Resend captured packets from cisco ios? (tcpreplay w/o WireShark)
Hello again,
As the title of the thread implies, is there a way to replay captured packets (as in a pcap file from the EPC protocol) from cisco ios? I am trying a work around by calling it from a connected computer, but I can't launch tcpreplay dynamically from an EEM script (mainly because I can't target the host OS from the EEM scope).
Basically I am capturing packets in order to delay them until some arbitrary time determined by another (or even the same) EEM script. Is there a function I don't know about that I can call to put previously captured packets (stored in a pcap file) directly back on the bus as if nothing happened?
Thanks in advance,
-Heath
You can't replay packets right now. The upcoming onePK APIs will allow you to do this, however. If you want to call tcpreplay from your EEM policy, you could send a trap to the host, which triggers the excution, or use the Remote Command Shell policy from http://www.cisco.com/go/easy to telnet/SSH to the host from the device to run the command.
Similar Messages
-
How to Enable IP Accounting or capture packets in Cisco ASA 5510 (8.2)
Hi All,
How to Enable IP Accounting or capture packets in Cisco ASA 5510 (8.2)
Thanks
RoopeshHi Roopesh,
Please go through this document for detailed documentation on captures:
https://supportforums.cisco.com/docs/DOC-17814
Hope that helps.
Thanks,
Varun Rao
Security Team,
Cisco TAC -
Capturing packets from two server programs in single solaris box
Hi,
Greetings.
I observe that snoop is not capturing packets exchanged between two server process which are running in a same solaris machine.
Are there any options with snoop, so that it is possible to capture the
packets between two server processes in a single machine ?
Thanks in advance.
BR, RKSnoop? No. Packets to the same machine never reach the DLPI layer which is where snoop is looking.
There are some 'dtrace' scripts on Solaris 10 that attempt to view the contents as they go within the machine. They should work with most interfaces.
I don't know of any good solution for Solaris 9.
Darren -
Authentication Failed to 2008 NPS from Cisco IOS VPN
I'm trying to authenticate VPN connections to a Windows 2008 NPS Radius server.
Local authentication works fine.
Here are cisco configs:
aaa new-model
aaa authentication login default local
aaa authentication login VPNauth group radius local
aaa authorization network VPNgroup local
aaa session-id common
ip radius source-interface Loopback0
radius-server host x.x.x.x auth-port 1645 acct-port 1646 key 7 xxxx
crypto map VPNMAP client authentication list VPNauth
crypto map VPNMAP isakmp authorization list VPNgroup
crypto map VPNMAP client configuration address respond
crypto map VPNMAP 10 ipsec-isakmp dynamic dynmap
... other crypto commands
This is the section of the log from NPS:
Authentication Details:
Connection Request Policy Name: VPN
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: x.x.x.x
Authentication Type: PAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
I do have PAP enabled on the Network/Connection Request Policies...
I'm stuck
Please helpCan you run a "teat aaa " command to see if the user can be authenticated successfully?
I think this might be a configuration issue on NPS. You can google it. Here is one I found, refer to "irishHam" post.
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/bfbbbae4-a280-4b3f-b214-02867b7d33e3 -
No ringback from cisco ip phones to alcatel Phones
I have a CUCM 7.1.3 integrated with a Alcatel OXO PBX and when a try to place a call from cisco IP-Phones registered on CUCM to phones on PBX, I have no ringback,but when a place a call from cisco IP-Phones registered on CUCM to PSTN using PBX as it has a PRI line to the local PSTN, I dont have that issue.
The voice gateway connects to PBX using a PRI(E1) running MGCP and QSIG.
interface Serial 3/1:15
no ip address
encapsulation hdlc
isdn switch-type primary-qsig
isdn timer T310 120000
isdn protocol-emulate network
isdn incoming-voice voice
isdn bind-l3 ccm-manager
no cdp enableYou can configure COS values for the Cisco IP Phones so that the voice packets from Cisco IP phone are given more priority over the data packets from the PCs/Hosts. But the same might not be configurable for non Cisco IP Phone. I am not very sure of this. Other than that I guess, you can have all QoS features.
-
Ask the Expert: Packet Capture Capabilities of Cisco Routers and Switches
With Rahul Rammanohar
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about packet capture capabilities of Cisco routers and switches.
