Resend captured packets from cisco ios? (tcpreplay w/o WireShark)

Hello again,
As the title of the thread implies, is there a way to replay captured packets (as in a pcap file from the EPC protocol) from cisco ios? I am trying a work around by calling it from a connected computer, but I can't launch tcpreplay dynamically from an EEM script (mainly because I can't target the host OS from the EEM scope).
Basically I am capturing packets in order to delay them until some arbitrary time determined by another (or even the same) EEM script. Is there a function I don't know about that I can call to put previously captured packets (stored in a pcap file) directly back on the bus as if nothing happened?
Thanks in advance,
-Heath

You can't replay packets right now.  The upcoming onePK APIs will allow you to do this, however.  If you want to call tcpreplay from your EEM policy, you could send a trap to the host, which triggers the excution, or use the Remote Command Shell policy from http://www.cisco.com/go/easy to telnet/SSH to the host from the device to run the command.

Similar Messages

  • How to Enable IP Accounting or capture packets in Cisco ASA 5510 (8.2)

    Hi All,
    How to Enable IP Accounting or capture packets in Cisco ASA 5510 (8.2)
    Thanks
    Roopesh

    Hi Roopesh,
    Please go through this document for detailed documentation on captures:
    https://supportforums.cisco.com/docs/DOC-17814
    Hope that helps.
    Thanks,
    Varun Rao
    Security Team,
    Cisco TAC

  • Capturing packets from two server programs in single solaris box

    Hi,
    Greetings.
    I observe that snoop is not capturing packets exchanged between two server process which are running in a same solaris machine.
    Are there any options with snoop, so that it is possible to capture the
    packets between two server processes in a single machine ?
    Thanks in advance.
    BR, RK

    Snoop? No. Packets to the same machine never reach the DLPI layer which is where snoop is looking.
    There are some 'dtrace' scripts on Solaris 10 that attempt to view the contents as they go within the machine. They should work with most interfaces.
    I don't know of any good solution for Solaris 9.
    Darren

  • Authentication Failed to 2008 NPS from Cisco IOS VPN

    I'm trying to authenticate VPN connections to a Windows 2008 NPS Radius server.
    Local authentication works fine.
    Here are cisco configs:
    aaa new-model
    aaa authentication login default local
    aaa authentication login VPNauth group radius local
    aaa authorization network VPNgroup local
    aaa session-id common
    ip radius source-interface Loopback0
    radius-server host x.x.x.x auth-port 1645 acct-port 1646 key 7 xxxx
    crypto map VPNMAP client authentication list VPNauth
    crypto map VPNMAP isakmp authorization list VPNgroup
    crypto map VPNMAP client configuration address respond
    crypto map VPNMAP 10 ipsec-isakmp dynamic dynmap
    ... other crypto commands
    This is the section of the log from NPS:
    Authentication Details:
        Connection Request Policy Name:    VPN
        Network Policy Name:        -
        Authentication Provider:        Windows
        Authentication Server:        x.x.x.x
        Authentication Type:        PAP
        EAP Type:            -
        Account Session Identifier:        -
        Logging Results:            Accounting information was written to the local log file.
        Reason Code:            16
        Reason:                Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
    I do have PAP enabled on the Network/Connection Request Policies...
    I'm stuck
    Please help

    Can you run a "teat aaa " command to see if the user can be authenticated successfully?
    I think this might be a configuration issue on NPS. You can google it. Here is one I found, refer to "irishHam" post.
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/bfbbbae4-a280-4b3f-b214-02867b7d33e3

  • No ringback from cisco ip phones to alcatel Phones

    I have a CUCM 7.1.3 integrated with a Alcatel OXO PBX and when a try to place a call from cisco IP-Phones registered on CUCM to phones on PBX, I have no ringback,but  when a place a call from cisco IP-Phones registered on CUCM to PSTN using PBX as it has a PRI line to the local PSTN, I dont have that issue.
    The voice gateway connects to PBX using a PRI(E1) running MGCP and QSIG.
    interface Serial 3/1:15
    no ip address
    encapsulation hdlc
    isdn switch-type primary-qsig
    isdn timer T310 120000
    isdn protocol-emulate network
    isdn incoming-voice voice
    isdn bind-l3 ccm-manager
    no cdp enable

    You can configure COS values for the Cisco IP Phones so that the voice packets from Cisco IP phone are given more priority over the data packets from the PCs/Hosts. But the same might not be configurable for non Cisco IP Phone. I am not very sure of this. Other than that I guess, you can have all QoS features.

