NTP sync for Cisco routers through a VPN tunnel
I have a 3002 tunnel to a 3015. Behind the 3002 is a Cisco router with NTP setup on it. No NTP traffic appears to be traversing the tunnel, there are no filters on the tunnel prevent NTP (123) traffic.
Is there something in the 3015 that has to be set to allow NTP traffic to go through?
NTP working on all other non-tunnelled connections.
Make sure the 3002 is in NEM mode, and remember that the 3002 will only tunnel the directly-connected subnet's traffic. Unless that router has an interface in the 3002 private interface's subnet, and it is using that as the source address in its NTP requests, it won't work. Can you ping from that router to the NTP server across the tunnel?
Similar Messages
-
Which packets go through the VPN tunnel
Guys,
I've just added a external server ip address to go through our vpn tunnel and then out the remote site internet connection.
How can I check that this is the path the packet is taking?
If I do a tracert then I can't see the path?
ThanksWell, you could either monitor your logs on your VPN device (whatever that may be - not specified), as long as you have the appropriate logging level.
For a traceroute, assuming there's a routing device on the other end of the tunnel you would traverse, you should be able to see the last hop on your end being your VPN device, and then the router or the destination host, as the next hop (and that would indicate you're 'in' the tunnel).
A third option, and more challenging, is having a packet sniffer that knows the PSK, or has the ability to decrypt the session, and analyze the traffic from Wireshark or another packet analysis tool.
HTH!
-Chris -
ASA license for Cisco IP Phone over VPN
Hi,
Are there special licenses required on the ASA to use Cisco IP Phones (Hard phone) over SSL VPN connection?
ThanksHi,
You can purchase the phone proxy license. This elimiates the need to build a VPN tunnel for voice traffic.
It is not mandatory to purchase this license however.
From the ASA configuration guide:
http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/unified_comm_phoneproxy.html#wp1144845
"The Cisco Phone Proxy on the adaptive security appliance bridges IP telephony between the corporate IP telephony network and the Internet in a secure manner by forcing data from remote phones on an untrusted network to be encrypted. "
Don't forget to rate all posts that are helpful. -
How to redirect Internet traffic from RV082 to RV042 through a VPN Tunnel??
Fellows,
We have offices in USA and Venezuela.
In our USA office we have a RV042 router and in Venezuela we have a RV082 router.
We have connected a VPN tunnel (gateway-to-gateway) between both offices.
The point is:
How could we redirect the internet traffic from our Venezuela office (RV082) to the USA Office (RV042) to navigate using USA public IP's?
The reason for this is that we need to use online streaming services which are only available for IP's from USA and we can't use them from the Venezuelan IP's.
We can not use the PPTP option since the equipment which will use the streaming services (like hulu, crackle, etc.) in Venezuela is a Google TV device which doesn't allow the configuration of proxy navegation or PPTP VPN connections itself. That's the reason why we need to do that through the routers.
We will really appreciate your support on this matter.
DanielHi Daniel, this is called ESP wildcard forwarding which the router does support.
https://supportforums.cisco.com/docs/DOC-12534 <- This is older but applicable
https://supportforums.cisco.com/message/3766661
-Tom
Please mark answered for helpful posts -
Cisco ASA 5505 L2L VPN Tunnel with one Dynamic IP
Hi Rizwan,
Thanks for your response. I updated the configuration per your response below... It still doesn't work. please see my new config files below. Please help. Thanks in advance for your help....
Hi Pinesh,
Please make follow changes on host: officeasa
remove this line below highlighted.
crypto dynamic-map L2LMap 1 match address Crypto_L2L
It is only because group1 is weak, so please change it to group2
crypto dynamic-map L2LMap 1 set pfs group1
route outside 10.10.6.0 255.255.255.0 96.xxx.xxx.117
Please make follow changes on host: homeasa
It is only because group1 is weak, so please change it to group2
crypto map L2Lmap 1 set pfs group1
route outside 10.10.5.0 255.255.255.0 xxx.xxx.xxx.xxx default gateway on homeasa.
Hope that helps, if not please open a new thread.
Thanks
Rizwan Rafeek
New config files..
