Router Dropping Traffic

Similar Messages

• Mountain Lion Server VPN unable to route internet traffic

  Hi! I have set up a VPN server on my home network specifically so that I could connect via a VPN client remotely and tunnel all internet traffic through my home network (It is a long story but I need to be able to access services that are specific to my home IP . . . ) I have been tearing my hair out trying to get it work but can not. The VPN connection happens OK and I can set up the remote client to send all traffic via VPN but any internet traffic just times out . . . In other words I can not get the server to share my home network via the VPN connection.

  Hi and thanks for taking the time to answer.
  As I am sure you have guessed I don't have much experience or knowledge with this. So I will try to clarify what I am trying to do.
  I do not need a VPN server for the conventional reasons of being able to access a private network (i.e my home network) remotely, although this is a nice additional benefit. I need the VPN server so that I can log in remotely (when I am using my mobile broadband or when I am overseas for example) and make it look like the machine I am using is on my home network.
  The reason for this is that I have access to web services that are IP specific. That is I can ONLY log in if I am logging in from my registered home IP (which is static for this exact reason).
  I have been told on similar support sites that if I route ALL traffic through the VPN, then when I use my browser on the remote machine all web traffic will go through the VPN as well and it will look like the traffic is coming from the subnet of my home IP.
  I guess in other words I am trying to use my VPN as an "anonymous" proxy (anonymous in the sense that although the traffic is coming form somewhere else, it still looks like it is coming from my home IP).
  I know this will cripple the speed due to the narrow upstream bandwidth but I am willing to pay this price.
  Now as for your questions:
  I have the server set up on a machine on my home subnet and I have enabled VPN port forwarding on the ADSL router.
  I know the connection happens as when I connect the VPN either from my iPhone using 4G or my laptop using my mobile broadband I get the "connecting . . . authenticating . . . connected" messages and when I check in properties it shows it to be connected to my home IP as VPN server and has an IP address that looks like it is on my home subnet.
  By internet traffic timing out I meant web traffic.
  As I mentioned above, I need all web traffic to go through the VPN. So indeed not ALL traffic but definitely ALL web traffic. The only way I could find to do this is to enable the "Send all traffic" option.
  Now I guess the obvious question is why am I not using a proxy. I have tried (and spent ages setting up Squid) but could never get it to "hide" the true origin of the traffic completely.
  Now having written all this, I reinstalled mountain lion and server yesterday (out of sheer frustration rather than anything else) and it seems to work this morning. So if I log in via VPN on my mobile or laptop and use an IP checker on the web it comes up with my home IP : ))
  The only thing I have now noticed is that if the VPN server stops working (which seems to be as soon as the computer I run it on goes to sleep) web traffic reverts to using the normal channels which is potentially problematic for me.
  So my questions now are -
  Any ideas what I was doing wrong in the first place?
  Any suggestions on how I could set this up better?
  Any way to set up the remote device so that it only allows web traffic via VPN (so that if the VPN connection drops, it is unable to use it's own internet connection for continuing web traffic)?
  Thanks for any suggestions : )
  Cheers

• SFR drops traffic when policy is out-of-date?

  Hi,
  We are evaluating a 5515X with FireSIGHT.
  I am routing a few guest networks through the lab ASA but are experiencing some strangeness :)
  Three times it has suddenly started dropping traffic, and I really can't pinpoint the reason..
  The things that I have noticed when I get the warning from our support staff, is that there are policies out-of-date on the ASA. (See att. img policy_out-of-date.png). And the when I apply the policies the traffic starts again..
  And when I look at the logs from the ASA the thing thats sticks out is the sudden spike of SYN Timeouts (See att. img syn_timouts.png).
  I have "Inspect traffic during policy apply = Yes", and I have read that this could stop the traffic "when applying" the policy. But should that really block traffic when the policy is out-of-date?
  Do you guys have any idea whats happening here, or noticed anything like this before?
  Is there a log that shows why the policy gets out-of-date?
  Regards Falk

