Redirections issues TSE - Cisco SMB SA 520

Hello,
I'm having troubles on a SA 520 router in Load Balancing mode (WAN1 with ADSL router, WAN2 with Wimax modem).
It seems like Load Balancing working pretty well but some terminal server connections are having stability issues. These sessions are 4 with 4 customs ports forwarding to 4 different computers.
One of them works well, others not and one doesn't work at all. 4 firewall's rules (8 in fact, 1 for each WAN) are made in the same way...
For the test connection (the one which worked well), I had to disable some "Attacks" features to improve its stability (like TCP Flood protection).
What would you advice to fix these problems and make TSE connections work well ? I forgot to mention that they work well with the ADSL router only with simply firewall rules.
Thanks in advance for you further help !

Hello,
We've made many many tests to better understand the problem. Firmware is now the last recent version : 1.1.21
Each test is realised with following settings :
- 4 remote access connections on a single WAN configuration
- protocol bindings for each
- dedicated WAN = wimax
- optional WAN = adsl behing adsl router
First test (single WAN)
With WAN1 or WAN2 working alone, with protocol bindings and redirections well set, everything's ok. Remote connections are always working greatly and don't suffer of disconnections.
Second test (double WAN)
With both WAN activated, the situation isn't the same. I've tried to test both redirections on WAN1 or WAN2 (with protocol bindings). Remote connections work randomly, a connection can work and disconnects a few minutes later without possibility of reconnection.
An interesting thing to know is that HTTP/HTTPS and some other services defined in the same way (with protocol bindings) work very well. It seems that the problem only affects inbounds connections and custom services (on custom ports to connect on local computers).
Third test (double WAN + capture packets)
Attached files are the result of capture. Redirections + protocol bindings of remote connections are set on WAN1. WAN2 capture shouldn't contain any traffic on ports used by redirections (2222/4444/4747/5679). Something may going wrong with that, as if the router redirect inbound connection on the local computer throught WAN1 and use WAN2 to get out.
I hope you'll understand the problem, sorry for my bad english. I'm avalaible to answer questions to give more details.
Thank in advance for further help.

Similar Messages

Folder Redirection not working on SMB Network Home Directories

I've setup network home directories on a 10.7.3 server. NHDs are available via SMB currently. I'm trying to setup folder redirection via MCXRedirector for both the ~/Library/Cache folder and ~/Downloads and redirect them to the local client. Client is 10.7.3 joined to OD. I'm using Login Redirection and the option to delete the existing folder and create a symlink. I used these instructions to create the redirectors: http://www.afp548.com/article.php?story=MCXRedirector
When NHDs are available via SMB, the folders are created on the local client, but the symlinks aren't created in the NHD. I can switch the NHDs to be available via AFP, and then it works fine. I can switch back to SMB and the symlink stays in place and appears to work with no issue.
Am I missing something here? I can't find any documentation that says I can't use MCXRedirector with SMB shares, and I see a number of posts where it appears that people are using it successfully... so I'm not sure what is wrong? Any help or suggestions is appreciated.

Hi James,
For folder redirection issues, we can go to Windows Logs\Application in Event Viewer to check if some related error events were logged. Besides, we can also run cmd command
gpresult/v or gpresult/z to collect group policy result to check if something goes wrong.
Regarding how to configure folder redirection, in my opinion, the following article provides a good guide.
Configuring Folder Redirection
http://technet.microsoft.com/library/cc786749.aspx
Best regards,
Frank Shen

Calling issue with Cisco 7937 conference station

Hi Friends,
I am facing issue wiht Cisco 7937 conference station, our customer have various branch offices accross the world. All branches are connected over MPLS through service provider( SIP service provider) . there is a centralized CUCM and remote office have SIP Voice gateways .
When making calls from once remote site to another using Cisco 6921 phones calls working fine
When making calls from once remote site to another using Cisco 7937 conference station to make call any phone at remote office, calls are getting disconneted, remote phone rings when calls, but its gets fast busy tone when other party picks up the phone and not able to talk.
I suspect the issue with Codec but we have configured transcoders in VG and registered with CUCM
Please help me if any one experience such issue earlier.
Regards
Siva