Site-A: (Office):
Hostname: asaoffice
Inside: 10.10.5.0/254
Outside e0/0: Static IP 96.xxx.xxx.118/30
Site-B: (Home):
Hostname: asahome
Inside: 10.10.6.0/254
Outside e0/0: Dynamic IP (DG: 66.xxx.xxx.1)
SIte-A:
officeasa(config)# sh config
: Saved
: Written by enable_15 at 15:34:23.899 UTC Sat Mar 3 2012
ASA Version 8.2(5)
hostname officeasa
enable password xyz encrypted
passwd xyz encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport access vlan 3
interface Ethernet0/2
switchport access vlan 3
interface Ethernet0/3
switchport access vlan 3
interface Ethernet0/4
switchport access vlan 3
interface Ethernet0/5
switchport access vlan 3
interface Ethernet0/6
switchport access vlan 3
interface Ethernet0/7
switchport access vlan 3
interface Vlan2
nameif outside
security-level 0
ip address 96.xxx.xxx.118 255.255.255.252
interface Vlan3
nameif inside
security-level 100
ip address 10.10.5.254 255.255.255.0
ftp mode passive
same-security-traffic permit inter-interface
access-list NONAT extended permit ip 10.10.5.0 255.255.255.0 192.168.100.0 255.2
access-list NONAT extended permit ip 10.10.5.0 255.255.255.0 10.10.6.0 255.255.2
access-list ormtST standard permit 10.10.5.0 255.255.255.0
access-list OCrypto_L2L extended permit ip 10.10.5.0 255.255.255.0 10.10.6.0 255
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool ormtIPP 192.168.100.100-192.168.100.110 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 96.xxx.xxx.117 1
route outside 10.10.6.0 255.255.255.0 96.xxx.xxx.117 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set OSite2Site esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map OL2LMap 1 set pfs
crypto dynamic-map OL2LMap 1 set transform-set OSite2Site
crypto dynamic-map OL2LMap 1 set reverse-route
crypto map out_L2lMap 65535 ipsec-isakmp dynamic OL2LMap
crypto map out_L2LMap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
client-update enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 10.10.5.101-10.10.5.132 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 2
svc enable
tunnel-group-list enable
group-policy ormtGP internal
group-policy ormtGP attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ormtST
address-pools value ormtIPP
webvpn
svc keep-installer installed
svc rekey time 30
svc rekey method ssl
svc ask enable default svc timeout 20
username user1 password abcxyz encrypted
username user1 attributes
service-type remote-access
tunnel-group ormtProfile type remote-access
tunnel-group ormtProfile general-attributes
default-group-policy ormtGP
tunnel-group ormtProfile webvpn-attributes
group-alias OFFICE enable
tunnel-group defaultL2LGroup type ipsec-l2l
tunnel-group defaultL2LGroup ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:46d5c2e1ac91d73293f2fb1a0045180c
officeasa(config)#
Site-B:
Home ASA Configuration:
homeasa# sh config
: Saved
: Written by enable_15 at 15:48:42.479 UTC Sat Mar 3 2012
ASA Version 8.2(5)
hostname homeasa
enable password xyz encrypted
passwd xyz encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport access vlan 3
interface Ethernet0/2
switchport access vlan 3
interface Ethernet0/3
switchport access vlan 3
interface Ethernet0/4
switchport access vlan 3
interface Ethernet0/5
switchport access vlan 3
interface Ethernet0/6
switchport access vlan 3
interface Ethernet0/7
switchport access vlan 3
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Vlan3
nameif inside
security-level 100
ip address 10.10.6.254 255.255.255.0
ftp mode passive
same-security-traffic permit inter-interface
access-list NONAT extended permit ip 10.10.6.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list NONAT extended permit ip 10.10.6.0 255.255.255.0 10.10.5.0 255.255.255.0
access-list hrmtST standard permit 10.10.6.0 255.255.255.0
access-list Crypto_L2L extended permit ip 10.10.6.0 255.255.255.0 10.10.5.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool hrmtIPP 192.168.101.100-192.168.101.110 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 10.10.5.0 255.255.255.0 66.xxx.xxx.1 1 (IP address of the Dynamic IP from ISP)
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.6.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set Site2Site esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map L2Lmap 1 match address Crypto_L2L
crypto map L2Lmap 1 set peer 96.xxx.xxx.118
crypto map L2Lmap 1 set transform-set Site2Site
crypto map L2LMap 1 set pfs
crypto map L2LMap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 10.10.6.101-10.10.6.132 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 2
svc enable
tunnel-group-list enable
group-policy hrmtGP internal
group-policy hrmtGP attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value hrmtST
address-pools value hrmtIPP
webvpn
svc keep-installer installed
svc rekey time 30
svc rekey method ssl
svc ask enable default svc timeout 20
username user1 password abcxyz encrypted
username user1 attributes
service-type admin
tunnel-group hrmtProfile type remote-access
tunnel-group hrmtProfile general-attributes
default-group-policy hrmtGP
tunnel-group hrmtProfile webvpn-attributes
group-alias hrmtCGA enable
tunnel-group 96.xxx.xxx.118 type ipsec-l2l
tunnel-group 96.xxx.xxx.118 ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:d16a0d49f275612dff7e404f49bcc499
homeasa#Thanks Rizwan,
Still no luck. I can't even ping the otherside (office).. I am not sure if i'm running the debug rightway. Here are my results...
