Packet allocation
Hello,
Using Oracle 11.2.0.1
Using Windows XP Professional
create table approver
approver_id number(4),
working_place number(2),
hq_id number(2),
packet_no1 number(4),
packet_no2 number(4) --- if approver got 2 packets due to scarcity of approvers.
create table contents
packet_no number(4),
book_id number(5),
book_region number(2),
approver_id number(4) -- means this packet has been allotted to this approver.
create table app_rule
app_region number(2),
avoid1 number(2),
avoid2 number(2),
avoid3 number(2),
avoid4 number(2),
avoid5 number(2),
avoid6 number(2),
avoid7 number(2),
avoid8 number(2),
avoid9 number(2)
insert into approver values (34,4,1,0,0);
insert into approver values (35,5,1,0,0);
insert into approver values (36,7,1,0,0);
insert into approver values (37,9,1,0,0);
insert into approver values (38,4,1,0,0);
insert into approver values (39,2,1,0,0);
insert into approver values (40,9,1,0,0);
insert into approver values (41,11,1,0,0);
insert into approver values (42,22,1,0,0);
insert into approver values (43,14,18,0,0);
insert into approver values (44,25,18,0,0);
insert into approver values (45,17,18,0,0);
insert into approver values (46,6,18,0,0);
insert into approver values (47,22,18,0,0);
insert into approver values (48,30,18,0,0);
insert into approver values (49,7,18,0,0);
insert into approver values (50,17,18,0,0);
insert into approver values (51,25,18,0,0);
insert into approver values (52,3,11,0,0);
insert into approver values (53,2,11,0,0);
insert into approver values (54,1,11,0,0);
insert into approver values (55,5,11,0,0);
insert into approver values (56,19,11,0,0);
insert into approver values (57,26,11,0,0);
insert into approver values (58,27,11,0,0);
insert into approver values (59,31,11,0,0);
insert into approver values (60,16,11,0,0);
insert into contents values (1240,5170,5,0);
insert into contents values (1240,5178,5,0);
insert into contents values (1141,1517,1,0);
insert into contents values (1141,1507,1,0);
insert into contents values (1214,4173,4,0);
insert into contents values (1214,4070,4,0);
insert into contents values (1214,7181,7,0);
insert into contents values (1214,7178,7,0);
insert into contents values (1214,8078,8,0);
insert into contents values (1214,6678,6,0);
insert into contents values (1141,19517,19,0);
insert into contents values (1141,19507,19,0);
---If there are more than 9 different book_region in a packet then that packet
---has to manually entertained/dispatch. After allotment those packets rows should be in a seperate table.
insert into app_rule values (1,1,6,3,10,0,0,0,0,0);
insert into app_rule values (2,2,11,32,4,6,9,19,0,0);
insert into app_rule values (3,3,19,2,14,16,15,0,0,0);
insert into app_rule values (4,4,2,1,0,0,0,0,0,0);
insert into app_rule values (5,5,22,1,18,8,0,0,0,0);
insert into app_rule values (6,6,8,7,5,0,0,0,0,0);
insert into app_rule values (7,7,1,2,0,0,0,0,0,0);
insert into app_rule values (8,8,9,10,11,12,13,14,15,16);
insert into app_rule values (9,9,17,18,19,20,21,0,0,0);
insert into app_rule values (10,10,6,7,8,9,26,0,0,0);
insert into app_rule values (11,11,22,23,24,0,0,0,0,0);
insert into app_rule values (12,12,25,26,27,28,29,30,31,32);
---Upto 33 regions, means person who is belonging to app_region, will not receive any book from avoid columns.
---plus HQ ID regions.Business Rule :
Complexity Level 0 :
-Packet of books sent to approver for their reading and any correction as per rule.
Example :
First Packet No. 1240 which belongs to region 5, because all books are from region 5. First approver No. 34 whose working region is 4 and HQ is 1. Now, we will scan app_rule for app_region=4 which have 4,2,1 regions for avoid and 5 is not in 4,2,1 so can we allot this packet to this approver ? No, we can not not, because approver's HQ (1) is also in avoid list, which should not.
Ok, for 35, no it can not, more over it should not because if it happened, then it will be a blunder because approver's working region id is 5 and books are from region 5, so it should not.
for 36, 7... 7th avoid are 7,1,2.. ok, but 1 is there i.e. approver's HQ.... so it can not.
for 37 9... 9th avoid are 9,17,18,19,20,21. Yes, it is perfect, because neither 5 is in the list nor 1 (Approver's HQ).
Complexity Level 1 :
What about packet no. 1214, the complicated packet because it contains books from 4 different regions i.e. 4,7,8,6; means we will look those approver who is not working in :
for 4 : 4,2,1
for 7 : 7,1,2
for 8 : 8,9,10,11,12,13,14,15,16
for 6 : 6,8,7,5
unique : 1,2,4,5,6,7,8,9,10,11,12,13,14,15,16 regions + their HQ ids. Who is from above... ie. first approver id 44 because neither 25 is in this list nor 18.
Complexity Level 2 :
Suppose there are 10 packets and we have only say 7 approvers who have sent their consent for this year. So, allotment should be that much smart and flexible who can interchange the packet internally for best fitting the allotment and for rest 3 packets it should double-allot the packet following above rule. Something like suppose packet no. 1000 has not been allotted due to less number of approvers and if packet no. 2000 has been allotted to 100th number approver, but this 2000 packet can be allotted to 1002 too, so allotment should be smart enough like packet number 1000 to 100 and packet no. 2000 to 1002 (internally interchange the packet i.e. best fitting of allotment).
Please tell me I am clear in my question or I have to provide more clearity on business rule or I have to provide more inserts for the best checking.
Yes, you can ask me, show us your effort in this regard, this is your job/work, why WE should do your task ?
My reply will be : Basically, till now I remained busy in the admin part or you can say that I have not got more PL/SQL exposure (zero in PL/SQL) and I don't think that I can do this task without your esteem help in this forum, truly speaking I can not get the work done at my own alone. I am really very sorry, If am "giving" you my task, but its not really giving,
I am just looking how this task will be done, if you please help me. We are at the designing stage, so if you can suggests any major changes in the design or there is flaw in the design. Rather than asking the question's part, I thought that it would be better to write the question as a whole.
Regards
Girish Sharma
>
I have just posted the column's definition
>
Thanks. Now it would be good if you do not change these again since we are using them as our baseline. Also the denormalized structure and data (e.g. for app_rule) makes it easier to see the data.
I am using a normalized version of the rulel table I name app_rule1. Here is the DDL and INSERTs for region 4 which I am using to work thru your example for complexity level 0 packet 1240.
create table app_rule1
app_region number(2),
avoid number(2)
insert into app_rule1 values (4,4);
insert into app_rule1 values (4,2);
insert into app_rule1 values (4,1);I'm having trouble with your approver data for this; I think it violates the business rules but perhaps you could explain.
Approver four data is
insert into approver values (34,4,1,0,0);approver_id - 34
working_place - 4 -- should have 'region' in the name because if I understand you correctly this MUST correspond to a region number - please confirm
hq_id - 1 -- should have 'region' in the name for same reason as above - please confirm
So in your explanation as to why you cannot use approver 34 for packet 1240 you said
>
No, we can not not, because approver's HQ (1) is also in avoid list, which should not.
>
My question - since approver 34 is in the avoid list for region 4 why does this approver have '4' for working_place? This '4' is the only thing that points to the rule table but it will always point to a rule record that we cannot use. This means approve 34 as defined by your data could never be used at all.
If this is true then it should be illegal to attempt to put this approver record into the table.
Is that analysis correct? My test code blew up with the first effort to follow your packet 1240 example because it tries to link data that shouldn't be linked.
Related to that - is it your intention that an approver can only point to one 'rule' record? That seems rather limited.
This code does not work properly because I need to change it based on your comments of the above but I will explain my initial effort
-- test1
-- query regions for one packet (could use DISTINCT but may not need to)
with packet_regions as (
select book_region from contents
where packet_no = 1240
-- query regions to avoid for one approver (including the approvers hq_id)
avoid_regions as (
select approver_id, working_place, hq_id avoid_region from approver
union
select approver_id, working_place, avoid avoid_region
from approver a, app_rule1 r
where a.working_place = r.app_region
-- query possible approvers
select approver_id from avoid_regions ar
where avoid_region not in (select book_region from packet_regions)1. The first query is to query regions represented for one packet
2. Second query is to select regions to avoid for each approver
3. Third query is to use the first two to select the list of legal approvers - that is, approvers whose 'avoid' list (including their HQ) is not represented in the regions for the packet.
Perhaps you can see how much simpler it is to have the app_rule data normalized rather than column-oriented (which would require parsing of some sort).
I can continue testing when I understand your response to my questions above.
Similar Messages
-
Dear all
We hava an 10.2.0.4 RAC running on AIX 6.1, we found a lot “gc cr block lost” in awr report.
How to resolve this problem?
Event Waits Time (s) (ms) Time Wait Class
log file sync 171,333 288 2 66.1 Commit
log file parallel write 170,780 240 1 55.2 System I/O
CPU time 229 52.7
gc cr block lost 61 46 755 10.6 Cluster
db file parallel write 45,676 31 1 7.2 System I/O
flowing is result of netstat -s
#netstat -s
icmp:
1501240 calls to icmp_error
0 errors not generated because old message was icmp
Output histogram:
echo reply: 48022
destination unreachable: 1478355
echo: 3672830
0 messages with bad code fields
0 messages < minimum length
0 bad checksums
0 messages with bad length
Input histogram:
echo reply: 3671367
destination unreachable: 1586471
echo: 48049
48022 message responses generated
igmp:
0 messages received
0 messages received with too few bytes
0 messages received with bad checksum
0 membership queries received
0 membership queries received with invalid field(s)
0 membership reports received
0 membership reports received with invalid field(s)
0 membership reports received for groups to which we belong
8 membership reports sent
tcp:
74915651 packets sent
57060778 data packets (138705942737 bytes)
33462 data packets (37970884 bytes) retransmitted
5375289 ack-only packets (4239002 delayed)
0 URG only packets
5 window probe packets
11436565 window update packets
2019104 control packets
5526504 large sends
132996311078 bytes sent using largesend
2085120 bytes is the biggest largesend
107952244 packets received
61900612 acks (for 138706680574 bytes)
418658 duplicate acks
0 acks for unsent data
89624245 packets (70001950782 bytes) received in-sequence
4743 completely duplicate packets (818002 bytes)
0 old duplicate packets
17 packets with some dup. data (4248 bytes duped)
302994 out-of-order packets (30842613 bytes)
32 packets (32 bytes) of data after window
32 window probes
286783 window update packets
6552 packets received after close
0 packets with bad hardware assisted checksum
0 discarded for bad checksums
0 discarded for bad header offset fields
0 discarded because packet too short
492 discarded by listeners
0 discarded due to listener's queue full
11878766 ack packet headers correctly predicted
44728305 data packet headers correctly predicted
322438 connection requests
278463 connection accepts
556834 connections established (including accepts)
604193 connections closed (including 2346 drops)
0 connections with ECN capability
0 times responded to ECN
36 embryonic connections dropped
62169023 segments updated rtt (of 57866592 attempts)
0 segments with congestion window reduced bit set
0 segments with congestion experienced bit set
0 resends due to path MTU discovery
44036 path MTU discovery terminations due to retransmits
156798 retransmit timeouts
0 connections dropped by rexmit timeout
9058 fast retransmits
6049 when congestion window less than 4 segments
5 newreno retransmits
156 times avoided false fast retransmits
0 persist timeouts
0 connections dropped due to persist timeout
2859 keepalive timeouts
0 keepalive probes sent
0 connections dropped by keepalive
0 times SACK blocks array is extended
0 times SACK holes array is extended
0 packets dropped due to memory allocation failure
1 connection in timewait reused
0 delayed ACKs for SYN
0 delayed ACKs for FIN
0 send_and_disconnects
0 spliced connections
0 spliced connections closed
0 spliced connections reset
0 spliced connections timeout
0 spliced connections persist timeout
0 spliced connections keepalive timeout
0 TCP checksum offload disabled during retransmit
0 Connections dropped due to bad ACKs
0 Connections dropped due to duplicate SYN packets
0 fastpath loopback connections
0 fastpath loopback sent packets (0 bytes)
0 fastpath loopback received packets (0 bytes)
udp:
147486199 datagrams received
0 incomplete headers
0 bad data length fields
0 bad checksums
1562482 dropped due to no socket
5229040 broadcast/multicast datagrams dropped due to no socket
0 socket buffer overflows
140694677 delivered
144251657 datagrams output
ip:
272497723 total packets received
0 bad header checksums
0 with size smaller than minimum
0 with data size < data length
0 with header length < data size
0 with data length < header length
0 with bad options
0 with incorrect version number
14418667 fragments received
0 fragments dropped (dup or out of space)
254148 fragments dropped after timeout
2750080 packets reassembled ok
255570679 packets for this host
5112394 packets for unknown/unsupported protocol
0 packets forwarded
23568 packets not forwardable
0 redirects sent
224311858 packets sent from this host
0 packets sent with fabricated ip header
0 output packets dropped due to no bufs, etc.
0 output packets discarded due to no route
4173773 output datagrams fragmented
21581265 fragments created
0 datagrams that can't be fragmented
0 IP Multicast packets dropped due to no receiver
0 successful path MTU discovery cycles
0 path MTU rediscovery cycles attempted
0 path MTU discovery no-response estimates
0 path MTU discovery response timeouts
0 path MTU discovery decreases detected
0 path MTU discovery packets sent
0 path MTU discovery memory allocation failures
0 ipintrq overflows
0 with illegal source
0 packets processed by threads
0 packets dropped by threads
0 packets dropped due to the full socket receive buffer
0 dead gateway detection packets sent
0 dead gateway detection packet allocation failures
0 dead gateway detection gateway allocation failures
0 incoming packets dropped due to MLS filters
0 packets not sent due to MLS filters
ipv6:
122495 total packets received
Input histogram:
TCP: 14
UDP: 61243
ICMP v6: 61238
0 with size smaller than minimum
0 with data size < data length
0 with incorrect version number
0 with illegal source
0 input packets without enough memory
0 fragments received
0 fragments dropped (dup or out of space)
0 fragments dropped after timeout
0 packets reassembled ok
122495 packets for this host
0 packets for unknown/unsupported protocol
0 packets forwarded
0 packets not forwardable
0 too big packets not forwarded
120071 packets sent from this host
0 packets sent with fabricated ipv6 header
0 output packets dropped due to no bufs
0 output packets without enough memory
7858 output packets discarded due to no route
0 output datagrams fragmented
0 fragments created
0 packets dropped due to full socket receive buffer
0 packets not delivered due to bad raw IPv6 checksum
0 incoming packets dropped due to MLS filters
0 packets not sent due to MLS filters
icmpv6:
61242 calls to icmp6_error
0 errors not generated because old message was icmpv6
Output histogram:
unreachable: 61238
packets too big: 0
time exceeded: 0
parameter problems: 0
redirects: 0
echo requests: 0
echo replies: 0
group queries: 0
group reports: 0
group terminations: 0
router solicitations: 0
router advertisements: 0
neighbor solicitations: 0
neighbor advertisements: 0
0 messages with bad code fields
0 messages < minimum length
0 bad checksums
0 messages with bad length
Input histogram:
unreachable: 61238
packets too big: 0
time exceeded: 0
parameter problems: 0
echo requests: 0
echo replies: 0
group queries: 0
bad group queries: 0
group reports: 0
bad group reports: 0
our groups' reports: 0
group terminations: 0
bad group terminations: 0
router solicitations: 0
bad router solicitations: 0
router advertisements: 0
bad router advertisements: 0
neighbor solicitations: 0
bad neighbor solicitations: 0
neighbor advertisements: 0
bad neighbor advertisements: 0
redirects: 0
bad redirects: 0
mobility calls when not started: 0
home agent address discovery requests: 0
bad home agent address discovery requests: 0
bad home agent address discovery replys: 0
bad home agent address discovery replys: 0
prefix solicitations: 0
bad prefix solicitations: 0
prefix advertisements: 0
bad prefix advertisements: 0
0 message responses generatedHi,
Troubleshooting gc block lost and Poor Network Performance in a RAC Environment (Doc ID 563566.1)
Regards
Sebastian -
Class-default traffic drop in congension
Hi Guys,
Please consider the following example and share your thoughts:
In a MQC deployement, consider that there are following two classes defined:
Class1: EF marking with priority 20%
Class2: AF41 marking with bandwidth 40%
All remaining traffic except above said two classes will go to default class known as class-default.
In case of congestion, which traffic will drop in class-default.
As per my understanding class-default will match all traffic except EF, AF41, CS6 & CS7 (EF is defined in Class1, AF41 is defined in Class2, CS6 & CS7 will be considered as control traffic for 25% reserve bandwidth) and during congestion on all classes (including class-default) class-default will not carry the traffic marked with EF, AF41, CS6 & CS7 instead it will carry the low priority traffic (traffic from class selectors CS0, CS1, CS2, CS3 and CS4 (AF42 + AF43).
Please comment & correct if I am wrong. Do let me know if any other clarity is required on this scenerio.
Thanks.Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
Actually LLQ can exceed its bandwidth allocation, if there's no interface congestion.
Class-default does not directly "consider" other class congestion. Nor do other classes directly "consider" class-default congestion.
Excluding LLQ, what happens when there's congestion, each class is dequeued proportionally to its class (actually queue) weight relative to other classes except for class-default, pre-HQF, with FQ enabled. The latter, has flow queues which get dequeued, also proportionally, relative to all the other queues.
Each queue, again excluding LLQ, will drop when the number of packets trying to be enqueued exceed the queue depth (in packets) allocated for that queue.