  As far as getting the package in the repo updated as mentioned above it all depends on the maintainer for that particular package. What you can do to help is go to the homepage, search for the package and flag it as out of date. FYI this has already been done for mythtv.
  To upgrade on your own the best way to do it is start from the same PKGBUILD that is used to build the official package through abs. You can find all the info you need on the wiki page.
  Typically the PKGBUILDs in the AUR have some different functionality from the main version in the repo, and aren't usually what you are looking for if all you want is a version bump.
  It is usually best to remove your installed version before using a version from AUR. Most AUR PKGBUILDs will have conflicts (and provides) for other versions of the same package and thus pacman will give an error when trying to install it. If you are just bumping the version of the same package you will not need to remove it first.
  EDIT: You can use pacman -Rd to remove (and replace) a package if others depend on it.
  Last edited by quigybo (2010-06-18 04:51:24)

• Router drops connection

  Hi, I have a WRT300N that acts as a router/DHCP in a small home network. I have a p2p program, DC++, which requires port forwarding to work correctly. I have setup this in the router, port 1412 and the computer ip address to forward to. The problem is that the router drops connection to internet now and then, with 1-2 hrs. intervals which disconnects all hubs and downloads/uploads in DC++. Very annoying indeed. This has never happened with previous routers including a 3com and a Zyxel, so it has to be something with the WRT300N. What can cause this? I'm not sure what information to send with this message, so it's better if you tell me what you need. Thanks in advance, Mattias Sarling

  hi... try upgrading latest firmware on the router, go to www.linksys.com/download and download the latest firmware for the router, after upgrading firmware on the router, reset the router back to factory default settings and reconfigure it according to ISP settings, reduce MTU to 1458, try reducing connection on p2p program... also you can enable QoS to manage bandwidth.

• Wireless Bridge dropping traffic

  Hi,
  We have 2 x AIR-BR1310 setup with a point to point bridge between 2 offices, see below.
  Office2---Bridge2------Bridge1---Office1
  At random periods of the day the link drops and office1 is unable to contact office2. Upon further inspection the Bridges report that the wireless association is still active and this is confirmed as Bridge1 can still ping the BVI interface on Bridge2.
  I telneted to the console on Bridge2 and attempted to ping hosts in Office2, all ping attempts failed. The BVI and Fastethernet interfaces on Bridge2 are both up and there are no errors on the interfaces.
  To resolve the issue we have to perform a hard reboot on Bridge2, as soon as the bridge comes back up traffic passes as normal. We have tried rebooting the switches and Bridge1 but the network still drops traffic, its only when Bridge2 is rebooted that operation returns to normal.
  Any ideas?

  If the bridge link stays up, and you can get to the BVI interface, then this isn't a wireless problem. The problem should be on the other side of the radio interface.
  What do you have installed on the other side? Does the bridge connect directly to a switch? Can Bridge 2 ping its default-gateway?

• IPhone makes my wifi router drop it's signal

  When I drain my iPhone completly & plug it in to charge (USB wall charger not USB port on laptop), after the 5-10 mins with the red lightening screen when the phone comes back on my wifi router drops it's signal, this has been happening for a while now so I got into the habit of turning wifi off on iPhone just before it was due to completly die so when it came back on the router didn't drop it's signal & it wasn't that much of a problem doing this once a week.
  However things are getting worse now, if I leave my house & my wifi is on, when I return home it's doing the same thing & making the router drop out. I can't be messing around turning wifi on & off everytime I return home.
  I have also just had to reset my iPhone & once again when it turned back on the router dropped out.
  Anyone any idea why it's doing this & how to stop it other than turning wifi on & off?

  Thanks for that, just checked & I'm running the latest firmware version already
  for info it's a Belkin wireless G plus router, model number FSD7231-4 version 1212uk

• RV042 - Priority Routing HTTP Traffic Over WAN2?