homeasa(config)# ping inside 10.10.5.254............. (Office CIsco ASA5505 IP on local side. I also tried pinging the server on other side (office) whic is @10.10.5.10 and got the same result)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.5.254, timeout is 2 seconds:
Success rate is 0
homeasa(config)# debug crypto isakmp 7
homeasa(config)# debug crypto ipsec 7
homeasa(config)# sho crypto isakmp 7
^
ERROR: % Invalid input detected at '^' marker.
homeasa(config)# sho crypto isakmp
There are no isakmp sas
Global IKE Statistics
Active Tunnels: 0
Previous Tunnels: 0
In Octets: 0
In Packets: 0
In Drop Packets: 0
In Notifys: 0
In P2 Exchanges: 0
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 0
Out Octets: 0
Out Packets: 0
Out Drop Packets: 0
Out Notifys: 0
Out P2 Exchanges: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 0
Initiator Tunnels: 0
Initiator Fails: 0
Responder Fails: 0
System Capacity Fails: 0
Auth Fails: 0
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0
Global IPSec over TCP Statistics
Embryonic connections: 0
Active connections: 0
Previous connections: 0
Inbound packets: 0
Inbound dropped packets: 0
Outbound packets: 0
Outbound dropped packets: 0
RST packets: 0
Recevied ACK heart-beat packets: 0
Bad headers: 0
Bad trailers: 0
Timer failures: 0
Checksum errors: 0
Internal errors: 0
hjnavasa(config)# sh crypto ipsec sa peer 96.xxx.xxx.118
There are no ipsec sas
homeasa(config)# -
Unable to print from HQ to Branch through the VPN tunnel between ASAs
We have site to site VPN configured between ASAs. The VPN tunnel is up and running as desired except for one printer in the subnet. the users in the Hq cannot print in the branch office printer. I have allowed the ip protocols for the printer subnet but still it is not working. When I do a packet trac the traffic for the printer is allwed through the tunnel.
Can anyone suggest what can be preventing from printing?When other printers in the same subnet can be reached, I would first control the IP-settings of the printer. In my experience it's most likely a wrong subnet-mask or gateway.
-
Cisco 881 ISR IPSec VPN Tunnel does not pass traffic from the vlan.
I have a cisco 881 ISR Router with a site-to-site IPsec vpn tunnel to a mikrotik device on the other end (I inherited this from my client). The tunnel is constructed properly and is up, however traffic does not pass or get routed to the FA4 interface. I see in my packet captures that it hits the vlan1 interface (vlans are required on the L2 ports) and does not pass to the tunnel.
This is my configuration:
141Kerioth#sh config
Using 3763 out of 262136 bytes
! Last configuration change at 01:02:41 UTC Mon May 26 2014 by admin
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname 141Kerioth
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
aaa new-model
141Kerioth#do wr mem
^
% Invalid input detected at '^' marker.
141Kerioth#wr mem
Building configuration...
[OK]
141Kerioth#sh run
Building configuration...