Specifically for your question, class-2, your AF41 marked traffic, will drop if it exceeds it allocated queue size. By default, this would be tail drop. If WRED is enabled, WRED will look at the "average" queue depth when tries to enqueue a new packet and determines, based on its settings, whether to drop that packet.
Does class-default, or other classes, have any affect? Yes, as whatever share of interface bandwidth being otherwise used will not be available to class-2, and when it's not, class-2 may enqueue when it otherwise would not. -
High CPU utilization problem,pls help!!
hi,all
i got some problems,I found the "dhcpd receive" process consume too much CPU, how can i fix it?
attached file is "show process cpu" command output. (running on WS-4507R with cat4500-entservicesk9-mz.150-2.SG1.bin)
#sh platform cpu packet statistics all
Packets Dropped In Hardware By CPU Subport (txQueueNotAvail)
CPU Subport TxQueue 0 TxQueue 1 TxQueue 2 TxQueue 3
0 0 7398 0 922470635
1 0 0 0 0
2 0 1748 0 0
3 0 0 0 0
4 0 0 0 0
5 0 0 0 0
6 0 0 0 0
7 0 0 0 0
RkiosSysPacketMan:
Packet allocation failures: 0
Packet Buffer(Software Common) allocation failures: 0
Packet Buffer(Software ESMP) allocation failures: 0
Packet Buffer(Software EOBC) allocation failures: 0
Packet Buffer(Software SupToSup) allocation failures: 0
IOS Packet Buffer Wrapper allocation failures: 0
Packets Enqueued Overall
Total 5 sec avg 1 min avg 5 min avg 1 hour avg
0 0 0 0 0
Packets Not Enqueued Overall
Total 5 sec avg 1 min avg 5 min avg 1 hour avg
0 0 0 0 0
Packets Dropped In Processing Overall
Total 5 sec avg 1 min avg 5 min avg 1 hour avg
7938572 0 0 0 0
Packets Not Enqueued by CPU event
Event Total 5 sec avg 1 min avg 5 min avg 1 hour avg
Control Packet 0 0 0 0 0
Input Acl 0 0 0 0 0
RPF Fail 0 0 0 0 0
Adjacency Same If 0 0 0 0 0
L3 Forward 0 0 0 0 0
NFL Copy To CPU 0 0 0 0 0
Output Acl 0 0 0 0 0
MTU Check Fail 0 0 0 0 0
SA Miss 0 0 0 0 0
L2 Forward 0 0 0 0 0
SPAN 0 0 0 0 0
CPU Generated 0 0 0 0 0
Unknown 0 0 0 0 0
Packets Dropped In Processing by CPU event
Event Total 5 sec avg 1 min avg 5 min avg 1 hour avg
Control Packet 0 0 0 0 0
Input Acl 7932929 0 0 0 0
RPF Fail 0 0 0 0 0
Adjacency Same If 0 0 0 0 0
L3 Forward 0 0 0 0 0
NFL Copy To CPU 0 0 0 0 0
Output Acl 90 0 0 0 0
MTU Check Fail 0 0 0 0 0
SA Miss 5538 0 0 0 0
L2 Forward 0 0 0 0 0
SPAN 0 0 0 0 0
CPU Generated 0 0 0 0 0
Unknown 0 0 0 0 0
Packets Dropped In Processing by CPU event
Event Total 5 sec avg 1 min avg 5 min avg 1 hour avg
Control Packet 0 0 0 0 0
Input Acl 7932929 0 0 0 0
RPF Fail 0 0 0 0 0
Adjacency Same If 0 0 0 0 0
L3 Forward 0 0 0 0 0
NFL Copy To CPU 0 0 0 0 0
Output Acl 90 0 0 0 0
MTU Check Fail 0 0 0 0 0
SA Miss 5538 0 0 0 0
L2 Forward 0 0 0 0 0
SPAN 0 0 0 0 0
CPU Generated 0 0 0 0 0
Unknown 0 0 0 0 0
Packets Not Enqueued by Priority
Priority Total 5 sec avg 1 min avg 5 min avg 1 hour avg
Unknown 0 0 0 0 0
Normal 0 0 0 0 0
Medium 0 0 0 0 0
High 0 0 0 0 0
Crucial 0 0 0 0 0
Super Crucial 0 0 0 0 0
Packets Dropped In Processing by Priority
Priority Total 5 sec avg 1 min avg 5 min avg 1 hour avg
Unknown 0 0 0 0 0
Normal 415 0 0 0 0
Medium 5553 0 0 0 0
High 7932619 0 0 0 0
Crucial 0 0 0 0 0
Super Crucial 0 0 0 0 0
Packets Not Enqueued by Reason
Reason Total 5 sec avg 1 min avg 5 min avg 1 hour avg
RxQueueNotAvail 0 0 0 0 0
RxNoBuffersAvail 0 0 0 0 0
RxBadCpuEvent 0 0 0 0 0
Testing 0 0 0 0 0
Packets Dropped In Processing by Reason
Reason Total 5 sec avg 1 min avg 5 min avg 1 hour avg
BadPddType 0 0 0 0 0
VlanZeroBadCrc 0 0 0 0 0
VlanZeroGoodCrc 0 0 0 0 0
ReplVlan0GoodCrc 0 0 0 0 0
NoPimPhyportMap 0 0 0 0 0
NoPimPhyport 0 0 0 0 0
UnimplementedEvt 0 0 0 0 0
SrcAddrTableFilt 1557 0 0 0 0
NoL2Vlan 0 0 0 0 0
STPDrop 3981 0 0 0 0
UnknownLyr-Bridge 0 0 0 0 0
UnknownLyr-OutAcl 90 0 0 0 0
L2DstDrop 12 0 0 0 0
L2DstDropInAcl 0 0 0 0 0
L2DstDropOutAcl 0 0 0 0 0
AclNoVlan 0 0 0 0 0
AclActionDrop 0 0 0 0 0
AclActionRedirect 0 0 0 0 0
AclActionUnsupptd 0 0 0 0 0
UnknownBridgeAct 0 0 0 0 0
NoTxInfo 0 0 0 0 0
NoDstPorts 7932932 0 0 0 0
NoFloodPorts 0 0 0 0 0
ControlNoL2DstEnt 0 0 0 0 0
InvalidAclAction 0 0 0 0 0
AclInputErr 0 0 0 0 0
OutAclEvntOnInAcl 0 0 0 0 0
AclOutputErr 0 0 0 0 0
ReservedPort 0 0 0 0 0
EsmpNoTxInfo 0 0 0 0 0
UnknownSource 0 0 0 0 0
NoDriverTxPackets 0 0 0 0 0
NoPimPort 0 0 0 0 0
RouteLookupFailed 0 0 0 0 0
FragPktAllocFailed 0 0 0 0 0
IpHdrException 0 0 0 0 0
SpanEvent 0 0 0 0 0
Dot1xUnauthCtrlPkt 0 0 0 0 0
No Sw port for ARP 0 0 0 0 0
No Sw port for ESMP 0 0 0 0 0
CtrlPktInBadEtherType 0 0 0 0 0
PortMacOperationallyDown 0 0 0 0 0
Total packet queues 16
Packets Received by Packet Queue
Queue Total 5 sec avg 1 min avg 5 min avg 1 hour avg
Esmp 2830872005 125 110 79 71
L2/L3Control 752444885 31 22 20 20
Host Learning 94862324 3 0 1 1
L3 Fwd High 439 0 0 0 0
L3 Fwd Medium 68226 0 0 0 0
L3 Fwd Low 105911724 5 0 1 1
L2 Fwd High 0 0 0 0 0
L2 Fwd Medium 9144 0 0 0 0
L2 Fwd Low 1033665357 253 232 165 76
L3 Rx High 1163622 0 0 0 0
L3 Rx Low 2379160134 243 263 194 99
RPF Failure 0 0 0 0 0
ACL fwd(snooping) 0 0 0 0 0
ACL log, unreach 33482 0 0 0 0
ACL sw processing 108494909 9 4 5 4
MTU Fail/Invalid 0 0 0 0 0
Packets Dropped by Packet Queue
Queue Total 5 sec avg 1 min avg 5 min avg 1 hour avg
Esmp 0 0 0 0 0
L2/L3Control 0 0 0 0 0
Host Learning 79 0 0 0 0
L3 Fwd High 0 0 0 0 0
L3 Fwd Medium 0 0 0 0 0
L3 Fwd Low 0 0 0 0 0
L2 Fwd High 0 0 0 0 0
L2 Fwd Medium 0 0 0 0 0
L2 Fwd Low 0 0 0 0 0
L3 Rx High 0 0 0 0 0
L3 Rx Low 2 0 0 0 0
RPF Failure 0 0 0 0 0
ACL fwd(snooping) 0 0 0 0 0
ACL log, unreach 0 0 0 0 0
ACL sw processing 0 0 0 0 0
MTU Fail/Invalid 0 0 0 0 0
Packets Transmitted from CPU per Output Interface
Interface Total 5 sec avg 1 min avg 5 min avg 1 hour avg
Fa3/1 0 0 0 0 0
Fa3/2 0 0 0 0 0
Fa3/3 0 0 0 0 0
Fa3/4 0 0 0 0 0
Fa3/5 0 0 0 0 0
Fa3/6 0 0 0 0 0
Fa3/7 0 0 0 0 0
Fa3/8 0 0 0 0 0
Fa3/9 0 0 0 0 0
Fa3/10 0 0 0 0 0
Fa3/11 0 0 0 0 0
Fa3/12 0 0 0 0 0
Fa3/13 0 0 0 0 0
Fa3/14 0 0 0 0 0
Fa3/15 0 0 0 0 0
Fa3/16 0 0 0 0 0
Fa3/17 0 0 0 0 0
Fa3/18 0 0 0 0 0
Fa3/19 0 0 0 0 0
Fa3/20 0 0 0 0 0
Fa3/21 0 0 0 0 0
Fa3/22 0 0 0 0 0
Fa3/23 0 0 0 0 0
Fa3/24 0 0 0 0 0
Fa3/25 0 0 0 0 0
Fa3/26 0 0 0 0 0
Fa3/27 0 0 0 0 0
Fa3/28 0 0 0 0 0
Fa3/29 0 0 0 0 0
Fa3/30 0 0 0 0 0
Fa3/31 0 0 0 0 0
Fa3/32 0 0 0 0 0
Fa3/33 0 0 0 0 0
Fa3/34 0 0 0 0 0
Fa3/35 0 0 0 0 0
Fa3/36 0 0 0 0 0
Fa3/37 0 0 0 0 0
Fa3/38 0 0 0 0 0
Fa3/39 0 0 0 0 0
Fa3/40 0 0 0 0 0
Fa3/41 0 0 0 0 0
Fa3/42 0 0 0 0 0
Fa3/43 0 0 0 0 0
Fa3/44 0 0 0 0 0
Fa3/45 0 0 0 0 0
Fa3/46 0 0 0 0 0
Fa3/47 0 0 0 0 0
Fa3/48 0 0 0 0 0
Fa4/1 0 0 0 0 0
Fa4/2 0 0 0 0 0
Fa4/3 0 0 0 0 0
Fa4/4 0 0 0 0 0
Fa4/5 0 0 0 0 0
Fa4/6 0 0 0 0 0
Fa4/7 0 0 0 0 0
Fa4/8 0 0 0 0 0
Fa4/9 0 0 0 0 0
Fa4/10 0 0 0 0 0
Fa4/11 0 0 0 0 0
Fa4/12 0 0 0 0 0
Fa4/13 0 0 0 0 0
Fa4/14 0 0 0 0 0
Fa4/15 0 0 0 0 0
Fa4/16 0 0 0 0 0
Fa4/17 0 0 0 0 0
Fa4/18 0 0 0 0 0
Fa4/19 0 0 0 0 0
Fa4/20 0 0 0 0 0
Fa4/21 0 0 0 0 0
Fa4/22 0 0 0 0 0
Fa4/23 0 0 0 0 0
Fa4/24 0 0 0 0 0
Fa4/25 0 0 0 0 0
Fa4/26 0 0 0 0 0
Fa4/27 0 0 0 0 0
Fa4/28 0 0 0 0 0
Fa4/29 0 0 0 0 0
Fa4/30 0 0 0 0 0
Fa4/31 0 0 0 0 0
Fa4/32 0 0 0 0 0
Fa4/33 0 0 0 0 0
Fa4/34 0 0 0 0 0
Fa4/35 0 0 0 0 0
Fa4/36 0 0 0 0 0
Fa4/37 0 0 0 0 0
Fa4/38 0 0 0 0 0
Fa4/39 0 0 0 0 0
Fa4/40 0 0 0 0 0
Fa4/41 0 0 0 0 0
Fa4/42 0 0 0 0 0
Fa4/43 0 0 0 0 0
Fa4/44 0 0 0 0 0
Fa4/45 0 0 0 0 0
Fa4/46 0 0 0 0 0
Fa4/47 0 0 0 0 0
Fa4/48 0 0 0 0 0
Gi5/1 0 0 0 0 0
Gi5/2 0 0 0 0 0
Gi5/3 0 0 0 0 0
Gi5/4 0 0 0 0 0
Gi5/5 0 0 0 0 0
Gi5/6 0 0 0 0 0
Gi1/1 0 0 0 0 0
Gi1/2 0 0 0 0 0
Packets Received at CPU per Input Interface
Interface Total 5 sec avg 1 min avg 5 min avg 1 hour avg
Fa3/1 0 0 0 0 0
Fa3/2 0 0 0 0 0
Fa3/3 0 0 0 0 0
Fa3/4 0 0 0 0 0
Fa3/5 0 0 0 0 0
Fa3/6 0 0 0 0 0
Fa3/7 0 0 0 0 0
Fa3/8 0 0 0 0 0
Fa3/9 0 0 0 0 0
Fa3/10 0 0 0 0 0
Fa3/11 0 0 0 0 0
Fa3/12 0 0 0 0 0
Fa3/13 0 0 0 0 0
Fa3/14 0 0 0 0 0
Fa3/15 0 0 0 0 0
Fa3/16 0 0 0 0 0
Fa3/17 0 0 0 0 0
Fa3/18 0 0 0 0 0
Fa3/19 0 0 0 0 0
Fa3/20 0 0 0 0 0
Fa3/21 0 0 0 0 0
Fa3/22 0 0 0 0 0
Fa3/23 0 0 0 0 0
Fa3/24 0 0 0 0 0
Fa3/25 0 0 0 0 0
Fa3/26 0 0 0 0 0
Fa3/27 0 0 0 0 0
Fa3/28 0 0 0 0 0
Fa3/29 0 0 0 0 0
Fa3/30 0 0 0 0 0
Fa3/31 0 0 0 0 0
Fa3/32 0 0 0 0 0
Fa3/33 0 0 0 0 0
Fa3/34 0 0 0 0 0
Fa3/35 0 0 0 0 0
Fa3/36 0 0 0 0 0
Fa3/37 0 0 0 0 0
Fa3/38 0 0 0 0 0
Fa3/39 0 0 0 0 0
Fa3/40 0 0 0 0 0
Fa3/41 0 0 0 0 0
Fa3/42 0 0 0 0 0
Fa3/43 0 0 0 0 0
Fa3/44 0 0 0 0 0
Fa3/45 0 0 0 0 0
Fa3/46 0 0 0 0 0
Fa3/47 0 0 0 0 0
Fa3/48 0 0 0 0 0
Fa4/1 0 0 0 0 0
Fa4/2 0 0 0 0 0
Fa4/3 0 0 0 0 0
Fa4/4 0 0 0 0 0
Fa4/5 0 0 0 0 0
Fa4/6 0 0 0 0 0
Fa4/7 0 0 0 0 0
Fa4/8 0 0 0 0 0
Fa4/9 0 0 0 0 0
Fa4/10 0 0 0 0 0
Fa4/11 0 0 0 0 0
Fa4/12 0 0 0 0 0
Fa4/13 0 0 0 0 0
Fa4/14 0 0 0 0 0
Fa4/15 0 0 0 0 0
Fa4/16 0 0 0 0 0
Fa4/17 0 0 0 0 0
Fa4/18 0 0 0 0 0
Fa4/19 0 0 0 0 0
Fa4/20 0 0 0 0 0
Fa4/21 0 0 0 0 0
Fa4/22 0 0 0 0 0
Fa4/23 0 0 0 0 0
Fa4/24 0 0 0 0 0
Fa4/25 0 0 0 0 0
Fa4/26 0 0 0 0 0
Fa4/27 0 0 0 0 0
Fa4/28 0 0 0 0 0
Fa4/29 0 0 0 0 0
Fa4/30 0 0 0 0 0
Fa4/31 0 0 0 0 0
Fa4/32 0 0 0 0 0
Fa4/33 0 0 0 0 0
Fa4/34 0 0 0 0 0
Fa4/35 0 0 0 0 0
Fa4/36 0 0 0 0 0
Fa4/37 0 0 0 0 0
Fa4/38 0 0 0 0 0
Fa4/39 0 0 0 0 0
Fa4/40 0 0 0 0 0
Fa4/41 0 0 0 0 0
Fa4/42 0 0 0 0 0
Fa4/43 0 0 0 0 0
Fa4/44 0 0 0 0 0
Fa4/45 0 0 0 0 0
Fa4/46 0 0 0 0 0
Fa4/47 0 0 0 0 0
Fa4/48 0 0 0 0 0
Gi5/1 0 0 0 0 0
Gi5/2 0 0 0 0 0
Gi5/3 0 0 0 0 0
Gi5/4 0 0 0 0 0
Gi5/5 0 0 0 0 0
Gi5/6 0 0 0 0 0
Gi1/1 0 0 0 0 0
Gi1/2 0 0 0 0 0Hello Dong,
You are having a bridging loop. Check the devices connected on gi5/4 and gi2/5
Show cdp neig gi5/4 deta
Show cdp neig gi2/5 deta
Once you know what our neighbors are, go on our neighbors and issue the following multiple times:
show mac-address address 00:0C:29:60:42:BF.