In May 2013, we created a video that included packet capture capabilities across multiple Cisco routers and switches. For each product, we began with a discussion about the theory of the capabilities, followed by an explanation of the commands, and we concluded with a demo on real devices. In this Ask the Expert event, you’re encouraged to ask questions about the packet capture capabilities of these Cisco devices:
• 7600/6500: mini protocol analyzer (MPA), ELAM, and Netdr
• ASR9k: network processor capture
• 7200/ISRs: embedded packet capture
• Cisco Nexus 7K, 5K, and 3K: Ethanalyzer
• Cisco Nexus 7K: ELAM
• CRS: show captured packets
• ASR1K: embedded packet capture
More Information
Blog URL: Packet Capture Capabilities of Cisco Routers and Switches
Watch the Video: https://supportforums.cisco.com/videos/6226
Hitesh Kumar is a customer support engineer in the High-Touch Technical Services team at Cisco specializing in routing protocols. He has been supporting major service providers and enterprise customers in routing, Multiprotocol Label Switching (MPLS), multicast, and Layer 2 VPN (L2VPN) issues on routing platforms for more than three years. He has more than six years of experience in the IT industry and holds a CCIE certification (number 38757) in service.
Rahul Rammanohar is a technical leader with the High-Touch Technical Support Team in India. He handles escalations in the area of routing protocols and large-scale architectures for devices running Cisco IOS, IOS-XR, and IOS-XE Software. He has been supporting major service providers and large enterprise customers for routing, MPLS, multicast, and L2VPN issues on all routing platforms. He has more than 13 years of experience and holds a CCIE certification (number 13015) in routing/switching and service provider.
Remember to use the rating system to let Hitesh and Rahul know if you have received an adequate response.
Because of the volume expected during this event, Hitesh and Rahul might not be able to answer each question. Remember that you can continue the conversation in the Service Provider, sub-community forum shortly after the event. This event lasts through November 1, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.Hello Erick
Thanks for the topology. The trigger will be different for labelled packet as you would need to mention the values of labels too in the trigger.
Below are two examples of one or two labels being used, it depends on where you are capturing the packet in mplsvpn scenario which will decide teh number of labels being imposed on the packet.
Trigger for one label. (if the router on which you are capturing the packet PHP is being performed)
VPN label - 5678
Source Address - 111.111.111.111
Destination Address - 123.123.123.123
show platform capture elam trigger dbus others if data = 0 0 0 0x88470162 0xE0000000 0 0 0x00006F6F 0x6F6F 7B7B 0x7B7B0000 [ 0 0 0 0xffffffff 0xf0000000 0 0 0x0000ffff 0xffffffff 0xffff0000 ]
Trigger for two labels. (for other core routers)
IGP label - 1234
VPN label - 5678
Source Address - 111.111.111.111
Destination Address - 123.123.123.123
show platform capture elam trigger dbus others if data = 0 0 0 0x8847004D 0x20000162 0xE0000000 0 0 0x00006F6F 0x6F6F7B7B 0x7B7B0000 [ 0 0 0 0xffffffff 0xf000ffff 0xf0000000 0 0 0x0000ffff 0xffffffff 0xffff0000 ]
You can check the labels being used (by using show ip cef <> details) and covert their values to hex and change the trigger accordingly.
I have changed the colors for better understanding. If you notice carefully in the trigger the values for ip address, labels have just been converted to their respective hex values which could be replaced.
Please let me know if this helps.
Thanks & Regards
Hitesh & Rahul -
Recovering from "no cisco IOS image file" error
I have a aironet1200 series access point, and attempted to update it to a newer IOS software release. However it never came back up after the update, and upon reboot the 3 status lights show red, green, red, which apparently means there is 'no cisco IOS image file'. Is there a way to recover from this error? It has a RJ45 style console port, can I use thi to recover?
Got it sorted, managed to find the manual which goes through this in it's entirety!
-
IOS 12.4(15)XW not available from Cisco Web site
Can anyone please tell me why this version is not available from Cisco Web site as I am trying to download it to test on a cisco 2851 series router .The documnet below in page 7 & 10 describe the requirement for this version. What is the replacement version for this if that is not available?
Well, maybe I am missing something but I do not see a 12.4(15)XW release on CCO for the 2851 platform. I see references to it in documentation but I don't see actual release notes or a download link. So, where exactly did you see this particular version for this platform?
Based on the PDF provided by the OP I think he is trying to add a fax module. In the PDF it is stated a few times that you can use 12.4(15)XW or 12.4(20)T. What this basically means is that these are minimum IOS version levels that you need to use that module. You would not want to run the minimum in most cases because software defects are abundant and seem to be endless. IOS release trains are somewhat over complicated in my opinion but here is my quick take. The XW is a early deployment release. These releases are "one offs". Usually added to incorporate a new piece of hardware. Sometime after these releases come out (again, to get the product to market) the code is incorporated in a T-train (in this case, 12.4(20)T). The idea is that the T-train code is used to introduce features/hardware/etc. that will be rolled into the next main-line release (in our world that is 15.0).