Current configuration : 5053 bytes
! Last configuration change at 01:38:06 UTC Mon May 26 2014 by admin
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname 141Kerioth
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
aaa new-model
aaa authentication login default local
aaa authentication ppp default local
aaa session-id common
memory-size iomem 10
crypto pki trustpoint TP-self-signed-580381394
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-580381394
revocation-check none
rsakeypair TP-self-signed-580381394
crypto pki certificate chain TP-self-signed-580381394
certificate self-signed 01
30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 35383033 38313339 34301E17 0D313430 35323231 38323333
365A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3538 30333831
33393430 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
B001A012 2CA6970C 0648798B 2A786704 84F2D989 83974B19 9B4287F2 4503D2C9
173F23C4 FF34D160 202A7565 4A1CE08B 60B3ADAE 6E19EE6E 9CD39E72 71F9650E
930F22FE C4441F9C 2D7DD420 71F75DFC 3CCAC94E BA304685 E0E62658 A3E8D01C
D01D7D6A 5AF0B0E6 3CF6AF3A B7E51F83 9BF6D38E 65254E1F 71369718 ADADD691
02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F 0603551D
23041830 168014D6 24878F12 1FFADF2F 537A438E 6DD7FB6B D79E4130 1D060355
1D0E0416 0414D624 878F121F FADF2F53 7A438E6D D7FB6BD7 9E41300D 06092A86
4886F70D 01010505 00038181 00771667 FCA66002 8AB9E5FB F210012F C50B586F
9A9640BB 45B4CEFD 030A38C0 E610AAC8 B41EF3C4 E55810F9 B2C727CF C1DEFCF1
0846E7BC 1D95420E 5DADB5F8 EFE7EB37 B5433B80 4FF787D4 B1F2A527 06F065A4
00522E97 A9D2335C E83C4AE1 E68D7A41 9D0046A7 ADCC282B 7527F84D E71CC567
14EF37EA 15E57AD0 3C5D01F3 EF
quit
ip dhcp excluded-address 10.0.16.1
ip dhcp pool ccp-pool
import all
network 10.0.16.0 255.255.255.0
default-router 10.0.16.1
dns-server 8.8.8.8
lease 0 2
ip domain name kerioth.com
ip host hostname.domain z.z.z.z
ip name-server 8.8.8.8
ip name-server 4.2.2.2
ip cef
no ipv6 cef
license udi pid CISCO881-K9 sn FTX180483DD
username admin privilege 15 secret 4 CmmfIy.RPySmo4Q2gEIZ2jlr3J.bTBAszoe5Bry0z4c
username meadowbrook privilege 0 password 0 $8UBr#Ux
username meadowbrook autocommand exit
policy-map type inspect outbound-policy
crypto isakmp policy 1
encr 3des
authentication pre-share
group 5
crypto isakmp key 141Township address z.z.z.z
crypto isakmp keepalive 10
crypto ipsec transform-set TS esp-3des esp-sha-hmac
mode tunnel
crypto map mymap 10 ipsec-isakmp
set peer z.z.z.z
set transform-set TS
match address 115
interface Loopback0
no ip address
interface Tunnel1
no ip address
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface FastEthernet4
description $FW_OUTSIDE_WAN$
ip address 50.y.y.y 255.255.255.240
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map mymap
interface Vlan1
description $ETH_LAN$
ip address 10.0.16.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 115 interface Vlan1 overload
ip nat inside source list 199 interface FastEthernet4 overload
ip nat inside source route-map nonat interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 50.x.x.x
access-list 110 deny ip 10.0.16.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 110 permit ip 10.0.16.0 0.0.0.255 any
access-list 115 permit ip 10.0.16.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 144 permit icmp host c.c.c.c host 10.0.1.50
access-list 144 permit icmp host p.p.p.p host 10.0.16.105
access-list 199 permit ip a.a.a.a 0.0.0.255 any
no cdp run
route-map nonat permit 10
match ip address 100
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 1 in
exec-timeout 30 0
privilege level 15
transport preferred ssh
transport input ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh
cns trusted-server all-agents x.x.x.x
cns trusted-server all-agents hostname
cns trusted-server all-agents hostname.domain
cns id hardware-serial
cns id hardware-serial event
cns id hardware-serial image
cns event hostname.domain 11011
cns config initial hostname.domain 80
cns config partial hostname.domain 80
cns exec 80
endWhy do you have following command on the PIX?
crypto map outside_map 40 set transform-set 165.228.x.x
Also you have this transform set on the PIX:
crypto ipsec transform-set 10.112.60.0 esp-aes-256 esp-sha-hmac
This does not match the transfor set on the router:
crypto ipsec transform-set tritest esp-3des esp-md5-hmac
Where are you using the access-list/route-map
101 ? -
Configure Domain Controller ( PDC emulator) as NTP source for Cisco switch 6509
Hi All,
My Org consists of 2 DC one Physical and One Virtual. All Roles are on Physical machine. I ran a W32tm /Query /Configuration command on PDC emulator and the results are confusing.My PDC is using time source VMICTimeProvider a syou can see below.
