PC not getting IP in transparent ASA
Hi everyone,
ASA 505 is connected to layer 3 switch.
ASA is in transparent mode.
Layer 3 switch has SVI Vlan 20 and also it has dhcp server for vlan 20.
The PC connected to the transparent switch is not able to get an IP address from the layer switch.
I have configured the ACL on the outside interface of the ASA to allow the DHCP reply coming from the switch.
When I assign a static IP to the PC connected to port eth0/1 of the ASA, it works fine.
ciscoasa# sh run
: Saved
ASA Version 9.1(1)
firewall transparent
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 20
interface Ethernet0/1
switchport access vlan 13
interface Ethernet0/2
shutdown
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
interface Vlan1
no nameif
no security-level
interface Vlan13
nameif inside
bridge-group 1
security-level 100
interface Vlan20
nameif Outside
bridge-group 1
security-level 0
interface BVI1
ip address 192.168.20.59 255.255.255.0
boot system disk0:/asa911-k8.bin
ftp mode passive
object network Broadcast
host 255.255.255.255
object network Dhcp-Server
host 192.168.20.3
access-list inside_access_in extended permit ip any any
access-list Outside_access_in extended permit udp object Dhcp-Server object Broadcast eq bootpc log
access-list inside_access_in_1 extended permit ip any any
pager lines 24
mtu Outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-712.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group Outside_access_in in interface Outside
access-group inside_access_in_1 in interface inside
route Outside 0.0.0.0 0.0.0.0 192.168.20.3 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 0.0.0.0 0.0.0.0 Outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Outside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
Cryptochecksum:cbcb87f40ea45d3bd0b6376e92b5fe8a
: end
ciscoasa# $
ciscoasa#
Thanks
mahesh
Message was edited by: mahesh parmar
Hi Jouni,
It worked great as always.
I got this ASA Security plus license few days back so trying to learn some concepts in home lab.
I need to understand the reason for these 2 ACLs.
1> access-list OUTSIDE-IN permit icmp host any echo
I already have ICMP under the global policy, so why do we use the above ACL?
Also, this ACL has a hit count of 0.
2> When we allowed the ACL to permit the BootPC reply from any host to the broadcast address, then why do we need this second ACL?
access-list OUTSIDE-IN permit udp host 192.168.20.0 255.255.255.0 eq bootpc
This ACL also has a hit count of 0.
Thanks
mahesh
Message was edited by: mahesh parmar
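As an added illustration (not part of this thread and not a Cisco tool), the Python below builds a few constructed DHCP replies from the server address 192.168.20.3 used in the configuration above, works out where a server sends each reply under the RFC 2131 section 4.1 rules (broadcast flag set: 255.255.255.255; flag clear: unicast to yiaddr; renewal: unicast to ciaddr; NAK: broadcast), and checks each against a model of the two ACL entries being discussed. The first entry is the `Outside_access_in` line from the posted configuration (server to 255.255.255.255 on port bootpc); the second permits UDP from any source to the 192.168.20.0/24 subnet on port bootpc, which is my reading of the `OUTSIDE-IN` line quoted in the follow-up and is marked as an assumption in the code. The client MAC, transaction ids and offered address are constructed sample values. It shows that a broadcast-only entry leaves unicast OFFER/ACK replies unmatched, which is the gap the subnet entry covers.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

BOOTPS, BOOTPC = 67, 68                      # server / client UDP ports
ANY_ADDR = IPv4Address("0.0.0.0")
BROADCAST = IPv4Address("255.255.255.255")
MAGIC_COOKIE = b"\x63\x82\x53\x63"           # RFC 2131 option-field cookie
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"    # fixed 236-byte BOOTP header
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def build_dhcp_reply(msg_type, xid, yiaddr, chaddr, *, ciaddr="0.0.0.0",
                     giaddr="0.0.0.0", broadcast=False):
    """Build a minimal BOOTREPLY carrying option 53 (constructed sample, not a capture)."""
    flags = 0x8000 if broadcast else 0      # bit 15 of 'flags' is the BROADCAST flag
    header = struct.pack(
        BOOTP_FMT,
        2, 1, 6, 0, xid, 0, flags,          # op=BOOTREPLY, htype=Ethernet, hlen=6, hops=0
        IPv4Address(ciaddr).packed, IPv4Address(yiaddr).packed,
        ANY_ADDR.packed, IPv4Address(giaddr).packed,
        chaddr.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128,
    )
    return header + MAGIC_COOKIE + bytes([53, 1, msg_type, 255])


def parse_dhcp(payload):
    """Parse the BOOTP header and the DHCP message-type option of a UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    (op, _htype, hlen, _hops, xid, _secs, flags, ciaddr, yiaddr, _siaddr, giaddr,
     chaddr, _sname, _file) = struct.unpack(BOOTP_FMT, payload[:236])
    msg_type = None
    i = 240
    while i < len(payload) and payload[i] != 255:   # walk TLV options until END
        if payload[i] == 0:                         # PAD option has no length byte
            i += 1
            continue
        tag, length = payload[i], payload[i + 1]
        if tag == 53 and length == 1:
            msg_type = payload[i + 2]
        i += 2 + length
    return {
        "op": op, "xid": xid, "broadcast": bool(flags & 0x8000),
        "ciaddr": IPv4Address(ciaddr), "yiaddr": IPv4Address(yiaddr),
        "giaddr": IPv4Address(giaddr), "chaddr": chaddr[:hlen],
        "msg_type": MSG_TYPES.get(msg_type, msg_type),
    }


def reply_destination(dhcp):
    """Where a server sends a reply (RFC 2131 section 4.1 rules; no relay agent here)."""
    if dhcp["giaddr"] != ANY_ADDR:             # relayed: back to the relay, server port
        return dhcp["giaddr"], BOOTPS
    if dhcp["msg_type"] == "NAK":              # NAKs are always broadcast when giaddr is 0
        return BROADCAST, BOOTPC
    if dhcp["ciaddr"] != ANY_ADDR:             # renewing client already has an address
        return dhcp["ciaddr"], BOOTPC
    if dhcp["broadcast"]:                      # client asked for a broadcast reply
        return BROADCAST, BOOTPC
    return dhcp["yiaddr"], BOOTPC              # otherwise unicast to the offered address


class AclRule:
    """A 'permit udp <src> <dst> eq <port>' entry reduced to what matters here."""
    def __init__(self, name, src, dst, dst_port):
        self.name = name
        self.src, self.dst, self.dst_port = IPv4Network(src), IPv4Network(dst), dst_port

    def matches(self, src_ip, dst_ip, dst_port):
        return src_ip in self.src and dst_ip in self.dst and dst_port == self.dst_port


# The entry from the posted configuration, then the second entry as I read the
# follow-up (assumption: 'any' source, 192.168.20.0/24 destination, port bootpc).
RULES = [
    AclRule("Outside_access_in (page config)", "192.168.20.3/32", "255.255.255.255/32", BOOTPC),
    AclRule("OUTSIDE-IN subnet entry (assumed)", "0.0.0.0/0", "192.168.20.0/24", BOOTPC),
]


def first_matching_rule(rules, src_ip, dst_ip, dst_port):
    """Return the name of the first permitting entry, or None if the reply is dropped."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dst_port):
            return rule.name
    return None


def classify_samples(rules=RULES):
    """Run three constructed server replies through the ACL model."""
    server = IPv4Address("192.168.20.3")           # DHCP server / SVI address from the thread
    mac = bytes.fromhex("0011223344aa")            # constructed client MAC
    samples = {
        "offer_broadcast_flag": build_dhcp_reply(2, 0x1234, "192.168.20.101", mac, broadcast=True),
        "ack_unicast_to_yiaddr": build_dhcp_reply(5, 0x1234, "192.168.20.101", mac),
        "ack_renew_to_ciaddr": build_dhcp_reply(5, 0x5678, "192.168.20.101", mac,
                                                ciaddr="192.168.20.101"),
    }
    verdict = {}
    for name, payload in samples.items():
        dhcp = parse_dhcp(payload)
        dst_ip, dst_port = reply_destination(dhcp)
        verdict[name] = (dhcp["msg_type"], str(dst_ip),
                         first_matching_rule(rules, server, dst_ip, dst_port))
    return verdict


if __name__ == "__main__":
    for name, (kind, dst, rule) in classify_samples().items():
        print(f"{name:24s} {kind:5s} -> {dst:15s} {rule or 'DROPPED'}")
```

Run it as a script to see each constructed reply, its destination and the entry that permits it; pass `RULES[:1]` to `classify_samples` to see the unicast replies fall through when only the broadcast entry exists. The model ignores the stateful side of the ASA on purpose: a reply from a lower-security interface has to be permitted by the inbound ACL, which is exactly the question the posts above are asking.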
Similar Messages
-
Unable to establish OSPFv3 neighbors through transparent ASA
I have 2 devices running IPv6 with an ASA ver 8.4(2) in transparent mode with multiple contexts in between them. I can ipv6 ping the devices through the ASA but can not get the 2 devices to establish OSPFv3 adjacency. They are able to establish adjacency with ipv4 OSPF. When running debug ipv6 ospf hello I see each of the devices sending hellos but not receiving them from the device on the other side of the ASA. I notice that the hellos are coming from the link local addresses and not the unique global addresses that I applied to the interfaces. If I connect a device directly to one of the devices I can establish OSPFv3 adjacency without a problem.
Any thoughts?
Bob
Bob,
It is expected that OSPF/EIGRP etc use link local rather than unique global ;-)
Regarding the problem.
- please enable
logging buffered info
logging buffer-size 1000000
- and an ASP drop capture.
cap ASP type asp all
Try establishing the adjacency and check
show logg
sh cap ASP
I would also try establishing the adjacency without multicast (point-to-multipoint network should allow this).
Marcin -
Links not getting displayed in the contextual panel
Hi,
I have created a contextual panel inside a transparent container. And created a method in the same view supply_values of type supply function to supply the values to the panel.Inside the method I have coded like:
DATA TAB TYPE WD_THIS->ELEMENTS_N_VIEW_SWITCH.
DATA LINE TYPE WD_THIS->ELEMENT_N_VIEW_SWITCH.
LINE-TEXT = 'User Manual'. "#EC NOTEXT
LINE-ENABLED = ABAP_TRUE.
APPEND LINE TO TAB.
LINE-TEXT = 'Logout'. "#EC NOTEXT
LINE-ENABLED = ABAP_TRUE.
APPEND LINE TO TAB.
NODE->BIND_TABLE( TAB ).
Also in the context of the view I have created a node and supplied the method 'supply_values' in the supply function.Under the node I have 2 attributes named text and enabled. Text is of string type and enabled is of boolean type. In the properties of the contextual panel I have bound the visible property with the enabled attribute.
Now when I am running this application , links are not getting displayed in the contextual panel. Though when I debug TAB contains the values. Please suggest if I have missed out something or I need to look into the properties of the contextual panel. Any pointers will be really helpful.
Regards,
Ashutosh
Hi,
Can you elaborate ' ItemEnable property of ViewSwitch'.
I have already bound the enable property of the panel with a context attribute of type wdy_boolean but it is still not working.
Regards,
Ashutosh -
AnyConnect Profiles not getting downloaded.
Dear Team Members
I am facing the following issue in AnyConnect VPN deployment.
Requirement - Users should receive an AnyConnect profile, which has SCEP enabled, so that they can request a certificate from the organization's Microsoft CA.
I already have a certificate on the ASA from the same CA and I want to use certificate authentication for AnyConnect.
ASA version is 8.4; I defined the flow as
1: Create User > bind it with a group policy > bind group policy with tunnel-group (Connection profile)
2: Define a profile (that has SCEP enabled & CA information URL etc.) and bind it with the group policy and also add it under
webvpn
AnyConnect Profile ....
When I initiate https://ASA_Ip_Address I authenticate with the username/password created above, AnyConnect is installed and I am connected, but the profile is not downloaded, because I see no change on my AnyConnect screen to request a certificate. It remains the same, as if no profile is available.
I have followed the standard procedure. Please guide me on what could be going wrong.
Any inputs from your side will be highly appreciated.
Thanks
Ahad
Hello Marvin
Thanks for your efforts for responding
As such I am using ASA 8.4, ASDM 6.47 & AnyConnect package Anyconnect-win-2.5.3055-k9.pkg (I am using ver 2.5, because ver 3.0 does not support iPhones & Windows Mobile phones).
Client PC - Windows 7 - 32 bit
1: I created an AnyConnect profile using ASDM; it has simple settings to publish CA server details for SCEP, so that AnyConnect users can request the certificate through SCEP (XML file attached)
2: As checked, the profile folder is not available in
c:\program files \ cisco \ Cisco Anyconnect VPN Client
that simply means that profiles are not getting downloaded.
3: Configuration is attached & also the profile XML file.
"you could try manually copying the xml onto a test client to see if it then behaves in the way you desire." - can you explain a bit more how this testing can be done?
Please let me know what additional config is required.
Thanks in advance
Ahad -
Summing command is not getting the result
Hi All,
I am using summing command in my script to print page total on every page.
I have used:
SUMMING &ITAB_TDS-BASAMT& INTO &ZTDS-BASE_AMT&
Here itab_tds is my internal table which contains the line items, and ztds is the R/3 transparent table (global) in which the field base_amt is a currency type field.
But when I debug the script, I find that ZTDS-BASE_AMT does not get any values (in spite of the fact that itab_tds-basamt has values).
I have declared ZTDS in the tables statement in the print program (tables: ztds.)
Please tell me how to get rid of this problem?
Regards,
Niyati
Hi,
I think this will solve your problem.
- To use command SUMMING:
/: SUMMING PROGRAM_SYMBOL INTO TOTAL_SYMBOL
The PROGRAM_SYMBOL is the global variable you want to sum, TOTAL_SYMBOL is a variable defined in the sapscript:
/: DEFINE TOTAL_SYMBOL = '0'.
You should try to define TOTAL_SYMBOL just once (for example in a window you use only once).
Reward points to all useful answers.
Regards,
SaiRam -
Traffic Other than ICMP does not Get Policy NATed
Hi Folks,
I have applied policy based NAT on one ASA firewall. Assume that Source Inside Network is 192.168.1.0 and destination (Outside) network is 192.168.2.0. Now using Policy NAT i am translating source Subnet 192.168.1.0 to a global address 192.168.2.10.
access-list 1 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 15 access-list 1
global (outside) 15 192.168.2.10 netmask 255.255.255.255
Now what I observe is that when I ping a destination IP 192.168.2.20, the source IPs (192.168.1.0/24) get translated to 192.168.2.10.
However, when I try to RDP to the same system, the source IPs do not get translated.
And I am completely perturbed as to why this inconsistency occurs.
Kindly help.
Hi,
It might be that you would need 7.2 software if I remember correctly.
I would probably first check ASDM logs while testing the connection and see what translation and connection forming messages I see.
I would naturally see the whole NAT configuration of the device which I could go through to see if there is anything wrong there. If there is possibly some other NAT configuration causing problems.
I would suggest considering an update for the firewall software. If you don't want major changes to the configuration format then software 8.2(5) would probably be the newest version for you.
- Jouni -
WCCP does not work between WSA and ASA
I have configured WCCPv2 between WSA S160 ( 6.3.1-025) and ASA5540 (8.2(1)109).
Everything seems to be OK per "show wccp *" on the ASA and the WCCP debugging messages (level 4) on the S160. Despite that, WCCP redirection does not work.
If I use packet capture I see that the S160 receives GRE packets with TCP SYN from a particular LAN host to WWW sites, but the S160 does not handle them and does not send anything back to the ASA.
There is an exemption from authentication for this LAN host, and in forward proxy mode everything works well.
I have attached an example of a packet capture (S160.txt - renamed from .cap) and debugging messages from the S160 & "show" output from the ASA.
Does anybody have any idea what the problem is and how I can resolve it?
IronPort Support team helped me to find the trouble:
If I wish to handle a specific port's (80, 8080, etc.) traffic by the transparent proxy I need to configure this port as a listener for the FORWARD proxy
("Security Services" -> "Proxy Settings" -> "HTTP Ports to Proxy")
The WSA guide doesn't clearly say this.
So the Discussion can be closed ... -
Select statement failed to get data from transparent table
Hi Experts,
Please let me know why my select statement is failing to get data from transparent table REGUH. My query is as below:
SELECT * FROM REGUH WHERE
LAUFD = RUN_DATE AND
LAUFI = ID AND
LIFNR = P0009-PERNR AND
RZAWE = 'C'.
MOVE REGUH-RWBTR TO CASH.
CASH = CASH * -1.
ENDSELECT.
REGUH table has data for the given query but it is not retrieving the data. Please let me know what the problem with the query is
because of which it is not fetching the data. The same query is working fine in Development but fails in production, maybe because a new patch was applied. Please help ASAP.
Hi Ankita,
Why are you going for select *?
Try this...
DATA V_RWBTR TYPE REGUH-RWBTR.
SELECT SINGLE RWBTR
INTO V_RWBTR
FROM REGUH
WHERE LAUFD = RUN_DATE
AND LAUFI = ID
AND LIFNR = P0009-PERNR
AND RZAWE = 'C'.
IF SY-SUBRC = 0.
MOVE V_RWBTR TO CASH.
CASH = CASH * -1.
ENDIF.
Regards,
Raj. -
L2L issue, the tunnel does not getting up from one direction
Hello,
We have configured a L2L VPN between an ASA and an 1841 router. We are facing this issue.
The tunnel never comes up from the 1841 site. When we try to generate traffic from the ASA site the tunnel comes up and we can see decrypted and encrypted packets.
Router 1841 Config:
crypto isakmp policy 100
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key * address 213.249.XX.XX
crypto ipsec transform-set XXXXX esp-3des esp-md5-hmac
crypto map EKO_BG 100 ipsec-isakmp
set peer 213.249.x.x
set security-association lifetime seconds 28800
set transform-set XXXXX
set pfs group2
match address 111
interface FastEthernet0/0.2
encapsulation dot1Q 3338
ip address 212.200.30.130 255.255.255.252
ip nat outside
ip virtual-reassembly
crypto map XXXXX
ip nat pool nat_pool 93.87.XX.XX 93.87.XX.XX prefix-length 29
ip nat inside source list 101 pool nat_pool overload
ip nat inside source static 10.70.2.10 93.87.18.161
ip nat inside source static 10.70.25.10 93.87.18.162
ip nat inside source static 10.70.36.5 93.87.18.163
ip nat inside source static 10.70.39.10 93.87.18.164
ip nat inside source static 10.70.5.10 93.87.18.165
access-list 101 deny ip 10.70.200.0 0.0.0.255 any
access-list 101 permit ip 10.70.0.0 0.0.255.255 any
access-list 111 permit ip 10.70.200.0 0.0.0.255 172.40.10.100 0.0.0.3
Asa Config:
access-list inside_nat0_outbound extended permit ip 172.40.10.100 255.255.255.252 10.70.200.0 255.255.255.0
access-list outside_cryptomap_320 remark xxxxxxx
access-list outside_cryptomap_320 extended permit ip 172.40.10.100 255.255.255.252 10.70.200.0 255.255.255.0
access-list inside_pnat_outbound_V5 extended permit ip host 10.8.x.x 10.70.200.0 255.255.255.0
pager lines 24
nat (inside) 9 access-list inside_pnat_outbound_V5
crypto ipsec transform-set xxxxx esp-3des esp-md5-hmac
crypto map mymap 150 match address
crypto map mymap 150 set pfs
crypto map mymap 150 set peer XXXXXX
crypto map mymap 150 set transform-set XXX
crypto map mymap 150 set security-association lifetime seconds 28800
crypto map mymap 150 set security-association lifetime kilobytes 10000
crypto map mymap 320 match address outside_cryptomap_320
crypto map mymap 320 set pfs
crypto map mymap 320 set peer XXXXX
crypto map mymap 320 set transform-set XXXXX
crypto map mymap 320 set security-association lifetime seconds 28800
crypto map mymap 320 set security-association lifetime kilobytes 4608000
crypto map mymap 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map mymap interface outside
isakmp policy 150 authentication pre-share
isakmp policy 150 encryption 3des
isakmp policy 150 hash md5
isakmp policy 150 group 2
tunnel-group 212.200.x.x type ipsec-l2l
tunnel-group 212.200.x.x ipsec-attributes
pre-shared-key *
Please advise.
Thank you.
Hello Ashley,
Thank you for this info. Now from the router site the tunnel is coming up and I can see packets, but although the tunnel is up it cannot telnet to our server (172.40.10.100) on a specific port.
We from the ASA site can ping the router site and telnet.
Any ideas???
Thank you all for your answers!
Can not ping internal network from ASA
I cannot ping an internal computer from the ASA. The computer's IP address is 192.168.187.15, the gateway is 192.168.187.14, which is the ASA internal interface. I've got an IP phone connected to the same ASA with IP address 192.168.185.15 and internal ASA interface 192.168.185.14, and everything works fine. We are doing testing, so do not be surprised by the configuration.
ASA Version 8.2(1)
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
interface GigabitEthernet0/0
nameif ouside3
security-level 0
ip address 10.254.17.25 255.255.255.248
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 10.254.17.9 255.255.255.248
interface GigabitEthernet0/2
nameif Lan
security-level 100
ip address 192.168.185.14 255.255.255.0
interface GigabitEthernet0/3
nameif comp
security-level 50
ip address 192.168.187.14 255.255.255.0
interface Management0/0
nameif management
security-level 100
no ip address
management-only
boot system disk0:/asa821-k8.bin
ftp mode passive
access-list 110 extended permit ip any any
access-list nat extended permit ip any any
access-list allow_ping extended permit icmp any any echo-reply
access-list allow_ping extended permit icmp any any source-quench
access-list allow_ping extended permit icmp any any unreachable
access-list allow_ping extended permit icmp any any time-exceeded
access-list allow_ping extended permit udp any any eq isakmp
access-list allow_ping extended permit esp any any
access-list allow_ping extended permit ah any any
access-list allow_ping extended permit gre any any
access-list nonat extended permit ip any any
access-list nat2 extended permit ip any any
access-list nonat2 extended permit ip any any
pager lines 24
logging asdm informational
mtu ouside3 1500
mtu outside 1500
mtu Lan 1500
mtu comp 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (Lan) 0 access-list nonat
nat (Lan) 1 access-list nat
nat (comp) 0 access-list nonat
nat (comp) 1 access-list nat
access-group allow_ping in interface outside
router eigrp 2008
neighbor 10.254.17.10 interface outside
network 10.254.17.8 255.255.255.248
network 192.168.185.0 255.255.255.0
network 192.168.187.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 10.254.17.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map mymap 10 match address 110
crypto map mymap 10 set peer 10.254.17.10
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside
crypto map mymap2 20 match address 110
crypto map mymap2 20 set peer 10.254.17.18
crypto map mymap2 20 set transform-set myset
crypto map mymap2 interface comp
crypto map mymap3 30 match address 110
crypto map mymap3 30 set peer 10.254.17.26
crypto map mymap3 30 set transform-set myset
crypto map mymap3 interface ouside3
crypto isakmp identity address
crypto isakmp enable ouside3
crypto isakmp enable outside
crypto isakmp enable comp
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
priority-queue outside
threat-detection basic-threat
This is what I get; it looks like the ASA does not reply. Why?
ciscoasa# sh capture cpi
5 packets captured
1: 05:20:14.494908 192.168.187.15 > 192.168.187.14: icmp: echo request
2: 05:20:19.526935 192.168.187.15 > 192.168.187.14: icmp: echo request
3: 05:20:25.026320 192.168.187.15 > 192.168.187.14: icmp: echo request
4: 05:20:30.525699 192.168.187.15 > 192.168.187.14: icmp: echo request
5: 05:20:36.025084 192.168.187.15 > 192.168.187.14: icmp: echo request -
Still not understanding radial w/ transparency gradient
I am trying to create the effect of a soft glow light behind a subject.
I must be going dumb, but part of the problem is simply not "getting" the zen of doing gradients in PE, partly because everyone's very helpful suggestions seem to vary so widely on how to do it and I'm getting more confused.
What I want to do is have one color (say dark red) where I can control its saturation, size, etc. and have everything else be transparent. I will be putting this graphic later on a website that has a colored background so I need the effect of the light being cast on that background.
The more I try to learn gradients, the farther away the knowledge seems to be.
Can anyone walk me through this?
Thanks.
Tip: "delete" refers to hitting delete on the keyboard.
http://www.pixentral.com/show.php?picture=1HpboRcB57ewPTvyui1MUeb9mI4WBR0
This is as close as I can come to your request:
Select background color 0,0,155 (can be any color, but this shows up well)
File>new>blank file, 400px wide, 400px high, color mode RGB, resolution 300px/in
Access Custom shape tool. In options bar set color to white, and in shape library for this tool select the triangle shape. Click on the little triangle at the top to get the shape geometry options. Select fixed size. Enter 260 px width, 225 px height. Click on canvas to create triangle.
Now choose the oval shape in the library. Change geometry to 260 px wide, 50 px high. Click on canvas to create oval.
Access move tool, and nudge oval into position at bottom of triangle with arrow keys In layers palette, link the 2 shape layers and merge them (Layer>merge linked)
Select foreground color red
Select gradient tool, in options bar select foreground to transparent, linear gradient
In layers palette, CTRL+left click the cone layer thumbnail to select it - should see marching ants
Drag from south to north within the selection to to apply the gradient
Select>deselect
Here is a print screen to demonstrate the layer structure:
http://www.pixentral.com/show.php?picture=10Hst6bjMVa0qFttqIBp9CI6ry5id
Note the linked layers referred to above - #5
If you finally need to delete the blue background for your purpose, you can do this readily utilizing the magic wand tool.
HTH -
Guests are not getting IP & webpage
Guests are not getting IP & webpage.
I have a 4400 (6.0.199.4) WLC configured with a guest WLAN using web authentication; DHCP is configured on the ASA, and an ADSL line is connected to the ASA (for internet). This was working; since 2 days ago it is not working. Guest users are not able to get an IP address or the login web page. The error message is "Limited connectivity".
My observation:
The ADSL internet connection is working fine, the connection from the ASA to the switch is fine, and the VLAN is also up.
From the WLAN end, all parameters look good, nothing changed. Please see the log, which I took from WCS. It looks like the WLC is receiving the request from the client; I think it is not getting a response from DHCP.
Does it make sense?
Time :11/24/2011 13:27:11 CET Severity :INFO Controller IP :10.45.235.4 Message :Dhcp Information. processing DHCP DISCOVER (1)
Time :11/24/2011 13:27:11 CET Severity :INFO Controller IP :10.45.235.4 Message :Dhcp Information. op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
Time :11/24/2011 13:27:11 CET Severity :INFO Controller IP :10.45.235.4 Message :Dhcp Information. xid: 0x41839660 (1099142752), secs: 5247, flags: 0
Time :11/24/2011 13:27:11 CET Severity :INFO Controller IP :10.45.235.4 Message :Dhcp Information. chaddr: d8:2a:7e:d2:d9:92
Time :11/24/2011 13:27:11 CET Severity :INFO Controller IP :10.45.235.4 Message :Dhcp Information. ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
Time :11/24/2011 13:27:11 CET Severity :INFO Controller IP :10.45.235.4 Message :Dhcp Information. siaddr: 0.0.0.0, giaddr: 0.0.0.0
Time :11/24/2011 13:27:15 CET Severity :INFO Controller IP :10.45.235.4 Message :Dhcp Information. processing DHCP DISCOVER (1)
Time :11/24/2011 13:27:15 CET Severity :INFO Controller IP :10.45.235.4 Message :Dhcp Information. op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
Time :11/24/2011 13:27:15 CET Severity :INFO Controller IP :10.45.235.4 Message :Dhcp Information. xid: 0xd4b2de62 (3568492130), secs: 5251, flags: 0
Time :11/24/2011 13:27:15 CET Severity :INFO Controller IP :10.45.235.4 Message :Dhcp Information. chaddr: d8:2a:7e:d2:d9:92
Time :11/24/2011 13:27:15 CET Severity :INFO Controller IP :10.45.235.4 Message :Dhcp Information. ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
Time :11/24/2011 13:27:15 CET Severity :INFO Controller IP :10.45.235.4 Message :Dhcp Information. siaddr: 0.0.0.0, giaddr: 0.0.0.0
Time :11/24/2011 13:27:17 CET Severity :INFO Controller IP :10.45.235.4 Message :Dhcp Information. processing DHCP DISCOVER (1) -
VTP (revision numbers) and one client not getting updates
Hello.
Somewhere along the line one of our switches (3750x) got messed up. Once they were finally configured about 6 months ago we never touched them again.
I noticed yesterday when I created a new vlan it was not getting populated to one of our switches. For some reason I did not notice that the domain name on the switch not receiving updates was not our domain.
So I switched the domain on this switch to the correct domain and it still does not show any updates and also has a revision # of 7.
So on this switch I then unplugged all trunk ports and did "vtp mode transparent". I then switched it back to "vtp mode client vlan".
It still showed revision 7.
So I tried "vtp domain bogus" and "vtp mode transparent" and then did "vtp domain mydomain" and "vtp mode client vlan".
It still showed revision 7.
So I tried "vtp domain bogus" and "vtp mode transparent vlan" and then did "vtp domain mydomain" and "vtp mode client vlan".
It still showed revision 7.
I am at a loss as to how to fix this problem other than rebuilding the switch. I have a vtp server at revision 10 and two other switches also at revision 10 that are getting updates from the vtp server. Only one switch is not. Please note that this one switch that is not working at some point did since it has all the vlans we created on our initial installation.
-- Thanks
// GOOD switch
GOODSWITCH#show vtp status
VTP Version capable : 1 to 3
VTP version running : 3
VTP Domain Name : mydomain
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 7426.acad.de00
Feature VLAN:
VTP Operating Mode : Client
Number of existing VLANs : 15
Number of existing extended VLANs : 6
Maximum VLANs supported locally : 1005
Configuration Revision : 10
Primary ID : b838.61aa.5880
Primary Description : lab-desk
MD5 digest : 0xB8 0x3E 0x2C 0xB7 0x85 0xB5 0x5D 0xA6
0x4A 0x4E 0xFC 0x5E 0x5A 0xA1 0xAF 0xCC
Feature MST:
VTP Operating Mode : Transparent
Feature UNKNOWN:
VTP Operating Mode : Transparent
// BAD switch
BADSWITCH#show vtp status
VTP Version capable : 1 to 3
VTP version running : 3
VTP Domain Name : mydomain
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 7426.acad.ee80
Feature VLAN:
VTP Operating Mode : Client
Number of existing VLANs : 12
Number of existing extended VLANs : 6
Maximum VLANs supported locally : 1005
Configuration Revision : 7
Primary ID : b000.b4b0.f200
Primary Description : lab-desk
MD5 digest : 0x7A 0x5C 0x2E 0x05 0xF2 0x80 0x6F 0x2F
0x4E 0xE1 0x34 0x07 0x01 0x7F 0xB9 0x2B
Feature MST:
VTP Operating Mode : Transparent
Feature UNKNOWN:
VTP Operating Mode : Transparent
Output from the switch NOT getting updates.
// we have three trunk lines
TenGigabitEthernet1/1/1
TenGigabitEthernet1/1/2
TenGigabitEthernet2/1/1
// #show interfaces trunk
Port Mode Encapsulation Status Native vlan
Te1/1/1 on 802.1q trunking 1
Te1/1/2 on 802.1q trunking 1
Gi2/0/31 auto n-802.1q trunking 1
Gi2/0/46 auto n-802.1q trunking 1
Te2/1/1 on 802.1q trunking 1
Port Vlans allowed on trunk
Te1/1/1 1-4094
Te1/1/2 1-4094
Gi2/0/31 1-4094
Gi2/0/46 1-4094
Te2/1/1 1-4094
Port Vlans allowed and active in management domain
Te1/1/1 1,6,12,100,125-127,129,1032,1096,1128,1160,1192,1224
Te1/1/2 1,6,12,100,125-127,129,1032,1096,1128,1160,1192,1224
Gi2/0/31 1,6,12,100,125-127,129,1032,1096,1128,1160,1192,1224
Gi2/0/46 1,6,12,100,125-127,129,1032,1096,1128,1160,1192,1224
Te2/1/1 1,6,12,100,125-127,129,1032,1096,1128,1160,1192,1224
Port Vlans in spanning tree forwarding state and not pruned
Te1/1/1 1,6,12,100,125-127,129,1032,1096,1128,1160,1192,1224
Te1/1/2 1,6,12,100,125-127,129,1032,1096,1128,1160,1192,1224
Gi2/0/31 6,12,100,125-126,129,1032,1096,1128,1160,1192,1224
Gi2/0/46 1,6,12,100,125-127,129,1032,1096,1128,1160,1192,1224
Te2/1/1 none
show spanning-tree interface TenGigabitEthernet1/1/1
Vlan Role Sts Cost Prio.Nbr Type
VLAN0001 Root FWD 2 128.53 P2p
VLAN0006 Root FWD 2 128.53 P2p
VLAN0012 Root FWD 2 128.53 P2p
VLAN0100 Root FWD 2 128.53 P2p
VLAN0125 Root FWD 2 128.53 P2p
VLAN0126 Root FWD 2 128.53 P2p
VLAN0127 Root FWD 2 128.53 P2p
VLAN0129 Root FWD 2 128.53 P2p
VLAN1032 Root FWD 2 128.53 P2p
VLAN1096 Root FWD 2 128.53 P2p
VLAN1128 Root FWD 2 128.53 P2p
VLAN1160 Root FWD 2 128.53 P2p
VLAN1192 Root FWD 2 128.53 P2p
VLAN1224 Root FWD 2 128.53 P2p
show spanning-tree interface TenGigabitEthernet1/1/2
Vlan Role Sts Cost Prio.Nbr Type
VLAN0001 Desg FWD 2 128.54 P2p
VLAN0006 Desg FWD 2 128.54 P2p
VLAN0012 Desg FWD 2 128.54 P2p
VLAN0100 Desg FWD 2 128.54 P2p
VLAN0125 Desg FWD 2 128.54 P2p
VLAN0126 Desg FWD 2 128.54 P2p
VLAN0127 Desg FWD 2 128.54 P2p
VLAN0129 Desg FWD 2 128.54 P2p
VLAN1032 Desg FWD 2 128.54 P2p
VLAN1096 Desg FWD 2 128.54 P2p
VLAN1128 Desg FWD 2 128.54 P2p
VLAN1160 Desg FWD 2 128.54 P2p
VLAN1192 Desg FWD 2 128.54 P2p
VLAN1224 Desg FWD 2 128.54 P2p
show spanning-tree interface TenGigabitEthernet2/1/1
Vlan Role Sts Cost Prio.Nbr Type
VLAN0001 Altn BLK 2 128.109 P2p
VLAN0006 Altn BLK 2 128.109 P2p
VLAN0012 Altn BLK 2 128.109 P2p
VLAN0100 Altn BLK 2 128.109 P2p
VLAN0125 Altn BLK 2 128.109 P2p
VLAN0126 Altn BLK 2 128.109 P2p
VLAN0127 Altn BLK 2 128.109 P2p
VLAN0129 Altn BLK 2 128.109 P2p
VLAN1032 Altn BLK 2 128.109 P2p
VLAN1096 Altn BLK 2 128.109 P2p
VLAN1128 Altn BLK 2 128.109 P2p
VLAN1160 Altn BLK 2 128.109 P2p
VLAN1192 Altn BLK 2 128.109 P2p
VLAN1224 Altn BLK 2 128.109 P2p -
LAN was down ie Users are not getting ip from DHCP server after enabling DHCP snooping
Hi All ,
Enclosed file has network connectivity diagram.
1. L3 vlan's ie 2,3,4,5 and 6 are configured on ACC-CR1 and ACC-CR2.
2. Trunks are configured between the core switches (CR1 and CR2) and the access switches. VTP mode is transparent on all switches. L2 VLANs are configured on all access switches.
3. The DHCP server is located at a different location and is reachable over MPLS.
Without enabling DHCP snooping, users connected to the access switches (Sw1, Sw2, Sw3 and Sw4) are getting IP addresses from the DHCP server without any problem and everything is working fine.
But users connected to Sw3 and Sw4 are getting IP addresses from a rogue DHCP server which is not pingable from any of the switches.
So we have configured DHCP snooping for all VLANs on CR1, CR2, SW3 and SW4, and trusted the uplink ports which are connected to the WAN routers from CR1 and CR2, and also trusted the uplink ports of Sw3 and Sw4 which are connected to CR1 and CR2.
As soon as we enabled DHCP snooping and trusted the respective uplink ports, users were not getting IP addresses from the remote DHCP server, and even users connected to Sw1 and SW2 are facing the same issue.
Note: DHCP snooping is not configured on SW1 and SW2.
Why are users not getting IP addresses from the remote DHCP server as soon as we enabled DHCP snooping on the core switches and the two access switches Sw3 and Sw4? What could have caused DHCP packets to be dropped? Any idea would be appreciated.
Hi,
as you say: "HSRP is configured between CR1 and CR2 and Vlans are active on CR1" does it mean there are L3 interfaces configured in each VLAN on your CR switches and an ip helper-address pointing to the remote DHCP server is configured on each of them?
I know it's difficult in a productive environment but IMHO you need to find out where are the DHCP offers dropped.
Either by enabling DHCP debugging or by capturing packets via Wireshark, e.g.
Best regards,
Milan -
Hi,
I'm trying to get started on setting up my first Transparent ASA.
I understand an ASA in Transparent Mode can now have an ip address with Bridge Groups or some such mechanism. I'm looking for examples of how to set that up and other information below.
Is the ip address associated with the device or is it interface specific? Will I be able to SSH with that ip address setup?
Can I use ASDM if the Transparent ASA has an ip address?
This 5512X has an IPS. Anyone who has set up an IPS on this platform knows it has some very particular requirements in order to communicate with the outside world. I need examples of how to do that with a Transparent ASA.
How is NAT set up differently (if at all) on a Transparent ASA?
Are ACLs done any differently?
Any help is appreciated. Examples or links are great.
Thanks.
You will now use Bridge-Groups...
It's specific to a bridge group (the IP address) and yes, you will be able to SSH, telnet, and ASDM to that IP.
NAT and ACL setup is the same thing.
Here is a quick example I did
interface bvI 10
ip address 192.168.12.1 255.255.255.0
no shut
interface gigabitEthernet 0
nameif outside
no shut
interface gigabitEthernet 0
bridge-group 10
interface gigabitEthernet 1
nameif inside
no shut
bridge-group 10