PC not getting IP in transparent ASA

Hi everyone,
ASA 505 is connected to layer 3 switch.
ASA is in transparent mode.
Layer 3 switch has SVI Vlan 20 and also it has dhcp server for vlan 20.
PC connected to transparent switch is not able to get the IP address from layer switch.
I have configured the ACL on outside interface of ASA to allow the DHCP reply coming from Switch.
When I assign static IP to PC connected to port eth0/1 of ASA it works fine.
ciscoasa# sh run
: Saved
ASA Version 9.1(1)
firewall transparent
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 20
interface Ethernet0/1
switchport access vlan 13
interface Ethernet0/2
shutdown
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
interface Vlan1
no nameif
no security-level
interface Vlan13
nameif inside
bridge-group 1
security-level 100
interface Vlan20
nameif Outside
bridge-group 1
security-level 0
interface BVI1
ip address 192.168.20.59 255.255.255.0
boot system disk0:/asa911-k8.bin
ftp mode passive
object network Broadcast
host 255.255.255.255
object network Dhcp-Server
host 192.168.20.3
access-list inside_access_in extended permit ip any any
access-list Outside_access_in extended permit udp object Dhcp-Server object Broadcast eq bootpc log
access-list inside_access_in_1 extended permit ip any any
pager lines 24
mtu Outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-712.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group Outside_access_in in interface Outside
access-group inside_access_in_1 in interface inside
route Outside 0.0.0.0 0.0.0.0 192.168.20.3 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 0.0.0.0 0.0.0.0 Outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Outside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
Cryptochecksum:cbcb87f40ea45d3bd0b6376e92b5fe8a
: end
ciscoasa#
Thanks
mahesh
Message was edited by: mahesh parmar

Hi Jouni,
It worked great as always.
I got this ASA Security plus license few days back so trying to learn some concepts in home lab.
Need to understand the reason for these 2 ACL
1>access-list OUTSIDE-IN permit icmp host any echo
I already have ICMP under global policy so why we use the above ACL?
Also this ACL has hit counts to 0
2>when we allowed ACL to allow BootPC reply from any host to broadcast address then why do we need this second ACL?
access-list OUTSIDE-IN permit udp host 192.168.20.0 255.255.255.0 eq bootpc
This ACL has also hit count to 0
Thanks
mahesh
Message was edited by: mahesh parmar
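
As an added illustration (not part of the thread and not Cisco code), the Python example below evaluates the Outside_access_in entry from the posted configuration against the two forms a DHCP server reply can take under RFC 2131: broadcast to 255.255.255.255, or unicast to the offered address when the client did not set the broadcast flag. The offered address 192.168.20.50 and the widened second entry are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

BOOTPS, BOOTPC = 67, 68  # DHCP server and client UDP ports


@dataclass(frozen=True)
class Ace:
    """One 'permit udp <src> <dst> eq <port>' entry, networks in CIDR form."""
    src: str
    dst: str
    dst_port: int

    def matches(self, pkt: dict) -> bool:
        return (
            pkt["proto"] == "udp"
            and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
            and pkt["dport"] == self.dst_port
        )


def permitted(acl, pkt: dict) -> bool:
    """Every entry here is a permit, so any match passes the packet;
    a packet that matches nothing falls through to the implicit deny."""
    return any(ace.matches(pkt) for ace in acl)


def dhcp_reply(server: str, yiaddr: str, broadcast_flag: bool) -> dict:
    """IP/UDP header fields of a server reply (OFFER/ACK) per RFC 2131 4.1:
    broadcast if the client set the broadcast flag, else unicast to yiaddr."""
    dst = "255.255.255.255" if broadcast_flag else yiaddr
    return {"proto": "udp", "src": server, "sport": BOOTPS,
            "dst": dst, "dport": BOOTPC}


# Taken from the posted configuration: object Dhcp-Server and object Broadcast.
DHCP_SERVER = "192.168.20.3"
POSTED_ACL = [Ace("192.168.20.3/32", "255.255.255.255/32", BOOTPC)]

# Assumptions for the example: an address the server might offer on VLAN 20,
# and an extra entry that also covers replies unicast into 192.168.20.0/24.
OFFERED_ADDR = "192.168.20.50"
WIDENED_ACL = POSTED_ACL + [Ace("192.168.20.3/32", "192.168.20.0/24", BOOTPC)]


def evaluate(acl) -> dict:
    """Which reply forms does this outside ACL let through to the inside?"""
    return {
        "broadcast": permitted(acl, dhcp_reply(DHCP_SERVER, OFFERED_ADDR, True)),
        "unicast": permitted(acl, dhcp_reply(DHCP_SERVER, OFFERED_ADDR, False)),
    }


if __name__ == "__main__":
    for name, acl in (("posted", POSTED_ACL), ("widened", WIDENED_ACL)):
        print(name, evaluate(acl))
```
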

Similar Messages

  • Unable to establish OSPFv3 neighbors through transparent ASA

    I have 2 devices running IPv6 with an ASA ver 8.4(2) in transparent mode with multiple contexts in between them.  I can ipv6 ping the devices through the ASA but can not get the 2 devices to establish OSPFv3 adjacency.  They are able to establish adjacency with ipv4 OSPF.  When running debug ipv6 ospf hello I see each of the devices sending hellos but not receiving them from the device on the other side of the ASA. I notice that the hellos are coming from the link local addresses and not the unique global addresses that I applied to the interfaces. If I connect a device directly to one of the devices I can establish OSPFv3 adjacency without a problem.
    Any thoughts?
    Bob

    Bob,
    It is expected that OSPF/EIGRP etc use link local rather than unique global ;-)
    Regarding the problem.
    - please enable
    logging buffered info
    logging buffer-size 1000000
    - and ASP drop capture.
    cap ASP type asp all
    Try establishing the adjacency and check
    show logg
    sh cap ASP
    I would also try establishing the adjacency without multicast (point-to-multipoint network should allow this).
    Marcin

  • Links not getting displayed in the contextual panel

    Hi,
    I have created a contextual panel inside a transparent container. And created a method in the same view supply_values of type supply function to supply the values to the panel. Inside the method I have coded like:
    DATA TAB  TYPE WD_THIS->ELEMENTS_N_VIEW_SWITCH.
      DATA LINE TYPE WD_THIS->ELEMENT_N_VIEW_SWITCH.
      LINE-TEXT    = 'User Manual'. "#EC NOTEXT
      LINE-ENABLED = ABAP_TRUE.
      APPEND LINE TO TAB.
      LINE-TEXT    = 'Logout'. "#EC NOTEXT
      LINE-ENABLED = ABAP_TRUE.
      APPEND LINE TO TAB.
      NODE->BIND_TABLE( TAB ).
    Also in the context of the view I have created a node and supplied the method 'supply_values' in the supply function. Under the node I have 2 attributes named text and enabled. Text is of string type and enabled is of boolean type. In the properties of the contextual panel I have bound the visible property with the enabled attribute.
    Now when I am running this application, links are not getting displayed in the contextual panel. Though when I debug TAB contains the values. Please suggest if I have missed out something or I need to look into the properties of the contextual panel. Any pointers will be really helpful.
    Regards,
    Ashutosh

    Hi,
    Can you elaborate ' ItemEnable property of ViewSwitch'.
    I have already bound the enable property of the panel with a context attribute of type wdy_boolean  but it is still not working. 
    Regards,
    Ashutosh

  • AnyConnect Profiles not getting downloaded.

    Dear Team Members
    I am facing the following issue in AnyConnect VPN deployment.
    Requirement - Users should receive AnyConnect Profile, which has SCEP enabled, so that they can request a certificate from the organization Microsoft CA.
    I already have a Certificate on ASA from the same CA and I want to use certificate authentication for AnyConnect.
    ASA version is 8.4, I defined the flow as
    1: Create User > bind it with a group policy > bind group policy with tunnel-group ( Connection profile)
    2: Define a profile ( that has SCEP enabled & CA information URL etc..) and bind it with the group policy and also add it under
       webvpn
       AnyConnect Profile ....
    When I initiate https://ASA_Ip_Address I authenticate with the username/password created above, AnyConnect is installed and I am connected, but the profile is not downloaded, because I see no change on my AnyConnect Screen to request for a certificate. It remains the same, as no profile is available.
    I have followed the standard procedure... Plz guide me, what could be going wrong.
    Any inputs from your side will be highly appreciated.
    Thanks
    Ahad

    Hello Marvin
    Thanks for your efforts for responding
    As such I am using ASA 8.4, ASDM 6.47 & Anyconnect Package -  Anyconnect-win-2.5.3055-k9.pkg ( I am using ver 2.5, because ver 3.0 does not support iPhones & Windows Mobile Phones).
    Client PC - Windows 7 - 32 bit
    1: I created Anyconnect profile using ASDM, it has simple settings to publish CA server details for SCEP, so that Anyconnect users can request the certificate through SCEP ( XML file attached)
    2: As checked, profile folder is not available in
    c:\program files \ cisco \ Cisco Anyconnect VPN Client
    that simply means that profiles are not getting downloaded.
    3: Configuration is attached & also the profile XML File.
    you could try manually copying the xml onto a test client to see if it then behaves in the way you desire. - can u explain a bit more, how this testing can be done.
    Plz let me know, what additional config is required.
    Thanks in advance
    Ahad

  • Summing command is not getting the result

    Hi All,
    I am using summing command in my script to print page total on every page.
    I have used:
    SUMMING &ITAB_TDS-BASAMT& INTO &ZTDS-BASE_AMT&
    Here itab-tds is my internal table which contains the line items, and ztds is the R/3 transparent table (global) in which the field base_amt is the currency type field.
    But when I debug the script, I find that ZTDS-BASE_AMT does not get any values (even though itab_tds-basamt has values).
    I have declared ZTDS in the tables stmt in the print program (tables: ztds. )
    Plz tell me how to get rid of this problem?
    Regards,
    Niyati

    Hi,
    I think this will solve your problem.
    - To use command SUMMING:
    /: SUMMING PROGRAM_SYMBOL INTO TOTAL_SYMBOL
    The PROGRAM_SYMBOL is the global variable you want to sum, TOTAL_SYMBOL is a variable defined in the sapscript:
    /: DEFINE TOTAL_SYMBOL = '0'.
    You should try to define TOTAL_SYMBOL just once (for example in a window you use only once).
    Reward points to all useful answers.
    Regards,
    SaiRam

  • Traffic Other than ICMP does not Get Policy NATed

    Hi Folks,
    I have applied policy based NAT on one ASA firewall. Assume that Source Inside Network is 192.168.1.0 and destination (Outside) network is 192.168.2.0. Now using Policy NAT I am translating source Subnet 192.168.1.0 to a global address 192.168.2.10.
    access-list 1 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    nat (inside) 15 access-list 1
    global (outside) 15 192.168.2.10 netmask 255.255.255.255
    Now what I observe is when I do ping to a Destination IP 192.168.2.20, the source IPs (192.168.1.0/24) get translated to 192.168.2.10.
    However when I try to take RDP of the same system, the source IPs do not get translated.
    And I am completely perturbed as to why this inconsistency.
    Kindly Help.

    Hi,
    It might be that you would need 7.2 software if I remember correctly.
    I would probably first check ASDM logs while testing the connection and see what translation and connection forming messages I see.
    I would naturally see the whole NAT configuration of the device which I could go through to see if there is anything wrong there. If there is possibly some other NAT configuration causing problems.
    I would suggest considering an update for the firewall software. If you don't want major changes to the configuration format then software 8.2(5) would probably be the newest version for you.
    - Jouni

  • WCCP does not work between WSA and ASA

    I have configured WCCPv2 between WSA S160 (6.3.1-025) and ASA5540 (8.2(1)109).
    Everything seems to be OK by "show wccp *" on ASA and showing wccp debugging messages (level 4) on S160. Despite this, WCCP redirection does not work.
    If I use packet-capture I figure out that S160 receives GRE packets with TCP SYN from particular LAN host to WWW sites but S160 does not handle them and does not send anything back to ASA.
    It is an Exempt from authentication for this LAN host and in Forward proxy mode everything works well.
    I have attached an example of a packet-capture (S160.txt - renamed from .cap) and debugging messages from S160 & "show" from ASA.
    Does anybody have any idea what the problem is and how I can resolve it ?

    IronPort Support team helped me to find the trouble:
    If I wish to handle specific port's (80, 8080, etc.) traffic by the transparent proxy I need to configure this port like a listener for the FORWARD proxy
    ("Security Services" -> "Proxy Settings" -> "HTTP Ports to Proxy")
    The WSA guide doesn't clearly say about it.
    So the Discussion can be closed ...

  • Select statement failed to get data from transparent table

    Hi Experts,
    Please let me know why my select statement is failing to get data from transparent table REGUH. My code query is as below:
    SELECT * FROM REGUH WHERE
                              LAUFD = RUN_DATE AND
                              LAUFI = ID AND
                              LIFNR = P0009-PERNR AND
                              RZAWE = 'C'.
      MOVE REGUH-RWBTR TO CASH.
          CASH = CASH * -1.
      ENDSELECT.
    REGUH table has data for the given query but it is not retrieving the data. Please let me know what is the problem with the query because of which it is not fetching the data. The same query is working fine in Development but fails in production, maybe because one new patch is updated. Please help asap.

    Hi Ankita,
    Why are you going for select *?
    Try This...
    SELECT SINGLE RWBTR
                  FROM REGUH
                  INTO v_RWBTR
                  WHERE LAUFD = RUN_DATE
                   AND  LAUFI = ID
                   AND  LIFNR = P0009-PERNR
                   AND  RZAWE = 'C'.
    MOVE v_RWBTR TO CASH.
    CASH = CASH * -1.
    Regards,
    Raj.

  • L2L issue, the tunnel does not getting up from one direction

    Hello,
    We have configured a L2L vpn between Asa and 1841 router. We are facing this issue.
    The tunnel never comes up from the 1841 site. When we are trying to generate traffic from the ASA site the tunnel is up and we can see decrypts and encrypts packets.
    Router 1841 Config:
    crypto isakmp policy 100
    encr 3des
    hash md5
    authentication pre-share
    group 2
    crypto isakmp key * address 213.249.XX.XX
    crypto ipsec transform-set XXXXX esp-3des esp-md5-hmac
    crypto map EKO_BG 100 ipsec-isakmp
    set peer 213.249.x.x
    set security-association lifetime seconds 28800
    set transform-set XXXXX
    set pfs group2
    match address 111
    interface FastEthernet0/0.2
    encapsulation dot1Q 3338
    ip address 212.200.30.130 255.255.255.252
    ip nat outside
    ip virtual-reassembly
    crypto map XXXXX
    ip nat pool nat_pool 93.87.XX.XX 93.87.XX.XX prefix-length 29
    ip nat inside source list 101 pool nat_pool overload
    ip nat inside source static 10.70.2.10 93.87.18.161
    ip nat inside source static 10.70.25.10 93.87.18.162
    ip nat inside source static 10.70.36.5 93.87.18.163
    ip nat inside source static 10.70.39.10 93.87.18.164
    ip nat inside source static 10.70.5.10 93.87.18.165
    access-list 101 deny   ip 10.70.200.0 0.0.0.255 any
    access-list 101 permit ip 10.70.0.0 0.0.255.255 any
    access-list 111 permit ip 10.70.200.0 0.0.0.255 172.40.10.100 0.0.0.3
    Asa Config:
    access-list inside_nat0_outbound extended permit ip 172.40.10.100 255.255.255.252 10.70.200.0 255.255.255.0
    access-list outside_cryptomap_320 remark xxxxxxx
    access-list outside_cryptomap_320 extended permit ip 172.40.10.100 255.255.255.252 10.70.200.0 255.255.255.0
    access-list inside_pnat_outbound_V5 extended permit ip host 10.8.x.x 10.70.200.0 255.255.255.0
    pager lines 24
    nat (inside) 9 access-list inside_pnat_outbound_V5
    crypto ipsec transform-set xxxxx esp-3des esp-md5-hmac
    crypto map mymap 150 match address
    crypto map mymap 150 set pfs
    crypto map mymap 150 set peer XXXXXX
    crypto map mymap 150 set transform-set XXX
    crypto map mymap 150 set security-association lifetime seconds 28800
    crypto map mymap 150 set security-association lifetime kilobytes 10000
    crypto map mymap 320 match address outside_cryptomap_320
    crypto map mymap 320 set pfs
    crypto map mymap 320 set peer XXXXX
    crypto map mymap 320 set transform-set XXXXX
    crypto map mymap 320 set security-association lifetime seconds 28800
    crypto map mymap 320 set security-association lifetime kilobytes 4608000
    crypto map mymap 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map mymap interface outside
    isakmp policy 150 authentication pre-share
    isakmp policy 150 encryption 3des
    isakmp policy 150 hash md5
    isakmp policy 150 group 2
    tunnel-group 212.200.x.x type ipsec-l2l
    tunnel-group 212.200.x.x ipsec-attributes
    pre-shared-key *
    Please advise.
    Thank you.

    hello Ashley,
    Thank you for this info. Now from the router site the tunnel is coming up and I can see packets, but although the tunnel is up it can not make telnet to our server (172.40.10.100) on a specific port.
    We from ASA site can ping router Site and make telnet.
    Any ideas???
    Thank you all for your answers!

  • Can not ping internal network from ASA

    I can not ping internal computer from ASA. Comp IP address 192.168.187.15, gateway is 192.168.187.14 which is ASA internal interface. I've got an IP Phone connected to the same ASA with Ip address 192.168.185.15 and internal ASA interface 192.168.185.14 and everything works fine. We are doing testing, do not be surprised of configuration.
    ASA Version 8.2(1)
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    dns-guard
    interface GigabitEthernet0/0
    nameif ouside3
    security-level 0
    ip address 10.254.17.25 255.255.255.248
    interface GigabitEthernet0/1
    nameif outside
    security-level 0
    ip address 10.254.17.9 255.255.255.248
    interface GigabitEthernet0/2
    nameif Lan
    security-level 100
    ip address 192.168.185.14 255.255.255.0
    interface GigabitEthernet0/3
    nameif comp
    security-level 50
    ip address 192.168.187.14 255.255.255.0
    interface Management0/0
    nameif management
    security-level 100
    no ip address
    management-only
    boot system disk0:/asa821-k8.bin
    ftp mode passive
    access-list 110 extended permit ip any any
    access-list nat extended permit ip any any
    access-list allow_ping extended permit icmp any any echo-reply
    access-list allow_ping extended permit icmp any any source-quench
    access-list allow_ping extended permit icmp any any unreachable
    access-list allow_ping extended permit icmp any any time-exceeded
    access-list allow_ping extended permit udp any any eq isakmp
    access-list allow_ping extended permit esp any any
    access-list allow_ping extended permit ah any any
    access-list allow_ping extended permit gre any any
    access-list nonat extended permit ip any any
    access-list nat2 extended permit ip any any
    access-list nonat2 extended permit ip any any
    pager lines 24
    logging asdm informational
    mtu ouside3 1500
    mtu outside 1500
    mtu Lan 1500
    mtu comp 1500
    mtu management 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (Lan) 0 access-list nonat
    nat (Lan) 1 access-list nat
    nat (comp) 0 access-list nonat
    nat (comp) 1 access-list nat
    access-group allow_ping in interface outside
    router eigrp 2008
    neighbor 10.254.17.10 interface outside
    network 10.254.17.8 255.255.255.248
    network 192.168.185.0 255.255.255.0
    network 192.168.187.0 255.255.255.0
    route outside 0.0.0.0 0.0.0.0 10.254.17.10 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set myset esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map mymap 10 match address 110
    crypto map mymap 10 set peer 10.254.17.10
    crypto map mymap 10 set transform-set myset
    crypto map mymap interface outside
    crypto map mymap2 20 match address 110
    crypto map mymap2 20 set peer 10.254.17.18
    crypto map mymap2 20 set transform-set myset
    crypto map mymap2 interface comp
    crypto map mymap3 30 match address 110
    crypto map mymap3 30 set peer 10.254.17.26
    crypto map mymap3 30 set transform-set myset
    crypto map mymap3 interface ouside3
    crypto isakmp identity address
    crypto isakmp enable ouside3
    crypto isakmp enable outside
    crypto isakmp enable comp
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 28800
    no crypto isakmp nat-traversal
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    priority-queue outside
    threat-detection basic-threat

    This is what I get, looks like ASA does not reply. Why?
    ciscoasa# sh capture cpi
    5 packets captured
    1: 05:20:14.494908 192.168.187.15 > 192.168.187.14: icmp: echo request
    2: 05:20:19.526935 192.168.187.15 > 192.168.187.14: icmp: echo request
    3: 05:20:25.026320 192.168.187.15 > 192.168.187.14: icmp: echo request
    4: 05:20:30.525699 192.168.187.15 > 192.168.187.14: icmp: echo request
    5: 05:20:36.025084 192.168.187.15 > 192.168.187.14: icmp: echo request

  • Still not understanding radial w/ transparency gradient

    I am trying to create the effect of a soft glow light behind a subject.
    I must be going dumb, but part of the problem is simply not "getting" the zen of doing gradients in PE, partly because everyone's very helpful suggestions seem to vary so widely on how to do it and I'm getting more confused.
    What I want to do is have one color (say dark red) where I can control its saturation, size, etc. and have everything else be transparent. I will be putting this graphic later on a website that has a colored background so I need the effect of the light being cast on that background.
    The more I try to learn gradients, the farther away the knowledge seems to be.
    Can anyone walk me through this?
    Thanks. 

    Tip: "delete" refers to hitting delete on the keyboard.
    http://www.pixentral.com/show.php?picture=1HpboRcB57ewPTvyui1MUeb9mI4WBR0
    This is as close as I can come to your request:
    Select background color 0,0,155 (can be any color, but this shows up well)
    File>new>blank file, 400px wide, 400px high, color mode RGB, resolution 300px/in
    Access Custom shape tool. In options bar set color to white, and in shape library for this tool select the triangle shape. Click on the little triangle at the top to get the shape geometry options. Select fixed size. Enter 260 px width, 225 px height. Click on canvas to create triangle.
    Now choose the oval shape in the library. Change geometry to 260 px wide, 50 px high. Click on canvas to create oval.
    Access move tool, and nudge oval into position at bottom of triangle with arrow keys. In layers palette, link the 2 shape layers and merge them (Layer>merge linked)
    Select foreground color red
    Select gradient tool, in options bar select foreground to transparent, linear gradient
    In layers palette, CTRL+left click the cone layer thumbnail to select it - should see marching ants
    Drag from south to north within the selection to apply the gradient
    Select>deselect
    Here is a print screen to demonstrate the layer structure:
    http://www.pixentral.com/show.php?picture=10Hst6bjMVa0qFttqIBp9CI6ry5id
    Note the linked layers referred to above - #5
    If you finally need to delete the blue background for your purpose, you can do this readily utilizing the magic wand tool.
    HTH

  • Guests are not getting IP & webpage

    Guests are not getting IP & webpage.
    I have a 4400 (6.0.199.4) WLC configured with a guest WLAN using web authentication, DHCP is configured on the ASA, and the ADSL line is connected to the ASA (for internet). This was working; for the last 2 days it has not been working. Guest users are not able to get the IP address & login web page. Error message is Limited connectivity.
    My observation.
    ADSL internet connection is working fine & from ASA to switch connection is fine & VLAN is also up.
    From WLAN end, all parameters look good, nothing changed.

    Please see the log, which I took from WCS. It looks like the WLC is receiving the request from the client... I think it is not getting a response from DHCP...
    Does it make sense?
    Time :11/24/2011 13:27:11 CET Severity :INFO Controller IP :10.45.235.4 Message :Dhcp Information. processing DHCP DISCOVER (1)
    Time :11/24/2011 13:27:11 CET Severity :INFO Controller IP :10.45.235.4 Message :Dhcp Information.   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
    Time :11/24/2011 13:27:11 CET Severity :INFO Controller IP :10.45.235.4 Message :Dhcp Information.   xid: 0x41839660 (1099142752), secs: 5247, flags: 0
    Time :11/24/2011 13:27:11 CET Severity :INFO Controller IP :10.45.235.4 Message :Dhcp Information.   chaddr: d8:2a:7e:d2:d9:92
    Time :11/24/2011 13:27:11 CET Severity :INFO Controller IP :10.45.235.4 Message :Dhcp Information.   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
    Time :11/24/2011 13:27:11 CET Severity :INFO Controller IP :10.45.235.4 Message :Dhcp Information.   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
    Time :11/24/2011 13:27:15 CET Severity :INFO Controller IP :10.45.235.4 Message :Dhcp Information. processing DHCP DISCOVER (1)
    Time :11/24/2011 13:27:15 CET Severity :INFO Controller IP :10.45.235.4 Message :Dhcp Information.   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
    Time :11/24/2011 13:27:15 CET Severity :INFO Controller IP :10.45.235.4 Message :Dhcp Information.   xid: 0xd4b2de62 (3568492130), secs: 5251, flags: 0
    Time :11/24/2011 13:27:15 CET Severity :INFO Controller IP :10.45.235.4 Message :Dhcp Information.   chaddr: d8:2a:7e:d2:d9:92
    Time :11/24/2011 13:27:15 CET Severity :INFO Controller IP :10.45.235.4 Message :Dhcp Information.   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
    Time :11/24/2011 13:27:15 CET Severity :INFO Controller IP :10.45.235.4 Message :Dhcp Information.   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
    Time :11/24/2011 13:27:17 CET Severity :INFO Controller IP :10.45.235.4 Message :Dhcp Information. processing DHCP DISCOVER (1)

  • VTP (revision numbers) and one client not getting updates

    Hello.
    Somewhere along the line one of our switches (3750x) got messed up. Once they were finally configured about 6 months ago we never touched them again.
    I noticed yesterday when I created a new vlan it was not getting populated to one of our switches. For some reason I did not notice that the domain name on the switch not receiving updates was not our domain.
    So I switched the domain on this switch to the correct domain and it still does not show any updates and also has a revision # of 7.
    So on this switch I then unplugged all trunk ports and did "vtp mode transparent". I then switched it back to "vtp mode client vlan".
    It still showed revision 7.
    So I tried "vtp domain bogus" and "vtp mode transparent" and then did "vtp domain mydomain" and "vtp mode client vlan".
    It still showed revision 7.
    So I tried "vtp domain bogus" and "vtp mode transparent vlan" and then did "vtp domain mydomain" and "vtp mode client vlan".
    It still showed revision 7.
    I am at a loss as to how to fix this problem other than rebuilding the switch. I have a vtp server at revision 10 and two other switches also at revision 10 that are getting updates from the vtp server. Only one switch is not.  Please note that this one switch that is not working at some point did since it has all the vlans we created on our initial installation.
    -- Thanks
    // GOOD switch
    GOODSWITCH#show vtp status
    VTP Version capable             : 1 to 3
    VTP version running             : 3
    VTP Domain Name                 : mydomain
    VTP Pruning Mode                : Disabled
    VTP Traps Generation            : Disabled
    Device ID                       : 7426.acad.de00
    Feature VLAN:
    VTP Operating Mode                : Client
    Number of existing VLANs          : 15
    Number of existing extended VLANs : 6
    Maximum VLANs supported locally   : 1005
    Configuration Revision            : 10
    Primary ID                        : b838.61aa.5880
    Primary Description               : lab-desk
    MD5 digest                        : 0xB8 0x3E 0x2C 0xB7 0x85 0xB5 0x5D 0xA6
                                        0x4A 0x4E 0xFC 0x5E 0x5A 0xA1 0xAF 0xCC
    Feature MST:
    VTP Operating Mode                : Transparent
    Feature UNKNOWN:
    VTP Operating Mode                : Transparent
    // BAD switch
    BADSWITCH#show vtp status
    VTP Version capable             : 1 to 3
    VTP version running             : 3
    VTP Domain Name                 : mydomain
    VTP Pruning Mode                : Disabled
    VTP Traps Generation            : Disabled
    Device ID                       : 7426.acad.ee80
    Feature VLAN:
    VTP Operating Mode                : Client
    Number of existing VLANs          : 12
    Number of existing extended VLANs : 6
    Maximum VLANs supported locally   : 1005
    Configuration Revision            : 7
    Primary ID                        : b000.b4b0.f200
    Primary Description               : lab-desk
    MD5 digest                        : 0x7A 0x5C 0x2E 0x05 0xF2 0x80 0x6F 0x2F
                                        0x4E 0xE1 0x34 0x07 0x01 0x7F 0xB9 0x2B
    Feature MST:
    VTP Operating Mode                : Transparent
    Feature UNKNOWN:
    VTP Operating Mode                : Transparent

    Output from the switch NOT getting updates.
    // we have three trunk lines
    TenGigabitEthernet1/1/1
    TenGigabitEthernet1/1/2
    TenGigabitEthernet2/1/1
    // #show interfaces trunk
    Port        Mode             Encapsulation  Status        Native vlan
    Te1/1/1     on               802.1q         trunking      1
    Te1/1/2     on               802.1q         trunking      1
    Gi2/0/31    auto             n-802.1q       trunking      1
    Gi2/0/46    auto             n-802.1q       trunking      1
    Te2/1/1     on               802.1q         trunking      1
    Port        Vlans allowed on trunk
    Te1/1/1     1-4094
    Te1/1/2     1-4094
    Gi2/0/31    1-4094
    Gi2/0/46    1-4094
    Te2/1/1     1-4094
    Port        Vlans allowed and active in management domain
    Te1/1/1     1,6,12,100,125-127,129,1032,1096,1128,1160,1192,1224
    Te1/1/2     1,6,12,100,125-127,129,1032,1096,1128,1160,1192,1224
    Gi2/0/31    1,6,12,100,125-127,129,1032,1096,1128,1160,1192,1224
    Gi2/0/46    1,6,12,100,125-127,129,1032,1096,1128,1160,1192,1224
    Te2/1/1     1,6,12,100,125-127,129,1032,1096,1128,1160,1192,1224
    Port        Vlans in spanning tree forwarding state and not pruned
    Te1/1/1     1,6,12,100,125-127,129,1032,1096,1128,1160,1192,1224
    Te1/1/2     1,6,12,100,125-127,129,1032,1096,1128,1160,1192,1224
    Gi2/0/31    6,12,100,125-126,129,1032,1096,1128,1160,1192,1224
    Gi2/0/46    1,6,12,100,125-127,129,1032,1096,1128,1160,1192,1224
    Te2/1/1     none
    show spanning-tree interface TenGigabitEthernet1/1/1
    Vlan                Role Sts Cost      Prio.Nbr Type
    VLAN0001            Root FWD 2         128.53   P2p
    VLAN0006            Root FWD 2         128.53   P2p
    VLAN0012            Root FWD 2         128.53   P2p
    VLAN0100            Root FWD 2         128.53   P2p
    VLAN0125            Root FWD 2         128.53   P2p
    VLAN0126            Root FWD 2         128.53   P2p
    VLAN0127            Root FWD 2         128.53   P2p
    VLAN0129            Root FWD 2         128.53   P2p
    VLAN1032            Root FWD 2         128.53   P2p
    VLAN1096            Root FWD 2         128.53   P2p
    VLAN1128            Root FWD 2         128.53   P2p
    VLAN1160            Root FWD 2         128.53   P2p
    VLAN1192            Root FWD 2         128.53   P2p
    VLAN1224            Root FWD 2         128.53   P2p
    show spanning-tree interface TenGigabitEthernet1/1/2
    Vlan                Role Sts Cost      Prio.Nbr Type
    VLAN0001            Desg FWD 2         128.54   P2p
    VLAN0006            Desg FWD 2         128.54   P2p
    VLAN0012            Desg FWD 2         128.54   P2p
    VLAN0100            Desg FWD 2         128.54   P2p
    VLAN0125            Desg FWD 2         128.54   P2p
    VLAN0126            Desg FWD 2         128.54   P2p
    VLAN0127            Desg FWD 2         128.54   P2p
    VLAN0129            Desg FWD 2         128.54   P2p
    VLAN1032            Desg FWD 2         128.54   P2p
    VLAN1096            Desg FWD 2         128.54   P2p
    VLAN1128            Desg FWD 2         128.54   P2p
    VLAN1160            Desg FWD 2         128.54   P2p
    VLAN1192            Desg FWD 2         128.54   P2p
    VLAN1224            Desg FWD 2         128.54   P2p
    show spanning-tree interface TenGigabitEthernet2/1/1
    Vlan                Role Sts Cost      Prio.Nbr Type
    VLAN0001            Altn BLK 2         128.109  P2p
    VLAN0006            Altn BLK 2         128.109  P2p
    VLAN0012            Altn BLK 2         128.109  P2p
    VLAN0100            Altn BLK 2         128.109  P2p
    VLAN0125            Altn BLK 2         128.109  P2p
    VLAN0126            Altn BLK 2         128.109  P2p
    VLAN0127            Altn BLK 2         128.109  P2p
    VLAN0129            Altn BLK 2         128.109  P2p
    VLAN1032            Altn BLK 2         128.109  P2p
    VLAN1096            Altn BLK 2         128.109  P2p
    VLAN1128            Altn BLK 2         128.109  P2p
    VLAN1160            Altn BLK 2         128.109  P2p
    VLAN1192            Altn BLK 2         128.109  P2p
    VLAN1224            Altn BLK 2         128.109  P2p

  • LAN was down, i.e. users are not getting IP from DHCP server after enabling DHCP snooping

    Hi All ,
    Enclosed file has network connectivity diagram.
    1. L3 VLANs, i.e. 2, 3, 4, 5 and 6, are configured on ACC-CR1 and ACC-CR2.
    2. Trunk is configured between core switches (CR1 and CR2) and access switches. VTP mode is transparent on all switches. L2 VLANs are configured on all access switches.
    3. The DHCP server is located at a different location and is reachable over MPLS.
    Without enabling DHCP snooping, users connected to access switches (SW1, SW2, SW3 and SW4) are getting IP addresses from the DHCP server without any problem and everything is working fine.
    But users connected to SW3 and SW4 are getting IP addresses from a rogue DHCP server which is not pingable from any of the switches.
    So we have configured DHCP snooping for all VLANs on CR1, CR2, SW3 and SW4 and "trusted uplink ports" which are connected to WAN routers from CR1 and CR2, and also "trusted uplink ports" of SW3 and SW4 which are connected to CR1 and CR2.
    As soon as we enabled DHCP snooping and trusted the respective uplink ports, users are not getting IP addresses from the remote DHCP server, and even users connected to SW1 and SW2 are facing the same issue.
    Note: DHCP snooping is not configured on SW1 and SW2.
    Why are users not getting IP addresses from the remote DHCP server as soon as we enabled DHCP snooping on the core switches and two access switches, i.e. SW3 and SW4? What could have caused DHCP packets to be dropped? Any idea would be appreciated.

    Hi,
    As you say: "HSRP is configured between CR1 and CR2 and Vlans are active on CR1", does it mean there are L3 interfaces configured in each VLAN on your CR switches and ip helper-address pointing to the remote DHCP server is configured on each of them?
    I know it's difficult in a production environment but IMHO you need to find out where the DHCP offers are dropped.
    Either by enabling DHCP debugging or by capturing packets via Wireshark, e.g.
    Best regards,
    Milan
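
The localization step suggested in the reply above, as an added example that is not part of the thread: given DHCP frames exported from captures taken at several points between client and server, it reports the hop pair between which the request or the reply disappears. The capture-point names, transaction IDs and records are constructed for illustration; only the switch names SW3 and CR1 come from the post.

```python
# Added example. Capture-point names and all records are constructed.
# Hops ordered from the client port towards the relay / DHCP server side.
PATH = ["SW3-access", "SW3-uplink", "CR1-downlink", "CR1-wan-uplink"]
CLIENT_MSGS = {"DISCOVER", "REQUEST"}
SERVER_MSGS = {"OFFER", "ACK", "NAK"}

# (capture point, DHCP transaction id, message type), one row per frame seen.
CAPTURES = (
    # 0xA1: request reaches the WAN side, the OFFER comes back but stops at CR1.
    [(hop, 0xA1, "DISCOVER") for hop in PATH]
    + [("CR1-wan-uplink", 0xA1, "OFFER")]
    # 0xB2: request leaves SW3 but is never seen on CR1.
    + [("SW3-access", 0xB2, "DISCOVER"), ("SW3-uplink", 0xB2, "DISCOVER")]
    # 0xC3: complete exchange visible at every hop.
    + [(hop, 0xC3, m) for hop in PATH
       for m in ("DISCOVER", "OFFER", "REQUEST", "ACK")]
)

def locate_drop(xid, captures=CAPTURES, path=PATH):
    """Return (direction, last hop that saw it, first hop that did not), or None."""
    seen = {hop: set() for hop in path}
    for hop, frame_xid, msg in captures:
        if frame_xid == xid and hop in seen:
            seen[hop].add(msg)
    if not seen[path[0]] & CLIENT_MSGS:
        return ("request", "client", path[0])
    # Client messages travel the path in order.
    for prev, nxt in zip(path, path[1:]):
        if not seen[nxt] & CLIENT_MSGS:
            return ("request", prev, nxt)
    # Server replies travel the same path in reverse.
    back = path[::-1]
    if not seen[back[0]] & SERVER_MSGS:
        return ("reply", "server-side", back[0])
    for prev, nxt in zip(back, back[1:]):
        if not seen[nxt] & SERVER_MSGS:
            return ("reply", prev, nxt)
    return None

if __name__ == "__main__":
    for xid in (0xA1, 0xB2, 0xC3):
        print(hex(xid), locate_drop(xid))
```

A "reply" result names the switch whose ingress port to inspect first, since DHCP snooping drops server messages that arrive on an untrusted port.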

  • Setup Transparent ASA

    Hi,
    I'm trying to get started on setting up my first Transparent ASA.
    I understand an ASA in Transparent Mode can now have an ip address with Bridge Groups or some such mechanism. I'm looking for examples of how to set that up and other information below.
    Is the ip address associated with the device or is it interface specific? Will I be able to SSH with that ip address setup?
    Can I use ASDM if the Transparent ASA has an ip address?
    This 5512X has an IPS. Anyone who has set up an IPS on this platform knows it has some very particular requirements in order to communicate with the outside world. I need examples of how to do that with a Transparent ASA.
    How is NAT setup differently (if at all) on a Transparent ASA?
    Are ACLs done any differently?
    Any help is appreciated. Examples or links are great.
    Thanks.

    You will now use Bridge-Groups...
    It's specific to a bridge group (the IP address), and yes, you will be able to SSH, telnet and ASDM to that IP.
    NAT and ACL setup is the same thing.
    Here is a quick example I did
    interface bvI 10
    ip address 192.168.12.1 255.255.255.0
    no shut
    interface gigabitEthernet 0
    nameif outside
    no shut
    interface gigabitEthernet 0
    bridge-group 10
    interface gigabitEthernet 1
    nameif inside
    no shut
    bridge-group 10