VMICTimeProvider (Local)
DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
My first Question is that Is it Ok for PDC emulator to use this time source or should I change to some Other source like pool.ntp.org or time.windows.com,0x1.
My Second Question is that I have a core switch cisco 6509 and I want this switch to use my NTP server (PDC emulator ) as NTP source,but at present I cannot as I am getting this error on switch.(no select intersectionTP )
Can Any one help ... Its is urgent
Thanks in Advance
EagleAshYou should not make your DCs sync their time with your Hypervisor. This usually ends with time synchronization problem so I would recommend to disable that on your DCs and domain joined VMs and use an external NTP server to sync time on your PDC while using
your AD forest topology for time sync on other DCs and domain-joined computers.
I have already started a Wiki article that describes how to configure time sync in an AD domain and you might consider using the GPO configuration option that is stated: http://social.technet.microsoft.com/wiki/contents/articles/18573.time-synchronization-in-active-directory-forests.aspx
For the CISCO switch, I would recommend asking them in CISCO forums.
This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
Get Active Directory User Last Logon
Create an Active Directory test domain similar to the production one
Management of test accounts in an Active Directory production domain - Part I
Management of test accounts in an Active Directory production domain - Part II
Management of test accounts in an Active Directory production domain - Part III
Reset Active Directory user password -
Privilege mode authentication using Tacacs for Cisco Routers
I am trying to set up a test environment where I need to be able to be asked for both a username and password while entering enable mode from exec mode on a cisco IOS router. I was told the only way to do that is through Tacacs. But I've not seen any such configuration options on Tacacs in order to set it up right. Has someone ever did a setup like this before. I would appreciate any help on this. Thanks.
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
hostname 2621-3
boot-start-marker
boot system flash c2600-i-mz.123-26.bin
boot-end-marker
logging buffered 5001 debugging
no logging console
no logging monitor
enable password cisco
memory-size iomem 10
clock timezone CST -7
clock summer-time CST recurring
aaa new-model
aaa authentication login default local
aaa authentication enable default group tacacs+
aaa authorization exec default group tacacs+ local
aaa session-id common
ip subnet-zero
ip cef
no ip domain lookup
ip domain name int.voyence.com
ip name-server 192.168.21.5
!key chain jetef
key 10
key-string c1sco
modemcap entry ZOOM
modemcap entry ZOOM
username jeff password 0 jeff
tacacs-server host 192.168.21.230 key cisco
tacacs-server host 10.6.230.32
tacacs-server directed-request
tacacs-server key dakey
line con 0
exec-timeout 15 0
logging synchronous
speed 115200
line aux 0
exec-timeout 15 0
password 7 104D000A0618
logging synchronous
modem InOut
modem autoconfigure discovery
terminal-type monitor
transport input all
stopbits 1
flowcontrol hardware
line vty 0 4
exec-timeout 15 0
password cisco
private
logging synchronous -
Video/Voice Conference -8 Error Explained for Cisco Routers
I cannot tell you how long I have spent trying to figure out this problem. We have a bunch of macs sitting behind a NATed Cisco 2811 router, and iChat will just never work, throwing the good ole' -8 error.
Having a good understanding of SIP, I decided to get down an dirty with the investigation of why iChat doesn't work behind some routers, while it does on others.
iChat uses SIP, but as I have found, Apple's implementation of it does not completely honor the RFC. This is the root cause of iChat not working behind enterprise grade routers that have SIP ALG activated (details later).
Apple uses its own flavor of NAT traversal: SNATMAP. This is an Apple service that is utilized every time a video/voice conference is created from iChat. For those of you familiar with SIP, SNATMAP essentially performs the same function as a STUN server. This service abstracts the port specifications necessary to get around NATs to a server on the public Internet.
With some routers, this SNATMAP seems to work fine. With others, not so much. I honestly don't have too deep of an understanding of SNATMAP so I cannot get into too much detail as to why it doesn't work with some routers. If anyone knows, please chime in!