  • Ask the Expert: Packet Capture Capabilities of Cisco Routers and Switches

    With Rahul Rammanohar 
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about packet capture capabilities of Cisco routers and switches.
    In May 2013, we created a video that included packet capture capabilities across multiple Cisco routers and switches. For each product, we began with a discussion about the theory of the capabilities, followed by an explanation of the commands, and we concluded with a demo on real devices. In this Ask the Expert event, you’re encouraged to ask questions about the packet capture capabilities of these Cisco devices:
    •       7600/6500: mini protocol analyzer (MPA), ELAM, and Netdr
    •       ASR9k: network processor capture
    •       7200/ISRs: embedded packet capture
    •       Cisco Nexus 7K, 5K, and 3K: Ethanalyzer
    •       Cisco Nexus 7K: ELAM
    •       CRS: show captured packets
    •       ASR1K: embedded packet capture
    More Information
    Blog URL: Packet Capture Capabilities of Cisco Routers and Switches
    Watch the Video:  https://supportforums.cisco.com/videos/6226
    Hitesh Kumar is a customer support engineer in the High-Touch Technical Services team at Cisco specializing in routing protocols. He has been supporting major service providers and enterprise customers in routing, Multiprotocol Label Switching (MPLS), multicast, and Layer 2 VPN (L2VPN) issues on routing platforms for more than three years. He has more than six years of experience in the IT industry and holds a CCIE certification (number 38757) in service. 
    Rahul Rammanohar is a technical leader with the High-Touch Technical Support Team in India. He handles escalations in the area of routing protocols and large-scale architectures for devices running Cisco IOS, IOS-XR, and IOS-XE Software. He has been supporting major service providers and large enterprise customers for routing, MPLS, multicast, and L2VPN issues on all routing platforms. He has more than 13 years of experience and holds a CCIE certification (number 13015) in routing/switching and service provider.
    Remember to use the rating system to let Hitesh and Rahul know if you have received an adequate response.  
    Because of the volume expected during this event, Hitesh and Rahul might not be able to answer each question. Remember that you can continue the conversation in the Service Provider, sub-community forum shortly after the event. This event lasts through November 1, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

    Hello Erick
        Thanks for the topology. The trigger will be different for labelled  packet as you would need to mention the values of labels too in the  trigger.
         Below are two examples of one or two labels being  used, it depends on where you are capturing the packet in mplsvpn  scenario which will decide teh number of labels being imposed on the  packet.
    Trigger for one label. (if the router on which you are capturing the packet PHP is being performed)
    VPN label - 5678
    Source Address - 111.111.111.111
    Destination Address - 123.123.123.123
    show platform capture elam trigger dbus others if data = 0 0 0 0x88470162 0xE0000000 0 0 0x00006F6F 0x6F6F 7B7B 0x7B7B0000 [ 0 0 0 0xffffffff 0xf0000000 0 0 0x0000ffff 0xffffffff 0xffff0000 ]
    Trigger for two labels. (for other core routers)
    IGP label - 1234
    VPN label - 5678
    Source Address - 111.111.111.111
    Destination Address - 123.123.123.123
    show platform capture elam trigger dbus others if data = 0 0 0 0x8847004D 0x20000162 0xE0000000 0 0 0x00006F6F 0x6F6F7B7B 0x7B7B0000 [ 0 0 0 0xffffffff 0xf000ffff 0xf0000000 0 0 0x0000ffff 0xffffffff 0xffff0000 ]
        You can check the labels being used (by using show ip cef <> details) and covert their values to hex and change the trigger accordingly.
         I have changed the colors for better understanding. If you notice carefully in the trigger the values for ip address, labels have just been converted to their respective hex values which could be replaced.
         Please let me know if this helps.
    Thanks & Regards
    Hitesh & Rahul

  • Recovering from "no cisco IOS image file" error

    I have a aironet1200 series access point, and attempted to update it to a newer IOS software release. However it never came back up after the update, and upon reboot the 3 status lights show red, green, red, which apparently means there is 'no cisco IOS image file'. Is there a way to recover from this error? It has a RJ45 style console port, can I use thi to recover?

    Got it sorted, managed to find the manual which goes through this in it's entirety!

  • IOS 12.4(15)XW not available from Cisco Web site

    Can anyone please tell me why this version is not available from Cisco Web site as I am trying to download it to test on a cisco 2851 series router .The documnet below in page 7 & 10 describe  the requirement for this version. What is the replacement version for this if that is not available?

    Well, maybe I am missing something but I do not see a 12.4(15)XW release on CCO for the 2851 platform. I see references to it in documentation but I don't see actual release notes or a download link. So, where exactly did you see this particular version for this platform?
    Based on the PDF provided by the OP I think he is trying to add a fax module. In the PDF it is stated a few times that you can use 12.4(15)XW or 12.4(20)T. What this basically means is that these are minimum IOS version levels that you need to use that module. You would not want to run the minimum in most cases because software defects are abundant and seem to be endless. IOS release trains are somewhat over complicated in my opinion but here is my quick take. The XW is a early deployment release. These releases are "one offs". Usually added to incorporate a new piece of hardware. Sometime after these releases come out (again, to get the product to market) the code is incorporated in a T-train (in this case, 12.4(20)T). The idea is that the T-train code is used to introduce features/hardware/etc. that will be rolled into the next main-line release (in our world that is 15.0).
    Back to your issue. I can't find 12.4(15)XW but apparently p.bevilacqua has been able to find it. Maybe he would be willing to provide the link. If that doesn't pan out, I suggest that you look at releases after 12.4(20)T (including the latest service release for 12.4(20)T). They go up to 12.4(24)T. T-trains are touchy so you have to do your research and testing. I have had decent success with 12.4(20)T until recently (MGCP and T.38 fax, no joy). I have also used 12.4(24)T with OK success thus far. I know that p. bevilacqua doesn't like the 12.4T train "because its buggy". My opinion is all of this software is buggy. You have to identify the minimum release that will work with your hardware. Go to the latest minor/service release and research the bug toolkit. Oh, and always test.
    OK. Down the rabbit hole I go.
    HTH.
    Regards,
    Bill
    Please remember to rate helpful posts.