Back to your issue. I can't find 12.4(15)XW but apparently p.bevilacqua has been able to find it. Maybe he would be willing to provide the link. If that doesn't pan out, I suggest that you look at releases after 12.4(20)T (including the latest service release for 12.4(20)T). They go up to 12.4(24)T. T-trains are touchy so you have to do your research and testing. I have had decent success with 12.4(20)T until recently (MGCP and T.38 fax, no joy). I have also used 12.4(24)T with OK success thus far. I know that p. bevilacqua doesn't like the 12.4T train "because its buggy". My opinion is all of this software is buggy. You have to identify the minimum release that will work with your hardware. Go to the latest minor/service release and research the bug toolkit. Oh, and always test.
OK. Down the rabbit hole I go.
HTH.
Regards,
Bill
Please remember to rate helpful posts. -
One computer at COMPANY-A is attempting to communicate with two
computers located at COMPANY-B, via an IPsec tunnel between the
two companies.
All communications are via TCP protocol.
All devices present public IP addresses to one another, although they
may have RFC 1918 addresses on other interfaces, and NAT may be in use
on the COMPANY-B side. (NAT is not being used on the COMPANY-A side.)
The players:(Note: first three octets have been changed for security reasons)
COMPANY-A computer 1.2.3.161
COMPANY-A router 1.2.3.8 (also IPsec peer)
COMPANY-A has 1.2.3.0/24 with no subnetting.
COMPANY-B router 4.5.6.228 (also IPsec peer)
COMPANY-B computer #1 4.5.7.94 (this one has no issues)
COMPANY-B computer #2 4.5.7.29 (this one fails)
COMPANY-B has 4.5.6.0/23 subnetted in various ways.
COMPANY-B also has 9.10.11.0/24, but it is not involved in the issue.
What works:
The COMPANY-A computer 1.2.3.161 can communicate via the single IPsec
tunnel to COMPANY-B computer #1 4.5.7.94 without problems.
The "show crypto session detail" command shows Inbound/Outbound packets
flowing in the dec'ed and enc'ed positions.
What doesn't:
When the COMPANY-A computer 1.2.3.161 attempts to communicate
via the single IPsec tunnel with the COMPANY-B computer #2 4.5.7.29,
the COMPANY-A router eventually reports five of these messages:
Oct 9 15:24:54.327: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Oct 9 15:24:57.327: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Oct 9 15:25:03.327: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Oct 9 15:25:15.328: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Oct 9 15:25:39.329: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Oct 9 15:26:27.328: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
and the "show crypto session detail" shows inbound packets being dropped.
The COMPANY-A computer that opens the TCP connection never gets past the
SYN_SENT phase of the TCP connection whan trying to communicate with the
COMPANY-B computer #2, and the repeated error messages are the retries of
the SYN packet.
On the COMPANY-A side, this IPsec configuration has been set up on a 3745,
a 3725, and some 76xx routers were tried, all with similar behavior,
with packets from one far-end computer passing fine, and packets from
another far-end computer in the same netblock passing through the same
IPsec tunnel failing with the "failed SA identity" error.
The COMPANY-A computer directs all packets headed to COMPANY-B via the
COMPANY-A router at 1.2.3.8 with this set of route settings:
netstat -r -n
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
4.5.7.0 1.2.3.8 255.255.255.0 UG 0 0 0 eth3
1.2.3.8.0 0.0.0.0 255.255.255.0 U 0 0 0 eth3
10.1.0.0 0.0.0.0 255.255.240.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth3
10.0.0.0 10.1.1.1 255.0.0.0 UG 0 0 0 eth0
0.0.0.0 1.2.3.1 0.0.0.0 UG 0 0 0 eth3
The first route line shown is selected for access to both COMPANY-B computers.
The COMPANY-A router (IPsec tunnel endpoint, 1.2.3.8) has this
configuration:
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key XXXXXXXXXXXXXXXXXXXXXXX address 4.5.6.228
crypto ipsec security-association lifetime seconds 86400
crypto ipsec transform-set COMPANY-B01 esp-3des esp-sha-hmac
crypto map COMPANY-BMAP1 10 ipsec-isakmp
description COMPANY-B VPN
set peer 4.5.6.228
set transform-set COMPANY-B01
set pfs group2
match address 190
interface FastEthernet0/0
ip address 1.2.3.8 255.255.255.0
no ip redirects
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
crypto map COMPANY-BMAP1
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 1.2.3.1
ip route 10.0.0.0 255.0.0.0 10.1.1.1
ip route 1.2.3.8.0 255.255.255.0 FastEthernet0/0
access-list 190 permit ip host 1.2.3.161 4.5.7.0 0.0.0.255
access-list 190 permit ip host 1.2.3.161 9.10.11.0 0.0.0.255
bridge 1 protocol ieee
One of the routers tried had this IOS/hardware configuration:
Cisco IOS Software, 3700 Software (C3725-ADVIPSERVICESK9-M), Version 12.4(25c),
RELEASE SOFTWARE (fc2)
isco 3725 (R7000) processor (revision 0.1) with 115712K/15360K bytes of memory.