hi Basant,
1. Actually tow phones A and B are registerd with centralized CUCM, A and B are located in two different locations, RTP traffic between And B pass through service provider.
Call Flow --> Phone A ---->CUCMRouterpattern--> SIP trunk ----> Voice gateway--->Service provider cloud---> Respective Voice Gateway---> CUCM -- Phone B
Show Run
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2014.02.27 15:14:52 =~=~=~=~=~=~=~=~=~=~=~=
sh run
Building configuration...
Current configuration : 12139 bytes
! Last configuration change at 06:35:59 UTC Tue Feb 25 2014
! NVRAM config last updated at 11:16:38 UTC Mon Feb 24 2014 by administrator
! NVRAM config last updated at 11:16:38 UTC Mon Feb 24 2014 by administrator
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname eucamvgw01
boot-start-marker
boot system flash:c2900-universalk9-mz.SPA.151-4.M5.bin
boot-end-marker
card type e1 0 0
logging buffered 51200 warnings
no logging console
no aaa new-model
no network-clock-participate wic 0
no ipv6 cef
ip source-route
ip traffic-export profile cuecapture mode capture
bidirectional
ip cef
ip multicast-routing
ip domain name drreddys.eu
ip name-server 10.197.20.1
ip name-server 10.197.20.2
multilink bundle-name authenticated
stcapp ccm-group 2
stcapp
stcapp feature access-code
stcapp feature speed-dial
stcapp supplementary-services
port 0/1/0
fallback-dn 5428025
port 0/1/1
fallback-dn 5428008
port 0/1/2
fallback-dn 5421462
port 0/1/3
fallback-dn 5421463
isdn switch-type primary-net5
crypto pki token default removal timeout 0
voice-card 0
dsp services dspfarm
voice call send-alert
voice call disc-pi-off
voice call convert-discpi-to-prog
voice rtp send-recv
voice service voip
ip address trusted list
ipv4 10.198.0.0 255.255.255.0
ipv4 152.63.1.0 255.255.255.0
address-hiding
allow-connections sip to sip
no supplementary-service h225-notify cid-update
no supplementary-service sip moved-temporarily
no supplementary-service sip refer
fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none
fax-relay ans-disable
sip
rel1xx supported "track"
privacy pstn
no update-callerid
early-offer forced
call-route p-called-party-id
voice class uri 100 sip
host 41.206.187.71
voice class codec 10
codec preference 1 g711alaw
codec preference 2 g711ulaw
codec preference 3 ilbc
codec preference 4 g729r8
codec preference 5 g729br8
voice class codec 20
codec preference 1 g729br8
codec preference 2 g729r8
voice moh-group 1
moh flash:moh/Panjo.alaw.wav
description MOH G711 alaw
multicast moh 239.1.1.2 port 16384 route 10.198.2.9
voice translation-rule 1
rule 1 /^012237280$..$/ /54280\1/
rule 2 /^012236514$..$/ /54214\1/
rule 3 /^01223651081/ /5428010/
rule 4 /^01223506701/ /5428010/
voice translation-rule 2
rule 1 /^00$.+$/ /+\1/
rule 2 /^0$.+$/ /+44\1/
rule 3 /^$[0-9].+$/ /+\1/
voice translation-rule 3
rule 1 /^9$.+$/ /\1/
rule 2 /^\+44$.+$/ /0\1/
rule 3 /^\+$.+$/ /00\1/
voice translation-rule 4
rule 1 /^54280$..$/ /12237280\1/
rule 2 /^54214$..$/ /12236514\1/
rule 3 /^\+44$.+$/ /\1/
rule 4 /^.54280$..$/ /12237280\1/
rule 5 /^.54214$..$/ /12236514\1/
voice translation-rule 9
rule 1 /^$....$/ /542\1/
voice translation-rule 10
voice translation-rule 11
rule 1 /^\+44122372$....$/ /542\1/
rule 2 /^\+44122365$....$/ /542\1/
voice translation-rule 12
voice translation-rule 13
rule 1 /^$[18]...$/ /542\1/
voice translation-rule 14
voice translation-profile MPLS-incoming
translate calling 10
translate called 9
voice translation-profile MPLS-outgoing
translate calling 11
translate called 12
voice translation-profile PSTN-incoming
translate calling 2
translate called 1
voice translation-profile PSTN-outgoing
translate calling 4
translate called 3
voice translation-profile SRST-incoming
translate calling 14
translate called 13
license udi pid CISCO2921/K9 sn FGL145110RE
hw-module ism 0
hw-module pvdm 0/0
username administrator privilege 15 secret 5 $1$syu5$DsxdOgfS7Wltx78o4PV.60
redundancy
controller E1 0/0/0
ip tcp path-mtu-discovery
ip scp server enable
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
description internal LAN
ip address 10.198.2.9 255.255.255.0
duplex auto
speed auto
interface ISM0/0
ip unnumbered GigabitEthernet0/0
service-module ip address 10.198.2.8 255.255.255.0
!Application: CUE Running on ISM
service-module ip default-gateway 10.198.2.9
interface GigabitEthernet0/1
description to TATA NGN
ip address 115.114.225.122 255.255.255.252
duplex auto
speed auto
interface GigabitEthernet0/2
description SIP Trunks external
ip address 79.121.254.83 255.255.255.248
ip access-group SIP-InBound in
ip traffic-export apply cuecapture size 8000000
duplex auto
speed auto
interface ISM0/1
description Internal switch interface connected to Internal Service Module
no ip address
shutdown
interface Vlan1
no ip address
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.198.2.1
ip route 10.198.2.8 255.255.255.255 ISM0/0
ip route 41.206.187.0 255.255.255.0 115.114.225.121
ip route 77.37.25.46 255.255.255.255 79.121.254.81
ip route 83.245.6.81 255.255.255.255 79.121.254.81
ip route 83.245.6.82 255.255.255.255 79.121.254.81
ip route 95.223.1.107 255.255.255.255 79.121.254.81
ip route 192.54.47.0 255.255.255.0 79.121.254.81
ip access-list extended SIP-InBound
permit ip host 77.37.25.46 any
permit ip host 83.245.6.81 any
permit ip host 83.245.6.82 any
permit ip 192.54.47.0 0.0.0.255 any
permit icmp any any
permit ip host 95.223.1.107 any
deny ip any any log
control-plane
voice-port 0/1/0
compand-type a-law
timeouts initial 60
timeouts interdigit 60
timeouts ringing infinity
caller-id enable
voice-port 0/1/1
compand-type a-law
timeouts initial 60
timeouts interdigit 60
timeouts ringing infinity
caller-id enable
voice-port 0/1/2
compand-type a-law
timeouts initial 60
timeouts interdigit 60
timeouts ringing infinity