  • Getting "IPSEC(epa_des_crypt): decrypted packet failed SA identity check" messages on packets from only one of two far-end sources sharing the same tunnel, the other source works fine. What exactly does this error mean?

    One computer at COMPANY-A is attempting to communicate with two
    computers located at COMPANY-B, via an IPsec tunnel between the
    two companies.
    All communications are via TCP protocol.
    All devices present public IP addresses to one another, although they
    may have RFC 1918 addresses on other interfaces, and NAT may be in use
    on the COMPANY-B side.  (NAT is not being used on the COMPANY-A side.)
    The players:(Note: first three octets have been changed for security reasons)
    COMPANY-A computer      1.2.3.161
    COMPANY-A router        1.2.3.8 (also IPsec peer)
    COMPANY-A has 1.2.3.0/24 with no subnetting.
    COMPANY-B router        4.5.6.228 (also IPsec peer)
    COMPANY-B computer #1   4.5.7.94 (this one has no issues)
    COMPANY-B computer #2   4.5.7.29 (this one fails)
    COMPANY-B has 4.5.6.0/23 subnetted in various ways.
    COMPANY-B also has 9.10.11.0/24, but it is not involved in the issue.
    What works:
    The COMPANY-A computer 1.2.3.161 can communicate via the single IPsec
    tunnel to COMPANY-B computer #1 4.5.7.94 without problems.
    The "show crypto session detail" command shows Inbound/Outbound packets
    flowing in the dec'ed and enc'ed positions.
    What doesn't:
    When the COMPANY-A computer 1.2.3.161 attempts to communicate
    via the single IPsec tunnel with the COMPANY-B computer #2 4.5.7.29,
    the COMPANY-A router eventually reports five of these messages:
    Oct  9 15:24:54.327: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
    Oct  9 15:24:57.327: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
    Oct  9 15:25:03.327: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
    Oct  9 15:25:15.328: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
    Oct  9 15:25:39.329: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
    Oct  9 15:26:27.328: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
    and the "show crypto session detail" shows inbound packets being dropped.
    The COMPANY-A computer that opens the TCP connection never gets past the
    SYN_SENT phase of the TCP connection whan trying to communicate with the
    COMPANY-B computer #2, and the repeated error messages are the retries of
    the SYN packet.
    On the COMPANY-A side, this IPsec configuration has been set up on a 3745,
    a 3725, and some 76xx routers were tried, all with similar behavior,
    with packets from one far-end computer passing fine, and packets from
    another far-end computer in the same netblock passing through the same
    IPsec tunnel failing with the "failed SA identity" error.
    The COMPANY-A computer directs all packets headed to COMPANY-B via the
    COMPANY-A router at 1.2.3.8 with this set of route settings:
    netstat -r -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    4.5.7.0         1.2.3.8         255.255.255.0   UG        0 0          0 eth3
    1.2.3.8.0       0.0.0.0         255.255.255.0   U         0 0          0 eth3
    10.1.0.0        0.0.0.0         255.255.240.0   U         0 0          0 eth0
    169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth3
    10.0.0.0        10.1.1.1        255.0.0.0       UG        0 0          0 eth0
    0.0.0.0         1.2.3.1         0.0.0.0         UG        0 0          0 eth3
    The first route line shown is selected for access to both COMPANY-B computers.
    The COMPANY-A router (IPsec tunnel endpoint, 1.2.3.8) has this
    configuration:
    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    group 2
    lifetime 28800
    crypto isakmp key XXXXXXXXXXXXXXXXXXXXXXX address 4.5.6.228
    crypto ipsec security-association lifetime seconds 86400
    crypto ipsec transform-set COMPANY-B01 esp-3des esp-sha-hmac
    crypto map COMPANY-BMAP1 10 ipsec-isakmp
    description COMPANY-B VPN
    set peer 4.5.6.228
    set transform-set COMPANY-B01
    set pfs group2
    match address 190
    interface FastEthernet0/0
    ip address 1.2.3.8 255.255.255.0
    no ip redirects
    ip virtual-reassembly
    duplex auto
    speed auto
    no cdp enable
    crypto map COMPANY-BMAP1
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 1.2.3.1
    ip route 10.0.0.0 255.0.0.0 10.1.1.1
    ip route 1.2.3.8.0 255.255.255.0 FastEthernet0/0
    access-list 190 permit ip host 1.2.3.161 4.5.7.0 0.0.0.255
    access-list 190 permit ip host 1.2.3.161 9.10.11.0 0.0.0.255
    bridge 1 protocol ieee
    One of the routers tried had this IOS/hardware configuration:
    Cisco IOS Software, 3700 Software (C3725-ADVIPSERVICESK9-M), Version 12.4(25c),
    RELEASE SOFTWARE (fc2)
    isco 3725 (R7000) processor (revision 0.1) with 115712K/15360K bytes of memory.
    Processor board ID XXXXXXXXXXXXXXX
    R7000 CPU at 240MHz, Implementation 39, Rev 3.3, 256KB L2 Cache
    2 FastEthernet interfaces
    4 ATM interfaces
    DRAM configuration is 64 bits wide with parity disabled.
    55K bytes of NVRAM.
    31296K bytes of ATA System CompactFlash (Read/Write)
    250368K bytes of ATA Slot0 CompactFlash (Read/Write)
    Configuration register is 0x2102
    #show crypto sess
    Crypto session current status
    Interface: FastEthernet0/0
    Session status: UP-ACTIVE
    Peer: 4.5.6.228 port 500
      IKE SA: local 1.2.3.8/500 remote 4.5.6.228/500 Active
      IPSEC FLOW: permit ip host 1.2.3.161 4.5.7.0/255.255.255.0
            Active SAs: 2, origin: crypto map
      IPSEC FLOW: permit ip host 1.2.3.161 9.10.11.0/255.255.255.0
            Active SAs: 0, origin: crypto map
    #show crypto sess det
    Crypto session current status
    Code: C - IKE Configuration mode, D - Dead Peer Detection
    K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
    Interface: FastEthernet0/0
    Session status: UP-ACTIVE
    Peer: 4.5.6.228 port 500 fvrf: (none) ivrf: (none)
          Phase1_id: 4.5.6.228
          Desc: (none)
      IKE SA: local 1.2.3.8/500 remote 4.5.6.228/500 Active
              Capabilities:(none) connid:1 lifetime:06:26:27
      IPSEC FLOW: permit ip host 1.2.3.161 4.5.7.0/255.255.255.0
            Active SAs: 2, origin: crypto map
            Inbound:  #pkts dec'ed 651 drop 16 life (KB/Sec) 4496182/23178
            Outbound: #pkts enc'ed 574 drop 2 life (KB/Sec) 4496279/23178
      IPSEC FLOW: permit ip host 1.2.3.161 9.10.11.0/255.255.255.0
            Active SAs: 0, origin: crypto map
            Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
            Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
    The COMPANY-B device on their end of the IPsec VPN is a Juniper SSG1000
    Version 6.1 (ScreenOS)
    We only have a limited view into the Juniper device configuration.
    What we were allowed to see was:
    COMPANY-B-ROUTER(M)-> sh config | incl COMPANY-A
    set address "Untrust" "oss-COMPANY-A-1.2.3.161" 1.2.3.161 255.255.255.255
    set ike gateway "COMPANY-A-1-GW" address 1.2.3.8 Main outgoing-interface "ethernet2/1" preshare xxxxxxxxxxxxxxxxxxxxxx  proposal "pre-g2-3des-sha"
    set vpn "COMPANY-A-1-IKE" gateway "COMPANY-A-1-GW" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha-28800"
    set policy id 2539 from "Untrust" to "Trust"  "oss-COMPANY-A-1.2.3.161" "9.10.11.0-24" "ANY" tunnel vpn "COMPANY-A-1-IKE" id 0x309a pair-policy 2500
    set policy id 2500 from "Trust" to "Untrust"  "9.10.11.0-24" "oss-COMPANY-A-1.2.3.161" "ANY" tunnel vpn "COMPANY-A-1-IKE" id 0x309a pair-policy 2539
    set policy id 2541 from "Trust" to "Untrust"  "4.5.7.0-24" "oss-COMPANY-A-1.2.3.161" "ANY" tunnel vpn "COMPANY-A-1-IKE" id 0x309b pair-policy 2540
    set policy id 2540 from "Untrust" to "Trust"  "oss-COMPANY-A-1.2.3.161" "4.5.7.0-24" "ANY" tunnel vpn "COMPANY-A-1-IKE" id 0x309b pair-policy 2541
    COMPANY-B-ROUTER(M)->
    I suspect that this curious issue is due to a configuration setting on the
    Juniper device, but neither party has seen this error before.  COMPANY-B
    operates thousands of IPsec VPNs and they report that this is a new error
    for them too.  The behavior that allows traffic from one IP address to
    work and traffic from another to end up getting this error is also unique.
    As only the Cisco side emits any error message at all, this is the only
    clue we have as to what is going on, even if this isn't actually an IOS
    problem.
    What we are looking for is a description of exactly what the Cisco
    IOS error message:
    IPSEC(epa_des_crypt): decrypted packet failed SA identity check
    is complaining about, and if there are any known causes of the behavior
    described that occur when running IPsec between Cisco IOS and a Juniper
    SSG device.  Google reports many other incidents of the same error
    message (but not the "I like that IP address but hate this one" behavior),
    and not just with a Juniper device on the COMPANY-B end, but for those cases,
    not one was found where the solution was described.
    It is hoped that with a better explanation of the error message
    and any known issues with Juniper configuration settings causing
    this error, we can have COMPANY-B make adjustments to their device.
    Or, if there is a setting change needed on the COMPANY-A router,
    that can also be implemented.
    Thanks in advance for your time in reading this, and any ideas.

