Questions on CBWFQ
Hi every body
CBWFQ uses both custom based ( with a little enhancement i.e we used percentage of interface bandwidth rather than byte counts) and weighted fair queuing using class map and policy maps
Here is my confusion.
In Custom based queuing we have queues with bytes counts and scheduler uses round robin method to empty them, for example :
http traffic assigns to q1 byte count 2000
ftp traffic assigns to 2 byte count 200
q1 will be serviced first until byte count reaches zero then scheduler moves to q2 and services it until q 2 byte count reaches zero.
Here we have control as to which traffic goes toq 1 and thereby we can control which traffic get serviced first before others.
Now if we compare this with CBWFQ,specifically custom-based portion of CBWQ we do not have this control.
for example.
Class HTTP
match http
Class FTP
match ftp
policy-map NEE
class Http
bandwidth 10
class-map Ftp
bandwidth 20
int s0/0
service-policy Nee output
Above , we are saying http traffic will get upto 10 percent bandwidth of s0/0 ,ftp will get 20 percent.
But which queue will be served first? http queue? or ftp? queue? ( because my understanding is in CBWFQ, we still follow round robin algorithm to empty our queues, that means the q1 will be service first than q2. When we use CBWFQ we do not know which queue will be mapped to http or ftp in my example)
thanks.
have a great weekend
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
Above , we are saying http traffic will get upto 10 percent bandwidth of s0/0 ,ftp will get 20 percent.
Yea, the policy says that, but that's only true if CBWFQ is active, all the classes are active, all the class allocations add to 100%, and all the classes are trying to exceed their allocations.
But which queue will be served first? http queue? or ftp? queue? ( because my understanding is in CBWFQ, we still follow round robin algorithm to empty our queues, that means the q1 will be service first than q2. When we use CBWFQ we do not know which queue will be mapped to http or ftp in my example)
Actually, CBWFQ for non-LLQs is very similar to custom-queuing. Queues are serviced to try to maintain the ratios between them. In your example, FTP will be dequeued such that it transmits twice as much data as HTTP; because of the 20 and 10 percentages or 2:1 ratio between the two classes.
If you wanted to know, from an "even start", which class would transmit first, I don't know, and as it isn't documented, I wouldn't count on it always being the same between platforms and/or IOS versions.
As it's packets that are transmitted, during short time intevals, if there a large size difference between the packet sizes for HTTP vs. FTP, the 2:1 ratio won't be exact, but it should average out over a longer time interval.
Similar Messages
-
Hi..
I want to ask very basic questions.
is CBWFQ is working on FR interface without FRTS enabled.
and same question with WRED.
Particulary, what i am asking is..
map-class class1
match ip add ...
policy-map qos
class class1
bandwidth 100
interface serial 0/0
encapsulation frame-rely
service out qos
is this working or not?
policy-map wred
class class-default
bandwith 100
randon-detect
interface serial 0/1
encapsulation frame-relay
service out wred
is this working?
I am not asking optimal, i am asking working or not?
thanksNo, CBWFQ is not enabled on FR interfaces without FRTS enabled at the main F.R interface. I read a document at Cisco that talks about Class-based Frame relay shaping but i did it without enabling frame-relay traffic-shaping at the main F.R interface, but did not successed.
For the first part of your configurations, it must be worked (in theory) but practically, it will not according to the valid match command at class class1. -
we config qos on mpls network.use llq in CBWFQ. i have a question.
if i config LLQ for bandwidth 1m on 2M E1 line, and business data 0.5M(CBWFQ),defautl class 0.5M(CBWFQ). can i config this llq burst to 2M if line does not congest. or can i config business data or default class burst to 2M when line does not congest.
IF line congest. can llq and business,default class get gurantee bandwith?
i find when i config llq,i can use burst parameter:
priority bandwidth burst
when i need llq to burst to 2m, Does i need config this burst parameter. or i don't need config this burst parameter, i can get burst too.
thank you!
Tom(Yet another explanation.)
"if i config LLQ for bandwidth 1m on 2M E1 line, and business data 0.5M(CBWFQ),defautl class 0.5M(CBWFQ). can i config this llq burst to 2M if line does not congest."