Processor board ID XXXXXXXXXXXXXXX
R7000 CPU at 240MHz, Implementation 39, Rev 3.3, 256KB L2 Cache
2 FastEthernet interfaces
4 ATM interfaces
DRAM configuration is 64 bits wide with parity disabled.
55K bytes of NVRAM.
31296K bytes of ATA System CompactFlash (Read/Write)
250368K bytes of ATA Slot0 CompactFlash (Read/Write)
Configuration register is 0x2102
#show crypto sess
Crypto session current status
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 4.5.6.228 port 500
IKE SA: local 1.2.3.8/500 remote 4.5.6.228/500 Active
IPSEC FLOW: permit ip host 1.2.3.161 4.5.7.0/255.255.255.0
Active SAs: 2, origin: crypto map
IPSEC FLOW: permit ip host 1.2.3.161 9.10.11.0/255.255.255.0
Active SAs: 0, origin: crypto map
#show crypto sess det
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 4.5.6.228 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 4.5.6.228
Desc: (none)
IKE SA: local 1.2.3.8/500 remote 4.5.6.228/500 Active
Capabilities:(none) connid:1 lifetime:06:26:27
IPSEC FLOW: permit ip host 1.2.3.161 4.5.7.0/255.255.255.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 651 drop 16 life (KB/Sec) 4496182/23178
Outbound: #pkts enc'ed 574 drop 2 life (KB/Sec) 4496279/23178
IPSEC FLOW: permit ip host 1.2.3.161 9.10.11.0/255.255.255.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
The COMPANY-B device on their end of the IPsec VPN is a Juniper SSG1000
Version 6.1 (ScreenOS)
We only have a limited view into the Juniper device configuration.
What we were allowed to see was:
COMPANY-B-ROUTER(M)-> sh config | incl COMPANY-A
set address "Untrust" "oss-COMPANY-A-1.2.3.161" 1.2.3.161 255.255.255.255
set ike gateway "COMPANY-A-1-GW" address 1.2.3.8 Main outgoing-interface "ethernet2/1" preshare xxxxxxxxxxxxxxxxxxxxxx proposal "pre-g2-3des-sha"
set vpn "COMPANY-A-1-IKE" gateway "COMPANY-A-1-GW" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha-28800"
set policy id 2539 from "Untrust" to "Trust" "oss-COMPANY-A-1.2.3.161" "9.10.11.0-24" "ANY" tunnel vpn "COMPANY-A-1-IKE" id 0x309a pair-policy 2500
set policy id 2500 from "Trust" to "Untrust" "9.10.11.0-24" "oss-COMPANY-A-1.2.3.161" "ANY" tunnel vpn "COMPANY-A-1-IKE" id 0x309a pair-policy 2539
set policy id 2541 from "Trust" to "Untrust" "4.5.7.0-24" "oss-COMPANY-A-1.2.3.161" "ANY" tunnel vpn "COMPANY-A-1-IKE" id 0x309b pair-policy 2540
set policy id 2540 from "Untrust" to "Trust" "oss-COMPANY-A-1.2.3.161" "4.5.7.0-24" "ANY" tunnel vpn "COMPANY-A-1-IKE" id 0x309b pair-policy 2541
COMPANY-B-ROUTER(M)->
I suspect that this curious issue is due to a configuration setting on the
Juniper device, but neither party has seen this error before. COMPANY-B
operates thousands of IPsec VPNs and they report that this is a new error
for them too. The behavior that allows traffic from one IP address to
work and traffic from another to end up getting this error is also unique.
As only the Cisco side emits any error message at all, this is the only
clue we have as to what is going on, even if this isn't actually an IOS
problem.
What we are looking for is a description of exactly what the Cisco
IOS error message:
IPSEC(epa_des_crypt): decrypted packet failed SA identity check
is complaining about, and if there are any known causes of the behavior
described that occur when running IPsec between Cisco IOS and a Juniper
SSG device. Google reports many other incidents of the same error
message (but not the "I like that IP address but hate this one" behavior),
and not just with a Juniper device on the COMPANY-B end, but for those cases,
not one was found where the solution was described.
It is hoped that with a better explanation of the error message
and any known issues with Juniper configuration settings causing
this error, we can have COMPANY-B make adjustments to their device.
Or, if there is a setting change needed on the COMPANY-A router,
that can also be implemented.
Thanks in advance for your time in reading this, and any ideas.Hello Harish,
It is believed that:
COMPANY-B computer #1 4.5.7.94 (this one has no issues)
COMPANY-B computer #2 4.5.7.29 (this one fails)
both have at least two network interfaces, one with a public IP address
(which we are supposedly conversing with) and one with a RFC 1918 type
address. COMPANY-B is reluctant to disclose details of their network or
servers setup, so this is not 100% certain.