caller-id enable
voice-port 0/1/3
compand-type a-law
timeouts initial 60
timeouts interdigit 60
timeouts ringing infinity
caller-id enable
no ccm-manager fax protocol cisco
ccm-manager music-on-hold bind GigabitEthernet0/0
ccm-manager config server 152.63.1.19 152.63.1.100 172.27.210.5
ccm-manager sccp local GigabitEthernet0/0
ccm-manager sccp
mgcp profile default
sccp local GigabitEthernet0/0
sccp ccm 10.198.2.9 identifier 3 priority 3 version 7.0
sccp ccm 152.63.1.19 identifier 4 version 7.0
sccp ccm 152.63.1.100 identifier 5 version 7.0
sccp ccm 172.27.210.5 identifier 6 version 7.0
sccp
sccp ccm group 2
bind interface GigabitEthernet0/0
associate ccm 4 priority 1
associate ccm 5 priority 2
associate ccm 6 priority 3
associate ccm 3 priority 4
associate profile 1002 register CFB_UK_CAM_02
associate profile 1001 register XCODE_UK_CAM_02
associate profile 1000 register MTP_UK_CAM_02
dspfarm profile 1001 transcode
codec ilbc
codec g722-64
codec g729br8
codec g729r8
codec gsmamr-nb
codec pass-through
codec g711ulaw
codec g711alaw
codec g729ar8
codec g729abr8
maximum sessions 18
associate application SCCP
dspfarm profile 1002 conference
codec g711ulaw
codec g711alaw
codec g729ar8
codec g729abr8
codec g729r8
codec g729br8
maximum sessions 2
associate application SCCP
dspfarm profile 1000 mtp
codec g711alaw
maximum sessions software 200
associate application SCCP
dial-peer cor custom
name SRSTMode
dial-peer cor list SRST
member SRSTMode
dial-peer voice 100 voip
description *** Inbound CUCM ***
translation-profile incoming PSTN-incoming
incoming called-number .
voice-class codec 10
voice-class sip call-route p-called-party-id
dtmf-relay rtp-nte
no vad
dial-peer voice 500 voip
description *** Inbound TATA MPLS ***
translation-profile incoming MPLS-incoming
session protocol sipv2
session target sip-server
incoming called-number ....
incoming uri from 100
voice-class codec 20
dtmf-relay rtp-nte
no vad
dial-peer voice 510 voip
description *** Outbound TATA MPLS ***
translation-profile outgoing MPLS-outgoing
destination-pattern 54[013-9]....
session protocol sipv2
session target ipv4:41.206.187.71
session transport udp
voice-class codec 20
dtmf-relay rtp-nte
no vad
dial-peer voice 520 voip
description *** Outbound TATA MPLS ***
translation-profile outgoing MPLS-outgoing
destination-pattern 5[0-35-9].....
session protocol sipv2
session target ipv4:41.206.187.71
session transport udp
voice-class codec 20
dtmf-relay rtp-nte
no vad
dial-peer voice 200 voip
description *** Inbound M12 *** 01223651081, 01223651440 - 01223651489
translation-profile incoming PSTN-incoming
session protocol sipv2
session target sip-server
session transport udp
incoming called-number 0122365....
dtmf-relay rtp-nte
codec g711ulaw
no vad
dial-peer voice 201 voip
description *** Inbound M12 *** 012237280XX
translation-profile incoming PSTN-incoming
session protocol sipv2
session target sip-server
session transport udp
incoming called-number 012237280..
dtmf-relay rtp-nte
codec g711ulaw
no vad
dial-peer voice 202 voip
description *** Inbound M12 *** 01223506701
translation-profile incoming PSTN-incoming
session protocol sipv2
session target sip-server
session transport udp
incoming called-number 01223506701
dtmf-relay rtp-nte
codec g711ulaw
no vad
dial-peer voice 210 voip
description *** Outbound M12 ***
translation-profile outgoing PSTN-outgoing
destination-pattern +...T
session protocol sipv2
session target ipv4:83.245.6.81
session transport udp
dtmf-relay rtp-nte
codec g711alaw
no vad
dial-peer voice 211 voip
description *** Outbound ISDN for SRST and emergency ***
translation-profile outgoing PSTN-outgoing
destination-pattern 9.T
session protocol sipv2
session target ipv4:83.245.6.81
session transport udp
dtmf-relay rtp-nte
codec g711alaw
no vad
dial-peer voice 212 voip
description *** Outbound ISDN for emergency ***
translation-profile outgoing PSTN-outgoing
destination-pattern 11[02]
session protocol sipv2
session target ipv4:83.245.6.81
session transport udp
dtmf-relay rtp-nte
codec g711alaw
no vad
dial-peer voice 2000 voip
description *** Outbound to CUCM Primary ***
preference 1
destination-pattern 542....
session protocol sipv2
session target ipv4:152.63.1.19
voice-class codec 10
voice-class sip call-route p-called-party-id
dtmf-relay rtp-nte
no vad
dial-peer voice 2001 voip
description *** Outbound to CUCM Secondary ***
preference 2
destination-pattern 542....
session protocol sipv2
session target ipv4:152.63.1.100
voice-class codec 10
voice-class sip call-route p-called-party-id
dtmf-relay rtp-nte
no vad
dial-peer voice 2002 voip
description *** Outbound to CUCM Teritiary ***
preference 3
destination-pattern 542....
session protocol sipv2
session target ipv4:172.27.210.5
voice-class codec 10
voice-class sip call-route p-called-party-id
dtmf-relay rtp-nte
no vad
dial-peer voice 999010 pots
service stcapp
port 0/1/0
dial-peer voice 999011 pots
service stcapp
port 0/1/1
dial-peer voice 999012 pots
service stcapp
port 0/1/2
dial-peer voice 999013 pots
service stcapp
port 0/1/3
sip-ua
no remote-party-id
gatekeeper
shutdown
call-manager-fallback
secondary-dialtone 9
max-conferences 4 gain -6
transfer-system full-consult
ip source-address 10.198.2.9 port 2000
max-ephones 110
max-dn 400 dual-line no-reg
translation-profile incoming SRST-incoming
moh flash:/moh/Panjo.ulaw.wav
multicast moh 239.1.1.1 port 16384 route 10.198.2.9
time-zone 22
time-format 24
date-format dd-mm-yy
line con 0
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line 131
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
session-timeout 60
exec-timeout 60 0
privilege level 15
login local
transport input all
line vty 5 15
session-timeout 60
exec-timeout 60 0
privilege level 15
login local
transport input all
scheduler allocate 20000 1000