You have vmware and dell vendors involved. Check for nic teaming on the vmware side.
You should see this MAC being learned on the interface connected to gi5/4 or gi 2/5 sometimes, and another
interface the other times. Once you know which ports these respective switches are learning the MAC from, issue
the 'show cdp neighbor' and do this again.
Eventually, you should get to a pair of ports that aren't connected to a switch, and only have this MAC learned.
Once you have these ports, you should be able to figure out what kind of devices these are, and why they are sourcing
traffic from the same MAC.
You can enable to debug command to identity the top interfaces that send traffic/packets for CPU processing.
Switch#debug platform packet all count
Switch#show platform cpu packet statistics
Switch#unde all
http://www.cisco.com/en/US/products/hw/switches/ps663/products_tech_note09186a00804cef15.shtml
Haihua -
ME4900 High CPU Because of Host Learning
Hi,
I am having the following issue:
ME02#sh processes cpu history
7777777777777777777777777777777777777777777777777777777777
0000000000333332222233336666633333111115555555555444448888
100
90
80 ***** ********** ****
70 **********************************************************
60 **********************************************************
50 **********************************************************
40 **********************************************************
30 **********************************************************
20 **********************************************************
10 **********************************************************
0....5....1....1....2....2....3....3....4....4....5....5....
0 5 0 5 0 5 0 5 0 5
CPU% per second (last 60 seconds)
8788878888978788888898878787988887878788979889989987788899
8950988091399773949001006973018149765762091698845219738701
100 ** *
90 * * * * * * * * * * * * * * * * * * * ***** ** ****
80 #*###*#######*#######** #*# #*#####*#*###########*#***#*##
70 ##########################################################
60 ##########################################################
50 ##########################################################
40 ##########################################################
30 ##########################################################
20 ##########################################################
10 ##########################################################
0....5....1....1....2....2....3....3....4....4....5....5....
0 5 0 5 0 5 0 5 0 5
CPU% per minute (last 60 minutes)
* = maximum CPU% # = average CPU%
ME02-ANA#sh platform health
%CPU %CPU RunTimeMax Priority Average %CPU Total
Target Actual Target Actual Fg Bg 5Sec Min Hour CPU
GalChassisVp-review 3.00 0.08 10 46 100 500 0 0 0 665:48
S2w-JobEventSchedule 10.00 1.29 10 24 100 500 1 1 1 8849:22
Stub-JobEventSchedul 10.00 0.00 10 0 100 500 0 0 0 0:00
Lj-poll 1.00 0.02 2 0 100 500 0 0 0 176:21
StatValueMan Update 1.00 0.07 1 0 100 500 0 0 0 324:04
Pim-review 0.10 0.01 1 0 100 500 0 0 0 36:16
Ebm-host-review 1.00 0.00 8 4 100 500 0 0 0 943:27
Ebm-host-util-review 1.00 0.00 10 0 100 500 0 0 0 1:26
Ebm-port-review 0.10 0.00 1 0 100 500 0 0 0 3:10
Protocol-aging-revie 0.20 0.00 2 0 100 500 0 0 0 0:10
EbmHostRedundancyMan 2.00 0.00 20 0 100 500 0 0 0 0:00
Acl-Flattener 1.00 0.00 10 0 100 500 0 0 0 0:00
GalChassisVp Ondeman 2.00 0.00 2 0 100 500 0 0 0 0:00
KxAclPathMan create/ 1.00 0.00 10 5 100 500 0 0 0 8:09
KxAclPathMan update 2.00 0.00 10 0 100 500 0 0 0 0:00
KxAclPathMan reprogr 1.00 0.00 2 0 100 500 0 0 0 0:00
TagMan-RecreateMtegR 1.00 0.00 10 0 100 500 0 0 0 0:00
K2CpuMan Review 30.00 67.25 30 346 100 500 174 178 128 59991:10
K2AccelPacketMan: Tx 10.00 2.50 20 0 100 500 3 3 2 21944:07
K2AccelPacketMan: Au 0.10 0.00 0 0 100 500 0 0 0 0:00
K2AclMan-labeledFlat 1.00 0.00 10 0 100 500 0 0 0 0:00
K2AclCamMan stale en 1.00 0.00 10 0 100 500 0 0 0 0:00
K2AclCamMan consolid 1.00 0.00 10 0 100 500 0 0 0 0:00
K2AclCamMan hw stats 3.00 0.23 10 5 100 500 0 0 0 3065:15
K2AclCamMan kx stats 1.00 0.00 10 5 100 500 0 0 0 1115:31
K2AclCamMan Audit re 1.00 0.00 10 0 100 500 0 0 0 0:35
>>> K2CpuMan Review is using a lot of resource.
ME02#sh platform cpu packet statistics
Packets Dropped In Hardware By CPU Subport (txQueueNotAvail)
CPU Subport TxQueue 0 TxQueue 1 TxQueue 2 TxQueue 3
2 0 614764 0 0
RkiosSysPacketMan:
Packet allocation failures: 0
Packet Buffer(Software Common) allocation failures: 0
Packet Buffer(Software ESMP) allocation failures: 0
Packet Buffer(Software EOBC) allocation failures: 0
Packet Buffer(Software SupToSup) allocation failures: 0
IOS Packet Buffer Wrapper allocation failures: 0
Packets Dropped In Processing Overall
Total 5 sec avg 1 min avg 5 min avg 1 hour avg
1250698 0 0 0 0
Packets Dropped In Processing by CPU event
Event Total 5 sec avg 1 min avg 5 min avg 1 hour avg
Input Acl 56640 0 0 0 0
SA Miss 1194019 0 0 0 0
L2 Forward 1 0 0 0 0
CPU Generated 38 0 0 0 0
Packets Dropped In Processing by Priority
Priority Total 5 sec avg 1 min avg 5 min avg 1 hour avg
Normal 56053 0 0 0 0
Medium 1194019 0 0 0 0
High 588 0 0 0 0
Crucial 38 0 0 0 0
Packets Dropped In Processing by Reason
Reason Total 5 sec avg 1 min avg 5 min avg 1 hour avg
VlanZeroBadCrc 912338 0 0 0 0
SrcAddrTableFilt 1774 0 0 0 0
STPDrop 283895 0 0 0 0
L2DstDrop 146 0 0 0 0
L2DstDropInAcl 25322 0 0 0 0
NoDstPorts 27190 0 0 0 0
NoFloodPorts 33 0 0 0 0
Total packet queues 16
Packets Received by Packet Queue
Queue Total 5 sec avg 1 min avg 5 min avg 1 hour avg
L2/L3Control 7479130708 272 274 222 214
Host Learning 6893729252 25471 25323 20851 24412
L3 Fwd Low 378 0 0 0 0
L2 Fwd Low 6098176 0 0 0 0
L3 Rx High 24 0 0 0 0
L3 Rx Low 31697 0 0 0 0
Packets Dropped by Packet Queue
Queue Total 5 sec avg 1 min avg 5 min avg 1 hour avg
L2/L3Control 216862 0 0 0 0
Host Learning 33094924 38 35 42 139
>>>> From this output, showing that Host Learning is consuming the CPU.
I tried to find TCN by "show spanning-tree detail" but i don't find any TCN happen.
What else should i check ?The mac-move feature doesn't shows any entries. I expected to see many entries, because the Host Learning queue still shows an 1 hour average of 3819!
Regarding SPAN i don't have a SPAN Destination port at the moment.
Another question: There are two Core-Switches and some distribution switches are connected to each of the Core-Switch. On the trunks between the core-Switches and Distribution-Switches there are only some vlan allowed via "trunk allowed vlan".
Furthermore i can see that there are different spanning-tree root bridges for the same VLAN, e.g. if a VLAN is not allowed to a Distribution Switch, this Switch will be the root instead of the desired first Core-Switch. Is this a normal behaviour?
Must the trunk allowed configuration match on the link between core- and Distribution Switch? -
Switch High cpu Catalyst 4500 Version 12.2(53)SG5
I need help trying to understand the following.
%CPU %CPU RunTimeMax Priority Average %CPU Total
Target Actual Target Actual Fg Bg 5Sec Min Hour CPU
GalChassisVp-review 3.00 0.10 10 45 100 500 0 0 0 701:22
K2AclCamMan hw stats 3.00 1.48 10 5 100 500 0 0 0 3265:20
K2AclCamMan kx stats 1.00 0.10 10 5 100 500 0 0 0 1917:38
K2L2 Address Table R 2.00 72.93 12 5 100 500 95 87 66 458521:03
K2PortMan Review 3.00 4.73 15 11 100 500 5 5 4 28199:47
K2Fib Consistency Ch 1.00 0.19 5 2 100 500 0 0 0 1082:02
K2FibPbr route map r 2.00 0.21 20 5 100 500 0 0 0 2031:50
K2QosDblMan Rate DBL 2.00 0.11 7 1 100 500 0 0 0 662:26
K2 VlanStatsMan Revi 2.00 0.39 15 2 100 500 0 0 0 2062:11
K2PacketBufMonitor-P 3.00 2.76 10 1 100 500 2 2 2 13968:10
RkiosPortMan Port Re 2.00 0.30 12 29 100 500 0 0 0 1744:23
RkiosIpPbr IrmPort R 2.00 0.22 10 3 100 500 0 0 0 342:05
Grandprix 1-1 Stub R 2.00 0.17 15 5 100 500 0 0 0 1244:55
Grandprix 1-2 Stub R 2.00 0.14 15 5 100 500 0 0 0 866:57
Grandprix 1-3 Stub R 2.00 0.13 15 5 100 500 0 0 0 840:36
Grandprix 1-4 Stub R 2.00 0.16 15 5 100 500 0 0 0 846:55
Grandprix 1-5 Stub R 2.00 0.14 15 5 100 500 0 0 0 855:31
Grandprix 1-6 Stub R 2.00 0.15 15 124 100 500 0 0 0 1051:18
Grandprix 1-1 Stats 2.00 0.64 4 2 100 500 0 0 0 3151:58
Grandprix 1-2 Stats 2.00 0.48 4 2 100 500 0 0 0 675:30
Grandprix 1-3 Stats 2.00 0.20 4 2 100 500 0 0 0 567:34
Grandprix 1-6 Stats 2.00 0.35 4 2 100 500 0 0 0 2072:59
%CPU Totals 241.20 101.19
Allocation ceiling Current allocation
kbytes % in use kbytes % in use
Linecard 1's Store 258.00 62% 161.12 100%
TSM objects ------------------ ------------------
PacketInfoItem 859.37 0% 0.64 0%
VbufNodes1600 55.50 0% 5.20 0%
VbufNodes400 288.00 0% 1.12 50%
PacketBufRaw 25219.50 100% 25219.50 100%
PacketBufRawJumbo 184.29 100% 184.29 100%
Packet 2079.42 0% 54.10 0%
PimPhyports 1054.68 5% 54.84 100%
PimPorts 906.25 11% 105.12 100%
PimModules 162.00 0% 0.63 100%
PimChassis 38.37 6% 2.39 100%
EbmVlans 5088.00 1% 67.07 100%
EbmPorts 344.00 11% 38.63 100%
IrmVrfs 315.00 0% 2.46 50%
IrmFibEntries 12288.00 0% 0.75 6%
IrmMfibEntryMemMan 6656.00 0% 0.10 100%
Acl 1536.00 0% 1.87 100%
Ace24 9215.85 0% 4.92 100%
Ace48 15359.76 0% 0.35 100%
AclListNode 256.00 0% 0.30 100%
AclClassifierActionL 1152.00 0% 1.40 87%
CommandTables 48.00 22% 10.59 100%
K2FibVrfs 152.00 0% 1.18 50%
K2TxPacketInfo 256.00 0% 0.25 0%
Packets Dropped In Hardware By CPU Subport (txQueueNotAvail)
CPU Subport TxQueue 0 TxQueue 1 TxQueue 2 TxQueue 3
1 0 0 0 822
2 0 7538177 0 0
RkiosSysPacketMan:
Packet allocation failures: 0
Packet Buffer(Software Common) allocation failures: 0
Packet Buffer(Software ESMP) allocation failures: 0
Packet Buffer(Software EOBC) allocation failures: 0
Packet Buffer(Software SupToSup) allocation failures: 0
IOS Packet Buffer Wrapper allocation failures: 0
Packets Dropped In Processing Overall
Total 5 sec avg 1 min avg 5 min avg 1 hour avg
881 0 0 0 0
Packets Dropped In Processing by CPU event
Event Total 5 sec avg 1 min avg 5 min avg 1 hour avg
SA Miss 874 0 0 0 0
Packets Dropped In Processing by Priority
Priority Total 5 sec avg 1 min avg 5 min avg 1 hour avg
Normal 7 0 0 0 0
Medium 881 0 0 0 0
Packets Dropped In Processing by Reason
Reason Total 5 sec avg 1 min avg 5 min avg 1 hour avg
SrcAddrTableFilt 87 0 0 0 0
STPDrop 771 0 0 0 0
L2DstDrop 21 0 0 0 0
NoDstPorts 2 0 0 0 0
Total packet queues 16
Packets Received by Packet Queue
Queue Total 5 sec avg 1 min avg 5 min avg 1 hour avg
L2/L3Control 7269264609 236 268 214 205
Host Learning 3617387874 38 49 38 53
L3 Fwd Low 21851501 0 0 0 0
L2 Fwd Low 6786759 0 0 0 0
L3 Rx High 1582 0 0 0 0
L3 Rx Low 10306 0 0 0 0
Packets Dropped by Packet Queue
Queue Total 5 sec avg 1 min avg 5 min avg 1 hour avg
L2/L3Control 73992 0 0 0 0
Host Learning 7561249 0 0 0 0
Queue Total 5 sec avg 1 min avg 5 min avg 1 hour avg
L2/L3Control 7269264609 236 268 214 205
PacketBufRaw 25219.50 100% 25219.50 100%
PacketBufRawJumbo 184.29 100% 184.29 100%
Both of these seem a bit high don't you think?
If you have any idea as to why this is happening. Or is this normal?
ThanksHi,
This could be related to L2 issues like a loop, see that the K2L2 Address Table R process has a target of 2.00% and is currently running at 72.93%, which is way over the expected target, this can be an indication of host/mac flapping issues. Also the host learning queue seems very high and the L2/L3 control.
You can enable mac notification mac move command to see if on the logs are any flapping issues. Also below is a link which is very helpful when dealing with high cpu issues on 4500.
http://www.cisco.com/c/en/us/support/docs/switches/catalyst-4000-series-switches/65591-cat4500-high-cpu.html
Hope this helps. -
Tracing TCP Source/Destination Addresses/Ports for ongoing connections
On Solaris 10 U4 through U7, I'm trying the following just to perform basic tracking of TCP source/destination addresses and ports, using code similar to what is available in tcpsnoop_snv and tcptop_snv.
The odd thing is that the addresses/ports appear to be zeroed out - are they being cached outside of the conn_t data structure?
#!/usr/sbin/dtrace -Cs
#pragma D option switchrate=10hz
#pragma D option bufsize=512k
#pragma D option aggsize=512k
#include <sys/file.h>
#include <inet/common.h>
#include <sys/byteorder.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
/* First pass, for all TCP Read/Write actions, collect source/destination
IP + Port - after a few secs, print them all out */
fbt:ip:tcp_send_data:entry
/* Outgoing TCP */
self->connp = (conn_t *)args[0]->tcp_connp;
fbt:ip:tcp_rput_data:entry
/* Incoming TCP */
self->connp = (conn_t *)arg0;
fbt:ip:tcp_send_data:entry,
fbt:ip:tcp_rput_data:entry
/self->connp/
/* fetch ports */
#if defined(_BIG_ENDIAN)
self->lport = self->connp->u_port.tcpu_ports.tcpu_lport;
self->fport = self->connp->u_port.tcpu_ports.tcpu_fport;
#else
self->lport = BSWAP_16(self->connp->u_port.tcpu_ports.tcpu_lport);
self->fport = BSWAP_16(self->connp->u_port.tcpu_ports.tcpu_fport);
#endif
/* fetch IPv4 addresses */
this->fad12 =
(int)self->connp->connua_v6addr.connua_faddr._S6_un._S6_u8[12];
this->fad13 =
(int)self->connp->connua_v6addr.connua_faddr._S6_un._S6_u8[13];
this->fad14 =
(int)self->connp->connua_v6addr.connua_faddr._S6_un._S6_u8[14];
this->fad15 =
(int)self->connp->connua_v6addr.connua_faddr._S6_un._S6_u8[15];
this->lad12 =
(int)self->connp->connua_v6addr.connua_laddr._S6_un._S6_u8[12];
this->lad13 =
(int)self->connp->connua_v6addr.connua_laddr._S6_un._S6_u8[13];
this->lad14 =
(int)self->connp->connua_v6addr.connua_laddr._S6_un._S6_u8[14];
this->lad15 =
(int)self->connp->connua_v6addr.connua_laddr._S6_un._S6_u8[15];
/* At this point, this->{f|l}ad1{2345}->connua_v6addr.connua_{f|l}addr._S6_un.S6_u8
are empty - where is this data? */
}http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v7.50/command/reference/CmdGrpC.html#wp1139667
portmap [base-port base_number|disable|enable|number-of-ports number|vip-address-range number]
disable
Instructs the CSS to perform Network Address Translation (NAT) only on the source IP addresses and not on the source ports of UDP traffic hitting a particular source group. This option does not affect TCP flows.
For applications with high-numbered assigned ports (for example, SIP and WAP), we recommend that you preserve those port numbers by configuring destination services in source groups. Destination services cause the CSS to NAT the client source ports, but not the destination ports.
Note If you disable flows for a UDP port using the flow-state table and configure the portmap disable command in a source group, traffic for that port that matches on the source group does not successfully traverse the CSS.