LLQ should allow up to the full 2 Mbps, if there's no congestion. If there's congestion, LLQ will police itself at the rate specified. More on bursting, below.
"or can i config business data or default class burst to 2M when line does not congest."
Either the business data or default classes should also be able to obtain full bandwidth, if there's no congestion. Excess demand will queue the excess packets.
"IF line congest. can llq and business,default class get gurantee bandwith?"
Yes, if there's congestion, LLQ will police its traffic, i.e. immediately drop excess, other classes will queue excess traffic; will drop if queues overflow (and/or WRED drop).
"i find when i config llq,i can use burst parameter:
priority bandwidth burst
when i need llq to burst to 2m, Does i need config this burst parameter. or i don't need config this burst parameter, i can get burst too."
If you specify burst, you're really adjusting the time interval the policier operates. I believe the default is based on 200ms, so if there's more than 25,000 bytes (1 Mbps * .2 sec / 8 bits/byte), the excess will be dropped. (All the non-dropped bytes will transmit at full rate.)
When to adjust burst? If your traffic's long term average is under your LLQ bandwidth setting, but short term traffic rate is very variable (e.g. many video streams), you should increase the burst size to avoid dropping packets. -
CBWFQ: Question about the output of "show policy-map interface" command
Hi everyone,
I have a question about the output of "show policy-map interface" command.
The following is the output of this command and lower side of the output shows
(total queued/total drops/no-buffer drops) 0/342/0
If the packets drop occur due to the situation of no enough buffer,
"no-buffer drops" counted up. But "no-buffer drops" has not been counted up.
The "no-buffer drops" is 0 (zero) but "total drops" are counted as 342.
I guess there are other factors except "no-buffer drops" to add "total drops".
But I can not find any information about "other factors".
So I would like to know the "other factors" added to "total drops".
reserch-3725#sh policy-map interface fastethernet0/1
FastEthernet0/1
Service-policy output: shaping
Class-map: kdpc (match-all)
146956873 packets, 115209221595 bytes
5 minute offered rate 156000 bps, drop rate 0 bps
Match: access-group name YOKOHAMA_to_CHINO
Traffic Shaping
Target/Average Byte Sustain Excess Interval Increment
Rate Limit bits/int bits/int (ms) (bytes)
9360000/9360000 58500 234000 234000 25 29250
Adapt Queue Packets Bytes Packets Bytes Shaping
Active Depth Delayed Delayed Active
- 0 146956724 3539850811 2960247 3851843541 no
Class-map: class-default (match-any)
552458414 packets, 249687580329 bytes
5 minute offered rate 242000 bps, drop rate 0 bps
Match: any
Traffic Shaping
Target/Average Byte Sustain Excess Interval Increment
Rate Limit bits/int bits/int (ms) (bytes)
3072000/3072000 19200 76800 76800 25 9600
Adapt Queue Packets Bytes Packets Bytes Shaping
Active Depth Delayed Delayed Active
- 0 552453209 573909865 30358216 2926188156 no
Service-policy : policy1
Class-map: dlsw (match-all)
979578 packets, 264843255 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group name acl-dlsw
Queueing
Output Queue: Conversation 137
Bandwidth 128 (kbps) Max Threshold 64 (packets)
(pkts matched/bytes matched) 20922/17371500
(depth/total drops/no-buffer drops) 0/0/0
Class-map: telnet (match-all)
29938 packets, 1806058 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group name acl-telnet
Queueing
Output Queue: Conversation 138
Bandwidth 64 (kbps) Max Threshold 64 (packets)
(pkts matched/bytes matched) 639/38900
(depth/total drops/no-buffer drops) 0/0/0
Class-map: class-default (match-any)
551448911 packets, 249420939729 bytes
5 minute offered rate 242000 bps, drop rate 0 bps
Match: any
Queueing
Flow Based Fair Queueing
Maximum Number of Hashed Queues 128
(total queued/total drops/no-buffer drops) 0/342/0
Your information would be appreciated.Details infomatiuon regarding show policy-map interface
http://www.cisco.com/en/US/tech/tk543/tk545/technologies_tech_note09186a008010dd6a.shtml
http://www.cisco.com/en/US/tech/tk543/tk760/technologies_tech_note09186a0080108e2d.shtml
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/qos_r/qos_s2g.htm#wp1146884 -
QoS Questions for 3750 Switches
2x3750 switches are stacked and we are trying to simulate traffic congestion at the UTP ports by using Smartbit 6000C. The objective of the test is to see if the QoS setting works in reality even though we see from Wireshark that the packets are marked with DSCP for voice traffic.