  Hi,
  I have an RV042 set to load balancing.  WAN1 is a T1 and WAN2 is an ADSL connection.  It seems that more often than not web traffic is going out over the slower WAN1, so I'd like to try to route http traffic over the ADSL before the T1 due to the higher download speed.
  Is there a way to do this?
  Thanks!

  blasty,
  Yes it is possible. It is called protocol binding, and the configuration steps for this can be found on page 23 of this guide:
  http://www.cisco.com/en/US/docs/routers/csbr/rv042/admin/guide/RV042_V10_UG_C-WEB.pdf
  If you have any problems please post them in as much detail as possible.
  Bill

• Can OS X Server 10.6 reverse proxy be setup to route port traffic 5003 (FileMaker Server) to 2 seperate servers (FM 11 and FM 12)?

  Can OS X Server 10.6 reverse proxy be setup to route port traffic 5003 (FileMaker Server) to 2 seperate servers (FM 11 and FM 12)?

  In your scenario, how is the 'OS X 10.6 Server' supposed to identify which FM machine to proxy the connection to?
  The FM client uses a proprietary protocol, so it's not something simple like HTTP.  Off hand I don't know of any way the server can accept arbitrary connections on port 5003 and know which FM server to relay it to.
  Two options come to mind. One is to nix the OS 10.6 Server altogether - I don't understand this machine's purpose in your network - the second is to setup different ports on the OS X 10.6 Server machine and map each port to a different FM server, e.g. 5003 -> FM11, 5004 -> FM12, then you configure the remote client to connect to a different port number based on the server they want to connect to. I haven't used FM client in a long time to know if this is supported on the client side, but I'm guessing it is.
  Either way, using a proprietary protocol, there's no way for the proxy machine to be able to filter the traffic on any given ports.

• Router dropping fairytale...

  Once apon a time...There was a Befsw1134v4 router who gave good connection for 3 years straight. Then one day it decided to drop my connection (To all my wireless and wired equipment hooked up to the router) every 2 hours, then 1 hour and 30 minutes, then 1 hour and 20 minutes. Till finally it decided to drop my connection to the main computer(Which has never happened and only started a few days ago) and all other computers and did not come back unless you did a power cycle. And the angry man lived angrily every day.
                                                           The End
  hope you enjoyed the story but to break it down I'd like to know why my router drops the connection(if it is the router), and why know all of a sudden when ever my connection drops know it takes every computer with it(including the main one which has everything hooked up to it.
  If more detail is necessary just let me know and any help or comments and thank for in advance.

  There are several things that can cause a working router to suddenly start dropping connections.
  The most common cause is using peer-to-peer (P2P) software.  If you are using any P2P programs, open the programs, and reduce the number of connections that the software is making.
  Another cause is running an unsecured network.  If your network is unsecured, your neighbors may be running P2P programs over your router.  In this case, secure your router.
  Another cause is problems with electrical noise.  Routers seem to be sensitive to electrical noise and surges.   To protect your router, keep it connected to a good quality surge suppressor with RFI/EMI filtering, such as the Belkin Gold Series.  A surge suppressor alone is not enough, because it does not stop anything less than 330 volts.
  If these are not your problem, upgrade your router to the latest firmware, and see if that fixes the problem.

• Routing VLAN traffic

  Is it possible to route VLAN traffic?
  We have two buildings, each with several Catalyst 2950s and a 2651 router hosting several VLANS.
  Can we connect the 2651s together and expand the VLANs into the other building?

  HI
  Can u give info about how these two buildings are connected to each-other.and as far routing in concerned u can configure sub-interfaces under u r physical inteface on u r router.Are this 2950's connected in 2651,if they how r u r vlans spread.r u using any sort of vtp.if u r 2950's are connected to 2651 then u can go for sub-interfaces per vlan.
  for example if u r having 3 vlans then u can configure the the physical interface on u r router as
  interface f0/0.1
  encapsulation dot1q 1
  ip address 192.168.1.1 255.255.255.0
  and so on
  Thanks
  Mahmood