    Hello Harish,
    It is believed that:
    COMPANY-B computer #1   4.5.7.94 (this one has no issues)
    COMPANY-B computer #2   4.5.7.29 (this one fails)
    both have at least two network interfaces, one with a public IP address
    (which we are supposedly conversing with) and one with a RFC 1918 type
    address.   COMPANY-B is reluctant to disclose details of their network or
    servers setup, so this is not 100% certain.
    Because of that uncertainty, it occurred to me that perhaps COMPANY-B
    computer #2 might be incorrectly routing via the RFC 1918 interface.
    In theory, such packets should have been blocked by the access-list on both
    COMPANY-A router, and should not have even made it into the IPsec VPN
    if the Juniper access settings work as it appears they should.  So I turned up
    debugging on COMPANY-A router so that I could see the encrypted and
    decrypted packet hex dumps.
    I then hand-disassembled the decoded ACK packet IP header received just
    prior to the "decrypted packet failed SA check" error being emitted and
    found the expected source and destination IP addresses (4.5.7.29 and 1.2.3.161),
    in the unecapsulated packet.  I also found the expected port numbers of the TCP
    conversation that was trying to be established in the TCP header.  So, it
    looks like COMPANY-B computer #2 is emitting the packets out the right
    interface.
    The IP packet header of the encrypted packet showed the IP addresses of the
    two routers at each terminus of the IPsec VPN, but since I don't know what triggers
    the "SA check" error message or what it is complaining about, I don't know what
    other clues to look for in the packet dumps.
    As to your second question, "can you check whether both encapsulation and
    decapsulation happening in 'show crypto ipsec sa'",   the enc'ed/dec'ed
    counters were both going up by the correct quantities.  When communicating
    with the uncooperative COMPANY-B computer #2, you would also see the
    received Drop increment for each packet decrypted.  When communicating
    with the working COMPANY-B computer #1, the Drop counters would not
    increment, and the enc'ed/dec'ed would both increment.
    #show crypto sess det
    Crypto session current status
    Code: C - IKE Configuration mode, D - Dead Peer Detection
    K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
    Interface: FastEthernet0/0
    Session status: UP-ACTIVE
    Peer: 4.5.6.228 port 500 fvrf: (none) ivrf: (none)
          Phase1_id: 4.5.6.228
          Desc: (none)
      IKE SA: local 1.2.3.8/500 remote 4.5.6.228/500 Active
              Capabilities:(none) connid:1 lifetime:07:59:54
      IPSEC FLOW: permit ip host 1.2.3.161 4.5.7.0/255.255.255.0
            Active SAs: 2, origin: crypto map
            Inbound:  #pkts dec'ed 376 drop 5 life (KB/Sec) 4458308/28784
            Outbound: #pkts enc'ed 401 drop 3 life (KB/Sec) 4458308/28784
    Attempt a TCP communication to COMPANY-B computer #2...
    show crypto sess det
    Crypto session current status
    Code: C - IKE Configuration mode, D - Dead Peer Detection
    K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
    Interface: FastEthernet0/0
    Session status: UP-ACTIVE
    Peer: 4.5.6.228 port 500 fvrf: (none) ivrf: (none)
          Phase1_id: 4.5.6.228
          Desc: (none)
      IKE SA: local 1.2.3.8/500 remote 4.5.6.228/500 Active
              Capabilities:(none) connid:1 lifetime:07:59:23
      IPSEC FLOW: permit ip host 1.2.3.161 4.5.7.0/255.255.255.0
            Active SAs: 2, origin: crypto map
            Inbound:  #pkts dec'ed 376 drop 6 life (KB/Sec) 4458307/28753
            Outbound: #pkts enc'ed 402 drop 3 life (KB/Sec) 4458307/28753
    Note Inbound "drop" changed from 5 to 6.  (I didn't let it sit for all
    the retries.)
    #show crypto ipsec sa
    interface: FastEthernet0/0
        Crypto map tag: COMPANY-BMAP1, local addr 1.2.3.8
       protected vrf: (none)
       local  ident (addr/mask/prot/port): (1.2.3.161/255.255.255.255/0/0)
       remote ident (addr/mask/prot/port): (4.5.7.0/255.255.255.0/0/0)
       current_peer 4.5.6.228 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 402, #pkts encrypt: 402, #pkts digest: 402
        #pkts decaps: 376, #pkts decrypt: 376, #pkts verify: 376
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 3, #recv errors 6
         local crypto endpt.: 1.2.3.8, remote crypto endpt.: 4.5.6.228
         path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
         current outbound spi: 0xDF2CC59C(3744253340)
      inbound esp sas:
          spi: 0xD9D2EBBB(3654478779)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 2004, flow_id: SW:4, crypto map: COMPANY-BMAP1
            sa timing: remaining key lifetime (k/sec): (4458307/28600)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE
         inbound ah sas:
         inbound pcp sas:
         outbound esp sas:
          spi: 0xDF2CC59C(3744253340)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 2003, flow_id: SW:3, crypto map: COMPANY-BMAP1
            sa timing: remaining key lifetime (k/sec): (4458307/28600)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE
         outbound ah sas:
         outbound pcp sas:
    The "send" errors appear to be related to the tunnel reverting to a
    DOWN state after periods of inactivity, and you appear to get one
    each time the tunnel has to be re-negotiated and returned to
    an ACTIVE state.  There is no relationship between Send errors
    incrementing and working/non-working TCP conversations to the
    two COMPANY-B servers.
    Thanks for pondering this very odd behavior.