ntp server 10.1.30.1
end
eucamvgw01#
Sh SCCP
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2014.03.03 17:57:44 =~=~=~=~=~=~=~=~=~=~=~=
SCCP Admin State: UP
Gateway Local Interface: GigabitEthernet0/0
IPv4 Address: 10.198.2.9
Port Number: 2000
IP Precedence: 5
User Masked Codec list: None
Call Manager: 10.198.2.9, Port Number: 2000
Priority: 3, Version: 7.0, Identifier: 3
Call Manager: 152.63.1.19, Port Number: 2000
Priority: N/A, Version: 7.0, Identifier: 4
Trustpoint: N/A
Call Manager: 152.63.1.100, Port Number: 2000
Priority: N/A, Version: 7.0, Identifier: 5
Trustpoint: N/A
Call Manager: 172.27.210.5, Port Number: 2000
Priority: N/A, Version: 7.0, Identifier: 6
Trustpoint: N/A
MTP Oper State: ACTIVE - Cause Code: NONE
Active Call Manager: 152.63.1.19, Port Number: 2000
TCP Link Status: CONNECTED, Profile Identifier: 1000
Reported Max Streams: 400, Reported Max OOS Streams: 0
Supported Codec: g711alaw, Maximum Packetization Period: 30
Supported Codec: rfc2833 dtmf, Maximum Packetization Period: 30
Supported Codec: rfc2833 pass-thru, Maximum Packetization Period: 30
Supported Codec: inband-dtmf to rfc2833 conversion, Maximum Packetization Period: 30
TLS : ENABLED
Transcoding Oper State: ACTIVE - Cause Code: NONE
Active Call Manager: 152.63.1.19, Port Number: 2000
TCP Link Status: CONNECTED, Profile Identifier: 1001
Reported Max Streams: 36, Reported Max OOS Streams: 0
Supported Codec: ilbc, Maximum Packetization Period: 120
Supported Codec: g722r64, Maximum Packetization Period: 30
Supported Codec: g729br8, Maximum Packetization Period: 60
Supported Codec: g729r8, Maximum Packetization Period: 60
Supported Codec: gsmamr-nb, Maximum Packetization Period: 60
Supported Codec: pass-thru, Maximum Packetization Period: N/A
Supported Codec: g711ulaw, Maximum Packetization Period: 30
Supported Codec: g711alaw, Maximum Packetization Period: 30
Supported Codec: g729ar8, Maximum Packetization Period: 60
Supported Codec: g729abr8, Maximum Packetization Period: 60
Supported Codec: rfc2833 dtmf, Maximum Packetization Period: 30
Supported Codec: rfc2833 pass-thru, Maximum Packetization Period: 30
Supported Codec: inband-dtmf to rfc2833 conversion, Maximum Packetization Period: 30
Conferencing Oper State: ACTIVE - Cause Code: NONE
Active Call Manager: 152.63.1.19, Port Number: 2000
TCP Link Status: CONNECTED, Profile Identifier: 1002
Reported Max Streams: 16, Reported Max OOS Streams: 0
Supported Codec: g711ulaw, Maximum Packetization Period: 30
Supported Codec: g711alaw, Maximum Packetization Period: 30
Supported Codec: g729ar8, Maximum Packetization Period: 60
Supported Codec: g729abr8, Maximum Packetization Period: 60
Supported Codec: g729r8, Maximum Packetization Period: 60
Supported Codec: g729br8, Maximum Packetization Period: 60
Supported Codec: rfc2833 dtmf, Maximum Packetization Period: 30
Supported Codec: rfc2833 pass-thru, Maximum Packetization Period: 30
Supported Codec: inband-dtmf to rfc2833 conversion, Maximum Packetization Period: 30
TLS : ENABLED
Alg_Phone Oper State: ACTIVE - Cause Code: NONE
Active Call Manager: 152.63.1.19, Port Number: 2000
TCP Link Status: CONNECTED, Device Name: AN71FEF7F070080
Reported Max Streams: 1, Reported Max OOS Streams: 0
Supported Codec: rfc2833 dtmf, Maximum Packetization Period: 30
Supported Codec: g711ulaw, Maximum Packetization Period: 20
Supported Codec: g711alaw, Maximum Packetization Period: 20
Supported Codec: g729r8, Maximum Packetization Period: 220Supported Codec: g729ar8, Maximum Packetization Period: 220
Supported Codec: g729br8, Maximum Packetization Period: 220
Supported Codec: g729r8, Maximum Packetization Period: 220
Supported Codec: ilbc, Maximum Packetization Period: 120
Alg_Phone Oper State: ACTIVE - Cause Code: NONE
Active Call Manager: 152.63.1.19, Port Number: 2000
TCP Link Status: CONNECTED, Device Name: AN71FEF7F070081
Reported Max Streams: 1, Reported Max OOS Streams: 0
Supported Codec: rfc2833 dtmf, Maximum Packetization Period: 30
Supported Codec: g711ulaw, Maximum Packetization Period: 20
Supported Codec: g711alaw, Maximum Packetization Period: 20
Supported Codec: g729r8, Maximum Packetization Period: 220
Supported Codec: g729ar8, Maximum Packetization Period: 220
Supported Codec: g729br8, Maximum Packetization Period: 220
Supported Codec: g729r8, Maximum Packetization Period: 220
Supported Codec: ilbc, Maximum Packetization Period: 120
Alg_Phone Oper State: ACTIVE - Cause Code: NONE
Active Call Manager: 152.63.1.19, Port Number: 2000
TCP Link Status: CONNECTED, Device Name: AN71FEF7F070082
Reported Max Streams: 1, Reported Max OOS Streams: 0
Supported Codec: rfc2833 dtmf, Maximum Packetization Period: 30
Supported Codec: g711ulaw, Maximum Packetization Period: 20Supported Codec: g711alaw, Maximum Packetization Period: 20
Supported Codec: g729r8, Maximum Packetization Period: 220
Supported Codec: g729ar8, Maximum Packetization Period: 220
Supported Codec: g729br8, Maximum Packetization Period: 220
Supported Codec: g729r8, Maximum Packetization Period: 220
Supported Codec: ilbc, Maximum Packetization Period: 120
Alg_Phone Oper State: ACTIVE - Cause Code: NONE
Active Call Manager: 152.63.1.19, Port Number: 2000
TCP Link Status: CONNECTED, Device Name: AN71FEF7F070083
Reported Max Streams: 1, Reported Max OOS Streams: 0
Supported Codec: rfc2833 dtmf, Maximum Packetization Period: 30
Supported Codec: g711ulaw, Maximum Packetization Period: 20
Supported Codec: g711alaw, Maximum Packetization Period: 20
Supported Codec: g729r8, Maximum Packetization Period: 220
Supported Codec: g729ar8, Maximum Packetization Period: 220
Supported Codec: g729br8, Maximum Packetization Period: 220
Supported Codec: g729r8, Maximum Packetization Period: 220
Supported Codec: ilbc, Maximum Packetization Period: 120
eucamvgw01#