Because of that uncertainty, it occurred to me that perhaps COMPANY-B
computer #2 might be incorrectly routing via the RFC 1918 interface.
In theory, such packets should have been blocked by the access-list on both
COMPANY-A router, and should not have even made it into the IPsec VPN
if the Juniper access settings work as it appears they should. So I turned up
debugging on COMPANY-A router so that I could see the encrypted and
decrypted packet hex dumps.
I then hand-disassembled the decoded ACK packet IP header received just
prior to the "decrypted packet failed SA check" error being emitted and
found the expected source and destination IP addresses (4.5.7.29 and 1.2.3.161),
in the unecapsulated packet. I also found the expected port numbers of the TCP
conversation that was trying to be established in the TCP header. So, it
looks like COMPANY-B computer #2 is emitting the packets out the right
interface.
The IP packet header of the encrypted packet showed the IP addresses of the
two routers at each terminus of the IPsec VPN, but since I don't know what triggers
the "SA check" error message or what it is complaining about, I don't know what
other clues to look for in the packet dumps.
As to your second question, "can you check whether both encapsulation and
decapsulation happening in 'show crypto ipsec sa'", the enc'ed/dec'ed
counters were both going up by the correct quantities. When communicating
with the uncooperative COMPANY-B computer #2, you would also see the
received Drop increment for each packet decrypted. When communicating
with the working COMPANY-B computer #1, the Drop counters would not
increment, and the enc'ed/dec'ed would both increment.
#show crypto sess det
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 4.5.6.228 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 4.5.6.228
Desc: (none)
IKE SA: local 1.2.3.8/500 remote 4.5.6.228/500 Active
Capabilities:(none) connid:1 lifetime:07:59:54
IPSEC FLOW: permit ip host 1.2.3.161 4.5.7.0/255.255.255.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 376 drop 5 life (KB/Sec) 4458308/28784
Outbound: #pkts enc'ed 401 drop 3 life (KB/Sec) 4458308/28784
Attempt a TCP communication to COMPANY-B computer #2...
show crypto sess det
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 4.5.6.228 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 4.5.6.228
Desc: (none)
IKE SA: local 1.2.3.8/500 remote 4.5.6.228/500 Active
Capabilities:(none) connid:1 lifetime:07:59:23
IPSEC FLOW: permit ip host 1.2.3.161 4.5.7.0/255.255.255.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 376 drop 6 life (KB/Sec) 4458307/28753
Outbound: #pkts enc'ed 402 drop 3 life (KB/Sec) 4458307/28753
Note Inbound "drop" changed from 5 to 6. (I didn't let it sit for all
the retries.)
#show crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: COMPANY-BMAP1, local addr 1.2.3.8
protected vrf: (none)
local ident (addr/mask/prot/port): (1.2.3.161/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (4.5.7.0/255.255.255.0/0/0)
current_peer 4.5.6.228 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 402, #pkts encrypt: 402, #pkts digest: 402
#pkts decaps: 376, #pkts decrypt: 376, #pkts verify: 376
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 3, #recv errors 6
local crypto endpt.: 1.2.3.8, remote crypto endpt.: 4.5.6.228
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xDF2CC59C(3744253340)
inbound esp sas:
spi: 0xD9D2EBBB(3654478779)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2004, flow_id: SW:4, crypto map: COMPANY-BMAP1
sa timing: remaining key lifetime (k/sec): (4458307/28600)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xDF2CC59C(3744253340)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2003, flow_id: SW:3, crypto map: COMPANY-BMAP1
sa timing: remaining key lifetime (k/sec): (4458307/28600)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
The "send" errors appear to be related to the tunnel reverting to a
DOWN state after periods of inactivity, and you appear to get one
each time the tunnel has to be re-negotiated and returned to
an ACTIVE state. There is no relationship between Send errors
incrementing and working/non-working TCP conversations to the
two COMPANY-B servers.
Thanks for pondering this very odd behavior. -
Capture packet / ip logging
What is the best way to capture packets as well as display them for signatures.
I need to see the packets that cuase the ICMP hard DoS sig 2157 to fire. From the Cisco IDS Install and Configuration guide version 4.x it talks about enabling packet capture to true as well as Event action, but no clear instructions on which to use or if both need to be configured.If you want to capture the packets that caused the signature to fire, then you must enable the "log" option as the EventAction in the signature. When the IDS detects an attack based on this signature, it creates an IP log.
There is also an "IP logging" feature in the IDS that is used to capture the packets for a duration of time. This capture is time or size (bytes) based and is not based on signature. -
DHCP issue on Cisco IOS router
Hi experts,
I recently got complaints that some clients can't get IP address through the DHCP server configured on a Cisco IOS router. I turned on debugging on DHCP events and packets and I see the following logs.
Mar 22 15:33:41: DHCPD: DHCPREQUEST received from client 0100.1b63.f246.8c.