  • Capture packet / ip logging

    What is the best way to capture packets as well as display them for signatures.
    I need to see the packets that cuase the ICMP hard DoS sig 2157 to fire. From the Cisco IDS Install and Configuration guide version 4.x it talks about enabling packet capture to true as well as Event action, but no clear instructions on which to use or if both need to be configured.

    If you want to capture the packets that caused the signature to fire, then you must enable the "log" option as the EventAction in the signature. When the IDS detects an attack based on this signature, it creates an IP log.
    There is also an "IP logging" feature in the IDS that is used to capture the packets for a duration of time. This capture is time or size (bytes) based and is not based on signature.

  • DHCP issue on Cisco IOS router

    Hi experts,
    I recently got complaints that some clients can't get IP address through the DHCP server configured on a Cisco IOS router. I turned on debugging on DHCP events and packets and I see the following logs.
    Mar 22 15:33:41: DHCPD: DHCPREQUEST received from client 0100.1b63.f246.8c.
    Mar 22 15:33:41: DHCPD: Finding a relay for client 0100.1b63.f246.8c on interface FastEthernet1/0.10.
    Mar 22 15:33:41: DHCPD: Seeing if there is an internally specified pool class:
    Mar 22 15:33:41:   DHCPD: htype 1 chaddr 001b.63f2.468c
    Mar 22 15:33:41:   DHCPD: remote id 020a0000cf6050011000000a
    Mar 22 15:33:41:   DHCPD: circuit id 00000000
    Mar 22 15:34:02: DHCPD: DHCPREQUEST received from client 0100.1b63.f246.8c.
    Mar 22 15:34:02: DHCPD: Finding a relay for client 0100.1b63.f246.8c on interface FastEthernet1/0.10.
    Mar 22 15:34:02: DHCPD: Seeing if there is an internally specified pool class:
    Mar 22 15:34:02:   DHCPD: htype 1 chaddr 001b.63f2.468c
    Mar 22 15:34:02:   DHCPD: remote id 020a0000cf6050011000000a
    Mar 22 15:34:02:   DHCPD: circuit id 00000000
    Then it will repeat and repeat for this MAC. Any reason why the router is not assigning an IP to it? It actually happens to some other MACs as well... They are from different vendors and located on different switches... I can't really find a pattern for this problem... The DHCP pool hasn't run out and it still has available IPs in it.
    Thanks