The CSS maintains but ignores any base-port or number-of ports (see the options above) values configured in the source group. If you later reenable port mapping for that source group, any configured base-port or number-of ports values will take effect. The default behavior for a configured source group is to NAT both the source IP address and the source port for port numbers greater than 1023.
There is no possibility to disable it for TCP.
We need to source nat the port to guarantee that the server response comes back on the same module/CPU and the internal packet allocation algorithm is based on src and dst ports.µ
Gilles: -
IPSEC packets are not encrypted
Hello (and Happy Thanksgiving to those in the USA),
We recently swapped our ASA and re-applied the saved config to the new device. There is a site-to-site VPN that works and a remote client VPN that does not. We use some Cisco VPN clients and some Shrew Soft VPN clients.I've compared the config of the new ASA to that of the old ASA and I cannot find any differences (but the remote client VPN was working on the old ASA). The remote clients do connect and a tunnel is established but they are unable to pass traffic. Systems on the network where the ASA is located are able to access the internet.
Output of sho crypto isakmp sa (ignore peer #1, that is the working site-to-site VPN)
Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA d
Total IKE SA: 2
1 IKE Peer: xx.168.155.98
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
2 IKE Peer: xx.211.206.48
Type : user Role : responder
Rekey : no State : AM_ACTIVE
Output of sho crypto ipsec sa (info regarding site-to-site VPN removed). Packets are decrypted but not encrypted.
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: publi
c-ip
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.20.1.100/255.255.255.255/0/0)
current_peer: xx.211.206.48, username: me
dynamic allocated peer ip: 10.20.1.100
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 20, #pkts decrypt: 20, #pkts verify: 20
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: public-ip/4500, remote crypto endpt.: xx.211.206.48/4
500
path mtu 1500, ipsec overhead 82, media mtu 1500
current outbound spi: 7E0BF9B9
current inbound spi : 41B75CCD
inbound esp sas:
spi: 0x41B75CCD (1102535885)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 16384, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 28776
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
spi: 0xC06BF0DD (3228299485)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, Rekeyed}
slot: 0, conn_id: 16384, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 28774
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x000003FF 0xFFF80001
outbound esp sas:
spi: 0x7E0BF9B9 (2114714041)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 16384, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 28774
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
spi: 0xCBF945AC (3422111148)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, Rekeyed}
slot: 0, conn_id: 16384, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 28772
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Config from ASA
: Saved
: Written by me at 19:56:37.957 pst Tue Nov 26 2013
ASA Version 8.2(4)
hostname mfw01
domain-name company.int
enable password xxx encrypted
passwd xxx encrypted
names
name xx.174.143.97 cox-gateway description cox-gateway
name 172.16.10.0 iscsi-network description iscsi-network
name 192.168.1.0 legacy-network description legacy-network
name 10.20.50.0 management-network description management-network
name 10.20.10.0 server-network description server-network
name 10.20.20.0 user-network description user-network
name 192.168.1.101 private-em-imap description private-em-imap
name 10.20.10.2 private-exchange description private-exchange
name 10.20.10.3 private-ftp description private-ftp
name 192.168.1.202 private-ip-phones description private-ip-phones
name 10.20.10.6 private-kaseya description private-kaseya
name 192.168.1.2 private-mitel-3300 description private-mitel-3300
name 10.20.10.1 private-pptp description private-pptp
name 10.20.10.7 private-sharepoint description private-sharepoint
name 10.20.10.4 private-tportal description private-tportal
name 10.20.10.8 private-xarios description private-xarios
name 192.168.1.215 private-xorcom description private-xorcom
name xx.174.143.99 public-exchange description public-exchange
name xx.174.143.100 public-ftp description public-ftp
name xx.174.143.101 public-tportal description public-tportal
name xx.174.143.102 public-sharepoint description public-sharepoint
name xx.174.143.103 public-ip-phones description public-ip-phones
name xx.174.143.104 public-mitel-3300 description public-mitel-3300
name xx.174.143.105 public-xorcom description public-xorcom
name xx.174.143.108 public-remote-support description public-remote-support
name xx.174.143.109 public-xarios description public-xarios
name xx.174.143.110 public-kaseya description public-kaseya
name xx.174.143.111 public-pptp description public-pptp
name 192.168.2.0 Irvine_LAN description Irvine_LAN
name xx.174.143.98 public-ip
name 10.20.10.14 private-RevProxy description private-RevProxy
name xx.174.143.107 public-RevProxy description Public-RevProxy
name 10.20.10.9 private-XenDesktop description private-XenDesktop
name xx.174.143.115 public-XenDesktop description public-XenDesktop
name 10.20.1.1 private-gateway description private-gateway
name 192.168.1.96 private-remote-support description private-remote-support
interface Ethernet0/0
nameif public
security-level 0
ip address public-ip 255.255.255.224
interface Ethernet0/1
speed 100
duplex full
nameif private
security-level 100
ip address private-gateway 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.0.1 255.255.255.0
management-only
ftp mode passive
clock timezone pst -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name mills.int
object-group service ftp
service-object tcp eq ftp
service-object tcp eq ftp-data
object-group service DM_INLINE_SERVICE_1
group-object ftp
service-object udp eq tftp
object-group service DM_INLINE_TCP_1 tcp
port-object eq 40
port-object eq ssh
object-group service web-server
service-object tcp eq www
service-object tcp eq https
object-group service DM_INLINE_SERVICE_2
service-object tcp eq smtp
group-object web-server
object-group service DM_INLINE_SERVICE_3
service-object tcp eq ssh
group-object web-server
object-group service kaseya
service-object tcp eq 4242
service-object tcp eq 5721
service-object tcp eq 8080
service-object udp eq 5721
object-group service DM_INLINE_SERVICE_4
group-object kaseya
group-object web-server
object-group service DM_INLINE_SERVICE_5
service-object gre
service-object tcp eq pptp
object-group service VPN
service-object gre
service-object esp
service-object ah
service-object tcp eq pptp
service-object udp eq 4500
service-object udp eq isakmp
object-group network MILLS_VPN_VLANS
network-object 10.20.1.0 255.255.255.0
network-object server-network 255.255.255.0
network-object user-network 255.255.255.0
network-object management-network 255.255.255.0
network-object legacy-network 255.255.255.0
object-group service InterTel5000
service-object tcp range 3998 3999
service-object tcp range 6800 6802
service-object udp eq 20001
service-object udp range 5004 5007
service-object udp range 50098 50508
service-object udp range 6604 7039
service-object udp eq bootpc
service-object udp eq tftp
service-object tcp eq 4000
service-object tcp eq 44000
service-object tcp eq www
service-object tcp eq https
service-object tcp eq 5566
service-object udp eq 5567
service-object udp range 6004 6603
service-object tcp eq 6880
object-group service DM_INLINE_SERVICE_6
service-object icmp
service-object tcp eq 2001
service-object tcp eq 2004
service-object tcp eq 2005
object-group service DM_INLINE_SERVICE_7
service-object icmp
group-object InterTel5000
object-group service DM_INLINE_SERVICE_8
service-object icmp
service-object tcp eq https
service-object tcp eq ssh
object-group service RevProxy tcp
description RevProxy
port-object eq 5500
object-group service XenDesktop tcp
description Xen
port-object eq 8080
port-object eq 2514
port-object eq 2598
port-object eq 27000
port-object eq 7279
port-object eq 8000
port-object eq citrix-ica
access-list public_access_in extended permit object-group DM_INLINE_SERVICE_8 any host public-ip
access-list public_access_in extended permit object-group VPN any host public-ip
access-list public_access_in extended permit object-group DM_INLINE_SERVICE_7 any host public-ip-phones
access-list public_access_in extended permit object-group DM_INLINE_SERVICE_1 any host public-ftp
access-list public_access_in extended permit tcp any host public-xorcom object-group DM_INLINE_TCP_1
access-list public_access_in extended permit object-group DM_INLINE_SERVICE_2 any host public-exchange
access-list public_access_in extended permit tcp any host public-RevProxy object-group RevProxy
access-list public_access_in extended permit object-group DM_INLINE_SERVICE_3 any host public-remote-support
access-list public_access_in extended permit object-group DM_INLINE_SERVICE_6 any host public-xarios
access-list public_access_in extended permit object-group web-server any host public-sharepoint
access-list public_access_in extended permit object-group web-server any host public-tportal
access-list public_access_in extended permit object-group DM_INLINE_SERVICE_4 any host public-kaseya
access-list public_access_in extended permit object-group DM_INLINE_SERVICE_5 any host public-pptp
access-list public_access_in extended permit ip any host public-XenDesktop
access-list private_access_in extended permit icmp any any
access-list private_access_in extended permit ip any any
access-list VPN_Users_SplitTunnelAcl standard permit server-network 255.255.255.0
access-list VPN_Users_SplitTunnelAcl standard permit user-network 255.255.255.0
access-list VPN_Users_SplitTunnelAcl standard permit management-network 255.255.255.0
access-list VPN_Users_SplitTunnelAcl standard permit 10.20.1.0 255.255.255.0
access-list VPN_Users_SplitTunnelAcl standard permit legacy-network 255.255.255.0
access-list private_nat0_outbound extended permit ip object-group MILLS_VPN_VLANS Irvine_LAN 255.255.255.0
access-list private_nat0_outbound extended permit ip object-group MILLS_VPN_VLANS 10.20.1.96 255.255.255.240
access-list private_nat0_outbound extended permit ip object-group MILLS_VPN_VLANS 10.90.2.0 255.255.255.0
access-list public_1_cryptomap extended permit ip object-group MILLS_VPN_VLANS Irvine_LAN 255.255.255.0
access-list public_2_cryptomap extended permit ip object-group MILLS_VPN_VLANS 10.90.2.0 255.255.255.0
pager lines 24
logging enable
logging list Error-Events level warnings
logging monitor warnings
logging buffered warnings
logging trap warnings
logging asdm warnings
logging mail warnings
logging host private private-kaseya
logging permit-hostdown
logging class auth trap alerts
mtu public 1500
mtu private 1500
mtu management 1500
ip local pool VPN_Users 10.20.1.100-10.20.1.110 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (public) 101 interface
nat (private) 0 access-list private_nat0_outbound
nat (private) 101 0.0.0.0 0.0.0.0
nat (management) 101 0.0.0.0 0.0.0.0
static (private,public) public-ip-phones private-ip-phones netmask 255.255.255.255 dns
static (private,public) public-ftp private-ftp netmask 255.255.255.255 dns
static (private,public) public-xorcom private-xorcom netmask 255.255.255.255 dns
static (private,public) public-exchange private-exchange netmask 255.255.255.255 dns
static (private,public) public-RevProxy private-RevProxy netmask 255.255.255.255 dns
static (private,public) public-remote-support private-remote-support netmask 255.255.255.255 dns
static (private,public) public-xarios private-xarios netmask 255.255.255.255 dns
static (private,public) public-sharepoint private-sharepoint netmask 255.255.255.255 dns
static (private,public) public-tportal private-tportal netmask 255.255.255.255 dns
static (private,public) public-kaseya private-kaseya netmask 255.255.255.255 dns
static (private,public) public-pptp private-pptp netmask 255.255.255.255 dns
static (private,public) public-XenDesktop private-XenDesktop netmask 255.255.255.255 dns
access-group public_access_in in interface public
access-group private_access_in in interface private
route public 0.0.0.0 0.0.0.0 cox-gateway 1
route private server-network 255.255.255.0 10.20.1.254 1
route private user-network 255.255.255.0 10.20.1.254 1
route private management-network 255.255.255.0 10.20.1.254 1
route private iscsi-network 255.255.255.0 10.20.1.254 1
route private legacy-network 255.255.255.0 10.20.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
ldap attribute-map admin-control
map-name comment Privilege-Level
ldap attribute-map allow-dialin
map-name msNPAllowDialin IETF-Radius-Class
map-value msNPAllowDialin FALSE NOACCESS
map-value msNPAllowDialin TRUE IPSecUsers
ldap attribute-map mills-vpn_users
map-name msNPAllowDialin IETF-Radius-Class
map-value msNPAllowDialin FALSE NOACCESS
map-value msNPAllowDialin True IPSecUsers
ldap attribute-map network-admins
map-name memberOf IETF-Radius-Service-Type
map-value memberOf FALSE NOACCESS
map-value memberOf "Network Admins" 6
dynamic-access-policy-record DfltAccessPolicy
aaa-server Mills protocol nt
aaa-server Mills (private) host private-pptp
nt-auth-domain-controller ms01.mills.int
aaa-server Mills_NetAdmin protocol ldap
aaa-server Mills_NetAdmin (private) host private-pptp
server-port 389
ldap-base-dn ou=San Diego,dc=mills,dc=int
ldap-group-base-dn ou=San Diego,dc=mills,dc=int
ldap-scope subtree
ldap-naming-attribute cn
ldap-login-password *
ldap-login-dn cn=asa,ou=Service Accounts,ou=San Diego,dc=mills,dc=int
server-type microsoft
ldap-attribute-map mills-vpn_users
aaa-server NetworkAdmins protocol ldap
aaa-server NetworkAdmins (private) host private-pptp
ldap-base-dn ou=San Diego,dc=mills,dc=int
ldap-group-base-dn ou=San Diego,dc=mills,dc=int
ldap-scope subtree
ldap-naming-attribute cn
ldap-login-password *
ldap-login-dn cn=asa,ou=Service Accounts,ou=San Diego,dc=mills,dc=int
server-type microsoft
ldap-attribute-map network-admins
aaa-server ADVPNUsers protocol ldap
aaa-server ADVPNUsers (private) host private-pptp
ldap-base-dn ou=San Diego,dc=mills,dc=int
ldap-group-base-dn ou=San Diego,dc=mills,dc=int
ldap-scope subtree
ldap-naming-attribute cn
ldap-login-password *
ldap-login-dn cn=asa,ou=Service Accounts,ou=San Diego,dc=mills,dc=int
server-type microsoft
ldap-attribute-map mills-vpn_users
aaa authentication enable console ADVPNUsers LOCAL
aaa authentication http console ADVPNUsers LOCAL
aaa authentication serial console ADVPNUsers LOCAL
aaa authentication telnet console ADVPNUsers LOCAL
aaa authentication ssh console ADVPNUsers LOCAL
http server enable
http 0.0.0.0 0.0.0.0 management
http 0.0.0.0 0.0.0.0 public
http 0.0.0.0 0.0.0.0 private
snmp-server host private private-kaseya poll community ***** version 2c
snmp-server location Mills - San Diego
snmp-server contact Mills Assist
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp private
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map public_map 1 match address public_1_cryptomap
crypto map public_map 1 set pfs
crypto map public_map 1 set peer xx.168.155.98
crypto map public_map 1 set transform-set ESP-3DES-MD5 ESP-AES-128-SHA
crypto map public_map 1 set nat-t-disable
crypto map public_map 1 set phase1-mode aggressive
crypto map public_map 2 match address public_2_cryptomap
crypto map public_map 2 set pfs group5
crypto map public_map 2 set peer xx.181.134.141
crypto map public_map 2 set transform-set ESP-AES-128-SHA
crypto map public_map 2 set nat-t-disable
crypto map public_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map public_map interface public
crypto isakmp enable public
crypto isakmp policy 1
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 28800
telnet 0.0.0.0 0.0.0.0 private
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 public
ssh 0.0.0.0 0.0.0.0 private
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 5
console timeout 0
dhcpd address 192.168.0.2-192.168.0.254 management
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp authenticate
ntp server 216.129.110.22 source public
ntp server 173.244.211.10 source public
ntp server 24.124.0.251 source public prefer
webvpn
enable public
svc enable
group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol svc
group-policy IPSecUsers internal
group-policy IPSecUsers attributes
wins-server value 10.20.10.1
dns-server value 10.20.10.1
vpn-tunnel-protocol IPSec
password-storage enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_Users_SplitTunnelAcl
default-domain value mills.int
address-pools value VPN_Users
group-policy Irvine internal
group-policy Irvine attributes
vpn-tunnel-protocol IPSec
username admin password Kra9/kXfLDwlSxis encrypted
tunnel-group VPN_Users type remote-access
tunnel-group VPN_Users general-attributes
address-pool VPN_Users
authentication-server-group Mills_NetAdmin
default-group-policy IPSecUsers
tunnel-group VPN_Users ipsec-attributes
pre-shared-key *
tunnel-group xx.189.99.114 type ipsec-l2l
tunnel-group xx.189.99.114 general-attributes
default-group-policy Irvine
tunnel-group xx.189.99.114 ipsec-attributes
pre-shared-key *
tunnel-group xx.205.23.76 type ipsec-l2l
tunnel-group xx.205.23.76 general-attributes
default-group-policy Irvine
tunnel-group xx.205.23.76 ipsec-attributes
pre-shared-key *
tunnel-group xx.168.155.98 type ipsec-l2l
tunnel-group xx.168.155.98 general-attributes
default-group-policy Irvine
tunnel-group xx.168.155.98 ipsec-attributes
pre-shared-key *
class-map global-class
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global-policy
class global-class
inspect dns
inspect esmtp
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect sip
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
service-policy global-policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:5d5c963680401d150bee94b3c7c85f7a
Maybe my eyes are glazing over from looking at this for too long. Does anything look wrong? Maybe I missed a command that would not show up in the config?