I can, however, clearly indicate why it doesn't work behind routers that have a SIP ALG, which essentially has the intelligence to pick apart to SIP packet to make them NAT friendly. Basically, there is a portion of SIP packets called the SDP (Session Description Protocol) that provides all of the information necessary to set up the voice and video stream. The SIP RFC calls for this section to include information like the connection IP address, port, video codec, audio codec, etc. HOWEVER, Apple's implementation of iChat DOES NOT INCLUDE THE PORT IN THE SDP. Therefore, when a SIP ALG tries to intelligently convert the port, it isn't there to change. Even if it does manage to insert a port number into the SDP, the iChat client receiving the SIP packet doesn't respect that port number and just dumbly sends the request back to the default SIP port (5060).
Here is a little flow of the process:
1. A SIP packet is sent out from iChat to the cisco router
2. Cisco intercepts the packet, changes the private IP address of my computer to the public IP address of the interface, and changes the port to one that it assigns on the public interface. So, basically the SIP packet enters the cisco with the SDP info like 192.168.100.137:5060 and leaves the Cisco like <public IP>:1877.
3. On the receiving end, the SIP packet and SDP section is read with our DSL connection's public IP address, so when it tries to make contact back, requests are sent to the DSL public IP address and not an unrouteable private IP. Also, it sends to the port specified in the SDP section.
4. When a packet comes in from the peer, the destination is something like <public IP>:1877. The cisco NAT translation table remembers that things destined to port 1877 should be converted to 192.168.100.137 on port 5060. The SDP section of the SIP packet is modified and things are peachy.
5. This happens back and forth for all SIP messages that traverse the NAT.
iChat is not SIP RFC compliant which is why we are having these natting issues. iChat does not specify a port in the SDP portion of the SIP messages it is sending out: a big no-no. Therefore, when the recipient iChat is sending back its requests to 207.182.233.32, it is sending it to port 5060 instead of assigned port 1877. The public port 5060 is blocked, and is not routed to any specific computer, resulting in a timeout. Here is the Cisco output 'debug ip nat sip'
001892: .Oct 2 22:53:04.108 PCTime: NAT: SIP: [0] processing INVITE message
001893: .Oct 2 22:53:04.108 PCTime: NAT: SIP: [0] register:0 door_created:0
001894: .Oct 2 22:53:04.108 PCTime: NAT: SIP: [0] translated embedded address 192.168.100.138-><public IP>
001895: .Oct 2 22:53:04.108 PCTime: NAT: SIP: [0] No port present. Use new port 5060->1210
As you can see, it is processing the INVITE request and translating the internal IP address to the public one.
However, it reports no port present, meaning that the port specification in the SDP section of the SIP packet is not present. It does a port translation because it feels obligated to, but iChat doesn't respect that on the other end and sends to 5060 anyway which is not mapped to any specific internal IP addess, so, alas, it doesn't work.
Now, that being, said, this explains why iChat doesn't work behind SIP ALGs. However, if you are able to disable the SIP ALG (on cisco: 'no ip nat service sip udp 5060'), it still doesn't work. With the ALG turned off, the SDP translations don't occur, but for some reason SNATMAP still doesn't work either. I am thinking that could be due to a nat issue, but I haven't figured that out yet. Anyone's insight would be appreciated!
Hope this helps anyone out there seeking help / console with iChat Error -8 issues behind an enterprise grade router.
Hopefully we can figure out why iChat's SNATMAP implementation doesn't work with a Cisco NAT next...Hi
Ok for the Homehub's.
UPnP should be enabled.
Set the Quicktime streaming setting, goto sys prefs/quicktime/streaming/streaming speed, set to 1.5mbps(dont use automatic)
In ichats prefs click on video and change bandwidth limit to NONE.
Goto to sys prefs/sharing/firewall and turn on(dont add any ports for ichat, leave anything that is ticked ticked).
Restart ichat.
And try connecting to me defcom1 .mac account.
Tony -
[solved] ntp sync for more than 24 hours
What I am trying to do:
I discovered that my server was out by about 8 minutes the other day. I have run ntpd -qg but I'd like a solution to stop this happening in the future.
I've read:
https://wiki.archlinux.org/index.php/Time
https://wiki.archlinux.org/index.php/Ne … e_Protocol
I'm confused. Surely the ntp daemon does exactly the same as this:
Running "ntpd -qg" as a cron event is to be completely avoided, unless you are perfectly aware of how your running applications would react to instantaneous system time changes.
Thanks for your help.