    Hi Alain, thanks for quick reply. The followings contain the output that you required. I hided the prefix of the IP with a.b.c. Thanks!
    interface FastEthernet1/0.10
    description : DHCP for EXHIBITION VLAN
    encapsulation dot1Q 10
    ip address a.b.c.1 255.255.255.128
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    end
    r#sh ip dhcp pool
    Pool EXHIBIT :
    Utilization mark (high/low)    : 100 / 0
    Subnet size (first/next)       : 0 / 0
    Total addresses                : 126
    Leased addresses               : 47
    Pending event                  : none
    1 subnet is currently in the pool :
    Current index        IP address range                    Leased addresses
    a.b.c.118        a.b.c.1      - a.b.c.126     47
    #sh run | in/be dhcp
    no ip dhcp use vrf connected
    ip dhcp excluded-address a.b.c.1 a.b.c.11
    ip dhcp excluded-address a.b.c.126
    ip dhcp excluded-address a.b.c.100 a.b.c.101
    ip dhcp excluded-address a.b.c.51
    ip dhcp pool EXHIBIT
       network a.b.c.0 255.255.255.128
       default-router a.b.c.1
       dns-server 207.172.3.8 207.172.3.9
       domain-name xyz.com
    #sh ip dhcp binding
    Bindings from all pools not associated with VRF:
    IP address          Client-ID/              Lease expiration        Type
                        Hardware address/
                        User name
    a.b.c.19        0168.7f74.6260.9b       Mar 23 2011 01:56 PM    Automatic
    a.b.c.52        0100.4854.897d.17       Mar 23 2011 12:53 PM    Automatic
    a.b.c.56        0100.4063.e7b5.b2       Mar 23 2011 03:33 PM    Automatic
    a.b.c.57        0100.1b63.f246.8c       Mar 23 2011 03:34 PM    Automatic
    a.b.c.68        015c.5948.0b97.d6       Mar 22 2011 05:59 PM    Automatic
    a.b.c.69        0168.7f74.626d.67       Mar 23 2011 07:07 AM    Automatic
    a.b.c.70        0198.fc11.5027.1d       Mar 22 2011 07:04 PM    Automatic
    a.b.c.71        01dc.2b61.04ba.af       Mar 22 2011 10:26 PM    Automatic
    a.b.c.72        017c.c537.58e6.64       Mar 22 2011 08:37 PM    Automatic
    a.b.c.73        017c.6d62.3303.57       Mar 23 2011 03:54 AM    Automatic
    a.b.c.74        0124.ab81.cda4.68       Mar 23 2011 05:01 AM    Automatic
    a.b.c.75        0100.1e52.8f11.a5       Mar 23 2011 02:47 PM    Automatic
    a.b.c.76        0100.264a.5fc8.e3       Mar 23 2011 07:13 AM    Automatic
    a.b.c.77        017c.6d62.38cd.40       Mar 23 2011 02:06 PM    Automatic
    a.b.c.78        0100.1d4f.f647.79       Mar 23 2011 02:37 PM    Automatic
    a.b.c.79        0100.26b0.8637.3d       Mar 23 2011 01:16 PM    Automatic
    a.b.c.81        0130.694b.e9de.82       Mar 23 2011 03:19 PM    Automatic
    a.b.c.82        0100.21e9.6864.80       Mar 23 2011 12:04 PM    Automatic
    a.b.c.83        0124.ab81.63e6.b5       Mar 23 2011 09:38 AM    Automatic
    a.b.c.84        0100.16b6.0455.c2       Mar 23 2011 09:42 AM    Automatic
    a.b.c.85        0100.1302.4c96.9e       Mar 23 2011 09:49 AM    Automatic
    a.b.c.86        0140.a6d9.741c.e0       Mar 23 2011 12:12 PM    Automatic
    a.b.c.87        0100.264a.b8e9.50       Mar 23 2011 10:16 AM    Automatic
    a.b.c.88        0140.a6d9.4911.67       Mar 23 2011 03:19 PM    Automatic
    a.b.c.89        013c.7437.1e32.96       Mar 23 2011 10:27 AM    Automatic
    a.b.c.90        01d8.3062.689c.4b       Mar 23 2011 11:55 AM    Automatic
    a.b.c.91        0158.946b.4df8.bc       Mar 23 2011 10:49 AM    Automatic
    a.b.c.92        0100.2215.7368.26       Mar 23 2011 10:23 AM    Automatic
    a.b.c.93        0100.23df.76ea.90       Mar 23 2011 02:33 PM    Automatic
    a.b.c.94        0124.ab81.708d.83       Mar 23 2011 03:58 PM    Automatic
    a.b.c.95        0100.1cb3.163d.5a       Mar 23 2011 03:13 PM    Automatic
    a.b.c.96        01cc.08e0.2aeb.96       Mar 23 2011 01:27 PM    Automatic
    a.b.c.97        0188.c663.d0d0.55       Mar 23 2011 01:57 PM    Automatic
    a.b.c.98        0100.1b77.08bb.89       Mar 23 2011 01:15 PM    Automatic
    a.b.c.99        0100.1ec2.47d7.19       Mar 23 2011 12:43 PM    Automatic
    a.b.c.102       0100.1310.8e74.78       Mar 23 2011 12:41 PM    Automatic
    a.b.c.103       0100.24d6.58b0.82       Mar 23 2011 01:44 PM    Automatic
    a.b.c.104       0100.2608.7df2.68       Mar 23 2011 03:23 PM    Automatic
    a.b.c.106       01c8.bcc8.1a86.41       Mar 23 2011 03:56 PM    Automatic
    a.b.c.107       01a4.6706.1e54.94       Mar 23 2011 04:08 PM    Automatic
    a.b.c.108       017c.c537.46ac.0e       Mar 23 2011 02:41 PM    Automatic
    a.b.c.111       0100.037f.0ea2.19       Mar 23 2011 02:47 PM    Automatic
    a.b.c.112       01d8.3062.75c5.9c       Mar 23 2011 03:33 PM    Automatic
    a.b.c.113       0021.9116.449e          Mar 23 2011 03:36 PM    Automatic
    a.b.c.114       0100.1ff3.46d9.a9       Mar 23 2011 03:40 PM    Automatic
    a.b.c.116       0104.1e64.4a0d.a3       Mar 23 2011 04:21 PM    Automatic
    a.b.c.117       0190.27e4.4ae8.94       Mar 23 2011 04:24 PM    Automatic
    Thanks!

  • Unable to capture packets on ASA(ASDM)

    Hi all,
    We have site to site VPN connection to one of our client. From which we both are accessing our applications and other resources. Now client needs to acccess two of our internal server. So we have created Static NAT in our ASA. For one server they are accessing without any issues. But the other server they are not able to connect. Since its vpn tunnel we havent blocked any ports and its open to all traffic. But their side they have restricted and we need to see whether the packets hitting our ASA or not. Once we observes this, its easy for us to escalate them. I tried packet capture wizard in ASDM. But its not showing anything. Can anyone tell me how to capture packets realated to Static NAT. Please let me know if you want anyother details?
    local 20.0.0.0/24 -->this will get natted to --->12.0.6.0/24 when going in for tunnel
    we have created
    static(outside,inside) 12.0.6.10 20.0.0.10 255.255.255.255 working
    static(outside,inside) 12.0.6.11 20.0.0.11 255.255.255.255 not working, we need to check whether its hitting 12.0.6.11
    Kindly advise...
    Regards,
    Bala

    Where are you trying to initiate the connection from?
    If they are trying to initiate the connection towards your end, and the traffic doesn't reach your end, then there will be nothing on your ASA packet capture.
    Please share what you have configured to capture the traffic?
    To check if the traffic is reaching the inside interface, just configure ACL between source (real IP) and destination (remote IP), and apply the capture on the inside interface. This will confirm if the traffic is coming inbound towards the inside interface.
    To check if the traffic is leaving the inside interface towards the host behind your ASA, configure ACL between source (remote IP), and destination (host real IP), and apply the capture on the inside interface. This will confirm if the traffic is leaving your ASA inside interface towards the host.