Thanks in advance to all who take a look.Marius,
I connected via my VPN client at home and pinged a remote server, attempted to RDP by name and then attempted to RDP by IP address. All were unsuccessful. Here is the packet capture:
72 packets captured
1: 09:44:06.304671 10.20.1.100.137 > 10.20.10.1.137: udp 68
2: 09:44:06.304885 10.20.1.100.54543 > 10.20.10.1.53: udp 34
3: 09:44:07.198384 10.20.1.100.51650 > 10.20.10.1.53: udp 32
4: 09:44:07.300353 10.20.1.100.54543 > 10.20.10.1.53: udp 34
5: 09:44:07.786504 10.20.1.100.137 > 10.20.10.1.137: udp 68
6: 09:44:07.786671 10.20.1.100.137 > 10.20.10.1.137: udp 68
7: 09:44:07.786855 10.20.1.100.137 > 10.20.10.1.137: udp 68
8: 09:44:08.198399 10.20.1.100.51650 > 10.20.10.1.53: udp 32
9: 09:44:09.282608 10.20.1.100.61328 > 10.20.10.1.53: udp 32
10: 09:44:09.286667 10.20.1.100.137 > 10.20.10.1.137: udp 68
11: 09:44:09.286926 10.20.1.100.137 > 10.20.10.1.137: udp 68
12: 09:44:09.287201 10.20.1.100.137 > 10.20.10.1.137: udp 68
13: 09:44:09.300491 10.20.1.100.54543 > 10.20.10.1.53: udp 34
14: 09:44:10.199193 10.20.1.100.51650 > 10.20.10.1.53: udp 32
15: 09:44:10.282150 10.20.1.100.61328 > 10.20.10.1.53: udp 32
16: 09:44:11.286865 10.20.1.100.137 > 10.20.10.1.137: udp 68
17: 09:44:12.302993 10.20.1.100.61328 > 10.20.10.1.53: udp 32
18: 09:44:12.785054 10.20.1.100.137 > 10.20.10.1.137: udp 68
19: 09:44:13.301101 10.20.1.100.54543 > 10.20.10.1.53: udp 34
20: 09:44:14.204029 10.20.1.100.51650 > 10.20.10.1.53: udp 32
21: 09:44:14.287323 10.20.1.100.137 > 10.20.10.1.137: udp 68
22: 09:44:14.375331 10.20.1.100 > 10.20.10.1: icmp: echo request
23: 09:44:16.581589 10.20.1.100.137 > 10.20.10.1.137: udp 50
24: 09:44:18.083842 10.20.1.100.137 > 10.20.10.1.137: udp 50
25: 09:44:18.199879 10.20.1.100.137 > 10.20.10.1.137: udp 50
26: 09:44:19.224063 10.20.1.100 > 10.20.10.1: icmp: echo request
27: 09:44:19.582367 10.20.1.100.137 > 10.20.10.1.137: udp 50
28: 09:44:19.704019 10.20.1.100.137 > 10.20.10.1.137: udp 50
29: 09:44:20.288193 10.20.1.100.137 > 10.20.10.1.137: udp 68
30: 09:44:21.200307 10.20.1.100.137 > 10.20.10.1.137: udp 50
31: 09:44:21.786321 10.20.1.100.137 > 10.20.10.1.137: udp 68
32: 09:44:23.289535 10.20.1.100.137 > 10.20.10.1.137: udp 68
33: 09:44:24.204777 10.20.1.100 > 10.20.10.1: icmp: echo request
34: 09:44:29.219440 10.20.1.100 > 10.20.10.1: icmp: echo request
35: 09:44:29.287460 10.20.1.100.137 > 10.20.10.1.137: udp 68
36: 09:44:30.787617 10.20.1.100.137 > 10.20.10.1.137: udp 68
37: 09:44:32.287887 10.20.1.100.137 > 10.20.10.1.137: udp 68
38: 09:45:00.533816 10.20.1.100.137 > 10.20.10.1.137: udp 50
39: 09:45:02.018019 10.20.1.100.137 > 10.20.10.1.137: udp 50
40: 09:45:03.160239 10.20.1.100.52764 > 10.20.10.1.53: udp 34
41: 09:45:03.350354 10.20.1.100.53948 > 10.20.10.1.53: udp 38
42: 09:45:03.521960 10.20.1.100.137 > 10.20.10.1.137: udp 50
43: 09:45:04.158408 10.20.1.100.52764 > 10.20.10.1.53: udp 34
44: 09:45:04.344342 10.20.1.100.53948 > 10.20.10.1.53: udp 38
45: 09:45:06.160681 10.20.1.100.52764 > 10.20.10.1.53: udp 34
46: 09:45:06.358593 10.20.1.100.53948 > 10.20.10.1.53: udp 38
47: 09:45:10.159125 10.20.1.100.52764 > 10.20.10.1.53: udp 34
48: 09:45:10.345227 10.20.1.100.53948 > 10.20.10.1.53: udp 38
49: 09:45:14.550478 10.20.1.100.59402 > 10.20.10.1.53: udp 32
50: 09:45:15.536166 10.20.1.100.59402 > 10.20.10.1.53: udp 32
51: 09:45:17.546144 10.20.1.100.59402 > 10.20.10.1.53: udp 32
52: 09:45:21.882812 10.20.1.100.137 > 10.20.10.1.137: udp 50
53: 09:45:23.379222 10.20.1.100.137 > 10.20.10.1.137: udp 50
54: 09:45:24.893386 10.20.1.100.137 > 10.20.10.1.137: udp 50
55: 09:45:41.550035 10.20.1.100.137 > 10.20.10.1.137: udp 50
56: 09:45:43.029875 10.20.1.100.137 > 10.20.10.1.137: udp 50
57: 09:45:44.541979 10.20.1.100.137 > 10.20.10.1.137: udp 50
58: 09:46:10.767782 10.20.1.100.137 > 10.20.10.1.137: udp 68
59: 09:46:12.261934 10.20.1.100.137 > 10.20.10.1.137: udp 68
60: 09:46:13.776250 10.20.1.100.137 > 10.20.10.1.137: udp 68
61: 09:46:19.848970 10.20.1.100.137 > 10.20.10.1.137: udp 68
62: 09:46:20.113183 10.20.1.100.49751 > 10.20.10.7.3389: S 3288428077:3288428077(0) win 8192
63: 09:46:21.331251 10.20.1.100.137 > 10.20.10.1.137: udp 68
64: 09:46:22.831423 10.20.1.100.137 > 10.20.10.1.137: udp 68
65: 09:46:23.101511 10.20.1.100.137 > 10.20.10.1.137: udp 50
66: 09:46:23.123254 10.20.1.100.49751 > 10.20.10.7.3389: S 3288428077:3288428077(0) win 8192
67: 09:46:24.591705 10.20.1.100.137 > 10.20.10.1.137: udp 50
68: 09:46:26.115976 10.20.1.100.137 > 10.20.10.1.137: udp 50
69: 09:46:28.834276 10.20.1.100.137 > 10.20.10.1.137: udp 68
70: 09:46:29.125817 10.20.1.100.49751 > 10.20.10.7.3389: S 3288428077:3288428077(0) win 8192
71: 09:46:30.342816 10.20.1.100.137 > 10.20.10.1.137: udp 68
72: 09:46:31.840746 10.20.1.100.137 > 10.20.10.1.137: udp 68
72 packets shown -
Packet Loss after Reboot of ASA 5510
Hi all,
I have an ASA and a 2811 behind it and I had to replace a battery on a UPS so I had to take down the network to do it. Before doing it the network ran fine, but I did a WR MEM and a Copy RUNNING to STARTUP config thinking that the configs I had were fine. At some point in the past I must of made a change and never applied it and maybe it is causing the issue, but I am at a loss as to what is the cause. I am getting consistent packet loss from the ASA out. Any address I ping on the inside is clear and quick. Also, I do not know if it is related, but I cannot get results from TRACE ROUTES and I believe I used to.
I have confirmed the PL is related to my network, if I plug the static IP info from the provider in to a laptop, it is clear. I am at my wits end, and I know just enough to be dangerous, so any help would be appreciated.
Here are my configs:
ASA5510# sh run
: Saved
ASA Version 9.1(4)
hostname ASA5510
domain-name m.int
enable password encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd encrypted
names
dns-guard
interface Ethernet0/0
description LAN Interface
nameif Inside
security-level 100
ip address 10.10.1.1 255.255.255.252
interface Ethernet0/1
description WAN Interface
nameif Outside
security-level 0
ip address 68.233.x.x 255.255.255.128
interface Ethernet0/2
description DMZ
nameif DMZ
security-level 100
ip address 10.10.0.1 255.255.255.252
interface Ethernet0/3
description VOIP
nameif VOIP
security-level 100
ip address 10.10.2.1 255.255.255.252
interface Management0/0
management-only
shutdown
nameif management
security-level 0
no ip address
boot system disk0:/asa914-k8.bin
ftp mode passive
dns domain-lookup Inside
dns domain-lookup Outside
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
name-server 68.233.xx.5
name-server 68.233.xx.6
domain-name m.int
same-security-traffic permit inter-interface
object network ROUTER-2811
host 10.10.1.2
object network ROUTER-2821
host 10.10.0.2
object network WEBCAM-01
host 192.168.1.5
object network DNS-SERVER
host 192.168.1.2
object network ROUTER-3745
host 10.10.2.2
object network RDP-DC1
host 192.168.1.2
object network BLUE
host 192.168.1.6
description Blue Iris Server
object network M_LAP_LEA
host 192.168.1.20
description Laptop from LEA
object-group network PAT-SOURCE
network-object 10.10.1.0 255.255.255.252
network-object 10.10.0.0 255.255.255.252
network-object 10.10.2.0 255.255.255.252
network-object 192.168.0.0 255.255.255.0
network-object 172.16.10.0 255.255.255.0
network-object 172.16.20.0 255.255.255.0
network-object 128.162.1.0 255.255.255.0
network-object 128.162.10.0 255.255.255.0
network-object 128.162.20.0 255.255.255.0
network-object 192.168.1.0 255.255.255.0
network-object 192.168.10.0 255.255.255.0
network-object 192.168.20.0 255.255.255.0
network-object 172.16.1.0 255.255.255.0
network-object 162.128.1.0 255.255.255.0
network-object 162.128.10.0 255.255.255.0
network-object 162.128.20.0 255.255.255.0
network-object 142.16.1.0 255.255.255.0
network-object 142.16.10.0 255.255.255.0
network-object 142.16.20.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
network-object host 98.22.xxx
object-group network Outside_access_in
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object gre
access-list USERS standard permit 10.10.1.0 255.255.255.0
access-list Outside_access_in extended permit tcp host 98.22.xxx object ROUTER-2811 eq ssh
access-list Outside_access_in extended permit tcp host 98.22.xxx object ROUTER-2821 eq ssh
access-list Outside_access_in extended permit tcp host 98.22.xxx interface Outside eq https
access-list Outside_access_in extended permit tcp host 98.22.xxx object WEBCAM-01 eq www inactive
access-list Outside_access_in extended permit tcp host 98.22.xxx object RDP-DC1 eq xxxx
access-list Outside_access_in extended permit tcp host 98.22.xxx object BLUE eq xxxx
access-list Outside_access_in extended permit tcp host 98.22.xxx object ROUTER-3745 eq ssh
access-list Outside_access_in extended permit tcp any object BLUE eq xxxx
access-list dmz-access-vlan1 extended permit ip 128.162.1.0 255.255.255.0 any
access-list dmz-access remark Permit all traffic to DC1
access-list dmz-access extended permit ip 128.162.1.0 255.255.255.0 host 192.168.1.2
access-list dmz-access remark Permit only DNS traffic to DNS server
access-list dmz-access extended permit udp 128.162.1.0 255.255.255.0 host 192.168.1.2 eq domain
access-list dmz-access remark Permit ICMP to all devices in DC
access-list dmz-access extended permit icmp 128.162.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list dmz-access remark Permit all traffic to DC1
access-list dmz-access remark Permit only DNS traffic to DNS server
access-list dmz-access remark Permit ICMP to all devices in DC
pager lines 24
logging enable
logging asdm informational
mtu Inside 1500
mtu Outside 1500
mtu DMZ 1500
mtu VOIP 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp deny any Outside
asdm image disk0:/asdm-715.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
object network ROUTER-2811
nat (Inside,Outside) static interface service tcp ssh x
object network ROUTER-2821
nat (DMZ,Outside) static interface service tcp ssh x
object network WEBCAM-01
nat (Inside,Outside) static interface service tcp www x
object network ROUTER-3745
nat (VOIP,Outside) static interface service tcp ssh x
object network RDP-DC1
nat (Inside,Outside) static interface service tcp xxxx xxxx
object network BLUE
nat (Inside,Outside) static interface service tcp xxxx xxxx
nat (any,Outside) after-auto source dynamic any interface
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 68.233.151.1 1
route DMZ 128.162.1.0 255.255.255.0 10.10.0.2 1
route DMZ 128.162.10.0 255.255.255.0 10.10.0.2 1
route DMZ 128.162.20.0 255.255.255.0 10.10.0.2 1
route VOIP 142.16.1.0 255.255.255.0 10.10.2.2 1
route VOIP 142.16.10.0 255.255.255.0 10.10.2.2 1
route VOIP 142.16.20.0 255.255.255.0 10.10.2.2 1
route Inside 172.16.10.0 255.255.255.0 10.10.1.2 1
route Inside 172.16.20.0 255.255.255.0 10.10.1.2 1
route Inside 192.168.1.0 255.255.255.0 10.10.1.2 1
route Inside 192.168.10.0 255.255.255.0 10.10.1.2 1
route Inside 192.168.20.0 255.255.255.0 10.10.1.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server PNL-RADIUS protocol radius
aaa-server PNL-RADIUS (Inside) host 192.168.1.2
key *****
radius-common-pw *****
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 Inside
http 98.22.xxx 255.255.255.255 Outside
snmp-server host Inside 192.168.1.2 community ***** version 2c udp-port 161
snmp-server location Lovington NM USA
snmp-server contact Mitchell Tuckness
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Inside
ssh 98.22.xxx 255.255.255.255 Outside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 24.56.178.140 source Outside prefer
username xxxx password x encrypted privilege 15
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
inspect pptp
class class-default
user-statistics accounting
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
password encryption aes
hpm topN enable
Cryptochecksum:949189d67866f6c09450769d41649992
: end
C2811#sh run
Building configuration...
Current configuration : 3925 bytes
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname C2811
boot-start-marker
boot system flash
boot-end-marker
enable secret 4 DWJfYBf6KhkIRmhhIhx8ibAAXVGQWjwfuyzfaX4Im8M
aaa new-model
aaa session-id common
dot11 syslog
no ip source-route
ip cef
no ip dhcp use vrf connected
ip domain name maladomini.int
ip name-server 192.168.1.2
ip name-server 8.8.8.8
ip name-server 68.233.xxx.x
ip name-server 68.233.xxx.x
no vlan accounting input
multilink bundle-name authenticated
password encryption aes
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-1290569776
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1290569776
revocation-check none
rsakeypair TP-self-signed-1290569776
crypto pki certificate chain TP-self-signed-1290569776
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31323930 35363937 3736301E 170D3134 30313035 30363130
33395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 32393035
36393737 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B18F F63C5121 00785DE0 854601BA EE77DAA3 21286D8C 6E700C37 237CC1BE
611023AF FBE04BBE 7B4B3233 E4E129DD A74604E5 62AA39BF 77F98D5D D63944E9
2345AE37 D93C5753 E425E85A EB22C2C9 CFC5D1A0 F800449B 0419A5C8 A0A101EC
02928172 7B30A609 71ADA3D4 68F4F484 AF2B3249 0E225DB2 C72C136A E670D761
DDE30203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 1461F6DE 8EF50F7B 0E46359F 421EA106 9375F65F 30301D06
03551D0E 04160414 61F6DE8E F50F7B0E 46359F42 1EA10693 75F65F30 300D0609
2A864886 F70D0101 05050003 81810049 BA55F695 8525265F ED2D77EE 8706BF10
63A7E644 202F6663 9EA5551F 47F7FC50 D4021EDD E3DC5A80 39FD161A C337D20D
71B98875 0F1FE887 649E81D3 F93F7A1B A1E18B99 A77B1A59 84DB4711 867913FD
044084FB 651ECA6E C6EDF35C E43A2946 8C01781E 26DB9484 C8740A82 4A7CA266
A0655526 CBCB4982 F30D68E9 D70753
quit
license udi pid CISCO2811 sn FTX1041A07T
username admin secret 5 $1$iBeC$8dqYMcpTex8gtUfannzox.
username xxxx privilege 15 secret 4 DWJfYBf6KhkIRmhhIhx8ibAAXVGQWjwfuyzfaX4Im8M
redundancy
ip ssh time-out 60
ip ssh authentication-retries 5
ip ssh version 2
interface FastEthernet0/0
description CONNECTION TO INSIDE INT. OF ASA
ip address 10.10.1.2 255.255.255.252
ip virtual-reassembly in
duplex auto
speed auto
interface FastEthernet0/1
no ip address
ip virtual-reassembly in
duplex auto
speed auto
interface FastEthernet0/1.1
description VLAN 10
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0
ip helper-address 192.168.1.2
ip virtual-reassembly in
interface FastEthernet0/1.2
description VLAN 20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
ip helper-address 192.168.1.2
ip virtual-reassembly in
interface FastEthernet0/1.3
description Trunk Interface VLAN 1
encapsulation dot1Q 1 native
ip address 192.168.1.1 255.255.255.0
ip helper-address 192.168.1.2
ip virtual-reassembly in
interface Dialer0
no ip address
ip default-gateway 10.10.1.1
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
ip dns server
ip route 0.0.0.0 0.0.0.0 10.10.1.1
ip ospf name-lookup
access-list 1 permit any
dialer-list 1 protocol ip permit
snmp-server community Maladomini-RW RW
tftp-server system:running-config 1
control-plane
line con 0
exec-timeout 0 0
password 7 101D58415D361606050A147A
line aux 0
line vty 0 4
exec-timeout 0 0
password 7 0527031B2C49470758
transport input ssh
scheduler allocate 20000 1000
end
2821:
C2821#sh run
Building configuration...