Setup is as follows :
Smartbit<->Avaya IP Phone<->3750 switches<->6509 switch.
Please note that the configuration is set on the 3750 switch port as well as trusted on the Cat 6 switch port. However, when I set to continuous traffic with byte size of 64. Even though its a 100Mbps port, the Avaya IP Phone is already acting weird with hanged symptom. Just side note is that performing "show mls qos inter gi2/0/7 statistic" shows that data and voice traffic are marked on the different priority which seemed correct.
1) Is this the right way to test? If not, what should be the correct way?
2) The port that's connected to Smartbit is configured and it seemed that with the continuous traffic, even other IP Phones are hanged even though I have set Smartbit to hit on the IP address of the CAT6 Switch port. This is not normal right as this is supposed to be unicast traffic. Any idea what could be the reason?Hello Brandon,
I understand your concern and how you want to test, but with the VoIP services you need to understand that there are 2 points (telephones if you want) involved. Your local one, where you might have taken all the necessary steps to protect and prioritize your voice traffic, and the oposite end which also need to have the voice packets prioritized.
Now, from your description, I understand that the packets (voice and data) marked correctly (I believe on C3750), but that's not enough. You need to use CBWFQ together with LLQ to give priority to the Voice traffic over data in case of congestion. Do you have such configuration? Can you show us some excerpt from it?
Next, during the testing, you said that your phone hang-up...where you in a call?
To respond to your questions:
1. The start is ok, but we need more details. You are pushing traffic from Smarbit, this is your local end, but where is the traffic pushed to (remote end), who is receiving the traffic?
2. In theory, you shouldn't have any impact over voice if links are 100Mbit, only if you have such a power packet generator that could fill 100Mbit. What do you mean by "This is not normal right as this is supposed to be unicast traffic"? VoIP is also unicast traffic...
I can see that you are determined to solve this issue, and this is OK as it will help you back with gained knowledge, but I have to warn you that troubleshooting QoS / Voice related problems may be more tricky than you think, as it will involve a strong know-how in these areas.
We will help, but you have to come back with more precise details.
Good luck!
Calin -
CBWFQ and Priority Q Scheduling with IOS
All,
I have a question in regards to scheduling in QoS.
I have below 2 priority queues (both pri quese go into one queue we beleive), and 3 CBWFQs.
The qestion is, how are these queus scheduled. I know that priority Qs will be emtied before moving onto the CBWFQ.
On the CBWFQ side, how are these scheduled, in a round-robin way? or is the amount of time they get serviced increased, the bigger the bandwidth statement is configured (Like custom-queuing and bigger queue configured in terms of bytes equates to more time being scheduled to empty the queue before moving onto the next queue)
policy-map carrier_cos
class carrier_EF
priority
police 1605000 8000 8000 conform-action transmit exceed-action drop
class carrier_AF4
priority
police 1530000 71500 71500 conform-action transmit exceed-action drop
class carrier_AF1
bandwidth 6120
class carrier_bulk
bandwidth 5480
class class-default
bandwidth 15265
Sounds to me like CBQFQ is a mixture of priority-queueing and custom-queuing combined.
Many kind regards for you help with this question.
KenThx for that.
So, if I have a 1M/bit cct and have CBWFQ running.
CBWFQ 1 = Bandwdith 600
CBWFQ 2 = Bandwdith 200
CBWFQ 3 = Bandwdith 200 (class class-default)
assume interface is congested. How does the scheduler work?
Is it, within a time period, (let say 1second) it will spend 600ms servicing Q1, then move onto Q2 and spend 200ms on that queue before moving onto Q3 where it will spend a 200MS servicing that Queue and then go back to Q1?
Correct me if Im wrong, but is that the same as Custom Qeueing?