Guest Anchor - Web Passthrough - Apple device web redirect issue

Hi All,
I've setup a Guest Mobility Anchor at DMZ with 5508 WLC. I've setup the EoIP mobility tunnel and everything works so far.
Now, I was testing multiple clients to connect to the Guest SSID and observed that Apple devices are not redirecting url, resulting unsuccessful connection.
I looked Cisco docs and added the command "config network web-auth captive-bypass enable" on the Anchor as recommended.
Even after executing the command, I'm still facing web redirect issue with Apple Devices. I don't have any issues with other devices, except Apple.
My controller running code AirOS 7.6.130.0. I'm using DMZ controller as DHCP server for Guests and public DNS servers as 8.8.8.8 & 8.8.4.4
How to solve this web redirect issue? Will a Third-party generated CSR solves the problem?
Thanks,
CJ

Hi All,
The issue was with WISPr Protocol with iOS Clients. After upgrading the AirOS Code on the controller to 8.0.100.0; the issue with Web Redirect is resolved.
Jagan

Issue with cisco acs 4.2.Users unable to login aaa client but after restarting group policy able to login

issue with cisco acs 4.2.Users unable to login aaa client but after restarting group policy able to login

issue with cisco acs 4.2.Users unable to login aaa client but after restarting group policy able to login

Directory Caching issue with Cisco Jabber client for Windows

Hi ,
I am facing cache issue with Cisco Jabber client for Windows. If I do any change related to modification or deletion of contacts in Active Directory/ Callmanager, it does not reflect in the Jabber. Because jabber takes the contacts from the locally stored cache file in the Windows system.
Every time I have to remove the cache file to overcome this issue, practically it's not possible to do the same with all the Widows users. As, if any employee leaves the company and still I can see his contact appears in the "Cisco Jabber client". I have not seen this issue with Android/Apple iOS.
Is there any automated way to remove the cache file?
Here is the detail of CUCM,Presence and Jabber.
CUCM version: 9.1.x
Presence : 9.1.X
Jabber : 10.5 and 10.6

Hello
On our environment we had to install a dedicated Microsoft Certificate Authority "just for Cisco Jabber usage" to house the
Network Device Enrollment Service.
Our certificate for the CUPS were generated on this Certification Authority too.
I discussed this certificate matter with my colleagues this afternoon and nobody seems to remember how these certificates were deployed into the
Enterprise Trust store for the users.
But I think they asked all 400 users to accept the 3 certificates by answering "yes" to the popup instead of using a script deployed by GPO...
I wish you success with that deployment and really hope you have a technical partner that *Knows* this subject.
Our partner left us alone with that unfortunately.
Florent
EDIT: If the "Certutil script method" works, please let me know. This could be useful in our own deployment.

Routing issue between Cisco Nexus and Cisco 4510 R+E Chassis

We have configured Cisco Nexus 7K9 as core and Cisco 4510 R+E as access switches for Server connectivity.
We are experiencing problem in terms of ARP learning and Ping issues between Cisco Nexus and end hosts.

Hi,
So you have N7k acting as L3 with servers connected to 4510?.
Do you see the MAC associated with failing ARP in 4510?. Is it happening with all or few servers?. Just to verify if it is connectivity issue between N7k and 4510, you can configure an SVI on 4510 and assign address from same raneg (server/core range) and perform a ping.
This will help narrow down if issue is between server to 4510 or 4510 to N7k.
Thanks,
Nagendra

MacBook and MacBook Pro with 10.6: Wireless Airport Issues with Cisco

Long Story but please bear with me:
Loaded SL on my daughters MacBook and my MacBook Pro. Internet worked flawlessly at our house (WEP encrypted) and on other public wifi. When my daughter went back to her sorority house at college 24 hours later, she could not access the internet using the sorority house network (Cisco Aironet 1800 router and Cisco Airo Access Points).
Her Airport on the MacBook appeared connected at full strength yet no internet. Two calls to Apple support (they were very nice) did not help. All the following were tried:
1. Reset PRAM
2. Deleted Airport and Safari plists
3. Edited locations
4. Removed Battery
5. Others I cannot now remember
Still no net. However, she could 'pirate' and hop on line with other identified public wifi adjacent to the sorority house. I drove to the sorority house today and tried to get on the network wirelessly using my MacBook Pro with SL. Same identical results to hers. Another MacBook without SL works great and gets right on the network.
Is this some SL influenced issue with the Airport card and the Cisco system? Weird that both of our laptops work great with several other wifi networks but not the one at the sorority house.
Could much of what we all our seeing with the internet access problem lie not with issues within our software or computers but with the routers and access points not being compatible? I have very little understanding of this stuff (as you all can probably tell) but the Apple Support people acted like it was a old firmware issue with Cisco and not with SL. Not actually what I wanted to hear.
Any ideas or suggestions?