Current configuration : 4128 bytes
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname C2821
boot-start-marker
boot system flash
boot-end-marker
enable secret 4 x
aaa new-model
aaa session-id common
dot11 syslog
no ip source-route
ip cef
no ip dhcp use vrf connected
ip domain name maladomini.int
ip name-server 192.168.1.2
ip name-server 8.8.8.8
ip name-server 68.233.xxx.x
ip name-server 68.233.xxx.x
no vlan accounting input
multilink bundle-name authenticated
password encryption aes
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-3335929422
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3335929422
revocation-check none
rsakeypair TP-self-signed-3335929422
crypto pki certificate chain TP-self-signed-3335929422
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33333335 39323934 3232301E 170D3134 30313135 30333537
32385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 33333539
32393432 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100AF6D 8C23745E 80AA83AC BE0243DD C8F8EC56 85BBE495 EF790354 B7E81921
4C46CE35 F840420A 8385D3E3 B7B14EDF F4A8DB51 1A29E0ED A2704F69 9632ED7E
5F66E546 486B2821 FB77266F 950D351E 13AA18FE 687643F6 FB9BF95F E56A0195
19B8A7B6 7A582357 2517F08E 5E3BA197 2CD71E3E 32AB4B96 412E9AE3 1932A218
7A1F0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 14A86115 C2CA9E15 399B2A9C 21585323 1E2F3D98 45301D06
03551D0E 04160414 A86115C2 CA9E1539 9B2A9C21 5853231E 2F3D9845 300D0609
2A864886 F70D0101 05050003 81810028 81D8F701 D6AFDC54 94A93185 1E5F4DAC
4DBF50B7 30B57ABD D1612E69 D964B77A A379F55C 7E823F42 4D01440C B237DED9
6B8047B7 0496D8BB BD7EAC18 E6ACA1B1 3B527172 4A7B0D7B 4A031168 F99B171D
D217CB06 2F31E4DF FD9AC1C9 1199869A 34E90671 5611A6DA 7CC6A7B0 A39F78FB
B3932E37 4B302779 E761DB00 AFA7CC
quit
license udi pid CISCO2821 sn FTX1327AH7A
username x privilege 15 secret 4 x
redundancy
ip ssh time-out 60
ip ssh authentication-retries 5
ip ssh version 2
interface GigabitEthernet0/0
description CONNECTION TO INSIDE INT. OF ASA
ip address 10.10.0.2 255.255.255.252
ip virtual-reassembly in
duplex auto
speed auto
interface GigabitEthernet0/1
no ip address
ip virtual-reassembly in
duplex auto
speed auto
interface GigabitEthernet0/1.1
description VLAN 10
encapsulation dot1Q 10
ip address 128.162.10.1 255.255.255.0
ip helper-address 192.168.1.2
ip virtual-reassembly in
interface GigabitEthernet0/1.2
description VLAN 20
encapsulation dot1Q 20
ip address 128.162.20.1 255.255.255.0
ip helper-address 192.168.1.2
ip virtual-reassembly in
interface GigabitEthernet0/1.3
description Trunk Interface VLAN1
encapsulation dot1Q 1 native
ip address 128.162.1.1 255.255.255.0
ip helper-address 192.168.1.2
ip virtual-reassembly in
interface Serial0/0/0
no ip address
shutdown
interface Serial0/1/0
no ip address
shutdown
interface Serial0/2/0
no ip address
shutdown
interface Dialer0
no ip address
ip default-gateway 10.10.0.1
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
ip dns server
ip route 0.0.0.0 0.0.0.0 10.10.0.1
ip ospf name-lookup
access-list 1 permit any
dialer-list 1 protocol ip permit
snmp-server community Maladomini-RW RW
snmp-server host 192.168.1.2 version 2c Maladomini-RW envmon cpu snmp
control-plane
line con 0
exec-timeout 0 0
password 7 101D58415D361606050A147A
line aux 0
line vty 0 4
exec-timeout 0 0
password 7 15415A545C0B2F29213D0B73
transport input ssh
scheduler allocate 20000 1000
end
POE Switch:
C3560#sh run
Building configuration...
Current configuration : 7368 bytes
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
hostname C3560
boot-start-marker
boot-end-marker
enable secret 5 $1$wzS5$Kl0aHmGjOrfNL8H8QN9gJ1
enable password 7 091F1F514124131F02023A7B
username mtuckness privilege 15 secret 5 $1$j68Z$ObA6K7Qc2Vsmyu479Hlh6/
aaa new-model
aaa session-id common
clock timezone MST -7
system mtu routing 1500
ip domain-name maladomini.int
password encryption aes
crypto pki trustpoint TP-self-signed-2488747392
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2488747392
revocation-check none
rsakeypair TP-self-signed-2488747392
crypto pki certificate chain TP-self-signed-2488747392
certificate self-signed 01
3082024C 308201B5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32343838 37343733 3932301E 170D3933 30333031 30303031
30385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 34383837
34373339 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B715 1CCA0EFB 6D550F27 A4B9F403 7D1CBCCE AB363F89 61AF4773 64351010
AB866AA6 411463BC A7D9C6E3 0CA4EEEC 47C50D33 2F904AD1 8FC5B10B 8F204157
FB5B3A4C 78BD4BDF 14F79CCC D9A0E10B 909BF5BA 095BB9AC 722197D4 3C2CB70B
15D2A221 5FF8BC03 6A642B36 437B9E22 858BF597 F1844026 5DAF2114 EF75718D
EC3B0203 010001A3 74307230 0F060355 1D130101 FF040530 030101FF 301F0603
551D1104 18301682 14433335 36302E6D 616C6164 6F6D696E 692E696E 74301F06
03551D23 04183016 8014D364 9162E0D2 C7936513 1E1C677C 73D675EC 37FF301D
0603551D 0E041604 14D36491 62E0D2C7 9365131E 1C677C73 D675EC37 FF300D06
092A8648 86F70D01 01040500 03818100 2DE49969 2E9C7A81 E96B97A8 7E15BC69
2DA62233 C958092D 2E51DD59 526DA795 CBFE219E 3536852A 5F71A90A BF5016E0
F93FA6F7 55D9BA23 52A2858E B927E0FB B3DC6B20 28FBD64C 6FA956EC 3E6E8756
F12F7182 538D13AE E343674E 41A1BDE1 A42579F2 8070FC92 5C805995 7BA25FA5
3A89C4E5 C6B2D76F FF2C1CF9 6A8DF631
quit
spanning-tree mode pvst
spanning-tree portfast bpduguard default
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
vlan internal allocation policy ascending
ip ssh time-out 60
ip ssh authentication-retries 5
ip ssh version 2
interface FastEthernet0/1
switchport mode access
spanning-tree portfast
interface FastEthernet0/2
switchport mode access
spanning-tree portfast
Removed interfaces
interface GigabitEthernet0/1
description CONNECTION TO 2821 ROUTER - TRUNK
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10,20
switchport mode trunk
interface GigabitEthernet0/2
interface GigabitEthernet0/3
interface GigabitEthernet0/4
interface Vlan1
ip address 128.162.1.3 255.255.255.0
ip helper-address 192.168.1.2
no ip route-cache
no ip mroute-cache
interface Vlan10
ip address 128.162.10.3 255.255.255.0
ip helper-address 192.168.1.2
interface Vlan20
ip address 128.192.20.3 255.255.255.0
ip helper-address 192.168.1.2
ip default-gateway 10.10.0.2
no ip classless
ip http server
ip http authentication local
ip http secure-server
access-list 1 permit any
snmp-server community Maladomini-RW RO
snmp-server location Lovington NM USA
line con 0
exec-timeout 0 0
password 7 075C701416281D081E1C355D
line vty 0 4
password 7 0527031B2C49470758
transport input ssh
line vty 5 15
exec-timeout 0 0
password 7 05585757796D4A04100B2943
endI located the issue of the packet loss. I have a security system that uploads FTP images of the cameras and after the reboot of the network, the only computer that wasn't shut down was the security camera PC.
So I think what happened was after I brought everything back up, it was saturating the outgoing bandwidth, causing packet loss and high latency. Once I determined what it was and shut off the FTP image upload, the pings stabilized and it is working fine now. Trace routes are still not functioning, but I can live without that for now. -
802.1x port authentication failing after getting a access-accept packet
Hi all,
Im not 100% sure what the hell is going on here.
Any idea's or help will be appreciated.
Heres the topology.
1 x windows 2012 NPS
1x 3750X
1x Windows 7 x64
data flow
<laptop> - - [gi 1/0/13]<3750X>[gi 1/0/48]- -[gi 5/39]<6513>[po 1] - - [po 4]<6509><5/1> - - <VMWARE>[NPS Server]
The switch that is doing the authentication is the 3750X. Here is the IOS version.
Switch Ports Model SW Version SW Image
* 1 54 WS-C3750X-48 15.2(1)E C3750E-UNIVERSALK9-M
A wireshark trace on the NPS server shows that the packets are arriving and being sent back
Wireshark on a mirror of the trunk port connecting the 6513. It also shows packets being sent and arriving. access-accept packets are being recieved.
As you can see in the debug output, the switch is getting a access-accept, then it is stating a AAA failure.
here is a debug output as you plug in the laptop.
Oct 24 10:53:44.653: dot1x-ev:[Gi1/0/13] Interface state changed to DOWN
Oct 24 10:53:44.653: dot1x-ev:[Gi1/0/13] No DOT1X subblock found for port down
Oct 24 10:53:45.643: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/13, changed state to down
Oct 24 10:53:46.641: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/13, changed state to down
Oct 24 10:53:47.538: dot1x-ev:[Gi1/0/13] Interface state changed to UP
Oct 24 10:53:47.564: dot1x-packet:[6431.500e.9b00, Gi1/0/13] queuing an EAPOL pkt on Auth Q
Oct 24 10:53:47.572: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet1/0/13
Oct 24 10:53:47.572: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x1
Oct 24 10:53:47.572: dot1x-packet: length: 0x0000
Oct 24 10:53:47.572: dot1x-ev:[Gi1/0/13] Dequeued pkt: Int Gi1/0/13 CODE= 0,TYPE= 0,LEN= 0
Oct 24 10:53:47.572: dot1x-ev:[Gi1/0/13] Received pkt saddr =6431.500e.9b00 , daddr = 0180.c200.0003, pae-ether-type = 888e.0101.0000
Oct 24 10:53:47.572: dot1x-ev:[Gi1/0/13] Couldn't find the supplicant in the list
Oct 24 10:53:47.572: dot1x-ev:[6431.500e.9b00, Gi1/0/13] New client detected, sending session start event for 6431.500e.9b00
Oct 24 10:53:47.572: AAA/BIND(00000047): Bind i/f
Oct 24 10:53:47.580: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Sending create new context event to EAP for 0x15000045 (6431.500e.9b00)
Oct 24 10:53:47.580: EAP-EVENT: Received context create from LL (Dot1x-Authenticator) (0x15000045)
Oct 24 10:53:47.580: EAP-AUTH-EVENT: Received AAA ID 0x00000047 from LL
Oct 24 10:53:47.580: EAP-AUTH-AAA-EVENT: Assigning AAA ID 0x00000047
Oct 24 10:53:47.580: EAP-AUTH-AAA-EVENT: CTS not enabled on interface Gi1/0/13
Oct 24 10:53:47.580: EAP-AUTH-EVENT: Received Session ID "C0A846660000004700DF6030" from LL
Oct 24 10:53:47.580: EAP-AUTH-EVENT: Setting authentication mode: Passthrough
Oct 24 10:53:47.580: eap_authen : initial state eap_auth_initialize has enter
Oct 24 10:53:47.580: EAP-EVENT: Allocated new EAP context (handle = 0xE8000047)
Oct 24 10:53:47.580: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Created a client entry (0x15000045)
Oct 24 10:53:47.580: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Dot1x authentication started for 0x15000045 (6431.500e.9b00)
Oct 24 10:53:47.580: %AUTHMGR-5-START: Starting 'dot1x' for client (6431.500e.9b00) on Interface Gi1/0/13 AuditSessionID C0A846660000004700DF6030
Oct 24 10:53:47.580: EAP-EVENT: Received EAP event 'EAP_AUTHENTICATOR_START' on handle 0xE8000047
Oct 24 10:53:47.580: eap_authen : during state eap_auth_initialize, got event 25(eapStartTmo)
Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_initialize -> eap_auth_select_action
Oct 24 10:53:47.580: eap_authen : during state eap_auth_select_action, got event 20(eapDecisionPropose)
Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_select_action -> eap_auth_propose_method
Oct 24 10:53:47.580: eap_authen : idle during state eap_auth_propose_method
Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_propose_method -> eap_auth_method_request
Oct 24 10:53:47.580: eap_authen : idle during state eap_auth_method_request
Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_method_request -> eap_auth_tx_packet
Oct 24 10:53:47.580: EAP-AUTH-EVENT: Current method = Identity
Oct 24 10:53:47.580: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_CUSTOMIZE_ID_REQUEST' on handle 0xE8000047
Oct 24 10:53:47.580: eap_authen : idle during state eap_auth_tx_packet
Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_tx_packet -> eap_auth_idle
Oct 24 10:53:47.589: EAP-AUTH-TX-PAK: Code:REQUEST ID:0x1 Length:0x0005 Type:IDENTITY
Oct 24 10:53:47.589: EAP-EVENT: Started 'Authenticator ReqId Retransmit' timer (30s) for EAP sesion handle 0xE8000047
Oct 24 10:53:47.589: EAP-EVENT: Started EAP tick timer
Oct 24 10:53:47.589: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_TX_PACKET' on handle 0xE8000047
Oct 24 10:53:47.597: dot1x-ev:[Gi1/0/13] Sending EAPOL packet to group PAE address
Oct 24 10:53:47.597: dot1x-ev:[Gi1/0/13] Sending out EAPOL packet
Oct 24 10:53:47.597: dot1x-packet:EAPOL pak Tx - Ver: 0x3 type: 0x0
Oct 24 10:53:47.597: dot1x-packet: length: 0x0005
Oct 24 10:53:47.597: dot1x-packet:EAP code: 0x1 id: 0x1 length: 0x0005
Oct 24 10:53:47.597: dot1x-packet: type: 0x1
Oct 24 10:53:47.597: dot1x-packet:[6431.500e.9b00, Gi1/0/13] EAPOL packet sent to client 0x15000045
Oct 24 10:53:47.606: dot1x-packet:[6431.500e.9b00, Gi1/0/13] Queuing an EAPOL pkt on Authenticator Q
Oct 24 10:53:47.606: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x0
Oct 24 10:53:47.606: dot1x-packet: length: 0x001F
Oct 24 10:53:47.606: dot1x-ev:[Gi1/0/13] Dequeued pkt: Int Gi1/0/13 CODE= 2,TYPE= 1,LEN= 31
Oct 24 10:53:47.606: dot1x-ev:[Gi1/0/13] Received pkt saddr =6431.500e.9b00 , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.001f
Oct 24 10:53:47.606: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x0
Oct 24 10:53:47.606: dot1x-packet: length: 0x001F
Oct 24 10:53:47.606: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Response sent to the server from 0x15000045
Oct 24 10:53:47.606: EAP-EVENT: Received LL (Dot1x-Authenticator) event 'EAP_RX_PACKET' on handle 0xE8000047
Oct 24 10:53:47.606: EAP-AUTH-RX-PAK: Code:RESPONSE ID:0x1 Length:0x001F Type:IDENTITY
Oct 24 10:53:47.606: Payload: 47454E4552414C5C72616E64792E636F ...