1 Second is a long time so what timer interval is used.
Remember is a 1M/bps circuit.
Kindest regards, and many thx.
Ken -
Questions on Print Quote report
Hi,
I'm fairly new to Oracle Quoting and trying to get familiar with it. I have a few questions and would appreciate if anyone answers them
1) We have a requirement to customize the Print Quote report. I searched these forums and found that this report can be defined either as a XML Publisher report or an Oracle Reports report depending on a profile option. Can you please let me know what the name of the profile option is?
2) When I select the 'Print Quote' option from the Actions drop down in the quoting page and click Submit I get the report printed and see the following URL in my browser.
http://<host>:<port>/dev60cgi/rwcgi60?PROJ03_APPS+report=/proj3/app/appltop/aso/11.5.0/reports/US/ASOPQTEL.rdf+DESTYPE=CACHE+P_TCK_ID=23731428+P_EXECUTABLE=N+P_SHOW_CHARGES=N+P_SHOW_CATG_TOT=N+P_SHOW_PRICE_ADJ=Y+P_SESSION_ID=c-RAuP8LOvdnv30grRzKqUQs:S+P_SHOW_HDR_ATTACH=N+P_SHOW_LINE_ATTACH=N+P_SHOW_HDR_SALESUPP=N+P_SHOW_LN_SALESUPP=N+TOLERANCE=0+DESFORMAT=RTF+DESNAME=Quote.rtf
Does it mean that the profile in our case is set to call the rdf since it has reference to ASOPQTEL.rdf in the above url?
3) When you click on submit button do we have something like this in the jsp code: On click call ASOPQTEL.rdf. Is the report called using a concurrent program? I want to know how the report is getting invoked?
4) If we want to customize the jsp pages can you please let me know the steps involved in making the customizations and testing them.
Thanks and Appreciate your patience
-PC1) We have a requirement to customize the Print Quote report. I searched these forums and found that this report can be defined either as a XML Publisher report or an Oracle Reports report depending on a profile option. Can you please let me know what the name of the profile option is?
I think I posted it in one of the threads2) When I select the 'Print Quote' option from the Actions drop down in the quoting page and click Submit I get the report printed and see the following URL in my browser.
http://<host>:<port>/dev60cgi/rwcgi60?PROJ03_APPS+report=/proj3/app/appltop/aso/11.5.0/reports/US/ASOPQTEL.rdf+DESTYPE=CACHE+P_TCK_ID=23731428+P_EXECUTABLE=N+P_SHOW_CHARGES=N+P_SHOW_CATG_TOT=N+P_SHOW_PRICE_ADJ=Y+P_SESSION_ID=c-RAuP8LOvdnv30grRzKqUQs:S+P_SHOW_HDR_ATTACH=N+P_SHOW_LINE_ATTACH=N+P_SHOW_HDR_SALESUPP=N+P_SHOW_LN_SALESUPP=N+TOLERANCE=0+DESFORMAT=RTF+DESNAME=Quote.rtf
Does it mean that the profile in our case is set to call the rdf since it has reference to ASOPQTEL.rdf in the above url?
Yes, your understanding is correct.3) When you click on submit button do we have something like this in the jsp code: On click call ASOPQTEL.rdf. Is the report called using a concurrent program? I want to know how the report is getting invoked?
No, there is no conc program getting called, you can directly call a report in a browser window, Oracle reports server will execute the report and send the HTTP response to the browser.4) If we want to customize the jsp pages can you please let me know the steps involved in making the customizations and testing them.
This is detailed in many threads.Thanks
Tapash -
Satellite P300D-10v - Question about warranty
HI EVERYBODY
I have these overheating problems with my laptop Satellite P300D-10v.
I did everything I could do to fix it without any success..
I get the latest update of the bios from Toshiba. I cleaned my lap with compressed air first and then disassembled it all and cleaned it better.(it was really clean insight though...)
BUT unfortunately the problem still exists...
So i made a research on the internet and I found out that most of Toshiba owners have the same exactly problem with their laptop.
Well i guess this is a Toshiba bug for many years now.
Its a really nice lap, cool sound (the best in laptop ever) BUT......
So I wanted to make a question. As i am still under warranty, can i return this laptop and get my money back or change it with a different one????