Your description there, particularly the last part, sounds like my problem. At home, we connect using Airport and ADSL which was OK, once SL had sorted out passwords.
At my office, where there are two wifi systems, I could not get on either, although did have IP numbers on both. The link to the outside world is via a proxy which uses a PAC file. Network Diagnostics reported each time (whatever I did) that the link to the server was OK, but the Internet was not.
I created a new Location with identical settings (typing them in and not copying) and the only visible difference is that the new location has no DNS numbers -- I had not noticed that before. The moment I pressed, Apply, the computer was online.
I was guessing that there was a conflict in a .plist file somewhere; but now I wonder if DNS might have been the reason (the DNS number usually used is the one from the router itself).

Issue with cisco ONS 15310. Slot with Ethernet ports, designed for bridging.

Hi, guys. I’ve got an issue with cisco ONS 15310 sdh optical network. I’ve got a special slot with Ethernet ports, designed for bridging. Assume, we’ve got to multiplexers, named A and B with ports A0 and B0 respectively. The ios console of these slots says, the configuration is as follows:
no ip address set on these ports
Ports are administratively up
Auto mdix
Bridge groups are the same on these ports.
Dot1q tunnel.
I’m trying to monitor a device with an ip-address connected to port B0. It answers ping if I connect the notebook directly to a device. But if I connect the notebook to port A0 and ping the device pluged in port B0 through the optical network, it doesn’t answer. I tried connections with straight and cross cable.
Guys, who set the network said, it should work as a point to point bridge with no extra configuration. But it doesn’t. I used wireshark sniffer to lookup what’s happening on port A0. All I see is cdp-s from port A0 and self-announcements of the notebook.
Any suggestions? Thank you in advance.

B
Building configuration...
Current configuration : 3712 bytes
! Last configuration change at
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
hostname B
boot-start-marker
boot-end-marker
enable password -
clock timezone -
ip subnet-zero
no ip domain-lookup
no mpls traffic-eng auto-bw timers frequency 0
bridge 100 protocol ieee
bridge 140 protocol ieee
bridge 141 protocol ieee
bridge 142 protocol ieee
bridge 143 protocol ieee
bridge 144 protocol ieee
interface Loopback0
ip address 192.x.0.x 255.255.255.255
interface FastEthernet0
description -
no ip address
mode dot1q-tunnel
bridge-group 140
bridge-group 140 spanning-disabled
interface FastEthernet1
description --- B0 ---
no ip address
mode dot1q-tunnel
bridge-group 141
bridge-group 141 spanning-disabled
interface FastEthernet2
description -
no ip address
mode dot1q-tunnel
bridge-group 142
bridge-group 142 spanning-disabled
interface FastEthernet3
description -
no ip address
mode dot1q-tunnel
bridge-group 143
bridge-group 143 spanning-disabled
interface FastEthernet4
description -
no ip address
mode dot1q-tunnel
bridge-group 144
bridge-group 144 spanning-disabled
interface FastEthernet5
no ip address
shutdown
interface FastEthernet6
no ip address
shutdown
interface FastEthernet7
description -
no ip address
shutdown
mode dot1q-tunnel
bridge-group 100
bridge-group 100 spanning-disabled
interface POS0
description -
no ip address
crc 32
interface POS0.1
encapsulation dot1Q 141
no snmp trap link-status
bridge-group 141
interface POS0.2
encapsulation dot1Q 142
no snmp trap link-status
bridge-group 142
interface POS0.3
encapsulation dot1Q 143
no snmp trap link-status
bridge-group 143
interface POS0.4
encapsulation dot1Q 144
no snmp trap link-status
bridge-group 144
interface POS0.5
description -
encapsulation dot1Q 140
no snmp trap link-status
bridge-group 140
interface POS1
no ip address
crc 32
interface POS1.1
encapsulation dot1Q 100
no snmp trap link-status
bridge-group 100
router ospf 100
log-adjacency-changes
network 192.x.0.x 0.0.0.0 area 0
ip default-gateway [x.x.x.x]
ip classless
no ip http server
snmp-server community public RO
snmp-server ifindex persist
snmp-server trap link ietf
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps config
snmp-server enable traps cpu threshold
snmp-server enable traps entity
snmp-server enable traps syslog
snmp-server enable traps hsrp
snmp-server enable traps config-copy
snmp-server enable traps bridge
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps bgp
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps ipmulticast
snmp-server enable traps rtr
snmp-server enable traps mpls traffic-eng
snmp-server enable traps mpls ldp
snmp-server enable traps rsvp
snmp-server enable traps l2tun session
snmp-server enable traps mpls vpn
snmp-server host x.x.x.x public
control-plane
line con 0
line vty 0 4
password -
logging synchronous level 4
login
end

