0.0.0 0.255.255.255 any
    deny ip 117.0.0.0 0.255.255.255 any
    deny ip 118.0.0.0 0.255.255.255 any
    deny ip 119.0.0.0 0.255.255.255 any
    deny ip 120.0.0.0 0.255.255.255 any
    deny ip 121.0.0.0 0.255.255.255 any
    deny ip 122.0.0.0 0.255.255.255 any
    deny ip 123.0.0.0 0.255.255.255 any
    deny ip 124.0.0.0 0.255.255.255 any
    deny ip 125.0.0.0 0.255.255.255 any
    deny ip 126.0.0.0 0.255.255.255 any
    deny ip 197.0.0.0 0.255.255.255 any
    deny ip 201.0.0.0 0.255.255.255 any
    permit ip any any
    remark This acl might not be up to date. Visit www.iana.org/assignments/ipv4-address-space for update list
    ip access-list extended autosecprivateblock
    deny ip 10.0.0.0 0.255.255.255 any
    deny ip 172.16.0.0 0.15.255.255 any
    deny ip 192.168.0.0 0.0.255.255 any
    permit ip any any
    logging trap debugging
    logging facility local2
    access-list 100 permit udp any any eq bootpc
    access-list 150 permit ip host 0.0.0.0 any
    dialer-list 1 protocol ip permit
    no cdp run
    line con 0
    exec-timeout 5 0
    login authentication local_auth
    no modem enable
    transport output telnet
    line aux 0
    login authentication local_auth
    transport output telnet
    line vty 0 4
    password 7 15045A081325242F7B626C74
    login authentication local_auth
    transport input telnet ssh
    scheduler max-task-time 5000
    end
    and the DEBUG in the cisco is:
    015933: *Mar 2 05:13:34.748 UTC: %SYS-5-CONFIG_I: Configured from console by dooruser on vty0 (192.168.1.10)
    door#
    door#
    015934: *Mar 2 05:14:18.096 UTC: ISAKMP (0:0): received packet from 192.168.1.10 dport 500 sport 500 Global (N) NEW SA
    015935: *Mar 2 05:14:18.096 UTC: ISAKMP: Created a peer struct for 192.168.1.10, peer port 500
    015936: *Mar 2 05:14:18.096 UTC: ISAKMP: Locking peer struct 0x816C55CC, IKE refcount 1 for cryptoikmp_config_initializesa
    015937: *Mar 2 05:14:18.096 UTC: ISAKMP (0:0): Setting client config settings 813B63E8
    015938: *Mar 2 05:14:18.096 UTC: ISAKMP (0:0): (Re)Setting client xauth list and state
    015939: *Mar 2 05:14:18.096 UTC: ISAKMP: local port 500, remote port 500
    015940: *Mar 2 05:14:18.100 UTC: ISAKMP: insert sa successfully sa = 815825EC
    015941: *Mar 2 05:14:18.100 UTC: ISAKMP (0:1): processing SA payload. message ID = 0
    015942: *Mar 2 05:14:18.100 UTC: ISAKMP (0:1): processing ID payload. message ID = 0
    015943: *Mar 2 05:14:18.100 UTC: ISAKMP (0:1): peer matches none of the profiles
    015944: *Mar 2 05:14:18.100 UTC: ISAKMP (0:1): processing vendor id payload
    015945: *Mar 2 05:14:18.100 UTC: ISAKMP (0:1): vendor ID seems Unity/DPD but major 69 mismatch
    015946: *Mar 2 05:14:18.104 UTC: ISAKMP (0:1): processing vendor id payload
    015947: *Mar 2 05:14:18.104 UTC: ISAKMP (0:1): vendor ID seems Unity/DPD but major 198 mismatch
    015948: *Mar 2 05:14:18.104 UTC: ISAKMP (0:1): processing vendor id payload
    015949: *Mar 2 05:14:18.104 UTC: ISAKMP (0:1): vendor ID seems Unity/DPD but major 29 mismatch
    015950: *Mar 2 05:14:18.104 UTC: ISAKMP (0:1): processing vendor id payload
    015951: *Mar 2 05:14:18.104 UTC: ISAKMP (0:1): vendor ID seems Unity/DPD but major 245 mismatch
    015952: *Mar 2 05:14:18.104 UTC: ISAKMP (0:1): processing vendor id payload
    015953: *Mar 2 05:14:18.104 UTC: ISAKMP (0:1): vendor ID seems Unity/DPD but major 114 mismatch
    015954: *Mar 2 05:14:18.108 UTC: ISAKMP (0:1): processing vendor id payload
    015955: *Mar 2 05:14:18.108 UTC: ISAKMP (0:1): vendor ID seems Unity/DPD but major 227 mismatch
    015956: *Mar 2 05:14:18.108 UTC: ISAKMP (0:1): processing vendor id payload
    015957: *Mar 2 05:14:18.108 UTC: ISAKMP (0:1): vendor ID seems Unity/DPD but major 250 mismatch
    015958: *Mar 2 05:14:18.108 UTC: ISAKMP (0:1): processing vendor id payload
    015959: *Mar 2 05:14:18.108 UTC: ISAKMP (0:1): vendor ID seems Unity/DPD but major 157 mismatch
    015960: *Mar 2 05:14:18.108 UTC: ISAKMP (0:1): vendor ID is NAT-T v3
    015961: *Mar 2 05:14:18.108 UTC: ISAKMP (0:1): processing vendor id payload
    015962: *Mar 2 05:14:18.112 UTC: ISAKMP (0:1): vendor ID seems Unity/DPD but major 164 mismatch
    015963: *Mar 2 05:14:18.112 UTC: ISAKMP (0:1): processing vendor id payload
    015964: *Mar 2 05:14:18.112 UTC: ISAKMP (0:1): vendor ID seems Unity/DPD but major 123 mismatch
    015965: *Mar 2 05:14:18.112 UTC: ISAKMP (0:1): vendor ID is NAT-T v2
    015966: *Mar 2 05:14:18.112 UTC: ISAKMP (0:1): processing vendor id payload
    015967: *Mar 2 05:14:18.112 UTC: ISAKMP (0:1): vendor ID is DPD
    015968: *Mar 2 05:14:18.112 UTC: ISAKMP (0:1) Authentication by xauth preshared
    015969: *Mar 2 05:14:18.112 UTC: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 10 policy
    015970: *Mar 2 05:14:18.112 UTC: ISAKMP: life type in seconds
    015971: *Mar 2 05:14:18.116 UTC: ISAKMP: life duration (basic) of 3600
    015972: *Mar 2 05:14:18.116 UTC: ISAKMP: encryption 3DES-CBC
    015973: *Mar 2 05:14:18.116 UTC: ISAKMP: auth pre-share
    015974: *Mar 2 05:14:18.116 UTC: ISAKMP: hash SHA
    015975: *Mar 2 05:14:18.116 UTC: ISAKMP: default group 2
    015976: *Mar 2 05:14:18.116 UTC: ISAKMP (0:1): atts are acceptable. Next payload is 0
    015977: *Mar 2 05:14:18.328 UTC: ISAKMP (0:1): processing KE payload. message ID = 0
    015978: *Mar 2 05:14:18.596 UTC: ISAKMP (0:1): processing NONCE payload. message ID = 0
    015979: *Mar 2 05:14:18.600 UTC: ISAKMP (0:1): processing vendor id payload
    015980: *Mar 2 05:14:18.600 UTC: ISAKMP (0:1): vendor ID seems Unity/DPD but major 69 mismatch
    015981: *Mar 2 05:14:18.600 UTC: ISAKMP (0:1): processing vendor id payload
    015982: *Mar 2 05:14:18.600 UTC: ISAKMP (0:1): vendor ID seems Unity/DPD but major 198 mismatch
    015983: *Mar 2 05:14:18.600 UTC: ISAKMP (0:1): processing vendor id payload
    015984: *Mar 2 05:14:18.600 UTC: ISAKMP (0:1): vendor ID seems Unity/DPD but major 29 mismatch
    015985: *Mar 2 05:14:18.604 UTC: ISAKMP (0:1): processing vendor id payload
    015986: *Mar 2 05:14:18.604 UTC: ISAKMP (0:1): vendor ID seems Unity/DPD but major 245 mismatch
    015987: *Mar 2 05:14:18.604 UTC: ISAKMP (0:1): processing vendor id payload
    015988: *Mar 2 05:14:18.604 UTC: ISAKMP (0:1): vendor ID seems Unity/DPD but major 114 mismatch
    015989: *Mar 2 05:14:18.604 UTC: ISAKMP (0:1): processing vendor id payload
    015990: *Mar 2 05:14:18.604 UTC: ISAKMP (0:1): vendor ID seems Unity/DPD but major 227 mismatch
    015991: *Mar 2 05:14:18.608 UTC: ISAKMP (0:1): processing vendor id payload
    015992: *Mar 2 05:14:18.608 UTC: ISAKMP (0:1): vendor ID seems Unity/DPD but major 250 mismatch
    015993: *Mar 2 05:14:18.608 UTC: ISAKMP (0:1): processing vendor id payload
    015994: *Mar 2 05:14:18.608 UTC: ISAKMP (0:1): vendor ID seems Unity/DPD but major 157 mismatch
    015995: *Mar 2 05:14:18.608 UTC: ISAKMP (0:1): vendor ID is NAT-T v3
    015996: *Mar 2 05:14:18.608 UTC: ISAKMP (0:1): processing vendor id payload
    015997: *Mar 2 05:14:18.608 UTC: ISAKMP (0:1): vendor ID seems Unity/DPD but major 164 mismatch
    015998: *Mar 2 05:14:18.608 UTC: ISAKMP (0:1): processing vendor id payload
    015999: *Mar 2 05:14:18.608 UTC: ISAKMP (0:1): vendor ID seems Unity/DPD but major 123 mismatch
    016000: *Mar 2 05:14:18.608 UTC: ISAKMP (0:1): vendor ID is NAT-T v2
    016001: *Mar 2 05:14:18.608 UTC: ISAKMP (0:1): processing vendor id payload
    016002: *Mar 2 05:14:18.608 UTC: ISAKMP (0:1): vendor ID is DPD
    016003: *Mar 2 05:14:18.608 UTC: AAA: parse name=ISAKMP500 idb type=-1 tty=-1
    016004: *Mar 2 05:14:18.612 UTC: AAA: name=ISAKMP500 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=500 channel=0
    016005: *Mar 2 05:14:18.612 UTC: AAA: parse name=<no string> idb type=-1 tty=-1
    016006: *Mar 2 05:14:18.612 UTC: AAA/MEMORY: create_user (0x81582C78) user='PRUEBA' ruser='NULL' ds0=0 port='ISAKMP500' rem_addr='192.168.1.10' authen_type=NONE service=LOGIN priv=0 initialtaskid='0', vrf= (id=0)
    016007: *Mar 2 05:14:18.612 UTC: ISAKMP (0:1): Input = IKEMESG_FROMPEER, IKEAMEXCH
    016008: *Mar 2 05:14:18.612 UTC: ISAKMP (0:1): Old State = IKE_READY New State = IKER_AM_AAAAWAIT
    016009: *Mar 2 05:14:18.612 UTC: ISAKMP500 AAA/AUTHOR/CRYPTO AAA(1432144417): Port='ISAKMP500' list='AUTORIZ' service=NET
    016010: *Mar 2 05:14:18.616 UTC: AAA/AUTHOR/CRYPTO AAA: ISAKMP500(1432144417) user='PRUEBA'
    016011: *Mar 2 05:14:18.616 UTC: ISAKMP500 AAA/AUTHOR/CRYPTO AAA(1432144417): send AV service=ike
    016012: *Mar 2 05:14:18.616 UTC: ISAKMP500 AAA/AUTHOR/CRYPTO AAA(1432144417): send AV protocol=ipsec
    016013: *Mar 2 05:14:18.616 UTC: ISAKMP500 AAA/AUTHOR/CRYPTO AAA(1432144417): found list "AUTORIZ"
    016014: *Mar 2 05:14:18.616 UTC: ISAKMP500 AAA/AUTHOR/CRYPTO AAA(1432144417): Method=LOCAL
    016015: *Mar 2 05:14:18.620 UTC: AAA/AUTHOR (1432144417): Post authorization status = PASS_ADD
    016016: *Mar 2 05:14:18.620 UTC: ISAKMP: got callback 1
    016017: *Mar 2 05:14:18.624 UTC:
    AAA/AUTHOR/IKE: Processing AV service=ike
    016018: *Mar 2 05:14:18.624 UTC:
    AAA/AUTHOR/IKE: Processing AV protocol=ipsec
    016019: *Mar 2 05:14:18.624 UTC:
    AAA/AUTHOR/IKE: Processing AV tunnel-password=cisco123
    016020: *Mar 2 05:14:18.624 UTC:
    AAA/AUTHOR/IKE: Processing AV default-domain*domain.com
    016021: *Mar 2 05:14:18.624 UTC:
    AAA/AUTHOR/IKE: Processing AV addr-pool*VPNPOOL
    016022: *Mar 2 05:14:18.624 UTC:
    AAA/AUTHOR/IKE: Processing AV key-exchange=ike
    016023: *Mar 2 05:14:18.624 UTC:
    AAA/AUTHOR/IKE: Processing AV firewall*0
    016024: *Mar 2 05:14:18.624 UTC:
    AAA/AUTHOR/IKE: Processing AV group-lock*0
    016025: *Mar 2 05:14:18.624 UTC:
    AAA/AUTHOR/IKE: Processing AV include-local-lan*0
    016026: *Mar 2 05:14:18.624 UTC:
    AAA/AUTHOR/IKE: Processing AV timeout*0
    016027: *Mar 2 05:14:18.624 UTC:
    AAA/AUTHOR/IKE: Processing AV idletime*0
    016028: *Mar 2 05:14:18.628 UTC:
    AAA/AUTHOR/IKE: Processing AV inacl*150
    016029: *Mar 2 05:14:18.628 UTC:
    AAA/AUTHOR/IKE: Processing AV dns-servers*0.0.0.0 0.0.0.0
    016030: *Mar 2 05:14:18.628 UTC:
    AAA/AUTHOR/IKE: Processing AV wins-servers*0.0.0.0 0.0.0.0
    016031: *Mar 2 05:14:18.628 UTC:
    AAA/AUTHOR/IKE: Processing AV save-password*0
    016032: *Mar 2 05:14:18.632 UTC: ISAKMP (0:1): SKEYID state generated
    016033: *Mar 2 05:14:18.636 UTC: ISAKMP (0:1): constructed NAT-T vendor-03 ID
    016034: *Mar 2 05:14:18.636 UTC: ISAKMP (0:1): SA is doing pre-shared key authentication using id type IDIPV4ADDR
    016035: *Mar 2 05:14:18.636 UTC: ISAKMP (1): ID payload
    next-payload : 10
    type : 1
    addr : 192.168.1.70
    protocol : 17
    port : 0
    length : 8
    016036: *Mar 2 05:14:18.636 UTC: ISAKMP (1): Total payload length: 12
    016037: *Mar 2 05:14:18.636 UTC: ISAKMP (0:1): constructed HIS NAT-D
    016038: *Mar 2 05:14:18.636 UTC: ISAKMP (0:1): constructed MINE NAT-D
    016039: *Mar 2 05:14:18.640 UTC: ISAKMP (0:1): sending packet to 192.168.1.10 my_port 500 peer_port 500 (R) AGINITEXCH
    016040: *Mar 2 05:14:18.640 UTC: ISAKMP (0:1): Input = IKEMESG_FROMAAA, PRESHAREDKEYREPLY
    016041: *Mar 2 05:14:18.640 UTC: ISAKMP (0:1): Old State = IKER_AM_AAAAWAIT New State = IKERAM2
    016042: *Mar 2 05:14:18.640 UTC: AAA/MEMORY: free_user (0x81582C78) user='PRUEBA' ruser='NULL' port='ISAKMP500' rem_addr='192.168.1.10' authen_type=NONE service=LOGIN priv=0 vrf= (id=0)
    016043: *Mar 2 05:14:18.792 UTC: ISAKMP (0:1): received packet from 192.168.1.10 dport 500 sport 500 Global (R) AGINITEXCH
    016044: *Mar 2 05:14:18.792 UTC: ISAKMP (0:1): processing HASH payload. message ID = 0
    016045: *Mar 2 05:14:18.792 UTC: ISAKMP:received payload type 17
    016046: *Mar 2 05:14:18.796 UTC: ISAKMP (0:1): Detected NAT-D payload
    016047: *Mar 2 05:14:18.796 UTC: ISAKMP (0:1): recalc my hash for NAT-D
    016048: *Mar 2 05:14:18.796 UTC: ISAKMP (0:1): NAT match MINE hash
    016049: *Mar 2 05:14:18.796 UTC: ISAKMP:received payload type 17
    016050: *Mar 2 05:14:18.796 UTC: ISAKMP (0:1): Detected NAT-D payload
    016051: *Mar 2 05:14:18.796 UTC: ISAKMP (0:1): recalc his hash for NAT-D
    016052: *Mar 2 05:14:18.796 UTC: ISAKMP (0:1): NAT match HIS hash
    016053: *Mar 2 05:14:18.796 UTC: ISAKMP (0:1): SA has been authenticated with 192.168.1.10
    016054: *Mar 2 05:14:18.796 UTC: ISAKMP: Trying to insert a peer 192.168.1.70/192.168.1.10/500/, and inserted successfully.
    016055: *Mar 2 05:14:18.800 UTC: ISAKMP (0:1): peer matches none of the profiles
    016056: *Mar 2 05:14:18.800 UTC: ISAKMP (0:1): Input = IKEMESG_FROMPEER, IKEAMEXCH
    016057: *Mar 2 05:14:18.800 UTC: ISAKMP (0:1): Old State = IKERAM2 New State = IKEP1COMPLETE
    016058: *Mar 2 05:14:18.800 UTC: ISAKMP (0:1): received packet from 192.168.1.10 dport 500 sport 500 Global (R) QM_IDLE
    016059: *Mar 2 05:14:18.800 UTC: ISAKMP: set new node -499921571 to CONF_XAUTH
    016060: *Mar 2 05:14:18.804 UTC: ISAKMP (0:1): processing HASH payload. message ID = -499921571
    016061: *Mar 2 05:14:18.804 UTC: ISAKMP (0:1): processing NOTIFY INITIAL_CONTACT protocol 1
    spi 0, message ID = -499921571, sa = 815825EC
    016062: *Mar 2 05:14:18.804 UTC: ISAKMP (0:1): Process initial contact,
    bring down existing phase 1 and 2 SA's with local 192.168.1.70 remote 192.168.1.10 remote port 500
    016063: *Mar 2 05:14:18.804 UTC: ISAKMP (0:1): returning IP addr to the address pool
    016064: *Mar 2 05:14:18.808 UTC: IPSEC(key_engine): got a queue event with 1 kei messages
    016065: *Mar 2 05:14:18.808 UTC: ISAKMP (0:1): deleting node -499921571 error FALSE reason "informational (in) state 1"
    016066: *Mar 2 05:14:18.808 UTC: ISAKMP (0:1): Input = IKEMESG_FROMPEER, IKEINFONOTIFY
    016067: *Mar 2 05:14:18.808 UTC: ISAKMP (0:1): Old State = IKEP1COMPLETE New State = IKEP1COMPLETE
    016068: *Mar 2 05:14:18.808 UTC: ISAKMP (0:1): received packet from 192.168.1.10 dport 500 sport 500 Global (R) QM_IDLE
    016069: *Mar 2 05:14:18.812 UTC: ISAKMP: set new node -326994436 to CONF_XAUTH
    016070: *Mar 2 05:14:18.812 UTC: ISAKMP (0:1): Need XAUTH
    016071: *Mar 2 05:14:18.816 UTC: AAA: parse name=ISAKMP500 idb type=-1 tty=-1
    016072: *Mar 2 05:14:18.816 UTC: AAA: name=ISAKMP500 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=500 channel=0
    016073: *Mar 2 05:14:18.816 UTC: AAA: parse name=<no string> idb type=-1 tty=-1
    016074: *Mar 2 05:14:18.816 UTC: AAA/MEMORY: create_user (0x816C2654) user='NULL' ruser='NULL' ds0=0 port='ISAKMP500' rem_addr='192.168.1.10' authen_type=ASCII service=LOGIN priv=0 initialtaskid='0', vrf= (id=0)
    016075: *Mar 2 05:14:18.816 UTC: ISAKMP (0:1): Input = IKEMESGINTERNAL, IKEPHASE1COMPLETE
    016076: *Mar 2 05:14:18.816 UTC: ISAKMP (0:1): Old State = IKEP1COMPLETE New State = IKEXAUTH_AAA_START_LOGINAWAIT
    016077: *Mar 2 05:14:18.820 UTC: AAA/AUTHEN/START (687144130): port='ISAKMP500' list='LOGIN' action=LOGIN service=LOGIN
    016078: *Mar 2 05:14:18.820 UTC: AAA/AUTHEN/START (687144130): found list LOGIN
    016079: *Mar 2 05:14:18.820 UTC: AAA/AUTHEN/START (687144130): Method=LOCAL
    016080: *Mar 2 05:14:18.820 UTC: AAA/AUTHEN(687144130): Status=GETUSER
    016081: *Mar 2 05:14:18.820 UTC: ISAKMP (0:1): Unknown Input: state = IKEXAUTH_AAA_START_LOGINAWAIT, major, minor = IKEMESGINTERNAL, IKEPHASE1COMPLETE
    016082: *Mar 2 05:14:18.820 UTC: ISAKMP: got callback 1
    016083: *Mar 2 05:14:18.820 UTC: ISAKMP: set new node 1267078368 to CONF_XAUTH
    016084: *Mar 2 05:14:18.824 UTC: ISAKMP/xauth: request attribute XAUTH_TYPE
    016085: *Mar 2 05:14:18.824 UTC: ISAKMP/xauth: request attribute XAUTH_MESSAGE
    016086: *Mar 2 05:14:18.824 UTC: ISAKMP/xauth: request attribute XAUTHUSERNAME
    016087: *Mar 2 05:14:18.824 UTC: ISAKMP/xauth: request attribute XAUTHUSERPASSWORD
    016088: *Mar 2 05:14:18.824 UTC: ISAKMP (0:1): initiating peer config to 192.168.1.10. ID = 1267078368
    016089: *Mar 2 05:14:18.828 UTC: ISAKMP (0:1): sending packet to 192.168.1.10 my_port 500 peer_port 500 (R) CONF_XAUTH
    016090: *Mar 2 05:14:18.828 UTC: ISAKMP (0:1): Input = IKEMESG_FROMAAA, IKEAAA_STARTLOGIN
    016091: *Mar 2 05:14:18.828 UTC: ISAKMP (0:1): Old State = IKEXAUTH_AAA_START_LOGINAWAIT New State = IKEXAUTH_REQSENT
    016092: *Mar 2 05:14:18.836 UTC: ISAKMP (0:1): received packet from 192.168.1.10 dport 500 sport 500 Global (R) CONF_XAUTH
    016093: *Mar 2 05:14:18.836 UTC: ISAKMP (0:1): processing transaction payload from 192.168.1.10. message ID = 1267078368
    016094: *Mar 2 05:14:18.840 UTC: ISAKMP: Config payload REPLY
    016095: *Mar 2 05:14:18.840 UTC: ISAKMP/xauth: Expected attribute XAUTH_TYPE not received
    016096: *Mar 2 05:14:18.840 UTC: AAA/MEMORY: free_user (0x816C2654) user='NULL' ruser='NULL' port='ISAKMP500' rem_addr='192.168.1.10' authen_type=ASCII service=LOGIN priv=0 vrf= (id=0)
    016097: *Mar 2 05:14:18.840 UTC: AAA: parse name=ISAKMP500 idb type=-1 tty=-1
    016098: *Mar 2 05:14:18.840 UTC: AAA: name=ISAKMP500 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=500 channel=0
    016099: *Mar 2 05:14:18.840 UTC: AAA: parse name=<no string> idb type=-1 tty=-1
    016100: *Mar 2 05:14:18.840 UTC: AAA/MEMORY: create_user (0x816C2654) user='NULL' ruser='NULL' ds0=0 port='ISAKMP500' rem_addr='192.168.1.10' authen_type=ASCII service=LOGIN priv=0 initialtaskid='0', vrf= (id=0)
    016101: *Mar 2 05:14:18.844 UTC: ISAKMP (0:1): Input = IKEMESG_FROMPEER, IKECFGREPLY
    016102: *Mar 2 05:14:18.844 UTC: ISAKMP (0:1): Old State = IKEXAUTH_REQSENT New State = IKEXAUTH_AAA_START_LOGINAWAIT
    016103: *Mar 2 05:14:18.844 UTC: AAA/AUTHEN/START (741762202): port='ISAKMP500' list='LOGIN' action=LOGIN service=LOGIN
    016104: *Mar 2 05:14:18.844 UTC: AAA/AUTHEN/START (741762202): found list LOGIN
    016105: *Mar 2 05:14:18.844 UTC: AAA/AUTHEN/START (741762202): Method=LOCAL
    016106: *Mar 2 05:14:18.844 UTC: AAA/AUTHEN(741762202): Status=GETUSER
    016107: *Mar 2 05:14:18.848 UTC: ISAKMP: got callback 1
    016108: *Mar 2 05:14:18.848 UTC: ISAKMP: set new node -623612407 to CONF_XAUTH
    016109: *Mar 2 05:14:18.848 UTC: ISAKMP/xauth: request attribute XAUTH_TYPE
    016110: *Mar 2 05:14:18.848 UTC: ISAKMP/xauth: request attribute XAUTH_MESSAGE
    016111: *Mar 2 05:14:18.848 UTC: ISAKMP/xauth: request attribute XAUTHUSERNAME
    016112: *Mar 2 05:14:18.848 UTC: ISAKMP/xauth: request attribute XAUTHUSERPASSWORD
    016113: *Mar 2 05:14:18.852 UTC: ISAKMP (0:1): initiating peer config to 192.168.1.10. ID = -623612407
    016114: *Mar 2 05:14:18.852 UTC: ISAKMP (0:1): sending packet to 192.168.1.10 my_port 500 peer_port 500 (R) CONF_XAUTH
    016115: *Mar 2 05:14:18.852 UTC: ISAKMP (0:1): Input = IKEMESG_FROMAAA, IKEAAA_STARTLOGIN
    016116: *Mar 2 05:14:18.852 UTC: ISAKMP (0:1): Old State = IKEXAUTH_AAA_START_LOGINAWAIT New State = IKEXAUTH_REQSENT
    016117: *Mar 2 05:14:19.036 UTC: ISAKMP (0:1): received packet from 192.168.1.10 dport 500 sport 500 Global (R) CONF_XAUTH
    016118: *Mar 2 05:14:19.040 UTC: ISAKMP (0:1): processing transaction payload from 192.168.1.10. message ID = -623612407
    016119: *Mar 2 05:14:19.040 UTC: ISAKMP: Config payload REPLY
    016120: *Mar 2 05:14:19.040 UTC: ISAKMP/xauth: Expected attribute XAUTH_TYPE not received
    016121: *Mar 2 05:14:19.040 UTC: AAA/MEMORY: free_user (0x816C2654) user='NULL' ruser='NULL' port='ISAKMP500' rem_addr='192.168.1.10' authen_type=ASCII service=LOGIN priv=0 vrf= (id=0)
    016122: *Mar 2 05:14:19.040 UTC: AAA: parse name=ISAKMP500 idb type=-1 tty=-1
    016123: *Mar 2 05:14:19.044 UTC: AAA: name=ISAKMP500 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=500 channel=0
    016124: *Mar 2 05:14:19.044 UTC: AAA: parse name=<no string> idb type=-1 tty=-1
    016125: *Mar 2 05:14:19.044 UTC: AAA/MEMORY: create_user (0x8156DB1C) user='NULL' ruser='NULL' ds0=0 port='ISAKMP500' rem_addr='192.168.1.10' authen_type=ASCII service=LOGIN priv=0 initialtaskid='0', vrf= (id=0)
    016126: *Mar 2 05:14:19.044 UTC: ISAKMP (0:1): Input = IKEMESG_FROMPEER, IKECFGREPLY
    016127: *Mar 2 05:14:19.044 UTC: ISAKMP (0:1): Old State = IKEXAUTH_REQSENT New State = IKEXAUTH_AAA_START_LOGINAWAIT
    016128: *Mar 2 05:14:19.044 UTC: AAA/AUTHEN/START (3918303509): port='ISAKMP500' list='LOGIN' action=LOGIN service=LOGIN
    016129: *Mar 2 05:14:19.044 UTC: AAA/AUTHEN/START (3918303509): found list LOGIN
    016130: *Mar 2 05:14:19.048 UTC: AAA/AUTHEN/START (3918303509): Method=LOCAL
    016131: *Mar 2 05:14:19.048 UTC: AAA/AUTHEN(3918303509): Status=GETUSER
    016132: *Mar 2 05:14:19.048 UTC: ISAKMP: got callback 1
    016133: *Mar 2 05:14:19.048 UTC: ISAKMP: set new node 1898470555 to CONF_XAUTH
    016134: *Mar 2 05:14:19.048 UTC: ISAKMP/xauth: request attribute XAUTH_TYPE
    016135: *Mar 2 05:14:19.048 UTC: ISAKMP/xauth: request attribute XAUTH_MESSAGE
    016136: *Mar 2 05:14:19.048 UTC: ISAKMP/xauth: request attribute XAUTHUSERNAME
    016137: *Mar 2 05:14:19.052 UTC: ISAKMP/xauth: request attribute XAUTHUSERPASSWORD
    016138: *Mar 2 05:14:19.052 UTC: ISAKMP (0:1): initiating peer config to 192.168.1.10. ID = 1898470555
    016139: *Mar 2 05:14:19.052 UTC: ISAKMP (0:1): sending packet to 192.168.1.10 my_port 500 peer_port 500 (R) CONF_XAUTH
    016140: *Mar 2 05:14:19.056 UTC: ISAKMP (0:1): Input = IKEMESG_FROMAAA, IKEAAA_STARTLOGIN
    016141: *Mar 2 05:14:19.056 UTC: ISAKMP (0:1): Old State = IKEXAUTH_AAA_START_LOGINAWAIT New State = IKEXAUTH_REQSENT
    016142: *Mar 2 05:14:19.056 UTC: ISAKMP (0:1): received packet from 192.168.1.10 dport 500 sport 500 Global (R) CONF_XAUTH
    016143: *Mar 2 05:14:19.064 UTC: ISAKMP (0:1): processing transaction payload from 192.168.1.10. message ID = 1898470555
    016144: *Mar 2 05:14:19.064 UTC: ISAKMP: Config payload REPLY
    016145: *Mar 2 05:14:19.064 UTC: ISAKMP/xauth: Expected attribute XAUTH_TYPE not received
    016146: *Mar 2 05:14:19.064 UTC: AAA/MEMORY: free_user (0x8156DB1C) user='NULL' ruser='NULL' port='ISAKMP500' rem_addr='192.168.1.10' authen_type=ASCII service=LOGIN priv=0 vrf= (id=0)
    016147: *Mar 2 05:14:19.068 UTC: ISAKMP (0:1): peer does not do paranoid keepalives.
    016148: *Mar 2 05:14:19.068 UTC: ISAKMP (0:1): deleting SA reason "XAuthenticate fail" state (R) CONF_XAUTH (peer 192.168.1.10) input queue 0
    016149: *Mar 2 05:14:19.068 UTC: ISAKMP: Unlocking IKE struct 0x816C55CC for isadbmark_sadeleted(), count 0
    016150: *Mar 2 05:14:19.068 UTC: ISAKMP: Deleting peer node by peer_reap for 192.168.1.10: 816C55CC
    016151: *Mar 2 05:14:19.068 UTC: ISAKMP: set new node -1893737389 to QM_IDLE
    016152: *Mar 2 05:14:19.072 UTC: ISAKMP (0:1): sending packet to 192.168.1.10 my_port 500 peer_port 500 (R) MMNOSTATE
    016153: *Mar 2 05:14:19.072 UTC: ISAKMP (0:1): purging node -1893737389
    016154: *Mar 2 05:14:19.072 UTC: ISAKMP (0:1): deleting node -326994436 error FALSE reason "XAuthenticate fail"
    016155: *Mar 2 05:14:19.072 UTC: ISAKMP (0:1): deleting node 1267078368 error FALSE reason "XAuthenticate fail"
    016156: *Mar 2 05:14:19.076 UTC: ISAKMP (0:1): deleting node -623612407 error FALSE reason "XAuthenticate fail"
    016157: *Mar 2 05:14:19.076 UTC: ISAKMP (0:1): deleting node 1898470555 error FALSE reason "XAuthenticate fail"
    016158: *Mar 2 05:14:19.076 UTC: ISAKMP (0:1): Input = IKEMESG_FROMPEER, IKECFGREPLY
    016159: *Mar 2 05:14:19.076 UTC: ISAKMP (0:1): Old State = IKEXAUTH_REQSENT New State = IKEDESTSA
    016160: *Mar 2 05:14:19.076 UTC: IPSEC(key_engine): got a queue event with 1 kei messages
    016161: *Mar 2 05:14:19.076 UTC: IPSEC(keyengine_deletesas): rec'd delete notify from ISAKMP
    016162: *Mar 2 05:14:19.076 UTC: IPSEC(keyengine_deletesas): delete all SAs shared with peer 192.168.1.10
    016163: *Mar 2 05:14:28.368 UTC: ISAKMP (0:1): received packet from 192.168.1.10 dport 500 sport 500 Global (R) MMNOSTATE
    016164: *Mar 2 05:14:38.368 UTC: ISAKMP (0:1): received packet from 192.168.1.10 dport 500 sport 500 Global (R) MMNOSTATE
    016165: *Mar 2 05:15:08.808 UTC: ISAKMP (0:1): purging node -499921571
    016166: *Mar 2 05:15:09.072 UTC: ISAKMP (0:1): purging node -326994436
    016167: *Mar 2 05:15:09.076 UTC: ISAKMP (0:1): purging node 1267078368
    016168: *Mar 2 05:15:09.076 UTC: ISAKMP (0:1): purging node -623612407
    016169: *Mar 2 05:15:09.076 UTC: ISAKMP (0:1): purging node 1898470555
    016170: *Mar 2 05:15:19.076 UTC: ISAKMP (0:1): purging SA., sa=815825EC, delme=815825EC
    In Leopard I used the doortest user (created with mschap), shared secret cisco123, group PRUEBA.
    Any CISCO CCNA out there, please?
    It should work following this: http://www.macosxhints.com/article.php?story=20070827135109248
    Thanks, guys.
    PS: the Cisco...
    Cisco Internetwork Operating System Software
    IOS (tm) C837 Software (C837-K9O3Y6-M), Version 12.3(2)XC2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
    Synched to technology version 12.3(1.6)T
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2004 by cisco Systems, Inc.
    Compiled Thu 04-Mar-04 01:13 by ealyon
    Image text-base: 0x800131E8, data-base: 0x80B93040
    ROM: System Bootstrap, Version 12.2(11r)YV1, RELEASE SOFTWARE (fc1)
    ROM: C837 Software (C837-K9O3Y6-M), Version 12.3(2)XC2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
    door uptime is 1 day, 5 hours, 27 minutes
    System returned to ROM by power-on
    System image file is "flash:c837-k9o3y6-mz.123-2.XC2.bin"

    Nobody using VPNs out there?
    Are CISCO VPN concentrators old fashioned?
    C'mon!
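An added example (not part of the original post): a Python triage script for IOS ISAKMP/AAA debug output in the shape quoted above. It joins the wrapped `AAA/AUTHOR/IKE` lines, summarises the offered proposal, the IKE state transitions and the teardown reason, and redacts the values that such pastes disclose (the `tunnel-password` AV and `password 7` strings). The sample lines are constructed to mirror the post, the two secret values in them are placeholders, and all function names are hypothetical.

```python
import re

# Constructed sample in the shape of the config and debug paste above.
# The two secret values are placeholders, not values from the post.
SAMPLE = """\
password 7 0123456789ABCDEF
015972: *Mar 2 05:14:18.116 UTC: ISAKMP: encryption 3DES-CBC
015973: *Mar 2 05:14:18.116 UTC: ISAKMP: auth pre-share
015974: *Mar 2 05:14:18.116 UTC: ISAKMP: hash SHA
015975: *Mar 2 05:14:18.116 UTC: ISAKMP: default group 2
016008: *Mar 2 05:14:18.612 UTC: ISAKMP (0:1): Old State = IKE_READY New State = IKER_AM_AAAAWAIT
016019: *Mar 2 05:14:18.624 UTC:
AAA/AUTHOR/IKE: Processing AV tunnel-password=ExampleKey1
016057: *Mar 2 05:14:18.800 UTC: ISAKMP (0:1): Old State = IKERAM2 New State = IKEP1COMPLETE
016091: *Mar 2 05:14:18.828 UTC: ISAKMP (0:1): Old State = IKEXAUTH_AAA_START_LOGINAWAIT New State = IKEXAUTH_REQSENT
016095: *Mar 2 05:14:18.840 UTC: ISAKMP/xauth: Expected attribute XAUTH_TYPE not received
016120: *Mar 2 05:14:19.040 UTC: ISAKMP/xauth: Expected attribute XAUTH_TYPE not received
016145: *Mar 2 05:14:19.064 UTC: ISAKMP/xauth: Expected attribute XAUTH_TYPE not received
016148: *Mar 2 05:14:19.068 UTC: ISAKMP (0:1): deleting SA reason "XAuthenticate fail" state (R) CONF_XAUTH (peer 192.168.1.10) input queue 0
016159: *Mar 2 05:14:19.076 UTC: ISAKMP (0:1): Old State = IKEXAUTH_REQSENT New State = IKEDESTSA
"""

# "<seq>: *<Mon> <day> <hh:mm:ss.mmm> UTC: <message>"
RECORD = re.compile(r"^\s*(\d+): \*?(\w{3} +\d+ [\d:.]+) UTC:\s*(.*)$")
PROPOSAL = re.compile(r"^ISAKMP:\s+(encryption|hash|auth|default group)\s+(\S+)$")
STATE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
MISSING = re.compile(r"Expected attribute (\S+) not received")
DELETE = re.compile(r'deleting SA reason "([^"]+)" state \(\w\) (\S+)\s+\(peer ([\d.]+)\)')

# Values worth removing before a paste leaves the device: the IKE group key
# echoed by AAA debugging, and type 7 strings (reversible obfuscation).
SECRETS = [
    ("ike-group-key", re.compile(r"(AV tunnel-password=)(\S+)")),
    ("type7-password", re.compile(r"(\bpassword 7 )([0-9A-Fa-f]+)")),
]


def parse_records(text):
    """Return debug records; a record whose message wrapped onto the next
    line (empty text after 'UTC:') is completed from that line."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            records.append({"seq": int(m.group(1)), "time": m.group(2),
                            "msg": m.group(3).strip()})
        elif records and line.strip() and not records[-1]["msg"]:
            records[-1]["msg"] = line.strip()
        # Anything else (config lines, prompts, payload dumps) is skipped.
    return records


def summarize(records):
    """Collect the offered proposal, state transitions, missing XAUTH
    attributes and the SA teardown reason from parsed records."""
    s = {"proposal": {}, "transitions": [], "missing": {}, "teardown": None}
    for r in records:
        msg = r["msg"]
        m = PROPOSAL.match(msg)
        if m:
            s["proposal"][m.group(1)] = m.group(2)
            continue
        m = STATE.search(msg)
        if m:
            s["transitions"].append((m.group(1), m.group(2)))
            continue
        m = MISSING.search(msg)
        if m:
            s["missing"][m.group(1)] = s["missing"].get(m.group(1), 0) + 1
            continue
        m = DELETE.search(msg)
        if m:
            s["teardown"] = {"seq": r["seq"], "reason": m.group(1),
                             "state": m.group(2), "peer": m.group(3)}
    return s


def redact(text):
    """Return (sanitised_text, findings); findings are (line_no, kind)."""
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        for kind, rx in SECRETS:
            if rx.search(line):
                findings.append((i + 1, kind))
                line = rx.sub(r"\1<redacted>", line)
        lines[i] = line
    return "\n".join(lines), findings


if __name__ == "__main__":
    summary = summarize(parse_records(SAMPLE))
    print(summary["proposal"])
    print(summary["missing"], summary["teardown"])
    print(redact(SAMPLE)[1])
```

On the sample, the summary shows phase 1 completing and the SA being deleted in `CONF_XAUTH` after three replies without `XAUTH_TYPE`, which is where to start looking in a capture like the one above.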

  • ACE10 Strange behaviour

    Hello,
    It's strange to see the big difference in the system uptime and the kernel uptime. The ACE had caused a production impact for around 8 minutes and the standby ACE didn't take over during that time frame, although the FT/query VLAN is configured perfectly fine.
    Since there was no log generated on the 6500 switch for the module reset, I suspect that the module would have got hung and recovered by itself.
    I also don't find anything strange in the ft history * outputs.
    I suspect that this might be a bug since the image is very old (Version A2(1.0)).
    `show system uptime`
    System start time:          Tue Jun 12 10:41:12 2012
    System uptime:              0 days, 20 hours, 5 minutes, 6 seconds
    Kernel uptime:              5 days, 1 hours, 6 minutes, 8 seconds
    last boot reason:  Unknown
    configuration register:  0x1
    ACE-1 kernel uptime is 5 days 1 hours 6 minute(s) 8 second(s)
    `show ft peer detail`
    Peer Id                      : 1
    State                        : FSM_PEER_STATE_COMPATIBLE
    Maintenance mode             : MAINT_MODE_OFF
    FT Vlan                      : 503
    FT Vlan IF State             : UP
    My IP Addr                   : 2.2.2.1
    Peer IP Addr                 : 2.2.2.2
    Query Vlan                   : 502
    Query Vlan IF State          : UP
    Peer Query IP Addr           : 5.5.5.2
    Heartbeat Interval           : 200
    Heartbeat Count              : 20
    Tx Packets                   : 14870
    Tx Bytes                     : 3459966
    Rx Packets                   : 14674
    Rx Bytes                     : 3443749
    Rx Error Bytes               : 0
    Tx Keepalive Packets         : 14520
    Rx Keepalive Packets         : 14520
    TL_CLOSE count               : 0
    FT_VLAN_DOWN count           : 0
    PEER_DOWN count              : 0
    SRG Compatibility            : COMPATIBLE
    License Compatibility        : COMPATIBLE
    FT Groups                    : 9
    `show ft group detail`
    FT Group                     : 1
    No. of Contexts              : 1
    Context Name                 : Admin
    Context Id                   : 0
    Configured Status            : in-service
    Maintenance mode             : MAINT_MODE_OFF
    My State                     : FSM_FT_STATE_ACTIVE
    My Config Priority           : 250
    My Net Priority              : 250
    My Preempt                   : Enabled
    Peer State                   : FSM_FT_STATE_STANDBY_HOT
    Peer Config Priority         : 100
    Peer Net Priority            : 100
    Peer Preempt                 : Enabled
    Peer Id                      : 1
    Last State Change time       : Tue Jun 12 10:43:20 2012
    Running cfg sync enabled     : Enabled
    Running cfg sync status      : Running configuration sync has completed
    Startup cfg sync enabled     : Enabled
    Startup cfg sync status      : Startup configuration sync has completed
    Bulk sync done for ARP: 0
    Bulk sync done for LB: 0
    Bulk sync done for ICM: 0
    FT Group                     : 2
    No. of Contexts              : 1
    Context Name                 : Microsoft
    Context Id                   : 2
    Configured Status            : in-service
    Maintenance mode             : MAINT_MODE_OFF
    My State                     : FSM_FT_STATE_ACTIVE
    My Config Priority           : 250
    My Net Priority              : 250
    My Preempt                   : Enabled
    Peer State                   : FSM_FT_STATE_STANDBY_HOT
    Peer Config Priority         : 100
    Peer Net Priority            : 100
    Peer Preempt                 : Enabled
    Peer Id                      : 1
    Last State Change time       : Tue Jun 12 10:43:20 2012
    Running cfg sync enabled     : Enabled
    Running cfg sync status      : Running configuration sync has completed
    Startup cfg sync enabled     : Enabled
    Startup cfg sync status      : Startup configuration sync has completed
    Bulk sync done for ARP: 0
    Bulk sync done for LB: 0
    Bulk sync done for ICM: 0
    Switch logs:
    %SVCLC-5-SVCLCNTP: Could not update clock on the module 11, rc is -1
    Regards,
    Akhtar

    Hello Akhtar,
    As you said, probably the device might have started hanging at that moment, and that's why the failover was never fired. It would have been good to force a manual reset of the module.
    There are some bugs which show "last reboot reason: unknown", and they are called "silent bugs"; however, the ACE might have had a process which was stuck at that moment. Do you have a high logging level?
    Also, you can check with `dir core:` to see if the device generated any core dump. Here is the link about it:
    http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Troubleshooting_Guide_--_Overview_of_ACE_Troubleshooting#Copying_Core_Dumps
    Anyway, if the device did not generate any core dump, it would be good to proceed with a proactive upgrade to version a2.3.3 or higher and monitor the behavior. In case you experience the same behavior, please try to collect `show tech-support` if it is possible. If not, hopefully the ACE will fail over to its peer; if that does not happen, force the reboot and trigger the failover to avoid further outage. Please be aware that the more information we get, the better we can determine the root cause.
    Here you have the link where you can get the software from:
    http://www.cisco.com/cisco/software/release.html?mdfid=280557289&softwareid=280836740&release=A2%283.6a%29&flowid=3314
    Here you have a link about the upgrade process:
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/administration/guide/upgrade.html#wp1008104
    Jorge

  • Facing Issue in ACE 4710 ..Secondary ACE showing as FSM_FT_STATE_STANDBY_COLD ...

    Hi All,
    I am facing a problem with my ACE 4710 in an active-standby environment. When I check `show ft group detail` on my active ACE, it shows the peer state as FSM_FT_STATE_STANDBY_COLD for the Admin context. Below is the output:
    Primary_ACE/Admin#sh ft group detail
    FT Group                     : 1
    No. of Contexts              : 1
    Context Name                 : Admin
    Context Id                   : 0
    Configured Status            : in-service
    Maintenance mode             : MAINT_MODE_OFF
    My State                     : FSM_FT_STATE_ACTIVE
    My Config Priority           : 120
    My Net Priority              : 120
    My Preempt                   : Enabled
    Peer State                   : FSM_FT_STATE_STANDBY_COLD
    Peer Config Priority         : 100
    Peer Net Priority            : 100
    Peer Preempt                 : Enabled
    Peer Id                      : 1
    Last State Change time       : Tue Jan  1 05:32:55 2002
    Running cfg sync enabled     : Enabled
    Running cfg sync status      : Peer in Cold State. Error on Standby device when applying configuration file replicated from active
    Startup cfg sync enabled     : Enabled
    Startup cfg sync status      : Peer in Cold State. Startup configuration sync has completed
    Bulk sync done for ARP: 0
    Bulk sync done for LB: 0
    Bulk sync done for ICM: 0
    FT Group                     : 2
    No. of Contexts              : 1
    Context Name                 : APP_Context
    Context Id                   : 1
    Configured Status            : in-service
    Maintenance mode             : MAINT_MODE_OFF
    My State                     : FSM_FT_STATE_ACTIVE
    My Config Priority           : 120
    My Net Priority              : 120
    My Preempt                   : Enabled
    Peer State                   : FSM_FT_STATE_STANDBY_HOT
    Peer Config Priority         : 100
    Peer Net Priority            : 100
    Peer Preempt                 : Enabled
    Peer Id                      : 1
    Last State Change time       : Tue Jan  1 05:32:56 2002
    Running cfg sync enabled     : Enabled
    Running cfg sync status      : Running configuration sync has completed
    Startup cfg sync enabled     : Enabled
    Startup cfg sync status      : Startup configuration sync has completed
    Bulk sync done for ARP: 0
    Bulk sync done for LB: 0
    Bulk sync done for ICM: 0
    Also, when I run `show ft config-errors` on my secondary ACE, it gives the following result.
    Secondary_ACE/Admin#sh ft config-error
    Mon Jun 10 00:04:11 IST 2002
    `no 3 match virtual-address 10.40.3.15 tcp eq https`
    Error: LB action requires match vip command
    `no 3 match virtual-address 10.40.3.15 tcp eq 8082`
    Error: LB action requires match vip command
    `no 3 match virtual-address 10.40.3.21 tcp eq www`
    Error: LB action requires match vip command
    `no 3 match virtual-address 10.40.3.21 tcp eq https`
    Error: LB action requires match vip command
    `2 match virtual-address 10.40.3.21 tcp eq https`
    Error: This configuration already exists
    `2 match virtual-address 10.40.3.21 tcp eq www`
    Error: This configuration already exists
    `2 match virtual-address 10.40.3.15 tcp eq 8082`
    Error: This configuration already exists
    `2 match virtual-address 10.40.3.15 tcp eq https`
    Error: This configuration already exists
    Error(s) while applying config.
    I am attaching the running configuration of both the ACEs. Kindly help me in resolving the issue.
    Also, I noticed one thing. There is a configuration difference between the Primary and Secondary ACE. I guess this is causing the issue.
    Need help to fix this ASAP.
    The following configuration is missing on the secondary ACE.
    ======================================================================
    class-map match-all WEB_FARM_VIP-80
      3 match virtual-address 10.40.3.15 tcp eq www
    policy-map type loadbalance first-match WEB_FARM_VIP-80-l7slb
      class class-default
        serverfarm HTTP-2-HTTPS
      class WEB_FARM_VIP-80
        loadbalance vip inservice
        loadbalance policy WEB_FARM_VIP-80-l7slb
    Thanks,
    Tushar

    Dear all,
    Please help me out in this regard; I don't have much idea about ACE.
    Regards,
    Sashi
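A triage helper for the `show ft config-error` output posted in this thread, added here as an example and not part of the original posts: it pairs each rejected command with its error and groups the `match virtual-address` lines by VIP, so sequence-number mismatches between the two ACEs stand out. The sample text is copied from the post; the function names are assumptions.

```python
import re
from collections import defaultdict

# Output copied from the post above.
SAMPLE = """\
Secondary_ACE/Admin#sh ft config-error
Mon Jun 10 00:04:11 IST 2002
`no 3 match virtual-address 10.40.3.15 tcp eq https`
Error: LB action requires match vip command
`no 3 match virtual-address 10.40.3.15 tcp eq 8082`
Error: LB action requires match vip command
`no 3 match virtual-address 10.40.3.21 tcp eq www`
Error: LB action requires match vip command
`no 3 match virtual-address 10.40.3.21 tcp eq https`
Error: LB action requires match vip command
`2 match virtual-address 10.40.3.21 tcp eq https`
Error: This configuration already exists
`2 match virtual-address 10.40.3.21 tcp eq www`
Error: This configuration already exists
`2 match virtual-address 10.40.3.15 tcp eq 8082`
Error: This configuration already exists
`2 match virtual-address 10.40.3.15 tcp eq https`
Error: This configuration already exists
Error(s) while applying config.
"""

CMD = re.compile(r"^`(.+)`$")
MATCH_VIP = re.compile(r"^(no )?(\d+) match virtual-address (\S+) (\S+) eq (\S+)$")


def parse_config_errors(text):
    """Return [(command, error)] for every rejected command in the output."""
    pairs, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = CMD.match(line)
        if m:
            pending = m.group(1)
        elif line.startswith("Error: ") and pending is not None:
            pairs.append((pending, line[len("Error: "):]))
            pending = None
    return pairs


def by_vip(pairs):
    """Group rejected 'match virtual-address' commands by (address, protocol, port)."""
    vips = defaultdict(list)
    for cmd, err in pairs:
        m = MATCH_VIP.match(cmd)
        if m:
            negated, seq, addr, proto, port = m.groups()
            vips[(addr, proto, port)].append(("remove" if negated else "add", int(seq), err))
    return dict(vips)


def renumber_conflicts(vips):
    """VIPs where the sync tried to remove one sequence number and add a different one."""
    out = {}
    for vip, ops in vips.items():
        removed = {seq for op, seq, _ in ops if op == "remove"}
        added = {seq for op, seq, _ in ops if op == "add"}
        if removed and added and removed != added:
            out[vip] = (sorted(removed), sorted(added))
    return out


if __name__ == "__main__":
    for vip, (old, new) in sorted(renumber_conflicts(by_vip(parse_config_errors(SAMPLE))).items()):
        print(vip, "standby rejected removing line", old, "and adding line", new)
```

Every VIP it reports is one where the standby rejected both the removal and the re-add, which narrows the manual comparison of the two running configurations to those class-map lines.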

  • Need Urgent Help on Meeting Place Integration with CUCM 7.1 and AS5400 PSTN Gateway

    Hi,
    This is the first time I am on this forum.
    I have already tried going through a lot of docs on docwiki.cisco.com but couldn't find complete configuration help.
    I have to integrate Meeting Place 8.X with an existing CUCM and an E1 gateway (PSTN Gateway) AS5400.
    The CUCM is already part of a Telepresence Environment. I need to create a SIP trunk between AS5400 and CUCM 7.1 and then create a Trunk between AS5400 and Cisco Unified MP 8.X and then between CUMP and CUCM.
    I need help on AS5400 SIP Configs as well as parameters I need to cover on CUCM (Though I have done some basic dial-peer configs but they haven't been of much help).
    Then I also need help on AS5400 SIP configs with CUMP 8.0
    Any docs on Integration between CUMP and TP3000 will be of great help too.
    Rgds,
    Asim

    I can get the Ricoh to register as a SIP endpoint; it answers, then immediately disconnects. Monitoring with Wireshark, it looks like it attempts to negotiate t38 but fails. Any idea why this fails?
    |160.260684000|         INVITE SDP (g711U)            |                   |SIP From:
    |         |(5060)   ------------------>  (5060)   |                   |
    |160.338806000|         INVITE SDP (t38)              |                   |SIP Request
    |         |(5060)   <------------------  (63435)  |                   |
    |160.339545000|         491 Request Pending           |                   |SIP Status
    |         |(5060)   ------------------>  (5060)   |                   |
    |160.547894000|         406 Not Acceptable            |                   |SIP Status
    |         |(5060)   <------------------  (63435)  |                   |

  • VPC + SVI problem

    Hello,
    We have the topology in the attachment, and we have a problem with SVI and VPC.
    The configuration:
    N5K1:
    vpc domain 100
      peer-switch
      role priority 100
      system-priority 1024
      peer-keepalive destination 192.168.21.1
      peer-config-check-bypass
      delay restore 150
      peer-gateway
      auto-recovery
      ip arp synchronize
    vlan 801
      name DEV_WAN
    interface Vlan801
      description IP DEV
      no shutdown
      no ip redirects
    interface Vlan1000
      no shutdown
      no ip redirects
      ip address 192.168.22.5/30
    interface port-channel1000
      switchport mode trunk
      spanning-tree port type network
      spanning-tree guard loop
      vpc peer-link
    interface port-channel401
      description LACP-SRV1
      switchport mode trunk
      speed 1000
      duplex full
      vpc 401
    interface Ethernet1/1
      description "TRUNK VPC"
      no cdp enable
      switchport mode trunk
      spanning-tree port type network
      spanning-tree bpdufilter enable
      channel-group 1000 mode active
    interface Ethernet1/2
      description "TRUNK VPC"
      switchport mode trunk
      spanning-tree port type network
      channel-group 1000 mode active
    interface Ethernet1/5
      description SRV1_GB2
      switchport mode trunk
      speed 1000
      duplex full
      channel-group 401 mode active
    interface Ethernet1/29
      description Uplink N5K3
      switchport mode trunk
    N5K2:
    vpc domain 100
      peer-switch
      role priority 110
      system-priority 1024
      peer-keepalive destination 192.168.21.2
      peer-config-check-bypass
      delay restore 150
      peer-gateway
      auto-recovery
      ip arp synchronize
    vlan 801
      name DEV_WAN
    interface Vlan801
      no shutdown
      ip address 202.168.72.1/29
    interface Vlan1000
      description VPC-N5K
      no shutdown
      no ip redirects
      ip address 192.168.22.6/30
    interface port-channel1000
      switchport mode trunk
      spanning-tree port type network
      spanning-tree guard loop
      vpc peer-link
    interface port-channel401
      description LACP-SRV1
      switchport mode trunk
      speed 1000
      duplex full
      vpc 401
    interface Ethernet1/1
      description "TRUNK VPC"
      switchport mode trunk
      spanning-tree port type network
      channel-group 1000 mode active
    interface Ethernet1/2
      description "TRUNK VPC"
      switchport mode trunk
      spanning-tree port type network
      channel-group 1000 mode active
    interface Ethernet1/5
      description SRV1_GB4
      switchport mode trunk
      speed 1000
      duplex full
      channel-group 401 mode active
    SRV1 IP: 202.168.72.2/29
    When I plug the cable from SRV1 to N5K1 and N5K2, I can't ping SRV1 from ADM.
    When I unplug the cable from SRV1 to N5K2, I can't ping SRV1 from ADM.
    When I unplug the cable from SRV1 to N5K1, I CAN ping SRV1 from ADM.
    Between N5K1, N5K2 and N5K3 we have OSPF.
    Thanks!

    n5k01# sh vpc brief
    Legend:
                    (*) - local vPC is down, forwarding via vPC peer-link
    vPC domain id                     : 100
    Peer status                       : peer adjacency formed ok
    vPC keep-alive status             : peer is alive
    Configuration consistency status  : success
    Per-vlan consistency status       : success
    Type-2 consistency status         : success
    vPC role                          : primary
    Number of vPCs configured         : 8
    Peer Gateway                      : Enabled
    Peer gateway excluded VLANs     : -
    Dual-active excluded VLANs        : -
    Graceful Consistency Check        : Enabled
    Auto-recovery status              : Enabled (timeout = 240 seconds)
    vPC Peer-link status
    id   Port   Status Active vlans
    1    Po1000 up     1-3,101-102,110,700-703,705,710,730,801,803,1000,3
                       001-3008,3400-3401
    vPC status
    id     Port        Status Consistency Reason                     Active vlans
    1      Po1         up     success     success                    1-3,101-102
                                                                     ,110,700-70
                                                                     3,705,710,7
                                                                     30,801,803,
                                                                     1000,300....
    401    Po401       down*  success     success                    -
    (The cable is unplugged)
    n5K02# sh vpc brief
    Legend:
                    (*) - local vPC is down, forwarding via vPC peer-link
    vPC domain id                     : 100
    Peer status                       : peer adjacency formed ok
    vPC keep-alive status             : peer is alive
    Configuration consistency status  : success
    Per-vlan consistency status       : success
    Type-2 consistency status         : success
    vPC role                          : secondary
    Number of vPCs configured         : 8
    Peer Gateway                      : Enabled
    Peer gateway excluded VLANs     : -
    Dual-active excluded VLANs        : -
    Graceful Consistency Check        : Enabled
    Auto-recovery status              : Enabled (timeout = 240 seconds)
    vPC Peer-link status
    id   Port   Status Active vlans
    1    Po1000 up     1-3,101-102,110,700-703,705,710,730,801,803,1000,3
                       001-3008,3400-3401
    vPC status
    id     Port        Status Consistency Reason                     Active vlans
    1      Po1         up     success     success                    1-3,101-102
                                                                     ,110,700-70
                                                                     3,705,710,7
                                                                     30,801,803,
                                                                     1000,300....
    401    Po401       up     success     success                    1-3,101-102
                                                                     ,110,700-70
                                                                     3,705,710,7
                                                                     30,801,803,
                                                                     1000,300....

  • ASR1002 EasyVPN termination on vrf (fvrf)

    Hi,
    I need to terminate EasyVPN on a vrf interface, because Internet is on vrf only.
    On the Windows client it looks like a password error.
    I didn't try to terminate EasyVPN in vrf before.
    Can you help me?
    With Best Regards,
    Ugis
    *Dec 29 11:35:45.518: ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2
    *Dec 29 11:35:45.518: ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2
    *Dec 29 11:35:45.519: ISAKMP:(35007):deleting node -1674984011 error FALSE reason "Done with xauth request/reply exchange"
    *Dec 29 11:35:45.519: ISAKMP:(35007):Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY
    *Dec 29 11:35:45.519: ISAKMP:(35007):Old State = IKE_XAUTH_REQ_SENT New State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT
    *Dec 29 11:35:45.519: ISAKMP: set new node -1291909677 to CONF_XAUTH
    *Dec 29 11:35:45.519: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
    *Dec 29 11:35:45.519: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
    *Dec 29 11:35:45.519: ISAKMP:(35007): initiating peer config to 4.3.2.1. ID = 3003057619
    *Dec 29 11:35:45.519: ISAKMP:(35007): sending packet to 4.3.2.1 my_port 4500 peer_port 56966 (R) CONF_XAUTH
    *Dec 29 11:35:45.519: ISAKMP:(35007):Sending an IKE IPv4 Packet.
    *Dec 29 11:35:45.520: ISAKMP:(35007):Input = IKE_MESG_FROM_AAA, IKE_AAA_START_LOGIN
    *Dec 29 11:35:45.520: ISAKMP:(35007):Old State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT New State = IKE_XAUTH_REQ_SENT
    *Dec 29 11:35:52.528: ISAKMP (35007): received packet from 4.3.2.1 dport 4500 sport 56966 inet (R) CONF_XAUTH
    *Dec 29 11:35:52.529: ISAKMP:(35007):processing transaction payload from 4.3.2.1. message ID = -1291909677
    *Dec 29 11:35:52.529: ISAKMP: Config payload REPLY
    *Dec 29 11:35:52.529: ISAKMP/xauth: reply attribute XAUTH_STATUS_V2 unexpected.
    *Dec 29 11:35:52.529: ISAKMP:(35007):peer does not do paranoid keepalives.
    *Dec 29 11:35:52.529: ISAKMP:(35007):Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY
    *Dec 29 11:35:52.530: ISAKMP:(35007):Old State = IKE_XAUTH_REQ_SENT New State = IKE_XAUTH_REQ_SENT
    *Dec 29 11:35:52.530: IPSEC(key_engine): got a queue event with 1 KMI message(s)
    *Dec 29 11:35:52.530: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
    *Dec 29 11:35:52.530: IPSEC(key_engine_delete_sas): delete all SAs shared with peer 4.3.2.1
    *Dec 29 11:35:52.532: ISAKMP (35007): received packet from 4.3.2.1 dport 4500 sport 56966 inet (R) CONF_XAUTH
    *Dec 29 11:35:52.532: ISAKMP: set new node 1500321808 to CONF_XAUTH
    *Dec 29 11:35:52.533: ISAKMP:(35007): processing HASH payload. message ID = 1500321808
    *Dec 29 11:35:52.533: ISAKMP:received payload type 18
    *Dec 29 11:35:52.533: ISAKMP:(35007):Processing delete with reason payload
    *Dec 29 11:35:52.533: ISAKMP:(35007):delete doi = 0
    *Dec 29 11:35:52.534: ISAKMP:(35007):delete protocol id = 1
    *Dec 29 11:35:52.534: ISAKMP:(35007):delete spi_size = 16
    *Dec 29 11:35:52.534: ISAKMP:(35007):delete num spis = 1
    *Dec 29 11:35:52.534: ISAKMP:(35007):delete_reason = 2
    *Dec 29 11:35:52.534: ISAKMP:(35007): processing DELETE_WITH_REASON payload, message ID = 1500321808, reason: DELETE_BY_USER_COMMAND
    *Dec 29 11:35:52.534: ISAKMP:(35007):peer does not do paranoid keepalives.
    *Dec 29 11:35:52.534: ISAKMP:(35007):peer does not do paranoid keepalives.
    *Dec 29 11:35:52.534: ISAKMP:(35007):deleting SA reason "BY user command" state (R) CONF_XAUTH (peer 4.3.2.1)
    *Dec 29 11:35:52.534: ISAKMP:(35007):deleting node 1500321808 error FALSE reason "Informational (in) state 1"
    *Dec 29 11:35:52.534: IPSEC(key_engine): got a queue event with 1 KMI message(s)
    crypto isakmp policy 1
    encr aes 256
    authentication pre-share
    group 2
    crypto isakmp client configuration group ezvpngroup
    key xxxremote
    pool ezvpn
    netmask 255.255.255.192
    crypto isakmp profile ezvpn
    vrf inet (tried with and without this line)
    match identity group ezvpngroup
    client authentication list ez
    isakmp authorization list ez
    client configuration address respond
    virtual-template 3
    crypto ipsec security-association lifetime seconds 86400
    crypto ipsec transform-set AES256_SHA esp-aes 256 esp-sha-hmac
    mode tunnel

    Here is log from client:
    Cisco Systems VPN Client Version 5.0.07.0410
    Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
    Client Type(s): Windows, WinNT
    Running on: 6.1.7601 Service Pack 1
    506    21:50:03.799  12/29/12  Sev=Info/4     CM/0x63100002
    Begin connection process
    507    21:50:03.799  12/29/12  Sev=Info/4     CM/0x63100004
    Establish secure connection
    508    21:50:03.799  12/29/12  Sev=Info/4     CM/0x63100024
    Attempt connection with server "1.2.3.4"
    509    21:50:03.835  12/29/12  Sev=Info/6     IKE/0x6300003B
    Attempting to establish a connection with 1.2.3.4.
    510    21:50:03.835  12/29/12  Sev=Info/4     IKE/0x63000001
    Starting IKE Phase 1 Negotiation
    511    21:50:03.835  12/29/12  Sev=Info/4     IKE/0x63000013
    SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 1.2.3.4
    512    21:50:03.884  12/29/12  Sev=Info/5     IKE/0x6300002F
    Received ISAKMP packet: peer = 1.2.3.4
    513    21:50:03.884  12/29/12  Sev=Info/4     IKE/0x63000014
    RECEIVING <<< ISAKMP OAK AG (SA, VID(Unity), VID(dpd), VID(?), VID(Xauth), VID(Nat-T), KE, ID, NON, HASH, NAT-D, NAT-D) from 1.2.3.4
    514    21:50:03.884  12/29/12  Sev=Info/5     IKE/0x63000001
    Peer is a Cisco-Unity compliant peer
    515    21:50:03.884  12/29/12  Sev=Info/5     IKE/0x63000001
    Peer supports DPD
    516    21:50:03.884  12/29/12  Sev=Info/5     IKE/0x63000001
    Peer supports DWR Code and DWR Text
    517    21:50:03.884  12/29/12  Sev=Info/5     IKE/0x63000001
    Peer supports XAUTH
    518    21:50:03.884  12/29/12  Sev=Info/5     IKE/0x63000001
    Peer supports NAT-T
    519    21:50:03.900  12/29/12  Sev=Info/6     IKE/0x63000001
    IOS Vendor ID Contruction successful
    520    21:50:03.900  12/29/12  Sev=Info/4     IKE/0x63000013
    SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 1.2.3.4
    521    21:50:03.900  12/29/12  Sev=Info/6     IKE/0x63000055
    Sent a keepalive on the IPSec SA
    522    21:50:03.900  12/29/12  Sev=Info/4     IKE/0x63000083
    IKE Port in use - Local Port =  0xD7B9, Remote Port = 0x1194
    523    21:50:03.900  12/29/12  Sev=Info/5     IKE/0x63000072
    Automatic NAT Detection Status:
    Remote end is NOT behind a NAT device
    This   end IS behind a NAT device
    524    21:50:03.900  12/29/12  Sev=Info/4     CM/0x6310000E
    Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
    525    21:50:03.933  12/29/12  Sev=Info/5     IKE/0x6300002F
    Received ISAKMP packet: peer = 1.2.3.4
    526    21:50:03.933  12/29/12  Sev=Info/4     IKE/0x63000014
    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 1.2.3.4
    527    21:50:03.933  12/29/12  Sev=Info/5     IKE/0x63000045
    RESPONDER-LIFETIME notify has value of 86400 seconds
    528    21:50:03.933  12/29/12  Sev=Info/5     IKE/0x63000047
    This SA has already been alive for 0 seconds, setting expiry to 86400 seconds from now
    529    21:50:03.936  12/29/12  Sev=Info/5     IKE/0x6300002F
    Received ISAKMP packet: peer = 1.2.3.4
    530    21:50:03.936  12/29/12  Sev=Info/4     IKE/0x63000014
    RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 1.2.3.4
    531    21:50:03.936  12/29/12  Sev=Info/4     CM/0x63100015
    Launch xAuth application
    532    21:50:04.032  12/29/12  Sev=Info/4     IPSEC/0x63700008
    IPSec driver successfully started
    533    21:50:04.032  12/29/12  Sev=Info/4     IPSEC/0x63700014
    Deleted all keys
    534    21:50:08.598  12/29/12  Sev=Info/4     CM/0x63100017
    xAuth application returned
    535    21:50:08.598  12/29/12  Sev=Info/4     IKE/0x63000013
    SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 1.2.3.4
    536    21:50:08.635  12/29/12  Sev=Info/5     IKE/0x6300002F
    Received ISAKMP packet: peer = 1.2.3.4
    537    21:50:08.635  12/29/12  Sev=Info/4     IKE/0x63000014
    RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 1.2.3.4
    538    21:50:08.635  12/29/12  Sev=Info/4     CM/0x63100015
    Launch xAuth application

  • DMVPN - One Spoke VPN tunnel flap - deleting SA reason "IKMP_ERR_NO_RETRANS"

    Dear All,
    Please help to find the reason for the DMVPN IPsec tunnel flap below.
    #sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    x.x.x.x   y.y.y.y   MM_NO_STATE       4983 ACTIVE (deleted)
    IPv6 Crypto ISAKMP SA
    #sh log | i 4984
     04:58:47.155: ISAKMP:(4984): OU = DE_FRA_ASR1001_R2
    Feb 12 04:58:47.155: ISAKMP:(4984): processing SIG payload. message ID = 0
    Feb 12 04:58:47.159: ISAKMP:(4984):SA authentication status:
    Feb 12 04:58:47.159: ISAKMP:(4984):SA has been authenticated with x.x.x.x
    Feb 12 04:58:47.159: ISAKMP:(4984):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Feb 12 04:58:47.159: ISAKMP:(4984):Old State = IKE_I_MM5  New State = IKE_I_MM6
    Feb 12 04:58:47.159: ISAKMP:(4984):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Feb 12 04:58:47.159: ISAKMP:(4984):Old State = IKE_I_MM6  New State = IKE_I_MM6
    Feb 12 04:58:47.163: ISAKMP:(4984):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Feb 12 04:58:47.163: ISAKMP:(4984):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
    Feb 12 04:58:47.163: ISAKMP:(4984):Need XAUTH
    Feb 12 04:58:47.163: ISAKMP:(4984): initiating peer config to x.x.x.x 0. ID = -847734916
    Feb 12 04:58:47.163: ISAKMP:(4984): sending packet to x.x.x.x  my_port 500 peer_port 500 (I) CONF_XAUTH
    Feb 12 04:58:47.163: ISAKMP:(4984):Sending an IKE IPv4 Packet.
    Feb 12 04:58:47.167: ISAKMP:(4984):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
    Feb 12 04:58:47.167: ISAKMP:(4984):Old State = IKE_P1_COMPLETE  New State = IKE_XAUTH_REQ_SENT
    Feb 12 04:58:47.203: ISAKMP (4984): received packet from x.x.x.x dport 500 sport 500 Global (I) CONF_XAUTH
    Feb 12 04:58:47.207: ISAKMP:(4984): processing HASH payload. message ID = -1617704027
    Feb 12 04:58:47.207: ISAKMP:(4984):Processing delete with reason payload
    Feb 12 04:58:47.207: ISAKMP:(4984):delete doi = 1
    Feb 12 04:58:47.207: ISAKMP:(4984):delete protocol id = 1
    Feb 12 04:58:47.207: ISAKMP:(4984):delete spi_size =  16
    Feb 12 04:58:47.207: ISAKMP:(4984):delete num spis = 1
    Feb 12 04:58:47.207: ISAKMP:(4984):delete_reason = 28
    Feb 12 04:58:47.207: ISAKMP:(4984): processing DELETE_WITH_REASON payload, message ID = -1617704027, reason: Unknown delete reason!
    Feb 12 04:58:47.207: ISAKMP:(4984):peer does not do paranoid keepalives.
    Feb 12 04:58:47.207: ISAKMP:(4984):peer does not do paranoid keepalives.
    Feb 12 04:58:47.207: ISAKMP:(4984):deleting SA reason "IKMP_ERR_NO_RETRANS" state (I) CONF_XAUTH    (peer x.x.x.x)
    Feb 12 04:58:47.207: ISAKMP:(4984):deleting node -1617704027 error FALSE reason "Informational (in) state 1"
    Feb 12 04:58:47.211: ISAKMP:(4984): sending packet to x.x.x.x  my_port 500 peer_port 500 (I) CONF_XAUTH
    Feb 12 04:58:47.211: ISAKMP:(4984):Sending an IKE IPv4 Packet.
    Feb 12 04:58:47.211: ISAKMP:(4984):purging node 20363770
    Feb 12 04:58:47.211: ISAKMP:(4984):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    Feb 12 04:58:47.211: ISAKMP:(4984):Old State = IKE_XAUTH_REQ_SENT  New State = IKE_DEST_SA
    Feb 12 04:58:47.211: ISAKMP:(4984):deleting SA reason "IKMP_ERR_NO_RETRANS" state (I) CONF_XAUTH    (peer x.x.x.x)
    Feb 12 04:58:47.215: ISAKMP:(4984):deleting node 1519432799 error FALSE reason "IKE deleted"
    Feb 12 04:58:47.215: ISAKMP:(4984):deleting node -847734916 error FALSE reason "IKE deleted"
    Feb 12 04:58:47.215: ISAKMP:(4984):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Feb 12 04:58:47.215: ISAKMP:(4984):Old State = IKE_DEST_SA  New State = IKE_DEST_SA
    Thanks for your kind response

    I gave up on fixing what was there and rebuilt from scratch, including regenerating the key with the same modulus. And now it works. I don't know what fixed it, could even have been corruption of the startup-config since I replaced that, but it's working and right now that's all I care about.
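A small parser for the ISAKMP debug output in the EasyVPN and DMVPN posts above, added here as an example and not part of either post: it rebuilds each SA's state transitions and reports which side deleted the SA and in which exchange. The sample lines are excerpted from those posts; the class, field and function names are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Lines excerpted from the two posts (SA 35007: EasyVPN thread, SA 4984: DMVPN thread).
SAMPLE = """\
*Dec 29 11:35:45.519: ISAKMP:(35007):Old State = IKE_XAUTH_REQ_SENT New State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT
*Dec 29 11:35:45.520: ISAKMP:(35007):Old State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT New State = IKE_XAUTH_REQ_SENT
*Dec 29 11:35:52.529: ISAKMP/xauth: reply attribute XAUTH_STATUS_V2 unexpected.
*Dec 29 11:35:52.534: ISAKMP:(35007): processing DELETE_WITH_REASON payload, message ID = 1500321808, reason: DELETE_BY_USER_COMMAND
*Dec 29 11:35:52.534: ISAKMP:(35007):deleting SA reason "BY user command" state (R) CONF_XAUTH (peer 4.3.2.1)
Feb 12 04:58:47.163: ISAKMP:(4984):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
Feb 12 04:58:47.167: ISAKMP:(4984):Old State = IKE_P1_COMPLETE  New State = IKE_XAUTH_REQ_SENT
Feb 12 04:58:47.207: ISAKMP:(4984):delete_reason = 28
Feb 12 04:58:47.207: ISAKMP:(4984): processing DELETE_WITH_REASON payload, message ID = -1617704027, reason: Unknown delete reason!
Feb 12 04:58:47.207: ISAKMP:(4984):deleting SA reason "IKMP_ERR_NO_RETRANS" state (I) CONF_XAUTH    (peer x.x.x.x)
Feb 12 04:58:47.211: ISAKMP:(4984):Old State = IKE_XAUTH_REQ_SENT  New State = IKE_DEST_SA
Feb 12 04:58:47.211: ISAKMP:(4984):deleting SA reason "IKMP_ERR_NO_RETRANS" state (I) CONF_XAUTH    (peer x.x.x.x)
"""

SA_ID = re.compile(r"ISAKMP:? ?\((\d+)\)")
STATE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
PEER_DELETE = re.compile(r"processing DELETE_WITH_REASON payload, message ID = -?\d+, reason: (.+)$")
DELETE_CODE = re.compile(r"delete_reason = (\d+)")
LOCAL_DELETE = re.compile(r'deleting SA reason "([^"]+)" state \(([IR])\) (\S+)\s+\(peer ([^)]+)\)')


@dataclass
class SaTimeline:
    sa_id: int
    transitions: list = field(default_factory=list)  # (old_state, new_state) in log order
    peer_delete_reason: Optional[str] = None          # text of a received DELETE_WITH_REASON
    peer_delete_code: Optional[int] = None            # numeric delete_reason from the payload
    local_delete_reason: Optional[str] = None         # reason logged when this router drops the SA
    role: Optional[str] = None                        # "I" initiator or "R" responder
    exchange: Optional[str] = None                    # exchange the SA was in when deleted
    peer: Optional[str] = None

    @property
    def xauth_reprompts(self):
        """Times the router went back to requesting credentials after an XAUTH reply."""
        return sum(1 for old, new in self.transitions
                   if old == "IKE_XAUTH_AAA_CONT_LOGIN_AWAIT" and new == "IKE_XAUTH_REQ_SENT")

    def verdict(self):
        if self.local_delete_reason is None:
            return "SA not deleted in this capture"
        initiator = "peer" if self.peer_delete_reason else "local"
        phase = "during XAUTH" if self.exchange == "CONF_XAUTH" else f"in {self.exchange}"
        return f"{initiator}-initiated delete {phase}, role {self.role}, reason {self.local_delete_reason!r}"


def parse_isakmp_debug(text):
    """Return {sa_id: SaTimeline}; lines that carry no SA id are skipped."""
    sas = {}
    for line in text.splitlines():
        m = SA_ID.search(line)
        if not m:
            continue
        sa = sas.setdefault(int(m.group(1)), SaTimeline(int(m.group(1))))
        if (s := STATE.search(line)):
            sa.transitions.append(s.groups())
        elif (s := PEER_DELETE.search(line)):
            sa.peer_delete_reason = s.group(1)
        elif (s := DELETE_CODE.search(line)):
            sa.peer_delete_code = int(s.group(1))
        elif (s := LOCAL_DELETE.search(line)):
            sa.local_delete_reason, sa.role, sa.exchange, sa.peer = s.groups()
    return sas


if __name__ == "__main__":
    for sa_id, sa in parse_isakmp_debug(SAMPLE).items():
        print(sa_id, sa.verdict(), "| XAUTH re-prompts:", sa.xauth_reprompts)
```

In both captures the delete arrives from the peer while the SA is still in CONF_XAUTH, so the remote side's log is where the reason for the teardown has to be read.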

  • ACE Cold Standby

    Hi,
    I've got a question about ACE modules in HA: when one of the switches is reloaded, a couple of the ACE contexts come up in cold standby. I've checked the config in the contexts to confirm that they match and that the same ft interface is used by all contexts. When I do a switchover they come up in hot standby. Has anybody seen this before? I've looked at a couple of bugs in the standby area but can't see one to match.
    After reload.
    FT Group : 3
    Configured Status : in-service
    Maintenance mode : MAINT_MODE_OFF
    My State : FSM_FT_STATE_ACTIVE
    Peer State : FSM_FT_STATE_STANDBY_COLD
    Peer Id : 1
    No. of Contexts : 1
    After switchover.
    FT Group : 3
    Configured Status : in-service
    Maintenance mode : MAINT_MODE_OFF
    My State : FSM_FT_STATE_ACTIVE
    My Config Priority : 100
    My Net Priority : 100
    My Preempt : Disabled
    Peer State : FSM_FT_STATE_STANDBY_HOT
    Peer Config Priority : 200
    Peer Net Priority : 200
    Peer Preempt : Enabled
    Peer Id : 1
    The software version is 3.0(0)A1(4

    Do you have any files like script probes or SSL certificates/keys being used in the config?
    The files are not synchronized between the 2 ACE modules, so if you copy a file on the active and use it, the standby will not accept the config if you do not upload the same file first.
    Also, if you copy the file on the standby after changing the config, the ACE will stop auto-synch.
    If this is not the case and you can reproduce the problem, you should open a service request with the TAC so that troubleshooting can be done.
    Gilles.