Mar 22 15:33:41: DHCPD: Finding a relay for client 0100.1b63.f246.8c on interface FastEthernet1/0.10.
Mar 22 15:33:41: DHCPD: Seeing if there is an internally specified pool class:
Mar 22 15:33:41: DHCPD: htype 1 chaddr 001b.63f2.468c
Mar 22 15:33:41: DHCPD: remote id 020a0000cf6050011000000a
Mar 22 15:33:41: DHCPD: circuit id 00000000
Mar 22 15:34:02: DHCPD: DHCPREQUEST received from client 0100.1b63.f246.8c.
Mar 22 15:34:02: DHCPD: Finding a relay for client 0100.1b63.f246.8c on interface FastEthernet1/0.10.
Mar 22 15:34:02: DHCPD: Seeing if there is an internally specified pool class:
Mar 22 15:34:02: DHCPD: htype 1 chaddr 001b.63f2.468c
Mar 22 15:34:02: DHCPD: remote id 020a0000cf6050011000000a
Mar 22 15:34:02: DHCPD: circuit id 00000000
Then it will repeat and repeat for this MAC. Any reason why the router is not assigning an IP to it? It actually happens to some other MACs as well... They are from different vendors and located on different switches... I can't really find a pattern for this problem... The DHCP pool hasn't run out and it still has available IPs in it.
ThanksHi Alain, thanks for quick reply. The followings contain the output that you required. I hided the prefix of the IP with a.b.c. Thanks!
interface FastEthernet1/0.10
description : DHCP for EXHIBITION VLAN
encapsulation dot1Q 10
ip address a.b.c.1 255.255.255.128
no ip redirects
no ip unreachables
no ip proxy-arp
end
r#sh ip dhcp pool
Pool EXHIBIT :
Utilization mark (high/low) : 100 / 0
Subnet size (first/next) : 0 / 0
Total addresses : 126
Leased addresses : 47
Pending event : none
1 subnet is currently in the pool :
Current index IP address range Leased addresses
a.b.c.118 a.b.c.1 - a.b.c.126 47
#sh run | in/be dhcp
no ip dhcp use vrf connected
ip dhcp excluded-address a.b.c.1 a.b.c.11
ip dhcp excluded-address a.b.c.126
ip dhcp excluded-address a.b.c.100 a.b.c.101
ip dhcp excluded-address a.b.c.51
ip dhcp pool EXHIBIT
network a.b.c.0 255.255.255.128
default-router a.b.c.1
dns-server 207.172.3.8 207.172.3.9
domain-name xyz.com
#sh ip dhcp binding
Bindings from all pools not associated with VRF:
IP address Client-ID/ Lease expiration Type
Hardware address/
User name
a.b.c.19 0168.7f74.6260.9b Mar 23 2011 01:56 PM Automatic
a.b.c.52 0100.4854.897d.17 Mar 23 2011 12:53 PM Automatic
a.b.c.56 0100.4063.e7b5.b2 Mar 23 2011 03:33 PM Automatic
a.b.c.57 0100.1b63.f246.8c Mar 23 2011 03:34 PM Automatic
a.b.c.68 015c.5948.0b97.d6 Mar 22 2011 05:59 PM Automatic
a.b.c.69 0168.7f74.626d.67 Mar 23 2011 07:07 AM Automatic
a.b.c.70 0198.fc11.5027.1d Mar 22 2011 07:04 PM Automatic
a.b.c.71 01dc.2b61.04ba.af Mar 22 2011 10:26 PM Automatic
a.b.c.72 017c.c537.58e6.64 Mar 22 2011 08:37 PM Automatic
a.b.c.73 017c.6d62.3303.57 Mar 23 2011 03:54 AM Automatic
a.b.c.74 0124.ab81.cda4.68 Mar 23 2011 05:01 AM Automatic
a.b.c.75 0100.1e52.8f11.a5 Mar 23 2011 02:47 PM Automatic
a.b.c.76 0100.264a.5fc8.e3 Mar 23 2011 07:13 AM Automatic
a.b.c.77 017c.6d62.38cd.40 Mar 23 2011 02:06 PM Automatic
a.b.c.78 0100.1d4f.f647.79 Mar 23 2011 02:37 PM Automatic
a.b.c.79 0100.26b0.8637.3d Mar 23 2011 01:16 PM Automatic
a.b.c.81 0130.694b.e9de.82 Mar 23 2011 03:19 PM Automatic
a.b.c.82 0100.21e9.6864.80 Mar 23 2011 12:04 PM Automatic
a.b.c.83 0124.ab81.63e6.b5 Mar 23 2011 09:38 AM Automatic
a.b.c.84 0100.16b6.0455.c2 Mar 23 2011 09:42 AM Automatic
a.b.c.85 0100.1302.4c96.9e Mar 23 2011 09:49 AM Automatic
a.b.c.86 0140.a6d9.741c.e0 Mar 23 2011 12:12 PM Automatic
a.b.c.87 0100.264a.b8e9.50 Mar 23 2011 10:16 AM Automatic
a.b.c.88 0140.a6d9.4911.67 Mar 23 2011 03:19 PM Automatic
a.b.c.89 013c.7437.1e32.96 Mar 23 2011 10:27 AM Automatic
a.b.c.90 01d8.3062.689c.4b Mar 23 2011 11:55 AM Automatic
a.b.c.91 0158.946b.4df8.bc Mar 23 2011 10:49 AM Automatic