If any body knows PLS let me know.
chears
Thanks in advanceHi
I have already found you other threads.
Regarding the warranty question;
If there is something wrong with the hardware then the ASP in your country should be able to help you.
The warranty should cover every reparation or replacement.
But I read that you have disasembled the laptop at your own hand... hmmm if you have disasembled the notebook then your warrany is not valid anymore :(
I think this should be clear for you that you can lose the warrany if you disasemble the laptop!
By the way: you have to speak with the notebook dealer where you have purchased this notebook if you want to return the notebook
The Toshiba ASP can repair and fix the notebook but you will not get money from ASP.
Greets -
Question regarding NULL and forms
Hi all, i have a survey that im working on that will be sent via email.
I'm having an issue though. if i have a multiple choice question, and the user only selects one of the choices, all the unselected choices return as NULL. is there a way i can filter out anytihng that says "NULL" so it only shows the selected options?
thanks.
here is the page that retrieves all the data. thanks
<body>
<p>1) Is this your first visit to xxxxxxx? <b><%=request.getParameter("stepone") %></b>
</p>
<p> </p>
<p>2) How did You Learn About xxxxxxx?</p>
<p><b><%=request.getParameter("steptwoOne") %></b>
<br>
<b><%=request.getParameter("steptwoTwo") %></b>
<br>
<b><%=request.getParameter("steptwoThree") %></b>
<br>
<b><%=request.getParameter("steptwoFour") %></b>
<br>
<b><%=request.getParameter("steptwoOther") %></b>
</p>
<p> </p>
<p>3) What was your main reason for visiting xxxxx?</p>
<p><b><%=request.getParameter("stepthreeOne") %></b>
<br>
<b><%=request.getParameter("stepthreeTwo") %></b>
<br>
<b><%=request.getParameter("stepthreeThree") %></b>
<br>
<b><%=request.getParameter("stepthreeFour") %></b>
<br>
<b><%=request.getParameter("stepthreeOther") %></b>
</p>
<p>4) did you find the information you were looking for on this site?</p>
<p><b><%=request.getParameter("stepfour") %>
<br>
<b><%=request.getParameter("stepfourOther") %></b>
</b></p>
<p>5) Do you plan on using this website in the future?</p>
<p><b><%=request.getParameter("stepfive") %></b></p>
<p>6) What is your gender</p>
<p><b><%=request.getParameter("stepsix") %></b></p>
<p>7) What is your age group</p>
<p><b><%=request.getParameter("stepseven") %></b></p>
8) Would you like to take a moment and tell us how we can improve your experience on xxxxxxxxxx?
<p><b><%=request.getParameter("stepeightFeedback") %></b></p>i was messing around and came up with this. it doesnt remove the null, but if it is null it adds ABC beside it. so i think i might be getting close. i just need to figure out how to replace the null.
code]
<b><%=request.getParameter("steptwoFour") %></b>
<% if (request.getParameter("steptwoFour") == null ) {
%>
<% out.print("abc"); %>
<% }
%> -
How do I remove Overdrive books from the library that were downloaded onto my computer then transferred to my iphone? The problem is that they do not show up in iTunes.
I see this question asked a lot when I google, but they always give answers that assumes you can find the books in iTunes either under the books tab, or the audio books tab or in the music. They do not show up anywhere for me. They do not remove from the app like the ones I downloaded directly onto my iphone.the related archived article does not answer it either. I even asked a guy working at an apple store and he could not help either. Anybody...?
Thanks!there is an app called daisydisk on mac app store which will help you see exactly where the memory is focused and consumed try using that app and see which folders are using more memory
-
Hello, i have a basic question. if i have defined 2 fields in a cube or a dso:
Name Quantity
and from the external flat file i get some characters for my quantity field. would my load fail? for standard dso and for write optimized?
NOTE: quantity field is a keyfigure defined as numeric.
and the load coming in has "VIKPATEL" for Quantity field and not numbers.
thanksHi Vik,
Yes, the load will fail.
May be you coud first load this data into BW (into PSA) and set both fields as characters fields. Then you can create DSO, do transformation from this PSA to the DSO, and put your logic as to what do you want to do with those Quantity that is not number (e.g. convert to 0, or 'Not assgined', etc).