Icmp redirect issue

hi guys:
We have firewall that connect to the internet.We also have a 6509 switch connect to the internal lan. The client PC,6509 interface and firewall are on the same subnet. Client's gateway is on 6509. When client try to access internet, the 6509 switch should send icmp redirect to client telling them to go to firewall for internet access. However,I've found that some client were not receiving icmp redirect,therefore internet traffic send to 6509 then to fireawll.From the 6509 debug we saw it sending icmp redirect once or twice per second.Is this a security feature to prevent msfc from DOS attack?If so is there any way yo override it?Thanks for help.
regards

do you just have the pix and pc connected to the same subnet and have the pc default gateway point to the MSFC and have the MSFC default gateway point to the pix??
this would allow for the pc to get to the internet and the icmp redirect sent to the pc to inform it of the better route.
how is your icmp redirect configured? can you post configuration of switch/msfc?
do you have 'no ip redirects' command configured on the MSFC SVI for the pc vlan? if so, use the 'ip redirects' command on the MSFC SVI (vlan) that the pc connects to.
this will allow the MSFC SVI to be able to send icmp redirects.
please see the following link for more info on icmp redirects:
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094702.shtml

LAG configuration issue on Cisco SG300 52 Switch

Hi everybody,
I am having an issue with LAG configuration on a Cisco SG300 52 switch. I have connected four Ge ports on the switch to the four NICs of a Dell R710 Server on which I installed Windows Server 2008 R2. Without LAG configured, these ports would forward traffic to and from the Dell server fine. However, if I configure LAG on the ports with LACP enabled, then they would not forward any network traffic. Debugging shows that the ports are up but their forwarding status show N/A. Am I missing any configuration? Can I configure LAG on edgeports? Or is there any compatibility issue?
Any help from you guys will be greatly appreciated.
Thank you.
Vishal

Hi Dave,
Thank you for your quick response and sorry to have looked at it late. Well, I already resolved the issue and like you pointed out, it was the configuration of the Dell NICs. I had to configure NIC teaming and there was a bug with the Broadcom NIC management software. I had to download this piece of software again and I was then able to configure NIC teaming on it. I initially thought that it was already configured because we got the Dell server "pre-installed with pretty much everything".
Anyway thank you for your assistance. Oh I have a question though if you don't mind clearing my doubt. We have bought 7 of these SG300 Switches and I would like to use all of them
in a hierarchical design as core, distribution and access layer switches because I believe this switch has got all the qualities to be used at all the three layers. We have about 100 users in our company at the moment but expecting growth of about 10-20 employees per year. Would you think a hierarchical network design for a 100 users is a bit of an overkill? Would you think these SG300 switches can handle network traffic at the distribution and core layers? I worked out the average daily traffic is only about 4 Mbps.
Thank you for your valuable guidance.
Kind regards,
Vishal
Date: Mon, 12 Sep 2011 08:09:40 -0600
From: [email protected]
To: [email protected]
Subject: - Re: LAG configuration issue on Cisco SG300 52 Switch
Cisco Support Community
Re: LAG configuration issue on Cisco SG300 52 Switch created by David Hornstein in Small Business Switches - View the full discussion
Hi Chundunsing,
Thank you for the purchase of my switch.
Chundunsing, I love the way you worded your question ; "I am having an issue with LAG configuration on a Cisco SG300 52 switch." ,but seriously you are having a problem with interfacing the dell with my switch.
You have LAG working to the Dell R710 teamed NICs and god knows what NICs or drivers you are using to acheive this.
Now LAG is providing , load balancing between the LAG ports.
Now LAG is providing , link redundancy for connectibity to the Dell R710.
If there is a configuration issue , it sure seems the way you have it configured without LACP is still working. But you have the option when you create a LAP group to enable LACP. You can see this as a tick box in the LAG group.
But might i also install, recently firmware version 1.1.1.8, just came out.
Please be sure to;
Step 1. update the firmware on the switch and
Step 2. select it as the 'active image.'
Step 3 rebbot the switch to utilize this active image.
If you are having any trouble doing this the admin guide references how to achieve this. for your concenience I have atteched the guide to this posting.
regards Dave
Reply to this message by going to Cisco Support Community
Start a new discussion in Small Business Switches at Cisco Support Community

Issue with Cisco Meraki APs

Is there any known issues with Cisco Meraki APs with client devices which publish PMF support in probe requests ? We are seeing connectivity issues with Cisco Meraki MR12,MR16 and MX80 models . Please update if there are any known issue with these APs.

Thanks for your thoughts, Nathan. We do actually have the "Enable Fast Reconnect" option selected on our wireless profile. Good idea, though.
We did also (originally) have 2 RADIUS servers defined within our wireless network. What we discovered was that each Meraki AP will try each one in order, top-to-bottom, and then primarily use the server that responded to it first. So, if for any reason you have a short-lived issue with your local RADIUS server responding to requests, and the AP is able to talk to a remote RADIUS server (in our case, one on the other side of the world) instead, the AP will elect to use the remote RADIUS server instead. In our case, the latency is high enough between these APs and this remote RADIUS server that while a client is roaming between APs, and having to re-authenticate, the entire process breaks down because (1) the client is moving between APs faster than the remote RADIUS server can authenticate the client, and (2) the entire exchange and communication ends up timing out -- thus forcing a manual re-connect. This is not a common occurrence by any means, but I just wanted to share what made us later choose to define only 1 RADIUS server, in the network settings. Surely our circumstance here is rather unique, but I thought it might be worth mentioning. Having only 1 RADIUS server defined forces ALL of our APs to use the same RADIUS server, regardless of anything else. It has resulted in a much smoother re-auth process for our clients.
I appreciate the link you sent, however. If I come across anything else that is helpful, I'll certainly post it back here. I appreciate your input once again!