a.b.c.92 0100.2215.7368.26 Mar 23 2011 10:23 AM Automatic
a.b.c.93 0100.23df.76ea.90 Mar 23 2011 02:33 PM Automatic
a.b.c.94 0124.ab81.708d.83 Mar 23 2011 03:58 PM Automatic
a.b.c.95 0100.1cb3.163d.5a Mar 23 2011 03:13 PM Automatic
a.b.c.96 01cc.08e0.2aeb.96 Mar 23 2011 01:27 PM Automatic
a.b.c.97 0188.c663.d0d0.55 Mar 23 2011 01:57 PM Automatic
a.b.c.98 0100.1b77.08bb.89 Mar 23 2011 01:15 PM Automatic
a.b.c.99 0100.1ec2.47d7.19 Mar 23 2011 12:43 PM Automatic
a.b.c.102 0100.1310.8e74.78 Mar 23 2011 12:41 PM Automatic
a.b.c.103 0100.24d6.58b0.82 Mar 23 2011 01:44 PM Automatic
a.b.c.104 0100.2608.7df2.68 Mar 23 2011 03:23 PM Automatic
a.b.c.106 01c8.bcc8.1a86.41 Mar 23 2011 03:56 PM Automatic
a.b.c.107 01a4.6706.1e54.94 Mar 23 2011 04:08 PM Automatic
a.b.c.108 017c.c537.46ac.0e Mar 23 2011 02:41 PM Automatic
a.b.c.111 0100.037f.0ea2.19 Mar 23 2011 02:47 PM Automatic
a.b.c.112 01d8.3062.75c5.9c Mar 23 2011 03:33 PM Automatic
a.b.c.113 0021.9116.449e Mar 23 2011 03:36 PM Automatic
a.b.c.114 0100.1ff3.46d9.a9 Mar 23 2011 03:40 PM Automatic
a.b.c.116 0104.1e64.4a0d.a3 Mar 23 2011 04:21 PM Automatic
a.b.c.117 0190.27e4.4ae8.94 Mar 23 2011 04:24 PM Automatic
Thanks! -
Unable to capture packets on ASA(ASDM)
Hi all,
We have site to site VPN connection to one of our client. From which we both are accessing our applications and other resources. Now client needs to acccess two of our internal server. So we have created Static NAT in our ASA. For one server they are accessing without any issues. But the other server they are not able to connect. Since its vpn tunnel we havent blocked any ports and its open to all traffic. But their side they have restricted and we need to see whether the packets hitting our ASA or not. Once we observes this, its easy for us to escalate them. I tried packet capture wizard in ASDM. But its not showing anything. Can anyone tell me how to capture packets realated to Static NAT. Please let me know if you want anyother details?
local 20.0.0.0/24 -->this will get natted to --->12.0.6.0/24 when going in for tunnel
we have created
static(outside,inside) 12.0.6.10 20.0.0.10 255.255.255.255 working
static(outside,inside) 12.0.6.11 20.0.0.11 255.255.255.255 not working, we need to check whether its hitting 12.0.6.11
Kindly advise...
Regards,
BalaWhere are you trying to initiate the connection from?
If they are trying to initiate the connection towards your end, and the traffic doesn't reach your end, then there will be nothing on your ASA packet capture.
Please share what you have configured to capture the traffic?
To check if the traffic is reaching the inside interface, just configure ACL between source (real IP) and destination (remote IP), and apply the capture on the inside interface. This will confirm if the traffic is coming inbound towards the inside interface.
To check if the traffic is leaving the inside interface towards the host behind your ASA, configure ACL between source (remote IP), and destination (host real IP), and apply the capture on the inside interface. This will confirm if the traffic is leaving your ASA inside interface towards the host. -
Basic questions about CISCO IOS
Hi everybody, Jack here,
I have some basic questions about the Cisco IOS, could someone help me addressing some of them please? Any feedback would be greatly appreciated.
Basically, I have two IP addresses assigned by our Cable ISP. From what I understood you can configure a Cisco router for multiple IP addresses using the IOS, thereby allowing someone like myself to take advantage of having multiple IP addresses. This may seem unnecessary to some, but I've always wanted to put the 2nd IP address to use, since after all, I've been paying for it.