You can use transfer rule, or a clean up ABAP code in the start routine.
Hope this helps. -
Mid 2010 15" i5 Battery Calibration Questions
Hi, I have a mid 2010 15" MacBook Pro 2.4GHz i5.
Question 1: I didn't calibrate my battery when I first got my MacBook Pro (it didn't say in the manual that I had to). I've had it for about a month and am doing a calibration today, is that okay? I hope I haven't damaged my battery? The calibration is only to help the battery meter provide an accurate reading of how much life it has remaining, right?
Question 2: After reading Apple's calibration guide, I decided to set the MacBook Pro to never go to sleep (in Energy Saver System Preference) and leave it on overnight so it would run out of power and go to sleep, then I'd leave it in that state for at least 5 hours before charging it. When I woke up, the light on the front wasn't illuminated. It usually pulsates when in Sleep. Expectedly, it wouldn't wake when pressing buttons on the keyboard. So, what's happened? Is this Safe Sleep? I didn't see any "Your Mac is on reserve battery and will shut down" dialogues or anything similar, as I was asleep! I've left it in this state while I'm at work and will charge it this afternoon. Was my described method okay for calibration or should I have done something different?
Question 3: Does it matter how quickly you drain your battery when doing a calibration? i.e is it okay to drain it quickly (by running HD video, Photo Booth with effects etc) or slowly (by leaving it idle or running light apps)?
Thanks.
Message was edited by: Fresh JFresh J:
A1. You're fine calibrating the battery now. You might have gotten more accurate readings during the first month if you'd done it sooner, but no harm has been done.
A2. Your machine has NOT shut down; it has done exactly what it was supposed to do. When the power became critically low, it first wrote the contents of RAM to the hard drive, then went to sleep. When the battery was completely drained some time later, the MBP went into hibernation and the slepp light stopped pulsing and turned off. In that state the machine was using no power at all, but the contents of your RAM were still saved. Once the AC adapter was connected, a press of the power button would cause those contents to be reloaded, and the machine would pick up again exactly where you left off. It is not necessary to wait for the battery to be fully charged before using the machine on AC power, but do leave the AC adapter connected for at least two hours after the battery is fully charged. Nothing that you say you've done was wrong, and nothing that you say has happened was wrong.
A3. No, it does not matter. -
Jabber/WebEx Connect SSO Questions
I've got a few questions around exactly what needs to be done to get SAML working for our Connect accounts to successfully authenticate from Jabber for Windows, Mac, iPhone, and Android.
We have both a Meeting Center and Connect account under WebEx using Loose Coupled Integration. Just this past week I enabled SAML for our Meeting Center accounts which went off without a hitch with the exception of Meeting Center integration with Jabber, which is now broken with a message about SSO enabled Meeting Sites not being supported (I think this would maybe be fixed if we had Tight Coupled Integration with our two account?).
Anyway, my questions are...
For Windows, I understand all clients will need to be reinstalled with the MSI argument for the SSO_ORG_DOMAIN switch I've read about, is that correct? Are there any other switches needed for the reinstall?
How will this work with the Mac and mobile clients? There's obviously no command line options to specify for the installations here, will they just know to kick over to my IdP for authentication once they see an email address that falls under an org with SSO enabled? If so, why does the Windows client need to be completely reinstalled and not just know to find the IdP from the Cloud Connect service like Meeting Center does with the Productivity Tools?
We're just doing this for our Connect Web IM accounts, not attempting any sort of SSO with the phone accounts/UC integration yet.
Any ideas on getting the Meeting Center integration into Jabber working again?I'd suggest posting your question over on the Jabber Pilot forum, as this forum is specific to Jabber Guest questions:
https://supportforums.cisco.com/community/4551/jabber-pilot-support
-jim -
Every time I try to download an app it tells me I need to update my security questions, but once I click to make the questions the box goes white. So I'm not sure how to fix it
The new questions show on your account on http://appleid.apple.com ? If they do then try logging out and back into your account on your phone (assuming that is where you are trying to purchase from) and see if the new questions then show on it.