• Cisco Ace asymetric routing - DNS traffic

  Hi,
  I am wondering if Ace supports asymetric routing.
  In my setup Ace is connected to router with two transit L3 interface. Interface on the router side belongs to different VRFs (e.g. VRF-A & VRF-B). Router is running MPLS in order to connect to internet-border gateway router then to internet.
  Now issue is Ace got the default route with the next hop as the router's interface in VRF-A. However the server's subnet (SVI on Ace) is advertised on router in VRF-B.
  So the outbound traffic(DNS query) from servers to internet takes the default route with next hop of router's int in VRF-A and inbound traffic (DNS response) comes back via MPLS using the VRF-B. That is because server's subnet is just advertised in VRF-B so remote internet broder-gateway will see the server's subnet with route-target applied to it in VRF-B.
  When I enabled the reverse-path forwarding on the transit interface I could clearly see in the Ace logs that DNS response is getting dropped on the ace. I have evn removed the reverse-path forwarding(nothing in the logs - but DNS response from internet still cant reach the servers). I think logically its still asymetrical routing from Ace's point of view but not sure.
  Please can anyone confirm the solution to this issue. I am thinking if I advertise server's subnet in VRF-A as well then it will be symterical routing but not 100% sure if it will fix it.
  So just wondering if there are any other options advisable ?
  Thanks

  Is it not possible to have a host route added to the destination server ? This would allow the traffic to be routed back the same way it came and thus the connection work ?
  Try adding a static route onto the destination server along the lines of ...
  route add [source address of server] mask 255.255.255.255 [IP address of ACE interface]
  This would cause the traffic to be routed between the two hosts via the ACE module which is good because the ACE is acting as a router between the two network segments.
  That's just what I would do but I understand that it may not be the option you want.
  Good luck

• Autoroute Announce is dropping traffic

  I'm running 15.3(3)S on a group of three ME3600X switches and I'm having some issues testing autoroute announce. I've built a tunnel from one of my ME3600X switches to a remote router and the tunnel is up and accepts traffic from the local switch:
  P2P TUNNELS/LSPs:
  TUNNEL NAME                     DESTINATION     UP IF     DOWN IF   STATE/PROT
  me3600-4.lab_to_cr3_lab         10.10.8.3     -         Vl100     up/up    
  ME3600X-4.lab#ping 10.10.8.3
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 10.10.8.3, timeout is 2 seconds:
  Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
  ME3600X-4.lab#sh int tun1 | inc pack
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
       0 packets input, 0 bytes, 0 no buffer
       5 packets output, 520 bytes, 0 underruns
  However, as soon as I add 'tunnel mpls traffic-eng autoroute announce' to the tunnel configuration, IP traffic to destinations that are preferred through the tunnel drop from anywhere behind this ME3600:
  ME3600X-4.lab#sh ip route 10.10.8.11
  Routing entry for 10.10.8.11/32
  Known via "isis", distance 115, metric 600, type level-2
  Redistributing via isis lab-test
  Last update from 10.10.8.3 on Tunnel1, 00:10:06 ago
  Routing Descriptor Blocks:
  * 172.16.24.149, from 10.10.8.11, 00:10:06 ago, via Vlan100
       Route metric is 600, traffic share count is 1
     10.10.8.3, from 10.10.8.11, 00:10:06 ago, via Tunnel1
       Route metric is 600, traffic share count is 1
  Here's a ping from a switch behind the ingress ME3600:
  ME3600X-1.lab#ping 10.10.8.11
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 10.10.8.11, timeout is 2 seconds:
  Success rate is 0 percent (0/5)
  Traffic is not making it into the tunnel at all, according to the tunnel stats, unless I ping from the ingress ME3600 switch:
  ME3600X-4.lab#sh int tun1 | inc pack
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
       0 packets input, 0 bytes, 0 no buffer
       0 packets output, 0 bytes, 0 underruns
  Traceroutes show the traffic dying at the ingress switch and packet captures on the upstream link from the ingress switch show no packets, plain IP or otherwise, exiting its upstream interface:
  ME3600X-1.lab#traceroute 10.10.8.11
  Type escape sequence to abort.
  Tracing the route to 10.10.8.11
  VRF info: (vrf in name/id, vrf out name/id)
  1 172.16.32.1 [MPLS: Label 27 Exp 0] 0 msec 0 msec 0 msec
  2 * * *
  3
  I'm just wondering what it is I'm doing wrong, it has to be something simple. A cluebat upside the head would be much appreciated. Here's the relevant config of the ingress switch:
  ME3600X-4.lab#sh run int vl100
  Building configuration...
  Current configuration : 223 bytes
  interface Vlan100
  mtu 9000
  ip address 172.16.24.150 255.255.255.252
  ip mtu 1500
  ip router isis lab-test
  mpls ip
  mpls traffic-eng tunnels
  isis circuit-type level-2-only
  isis metric 100
  isis hello-interval 3
  end
  ME3600X-4.lab#sh run int vl4000
  Building configuration...
  Current configuration : 279 bytes
  interface Vlan4000
  mtu 9000
  ip address 172.16.32.1 255.255.255.0
  ip mtu 1500
  ip router isis lab-test
  mpls ip
  mpls mtu 1546
  mpls traffic-eng tunnels
  isis metric 200
  isis hello-interval 3
  end
  ME3600X-4.lab#sh run int tun1
  Building configuration...
  Current configuration : 242 bytes
  interface Tunnel1
  description me3600-4.lab_to_cr3_lab
  ip unnumbered Loopback1
  tunnel mode mpls traffic-eng
  tunnel destination 10.10.8.3
  tunnel mpls traffic-eng autoroute announce
  tunnel mpls traffic-eng path-option 1 dynamic
  end
  ME3600X-4.lab#sh run partition router isis lab-test
  Building configuration...
  Current configuration : 343 bytes
  Configuration of Partition - router isis lab-test
  router isis lab-test
  net 47.0000.0101.8820.8024.00
  is-type level-2-only
  metric-style wide
  passive-interface Loopback1
  mpls traffic-eng router-id Loopback1
  mpls traffic-eng level-1
  mpls traffic-eng level-2
  end

