Redirecting Packets!!!
I'm trying to write a program that can read packets coming into a computer via NIC and get source and destination addresses, then redirect them to appropriate routes.
Any help of any kind will be highly appreciated.
My email is [email protected]
Thanks.
www.sourceforge.net
Search: Visual IP.
Similar Messages
-
Hello,
I am trying to redirect packets to a bluecoat proxy sg using WCCP on a 3750x stack with IP services.
I can't get the packets to redirect.
The bluecoat device is on the same vlan as the client traffic that I am trying to redirect.
It seems that when I apply the redirect on the vlan interface, the Bluecoat can see the traffic though.
(After it is applied, I can no longer access the websites, but the bluecoat device shows some activity)
SDM prefer is enabled.
Here is the config:
SiteA#sh run
Building configuration...
Current configuration : 7699 bytes
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname SiteA
boot-start-marker
boot-end-marker
enable secret 5 $1$V1w8$6bmKd6oXWk//FH7/BaoFG.
username systemsgo privilege 15 secret 5 $1$vu8O$1uMdtS1Gzk12.YT3RObZO1
no aaa new-model
switch 1 provision ws-c3750x-24
switch 2 provision ws-c3750x-24
system mtu routing 1500
ip routing
ip wccp 90 redirect-list 115 group-list 15
vtp mode transparent
track 1 ip sla 1 reachability
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
vlan 10
ip ssh version 2
interface Port-channel1
switchport trunk encapsulation dot1q
switchport mode trunk
interface FastEthernet0
no ip address
no ip route-cache cef
no ip route-cache
interface GigabitEthernet1/0/1
no switchport
ip address 192.168.20.2 255.255.255.252
speed 100
duplex full
interface GigabitEthernet1/0/2
no switchport
ip address 192.168.20.9 255.255.255.252
interface GigabitEthernet1/0/3
switchport access vlan 10
switchport mode access
interface GigabitEthernet1/1/1
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode active
interface GigabitEthernet2/0/1
description *BlueCoat Proxy*
switchport access vlan 10
switchport mode access
interface GigabitEthernet2/0/2
switchport access vlan 10
switchport mode access
interface GigabitEthernet2/1/1
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode active
interface GigabitEthernet2/1/2
interface GigabitEthernet2/1/3
interface GigabitEthernet2/1/4
interface TenGigabitEthernet2/1/1
interface TenGigabitEthernet2/1/2
interface Vlan1
no ip address
interface Vlan10
ip address 10.10.20.3 255.255.255.0
standby 10 ip 10.10.20.1
standby 10 priority 110
standby 10 preempt
ip wccp 90 redirect in
router eigrp 1
network 10.10.20.0 0.0.0.255
network 192.168.10.0
network 192.168.20.0 0.0.0.3
redistribute static
ip local policy route-map IP_SLA_SiteA
ip http server
ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.20.10 track 1
ip sla 1
icmp-echo 4.2.2.2 source-ip 192.168.20.9
threshold 300
frequency 15
ip sla schedule 1 life forever start-time now
ip sla enable reaction-alerts
logging esm config
access-list 15 permit 10.10.20.220
access-list 101 permit icmp host 192.168.20.9 host 4.2.2.2
access-list 115 permit tcp 10.20.20.0 0.0.0.255 any eq www
access-list 115 permit tcp 10.20.20.0 0.0.0.255 any eq 443
access-list 115 permit tcp 10.10.20.0 0.0.0.255 any eq 443
access-list 115 permit tcp 10.10.20.0 0.0.0.255 any eq www
access-list 115 permit tcp 192.168.20.0 0.0.0.255 any eq www
access-list 115 permit tcp 192.168.20.0 0.0.0.255 any eq 443
route-map IP_SLA_SiteA permit 10
match ip address 101
set ip next-hop 192.168.20.10
SiteA#
SiteA#show ip wccp 90
Global WCCP information:
Router information:
Router Identifier: 192.168.20.9
Protocol Version: 2.0
Service Identifier: 90
Number of Service Group Clients: 1
Number of Service Group Routers: 1
Total Packets s/w Redirected: 0
Process: 0
CEF: 0
Redirect access-list: 115
Total Packets Denied Redirect: 52389
Total Packets Unassigned: 71
Group access-list: 15
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total GRE Bypassed Packets Received: 0
SiteA#show ip wccp 90 detail
WCCP Client information:
WCCP Client ID: 10.10.20.220
Protocol Version: 2.0
State: Usable
Redirection: L2
Packet Return: GRE
Packets Redirected: 0
Connect Time: 00:19:36
Assignment: MASK
Mask SrcAddr DstAddr SrcPort DstPort
0000: 0x00000000 0x0000003F 0x0000 0x0000
Value SrcAddr DstAddr SrcPort DstPort CE-IP
0000: 0x00000000 0x00000000 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0001: 0x00000000 0x00000001 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0002: 0x00000000 0x00000002 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0003: 0x00000000 0x00000003 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0004: 0x00000000 0x00000004 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0005: 0x00000000 0x00000005 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0006: 0x00000000 0x00000006 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0007: 0x00000000 0x00000007 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0008: 0x00000000 0x00000008 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0009: 0x00000000 0x00000009 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0010: 0x00000000 0x0000000A 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0011: 0x00000000 0x0000000B 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0012: 0x00000000 0x0000000C 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0013: 0x00000000 0x0000000D 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0014: 0x00000000 0x0000000E 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0015: 0x00000000 0x0000000F 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0016: 0x00000000 0x00000010 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0017: 0x00000000 0x00000011 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0018: 0x00000000 0x00000012 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0019: 0x00000000 0x00000013 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0020: 0x00000000 0x00000014 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0021: 0x00000000 0x00000015 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0022: 0x00000000 0x00000016 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0023: 0x00000000 0x00000017 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0024: 0x00000000 0x00000018 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0025: 0x00000000 0x00000019 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0026: 0x00000000 0x0000001A 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0027: 0x00000000 0x0000001B 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0028: 0x00000000 0x0000001C 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0029: 0x00000000 0x0000001D 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0030: 0x00000000 0x0000001E 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0031: 0x00000000 0x0000001F 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0032: 0x00000000 0x00000020 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0033: 0x00000000 0x00000021 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0034: 0x00000000 0x00000022 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0035: 0x00000000 0x00000023 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0036: 0x00000000 0x00000024 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0037: 0x00000000 0x00000025 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0038: 0x00000000 0x00000026 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0039: 0x00000000 0x00000027 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0040: 0x00000000 0x00000028 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0041: 0x00000000 0x00000029 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0042: 0x00000000 0x0000002A 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0043: 0x00000000 0x0000002B 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0044: 0x00000000 0x0000002C 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0045: 0x00000000 0x0000002D 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0046: 0x00000000 0x0000002E 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0047: 0x00000000 0x0000002F 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0048: 0x00000000 0x00000030 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0049: 0x00000000 0x00000031 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0050: 0x00000000 0x00000032 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0051: 0x00000000 0x00000033 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0052: 0x00000000 0x00000034 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0053: 0x00000000 0x00000035 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0054: 0x00000000 0x00000036 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0055: 0x00000000 0x00000037 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0056: 0x00000000 0x00000038 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0057: 0x00000000 0x00000039 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0058: 0x00000000 0x0000003A 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0059: 0x00000000 0x0000003B 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0060: 0x00000000 0x0000003C 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0061: 0x00000000 0x0000003D 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0062: 0x00000000 0x0000003E 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
0063: 0x00000000 0x0000003F 0x0000 0x0000 0x0A0A14DC (10.10.20.220)
SiteA#
SiteA#sh sdm prefer
The current template is "desktop routing" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.
number of unicast mac addresses: 3K
number of IPv4 IGMP groups + multicast routes: 1K
number of IPv4 unicast routes: 11K
number of directly-connected IPv4 hosts: 3K
number of indirect IPv4 routes: 8K
number of IPv4 policy based routing aces: 0.5K
number of IPv4/MAC qos aces: 0.5K
number of IPv4/MAC security aces: 1K
SiteA#
Hi Jon,
There are no more throughput issues.
Everything is working well. Thanks so much!
As for the WCCP,
I put the redirect acl on the L3 ports that connect back to 3750_3, but it is still not catching the traffic from the user vlan 20 on 3750_3. (We did however get it working for the server vlan in Site1 and Site2)
I'm not sure what you meant when you said:
Then you simply use site1 or site2's devices for web traffic.
Do I need to change the gateway for the users vlan in Site 3750_3 to something else?
Right now it is pointing to 10.20.20.1 on the 3750_3.
Below is what I have so far on the 3750_3.
I tried to force the traffic via PBR to the BlueCoat device, but that didn't seem to work either.
UserSite(config)#do sh run
Building configuration...
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname UserSite
boot-start-marker
boot-end-marker
no aaa new-model
switch 1 provision ws-c3750x-48p
switch 2 provision ws-c3750x-48p
system mtu routing 1500
ip routing
vtp mode transparent
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
vlan 10
vlan 20
name clients
interface FastEthernet0
no ip address
no ip route-cache cef
no ip route-cache
no ip mroute-cache
interface GigabitEthernet1/0/47
description *CERTES-MGMT-MAIN*
switchport access vlan 20
switchport mode access
interface GigabitEthernet1/0/48
description *MAN-LINE-TO-DC-MAIN*
no switchport
ip address 192.168.20.1 255.255.255.252
speed 100
duplex full
interface GigabitEthernet1/1/1
interface GigabitEthernet1/1/2
interface GigabitEthernet1/1/3
interface GigabitEthernet1/1/4
interface TenGigabitEthernet1/1/1
interface TenGigabitEthernet1/1/2
interface GigabitEthernet2/0/47
description *CERTES-MGMT-DR*
switchport access vlan 20
switchport mode access
interface GigabitEthernet2/0/48
description *MAN-LINE-TO-DC-DR*
no switchport
ip address 192.168.20.5 255.255.255.252
speed 100
duplex full
interface GigabitEthernet2/1/1
interface GigabitEthernet2/1/2
interface GigabitEthernet2/1/3
interface GigabitEthernet2/1/4
interface TenGigabitEthernet2/1/1
interface TenGigabitEthernet2/1/2
interface Vlan1
ip address 192.168.10.254 255.255.255.0
interface Vlan20
ip address 10.20.20.1 255.255.255.0
ip helper-address 10.10.20.30
router eigrp 1
network 10.20.20.0 0.0.0.255
network 192.168.10.0
network 192.168.20.0 0.0.0.7
offset-list 10 in 100 GigabitEthernet2/0/48
eigrp stub connected summary
ip local policy route-map PBR_Proxy
ip classless
ip http server
ip http secure-server
ip access-list extended Traffic2Proxy
permit tcp 10.20.20.0 0.0.0.255 eq www any
permit tcp 10.20.20.0 0.0.0.255 eq 443 any
ip sla enable reaction-alerts
route-map PBR_Proxy permit 10
match ip address Traffic2Proxy
set ip next-hop 192.168.50.220
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
login local
line vty 0 4
exec-timeout 30 0
privilege level 15
logging synchronous
login local
length 0
transport input telnet ssh
line vty 5 15
exec-timeout 30 0
privilege level 15
logging synchronous
login local
transport input telnet ssh
end -
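How the two ACLs quoted in this thread evaluate against a constructed browser flow, as an added example (not code from any poster): in IOS extended-ACL syntax an `eq` written after the source address tests the source port, and one written after the destination tests the destination port. Only the ACL lines come from the configs above; the small parser, the flow addresses and the function names are assumptions made for illustration.

```python
from ipaddress import IPv4Address

PORT_NAMES = {"www": 80}  # the only port keyword used on this page

# ACL lines copied from the two configs in this thread.
ACL_115 = [
    "access-list 115 permit tcp 10.20.20.0 0.0.0.255 any eq www",
    "access-list 115 permit tcp 10.20.20.0 0.0.0.255 any eq 443",
    "access-list 115 permit tcp 10.10.20.0 0.0.0.255 any eq 443",
    "access-list 115 permit tcp 10.10.20.0 0.0.0.255 any eq www",
    "access-list 115 permit tcp 192.168.20.0 0.0.0.255 any eq www",
    "access-list 115 permit tcp 192.168.20.0 0.0.0.255 any eq 443",
]
TRAFFIC2PROXY = [
    "permit tcp 10.20.20.0 0.0.0.255 eq www any",
    "permit tcp 10.20.20.0 0.0.0.255 eq 443 any",
]

def parse_ace(line):
    """Parse 'permit PROTO SRC [eq P] DST [eq P]' (SRC/DST: any | host A | A WILDCARD)."""
    tok = line.split()
    if tok[0] == "access-list":          # numbered form: drop 'access-list <n>'
        tok = tok[2:]
    action, proto, rest = tok[0], tok[1], tok[2:]

    def take_endpoint(rest):
        if rest[0] == "any":
            addr, wild, rest = 0, 0xFFFFFFFF, rest[1:]
        elif rest[0] == "host":
            addr, wild, rest = int(IPv4Address(rest[1])), 0, rest[2:]
        else:
            addr, wild = int(IPv4Address(rest[0])), int(IPv4Address(rest[1]))
            rest = rest[2:]
        port = None
        if rest and rest[0] == "eq":     # the port binds to the address just parsed
            port = PORT_NAMES.get(rest[1]) or int(rest[1])
            rest = rest[2:]
        return (addr, wild, port), rest

    src, rest = take_endpoint(rest)
    dst, rest = take_endpoint(rest)
    return {"action": action, "proto": proto, "src": src, "dst": dst}

def endpoint_matches(endpoint, ip, port):
    addr, wild, want_port = endpoint
    care = ~wild & 0xFFFFFFFF            # wildcard bits set to 1 are ignored
    if (int(IPv4Address(ip)) & care) != (addr & care):
        return False
    return want_port is None or want_port == port

def first_match(acl_lines, flow):
    """Return (action, matching line); falls through to the implicit deny."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace["proto"] not in ("ip", flow["proto"]):
            continue
        if endpoint_matches(ace["src"], flow["src"], flow["sport"]) and \
           endpoint_matches(ace["dst"], flow["dst"], flow["dport"]):
            return ace["action"], line
    return "deny", "(implicit deny)"

# Constructed flows: a VLAN 20 client browsing out, and a packet *sourced* from port 80.
CLIENT_TO_WEB = {"proto": "tcp", "src": "10.20.20.50", "sport": 51000,
                 "dst": "198.51.100.7", "dport": 80}
FROM_PORT_80 = {"proto": "tcp", "src": "10.20.20.50", "sport": 80,
                "dst": "198.51.100.7", "dport": 51000}

def evaluate():
    return {
        "115/client": first_match(ACL_115, CLIENT_TO_WEB)[0],
        "Traffic2Proxy/client": first_match(TRAFFIC2PROXY, CLIENT_TO_WEB)[0],
        "Traffic2Proxy/from-80": first_match(TRAFFIC2PROXY, FROM_PORT_80)[0],
    }

if __name__ == "__main__":
    for name, action in evaluate().items():
        print(f"{name:24s} {action}")
```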
Need some help determining what dictates how the packets are redirected (process or cef).
I have a router with 2 ethernet interfaces. CEF is running on both of them. On one of the interfaces most of the packets are process redirected, and on the other interface the packets are CEF redirected. Wondering why they are different.
Any info would be appreciated.
Below is the WCCP and CEF info.
Global WCCP information:
Router information:
Router Identifier: x.x.x.x
Protocol Version: 2.0
Service Identifier: 61
Number of Service Group Clients: 2
Number of Service Group Routers: 1
Total Packets s/w Redirected: 2436488786
Process: 249998
CEF: 2436238788
Service mode: Open
Service Access-list: -none-
Total Packets Dropped Closed: 0
Redirect Access-list: OPTEMAN-BYPASS-WAE
Total Packets Denied Redirect: 293564010
Total Packets Unassigned: 80064
Group Access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 349
Service Identifier: 62
Number of Service Group Clients: 2
Number of Service Group Routers: 1
Total Packets s/w Redirected: 1874932512
Process: 1871359851
CEF: 3572661
Service mode: Open
Service Access-list: -none-
Total Packets Dropped Closed: 0
Redirect Access-list: OPTEMAN-BYPASS-WAE
Total Packets Denied Redirect: 404546425
Total Packets Unassigned: 113696
Group Access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 18
sho ip cef gi0/1 det
IPv4 CEF is enabled and running
VRF Default:
1611 prefixes (1611/0 fwd/non-fwd)
Default network 0.0.0.0/0
Table id 0
Database epoch: 0 (1611 entries at this epoch)
>sho ip cef gi0/2 det
IPv4 CEF is enabled and running
VRF Default:
1611 prefixes (1611/0 fwd/non-fwd)
Default network 0.0.0.0/0
Table id 0
Database epoch: 0 (1611 entries at this epoch)
Daniel,
I was just looking at a site that I have a 3845 set up pretty much the same way, except I have a DS3 on the WAN side.
When I look at the WCCP on the 3845, they are all handled via cef.
Any ideas on that?
Here is the wccp info and interface configs on the 3845
#sho ip wccp
Global WCCP information:
Router information:
Router Identifier: X.X.X.X
Protocol Version: 2.0
Service Identifier: 61
Number of Service Group Clients: 1
Number of Service Group Routers: 1
Total Packets s/w Redirected: 557409875
Process: 0
CEF: 557409875
Service mode: Open
Service Access-list: -none-
Total Packets Dropped Closed: 0
Redirect Access-list: -none-
Total Packets Denied Redirect: 0
Total Packets Unassigned: 672
Group Access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 85
Service Identifier: 62
Number of Service Group Clients: 1
Number of Service Group Routers: 1
Total Packets s/w Redirected: 546427512
Process: 4
CEF: 546427508
Service mode: Open
Service Access-list: -none-
Total Packets Dropped Closed: 0
Redirect Access-list: -none-
Total Packets Denied Redirect: 0
Total Packets Unassigned: 0
Group Access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 10
interface GigabitEthernet0/0
description LAN
ip address
ip wccp 61 redirect in
ip flow ingress
ip flow egress
ip tcp adjust-mss 1360
duplex full
speed 100
media-type rj45
interface Serial2/0
description WAN
bandwidth 45000
ip address
ip wccp 62 redirect in
ip nbar protocol-discovery
load-interval 30
dsu bandwidth 44210
scramble
crypto map ZZZ -
Hi all,
I am trying to setup a web cache using a WAE-612 and a C3750 switch. The switch is configured with three interfaces:
CLIENTS ----- VLAN 1 ----- SWITCH ----- GI1/0/1 routed ---- SERVER(s)
WAE-ENGINE ---- VLAN2--|
I have configured inbound redirection on vlan 1 and inbound redirection on gi1/0/1
ip wccp web-cache redirect in
I am using L2 redirect & L2 return & my state is "enabled":
Switch#show ip wccp web-cache detail
WCCP Client information:
WCCP Client ID: 10.101.2.202
Protocol Version: 2.0
State: Usable
Redirection: L2
Packet Return: L2
Packets Redirected: 0
Connect Time: 02:24:08
Assignment: MASK
First, the "packets redirected" counter doesn't increment. Is this normal (maybe due to hardware redirection)?
Second, I am seeing HTTP GET requests from my clients going to my WAE-engine and I am also seeing the WAE-engine sending them back to the switch (changed MAC address, L2 redirection).
Third, my cache savings are 0%.
Fourth, I don't see any traffic returning into the WAE-engine. How can the WAE cache traffic if it never sees the server return traffic?
Fifth, I have "spoof client ip" enabled on the WAE (I need this for security reasons; the web server verifies the source IP address).
Now I am thinking it is logical that my cache savings are 0%. The web-cache service group redirects port 80 packets and the switch supports only the "inbound" direction. This means that the switch never redirects the ANSWER of the server, so how on earth can it ever "cache" the response?
Am I correct or am I wrong? How do I solve it?
Should I use different WCCP service groups on the interfaces (for example, one based on source IP redirection, the other on destination IP redirection)?
PS. I am running 12.2(44)SE6 on the switch and 5.5.9.B9 on the WAE
regards,
Geert
Hi Geert,
With L2 redirection the 'packets redirected' counter won't increment since it's hardware redirection. You might want to check the WAE counter 'Transparent non-GRE packets received:' by running 'show wccp gre'.
With WCCP IP spoofing enabled, requests will be sent to the web server with the client's IP address. So yes, you will need to configure WCCP to catch return traffic coming from the web server so that it is redirected to the WAE.
To redirect return traffic you will need to configure a WCCP dynamic service group.
By default the web-cache service will mask on destination address. Since we need to make sure return traffic is sent to the same WAE as forwarding traffic, we need to mask return traffic on source IP address.
This will configure service group 95, and it will mask on source IP, which will be the web server's IP address:
wccp service-number 95 mask src-ip-mask 0x1741 dst-ip-mask 0x0
wccp service-number 95 router-list-num 1 port-list-num 1 application cache l2-redirect mask-assign l2-return
wccp version 2
wccp spoof-client-ip enable
You will then need to enable 'ip wccp 95 redirect in' on the WAN interface.
Hope this helps,
Best Regards,
Rahul -
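The mask-assignment point in the reply above, worked through as an added example (not code from the thread): the router ANDs an address with the mask, looks the result up in a value table, and sends the packet to the engine listed there, so forward and return packets of one connection reach the same engine only when both services key on the server's address. The two engine names, the addresses, the round-robin spread of values and the reuse of 0x1741 for the forward direction are assumptions; only the mask value and the src/dst choice come from the reply.

```python
import ipaddress
from itertools import product

def mask_values(mask):
    """Every value (address & mask) can take, ascending; one bucket per value."""
    values, v = [], 0
    while True:
        values.append(v)
        v = (v - mask) & mask          # step to the next sub-mask of `mask`
        if v == 0:
            return values

def build_table(service, engines):
    """Value table for one service group.
    Assumption: values are spread round-robin; a real engine picks its own spread."""
    keys = product(mask_values(service["src_mask"]),
                   mask_values(service["dst_mask"]))
    return {key: engines[i % len(engines)] for i, key in enumerate(keys)}

def select_engine(service, table, src, dst):
    """What the router does per packet: mask both addresses, look up the engine."""
    s = int(ipaddress.IPv4Address(src)) & service["src_mask"]
    d = int(ipaddress.IPv4Address(dst)) & service["dst_mask"]
    return table[(s, d)]

ENGINES = ["WAE-A", "WAE-B"]           # constructed: two engines make the split visible
MASK = 0x1741                          # from the reply: bits 0, 6, 8, 9, 10, 12 set

FORWARD = {"src_mask": 0x0, "dst_mask": MASK}      # client -> server, keyed on server IP
RETURN_SRC = {"src_mask": MASK, "dst_mask": 0x0}   # service 95 as configured in the reply
RETURN_DST = {"src_mask": 0x0, "dst_mask": MASK}   # return traffic left on a dst mask

CLIENT, SERVER = "10.101.1.25", "203.0.113.10"     # constructed addresses

def demo():
    """Engine chosen for the request, and for the reply under each masking choice."""
    fwd = select_engine(FORWARD, build_table(FORWARD, ENGINES), CLIENT, SERVER)
    ret_src = select_engine(RETURN_SRC, build_table(RETURN_SRC, ENGINES), SERVER, CLIENT)
    ret_dst = select_engine(RETURN_DST, build_table(RETURN_DST, ENGINES), SERVER, CLIENT)
    return fwd, ret_src, ret_dst

if __name__ == "__main__":
    fwd, ret_src, ret_dst = demo()
    print("buckets for 0x%04X: %d" % (MASK, len(mask_values(MASK))))
    print("request  client->server           :", fwd)
    print("reply    server->client, src mask :", ret_src)
    print("reply    server->client, dst mask :", ret_dst)
```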
WAAS WCCP 6500 ACL Redirection
Hi All
I'm sure I'm missing something simple here on a new install and I hope someone can point it out easily. I implemented the following config which worked except it understandably broke connections as everything got redirected. I'm running the WCCP config on a 6500 running 12.2(18) SXF
This config showed total redirected packets climbing sharply in a 'show ip wccp' on the 6500 but this config broke other things.
WAE:
interface GigabitEthernet 1/0
ip address 10.254.0.251 255.255.255.248
ip default-gateway 10.254.0.249
wccp router-list 1 10.254.0.249
wccp tcp-promiscuous router-list-num 1 l2-redirect mask-assign
6500:
ip wccp 61
ip wccp 62
interface Vlan<vlans to be accelerated>
description Local VLAN to be accelerated
ip wccp 61 redirect in
interface Vlan <WAAS vlan>
description WAAS Devices(CM and WAE)
ip address 10.254.0.249 255.255.255.248
interface Vlan <Vlan for WAN transit>
description Incoming WAN VLAN
ip wccp 62 redirect in
To try and limit redirection to just LAN space I swapped this:
ip wccp 61
ip wccp 62
for this:
Ip access-list ext WAAS_Inbound
Permit ip 10.22.0.0 0.0.255.255 10.0.0.0 0.0.255.255
Ip access-l ext WAAS_Outbound
Permit ip 10.0.0.0 0.0.255.255 10.22.0.0 0.0.255.255
Ip wccp 62 redirect-list WAAS_Inbound
Ip wccp 61 redirect-list WAAS_Outbound
Once I did this, 'show ip wccp' on the 6500 stopped showing redirected packets but did start showing packets being denied redirect. Optimization stopped (according to the GUI) and I saw no hits on the access-lists (should I?).
Thanks for your help in advance.
A few questions/comments:
What type of Supervisor are you using?
What is the exact version of software you are using?
The fact that the 'packets redirected' counter is incrementing is a bad thing on the 6500. It means that the redirection is happening in software.
Can you also provide the output from the following commands:
sh ip wccp
sh ip wccp 61 det
sh ip wccp 62 det
Thanks,
Zach -
I'm trying to set up a simple WAAS setup with a Manager, Core and Edge device. The core and edge devices are separated across an MPLS cloud. The redirect is configured on the CE routers so I don't believe the MPLS is the problem.
The Manager can see both the Core and Edge devices but no acceleration is happening. When I check the wccp status on the core I see both LAN and WAN interfaces are redirecting packets but the edge router is only showing redirects on the LAN.
The edge router is a Cisco 2821 with a WAAS Services Module. The router is connected to the MPLS cloud by an ATM interface. (Config Below).
service timestamps debug datetime
service timestamps log datetime
service password-encryption
hostname xxxxxxxxxxx
boot-start-marker
boot-end-marker
logging buffered 10000 debugging
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login conmethod group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization network default group tacacs+
aaa authorization network noauthor none
aaa session-id common
resource policy
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 2:00
ip wccp 61
ip wccp 62
ip telnet source-interface GigabitEthernet0/0
ip cef
interface Loopback0
description MPLS ATM Loopback Address
ip address 10.0.0.5 255.255.255.255
interface GigabitEthernet0/0
description London Corp LAN
ip address 53.253.7.250 255.255.255.0
ip access-group dealersubnets in
ip wccp 61 redirect in
duplex auto
speed auto
interface ATM0/3/0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
interface ATM0/3/0.1 point-to-point
description MPLS WAN
bandwidth 2000
ip unnumbered Loopback0
ip wccp 62 redirect in
no snmp trap link-status
pvc 0/38
vbr-nrt 248 248
encapsulation aal5mux ppp Virtual-Template100
interface Integrated-Service-Engine1/0
ip address 192.168.1.9 255.255.255.252
ip wccp redirect exclude in
service-module ip address 192.168.1.10 255.255.255.252
service-module ip default-gateway 192.168.1.9
no keepalive
interface Virtual-Template100
ip unnumbered Loopback0
no peer default ip address
router bgp 64527
no synchronization
bgp log-neighbor-changes
network 10.0.0.5 mask 255.255.255.255
network 53.253.7.0 mask 255.255.255.0
network 192.168.1.8 mask 255.255.255.252
neighbor x.x.x.x remote-as 2856
neighbor x.x.x.x ebgp-multihop 3
neighbor x.x.x.x update-source Loopback0
no auto-summary
ip route 0.0.0.0 0.0.0.0 x.x.x.x
no ip http server
no ip http secure-server
ip tacacs source-interface GigabitEthernet0/0
access-list 120 permit tcp any any log
If anyone can help me with this I would be most grateful as I need to get WAAS working ASAP.
The IOS version is c2800nm-spservicesk9-mz.124-9.T2.bin and the WAAS module is running 4.0.3.b.9
Thanks
I have implemented the above config and the wccp redirect on tcp 61 and 62 is now working. WAAS is now seeing traffic and optimising.
Why do you think that wccp won't work on the atm interface? -
L2 redirection between a 3750 and WAE 674 WCCP
hi
we are using a WAE 674 on a cisco 3750 in WCCP
WCCP is configured to use L2 redirection
but we saw this on the switch
Global WCCP information:
Router information:
Router Identifier: 192.168.100.1
Protocol Version: 2.0
Service Identifier: 61
Number of Service Group Clients: 1
Number of Service Group Routers: 1
Total Packets s/w Redirected: 1
Process: 0
CEF: 1
Redirect access-list: -none-
Total Packets Denied Redirect: 0
Total Packets Unassigned: 0
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 0
Service Identifier: 62
Number of Service Group Clients: 1
Number of Service Group Routers: 1
Total Packets s/w Redirected: 11
Process: 0
CEF: 11
Redirect access-list: -none-
Total Packets Denied Redirect: 0
Total Packets Unassigned: 0
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 0
switch configuration
vlan 1 and 2 : data
vlan 3 : routers
vlan 4 : WAE
interface Vlan1
ip address 10.0.0.1 255.255.0.0
ip wccp 61 redirect in
standby 0 preempt
standby 1 ip 10.0.0.6
standby 1 priority 150
standby 1 preempt
standby 1 name hsrp_vlan_1
interface Vlan2
ip address 10.1.0.1 255.255.0.0
ip wccp 61 redirect in
standby 2 ip 10.1.0.6
standby 2 priority 150
standby 2 preempt
standby 2 name hsrp_vlan_2
interface Vlan3
description Routage-FT
ip address 192.168.1.4 255.255.255.0
ip wccp 62 redirect in
standby 3 ip 192.168.1.6
standby 3 priority 150
standby 3 preempt
standby 3 name hsrp_vlan_3
interface Vlan4
description VLAN WCCP
ip address 192.168.100.1 255.255.255.0
WAE configuration
wccp router-list 8 192.168.100.1
wccp tcp-promiscuous mask src-ip-mask 0x1741 dst-ip-mask 0x0
wccp tcp-promiscuous router-list-num 8 l2-redirect mask-assign l2-return
wccp version 2
Hi,
This counter on the 3750 is a software counter, but all WCCP redirection should be happening in hardware. Thus, it is expected the number of redirected packets to be zero or very low. The proper way to tell if WCCP is redirecting traffic to your WAE is to issue the command "show wccp gre" on the WAE and look for the line "transparent non-GRE packets received."
Example:
pdi-7341-19#sh wccp gre
Transparent GRE packets received: 0
Transparent non-GRE packets received: 28887345
Transparent non-GRE non-WCCP packets received: 0
Total packets accepted: 26012975
Invalid packets received: 0
Packets received with invalid service: 0
Packets received on a disabled service: 0
Packets received too small: 0
Packets dropped due to zero TTL: 0
----output omitted ------
Cheers,
Mike Korenbaum
Cisco WAAS PDI Help Desk
http://www.cisco.com/go/pdihelpdesk -
Help needed in receiving two consecutive msges from SIP Ser in UDP server!
Hi everyone,
I am Mitul Gogoi, from Assam, North-east part of India.
I am writing a SIP proxy server, which is simply a UDP server and which will sit between the Client (X-Lite softphone) and Brekeke SIP Server and just receive and send messages.
Client---------------->My UDP Server-------------------------->SIP Server (This is for requests)
again,
SIP Server---------->My UDP Server-------------------------->Client (This is for responses)
(could not draw the arrows together)
My server will receive any msg coming from Client in port 7000 from Client and My server will send the msg to SIP Server to its IP address and port 5060. So, I just wanted to change the port number to which Client will send msgs; i.e. instead of earlier port 5060, it will now send to port 7000.
The msg sending and receiving scenario:
1. The first msg from Client is received by My Server.
2. My server sends the msg to SIP Server.
3. My server then waits for response from SIP server.
4. One msg comes to My server and is received successfully, and it closes the socket.
5. This msg is sent to Client.
6. Second msg comes from SIP server to My server. But My server is unable to receive this second msg, maybe because My server closes the socket to receive the next msg.
I am using ResponseHandler Thread in main which will listen to any msgs that may come from SIP server to My server.
My question is:
Is it not possible to receive two consecutive msgs from SIP server?
If one msg comes, it then closes the socket.
My code for sending and receiving:
udpClSocket = new DatagramSocket();
packet = new DatagramPacket(buf, buf.length,InetAddress.getByName(server), port);
udpClSocket.send(packet);//it will send to SIP Server as well as Client,by changing the server and port
byte resbuf[] = new byte[msgSize];
packet = new DatagramPacket(resbuf, resbuf.length);
udpClSocket.receive(packet);//it will receive msg from SIP server only
packet = null;
udpClSocket.close();
The first msg comes to My server successfully, but the second msg is not being received.
I have tried in so many ways, such as taking two different ports: one for receiving for Client and My server, and another port for My server and SIP server.
If anyone can help me in this, then I will be highly grateful.
regards,
Mitul
Why? Throw all this code away, and use the NIST reference implementation of JAIN-SIP. They've done all the hard work for you. All you have to do to write a stateless proxy is a little mild header processing.
Thank you ejp for your reply. Mine is an Outbound SIP proxy server, which uses a port other than default 5060 SIP server port. The client will REGISTER SIP server via my server, and moreover, I want to build my own server at least once for learning purpose.
maybe because My server closes the socket to receive the next msg.
Why?
I do not know why. Maybe I am very new to network programming or did not do much research in networking. But my code should work; couldn't find out any fault.
Here is my code:
package com.ef;

import java.net.DatagramPacket;
import java.net.DatagramSocket;
import java.net.InetAddress;
import java.util.Date;

/**
 * It sends UDP packets to following destinations-
 * 1. SIP Server
 * 2. SIP UACs
 */
public class OBUDPClient extends Thread {
    private DatagramSocket udpClSocket;
    private DatagramPacket packet;
    private String server = "192.168.1.2"; // IP of Brekeke SIP server
    private int port = 5060;
    // SIP Message Size
    private int msgSize = 2048;
    private byte buf[];
    private boolean serFlag = true;
    private OBMessage m;

    /**
     * Send Request to SIP Server
     * @param in_packet
     * @throws Exception
     */
    public OBUDPClient(DatagramPacket in_packet) throws Exception {
        super("Client-" + String.valueOf((new Date()).getTime()));
        this.buf = in_packet.getData();
        m = new OBMessage();
        /*
         * Keep track of IP and Port of the source of this packet. Response
         * from SIP Server will be redirected to this IP and Port
         */
        m.setTargetIP(in_packet.getAddress().getHostAddress());
        m.setTargetPort(in_packet.getPort());
        start();
    }

    /**
     * Send Request to SIP UAC (). This constructor gets called from OBResponseHandler.java
     * @param server
     * @param port
     * @param buf
     * @throws Exception
     */
    public OBUDPClient(String server, int port, byte buf[]) throws Exception {
        super(String.valueOf((new Date()).getTime()));
        this.server = server;
        this.port = port;
        this.buf = buf;
        serFlag = false;
        start();
    }

    public void run() {
        try {
            System.out.println("OBUDPClient Redirecting packet");
            // A new socket (new ephemeral source port) is created for every packet sent
            udpClSocket = new DatagramSocket();
            // Send Request
            packet = new DatagramPacket(buf, buf.length, InetAddress.getByName(server), port);
            udpClSocket.send(packet);
            // Receive Response
            byte resbuf[] = new byte[msgSize];
            packet = new DatagramPacket(resbuf, resbuf.length);
            udpClSocket.receive(packet); // could not receive two consecutive msg from SIP server
            if (serFlag) {
                /*
                 * If request is sent to SIP Server we are interested for the
                 * response otherwise not
                 */
                System.out.println("<----------------Handle Response----------------->");
                System.out.println("++++++++++++++++++++++++++++++++++++++++++++++++++");
                System.out.println("Response from SIP Server: " + new String(packet.getData()).trim());
                System.out.println("++++++++++++++++++++++++++++++++++++++++++++++++++");
                // Read SIP response sent by SIP Server
                m.setMessage(new String(packet.getData()).trim());
                // Store the Response message in Queue
                OBMain.q.push(m);
            }
        } catch (Exception ex) {
            ex.printStackTrace();
        }
        // The socket is closed after a single receive()
        packet = null;
        udpClSocket.close();
    }
}
Note: Everything starts from the Client. First, the Client makes a REGISTER request; it is passed through the Outbound server to the SIP server. Then the SIP server responds with 100 Trying; this is received successfully by my outbound server and sent to the Client. Then, again, the SIP server responds with 200 OK; this is not received by my outbound server and hence cannot reach the Client, as a result of which Registration fails.
regards,
mitul -
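The posted `run()` calls `receive()` once and then closes the socket, so only the first of the two responses described in the note can be read on it. As an added example (not part of the original thread, and in Python rather than the poster's Java), the code below puts that single-receive behaviour beside a loop that keeps the per-transaction socket open until a final response (status 200 or higher) arrives; the function names, the timeout values, the constructed messages and the AF_UNIX datagram pair standing in for the UDP leg are all assumptions.

```python
import socket

# Constructed SIP messages (sample data, trimmed to the headers that matter here).
REGISTER = (b"REGISTER sip:192.168.1.2 SIP/2.0\r\n"
            b"CSeq: 1 REGISTER\r\nContent-Length: 0\r\n\r\n")
TRYING = b"SIP/2.0 100 Trying\r\nCSeq: 1 REGISTER\r\nContent-Length: 0\r\n\r\n"
OK = b"SIP/2.0 200 OK\r\nCSeq: 1 REGISTER\r\nContent-Length: 0\r\n\r\n"


def sip_status(datagram):
    """Return the status code of a SIP response, or None for a request or junk."""
    first_line = datagram.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = first_line.split(" ", 2)
    if (len(parts) >= 2 and parts[0] == "SIP/2.0"
            and len(parts[1]) == 3 and parts[1].isdigit()):
        return int(parts[1])
    return None


def relay_single(upstream, request, deliver, timeout=1.0, bufsize=2048):
    """Mirror of the posted run(): send the request, receive exactly once."""
    upstream.settimeout(timeout)
    upstream.send(request)
    data = upstream.recv(bufsize)
    deliver(data)
    return [sip_status(data)]


def relay_until_final(upstream, request, deliver, timeout=4.0, bufsize=2048):
    """Send one request and relay every response until a final one arrives.

    upstream: connected datagram socket towards the SIP server.
    deliver:  callable given each response datagram (e.g. send it to the UAC).
    Returns the status codes relayed, in order.
    """
    upstream.settimeout(timeout)
    upstream.send(request)
    seen = []
    while True:
        try:
            data = upstream.recv(bufsize)
        except socket.timeout:
            break  # server went quiet; the caller decides whether to retransmit
        status = sip_status(data)
        if status is None:
            continue  # not a SIP response: do not relay it to the client
        deliver(data)
        seen.append(status)
        if status >= 200:
            break  # 2xx-6xx is final; 1xx is provisional, so keep listening
    return seen


def run_demo(relay):
    """Run one relay function against a fake server that answers 100, then 200."""
    proxy_side, server_side = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        server_side.send(TRYING)
        server_side.send(OK)
        delivered = []
        codes = relay(proxy_side, REGISTER, delivered.append)
        forwarded_request = server_side.recv(2048)
        return codes, delivered, forwarded_request
    finally:
        proxy_side.close()
        server_side.close()


if __name__ == "__main__":
    print("single receive:", run_demo(relay_single)[0])
    print("until final   :", run_demo(relay_until_final)[0])
```

With the single receive the client only ever gets the `100 Trying`; the loop delivers both responses and stops at the `200 OK`.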
Wccp web-cache -- can't get it working
I installed a Squid based caching appliance, by Stratacache. it supports GRE wccp redirect in transparent mode, I have it configured as wccpv2 using the Router's LAN ip address 10.250.1.2.
Every time I turn on the caching for a host (or the entire LAN) the internet breaks for whomever I turn wccp on. I have tried disabling CEF and have moved the cache to its own router interface.
Topology of the Cisco 2801-SEC-K9 router, running 12.4(22)T advsecurity
FastE 0/0 (10.250.1.1) ---> connected directly to cache server
FastE0/1 (10.23.1.1) ---> Connected to internal LAN
MultiLink1 (12.x.x.98) ---> 4 T1 multilink to AT&T Internet Service
so here is my config,
ip wccp web-cache redirect-list 46 group-list 40 password webcache
ip wccp version 2
access-list 40 permit 10.250.1.2 (cache server)
access-list 46 permit 10.23.1.21 (test host for wccp)
interface fastethernet0/1
ip wccp web-cache redirect in
here is the output from the router
Roosevelt-2801(config)#do sh ip wccp web-cache view
WCCP Routers Informed of:
12.x.x.98
WCCP Clients Visible:
10.250.1.2
WCCP Clients NOT Visible:
-none-
Roosevelt-2801(config)#do sh ip wccp web-cache det
WCCP Client information:
WCCP Client ID: 10.250.1.2
Protocol Version: 2.0
State: Usable
Redirection: GRE
Packet Return: GRE
Assignment: HASH
Initial Hash Info: 00000000000000000000000000000000
00000000000000000000000000000000
Assigned Hash Info: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Hash Allotment: 256 (100.00%)
Packets s/w Redirected: 914
Connect Time: 1d18h
Bypassed Packets
Process: 0
CEF: 0
Errors: 0
Roosevelt-2801(config)#do sh ip wccp web
Global WCCP information:
Router information:
Router Identifier: 12.x.x.98
Protocol Version: 2.0
Service Identifier: web-cache
Number of Service Group Clients: 1
Number of Service Group Routers: 1
Total Packets s/w Redirected: 7800
Process: 94
CEF: 7706
Service mode: Open
Service Access-list: -none-
Total Packets Dropped Closed: 0
Redirect Access-list: 46
Total Packets Denied Redirect: 8195426
Total Packets Unassigned: 0
Group Access-list: 40
Total Messages Denied to Group: 14
Total Authentication failures: 8
Total Bypassed Packets Received: 0
So I can see the packets redirected, the cache never sees them, the router and cache can ping each other, the cache and LAN clients can ping each other - am I missing something?
so I found the problem... hopefully this helps somebody else in the future... the problem is the redirected packets were sourced from the router multilink1 interface IP address and the cache was expecting them from the router fa0/0 interface, so it dropped them.
also the cache has a "spoof client IP" option that was on, because we prefer to do this for netflow, but, I don't think client-IP-spoofing works with the standard web-cache wccp service. It was causing internet problems so I turned the spoofing off and it works fine...
hope this helps -
Connecting to Remote Desktop Published Apps through RD Web Access not working
Hello,
I have configured an RD Gateway server. My scenario is like I have a windows 2012R2 server with all RD components (Gateway, web access, connection broker, session host) configured, since this is for a poc. Externally I can access rd web access portal (https://<servername.domain.com>/rdweb)
and can connect to the target server using "Connect to a remote pc" tab without any issue.
But I can't connect to any published app from "Remote App and Desktop". The error I receive is "unable to connect to remote pc. please provide the fully-qualified name......."
At the same time I can see below errors in event logs related to connection broker:
Error 802:
RD Connection Broker failed to process the connection request for user domain\Administrator.
Error: Element not found.
Event 1306:
Remote Desktop Connection Broker Client failed to redirect the user domain\Administrator.
Error: NULL
Error 1296:
Remote Desktop Connection Broker Client failed while getting redirection packet from Connection Broker.
User : domain\Administrator
Error: Element not found.
Googling I could see some posts related to these issues, mentioning to check the network connectivity between RDCB and the target server. I can definitely say it is fine and, as already mentioned, I can connect to the same server using the "connect to remote pc" tab.
Just FYI, I have this server as Amazon EC2 instance and the domain is configured as Amazon directory service. Can someone please help me at the earliest.. This is pretty urgent as my tasks are pending due to this issue..
Vysakh
Hi,
I have seen similar issues with Essential role installed, if it’s installed on the terminal server, please remove it.
Please also ensure involved machines are fully patched and keep port 443 of the TS server open.
When external users connect to the Web Access page, are they able to see remote apps? If not, please check whether user assignment setting is configured correctly for remote apps.
Are users able to open remote apps from internal network?
Here are some related links below for you:
RDWeb URL Access Works Successful but cannot open Apps Externally only Internally
https://social.technet.microsoft.com/Forums/en-US/144a0543-7a7c-4899-a674-0fd29dacab7a/rdweb-url-access-works-successful-but-cannot-open-apps-externally-only-internally?forum=winserverTS
RemoteApp Internet
https://social.technet.microsoft.com/Forums/windowsserver/en-US/70a819de-3338-4427-a1c3-e38ef99dd4b3/remoteapp-internet?forum=winserverTS
Configuring RD web access for public/external access
https://social.technet.microsoft.com/Forums/windowsserver/en-US/4396d3e9-2ac5-4d0b-baba-25471498a349/configuring-rd-web-access-for-publicexternal-access?forum=winserverTS
Best Regards,
Amy
-
Windows 2012: Error: No computers available in the pool.
I've got Russian versions of all the components I am talking about. But I got no help on the Russian forum so I translated my question to English to post it here. So, messages from logs are translated back to English from Russian and they may look different to what you get in the English version (not translated to Russian and then back to English).
I have got two physical servers with Windows 2012 Server installed on them, one of them is Domain Controller, the other server got Remote Desktop roles: RD Connection Broker, RD Web Access and RD Virtualization Host. I use Hyper-V to create Virtual Machines on the second Server (server with RD roles installed).
I have created 2 collections: one Personal and one Pooled. Template machine used for both collections is a sysprepped clean install of Windows 8.1 Pro. I connect to collections through RDP file I am getting from RD Web Access.
When I connect to Pooled Collection everything is going fine but when I attempt to connect to Personal Collection I am getting Error "There are no computers available in the pool. Try to connect later or contact Administrator."
At that moment in Server log [translated by me from Russian]:
VDI
1306
Error
Microsoft-Windows-TerminalServices-SessionBroker-Client
Microsoft-Windows-TerminalServices-SessionBroker-Client/Operational
Connection Broker Client failed to redirect user domain\user.
Error: NULL
VDI
1296
Error
Microsoft-Windows-TerminalServices-SessionBroker-Client
Microsoft-Windows-TerminalServices-SessionBroker-Client/Operational
On getting a redirection packet from Connection Broker an error occured in Connection Broker Client.
Пользователь: domain\user
Error: Element not found.
VDI
802
Error
Microsoft-Windows-TerminalServices-SessionBroker
Microsoft-Windows-TerminalServices-SessionBroker/Admin
Connection Broker failed to process a connection request for user domain\user. Failed to perform load balancing OR end point not found.
Error: Access denied.
VDI
804
Error
Microsoft-Windows-TerminalServices-SessionBroker
Microsoft-Windows-TerminalServices-SessionBroker/Admin
Connection Broker failed to find a personal virtual desktop assigned to user domain\user. HRESULT = 0x80070005
I have tried using different options of AutoAssignPersonalDesktop (manual and automatic assignment), reinstalling the RD roles and even reinstalling the server with RD roles. Nothing helps. Errors remain the same.
I was using official guides when I installed RD roles on the server.
Hi,
Thank you for posting in windows Server Forum.
From the error description it seems that broker connection is not established well and also there might be some permission issue with user and groups. Please verify that RDSH can communicate with RDCB servers well.
Remote Desktop Connection Broker (RD Connection Broker), formerly Terminal Services Session Broker, is a Remote Desktop Services role service in Windows Server 2008 R2 that supports session load balancing between RD Session Host servers in a farm, connections
to virtual desktops, and reconnection to an existing session in a load-balanced RD Session Host server farm.
Event ID 1296 — RD Connection Broker Communication
http://technet.microsoft.com/en-us/library/ee891061(v=ws.10).aspx
Also you can check how the connection works from “A user is connected to a personal virtual desktop in the following way” this part from below article.
Deploying Personal Virtual Desktops by Using Remote Desktop Web Access Step-by-Step Guide
http://technet.microsoft.com/en-us/library/dd883277(v=ws.10).aspx
Hope it helps!
Thanks.
Dharmesh Solanki
TechNet Community Support -
Ipfilter: does policy routing work on Solaris 10?
Hello,
- Does the ipf redirection (aka policy routing) feature work with the
ipfilter that comes with Solaris 10?
I would like to use the ipf redirection statements "to
interface:router_ip" or "reply-to interface:router_ip" as described in
http://coombs.anu.edu.au/~avalon/ipf.new.txt
(The syntax is mentioned in the BNF of the Solaris 10 ipf(4) man
page, but the explanations there are lacking.)
On a machine that has two interfaces, the purpose is to send output
reply packets of a TCP session to the same interface that the input
packets came from. The idea to use ipfilter to do this comes from the
blog entry:
Packets out of the wrong interface
http://blogs.sun.com/carlson/entry/packets_out_of_the_wrong
My first try was to use "reply-to" in a "keep state" rule:
pass in quick on e1000g305000 reply-to e1000g305000:10.13.5.1 proto tcp from any to any port = 443 keep state keep frags group i_sso-test1
Which I understand as "once a connection to port 443 starts on
interface e1000g305000 send all reply packets to the same interface to
the gateway 10.13.5.1"
But it does not work; in the ipf log it shows that the rule matched:
22:56:32.770690 e1000g305000 @i_sso-test1:1 p 10.194.17.11,5648 -> 10.13.5.181,443 PR tcp len 20 60 -S K-S K-F IN
22:56:32.770783 e1000g0 @i_sso-test1:1 p 10.13.5.181,443 -> 10.194.17.11,5648 PR tcp len 20 44 -AS K-S K-F OUT
But the reply packet is not seen on the router (10.13.5.1), nor does
it get to 10.194.17.11 through another route (no firewall on that
machine).
My second try was to use two stateless rules, and to do "source port
routing" for outgoing packets:
pass in quick proto tcp from any to any port = 443 group i_sso-test1
pass out quick on e1000g0 to e1000g305000:10.13.5.1 proto tcp from any port = 443 to any group o_sso-test1
pass out quick proto tcp from any port = 443 to any group o_sso-test1
Which I understand as "incoming packets to port 443 are allowed and
outgoing packets from port 443, if passing on interface e1000g0, are
redirected through interface e1000g305000 via the gateway 10.13.5.1,
if not, are just allowed".
It does not work either; in the ipf log it shows that both the in and
the first out rules matched:
23:09:00.591163 e1000g305000 @i_sso-test1:1 p 10.194.17.11,26080 -> 10.13.5.181,443 PR tcp len 20 60 -S IN
23:09:00.591363 e1000g0 @o_sso-test1:1 p 10.13.5.181,443 -> 10.194.17.11,26080 PR tcp len 20 44 -AS OUT
But again the reply packet seems to be lost in thin air.
I have tried various other rules to no avail.
- Should this work with ipfilter v4.1.9 (592) coming with Solaris 10
u7?
- Am I missing something in the configuration?
- Shouldn't the ipf log show the outgoing reply packet twice? (Once on
the "wrong" interface e1000g0 and once on the interface it is
redirected to e1000g305000.) Or indicate in another manner that the
redirection occurred (like it indicates K-S for "keep state")?
Context:
# netstat -rn
Routing Table: IPv4
Destination Gateway Flags Ref Use Interface
default 10.194.7.1 UG 1 2407
default 10.194.7.1 UG 1 5104 e1000g0
10.13.5.0 10.13.5.181 U 1 5 e1000g305000:1
10.194.7.0 10.194.7.81 U 1 3 e1000g0:2
224.0.0.0 10.194.7.81 U 1 0 e1000g0:2
127.0.0.1 127.0.0.1 UH 1 7 lo0:7
# cat /etc/release
Solaris 10 5/09 s10s_u7wos_08 SPARC
Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
Use is subject to license terms.
Assembled 30 March 2009
# ipf -V
ipf: IP Filter: v4.1.9 (592)
Kernel: IP Filter: v4.1.9
Running: yes
Log Flags: 0x70000000 = pass, block, nomatch
Default: pass all, Logging: available
Active list: 0
Feature mask: 0x107
If it matters, this is occurring in a Solaris 10 zone, with virtual
interfaces one of which uses 801.q tagging (vlan 305, subnet
10.13.5.0/24), and the "router" is a Cisco ACE load balancer with
interface 10.13.5.1 on the server side.
Thanks in advance for your help in this matter!
Best regards,
Dominique
Mr Dominique Petitpierre Email: User@Domain
Division Informatique User=Dominique.Petitpierre
University of Geneva Domain=unige.ch
I was saying
If it matters, this is occurring in a Solaris 10 zone, with virtual
interfaces one of which uses 801.q tagging (vlan 305, subnet
10.13.5.0/24),...
Well, it turns out that 802.1q tagging does matter: packets redirected
by an ipf policy based routing rule to an interface with tagging are
not transmitted.
In order to better see what was happening the ipf rules were extended
like this (stateless case):
@1 pass in quick on e1000g0 proto tcp from any to any port = 443 group i_sso-test1
@2 pass in quick on e1000g305000 proto tcp from any to any port = 443 group i_sso-test1
@1 pass out quick on e1000g0 to e1000g305000:10.13.5.1 proto tcp from 10.13.5.181/32 port = 443 to any group o_sso-test1
@2 pass out quick on e1000g305000 to e1000g0:10.194.7.1 proto tcp from 10.194.7.81/32 port = 443 to any group o_sso-test1
@3 pass out quick on e1000g305000 proto tcp from any port = 443 to any group o_sso-test1
@4 pass out quick on e1000g0 proto tcp from any port = 443 to any group o_sso-test1
Also, for the purpose of the demonstration, the zone configuration was
modified to direct all packets to the same interface with tagging,
thus having just one default route:
zonecfg -z sso-test1 info net
net:
address: 10.13.5.181/24
physical: e1000g305000
defrouter: 10.13.5.1
net:
address: 10.194.7.81/24
physical: e1000g305000
defrouter: 10.13.5.1
netstat -rn
Routing Table: IPv4
Destination Gateway Flags Ref Use Interface
default 10.194.7.1 UG 1 2867
default 10.13.5.1 UG 1 86 e1000g305000
10.13.5.0 10.13.5.181 U 1 2 e1000g305000:1
10.194.7.0 10.194.7.81 U 1 0 e1000g305000:3
224.0.0.0 10.13.5.181 U 1 0 e1000g305000:1
127.0.0.1 127.0.0.1 UH 1 7 lo0:7
(In this peculiar case the default route to 10.194.7.1 is an artifact
displayed by netstat due to the zone isolation mechanism, but it is
not actually used for routing at the zone level; the interface without
tagging, e1000g0, is only displayed on the global zone where ipfilter
operates)
When testing from 10.194.17.11 with "telnet 10.13.4.180 443", it
works. And one can see in the ipf logs that it is the third out rule
that matched (@o_sso-test1:3), i.e. there was no redirection on
another interface (proof that there is nothing wrong with the context
setup):
16:59:30.479660 e1000g305000 @i_sso-test1:2 p 10.194.17.11,2111 -> 10.13.5.181,443 PR tcp len 20 60 -S IN
16:59:30.479844 e1000g305000 @o_sso-test1:3 p 10.13.5.181,443 -> 10.194.17.11,2111 PR tcp len 20 44 -AS OUT
16:59:30.480182 e1000g305000 @i_sso-test1:2 p 10.194.17.11,2111 -> 10.13.5.181,443 PR tcp len 20 40 -A IN
When testing from 10.194.17.11 with "telnet 10.194.7.81 443", it works
also. This time one can see in the ipf logs that it is the second out
rule that matched (@o_sso-test1:2), i.e. there was redirection from
e1000g305000 to e1000g0.
16:59:41.247101 e1000g0 @i_sso-test1:1 p 10.194.17.11,3851 -> 10.194.7.81,443 PR tcp len 20 60 -S IN
16:59:41.247206 e1000g305000 @o_sso-test1:2 p 10.194.7.81,443 -> 10.194.17.11,3851 PR tcp len 20 64 -AS OUT
16:59:41.247508 e1000g0 @i_sso-test1:1 p 10.194.17.11,3851 -> 10.194.7.81,443 PR tcp len 20 52 -A IN
A packet capture confirms this and one can see in the capture the
SYN-ACK reply packet go out on e1000g0.
The reverse case, essentially the original setup shown in my first
post, where the default route is the interface without tagging
(e1000g0) and the reply packet matches the redirection rule from
e1000g0 to the interface with tagging e1000g305000, the packet is lost
(i.e. is not visible in the packet capture on either interface).
Further tests with stateful redirection ("reply-to") show the same
pattern (does not work when packets are redirected to an interface
with tagging).
It looks like it is a bug: maybe ipfilter injects the redirected
packet at a processing stage where it should already have a 802.1q tag
but does not, or something similar; in the working case, ipfilter acts
on a not yet tagged packet which can be used "as is" at the same
processing stage on the non tagging interface, and thus is correctly
transmitted.
Conclusion: ipfilter policy based routing does work on Solaris 10u7,
but, at least in my setup, not when redirection occurs to a 802.1q
tagging interface.
- Could somebody confirm this?
- Is this a known bug? (I didn't find anything relevant on sunsolve or
on the ipfilter mailing list)
Edited by: kleinstein on Oct 1, 2009 4:41 AM -
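The thread infers redirection from which rule number shows up in the ipf log, because the logged interface is the one the rule matched on, not the one the `to` target names. As an added example (not code from the thread), the script below joins the posted rule set with posted log lines and reports, for every outgoing packet, the interface it is handed to and whether that interface is an 802.1q VLAN interface, the combination the poster reports as losing packets. The VLAN decoding relies on the Solaris naming convention (VLAN ID x 1000 + instance); the function names and the `at_risk` field are assumptions.

```python
import re

# Rule set copied from the thread (stateless case, with the @N numbering shown there).
RULES = """\
@1 pass in quick on e1000g0 proto tcp from any to any port = 443 group i_sso-test1
@2 pass in quick on e1000g305000 proto tcp from any to any port = 443 group i_sso-test1
@1 pass out quick on e1000g0 to e1000g305000:10.13.5.1 proto tcp from 10.13.5.181/32 port = 443 to any group o_sso-test1
@2 pass out quick on e1000g305000 to e1000g0:10.194.7.1 proto tcp from 10.194.7.81/32 port = 443 to any group o_sso-test1
@3 pass out quick on e1000g305000 proto tcp from any port = 443 to any group o_sso-test1
@4 pass out quick on e1000g0 proto tcp from any port = 443 to any group o_sso-test1
"""

# Log lines copied from the thread. The first is from the earlier test, where
# out rule 1 had the same redirect target as @1 above.
LOG = """\
23:09:00.591363 e1000g0 @o_sso-test1:1 p 10.13.5.181,443 -> 10.194.17.11,26080 PR tcp len 20 44 -AS OUT
16:59:30.479844 e1000g305000 @o_sso-test1:3 p 10.13.5.181,443 -> 10.194.17.11,2111 PR tcp len 20 44 -AS OUT
16:59:41.247101 e1000g0 @i_sso-test1:1 p 10.194.17.11,3851 -> 10.194.7.81,443 PR tcp len 20 60 -S IN
16:59:41.247206 e1000g305000 @o_sso-test1:2 p 10.194.7.81,443 -> 10.194.17.11,3851 PR tcp len 20 64 -AS OUT
"""

RULE_RE = re.compile(
    r"^@(?P<num>\d+) pass (?P<dir>in|out) quick on (?P<ifc>\S+)"
    r"(?: (?P<kind>to|reply-to) (?P<tif>[^:\s]+):(?P<gw>\S+))?"
    r" proto .* group (?P<group>\S+)$")
LOG_RE = re.compile(
    r"^(?P<time>\S+) (?P<ifc>\S+) @(?P<group>[^:\s]+):(?P<num>\d+) \S+ "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\S+) .* (?P<dir>IN|OUT)$")


def solaris_vlan(ifname):
    """Return the VLAN ID encoded in a Solaris interface name, or None.

    Solaris 10 names a VLAN interface <driver><VID*1000 + instance>,
    so e1000g305000 is VLAN 305 on e1000g0.
    """
    m = re.match(r"^(.*?\D)(\d+)$", ifname)
    if not m:
        return None
    ppa = int(m.group(2))
    return ppa // 1000 if ppa >= 1000 else None


def parse_rules(text):
    """Map (group, rule number) to the rule's redirect target, if any."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules[(m["group"], int(m["num"]))] = {"on": m["ifc"], "tif": m["tif"], "gw": m["gw"]}
    return rules


def analyze(rules_text, log_text):
    """For each logged OUT packet, work out where the matched rule sends it."""
    rules = parse_rules(rules_text)
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m or m["dir"] != "OUT":
            continue
        rule = rules.get((m["group"], int(m["num"])))
        target = rule["tif"] if rule else None
        egress = target or m["ifc"]
        vlan = solaris_vlan(egress)
        findings.append({
            "time": m["time"],
            "rule": "%s:%s" % (m["group"], m["num"]),
            "logged_on": m["ifc"],
            "egress": egress,
            "redirected": target is not None and target != m["ifc"],
            "vlan": vlan,
            # Redirect onto a tagged interface: the case reported as lost on 10u7.
            "at_risk": target is not None and vlan is not None,
        })
    return findings


if __name__ == "__main__":
    for f in analyze(RULES, LOG):
        print(f)
```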
Hello
We're setting up an scenario with datacenter with three WAEs using WCCP to distribute the load.
The core switches are catalyst 6500 so we're using redirect in. L2 redirection and mask to optimize forwarding of redirected packet.
the problem is that the three WAEs are not equal. Two are 612-2GB and the other is a 7341, so we want to use the weight parameter of the wccp tcp-promiscuous command, but I'm not sure if this parameter works also with the mask mode or only with hash mode. And couldn't find a definitive answer in the documentation.
Is it possible?
Regards, Fernando
Fernando,
Typically we don't see nor recommend using such different devices, especially in the data center. The 7341 can handle up to 12000 concurrent optimized connections, and the 612-2GB can only handle up to 4800 concurrent optimized connections. So, in the event of a 7341 failure you will lose more than half of the connection capacity your data center can handle.
However, you can use the weight keyword with mask assignment. I just confirmed in my lab two WAEs connected to a 6500 with the following config:
WAE 14.110.3.19
wccp router-list 1 14.110.3.17
wccp tcp-promiscuous mask src-ip-mask 0xf dst-ip-mask 0x0
wccp tcp-promiscuous router-list-num 1 weight 90 l2-redirect mask-assign
wccp version 2
WAE 14.110.3.20
wccp router-list 1 14.110.3.17
wccp tcp-promiscuous mask src-ip-mask 0xf dst-ip-mask 0x0
wccp tcp-promiscuous router-list-num 1 weight 10 l2-redirect mask-assign
wccp version 2
6500 output:
pdi-6500#sh ip wccp 61 det
WCCP Cache-Engine information:
Web Cache ID: 14.110.3.20
Protocol Version: 2.0
State: Usable
Redirection: L2
Packet Return: GRE
Packets Redirected: 0
Connect Time: 00:00:45
Assignment: MASK
Mask SrcAddr DstAddr SrcPort DstPort
0000: 0x0000000F 0x00000000 0x0000 0x0000
Value SrcAddr DstAddr SrcPort DstPort CE-IP
0014: 0x0000000E 0x00000000 0x0000 0x0000 0x0E6E0314 (14.110.3.20)
0015: 0x0000000F 0x00000000 0x0000 0x0000 0x0E6E0314 (14.110.3.20)
Web Cache ID: 14.110.3.19
Protocol Version: 2.0
State: Usable
Redirection: L2
Packet Return: GRE
Packets Redirected: 68
Connect Time: 00:00:39
Assignment: MASK
Mask SrcAddr DstAddr SrcPort DstPort
0000: 0x0000000F 0x00000000 0x0000 0x0000
Value SrcAddr DstAddr SrcPort DstPort CE-IP
0000: 0x00000000 0x00000000 0x0000 0x0000 0x0E6E0313 (14.110.3.19)
0001: 0x00000001 0x00000000 0x0000 0x0000 0x0E6E0313 (14.110.3.19)
0002: 0x00000002 0x00000000 0x0000 0x0000 0x0E6E0313 (14.110.3.19)
0003: 0x00000003 0x00000000 0x0000 0x0000 0x0E6E0313 (14.110.3.19)
0004: 0x00000004 0x00000000 0x0000 0x0000 0x0E6E0313 (14.110.3.19)
0005: 0x00000005 0x00000000 0x0000 0x0000 0x0E6E0313 (14.110.3.19)
0006: 0x00000006 0x00000000 0x0000 0x0000 0x0E6E0313 (14.110.3.19)
0007: 0x00000007 0x00000000 0x0000 0x0000 0x0E6E0313 (14.110.3.19)
0008: 0x00000008 0x00000000 0x0000 0x0000 0x0E6E0313 (14.110.3.19)
0009: 0x00000009 0x00000000 0x0000 0x0000 0x0E6E0313 (14.110.3.19)
0010: 0x0000000A 0x00000000 0x0000 0x0000 0x0E6E0313 (14.110.3.19)
0011: 0x0000000B 0x00000000 0x0000 0x0000 0x0E6E0313 (14.110.3.19)
0012: 0x0000000C 0x00000000 0x0000 0x0000 0x0E6E0313 (14.110.3.19)
0013: 0x0000000D 0x00000000 0x0000 0x0000 0x0E6E0313 (14.110.3.19)
So you will see the WAE with weight of 90 took 14 of the 16 available buckets.
Sorry for the confusion on the original update.
Regards,
Mike Korenbaum
Cisco WAAS PDI Help Desk
http://www.cisco.com/go/pdihelpdesk -
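The lab output above shows a 4-bit source-address mask producing 16 buckets, split 14/2 between the two WAEs. As an added example (not Cisco's code and not from the reply), the script below enumerates the bucket values for any mask, splits them by weight, and looks up which WAE a given client address lands on. The proportional split with largest-remainder rounding and the in-order contiguous assignment are assumptions chosen because they reproduce the table shown; the page does not state the actual WAAS algorithm, and the client addresses are constructed.

```python
import ipaddress


def mask_values(mask):
    """Enumerate every value a WCCP mask can produce, in bucket-index order.

    Bit i of the bucket index is deposited into the i-th set bit of the mask,
    so a mask with k bits set always yields 2**k buckets.
    """
    bits = [b for b in range(32) if (mask >> b) & 1]
    values = []
    for index in range(1 << len(bits)):
        value = 0
        for i, b in enumerate(bits):
            if (index >> i) & 1:
                value |= 1 << b
        values.append(value)
    return values


def split_buckets(n_buckets, weights):
    """Split n_buckets proportionally to weights (largest-remainder rounding).

    Assumption: this rounding rule is not taken from the page; it is used
    because it reproduces the 14/2 split in the lab output.
    """
    total = sum(weights)
    counts = [n_buckets * w // total for w in weights]
    remainders = [n_buckets * w % total for w in weights]
    leftover = n_buckets - sum(counts)
    # Hand the leftover buckets to the largest remainders, earlier entries first on ties.
    order = sorted(range(len(weights)), key=lambda i: (-remainders[i], i))
    for i in order[:leftover]:
        counts[i] += 1
    return counts


def assign(src_mask, engines):
    """Build {masked source value: WAE address} for engines = [(ip, weight), ...]."""
    values = mask_values(src_mask)
    counts = split_buckets(len(values), [w for _, w in engines])
    table, start = {}, 0
    for (ip, _), count in zip(engines, counts):
        for value in values[start:start + count]:
            table[value] = ip
        start += count
    return table


def engine_for(src_ip, src_mask, table):
    """Return the WAE that receives flows from src_ip under this assignment."""
    return table[int(ipaddress.IPv4Address(src_ip)) & src_mask]


if __name__ == "__main__":
    # Mask and weights from the WAE configuration in the reply above.
    engines = [("14.110.3.19", 90), ("14.110.3.20", 10)]
    table = assign(0xF, engines)
    for value in sorted(table):
        print("0x%08X -> %s" % (value, table[value]))
    # Constructed client addresses.
    for client in ("10.1.1.13", "10.1.1.14", "10.1.1.30"):
        print(client, "->", engine_for(client, 0xF, table))
```

Because a 4-bit mask only has 16 buckets, the 90/10 weights are quantised to 14/16 and 2/16 of the source-address space; a mask with more bits set gives a finer split.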
Migrate PPPoE/Virtual-Interface from 7206VXR to ASR 1002
Good Day,
I have been attempting to migrate services from an existing 7206VXR to a recently purchased ASR1002 and could use some help.
My mistake in assuming that the config would be similar to 7206VXR, but there are changes - mainly VRF and cisco-avpair attributes that need added to radius.
Our lab test, with the below ASR config will allow the user to authenticate successfully but does not assign IP address.
User Status: User is online
Last Connection: 2012-09-21 10:27:47
Online Time: 1 hours, 4 minutes, 15 seconds
Server (NAS): 206.251.40.52 (MAC: )
User Workstation: (MAC: )
User Upload: 6.5 Kb
User Download: 6.51 Kb

ID: 7837056
HotSpot:
Username: [email protected]
IP Address:
Start Time: 2012-09-21 10:27:47
Stop Time:
Total Time: 1 hours, 4 minutes, 15 seconds
Upload (Bytes): 6.5 Kb
Download (Bytes): 6.51 Kb
Termination:
NAS IP Address: 206.251.40.52
I have also tried assigning a static IP to the CPE, however the CPE cannot see 199.200.107.1.
No doubt the problem is something simple. I appreciate any help or suggestions.
Radius Reply Attributes
Cisco-AVPair += ip:vrf-id=CV_VRF
Cisco-AVPair += ip:ip-unnumbered=Loopback 111 (generates unsupported sub-interface errors when used)
7206VXR Config-
aaa new-model
aaa authentication login default group radius
aaa authentication login con none
aaa authentication login vty line local
aaa authentication login localauth local
aaa authentication ppp default if-needed group radius
aaa authorization network default group radius
aaa authorization network noauth none
aaa accounting update periodic 5
aaa accounting network default
action-type start-stop
group radius
aaa accounting system default
action-type start-stop
group radius
bba-group pppoe 156
virtual-template 156
sessions per-vc limit 65000
sessions per-mac limit 65000
sessions per-vlan limit 65000
interface Loopback0
ip address 10.1.1.3 255.255.255.255
ip ospf network point-to-point
interface GigabitEthernet0/1
no ip address
no ip redirects
duplex full
speed 1000
media-type rj45
no negotiation auto
no cdp enable
interface GigabitEthernet0/1.20
description ROUTER GATEWAY
encapsulation dot1Q 20
ip address 206.251.40.51 255.255.255.248
no cdp enable
interface GigabitEthernet0/2
no ip address
no ip redirects
duplex full
speed 1000
media-type rj45
no negotiation auto
no cdp enable
interface GigabitEthernet0/2.156
encapsulation dot1Q 156
ip address 199.30.185.1 255.255.255.0 secondary
ip address 199.30.186.1 255.255.255.0 secondary
ip address 199.30.187.1 255.255.255.0 secondary
ip address 199.30.184.1 255.255.255.0
pppoe enable group 156
no cdp enable
interface Virtual-Template156
ip unnumbered GigabitEthernet0/2.156
no ip redirects
no ip route-cache cef
peer default ip address pool IP_POOL156
ppp mtu adaptive
ppp authentication pap
ip local pool IP_POOL156 199.30.184.2 199.30.184.254
ip local pool IP_POOL156 199.30.185.2 199.30.185.254
ip local pool IP_POOL156 199.30.186.2 199.30.186.254
ip local pool IP_POOL156 199.30.187.2 199.30.187.254
no ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 199.30.184.0 255.255.252.0 Null0 200
ip prefix-list AS19045 seq 10 permit 199.30.184.0/22
ip radius source-interface GigabitEthernet0/1.20
radius-server host x.x.x.x auth-port 1812 acct-port 1813
radius-server retransmit 1
radius-server timeout 60
radius-server key ********
radius-server vsa send accounting
radius-server vsa send authentication
ASR 1002 Config (attempt)
aaa new-model
aaa group server radius AAA_CV_VRF
server 208.98.188.6 auth-port 1812 acct-port 1813
aaa authentication login default group AAA_CV_VRF
aaa authentication login con none
aaa authentication login vty line local
aaa authentication login localauth local
aaa authentication ppp default if-needed group AAA_CV_VRF
aaa authorization network default group AAA_CV_VRF
aaa authorization network noauth none
aaa accounting update newinfo periodic 60
aaa accounting network default start-stop group AAA_CV_VRF
aaa accounting connection default start-stop group AAA_CV_VRF
aaa accounting system default
action-type start-stop
group AAA_CV_VRF
aaa accounting resource default start-stop group AAA_CV_VRF
aaa session-id common
aaa policy interface-config allow-subinterface
clock timezone MST -7 0
clock summer-time MST recurring
no ip source-route
ip vrf CV_VRF
rd 1:1
virtual-profile if-needed
multilink bundle-name authenticated
bba-group pppoe 111
description TEST
virtual-template 111
sessions per-vc limit 65000
sessions per-mac limit 65000
sessions per-vlan limit 65000
sessions auto cleanup
interface Loopback0
ip address 10.1.1.4 255.255.255.255
ip ospf network point-to-point
interface Loopback111
description TEST
ip vrf forwarding CV_VRF
ip address 199.200.107.1 255.255.255.0
interface GigabitEthernet0/0/2
no ip address
no ip redirects
no negotiation auto
interface GigabitEthernet0/0/2.20
description ROUTER GATEWAY
encapsulation dot1Q 20
ip address 206.251.40.52 255.255.255.248
interface GigabitEthernet0/0/3
no ip address
no ip redirects
no negotiation auto
interface GigabitEthernet0/0/3.111
encapsulation dot1Q 111
ip vrf forwarding CV_VRF
no ip proxy-arp
pppoe enable group 111
interface Virtual-Template111
ip unnumbered GigabitEthernet0/0/3.111
no ip redirects
no ip route-cache cef
peer default ip address pool IP_POOL111
ppp mtu adaptive
ppp authentication pap
router ospf 19045
router-id 10.1.1.4
network 10.1.1.4 0.0.0.0 area 0.0.0.0
network 199.200.107.0 0.0.0.255 area 0.0.0.0
network 206.251.40.48 0.0.0.7 area 0.0.0.0
router bgp 19045
bgp log-neighbor-changes
network 199.200.104.0 mask 255.255.252.0
network 206.251.40.0 mask 255.255.248.0
neighbor 10.1.1.1 remote-as 19045
neighbor 10.1.1.1 description IBGP_PEER_ASR
neighbor 10.1.1.1 update-source Loopback0
neighbor 10.1.1.1 next-hop-self
ip local pool IP_POOL111 199.200.107.2 199.200.107.254
no ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 206.251.40.49
ip route 199.200.104.0 255.255.252.0 Null0 200
ip prefix-list AS19045 seq 10 permit 199.200.104.0/22
ip radius source-interface GigabitEthernet0/0/2.20
radius-server host x.x.x.x auth-port 1812 acct-port 1813 key ********
radius-server retransmit 1
radius-server timeout 60
radius-server vsa send accounting
radius-server vsa send authentication
Debug Info
*Sep 20 22:03:26.677: [910]PPPoE 1911: AAA get dynamic attrs
*Sep 20 22:03:26.678: [910]PPPoE 1911: O PADT R:6468.0cf7.8546 L:f866.f287.7c83 Gi0/0/3.111
*Sep 20 22:03:26.678: [910]PPPoE 1911: Destroying R:6468.0cf7.8546 L:f866.f287.7c83 111 Gi0/0/3.111
*Sep 20 22:03:26.678: PPPoE: Returning Vaccess Virtual-Access3
*Sep 20 22:03:26.679: [910]PPPoE 1911: AAA get dynamic attrs
*Sep 20 22:03:26.679: [910]PPPoE 1911: AAA account stopped
*Sep 20 22:03:26.679: RADIUS/ENCODE(00000791):Orig. component type = PPPoE
*Sep 20 22:03:26.679: RADIUS(00000791): Config NAS IP: 0.0.0.0
*Sep 20 22:03:26.679: RADIUS(00000791): Config NAS IPv6: ::
*Sep 20 22:03:26.679: RADIUS(00000791): sending
*Sep 20 22:03:26.682: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to down
*Sep 20 22:03:26.682: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to down
*Sep 20 22:03:26.683: RADIUS/ENCODE: Best Local IP-Address 206.251.40.52 for Radius-Server 208.98.188.6
*Sep 20 22:03:26.683: RADIUS(00000791): Sending a IPv4 Radius Packet
*Sep 20 22:03:26.683: RADIUS(00000791): Send Accounting-Request to 208.98.188.6:1813 id 1646/71,len 379
*Sep 20 22:03:26.683: RADIUS: authenticator A6 50 A4 C3 2A 30 AB DA - 59 BF E8 75 8A 91 AA 9B
*Sep 20 22:03:26.683: RADIUS: Acct-Session-Id [44] 10 "00000D51"
*Sep 20 22:03:26.683: RADIUS: Framed-Protocol [7] 6 PPP [1]
*Sep 20 22:03:26.683: RADIUS: Vendor, Cisco [26] 53
*Sep 20 22:03:26.683: RADIUS: Cisco AVpair [1] 47 "ppp-disconnect-cause=Lower Layer disconnected"
*Sep 20 22:03:26.683: RADIUS: User-Name [1] 19 "[email protected]"
*Sep 20 22:03:26.683: RADIUS: Acct-Authentic [45] 6 RADIUS [1]
*Sep 20 22:03:26.683: RADIUS: Vendor, Cisco [26] 32
*Sep 20 22:03:26.683: RADIUS: Cisco AVpair [1] 26 "connect-progress=Call Up"
*Sep 20 22:03:26.683: RADIUS: Vendor, Cisco [26] 31
*Sep 20 22:03:26.683: RADIUS: Cisco AVpair [1] 25 "nas-tx-speed=1000000000"
*Sep 20 22:03:26.683: RADIUS: Vendor, Cisco [26] 31
*Sep 20 22:03:26.683: RADIUS: Cisco AVpair [1] 25 "nas-rx-speed=1000000000"
*Sep 20 22:03:26.683: RADIUS: Acct-Session-Time [46] 6 615
*Sep 20 22:03:26.683: RADIUS: Acct-Input-Octets [42] 6 1040
*Sep 20 22:03:26.683: RADIUS: Acct-Output-Octets [43] 6 1066
*Sep 20 22:03:26.683: RADIUS: Acct-Input-Packets [47] 6 78
*Sep 20 22:03:26.684: RADIUS: Acct-Output-Packets [48] 6 79
*Sep 20 22:03:26.684: RADIUS: Acct-Terminate-Cause[49] 6 admin-reset [6]
*Sep 20 22:03:26.684: RADIUS: Vendor, Cisco [26] 39
*Sep 20 22:03:26.684: RADIUS: Cisco AVpair [1] 33 "disc-cause-ext=Local Admin Disc"
*Sep 20 22:03:26.684: RADIUS: Acct-Status-Type [40] 6 Stop [2]
*Sep 20 22:03:26.684: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Sep 20 22:03:26.684: RADIUS: NAS-Port [5] 6 0
*Sep 20 22:03:26.684: RADIUS: NAS-Port-Id [87] 11 "0/0/3/111"
*Sep 20 22:03:26.684: RADIUS: Vendor, Cisco [26] 41
*Sep 20 22:03:26.684: RADIUS: Cisco AVpair [1] 35 "client-mac-address=6468.0cf7.8546"
*Sep 20 22:03:26.684: RADIUS: Connect-Info [77] 8 "CV_VRF"
*Sep 20 22:03:26.684: RADIUS: Service-Type [6] 6 Framed [2]
*Sep 20 22:03:26.684: RADIUS: NAS-IP-Address [4] 6 206.251.40.52
*Sep 20 22:03:26.684: RADIUS: Acct-Delay-Time [41] 6 0
*Sep 20 22:03:26.684: RADIUS(00000791): Started 60 sec timeout
*Sep 20 22:03:26.686: [910]PPPoE 1911: Segment (SSS class): UNBOUND
*Sep 20 22:03:26.686: [910]PPPoE 1911: Vi3 Block vaccess from being freed.
*Sep 20 22:03:26.687: [910]PPPoE 1911: Segment (SSS class): UNPROVISION
*Sep 20 22:03:26.687: [910]PPPoE 1911: failed to remove session from switching hash table.
*Sep 20 22:03:26.694: PPPoE 1911: I PADT R:6468.0cf7.8546 L:f866.f287.7c83 111 Gi0/0/3.111
*Sep 20 22:03:26.758: RADIUS: Received from id 1646/71 208.98.188.6:1813, Accounting-response, len 20
*Sep 20 22:03:26.758: RADIUS: authenticator E3 A2 A1 EE B0 3F 43 1C - 03 B6 84 A8 20 0D B8 90
*Sep 20 22:03:32.713: PPPoE 0: I PADI R:6468.0cf7.8546 L:ffff.ffff.ffff 111 Gi0/0/3.111
*Sep 20 22:03:32.713: Service tag: NULL Tag
*Sep 20 22:03:32.713: PPPoE 0: O PADO, R:f866.f287.7c83 L:6468.0cf7.8546 111 Gi0/0/3.111
*Sep 20 22:03:32.713: Service tag: NULL Tag
*Sep 20 22:03:32.722: PPPoE 0: I PADR R:6468.0cf7.8546 L:f866.f287.7c83 111 Gi0/0/3.111
*Sep 20 22:03:32.722: Service tag: NULL Tag
*Sep 20 22:03:32.722: PPPoE : encap string prepared
*Sep 20 22:03:32.722: [911]PPPoE 1912: Access IE handle allocated
*Sep 20 22:03:32.722: [911]PPPoE 1912: AAA get retrieved attrs
*Sep 20 22:03:32.722: [911]PPPoE 1912: AAA get nas port details
*Sep 20 22:03:32.722: [911]PPPoE 1912: Error adjusting nas port format did
*Sep 20 22:03:32.722: [911]PPPoE 1912: AAA get dynamic attrs
*Sep 20 22:03:32.722: [911]PPPoE 1912: AAA unique ID 792 allocated
*Sep 20 22:03:32.722: [911]PPPoE 1912: AAA method list set
*Sep 20 22:03:32.722: [911]PPPoE 1912: Service request sent to SSS
*Sep 20 22:03:32.723: [911]PPPoE 1912: Created, Service: None R:f866.f287.7c83 L:6468.0cf7.8546 111 Gi0/0/3.111
*Sep 20 22:03:32.723: [911]PPPoE 1912: State NAS_PORT_POLICY_INQUIRY Event SSS MORE KEYS
*Sep 20 22:03:32.724: [911]PPPoE 1912: data path set to PPP
*Sep 20 22:03:32.724: [911]PPPoE 1912: Segment (SSS class): PROVISION
*Sep 20 22:03:32.724: [911]PPPoE 1912: State PROVISION_PPP Event SSM PROVISIONED
*Sep 20 22:03:32.724: [911]PPPoE 1912: O PADS R:6468.0cf7.8546 L:f866.f287.7c83 Gi0/0/3.111
*Sep 20 22:03:32.724: [911]PPPoE 1912 <Gi0/0/3.111:111>: Unable to add line attributes from ANCP
*Sep 20 22:03:32.724: [911]PPPoE 1912: Unable to Add ANCP Line attributes to the PPPoE Authen attributes
*Sep 20 22:03:33.845: RADIUS/ENCODE(00000792):Orig. component type = PPPoE
*Sep 20 22:03:33.845: RADIUS: DSL line rate attributes successfully added
*Sep 20 22:03:33.845: RADIUS(00000792): Config NAS IP: 0.0.0.0
*Sep 20 22:03:33.845: RADIUS(00000792): Config NAS IPv6: ::
*Sep 20 22:03:33.845: RADIUS/ENCODE(00000792): acct_session_id: 3411
*Sep 20 22:03:33.845: RADIUS(00000792): sending
*Sep 20 22:03:33.845: RADIUS/ENCODE: Best Local IP-Address 206.251.40.52 for Radius-Server 208.98.188.6
*Sep 20 22:03:33.845: RADIUS(00000792): Sending a IPv4 Radius Packet
*Sep 20 22:03:33.845: RADIUS(00000792): Send Access-Request to 208.98.188.6:1812 id 1645/56,len 124
*Sep 20 22:03:33.846: RADIUS: authenticator 3E 87 16 F9 FF 1A F8 74 - D6 7F 38 C3 F0 98 6E 6F
*Sep 20 22:03:33.846: RADIUS: User-Name [1] 10 "dcdi.net"
*Sep 20 22:03:33.846: RADIUS: User-Password [2] 18 *
*Sep 20 22:03:33.846: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Sep 20 22:03:33.846: RADIUS: NAS-Port [5] 6 0
*Sep 20 22:03:33.846: RADIUS: NAS-Port-Id [87] 11 "0/0/3/111"
*Sep 20 22:03:33.846: RADIUS: Vendor, Cisco [26] 41
*Sep 20 22:03:33.846: RADIUS: Cisco AVpair [1] 35 "client-mac-address=6468.0cf7.8546"
*Sep 20 22:03:33.846: RADIUS: Service-Type [6] 6 Outbound [5]
*Sep 20 22:03:33.846: RADIUS: NAS-IP-Address [4] 6 206.251.40.52
*Sep 20 22:03:33.846: RADIUS(00000792): Started 60 sec timeout
*Sep 20 22:03:34.868: RADIUS: Received from id 1645/56 208.98.188.6:1812, Access-Reject, len 20
*Sep 20 22:03:34.868: RADIUS: authenticator 02 CF 53 0A 6A 62 E5 DB - 2E 96 99 E4 09 D8 2E B1
*Sep 20 22:03:34.868: RADIUS(00000792): Received from id 1645/56
*Sep 20 22:03:34.869: RADIUS/ENCODE(00000792):Orig. component type = PPPoE
*Sep 20 22:03:34.869: RADIUS: DSL line rate attributes successfully added
*Sep 20 22:03:34.869: RADIUS(00000792): Config NAS IP: 0.0.0.0
*Sep 20 22:03:34.869: RADIUS(00000792): Config NAS IPv6: ::
*Sep 20 22:03:34.869: RADIUS/ENCODE(00000792): acct_session_id: 3411
*Sep 20 22:03:34.869: RADIUS(00000792): sending
*Sep 20 22:03:34.870: RADIUS/ENCODE: Best Local IP-Address 206.251.40.52 for Radius-Server 208.98.188.6
*Sep 20 22:03:34.870: RADIUS(00000792): Sending a IPv4 Radius Packet
*Sep 20 22:03:34.870: RADIUS(00000792): Send Access-Request to 208.98.188.6:1812 id 1645/57,len 139
*Sep 20 22:03:34.870: RADIUS: authenticator 8D 12 A1 E3 30 52 B0 F5 - 1C CD 8F 60 49 E9 F4 26
*Sep 20 22:03:34.870: RADIUS: Framed-Protocol [7] 6 PPP [1]
*Sep 20 22:03:34.870: RADIUS: User-Name [1] 19 "[email protected]"
*Sep 20 22:03:34.870: RADIUS: User-Password [2] 18 *
*Sep 20 22:03:34.870: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Sep 20 22:03:34.870: RADIUS: NAS-Port [5] 6 0
*Sep 20 22:03:34.870: RADIUS: NAS-Port-Id [87] 11 "0/0/3/111"
*Sep 20 22:03:34.870: RADIUS: Vendor, Cisco [26] 41
*Sep 20 22:03:34.870: RADIUS: Cisco AVpair [1] 35 "client-mac-address=6468.0cf7.8546"
*Sep 20 22:03:34.870: RADIUS: Service-Type [6] 6 Framed [2]
*Sep 20 22:03:34.870: RADIUS: NAS-IP-Address [4] 6 206.251.40.52
*Sep 20 22:03:34.870: RADIUS(00000792): Started 60 sec timeout
*Sep 20 22:03:34.894: RADIUS: Received from id 1645/57 208.98.188.6:1812, Access-Accept, len 44
*Sep 20 22:03:34.894: RADIUS: authenticator AC 92 A9 7C 1F CB 46 6B - F6 68 03 D8 AF 0B F0 F5
*Sep 20 22:03:34.894: RADIUS: Vendor, Cisco [26] 24
*Sep 20 22:03:34.894: RADIUS: Cisco AVpair [1] 18 "ip:vrf-id=CV_VRF"
*Sep 20 22:03:34.894: RADIUS(00000792): Received from id 1645/57
*Sep 20 22:03:34.902: [911]PPPoE 1912: State LCP_NEGOTIATION Event SSS CONNECT LOCAL
*Sep 20 22:03:34.904: [911]PPPoE 1912: Segment (SSS class): UPDATED
*Sep 20 22:03:34.904: [911]PPPoE 1912: Segment (SSS class): BOUND
*Sep 20 22:03:34.904: [911]PPPoE 1912: data path set to Virtual Acess
*Sep 20 22:03:34.905: [911]PPPoE 1912: State LCP_NEGOTIATION Event SSM UPDATED
*Sep 20 22:03:34.905: [911]PPPoE 1912: AAA get dynamic attrs
*Sep 20 22:03:34.906: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
*Sep 20 22:03:34.907: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up
*Sep 20 22:03:34.907: RADIUS/ENCODE(00000792):Orig. component type = PPPoE
*Sep 20 22:03:34.907: RADIUS(00000792): Config NAS IP: 0.0.0.0
*Sep 20 22:03:34.907: RADIUS(00000792): Config NAS IPv6: ::
*Sep 20 22:03:34.907: RADIUS(00000792): sending
*Sep 20 22:03:34.907: [911]PPPoE 1912: State PTA_BINDING Event STATIC BIND RESPONSE
*Sep 20 22:03:34.907: [911]PPPoE 1912: Connected PTA
*Sep 20 22:03:34.908: RADIUS/ENCODE: Best Local IP-Address 206.251.40.52 for Radius-Server 208.98.188.6
*Sep 20 22:03:34.913: RADIUS(00000792): Sending a IPv4 Radius Packet
*Sep 20 22:03:34.913: RADIUS(00000792): Send Accounting-Request to 208.98.188.6:1813 id 1646/72,len 189
*Sep 20 22:03:34.913: RADIUS: authenticator 5B 19 2B 31 5B 6C E7 46 - 5D 69 8D 66 99 13 2E F0
*Sep 20 22:03:34.913: RADIUS: Acct-Session-Id [44] 10 "00000D53"
*Sep 20 22:03:34.913: RADIUS: Framed-Protocol [7] 6 PPP [1]
*Sep 20 22:03:34.913: RADIUS: User-Name [1] 19 "[email protected]"
*Sep 20 22:03:34.913: RADIUS: Vendor, Cisco [26] 32
*Sep 20 22:03:34.913: RADIUS: Cisco AVpair [1] 26 "connect-progress=Call Up"
*Sep 20 22:03:34.913: RADIUS: Acct-Authentic [45] 6 RADIUS [1]
*Sep 20 22:03:34.913: RADIUS: Acct-Status-Type [40] 6 Start [1]
*Sep 20 22:03:34.913: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Sep 20 22:03:34.913: RADIUS: NAS-Port [5] 6 0
*Sep 20 22:03:34.913: RADIUS: NAS-Port-Id [87] 11 "0/0/3/111"
*Sep 20 22:03:34.913: RADIUS: Vendor, Cisco [26] 41
*Sep 20 22:03:34.913: RADIUS: Cisco AVpair [1] 35 "client-mac-address=6468.0cf7.8546"
*Sep 20 22:03:34.913: RADIUS: Connect-Info [77] 8 "CV_VRF"
*Sep 20 22:03:34.913: RADIUS: Service-Type [6] 6 Framed [2]
*Sep 20 22:03:34.913: RADIUS: NAS-IP-Address [4] 6 206.251.40.52
*Sep 20 22:03:34.914: RADIUS: Acct-Delay-Time [41] 6 0
*Sep 20 22:03:34.914: RADIUS(00000792): Started 60 sec timeout
*Sep 20 22:03:34.994: RADIUS: Received from id 1646/72 208.98.188.6:1813, Accounting-response, len 20
*Sep 20 22:03:34.994: RADIUS: authenticator 8E E3 AD 24 76 EA C2 53 - AD 0F DD 57 AC 0D F3 BA
sho debug
coreASR1002#sho debugging
General OS:
AAA subscriber profile cli debugging is on
PPPoE:
PPPoE protocol events debugging is on
PPPoE protocol errors debugging is on
Radius protocol debugging is on
Radius packet protocol debugging is on
Good Day Manuel,
"...client is not getting IP address even though the sessions seems to be up. Is this correct?" Correct.
What I am seeing and suspecting is the problem has to do with 'ip:ip-unnumbered=interface'.
Trying with the ip:ip-unnumbered=Loopback111 or GigabitEthernet0/0/3.111 (for testing), debugging reports "Session creation failed due to full virtual-access interfaces not being supported...". As soon as the attribute is removed in RADIUS, the client authenticates but does not get an IP address. I would rather not use Loopback if possible.
GE0/0/3.111 is basically the client egress and GE0/0/2.20 is the ingress/router gateway
Also seeing this debug message, "...Unable to add line attributes from ANCP ... Unable to Add ANCP Line attributes to the PPPoE Authen attributes" which may or may not relate to ip-unnumbered attribute.
I hope the information isn't too much or confusing, sure appreciate the help.
debugging with ip:vrf-id=CV_VRF w/o ip:ip-unnumbered
*Sep 26 17:04:57.395: Vi3 PPP DISC: Lower Layer disconnected
*Sep 26 17:04:57.396: Vi3 PPP: Sending Acct Event[Down] id[5FB]
*Sep 26 17:04:57.396: PPP: NET STOP send to AAA.
*Sep 26 17:04:57.396: Vi3 LCP: O TERMREQ [Open] id 4 len 4
*Sep 26 17:04:57.396: Vi3 LCP: Event[CLOSE] State[Open to Closing]
*Sep 26 17:04:57.396: Vi3 PPP: Phase is TERMINATING
*Sep 26 17:04:57.397: Vi3 PPP: Block vaccess from being freed [0x10]
*Sep 26 17:04:57.398: Vi3 LCP: Event[DOWN] State[Closing to Initial]
*Sep 26 17:04:57.399: Vi3 PPP: Unlocked by [0x10] Still Locked by [0x0]
*Sep 26 17:04:57.399: Vi3 PPP: Free previously blocked vaccess
*Sep 26 17:04:57.399: Vi3 PPP: Phase is DOWN
*Sep 26 17:04:57.400: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to down
*Sep 26 17:04:57.401: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to down
*Sep 26 17:05:03.440: PPP: Alloc Context [38E95CFC]
*Sep 26 17:05:03.440: ppp514 PPP: Phase is ESTABLISHING
*Sep 26 17:05:03.440: ppp514 PPP: Using vpn set call direction
*Sep 26 17:05:03.440: ppp514 PPP: Treating connection as a callin
*Sep 26 17:05:03.440: ppp514 PPP: Session handle[1D0005EB] Session id[514]
*Sep 26 17:05:03.440: ppp514 LCP: Event[OPEN] State[Initial to Starting]
*Sep 26 17:05:03.441: ppp514 PPP LCP: Enter passive mode, state[Stopped]
*Sep 26 17:05:04.522: ppp514 LCP: I CONFREQ [Stopped] id 180 len 10
*Sep 26 17:05:04.522: ppp514 LCP: MagicNumber 0x0669ECAE (0x05060669ECAE)
*Sep 26 17:05:04.522: ppp514 LCP: O CONFREQ [Stopped] id 1 len 18
*Sep 26 17:05:04.522: ppp514 LCP: MRU 1492 (0x010405D4)
*Sep 26 17:05:04.522: ppp514 LCP: AuthProto PAP (0x0304C023)
*Sep 26 17:05:04.522: ppp514 LCP: MagicNumber 0x6ABFFB9F (0x05066ABFFB9F)
*Sep 26 17:05:04.522: ppp514 LCP: O CONFACK [Stopped] id 180 len 10
*Sep 26 17:05:04.522: ppp514 LCP: MagicNumber 0x0669ECAE (0x05060669ECAE)
*Sep 26 17:05:04.522: ppp514 LCP: Event[Receive ConfReq+] State[Stopped to ACKsent]
*Sep 26 17:05:04.525: ppp514 LCP: I CONFACK [ACKsent] id 1 len 18
*Sep 26 17:05:04.526: ppp514 LCP: MRU 1492 (0x010405D4)
*Sep 26 17:05:04.526: ppp514 LCP: AuthProto PAP (0x0304C023)
*Sep 26 17:05:04.526: ppp514 LCP: MagicNumber 0x6ABFFB9F (0x05066ABFFB9F)
*Sep 26 17:05:04.526: ppp514 LCP: Event[Receive ConfAck] State[ACKsent to Open]
*Sep 26 17:05:04.528: ppp514 PPP: Queue PAP code[1] id[15]
*Sep 26 17:05:04.529: ppp514 PPP: Phase is AUTHENTICATING, by this end
*Sep 26 17:05:04.529: ppp514 PAP: Redirect packet to ppp514
*Sep 26 17:05:04.529: ppp514 PAP: I AUTH-REQ id 15 len 31 from "[email protected]"
*Sep 26 17:05:04.529: ppp514 PAP: Authenticating peer [email protected]
*Sep 26 17:05:04.529: ppp514 PPP: Phase is FORWARDING, Attempting Forward
*Sep 26 17:05:04.529: ppp514 LCP: State is Open
*Sep 26 17:05:05.553: ppp514 PPP: Phase is AUTHENTICATING, Unauthenticated User
*Sep 26 17:05:05.553: ppp514 PPP: Sent PAP LOGIN Request
*Sep 26 17:05:05.584: ppp514 PPP: Received LOGIN Response PASS
*Sep 26 17:05:05.584: ppp514 PPP: Phase is FORWARDING, Attempting Forward
*Sep 26 17:05:05.594: Vi3 PPP: Phase is AUTHENTICATING, Authenticated User
*Sep 26 17:05:05.594: Vi3 PAP: O AUTH-ACK id 15 len 5
*Sep 26 17:05:05.595: Vi3 PPP: Phase is UP
*Sep 26 17:05:05.595: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
*Sep 26 17:05:05.596: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up
*Sep 26 17:05:05.606: Vi3 IPCP: I CONFREQ [UNKNOWN] id 44 len 22
*Sep 26 17:05:05.606: Vi3 IPCP: Address 0.0.0.0 (0x030600000000)
*Sep 26 17:05:05.606: Vi3 IPCP: PrimaryDNS 0.0.0.0 (0x810600000000)
*Sep 26 17:05:05.606: Vi3 IPCP: SecondaryDNS 0.0.0.0 (0x830600000000)
*Sep 26 17:05:05.606: Vi3 LCP: O PROTREJ [Open] id 2 len 28 protocol IPCP
*Sep 26 17:05:05.606: Vi3 LCP: (0x012C0018030600000000810600000000)
*Sep 26 17:05:05.606: Vi3 LCP: (0x830600000000)
*Sep 26 17:05:05.607: Vi3 IPV6CP: I CONFREQ [UNKNOWN] id 26 len 14
*Sep 26 17:05:05.607: Vi3 IPV6CP: Interface-Id 5421:6C1B:5DCE:401A (0x010A54216C1B5DCE401A)
*Sep 26 17:05:05.607: Vi3 LCP: O PROTREJ [Open] id 3 len 20 protocol IPV6CP (0x011A0010010A54216C1B5DCE401A)
debugging w/o ip:vrf-id=CV_VRF w/o ip:ip-unnumbered
*Sep 26 17:13:12.424: Vi3 PPP DISC: Lower Layer disconnected
*Sep 26 17:13:12.424: Vi3 PPP: Sending Acct Event[Down] id[5FE]
*Sep 26 17:13:12.425: PPP: NET STOP send to AAA.
*Sep 26 17:13:12.425: Vi3 LCP: O TERMREQ [Open] id 4 len 4
*Sep 26 17:13:12.425: Vi3 LCP: Event[CLOSE] State[Open to Closing]
*Sep 26 17:13:12.425: Vi3 PPP: Phase is TERMINATING
*Sep 26 17:13:12.426: Vi3 PPP: Block vaccess from being freed [0x10]
*Sep 26 17:13:12.426: Vi3 LCP: Event[DOWN] State[Closing to Initial]
*Sep 26 17:13:12.428: Vi3 PPP: Unlocked by [0x10] Still Locked by [0x0]
*Sep 26 17:13:12.428: Vi3 PPP: Free previously blocked vaccess
*Sep 26 17:13:12.428: Vi3 PPP: Phase is DOWN
*Sep 26 17:13:12.429: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to down
*Sep 26 17:13:12.430: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to down
*Sep 26 17:13:18.485: PPP: Alloc Context [38E95CFC]
*Sep 26 17:13:18.485: ppp515 PPP: Phase is ESTABLISHING
*Sep 26 17:13:18.486: ppp515 PPP: Using vpn set call direction
*Sep 26 17:13:18.486: ppp515 PPP: Treating connection as a callin
*Sep 26 17:13:18.486: ppp515 PPP: Session handle[AC0005EC] Session id[515]
*Sep 26 17:13:18.486: ppp515 LCP: Event[OPEN] State[Initial to Starting]
*Sep 26 17:13:18.486: ppp515 PPP LCP: Enter passive mode, state[Stopped]
*Sep 26 17:13:19.572: ppp515 LCP: I CONFREQ [Stopped] id 181 len 10
*Sep 26 17:13:19.572: ppp515 LCP: MagicNumber 0x171E542B (0x0506171E542B)
*Sep 26 17:13:19.572: ppp515 LCP: O CONFREQ [Stopped] id 1 len 18
*Sep 26 17:13:19.572: ppp515 LCP: MRU 1492 (0x010405D4)
*Sep 26 17:13:19.572: ppp515 LCP: AuthProto PAP (0x0304C023)
*Sep 26 17:13:19.572: ppp515 LCP: MagicNumber 0x6AC78AB2 (0x05066AC78AB2)
*Sep 26 17:13:19.572: ppp515 LCP: O CONFACK [Stopped] id 181 len 10
*Sep 26 17:13:19.572: ppp515 LCP: MagicNumber 0x171E542B (0x0506171E542B)
*Sep 26 17:13:19.572: ppp515 LCP: Event[Receive ConfReq+] State[Stopped to ACKsent]
*Sep 26 17:13:19.576: ppp515 LCP: I CONFACK [ACKsent] id 1 len 18
*Sep 26 17:13:19.576: ppp515 LCP: MRU 1492 (0x010405D4)
*Sep 26 17:13:19.576: ppp515 LCP: AuthProto PAP (0x0304C023)
*Sep 26 17:13:19.576: ppp515 LCP: MagicNumber 0x6AC78AB2 (0x05066AC78AB2)
*Sep 26 17:13:19.576: ppp515 LCP: Event[Receive ConfAck] State[ACKsent to Open]
*Sep 26 17:13:19.579: ppp515 PPP: Queue PAP code[1] id[16]
*Sep 26 17:13:19.601: ppp515 PPP: Phase is AUTHENTICATING, by this end
*Sep 26 17:13:19.601: ppp515 PAP: Redirect packet to ppp515
*Sep 26 17:13:19.601: ppp515 PAP: I AUTH-REQ id 16 len 31 from "[email protected]"
*Sep 26 17:13:19.601: ppp515 PAP: Authenticating peer [email protected]
*Sep 26 17:13:19.601: ppp515 PPP: Phase is FORWARDING, Attempting Forward
*Sep 26 17:13:19.601: ppp515 LCP: State is Open
*Sep 26 17:13:20.625: ppp515 PPP: Phase is AUTHENTICATING, Unauthenticated User
*Sep 26 17:13:20.625: ppp515 PPP: Sent PAP LOGIN Request
*Sep 26 17:13:20.650: ppp515 PPP: Received LOGIN Response PASS
*Sep 26 17:13:20.650: ppp515 PPP: Phase is FORWARDING, Attempting Forward
*Sep 26 17:13:20.657: Vi3 PPP: Phase is AUTHENTICATING, Authenticated User
*Sep 26 17:13:20.657: Vi3 PAP: O AUTH-ACK id 16 len 5
*Sep 26 17:13:20.658: Vi3 PPP: Phase is UP
*Sep 26 17:13:20.658: Vi3 IPCP: Protocol configured, start CP. state[Initial]
*Sep 26 17:13:20.658: Vi3 IPCP: Event[OPEN] State[Initial to Starting]
*Sep 26 17:13:20.658: Vi3 IPCP: O CONFREQ [Starting] id 1 len 10
*Sep 26 17:13:20.658: Vi3 IPCP: Address 199.200.107.1 (0x0306C7C86B01)
*Sep 26 17:13:20.658: Vi3 IPCP: Event[UP] State[Starting to REQsent]
*Sep 26 17:13:20.658: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
*Sep 26 17:13:20.660: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up
*Sep 26 17:13:20.666: Vi3 IPCP: I CONFREQ [REQsent] id 45 len 22
*Sep 26 17:13:20.666: Vi3 IPCP: Address 0.0.0.0 (0x030600000000)
*Sep 26 17:13:20.666: Vi3 IPCP: PrimaryDNS 0.0.0.0 (0x810600000000)
*Sep 26 17:13:20.666: Vi3 IPCP: SecondaryDNS 0.0.0.0 (0x830600000000)
*Sep 26 17:13:20.666: Vi3 IPCP AUTHOR: Start. Her address 0.0.0.0, we want 0.0.0.0
*Sep 26 17:13:20.666: Vi3 IPCP AUTHOR: Done. Her address 0.0.0.0, we want 0.0.0.0
*Sep 26 17:13:20.666: Vi3 IPCP: Pool returned 199.200.107.20
*Sep 26 17:13:20.667: Vi3 IPCP: O CONFNAK [REQsent] id 45 len 22
*Sep 26 17:13:20.667: Vi3 IPCP: Address 199.200.107.20 (0x0306C7C86B14)
*Sep 26 17:13:20.667: Vi3 IPCP: PrimaryDNS 208.98.188.81 (0x8106D062BC51)
*Sep 26 17:13:20.667: Vi3 IPCP: SecondaryDNS 8.8.8.8 (0x830608080808)
*Sep 26 17:13:20.667: Vi3 IPCP: Event[Receive ConfReq-] State[REQsent to REQsent]
*Sep 26 17:13:20.667: Vi3 IPV6CP: I CONFREQ [UNKNOWN] id 27 len 14
*Sep 26 17:13:20.667: Vi3 IPV6CP: Interface-Id 096D:2933:E6FE:523D (0x010A096D2933E6FE523D)
*Sep 26 17:13:20.667: Vi3 LCP: O PROTREJ [Open] id 2 len 20 protocol IPV6CP (0x011B0010010A096D2933E6FE523D)
*Sep 26 17:13:20.668: Vi3 IPCP: I CONFACK [REQsent] id 1 len 10
*Sep 26 17:13:20.668: Vi3 IPCP: Address 199.200.107.1 (0x0306C7C86B01)
*Sep 26 17:13:20.668: Vi3 IPCP: Event[Receive ConfAck] State[REQsent to ACKrcvd]
*Sep 26 17:13:20.672: Vi3 IPCP: I CONFREQ [ACKrcvd] id 46 len 22
*Sep 26 17:13:20.672: Vi3 IPCP: Address 199.200.107.20 (0x0306C7C86B14)
*Sep 26 17:13:20.672: Vi3 IPCP: PrimaryDNS 208.98.188.81 (0x8106D062BC51)
*Sep 26 17:13:20.672: Vi3 IPCP: SecondaryDNS 8.8.8.8 (0x830608080808)
*Sep 26 17:13:20.672: Vi3 IPCP: O CONFACK [ACKrcvd] id 46 len 22
*Sep 26 17:13:20.672: Vi3 IPCP: Address 199.200.107.20 (0x0306C7C86B14)
*Sep 26 17:13:20.672: Vi3 IPCP: PrimaryDNS 208.98.188.81 (0x8106D062BC51)
*Sep 26 17:13:20.672: Vi3 IPCP: SecondaryDNS 8.8.8.8 (0x830608080808)
*Sep 26 17:13:20.672: Vi3 IPCP: Event[Receive ConfReq+] State[ACKrcvd to Open]
*Sep 26 17:13:20.689: Vi3 IPCP: State is Open
*Sep 26 17:13:20.691: %FMANRP_ESS-4-FULLVAI: Session creation failed due to Full Virtual-Access Interfaces not being supported. Check that all applied Virtual-Template and RADIUS features support Virtual-Access sub-interfaces. swidb= 0x41F07370, ifnum= 22
*Sep 26 17:13:20.691: Vi3 Added to neighbor route AVL tree: topoid 0, address 199.200.107.20
*Sep 26 17:13:20.691: Vi3 IPCP: Install route to 199.200.107.20
*Sep 26 17:13:20.693: Vi3 PPP DISC: Lower Layer disconnected
*Sep 26 17:13:20.693: Vi3 PPP: Sending Acct Event[Down] id[5FF]
*Sep 26 17:13:20.693: PPP: NET STOP send to AAA.
*Sep 26 17:13:20.694: Vi3 IPCP: Event[DOWN] State[Open to Starting]
*Sep 26 17:13:20.694: Vi3 IPCP: Event[CLOSE] State[Starting to Initial]
*Sep 26 17:13:20.694: Vi3 LCP: O TERMREQ [Open] id 3 len 4
*Sep 26 17:13:20.694: Vi3 LCP: Event[CLOSE] State[Open to Closing]
*Sep 26 17:13:20.694: Vi3 PPP: Phase is TERMINATING
*Sep 26 17:13:20.695: Vi3 PPP: Block vaccess from being freed [0x10]
*Sep 26 17:13:20.695: Vi3 Deleted neighbor route from AVL tree: topoid 0, address 199.200.107.20
*Sep 26 17:13:20.695: Vi3 IPCP: Remove route to 199.200.107.20
*Sep 26 17:13:20.696: Vi3 LCP: Event[DOWN] State[Closing to Initial]
*Sep 26 17:13:20.696: Vi3 PPP: Unlocked by [0x10] Still Locked by [0x0]
*Sep 26 17:13:20.696: Vi3 PPP: Free previously blocked vaccess
*Sep 26 17:13:20.696: Vi3 PPP: Phase is DOWN
*Sep 26 17:13:20.696: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to down
*Sep 26 17:13:20.698: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to down
-
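A small triage script for debug output like the two captures in the PPPoE thread above, added here as an illustration and not part of the original posts: it splits the log into connection attempts and reports whether each ended with IPCP rejected by the NAS or with the FULLVAI teardown. The sample lines are constructed in the thread's format; the function names and the 192.0.2.20 address are assumptions of the example.

```python
import re

# Constructed sample in the format of the debug output quoted in the thread:
# two connection attempts; 192.0.2.20 is a documentation-range placeholder.
SAMPLE_LOG = """\
*Sep 26 17:05:03.440: ppp514 PPP: Phase is ESTABLISHING
*Sep 26 17:05:04.522: ppp514 LCP:    AuthProto PAP (0x0304C023)
*Sep 26 17:05:05.584: ppp514 PPP: Received LOGIN Response PASS
*Sep 26 17:05:05.595: Vi3 PPP: Phase is UP
*Sep 26 17:05:05.606: Vi3 IPCP: I CONFREQ [UNKNOWN] id 44 len 22
*Sep 26 17:05:05.606: Vi3 LCP: O PROTREJ [Open] id 2 len 28 protocol IPCP
*Sep 26 17:05:05.607: Vi3 LCP: O PROTREJ [Open] id 3 len 20 protocol IPV6CP
*Sep 26 17:13:18.485: ppp515 PPP: Phase is ESTABLISHING
*Sep 26 17:13:20.650: ppp515 PPP: Received LOGIN Response PASS
*Sep 26 17:13:20.666: Vi3 IPCP: Pool returned 192.0.2.20
*Sep 26 17:13:20.689: Vi3 IPCP: State is Open
*Sep 26 17:13:20.691: %FMANRP_ESS-4-FULLVAI: Session creation failed due to Full Virtual-Access Interfaces not being supported.
*Sep 26 17:13:20.696: Vi3 PPP: Phase is DOWN
"""

LINE = re.compile(r"^\*(?P<ts>[A-Z][a-z]{2} +\d+ [\d:.]+): (?P<msg>.*)$")

# (tag, pattern) rules, first match wins; each message text occurs in the thread's logs.
RULES = [
    ("attempt_start", re.compile(r"PPP: Phase is ESTABLISHING")),
    ("auth_pap",      re.compile(r"LCP:\s+AuthProto PAP")),
    ("auth_pass",     re.compile(r"Received LOGIN Response PASS")),
    ("radius_reject", re.compile(r"RADIUS: Received from id .*Access-Reject")),
    ("radius_accept", re.compile(r"RADIUS: Received from id .*Access-Accept")),
    ("ipcp_protrej",  re.compile(r"LCP: O PROTREJ .* protocol IPCP\b")),
    ("pool_addr",     re.compile(r"IPCP: Pool returned (?P<v>\S+)")),
    ("ipcp_open",     re.compile(r"IPCP: State is Open")),
    ("full_vai",      re.compile(r"%FMANRP_ESS-4-FULLVAI")),
]


def parse_attempts(text):
    """Split the log into connection attempts and tag the events seen in each."""
    attempts = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped or non-debug line
        for tag, pat in RULES:
            hit = pat.search(m.group("msg"))
            if not hit:
                continue
            if tag == "attempt_start" or not attempts:
                attempts.append({"start": m.group("ts"), "events": [], "pool_addr": None})
            if tag == "pool_addr":
                attempts[-1]["pool_addr"] = hit.group("v")
            attempts[-1]["events"].append(tag)
            break
    return attempts


def diagnose(attempt):
    """Map the tagged events of one attempt to the outcome seen in the thread."""
    ev = set(attempt["events"])
    if "full_vai" in ev:
        return "torn down: full Virtual-Access interface not supported"
    if "ipcp_protrej" in ev:
        auth = "authenticated" if "auth_pass" in ev else "auth not seen"
        return auth + ", no IPv4 address: NAS rejected IPCP"
    if "ipcp_open" in ev:
        return "ipcp open"
    return "incomplete"


def report(text):
    return [(a["start"], diagnose(a)) for a in parse_attempts(text)]


if __name__ == "__main__":
    for start, verdict in report(SAMPLE_LOG):
        print(start, "->", verdict)
```
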
PLEASE Help on two network cards in server
Hi all,
(Sorry for my spelling, I'm Danish)
We have a 10.4.5 server with 2 network cards in it. How do I get the server to route between the two networks so that Macs on net 1 (en0) can see Macs and printers on net 2 (en1) and vice versa?
The Macs on net 1 can see and use the server (but not print on net 2). The Macs on net 2 can't see or use the server!
The Macs on net 1 get backed up by Retrospect on the server. Retrospect can't see the Macs on net 2.
How do I get this to work?
"sudo sysctl -w net.inet.ip.forwarding=1"
That will start forwarding immediately but won't survive a reboot.
In Tiger Server Admin NAT setup you can make this permanent by choosing "start Ipforwarding Only".
(Or by adding a line to /etc/hostconfig:
IPFORWARDING=-YES-
Or by adding a new file /etc/sysctl.conf
with this line in it:
net.inet.ip.forwarding=1)
"Devices on each network need to know how to get to the other network, and that's usually done by editing the routing table on each system."
Not necessary. What's necessary is a static route in each Internet router that uses the server IP for each LAN as the gateway/router for the other LAN.
Example network 1: 192.168.100.0/24
Internet router 192.168.100.1
Server IP for that LAN 192.168.100.254
Static route in Internet router: 192.168.200/24 gw 192.168.100.254
Example network 2: 192.168.200.0/24
Internet router 192.168.200.1
Server IP for that LAN 192.168.200.254
Static route in Internet router: 192.168.100/24 gw 192.168.200.254
"In addition it's not common for a printer to have an option to manipulate the route table in this way"
Correct, but you need to add the correct gw/router and netmask to the printer IP settings for this setup. This is sometimes achievable by Telnetting to the printer in question to set it up (older Apple printers).
For performance reasons, it could be better to use a static route in each machine if the Internet router doesn't send out route redirect packets.
Some DHCP servers should be able to send out a static route to their clients with the rest of the IP info, thus making it easier to provide each machine with a static route.
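The forwarding-plus-static-route setup from the answer above, modeled as a longest-prefix-match trace (an added example, not from the original thread). Host names, the .10 and .50 host addresses and the 198.51.100.x uplinks are constructed; hosts are assumed to use their Internet router as default gateway.

```python
import ipaddress as ip


class Node:
    def __init__(self, name, addrs, routes=(), forwards=False):
        self.name = name
        self.ifaces = [ip.ip_interface(a) for a in addrs]
        # Connected networks first, then configured routes as (network, gateway).
        self.routes = [(i.network, None) for i in self.ifaces]
        self.routes += [(ip.ip_network(n), ip.ip_address(g)) for n, g in routes]
        self.forwards = forwards  # True = net.inet.ip.forwarding=1 on the server

    def owns(self, addr):
        return any(i.ip == addr for i in self.ifaces)

    def next_hop(self, dst):
        """Longest-prefix match; returns dst itself when directly connected."""
        best = max((r for r in self.routes if dst in r[0]),
                   key=lambda r: r[0].prefixlen, default=None)
        if best is None:
            return None
        return dst if best[1] is None else best[1]


def build(static_on="router", forwarding=True):
    """static_on: 'router' (the answer's setup), 'host' (per-machine routes) or 'none'."""
    to2 = [("192.168.200.0/24", "192.168.100.254")]
    to1 = [("192.168.100.0/24", "192.168.200.254")]
    rtr, host = static_on == "router", static_on == "host"
    return [
        Node("mac1", ["192.168.100.10/24"],
             [("0.0.0.0/0", "192.168.100.1")] + (to2 if host else [])),
        Node("printer2", ["192.168.200.50/24"],
             [("0.0.0.0/0", "192.168.200.1")] + (to1 if host else [])),
        Node("router1", ["192.168.100.1/24", "198.51.100.2/30"],
             [("0.0.0.0/0", "198.51.100.1")] + (to2 if rtr else []), forwards=True),
        Node("router2", ["192.168.200.1/24", "198.51.100.6/30"],
             [("0.0.0.0/0", "198.51.100.5")] + (to1 if rtr else []), forwards=True),
        Node("server", ["192.168.100.254/24", "192.168.200.254/24"],
             forwards=forwarding),
    ]


def trace(nodes, src, dst, max_hops=8):
    """Follow a packet hop by hop; returns (path of node names, outcome)."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    here = next(n for n in nodes if n.owns(src))
    path = [here.name]
    for _ in range(max_hops):
        if here.owns(dst):
            return path, "delivered"
        hop = here.next_hop(dst)
        if hop is None:
            return path, "no route at " + here.name
        nxt = next((n for n in nodes if n.owns(hop)), None)
        if nxt is None:
            return path, "sent upstream by " + here.name
        if not nxt.owns(dst) and not nxt.forwards:
            return path + [nxt.name], "dropped at " + nxt.name + " (forwarding off)"
        here = nxt
        path.append(here.name)
    return path, "loop"


if __name__ == "__main__":
    for mode, fwd in [("none", True), ("router", False), ("router", True), ("host", True)]:
        print(mode, fwd, trace(build(mode, fwd), "192.168.100.10", "192.168.200.50"))
```

With routes only in the Internet routers, every cross-LAN packet takes the extra hop through the router before reaching the server; the per-host route variant goes to the server directly.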