Issues getting url-redirect working with Cisco ISE

Hi,
I am currently doing a Proof of Concept using Cisco's new ISE product. I am having issues getting the url-redirect raidus attribute working. I have read the troubleshooting document and everything in it points to it should be working. By debuging the radius information on the switch I can see that its passing the url-redirect to the switch which in my case is was https://DEVLABISE01.devlab.local:8443/guestportal/gateway?sessionId=0A00020A0000001604D3F5BE&action=cwa. Now to remove DNS issues etc from the equasion if I copy and paste this URL into the client browser it takes me to the correct place, and I can login and it changes VLAN's accordingly. Now as far as I know the client should automatticaly be redirected to this URL which is not working. Below I have included one of the debugs to show that the epm is in place.
DEVLABSW01#show epm session ip 10.0.1.104
    Admission feature: DOT1X
              ACS ACL: xACSACLx-IP-PRE-POSTURE-ACL-4de86e6c
     URL Redirect ACL: ACL-WEBAUTH-REDIRECT
         URL Redirect: https://DEVLABISE01.devlab.local:8443/guestportal/gateway?sessionId=0A00020A0000001604D3F5BE&action=cwa
I have also attached my switch config. Any help would be greatly appreciated.
Dan

So im also doing ISE for the first time and i knew it may have been a bit tough however i didnt forsee my following issue.
everything is working as expected other than every now and then (intermittent) the ISE Central Portal does not display on any device -android, windows, etc..... i checked and checked the configs, had probably about 10 TAC cases open..... this weekend i ripped out the main components, setup in the offfice and tried to replicate the issue....i could...what i noticed is that without Internet the ISE Portal didnt actually display....it sounds weird but thats what im seeing.....As soon as i plug into Internet Link into the equation, the portal page comes up.....im able to replicate it every time... Currently, i placed back into the customer network and im now looking down at the routing/firewall......
my issue is that i cant really explain why the Internet affects the Central Auth Page.... In any event. im working backwards, tomorrow im bringing in a second link and doing NAT on a cisco router to bypass the checkpoint firewall....ill know if its checkpoint or if im barking up the wrong tree....
if anyone can explain why, it would help out a great deal..
My setup BTW is
1. WLC 5760 - Not latest code but latest stable (recommended by the TAC Engineer)
2. ISE 1.2 - Doing simple Wireless only implementation
3. 3650 - Just acting like a switch - no ACLs etc - just a switch
4. Integrated into AD
Ill post back with any findings if i make any headway - BTW, i didnt like this at all as other solutions are so much simpler, BUT, i can now see how powerful this could potentially be for the right type of customer...
thanks again how i can get some feedback

Coa issue with Cisco ISE 1.2

Hi, i am currently implementing webauth with Cisco ISE for self register, but i am having issue coa. I was able to get non-windows machine to work but with windows i can't push out the url redirection through coa. I have enabled debug and i can see ISE trying to push out the url redirection to the port, however the url was not show when i issue a show authentication session interface gi 1/0/x command. The only issue i can see from the debugging is that the interface failed authorization first then a success authorization right after. Again, the url redirection work on non-windows machine, i have even go as far as disable dot1x supplicant on windows and it still didnt fix the issue.
please see attachment for the debugging i had mention above. If anyone know or had this issue before please let me know how i can resolve this.

finally figured it out. redirection acl was mess up.

CWA redirect issue and access across the WAN

Hello,
I am trying to get CWA working on my wireless ISE setup and am having an issue where the guest portal redirect is pointing to the wrong port. My setup is as follows:
The PSN has two connections - Gig 0 is on our management VLAN 172.24.x.x Gig 1 is on our guest network VLAN 10.190.x.x
Using a laptop I connect to the guest ssid and guest portal times out as it is pointing to 172.24.x.x instead of the guest vlan 10.190.x.x
We do not want guest traffic on the corp network for obvious reasons.
One more question - Is it possible to have guest access work across the WAN? For example, we have the admin box in Detroit and a PSN in Chicago. Detroit's guest network is routed through a tunnel to Chicago currently.
Some more info:
Here is from the radius authentication details -
cisco-av-pair=url-redirect=https://172.24.24.41:8443/guestportal/gateway?sessionId=ac18180a000024a45151d92d&action=cwa
How do I force it to 10.190.x.x and how does ISE get 172.24.24.41 for the redirect address? DNS? I guess I am unfamiliar with how cisco-av-pair attribute is determined. Any help will be greatly appreciated.

Have you ran anything such as MTR on a Linux box (or WINMTR equivalent on PC)? If so, can you find a trend in loss or high latency on a specific hop on the path? I would ensure you adjust the ICMP payload size to a higher size such as 1000Bytes and adjust the ping interval to every two seconds or so. This ensures you are not running into an issue where the provider is rate limiting your pings, which is not uncommon for some providers, if the pings (ICMP messages) are terminating on their endpoints.
Do you have QoS policies applied on interfaces on either end of these pings / traces? If so, do you have assurance that ICMP messages will not be impacted by queue based dropping or shaping latency? One solution is, move traffic from your ICMP traffic with the source or destination of your ICMP ping and trace endpoint in a priority queue with adequate bandwidth (should be a very low requirement). This may not make sense since your bandwidth utilization is low, but shaping of busy flows can actually occur long before congestion, depending on your design.
Another item that may give you better insight is running and monitoring / graphing IP-SLA probes between your routers on each end. You could then trend issues and give graphed evidence to your provider. They could then compare your lossy and high latency periods to their appliance interface, memory, and CPU loads to see if they can find a correlating trend. It can be a hard battle to get ISPs to not only admit they have issues, but allocate resources to isolate and resolve these issues. Good SLA probe data showing that their paths are not meeting delivery standards speak much louder that pings to them.

Redirections issues TSE - Cisco SMB SA 520

Similar Messages

Maybe you are looking for