  Looks like the switch 24 is not able to either impose a tag or swap the tag and send out to next hop.
  That's what I thought, too, as the traffic is not even leaving the 24 switch, according to packet captures taken between the 24 switch and the 12 router.
  1. "show ip route 10.10.8.3" from switch 21 and 24 before and after the command addition.
  Switch 21 before the command addition:
  ME3600X-1.lab#sh ip route 10.10.8.3
  Routing entry for 10.10.8.3/32
    Known via "isis", distance 115, metric 700, type level-2
    Redistributing via isis
    Last update from 172.16.32.1 on Vlan4000, 3d09h ago
    Routing Descriptor Blocks:
    * 172.16.32.1, from 10.10.8.3, 3d09h ago, via Vlan4000
        Route metric is 700, traffic share count is 1
  ME3600X-1.lab#sh ip cef 10.10.8.3 detail
  10.10.8.3/32, epoch 0
    local label info: global/23
    nexthop 172.16.32.1 Vlan4000 label 39
  ME3600X-1.lab#sh ip cef 10.10.8.3 internal
  10.10.8.3/32, epoch 0, RIB[I], refcount 5, per-destination sharing
    sources: RIB, LTE
    feature space:
     IPRM: 0x00028000
     LFD: 10.10.8.3/32 1 local label
     local label info: global/23
          contains path extension list
          disposition chain 0x12BB5E40
          label switch chain 0x12BB5E40
    ifnums:
     Vlan4000(4144): 172.16.32.1
    path 1291D528, path list 12A78CDC, share 1/1, type attached nexthop, for IPv4
      MPLS short path extensions: MOI flags = 0x0 label 39
    nexthop 172.16.32.1 Vlan4000 label 39, adjacency IP adj out of Vlan4000, addr 172.16.32.1 12841840
    output chain: label 39 TAG adj out of Vlan4000, addr 172.16.32.1 128413E0
  ME3600X-1.lab#sh ip cef exact-route 10.10.8.21 10.10.8.3
  10.10.8.21 -> 10.10.8.3 => label 39 TAG adj out of Vlan4000, addr 172.16.32.1
  Switch 24 before the command addition:
  ME3600X-4.lab#sh ip route 10.10.8.3
  Routing entry for 10.10.8.3/32
    Known via "isis", distance 115, metric 500, type level-2
    Redistributing via isis
    Last update from 172.16.24.149 on Vlan100, 00:03:44 ago
    Routing Descriptor Blocks:
    * 172.16.24.149, from 10.10.8.3, 00:03:44 ago, via Vlan100
        Route metric is 500, traffic share count is 1
  ME3600X-4.lab#sh ip cef 10.10.8.3 detail
  10.10.8.3/32, epoch 0
    local label info: global/39
    nexthop 172.16.24.149 Vlan100 label 302032
  ME3600X-4.lab#sh ip cef 10.10.8.3 internal
  10.10.8.3/32, epoch 0, RIB[I], refcount 5, per-destination sharing
    sources: RIB, LTE
    feature space:
     IPRM: 0x00028000
     LFD: 10.10.8.3/32 1 local label
     local label info: global/39
          contains path extension list
          disposition chain 0x12B16A58
          label switch chain 0x12B16A58
    ifnums:
     Vlan100(244): 172.16.24.149
    path 124EF1A0, path list 12504414, share 1/1, type attached nexthop, for IPv4
      MPLS short path extensions: MOI flags = 0x0 label 302032
    nexthop 172.16.24.149 Vlan100 label 302032, adjacency IP adj out of Vlan100, addr 172.16.24.149 128322A0
    output chain: label 302032 TAG adj out of Vlan100, addr 172.16.24.149 12831E40
  ME3600X-4.lab#sh ip cef exact-route 10.10.8.21 10.10.8.3
  10.10.8.21 -> 10.10.8.3 => label 302032 TAG adj out of Vlan100, addr 172.16.24.149
  Switch 21 after the command addition:
  ME3600X-1.lab#sh ip route 10.10.8.3                       
  Routing entry for 10.10.8.3/32
    Known via "isis", distance 115, metric 700, type level-2
    Redistributing via isis atlantech
    Last update from 172.16.32.1 on Vlan4000, 3d09h ago
    Routing Descriptor Blocks:
    * 172.16.32.1, from 10.10.8.3, 3d09h ago, via Vlan4000
        Route metric is 700, traffic share count is 1
  ME3600X-1.lab#sh ip cef 10.10.8.3 detail                  
  10.10.8.3/32, epoch 0
    local label info: global/23
    nexthop 172.16.32.1 Vlan4000 label 39
  ME3600X-1.lab#sh ip cef 10.10.8.3 internal                
  10.10.8.3/32, epoch 0, RIB[I], refcount 5, per-destination sharing
    sources: RIB, LTE
    feature space:
     IPRM: 0x00028000
     LFD: 10.10.8.3/32 1 local label
     local label info: global/23
          contains path extension list
          disposition chain 0x12BB5E40
          label switch chain 0x12BB5E40
    ifnums:
     Vlan4000(4144): 172.16.32.1
    path 1291D528, path list 12A78CDC, share 1/1, type attached nexthop, for IPv4
      MPLS short path extensions: MOI flags = 0x0 label 39
    nexthop 172.16.32.1 Vlan4000 label 39, adjacency IP adj out of Vlan4000, addr 172.16.32.1 12841840
    output chain: label 39 TAG adj out of Vlan4000, addr 172.16.32.1 128413E0
  ME3600X-1.lab#sh ip cef exact-route 10.10.8.21 10.10.8.3
  10.10.8.21 -> 10.10.8.3 => label 39 TAG adj out of Vlan4000, addr 172.16.32.1
  Switch 24 after the command addition:
  ME3600X-4.lab#sh ip route 10.10.8.3                        
  Routing entry for 10.10.8.3/32
    Known via "isis", distance 115, metric 500, type level-2
    Redistributing via isis
    Last update from 10.10.8.3 on Tunnel1, 00:02:01 ago
    Routing Descriptor Blocks:
    * 10.10.8.3, from 10.10.8.3, 00:02:01 ago, via Tunnel1
        Route metric is 500, traffic share count is 1
  ME3600X-4.lab#sh ip cef 10.10.8.3 detail                   
  10.10.8.3/32, epoch 0
    local label info: global/39
    nexthop 10.10.8.3 Tunnel1
  ME3600X-4.lab#sh ip cef 10.10.8.3 internal                 
  10.10.8.3/32, epoch 0, RIB[I], refcount 5, per-destination sharing
    sources: RIB, LTE
    feature space:
     IPRM: 0x00028000
     LFD: 10.10.8.3/32 1 local label
     local label info: global/39
          contains path extension list
          disposition chain 0x12B18078
          label switch chain 0x12B16A58
    ifnums:
     Tunnel1(4303)
    path 124EEB80, path list 125042D4, share 1/1, type attached nexthop, for IPv4
      MPLS short path extensions: MOI flags = 0x1 label implicit-null
    nexthop 10.10.8.3 Tunnel1, adjacency IP midchain out of Tunnel1 12832FC0
    output chain: IP midchain out of Tunnel1 12832FC0 label 302096 TAG adj out of Vlan100, addr 172.16.24.149 12831E40
  ME3600X-4.lab#sh ip cef exact-route 10.10.8.21 10.10.8.3
  10.10.8.21 -> 10.10.8.3 => label 302096 TAG adj out of Vlan100, addr 172.16.24.149
  5. sho mpls forwarding-table 10.10.8.3 from switch 24
  ME3600X-4.lab#show mpls forwarding-table 10.10.8.3 detail
  Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop   
  Label      Label      or Tunnel Id     Switched      interface             
  39         Pop Label  10.10.8.3/32  126           Tu1        point2point
          MAC/Encaps=14/18, MRU=9000, Label Stack{302096}, via Vl100
          009069C7FC3E5017FF5A18408847 49C10000
          No output feature configured
  3. Are the interfaces from 21 switch is MPLS enabled until 24 or it is like plain IP and then converted to MPLS on 24 switch?
  The interface connecting the 21, 22, and 24 switches is an SVI, VLAN4000, and has 'mpls ip' configured on it.  I've tried disabling MPLS on the SVI on each switch with no change.
  Thanks for these commands, as some of them are new ones to me that can help me in the future.