Oct 24 10:53:47.606: eap_authen : during state eap_auth_idle, got event 1(eapRxPacket)
Oct 24 10:53:47.606: @@@ eap_authen : eap_auth_idle -> eap_auth_received
Oct 24 10:53:47.606: EAP-AUTH-EVENT: EAP Response received by context 0xE8000047
Oct 24 10:53:47.606: EAP-AUTH-EVENT: EAP Response type = Identity
Oct 24 10:53:47.606: EAP-EVENT: Stopping 'Authenticator ReqId Retransmit' timer for EAP sesion handle 0xE8000047
Oct 24 10:53:47.606: eap_authen : during state eap_auth_received, got event 10(eapMethodData)
Oct 24 10:53:47.606: @@@ eap_authen : eap_auth_received -> eap_auth_method_response
Oct 24 10:53:47.606: EAP-AUTH-EVENT: Received peer identity: GENERAL\randy.coburn.admin
Oct 24 10:53:47.606: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_IDENTITY' on handle 0xE8000047
Oct 24 10:53:47.606: eap_authen : during state eap_auth_method_response, got event 13(eapMethodEnd)
Oct 24 10:53:47.606: @@@ eap_authen : eap_auth_method_response -> eap_auth_select_action
Oct 24 10:53:47.606: eap_authen : during state eap_auth_select_action, got event 19(eapDecisionPass)
Oct 24 10:53:47.606: @@@ eap_authen : eap_auth_select_action -> eap_auth_passthru_init
Oct 24 10:53:47.606: eap_authen : during state eap_auth_passthru_init, got event 22(eapPthruIdentity)
Oct 24 10:53:47.614: @@@ eap_authen : eap_auth_passthru_init -> eap_auth_aaa_req
Oct 24 10:53:47.614: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_GET_PEER_MAC_ADDRESS' on handle 0xE8000047
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Adding Audit-Session-ID "C0A846660000004700DF6030" to RADIUS Req
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Added Audit-Session-ID
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Adding IDB "0x070B90F8" to RADIUS Req
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Added IDB
Oct 24 10:53:47.614: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_CUSTOMIZE_AAA_REQUEST' on handle 0xE8000047
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: eap_auth_aaa_authen_request_shim aaa_service 19, eap aaa_list handle 0, mlist handle 0
Oct 24 10:53:47.614: AAA/AUTHEN/8021X (00000000): Pick method list 'default'
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Request sent successfully
Oct 24 10:53:47.614: eap_authen : during state eap_auth_aaa_req, got event 24(eapAAAReqOk)
Oct 24 10:53:47.614: @@@ eap_authen : eap_auth_aaa_req -> eap_auth_aaa_idle
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000):Orig. component type = Invalid
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute hwidb
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute aaa-authen-type
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute aaa-authen-service
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute clid-mac-addr
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute target-scope
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute aaa-unique-id
Oct 24 10:53:47.614: RADIUS(00000000): Config NAS IP: 0.0.0.0
Oct 24 10:53:47.614: RADIUS(00000000): sending
Oct 24 10:53:47.614: RADIUS/ENCODE: Best Local IP-Address 192.168.70.102 for Radius-Server 192.168.19.121
Oct 24 10:53:47.614: RADIUS(00000000): Send Access-Request to 192.168.19.121:1645 id 1645/21, len 288
Oct 24 10:53:47.614: RADIUS: authenticator F1 BA E5 31 71 54 BF 1A - A2 B1 5E 1A 63 72 1E 72
Oct 24 10:53:47.614: RADIUS: User-Name [1] 28 "GENERAL\randy.coburn.admin"
Oct 24 10:53:47.614: RADIUS: Service-Type [6] 6 Framed [2]
Oct 24 10:53:47.614: RADIUS: Vendor, Cisco [26] 27
Oct 24 10:53:47.614: RADIUS: Cisco AVpair [1] 21 "service-type=Framed"
Oct 24 10:53:47.614: RADIUS: Framed-MTU [12] 6 1500
Oct 24 10:53:47.614: RADIUS: Called-Station-Id [30] 19 "AC-F2-C5-75-7D-0D"
Oct 24 10:53:47.614: RADIUS: Calling-Station-Id [31] 19 "64-31-50-0E-9B-00"
Oct 24 10:53:47.614: RADIUS: EAP-Message [79] 33
Oct 24 10:53:47.614: RADIUS: 02 01 00 1F 01 47 45 4E 45 52 41 4C 5C 72 61 6E 64 79 2E 63 6F [GENERAL\randy.co]
Oct 24 10:53:47.622: RADIUS: 62 75 72 6E 2E 61 64 6D 69 6E [ burn.admin]
Oct 24 10:53:47.622: RADIUS: Message-Authenticato[80] 18
Oct 24 10:53:47.622: RADIUS: EE 52 4D ED B9 06 F3 CE 63 AC 9D 73 24 1B A7 ED [ RMcs$]
Oct 24 10:53:47.622: RADIUS: EAP-Key-Name [102] 2 *
Oct 24 10:53:47.622: RADIUS: Vendor, Cisco [26] 49
Oct 24 10:53:47.622: RADIUS: Cisco AVpair [1] 43 "audit-session-id=C0A846660000004700DF6030"
Oct 24 10:53:47.622: RADIUS: Vendor, Cisco [26] 20
Oct 24 10:53:47.622: RADIUS: Cisco AVpair [1] 14 "method=dot1x"
Oct 24 10:53:47.622: RADIUS: NAS-IP-Address [4] 6 192.168.70.102
Oct 24 10:53:47.622: RADIUS: NAS-Port [5] 6 60000
Oct 24 10:53:47.622: RADIUS: NAS-Port-Id [87] 23 "GigabitEthernet1/0/13"
Oct 24 10:53:47.622: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
Oct 24 10:53:47.622: RADIUS(00000000): Sending a IPv4 Radius Packet
Oct 24 10:53:47.622: RADIUS(00000000): Started 10 sec timeout
Oct 24 10:53:47.622: RADIUS: Received from id 1645/21 192.168.19.121:1645, Access-Accept, len 66
Oct 24 10:53:47.622: RADIUS: authenticator 92 F6 07 AF C1 AB 0B 4C - 1D 9E A0 D1 01 36 27 26
Oct 24 10:53:47.622: RADIUS: Class [25] 46
Oct 24 10:53:47.622: RADIUS: 76 E3 06 66 00 00 01 37 00 01 02 00 C0 A8 13 79 00 00 00 00 00 00 00 00 00 00 00 00 01 CE CF F8 1F 7B 75 41 00 00 00 00 00 00 00 50 [ vf7y{uAP]
Oct 24 10:53:47.622: RADIUS(00000000): Received from id 1645/21
Oct 24 10:53:47.622: EAP-EVENT: eap_aaa_reply
Oct 24 10:53:47.622: EAP-AUTH-AAA-EVENT: Reply received session_label 72000033
Oct 24 10:53:47.622: EAP-EVENT: Received AAA event 'EAP_AAA_FAIL' on handle 0xE8000047
Oct 24 10:53:47.622: eap_authen : during state eap_auth_aaa_idle, got event 8(eapAAAFail)
Oct 24 10:53:47.622: @@@ eap_authen : eap_auth_aaa_idle -> eap_auth_failure
Oct 24 10:53:47.631: EAP-EVENT: Received get canned status from lower layer (0xE8000047)
Oct 24 10:53:47.631: EAP-AUTH-TX-PAK: Code:FAILURE ID:0x1 Length:0x0004
Oct 24 10:53:47.631: EAP-AUTH-EVENT: FAIL for EAP method ID: 1, name: , on handle 0xE8000047
Oct 24 10:53:47.631: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_FAIL' on handle 0xE8000047
Oct 24 10:53:47.631: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Received an EAP Fail
Oct 24 10:53:47.639: %DOT1X-5-FAIL: Authentication failed for client (6431.500e.9b00) on Interface Gi1/0/13 AuditSessionID C0A846660000004700DF6030
Oct 24 10:53:47.639: dot1x-packet:[6431.500e.9b00, Gi1/0/13] Added username in dot1x
Oct 24 10:53:47.639: dot1x-packet:[6431.500e.9b00, Gi1/0/13] Dot1x did not receive any key data
Oct 24 10:53:47.639: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Processing client delete for hdl 0x15000045 sent by Auth Mgr
Oct 24 10:53:47.639: dot1x-ev:[6431.500e.9b00, Gi1/0/13] 6431.500e.9b00: sending canned failure due to method termination
Oct 24 10:53:47.639: EAP-EVENT: Received get canned status from lower layer (0xE8000047)
Oct 24 10:53:47.639: dot1x-ev:[Gi1/0/13] Sending EAPOL packet to group PAE address
Oct 24 10:53:47.639: dot1x-ev:[Gi1/0/13] Sending out EAPOL packet
Oct 24 10:53:47.639: dot1x-packet:EAPOL pak Tx - Ver: 0x3 type: 0x0
Oct 24 10:53:47.639: dot1x-packet: length: 0x0004
Oct 24 10:53:47.639: dot1x-packet:EAP code: 0x4 id: 0x1 length: 0x0004
Oct 24 10:53:47.639: dot1x-packet:[6431.500e.9b00, Gi1/0/13] EAPOL canned status packet sent to client 0x15000045
Oct 24 10:53:47.639: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Deleting client 0x15000045 (6431.500e.9b00)
Oct 24 10:53:47.639: %AUTHMGR-7-STOPPING: Stopping 'dot1x' for client 6431.500e.9b00 on Interface Gi1/0/13 AuditSessionID C0A846660000004700DF6030
Oct 24 10:53:47.639: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (6431.500e.9b00) on Interface Gi1/0/13 AuditSessionID C0A846660000004700DF6030
Oct 24 10:53:47.648: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Delete auth client (0x15000045) message
Oct 24 10:53:47.648: EAP-EVENT: Received free context (0xE8000047) from LL (Dot1x-Authenticator)
Oct 24 10:53:47.648: dot1x-ev:Auth client ctx destroyed
Oct 24 10:53:47.648: EAP-EVENT: Received LL (Dot1x-Authenticator) event 'EAP_DELETE' on handle 0xE8000047
Oct 24 10:53:47.648: EAP-AUTH-EVENT: Freed EAP auth context
Oct 24 10:53:47.648: EAP-EVENT: Freed EAP context
Oct 24 10:53:48.621: EAP-EVENT: Stopped EAP tick timer
Oct 24 10:53:49.485: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/13, changed state to up
Oct 24 10:53:50.491: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/13, changed state to up
Oct 24 10:53:53.528: dot1x-ev:[Gi1/0/13] Interface state changed to DOWN
Oct 24 10:53:53.528: dot1x-ev:[Gi1/0/13] No DOT1X subblock found for port down
Oct 24 10:53:54.518: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/13, changed state to down
Oct 24 10:53:55.524: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/13, changed state to downHi Jatin,
See below the data that you have requested.
show run bits.
aaa new-model
aaa authentication dot1x default group radius
aaa session-id common
clock timezone BST 0 0
clock summer-time UTC recurring last Sun Mar 1:00 last Sun Oct 2:00
dot1x system-auth-control
interface GigabitEthernet1/0/13
switchport access vlan 80
switchport mode access
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
interface GigabitEthernet1/0/48
switchport trunk encapsulation dot1q
switchport trunk native vlan 70
switchport mode trunk
radius server NPS1
address ipv4 192.168.19.121 auth-port 1645 acct-port 1646
timeout 10
key thesecret
ip default-gateway 192.168.70.1
SW1-randy#show auth sessions interface gig 1/0/13
Interface MAC Address Method Domain Status Fg Session ID
Gi1/0/13 803f.5d09.189e N/A UNKNOWN Unauth C0A846660000002F00251DBC
SW1-randy#Show mac address-table Interface GigabitEthernet1/0/13
Mac Address Table
Vlan Mac Address Type Ports
80 803f.5d09.189e DYNAMIC Drop
SW1-randy#ping 192.168.19.121
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.19.121, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
Here is a wireshark of the accept packet.
Message was edited by: randy coburn
Added wireshark trace -
INST-08010: Error in validating the port range for auto port allocation
Hello guys, I am using the installer to install OBIEE 11.1.7.0 on my machine. When I get to step 6, I receive the error messages below:
INST-08010: Error in validating the port range for auto port allocation. At least 2 ports should be free within the range 7000-7500 for the Adminserver and Adminserver SSL.
Ensure that a minimum of 2 ports are free within the range 7000-7500 for auto port allocation to work correctly for the Adminserver and Adminserver SSL.
INST-08010: Error in validating the port range for auto port allocation. At least 3 ports should be free within the range 9500-9699 for the Weblogic Components for BI (WLS Managed Server, Managed Server SSL and NodeManager).
Ensure that a minimum of 3 ports are free within the range 9500-9699 for auto port allocation to work correctly for the Weblogic Components for BI (WLS Managed Server, Managed Server SSL and NodeManager).
INST-08012: Error in validating the port range for auto port allocation. At least 3 consecutive ports should be free within the range 9500-9699 for the OPMN, in addition to 3 free ports required for Weblogic Components for BI (WLS Managed Server, Managed Server SSL and NodeManager).
Ensure that a minimum of 3 consecutive ports are free within the range 9500-9699 for auto port allocation to work correctly for the OPMN, in addition to 3 free ports required for Weblogic Components for BI (WLS Managed Server, Managed Server SSL and NodeManager).
My Operating System below:
Linux Red Hat 5.9 X86 64bit
My uname -a are below:
Linux redhat59 2.6.18-348.el5 #1 SMP Wed Nov 28 21:22:00 EST 2012 x86_64 x86_64 x86_64 GNU/Linux
My /etc/hosts file are below:
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost
10.10.80.19 redhat59
My /etc/sysconfig/network are below:
NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=redhat59
GATEWAY=10.174.27.228
My /etc/sysconfig/iptables are below:
# Generated by iptables-save v1.3.5 on Tue Dec 3 17:01:17 2013
*filter
:INPUT ACCEPT [425:33860]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [307:40164]
COMMIT
# Completed on Tue Dec 3 17:01:17 2013
My ifconfig are below:
eth0 Link encap:Ethernet HWaddr 52:54:00:55:9B:C9
inet addr:10.174.27.233 Bcast:10.174.27.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:200216 errors:0 dropped:0 overruns:0 frame:0
TX packets:95849 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:110668992 (105.5 MiB) TX bytes:209784134 (200.0 MiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:109200 errors:0 dropped:0 overruns:0 frame:0
TX packets:109200 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:257845896 (245.9 MiB) TX bytes:257845896 (245.9 MiB)
my /etc/sysconfig/network-scripts/ifcfg-eth0 are below:
# Virtio Network Device
DEVICE=eth0
BOOTPROTO=static
BROADCAST=10.174.27.255
HWADDR=52:54:00:55:9B:C9
IPADDR=10.174.27.233
NETMASK=255.255.255.0
NETWORK=10.174.27.0
ONBOOT=yes
Have any suggestion please?
Many Thanks
DIn setDomainEnv.sh set debugFlag=false or you can just remove it.
NodeManager is a charm after that. it can take any number of ports.
Cheers !! -
System crash attempting to use the packet filtering on Solaris 10, MU7
I have been attempting to port my kernel module to run on Solaris 10, MU7 (from MU6). Some changes to the packet filtering hooks interface requires me to make code changes and linker option changes i.e -Nmisc/neti -Nmisc/hook
I now have my module loading successfully and "hooking" packets. However, I am seeing instability and after processing in the order of 100-200 packets the system crashes. See stack dump beow for details.
Also note that initially my callback hook function is very simple i.e returns 0.
I require assistance on identifying the root cause. The key code fragements are as follows:
int _init()
// allocated a control block using net_instance_alloc
// populated the nin_name, nin_create, nin_destroy, and nin_shutdown fields with valid callback functions
// registered the control block using net_instance_register
static int _attach(dip, cmd)
dev_info_t *dip;
ddi_attach_cmd_t cmd;
// initialised a hook control block using HOOK_INIT
// performed a protocol lookup (using net_protocol_lookup) on the net_id provided by the nin_create function callback
// registered the hook with the net_id protocol using net_hook_register
static int
myipf_hook4_in (hook_event_token_t tok, hook_data_t info, void *arg) {
// simple callback function for test purposes
return 0;
System Stack trace:
Boot device: /virtual-devices@100/channel-devices@200/disk@0:a File and args:
SunOS Release 5.10 Version Generic_139555-08 64-bit
Copyright 1983-2009 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
Hostname: bfs-t5440-03-ldm12
NIS domain name is bfs.nis
Reading ZFS config: done.
bfs-t5440-03-ldm12 console login:
panic[cpu9]/thread=2a100a67ca0: BAD TRAP: type=9 rp=2a100a67630 addr=7b6e8d48 mmu_fsr=0
sched: trap type = 0x9
addr=0x7b6e8d48
pid=0, pc=0x7b6e8d48, sp=0x2a100a66ed1, tstate=0x1606, context=0x0
g1-g7: 1910, 18b0, 2a100a678f0, 60010776b14, 1910, 0, 2a100a67ca0
000002a100a67350 unix:die+9c (9, 2a100a67630, 7b6e8d48, 0, 2a100a67410, 182b400)
%l0-3: 000000000100954c 0000000000000009 0000060020ac1620 00000000010523ac
%l4-7: 00000000018a3c78 0000060020ac1848 000003000481dbe0 00000000010ac400
000002a100a67430 unix:trap+6cc (2a100a67630, 10000, 0, 0, 30004028000, 2a100a67ca0)
%l0-3: 0000000000000000 000000000185b480 0000000000000009 0000000000000000
%l4-7: 0000000000000000 0000000000000000 0000000000001606 0000000000010200
000002a100a67580 unix:ktl0+64 (300014c8e40, 2a100a67890, 600114fb428, 3, 1, 0)
%l0-3: 0000030004028000 0000000000000048 0000000000001606 0000000001021604
%l4-7: 00000000003c0000 0000000000000001 0000000000000000 000002a100a67630
000002a100a676d0 hook:hook_run+7c (30001b039c0, 300014c8e40, 2a100a67890, 60012566ea8, 7b6e8d48, 1)
%l0-3: 0000030001b039c8 00000600117df3c0 0000000001878888 0000000000000000
%l4-7: 0000000000000000 000000000000003c 0000000000000000 0000000000000000
000002a100a67780 ip:ip_input+3b4 (0, 600135ca040, 0, 6001359bc28, 0, 0)
%l0-3: 0000000000000000 0000000000000000 0000000000000000 0000060011562000
%l4-7: 00000000e0000000 0000000000000001 0000000000000000 0000000000000000
000002a100a67910 dls:soft_ring_drain+78 (600135d1f00, 60011dfa940, 2, 2000000, 2, 0)
%l0-3: 0000000000000000 0000000000000000 0000000000000004 0000000000000005
%l4-7: 000006001359bc28 00000600135ca040 000000007be1c238 000000000000fffe
000002a100a679c0 dls:soft_ring_worker+64 (600135d1f00, 0, 2, 600135d1f4c, 0, 2a100a67a8a)
%l0-3: 000002a100a67a88 0000000000000000 000002a10001fca0 000002a10001fca0
%l4-7: 0000000000000002 0000000000000000 0000000000000002 00000000018f1000
syncing file systems... [1] 104 [1] 95 [1] 4 [1] 4 [1] 4 [1] 4 [1] 4 [1] 4 [1] 4 [1] 4 [1] 4 [1] 4 [1] 4 [1] 4 [1] 4 [1] 4 [1] 4 [1] 4 [1] 4 [1] 4 [1] 4 [1] 4 [1] 4 done (not all i/o completed)
dumping to /dev/dsk/c0d0s1, offset 644284416, content: kernel
100% done: 118970 pages dumped, compression ratio 10.00, dump succeeded
rebooting...
Resetting...
-eugene
Edited by: emonagh on Aug 25, 2009 1:54 AM
Edited by: emonagh on Aug 25, 2009 1:56 AMI have checked weblogic download link.
Currently webloigc is only available only for below mentioned platforms:-
1. Windows (32 bit jvm)
2. Linux (32 bit jvm)
3. sun solaris (only SPARC) (32 bit JVM)
There is no generic installer available for weblogic 9.2
Thus what I want is weblogic 9.2 setup for x86 machine.