I was just wondering if someone could confirm that what I'm hoping to accomplish is indeed within the capability of the Cisco IOS (i.e. Fully utilize my 2 IP addresses). As well, if someone could kindly suggest a decent CISCO router for online gaming home use that would be super awesome!
Thank you all so much for reading through the wall of text:)
JackJack
Certainly using multiple IP addresses is in the capability of Cisco IOS routers. How they can be used depends on the relationship of the IP addresses. I am assuming that we are talking about IP addresses assigned for the user to use and that the IP address for the ISP connection is not one of these that we are talking about.
If both of the IP addresses that you have been assigned are within the same subnet then you would assign one of the addresses to the router interface to establish IP communication between the router and the ISP and to enable Internet connectivity for the devices inside your network that will use the router as their gateway to the Internet. The other address that is assigned can be used for address translation and in particular for static address translation which would make one of your devices inside to be reachable for connections initiated from the Internet (if that is something that you might want to do).
If the addresses that are assigned to you are in different subnets then you could assign one address to the outside router interface and assign the other address to the router inside interface. Or you could use the second address for address translation.
I do not have much expertise with online gaming, but I would think that either the Cisco 881 router or the 890 router might be appropriate for you. If 100 Mb connection is sufficient then probably the 881 would be the one to look at. If you need Gig connection then look at the 890.
HTH
Rick -
Cisco IOS based IPS Services Licensing Query
Hi Experts,
We have a Cisco 3945 router at one of our location. Our requirement is to enable the IOS based IPS engine within in the router and would like to load new signature files from cisco website to the router. But i am not much familiar with the licensing part. show version and show ip ips license output has been attached for the reference. Following are my queries.
1) Is this platform and IOS is capable for enabling IPS Engine?
2) Is there any extra IPS Services Contract is required (other than the smartnet Coverage) for this router to enable IPS engine and to load new IPS Signature files from Cisco?
Advanced Thanks and Regards,
Sihanu N1) Is this platform and IOS is capable for enabling IPS Engine?
Yes, it is (3945 with a security IOS image will be able to do it)
2)Is there any extra IPS Services Contract is required (other than the smartnet Coverage) for this router to enable IPS engine and to load new IPS Signature files from Cisco?
No, you are good to go.
I will write a future articule about how to enable this feature on an IOS router so stay tune in my website at http:laguiadelnetworking.com for further information as I will cover all of the details,
Cheers,
Julio Carvajal Segura -
Configure Cisco Mediatrace, Cisco IOS IP SLA, and Performance Monitoring
Hi all,
I am implementing Cisco Prime Collaboration to monitor the quality of the VoIP call.
I am following all the steps that I have to do to accomplish this task at this link:
http://docwiki.cisco.com/wiki/Setting_up_Devices_for_Prime_Collaboration_Assurance#Configuring_Unified_Contact_Center_Enterprise_Devices
And now I am arrived on this step:
Configure Cisco Mediatrace, Cisco IOS IP SLA, and Performance Monitoring
Not all the Cisco devices that I have on the network are "Mediatrace, IP SLA and Performance Monitoring" capabilities. The core switch is one of them.
What will happen if some devices are configured with these capabilities and some are not?
Are the data provided from Cisco Collaboration still reliable?
Thanks in advance.
LuigiI can't see a reason why the 2 features won't work together. The 2 features will work just fine with each other.
Unfortunately there is no sample config with both feature in the same document, but it will work just fine.
Maybe you are looking for
-
ACS 5.3 Radius authentication with ASA and DACL
Hi, I am trying to do Radius authentication on the ACS 5.3 for VPN access (cisco client) using a downloadable ACL with AD identity Clients are connecting to an ASA 5510 with image asa843-K8.bin I followed the configuration example on the Cisco site,
-
Query Designer : change in charactristic
Hi Experts, I have changed long text and short text of one charactristic but it is not reflecting the new name in reports.when i checked it in query designer on the left hand side under Dimensions it is showing me the new name but in Free charactrist
-
Hi, I am using SAPUI5 I installed it from following path The toolset can be downloaded from the SAP Service Marketplace (SMP). Go to https://service.sap.com -> SAP Support Portal -> SAP Software Download Center -> Support Packages and Patches -> A -
-
Insert and edit screen shots in RH
I am using RoboHelp HTML 6 to write a help document which requires lot of images. I am reluctant about the imaging part as I really don't know what would be the best way to insert the images in RH. I have these options - Using Word or Paint of then R
-
Configure vps network with systemd-networkd
I got a vps and installed archlinux on it, but I can't get the network working using systemd-networkd. The mail from the provider have the ip address and gateway (in the rest of the post are redacted respectively 1.2.3.4 and 5.6.7.8), and a note to r