-
Hi All
The question is pretty simple. I can successfully connect to my ASA 5505 firewall via cisco vpn client 64 bit , i can ping any ip address on the LAN behind ASA but none of the LAN computers can see or ping the IP Address which is assigned to my vpn client from the ASA VPN Pool.
The LAN behind ASA is 192.168.0.0 and the VPN Pool for the cisco vpn client is 192.168.30.0
I would appreciate some help pls
Here is the config:
ASA Version 7.2(4)
hostname ciscoasa
domain-name default.domain.invalid
enable password J7NxNd4NtVydfOsB encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.0.11 EXCHANGE
name x.x.x.x WAN
name 192.168.30.0 VPN_POOL2
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address WAN 255.255.255.252
interface Ethernet0/0
switchport access vlan 2
<--- More --->
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
boot system disk0:/asa724-k8.bin
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list nk-acl extended permit tcp any interface outside eq smtp
access-list nk-acl extended permit tcp any interface outside eq https
access-list customerVPN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 VPN_POOL2 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list VPN_NAT extended permit ip VPN_POOL2 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_POOL2 192.168.30.10-192.168.30.90 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (inside) 10 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 10 access-list VPN_NAT outside
static (inside,outside) tcp interface smtp EXCHANGE smtp netmask 255.255.255.255
static (inside,outside) tcp interface https EXCHANGE https netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group nk-acl in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
snmp-server host inside 192.168.0.16 community public
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd dns 217.27.32.196
dhcpd address 192.168.0.100-192.168.0.200 inside
dhcpd dns 192.168.0.10 interface inside
dhcpd enable inside
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
group-policy customerVPN internal
group-policy customerVPN attributes
dns-server value 192.168.0.10
vpn-tunnel-protocol IPSec
password-storage enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value customerVPN_splitTunnelAcl
default-domain value customer.local
username xxx password 8SYsAcRU4s6DpQP1 encrypted privilege 0
username xxx attributes
vpn-group-policy TUNNEL1
username xxx password C6M4Xy7t0VOLU3bS encrypted privilege 0
username xxx attributes
vpn-group-policy PAPAGROUP
username xxx password RU2zcsRqQAwCkglQ encrypted privilege 0
username xxx attributes
vpn-group-policy customerVPN
username xxx password zfP8z5lE6WK/sSjY encrypted privilege 15
tunnel-group customerVPN type ipsec-ra
tunnel-group customerVPN general-attributes
address-pool VPN_POOL2
default-group-policy customerVPN
tunnel-group customerVPN ipsec-attributes
pre-shared-key *
tunnel-group-map default-group DefaultL2LGroup
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:a4dfbb82008f78756fe4c7d029871ec1
: end
ciscoasa#Well lots of new features have been hinted at for ASA 9.2 but I've not seen anything as far as an Engineering Commit or Customer Commit for that feature.
Site-site VPN in multiple context mode was added in 9.0(1) and I have customers have been asking for the remote access features as well.
I will remember to ask about that at Cisco Live next month.
Maybe you are looking for
-
Is there a way to stop the B8550 and D7560 printers from wasting ink?(Black)
I am having serious ink problems on two new HP printers. A little history, have always had HP printers. First was a 600 series desk jet one of the first consumer models. Used 2 years and never had to replace ink cartridge. Then I bought an 895 de
-
ITunes update wont load. asking for Drive F. There is no drive F.
Tried to load iTunes update. I proceeds and gives a window that says that there is no room on Drive F. I do not have a Drive F. iTunes should load to the C drive.
-
The control panel will not let me activate either Cointacts or Calendar as it says I do not have a default profile active, which I do have. I have checked over and over again, but it will still NOT let me activate it. I am using Office 2010 on a PC r
-
Pricing in SRM when coming from Ariba
Hi All, We're having an issue at a customer regarding the different ways that Ariba and SRM calculate price formula. Ariba has the ability to show the Unit Price in one UoM, but have the Qty ordered in a different UoM. They utilize a "conversion" fac
-
OK, I am a complete newbee to Dreamweaver. I just bought DW MX 2004 and am trying to create a simple website. The header of the main index page will simply be my name at the top with a line underneath my name that stretches across the entire page, th