Last edited by pedro_sland (2011-03-08 17:31:14)I did but I re-read it. I think I've got the relevant bit.
The Linux kernel keeps track of the system clock by counting timer interrupts. ... NTP will adjust the interrupt frequency and the number of ticks per second to decrease system clock drift.
So ntpd -qg jumps to the right time and ntp running as a daemon will speed up the clock to make it right? If that is the case, I understand why running that as a cron job is not recommended.
To satisfy my curiosity, why does the kernel skip interrupts? -
Remote Command Tool for Cisco Routers/Switches
Is anyone aware of any tools or scripts out there which allow preconfigured commands to be remotely run again Cisco Router/Switches and display the output result?
I'm looking for a tool which I can give our Service Desk personnel that will allow them to select from a list of commands enter a target IP Address of a router/switch and then the tool will display the vlan table or the running config of a particular switch-port so they can see if its configured on the correct data vlan or its missing its voice vlan etc.
For example a Service Desk Operator needs to check what vlan a switch-port is on. So they open the tool, enter the switches IP address and the port number and select an option like "display a switch-ports vlan" and the tool will login into the switch in the background run a show command on the switch and then output the result.
Thanks.Check out rConfig. You will be able to run multiple instances of it i.e. one instance for your standard configuration backups and another for more specific configuration downloads info like show vlan bri commands etc for service desk staff to view.
You could also use the IOS menu function and create menus or role based access on each of your devices for your users.
Regards
Stephen
==========================
http://www.rConfig.com
A free, open source network device configuration management tool, customizable to your needs!
- Always vote on an answer if you found it helpful -
How increase flash memory for cisco routers in GNS3?
I have GNS3 simulator and I am trying to increase the flash memory. I've changed the memory in the GNS3 -> R1 -> Configure -> Memories and disks -> PCMCIA disk slot to 124 MiB.
I created a new topology and set the memory. Still it shows the same 8MiB (default).
How to fix it?
RajaHello!!
Can you use routers like 3725 and try to increase the memory in node configuration.
You can change the size of PCMCIA Disk0.
This kind of routers works for me.
Thanks, -
Connecting through SonicWall VPN
Has anyone managed to connect to a file server through a SonicWall VPN? The only vpn connection profiles are for Cisco routers.
Yes, I'll go into the SonicWall tomorrow and see what I can finds out, or call thier tech support if I can't figure it out.
Thanks for your help. -
Hi everyone.
This is my first post. I have a user who is connected through wireless sync through the BES but he wants to be setup to sync his calendar from his pc since he is connected to the domain through a vpn tunnel. Everytime I set his handheld to disable wireless sync for the calendar it works, but when I hook it up to the machine and configure the sync options for the calendar it doesnt work. It says it is disabling it because wireless sync is configured.
Any help is appreciated.
Thanks!So you go into the Calendar Options and set the wireless sync to No, and it still gives you that error?
Can you try first starting by leaving the BlackBerry disconnected from the computer, then changing the setting to No, then do into the Desktop Manager and make the change?
If someone has been helpful please consider giving them kudos by clicking the star to the left of their post.
Remember to resolve your thread by clicking Accepted Solution.
Maybe you are looking for
-
Is trim() useful for splitting up a string that has a delimiter?
Hi all below is an example of my data Col 1 abc_ijk a_xyz pq_b I need to split up abc_ijk into 'abc' and 'ikj' and store them into another table. Can i use trim? I know that i can specify the number of characters to split it up, but my number of char
-
PS 2014 SLOW on Mac Yosemite 10.10
I have a real problem with many CC applications. They are VERY slow on my Mac. I realize it is near EOL but Dreamweaver runs acceptably. Pshop is terribly slow. Most other CC programs are like molasses IF they run at all (Illustrator only crashe
-
Bright Spot on Macbook Display
My Macbook is just over 3 months old and has developed a bright spot in the display - where the pixilation color is a faded and does not show full color, creating a white spot when viewing certain colors. Has anyone ran into this problem before? Shou
-
Customizing server.name and server.port in services-config.xml
Hi How can i find out what does BlazeDs use for server.name and server.port in url="http://{server.name}:{server.port}/{context.root}/messagebroker/amf" can i customize those values? thank you
-
Shut down and restarted computer, "browser error" still pops up when trying to access documents using Google doc's. Holding shift key and clicking refresh does not clear window. What else can be done to clear the window and gain access to my document