I have tried to run weblogic 9.2 setup for linux on sun solaris x86.
But it did not run, it also gave error message that some package is missing in /lib/.. folder..... -
Hello,
I am trying to redirect packets to a bluecoat proxy sg using WCCP on a 3750x stack with IP services.
I cant get the packets to redirect.
The bluecoat device is on the same vlan as the client traffic that I am trying to redirect.
It seems that when I apply the redirect on the vlan interface, the Bluecoat can see the traffic though.
(After it is applied, I can no longer access the websites, but the bluecoat device shows some activity)
SDM prefer is enabled.
Here is the config:
SiteA#sh run
Building configuration...
Current configuration : 7699 bytes
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname SiteA
boot-start-marker
boot-end-marker
enable secret 5 $1$V1w8$6bmKd6oXWk//FH7/BaoFG.
username systemsgo privilege 15 secret 5 $1$vu8O$1uMdtS1Gzk12.YT3RObZO1
no aaa new-model
switch 1 provision ws-c3750x-24
switch 2 provision ws-c3750x-24
system mtu routing 1500
ip routing
ip wccp 90 redirect-list 115 group-list 15
vtp mode transparent
track 1 ip sla 1 reachability
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
vlan 10
ip ssh version 2
interface Port-channel1
switchport trunk encapsulation dot1q
switchport mode trunk
interface FastEthernet0
no ip address
no ip route-cache cef
no ip route-cache
interface GigabitEthernet1/0/1
no switchport
ip address 192.168.20.2 255.255.255.252
speed 100
duplex full
interface GigabitEthernet1/0/2
no switchport
ip address 192.168.20.9 255.255.255.252
interface GigabitEthernet1/0/3
switchport access vlan 10
switchport mode access
interface GigabitEthernet1/1/1
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode active
interface GigabitEthernet2/0/1
description *BlueCoat Proxy*
switchport access vlan 10
switchport mode access
interface GigabitEthernet2/0/2
switchport access vlan 10
switchport mode access
interface GigabitEthernet2/1/1
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode active
interface GigabitEthernet2/1/2
interface GigabitEthernet2/1/3
interface GigabitEthernet2/1/4
interface TenGigabitEthernet2/1/1
interface TenGigabitEthernet2/1/2
interface Vlan1
no ip address
interface Vlan10
ip address 10.10.20.3 255.255.255.0
standby 10 ip 10.10.20.1
standby 10 priority 110
standby 10 preempt
ip wccp 90 redirect in
router eigrp 1
network 10.10.20.0 0.0.0.255
network 192.168.10.0
network 192.168.20.0 0.0.0.3
redistribute static
ip local policy route-map IP_SLA_SiteA
ip http server
ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.20.10 track 1
ip sla 1
icmp-echo 4.2.2.2 source-ip 192.168.20.9
threshold 300
frequency 15
ip sla schedule 1 life forever start-time now
ip sla enable reaction-alerts
logging esm config
access-list 15 permit 10.10.20.220
access-list 101 permit icmp host 192.168.20.9 host 4.2.2.2
access-list 115 permit tcp 10.20.20.0 0.0.0.255 any eq www
access-list 115 permit tcp 10.20.20.0 0.0.0.255 any eq 443
access-list 115 permit tcp 10.10.20.0 0.0.0.255 any eq 443
access-list 115 permit tcp 10.10.20.0 0.0.0.255 any eq www
access-list 115 permit tcp 192.168.20.0 0.0.0.255 any eq www
access-list 115 permit tcp 192.168.20.0 0.0.0.255 any eq 443
route-map IP_SLA_SiteA permit 10
match ip address 101
set ip next-hop 192.168.20.10
SiteA#
SiteA#show ip wccp 90
Global WCCP information:
Router information:
Router Identifier: 192.168.20.9
Protocol Version: 2.0
Service Identifier: 90
Number of Service Group Clients: 1
Number of Service Group Routers: 1
Total Packets s/w Redirected: 0
Process: 0
CEF: 0
Redirect access-list: 115
Total Packets Denied Redirect: 52389
Total Packets Unassigned: 71
Group access-list: 15
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total GRE Bypassed Packets Received: 0
SiteA#show ip wccp 90 detail
WCCP Client information:
WCCP Client ID: 10.10.20.220
Protocol Version: 2.0
State: Usable
Redirection: L2
Packet Return: GRE
Packets Redirected: 0
Connect Time: 00:19:36
Assignment: MASK
Mask SrcAddr DstAddr SrcPort DstPort
0000: 0x00000000 0x0000003F 0x0000 0x0000
Value SrcAddr DstAddr SrcPort DstPort CE-IP
0000: 0x00000000 0x00000000 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0001: 0x00000000 0x00000001 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0002: 0x00000000 0x00000002 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0003: 0x00000000 0x00000003 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0004: 0x00000000 0x00000004 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0005: 0x00000000 0x00000005 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0006: 0x00000000 0x00000006 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0007: 0x00000000 0x00000007 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0008: 0x00000000 0x00000008 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0009: 0x00000000 0x00000009 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0010: 0x00000000 0x0000000A 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0011: 0x00000000 0x0000000B 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0012: 0x00000000 0x0000000C 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0013: 0x00000000 0x0000000D 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0014: 0x00000000 0x0000000E 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0015: 0x00000000 0x0000000F 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0016: 0x00000000 0x00000010 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0017: 0x00000000 0x00000011 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0018: 0x00000000 0x00000012 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0019: 0x00000000 0x00000013 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0020: 0x00000000 0x00000014 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0021: 0x00000000 0x00000015 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0022: 0x00000000 0x00000016 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0023: 0x00000000 0x00000017 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0024: 0x00000000 0x00000018 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0025: 0x00000000 0x00000019 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0026: 0x00000000 0x0000001A 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0027: 0x00000000 0x0000001B 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0028: 0x00000000 0x0000001C 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0029: 0x00000000 0x0000001D 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0030: 0x00000000 0x0000001E 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0031: 0x00000000 0x0000001F 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0032: 0x00000000 0x00000020 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0033: 0x00000000 0x00000021 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0034: 0x00000000 0x00000022 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0035: 0x00000000 0x00000023 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0036: 0x00000000 0x00000024 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0037: 0x00000000 0x00000025 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0038: 0x00000000 0x00000026 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0039: 0x00000000 0x00000027 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0040: 0x00000000 0x00000028 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0041: 0x00000000 0x00000029 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0042: 0x00000000 0x0000002A 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0043: 0x00000000 0x0000002B 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0044: 0x00000000 0x0000002C 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0045: 0x00000000 0x0000002D 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0046: 0x00000000 0x0000002E 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0047: 0x00000000 0x0000002F 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0048: 0x00000000 0x00000030 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0049: 0x00000000 0x00000031 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0050: 0x00000000 0x00000032 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0051: 0x00000000 0x00000033 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0052: 0x00000000 0x00000034 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0053: 0x00000000 0x00000035 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0054: 0x00000000 0x00000036 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0055: 0x00000000 0x00000037 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0056: 0x00000000 0x00000038 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0057: 0x00000000 0x00000039 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0058: 0x00000000 0x0000003A 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0059: 0x00000000 0x0000003B 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0060: 0x00000000 0x0000003C 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0061: 0x00000000 0x0000003D 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0062: 0x00000000 0x0000003E 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0063: 0x00000000 0x0000003F 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
SiteA#
SiteA#sh sdm prefer
The current template is "desktop routing" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.
number of unicast mac addresses: 3K
number of IPv4 IGMP groups + multicast routes: 1K
number of IPv4 unicast routes: 11K
number of directly-connected IPv4 hosts: 3K
number of indirect IPv4 routes: 8K
number of IPv4 policy based routing aces: 0.5K
number of IPv4/MAC qos aces: 0.5K
number of IPv4/MAC security aces: 1K
SiteA#Hi Jon,
There are no more throughput issues.
Everything is working well. Thanks so much!
As for the WCCP,
I put the redirect acl on the L3 ports that connect back to 3750_3, but it is still not catching the traffic from the user vlan 20 on 3750_3. (We did however get it working for the server vlan in Site1 and Site2)
I'm not sure what you meant when you said:
Then you simply use site1 or site2's devices for web traffic.
Do I need to change the gateway for the users vlan in Site 3750_3 to something else?
Right now it is pointing to 10.20.20.1 on the 3750_3.
Below is what I have so far on the 3750_3.
I tried to force the traffic via PBR to the BlueCoat device, but that didnt seem to work either.
UserSite(config)#do sh run
Building configuration...
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname UserSite
boot-start-marker
boot-end-marker
no aaa new-model
switch 1 provision ws-c3750x-48p
switch 2 provision ws-c3750x-48p
system mtu routing 1500
ip routing
vtp mode transparent
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
vlan 10
vlan 20
name clients
interface FastEthernet0
no ip address
no ip route-cache cef
no ip route-cache
no ip mroute-cache
interface GigabitEthernet1/0/47
description *CERTES-MGMT-MAIN*
switchport access vlan 20
switchport mode access
interface GigabitEthernet1/0/48
description *MAN-LINE-TO-DC-MAIN*
no switchport
ip address 192.168.20.1 255.255.255.252
speed 100
duplex full
interface GigabitEthernet1/1/1
interface GigabitEthernet1/1/2
interface GigabitEthernet1/1/3
interface GigabitEthernet1/1/4
interface TenGigabitEthernet1/1/1
interface TenGigabitEthernet1/1/2
interface GigabitEthernet2/0/47
description *CERTES-MGMT-DR*
switchport access vlan 20
switchport mode access
interface GigabitEthernet2/0/48
description *MAN-LINE-TO-DC-DR*
no switchport
ip address 192.168.20.5 255.255.255.252
speed 100
duplex full
interface GigabitEthernet2/1/1
interface GigabitEthernet2/1/2
interface GigabitEthernet2/1/3
interface GigabitEthernet2/1/4
interface TenGigabitEthernet2/1/1
interface TenGigabitEthernet2/1/2
interface Vlan1
ip address 192.168.10.254 255.255.255.0
interface Vlan20
ip address 10.20.20.1 255.255.255.0
ip helper-address 10.10.20.30
router eigrp 1
network 10.20.20.0 0.0.0.255
network 192.168.10.0
network 192.168.20.0 0.0.0.7
offset-list 10 in 100 GigabitEthernet2/0/48
eigrp stub connected summary
ip local policy route-map PBR_Proxy
ip classless
ip http server
ip http secure-server
ip access-list extended Traffic2Proxy
permit tcp 10.20.20.0 0.0.0.255 eq www any
permit tcp 10.20.20.0 0.0.0.255 eq 443 any
ip sla enable reaction-alerts
route-map PBR_Proxy permit 10
match ip address Traffic2Proxy
set ip next-hop 192.168.50.220
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
login local
line vty 0 4
exec-timeout 30 0
privilege level 15
logging synchronous
login local
length 0
transport input telnet ssh
line vty 5 15
exec-timeout 30 0
privilege level 15
logging synchronous
login local
transport input telnet ssh
end -
WEC7 DHCP Allocator not sending ACK for a DHCP client
Hi All,
I have a WEC7 device configured as DHCP Allocator.
My PC (windows 7) will get ip from DHCP allocator successfully.
WEC7 ip settings:
ip: 169.254.0.1
subnet: 255.255.0.0
DNS: 0.0.0.0
My PC Ip after got ip from WEC7 DHCP Allocator:
ip : 169.254.0.3
net mask: 255.255.0.0
DHCP server: 169.254.0.1
DNS server : 169.254.0.1
Default Gateway: 169.254.0.1
I have another device (Ethernet based energy Meter), I am getting below problem
-> Meter will send DHCP DISCOVER Command (Broadcast)
-> DHCP Allocator Sends DHCP OFFER command back (Broadcast)
-> Meter will send DHCP Request to DHCP Allocator (Broadcast)
Now meter expects DHCP ACK command but DHCP allocator not sending any command.
within ~3 sec Meter start sending DHCP DISCOVER Command. this will happen continuously.
some time DHCP server will send ACK, but by that time Meter start sending DHCP DISCOVER command.
I Tried testing this meter by connecting to my PC directly and running a simple DHCP Server on my PC, here Meter connected to sample server and got ip from server.
The DHCP Concept is working with WEC7DHCP Allocator to PC client, Meter to PC as server but not with WEC7 server and Meter.
I compared the packets, only the difference i can identify is PC client is configured with Host name and Meter not have nay host name.
Any idea on whats wrong with WEC7 and Meter combination?
Do you know any third party DHCP server?
Please suggest me,
rakeshHi All,
The problem is not yest solved.
As I mentioned in last post, only the difference between My PC and Meter is Meter don't have Device Name and we are not able to configure it.
Device Name is the real Problem? If yes how can i eliminate this dependency?
For Static ip allocation at HKEY_LOCAL_MACHINE\Comm\ConnectionSharing\Addresses\Address, aslo there is dependency on Device name, is it possible to map the ip to MAC instead of Device name?
One more thing I observer that, DHCP allocator will send response for DISCOVER or REQUEST after 3 seconds. As Meter will send next discover before getting ACK, please check below log.
But in PC the entire DHCP registration will finish within 1 sec, I am not understanding why DHCP Allocator delaying for responding
Any suggestions will be really appreciated. Please recommend any third party DHCP Server if any available (we are ready to purchase also)
Thanks in Advance
DHCP Allocator (WEC7) Ip: 169.254.0.1
ip allocated from WEC7 for my PC : 169.254.0.15
Meter ip : 0.0.0.0
rakesh -
Hi All,
My wireless network system is consisting with 7.5 virtuall wireless controller and few 3600i APs.
All SSIDs & APs have been configured in flexconnect & flexconnect groups.
APs acquire IP address & controller IP address via DHCP option 43.
My problem is,
After I created a new SSID & pushed it. APs don't reboot itself but disconnecting from the controller and never come up back until give a manuall power reboot for each APs.
* DHCP server has not been configured any authentication mechanism for APs.*
I got below console outputs:
*Dec 5 16:56:42.830: %DOT11-7-AUTH_FAILED: Station c023.4921.2100 Authentication failed%Unknown DHCP problem.. No allocation possible
*Dec 5 16:56:54.226: %DOT11-7-AUTH_FAILED: Station c023.4921.2100 Authentication failed
*Dec 21 06:15:03.251: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Dec 21 06:15:03.283: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Dec 21 06:15:04.283: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
*Dec 21 06:15:14.135: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Dec 21 06:15:14.539: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Dec 21 06:15:15.135: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Dec 21 06:15:15.375: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Dec 21 06:15:15.387: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down
*Dec 21 06:15:15.395: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Dec 21 06:15:16.375: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Dec 21 06:15:16.387: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Dec 21 06:15:16.423: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Dec 21 06:15:16.435: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Dec 21 06:15:16.451: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Dec 21 06:15:17.451: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
*Dec 21 06:15:17.451: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Dec 21 06:15:17.491: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
., 26)1 06:15:17.983: %CAPWAP-3-ERRORLOG: Retransmission count for packet exceeded max(CAPWAP_WTP_EVENT_REQUEST
*Dec 21 06:15:18.587: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Dec 21 06:15:24.427: %EVT-4-WRN: Write of flash:/event.capwap done
*Dec 21 06:15:24.447: %LWAPP-3-CLIENTERRORLOG: Switching to Standalone mode
*Dec 21 06:15:24.459: %CAPWAP-3-ERRORLOG: GOING BACK TO DISCOVER MODE
*Dec 21 06:15:24.459: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.15.2:5246
*Dec 21 06:15:24.459: %CAPWAP-3-ERRORLOG: Invalid event 46 & state 4 combination.
*Dec 21 06:15:24.459: %CAPWAP-3-ERRORLOG: SM handler: Failed to process timer message. Event 46, state 4
*Dec 21 06:15:24.459: %CAPWAP-3-ERRORLOG: Failed to handle timer message.
*Dec 21 06:15:24.459: %CAPWAP-3-ERRORLOG: Failed to process Periodic Echo timer message.
*Dec 21 06:15:24.507: %WIDS-6-DISABLED: IDS Signature is removed and disabled.
*Dec 21 06:15:26.419: %CLEANAIR-6-STATE: Slot 0 down
*Dec 21 06:15:26.419: %CLEANAIR-6-STATE: Slot 1 down
Anybody know the reason for this behavior ?
Thanks,
CharithHi Charith,
It's looks like AP goes into Standalone mode due to it cannot reach your WLC. In flexconnect when it cannot reach WLC, it will go into standalone mode without rebooting AP. (in local mode AP will reboot unless it can find a WLC)
Can you check your AP has reahability to your WLC all the time ? Where the DHCP configured for users ?
HTH
Rasika
Maybe you are looking for
-
Display malfunction- vertical lines on screen - blue, green, and white lines
My 3 week old passort shut down after running out of battery. After recharging, lines appeared on the display and won't go away. I tried serveral restarts. There are blue and green vertical lines on the left edge of the display and four our so whit
-
Hi Guys Have exported still from premiere pro 5.5. Opened it in photoshop to deinterlace. When imported back into premiere its went from 16:9 to 4:3 I assume its the pixel aspect ratio that photoshop has changed. How do i get the stills to stay 16:9
-
Hi to all, there was many changes in security profiles in 11g. like the number of times connection attempts failed, etc ... How to rollback these new features back to 10g? I remember that someone told me there are a script that can be used, but don't
-
Photo library preview application to save photos
What is, how do I use "iphoto library preview application to save photos? I made an error with my external hard drive while disconnectiong it. I cannot access the iphoto library on that drive. Can you help? Larry
-
Replica Not Allowing Logins-Is the Replica really a Replica?
Hi All, This is a new 10.5.2 setup in an od-ad configuration. The od master seems to be working fine. Users are using their ad accounts to login and od for workgroup management. I have a second xserver ready to be ad od replica. The replication seem