  • Basic questions about CISCO IOS

    Hi everybody, Jack here,
    I have some basic questions about the Cisco IOS, could someone help me addressing some of them please? Any feedback would be greatly appreciated.
    Basically, I have two IP addresses assigned by our Cable ISP. From what I understood you can configure a Cisco router for multiple IP addresses using the IOS, thereby allowing someone like myself to take advantage of having multiple IP addresses. This may seem unnecessary to some, but I've always wanted to put the 2nd IP address to use, since after all, I've been paying for it.
    I was just wondering if someone could confirm that what I'm hoping to accomplish is indeed within the capability of the Cisco IOS (i.e. Fully utilize my 2 IP addresses). As well, if someone could kindly suggest a decent CISCO router for online gaming home use that would be super awesome!
    Thank you all so much for reading through the wall of text:)
    Jack

    Jack
    Certainly using multiple IP addresses is in the capability of Cisco IOS routers. How they can be used depends on the relationship of the IP addresses. I am assuming that we are talking about IP addresses assigned for the user to use and that the IP address for the ISP connection is not one of these that we are talking about.
    If both of the IP addresses that you have been assigned are within the same subnet then you would assign one of the addresses to the router interface to establish IP communication between the router and the ISP and to enable Internet connectivity for the devices inside your network that will use the router as their gateway to the Internet. The other address that is assigned can be used for address translation and in particular for static address translation which would make one of your devices inside to be reachable for connections initiated from the Internet (if that is something that you might want to do).
    If the addresses that are assigned to you are in different subnets then you could assign one address to the outside router interface and assign the other address to the router inside interface. Or you could use the second address for address translation.
    I do not have much expertise with online gaming, but I would think that either the Cisco 881 router or the 890 router might be appropriate for you. If 100 Mb connection is sufficient then probably the 881 would be the one to look at. If you need Gig connection then look at the 890.
    HTH
    Rick

  • Cisco IOS based IPS Services Licensing Query

    Hi Experts,
    We have a Cisco 3945 router at one of our location. Our requirement is to enable the IOS based IPS engine within in the router and would like to load new signature files from cisco website to the router. But i am not much familiar with the licensing part. show version and show ip ips license output has been attached for the reference. Following are my queries.
    1) Is this platform and IOS is capable for enabling IPS Engine?
    2) Is there any extra IPS Services Contract is required (other than the smartnet Coverage) for this router to enable IPS engine and to load new IPS Signature files from Cisco?
    Advanced Thanks and Regards,
    Sihanu N

    1) Is this platform and IOS is capable for enabling  IPS Engine?
    Yes, it is (3945 with a security IOS image will be able to do it)
    2)Is there any extra  IPS Services Contract is required (other than the smartnet Coverage) for this router to enable IPS engine and to load new IPS Signature files from Cisco?
    No, you are good to go.
    I will write a future articule about how to enable this feature on an IOS router so stay tune in my website at http:laguiadelnetworking.com for further information as I will cover all of the details,
    Cheers,
    Julio Carvajal Segura

  • Configure Cisco Mediatrace, Cisco IOS IP SLA, and Performance Monitoring

    Hi all,
    I am implementing Cisco Prime Collaboration to monitor the quality of the VoIP call.
    I am following all the steps that I have to do to accomplish this task at this link:
    http://docwiki.cisco.com/wiki/Setting_up_Devices_for_Prime_Collaboration_Assurance#Configuring_Unified_Contact_Center_Enterprise_Devices
    And now I am arrived on this step:
    Configure Cisco Mediatrace, Cisco IOS IP SLA, and Performance Monitoring
    Not all the Cisco devices that I have on the network are "Mediatrace, IP SLA and Performance Monitoring" capabilities. The core switch is one of them.
    What will happen if some devices are configured with these capabilities and some are not?
    Are the data provided from Cisco Collaboration still reliable?
    Thanks in advance.
    Luigi

    I can't see a reason why the 2 features won't work together. The 2 features will work just fine with each other.
    Unfortunately there is no sample config with both feature in the same document, but it will work just fine.

Maybe you are looking for

  • ACS 5.3 Radius authentication with ASA and DACL

    Hi, I am trying to do Radius authentication on the ACS 5.3 for VPN access (cisco client) using a downloadable ACL with AD identity Clients are connecting to an ASA 5510 with image asa843-K8.bin I followed the configuration example on the Cisco site,

  • Query Designer : change in charactristic

    Hi Experts, I have changed long text and short text of one charactristic but it is not reflecting the new name in reports.when i checked it in query designer on the left hand side under Dimensions it is showing me the new name but in Free charactrist

  • Creation of Table in UI5

    Hi, I am using SAPUI5 I installed it from following path The toolset can be downloaded from the SAP Service Marketplace (SMP). Go to https://service.sap.com -> SAP Support Portal -> SAP Software Download Center -> Support Packages and Patches -> A -

  • Insert and edit screen shots in RH

    I am using RoboHelp HTML 6 to write a help document which requires lot of images. I am reluctant about the imaging part as I really don't know what would be the best way to insert the images in RH. I have these options - Using Word or Paint of then R

  • Configure vps network with systemd-networkd

    I got a vps and installed archlinux on it, but I can't get the network working using systemd-networkd. The mail from the provider have the ip address and gateway (in the rest of the post are redacted respectively 1.2.3.4 and 5.6.7.8), and a note to r