• Randomly Dropping Traffic - Bad Tech Support - Should I Switch ISP?

  Summary
  I replaced the Verizon router with a Cisco router that support being an IPSec VPN Tunnel end-point. I switched from the coax to the Ethernet port on the ONT as the router doesn't have a coax port. Next I configured the IPSec Tunnel on the router, and I was a happy camper because I now have access to the company LAN.
  [Fast forward a week.]
  Phone calls started sounding choppy so I investigated. It now seems like there is a ~15% packet loss for VPN traffic. How did that happen? I spent 2 full days triaging the issue ... I'll spare the details ... and I narrowed down the packet drops to somewhere between the local Verizon ONT and the remote site modem.
  As a test, I temporarily switch my Internet connection to my handy iPhone 4 hotspot (thanks AT&T  )
  To my surprise ... no packet loss. So that narrows it down to the ONT and the Verizon network. So I contacted tech support and wasted almost an hour with someone who was absolutely no help. To top it off, he tried to sell me on some Expert Care package -- apparently he himself is neither an expert nor does he care -- for me to get my service issues resolved.
  Now the question for me is, should I continue struggling with this subpar support service, or should I switch to another more helpful ISP?
  Solved!
  Go to Solution.

  Physical Connections:
  PC----[Router A]--(Ethernet Port)[ONT]===={{{{Verizon Cloud}}}}==={{{{Time Warner Cloud}}}}====[Modem]----[Router B]
  The central VPN point is Router B.
  Router A is a remote VPN client. Alternatively, if VPN is disabled on the router, the PC behind Router A can also connect with a software VPN client.
  No.
  The configuration is fine.
  The IPSec tunnel gets established.
  The VPN has worked fine for two weeks.
  Starting yesterday, random IPSec encapsulated packets from Router A to Router B are getting dropped.
  ~30% packet loss.
  This happens with either the PC or Router A as VPN client.
  (Please note that Router A is not the Verizon supplied Router.)
  Also, pings from Router A to Router B outside the VPN tunnel have 100% success rate.
  I narrowed down the packet drop to somewhere from the ONT to maybe the Verizon clould (packet filtering or inspection?).
  Can you reload the ONT?
  Thanks.
  Will do.
  Done.
  There only is a 3rd party router.
  There is no Verizon supplied router.
  PC----[Cisco UC520 Router]====[ONT]

• How can I route internet traffic over IPSec point to point?

  I have a remote site that connects by IPSEC with the end points on a router and ASA. The connection is working fine and the remote site can access my other networks at the main headquarters. The problem is, currently this remote site is accessing the internet via the same link that is supposed to VPN everything back to headquarters. I need to figure out how to VPN their internet traffic to my main headquarters. There's an IPrism behind the firewall to filter web access so it seems like I need to point the remote sites default gateway to my routing device that's behind my Iprism? 
  Also, currently the outside interface on the remote site's router does not have an ACL applied, can someone suggest what that ACl should look like? Thank you for your help! Here is a sample configuration of the remote site's router:
  crypto isakmp policy 20
  (encryption parameters here)
  crypto isakmp key password address x.x.x.x (Public ASA IP) no-xauth
  crypto ipsec transform-set remotesite (encryption parameters here)
  crypto ipsec df-bit clear
  crypto map Mainsite 1 ipsec-isakmp
   set peer x.x.x.x (Public ASA IP)
   set transform-set remotesite
   match address 100
  interface FastEthernet0/0
   description $ETH-LAN$
   ip address 10.1.1.1 255.255.0.0
   ip nbar protocol-discovery
  interface FastEthernet0/1
   description ISP Interface
   ip address x.x.x.x (public IP) 255.255.255.0
   crypto map Mainsite
   crypto ipsec df-bit clear
  ip route 0.0.0.0 0.0.0.0 x.x.x.x (ISP's default gateway)
  access-list 100 remark Access list Mainsite Access
  access-list 100 permit ip 10.1.0.0 0.0.255.255 10.3.0.0 0.0.255.255
  and other various headquarter networks...

  Hi Mark, you can modify your crypto acl to permit any any on your remote site which will make all traffic goes through the tunnel. Then on ASA you need to do hairpinning on the outside interface. This will make users on remote site to access internet via HQ. But if you do it this way the internet traffic goes straight to internet without having them filtered by your iPrism. 
  What I am not sure about is if there is a way to do it if you want those traffics to be filtered by the iPrism before going out to internet. 
  HTH

• WRT160N Router drops connection

  I have a couple laptops connected to a brand new WRT160N. Previous to putting in the new router, I never had any problems. Now that I have the new router, one of my laptops keeps dropping the connection. I have to open the wireless settings and disconnect/reconnect to get it to work. Oddly, sometimes when I do that there is no password in the connection information, but if I close it and start it again it generally works. I am using WPA2 encryption and windows XP machines.
  Any thoughts?

  I have the WRT160N router, running a mixed g/n standard (though both computers connect through g) with WPA2 security. Both laptops are Windows XP, though on the one that loses connection I did upgrade from SP2 to SP3 to see if it made a difference (none). I have a NAS drive attached, but I just put that on last night. Also have an iPod docking station attached (internet radio to my stereo), but have not used it and unplugging did not seem to impact. Other than that, I think its pretty vanilla.
  I am not a real tech guy, so if I missed anything important (and I assume I did) let me know.
  Any help is appreciated.