Slow throughput of tftp traffic through FWSM
I have FWSM ver 3.2 (L2 multiple contexts).
We get very low performance for tftp traffic. We are implementing remote boot for PCs. The TFTP server is behind the firewall. The tftp throughput is about 0,5 - 2,5Mbps, depending on whether TFTP inspection is on or off.
The same file is downloaded with windows file sharing protocols 100 times faster.
What are the reasons?
Thanks.
We have tried a few tests. Below are some of the results:
The file of 100 Mb was transmitted without FWSM by tftp in 29 sec.
The same file of 100 Mb was transmitted with FWSM (tftp inspection is off) by tftp in 62 sec.
Sniffer shows that every packet is 1408 bytes. Each packet is acknowledged during transmission.
So the file of 100MB is transmitted using 100000000/1408 = 71000 packets.
33sec/71000 = 0,46 ms – this is the two-way delay introduced by FWSM. The one-way delay is 0,23 ms.
Is it normal delay or not?
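The arithmetic in the post above, carried through as a lock-step model (an added example, not part of the original post). It goes one step beyond the post by projecting the same per-round delay onto TFTP's default 512-byte block size; treating 1408 bytes as the payload per DATA packet and assuming a constant round time across block sizes are assumptions.

```python
"""Lock-step (stop-and-wait) model of the TFTP measurements quoted above."""

# Figures from the post. 1408 is used as the payload per DATA packet, exactly
# as the poster's own arithmetic does (assumption: headers are ignored).
FILE_BYTES = 100_000_000
BLOCK_BYTES = 1408
SECONDS_DIRECT = 29.0      # transfer without the FWSM in the path
SECONDS_VIA_FWSM = 62.0    # transfer through the FWSM, TFTP inspection off
DEFAULT_BLOCK_BYTES = 512  # RFC 1350 default when no blksize is negotiated


def blocks_needed(file_bytes: int, block_bytes: int) -> int:
    """Number of DATA packets in one transfer.

    TFTP signals end of file with a short block, so a file that is an exact
    multiple of the block size still needs one extra, empty block.
    """
    return file_bytes // block_bytes + 1


def per_round_seconds(total_seconds: float, blocks: int) -> float:
    """Average time of one DATA/ACK round. Only one block is ever in flight,
    so the whole transfer is just this value multiplied by the block count."""
    return total_seconds / blocks


def throughput_mbps(file_bytes: int, total_seconds: float) -> float:
    return file_bytes * 8 / total_seconds / 1e6


def projected_seconds(file_bytes: int, block_bytes: int, round_seconds: float) -> float:
    """Transfer time at another block size, assuming every round still costs
    round_seconds (latency-dominated path; an assumption of this model)."""
    return blocks_needed(file_bytes, block_bytes) * round_seconds


def analyse() -> dict:
    blocks = blocks_needed(FILE_BYTES, BLOCK_BYTES)
    direct = per_round_seconds(SECONDS_DIRECT, blocks)
    via = per_round_seconds(SECONDS_VIA_FWSM, blocks)
    added_ms = (via - direct) * 1e3
    return {
        "blocks": blocks,
        "added_round_trip_ms": added_ms,
        "added_one_way_ms": added_ms / 2,
        "mbps_direct": throughput_mbps(FILE_BYTES, SECONDS_DIRECT),
        "mbps_via_fwsm": throughput_mbps(FILE_BYTES, SECONDS_VIA_FWSM),
        # Same firewall path, but with the 512-byte default block size.
        "seconds_at_512_via_fwsm": projected_seconds(
            FILE_BYTES, DEFAULT_BLOCK_BYTES, via),
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key:26} {value:.3f}" if isinstance(value, float) else f"{key:26} {value}")
```

Because the delay is paid once per block, the block size negotiated by client and server (RFC 2348 `blksize`) sets how many times the firewall's per-packet latency is multiplied.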
Similar Messages
-
Hi,
I've built site-to-site VPNs between a PIX and an ASA with traffic passing through an FWSM.
This is the architecture:
LAN1---PIX--------(dmz interface)FWSM(outside interface)--------ASA----LAN2
The VPNs go up regularly but I am experiencing some performance issues so I am trying to look into the logs.
In the FWSM log I can see lots of these entries regarding ESP protocol traffic between the end-point peers:
6|Jan 29 2014|13:07:56|302022|||||Built IP protocol 50 connection 144547910545237602 for outside:x.x.x.x(x.x.x.x) to dmz:y.y.y.y (y.y.y.y)
6|Jan 29 2014|13:07:56|302022|||||Built IP protocol 50 connection 144547910545237601 for dmz:x.x.x.x(x.x.x.x) to outside:y.y.y.y (y.y.y.y)
x.x.x.x and y.y.y.y are the VPN peers' IP addresses, but I suspect some strange behaviour because I see x.x.x.x and y.y.y.y respectively at the same time on the outside interface and on the dmz interface during the build of the IP protocol 50 connection.
Do you think it is normal behaviour, or does it mean that there is a fault?
Please, any suggestion will be very appreciated.
Thanks
angelo
Hi Marcin, thanks for your reply.
Yes I know, I expected two flows for inbound and outbound, that's correct, but I don't understand why the FWSM sees the same IP incoming on both interfaces, dmz and outside. That seems strange. If x.x.x.x is on dmz and y.y.y.y on outside, what does this entry mean?:
6|Jan 29 2014|13:07:56|302022|||||Built IP protocol 50 connection 144547910545237602 for outside:x.x.x.x(x.x.x.x) to dmz:y.y.y.y (y.y.y.y).
Hi
angelo -
Slowness problem sending traffic through CX module
People in the remote site access a SharePoint site via HTTP with Internet Explorer and open Microsoft documents. When I configure the ASA to send HTTP traffic through the CX module it slows opening documents to a crawl (Over 5 minutes to open) but everything else works fine. When I don’t send traffic through the CX module the documents open quickly (seconds) with no issue. So what I need to do is HTTP traffic going to and from the remote site needs to bypass the CX module or set it up so only HTTP traffic coming from the main site and site A going only to the internet goes through the CX module. How can I set this up to accomplish this?
I have attached a topology diagram.
That is what I needed help with but here is what I was thinking.
! Create needed groups
object-group network CX-BYPASS-SITE2SITE
 net 192.168.170.0 255.255.255.0
! from CX-BYPASS-SITE2SITE to ANY via HTTP - bypass
access-list CX_BYPASS deny tcp object-group CX-BYPASS-SITE2SITE any eq 80
! from any to CX-BYPASS-SITE2SITE via HTTP - bypass
access-list CX_BYPASS deny tcp any object-group CX-BYPASS-SITE2SITE eq 80
! CX inspects everything else
access-list CX_BYPASS permit ip any any
! Config traffic through the CX
class-map CX_REDIRECT
 no match any
 match access-list CX_BYPASS
policy-map global_policy
 class CX_REDIRECT
  cxsc fail-open
But I really only want to send HTTP traffic through the CX from the Main site and Site A to the internet, but this...
! CX inspects everything else
access-list CX_BYPASS permit ip any any
would send everything. How can I change that to just send HTTP traffic?
! CX inspects just HTTP traffic
access-list CX_BYPASS permit tcp any any eq 80
Would that work?
Mike -
Forcing traffic through load balancer rather than zone to zone
I have several T5140s with 2 LDOMs. Within each LDOM I have multiple zones which contain 2 environments. Each environment comprises the following, an apache instance behind a BigIP load balancer, a JBoss instance, and several misc. The jboss zone has three IP address assigned for multiple applications. Each server is configured identically as far as zone and LDOM layout. We use mod_cluster to cluster our apache and Jboss environment. What I'm trying to accomplish is forcing the apache zone's traffic through the BigIP rather than zone to zone.
Referring to the information below, server2ldom1jboss is one jboss node which needs to connect to both server2ldom1apache and server1ldom1apache. server2ldom1jboss connects to server2ldom1apache via its DNS name which is a NAT address. So webserver2 resolves to 10.10.2.5 which NATs to 10.10.1.5 behind the BigIP. webserver2 responds directly to the jboss zone rather than through the BigIP. Not good. server1ldom1apache works correctly as it's not a local zone.
Referring to this document, https://blogs.oracle.com/solarium/resource/solaris-container-guide-en-v3.1.pdf
section 5.2.7.8
"Connection of zones via external routers using the shared IP instance"
I've created the following routes
route add 10.10.2.5 10.10.1.5
route add 10.10.0.34 10.10.1.5 -interface -reject
route add 10.10.0.35 10.10.1.5 -interface -reject
route add 10.10.0.87 10.10.1.5 -interface -reject
route add 10.10.1.5 10.10.0.87 -interface -reject
route add 10.10.1.5 10.10.0.34 -interface -reject
route add 10.10.1.5 10.10.0.35 -interface -reject
This does prevent the zone to zone traffic, but it is also preventing any response. I've tried other options as well, but have not been successful yet. What concerns me is this: "These interfaces must not be used elsewhere in the global zone." The 5140 has 4 ethernet ports, which are configured into two port channels, vnet0 and vnet1. The apache instances use vnet1. The remaining zones use vnet0, including the global zone (server2ldom1 10.10.0.21). I think this may be the issue, but do not see an easy resolution without breaking my port channels and losing redundancy and fail-over.
If there is anything I'm missing or a better/different way to do this, I would greatly appreciate any input on this matter.
Thank you.
webserver2 10.10.2.5 NATs to 10.10.1.5
jboss apps 10.10.0.34, 10.10.0.35, 10.10.0.87
10.10.0.0/24 is the lan
10.10.1.0/24 is the network behind the BigIP
10.10.2.0/24 is the webserver network (in front of the BigIP)
[1658]root@server2:~# ldm list-bindings
NAME STATE FLAGS CONS VCPU MEMORY UTIL UPTIME
primary active -n-cv- SP 4 2G 1.1% 138d 5h
MAC
00:14:4f:ec:20:ff
HOSTID
0x84ec20b8
VCPU
VID PID UTIL STRAND
0 0 2.0% 100%
1 1 1.4% 100%
2 2 0.7% 100%
3 3 2.1% 100%
MAU
ID CPUSET
0 (0, 1, 2, 3, 4, 5, 6, 7)
MEMORY
RA PA SIZE
0x8000000 0x8000000 2G
VARIABLES
boot-device=/pci@0/pci@0/pci@2/scsi@0/disk@0,0:a disk net
keyboard-layout=US-English
nvramrc=devalias rootdisk /pci@0/pci@0/pci@2/scsi@0/disk@0,0:a devalias rootmirror /pci@0/pci@0/pci@2/scsi@0/disk@1,0:a
security-mode=none
security-password=
use-nvramrc?=true
IO
DEVICE PSEUDONYM OPTIONS
pci@0 pci
niu@80 niu
VCC
NAME PORT-RANGE
primary-vcc0 5000-5010
CLIENT PORT
group1@primary-vcc0 5000
group1@primary-vcc0 5000
VSW
NAME MAC NET-DEV DEVICE DEFAULT-VLAN-ID PVID VID MODE
primary-vsw0 00:14:4f:f9:ff:ff aggr1 switch@0 1 1
PEER MAC PVID VID
vnet0@ldom2 00:14:4f:fb:7b:ff 1
vnet0@ldom1 00:14:4f:fb:1a:ff 1
NAME MAC NET-DEV DEVICE DEFAULT-VLAN-ID PVID VID MODE
primary-vsw1 00:14:4f:fb:8e:ff aggr2 switch@1 1 1
PEER MAC PVID VID
vnet1@ldom1 00:14:4f:f8:17:ff 1
vnet1@ldom2 00:14:4f:f8:c2:ff 1
VDS
NAME VOLUME OPTIONS MPGROUP DEVICE
primary-vds0 ldom2_swap /ldoms/swap/server2ldom2
ldom2_root /dev/dsk/c4t600601601CE1210018F9E37BD2AADD11d0s2
ldom1_swap /ldoms/swap/server2ldom1
ldom1_root /dev/dsk/c4t600601601CE121007E02166CD2AADD11d0s2
CLIENT VOLUME
ldom2_swap@ldom2 ldom2_swap
ldom2_root@ldom2 ldom2_root
ldom1_swap@ldom1 ldom1_swap
ldom1_root@ldom1 ldom1_root
VCONS
NAME SERVICE PORT
SP
NAME STATE FLAGS CONS VCPU MEMORY UTIL UPTIME
ldom1 active -n---- 5000 30 15G 3.7% 192d 6h
MAC
00:14:4f:f8:a5:ff
HOSTID
0x84f8a5f5
VCPU
VID PID UTIL STRAND
0 4 0.4% 100%
1 5 0.3% 100%
2 6 0.1% 100%
3 7 4.4% 100%
4 8 0.2% 100%
5 9 0.2% 100%
6 10 14% 100%
7 11 0.1% 100%
8 12 8.1% 100%
9 13 0.1% 100%
10 14 0.1% 100%
11 15 0.1% 100%
12 16 0.3% 100%
13 17 0.1% 100%
14 18 0.1% 100%
15 19 0.1% 100%
16 20 0.3% 100%
17 21 0.6% 100%
18 22 0.3% 100%
19 23 0.1% 100%
20 54 1.0% 100%
21 55 0.5% 100%
22 56 1.2% 100%
23 57 0.2% 100%
24 58 4.5% 100%
25 59 0.9% 100%
26 60 0.0% 100%
27 61 0.1% 100%
28 62 0.1% 100%
29 63 0.3% 100%
MAU
ID CPUSET
1 (8, 9, 10, 11, 12, 13, 14, 15)
2 (16, 17, 18, 19, 20, 21, 22, 23)
6 (48, 49, 50, 51, 52, 53, 54, 55)
7 (56, 57, 58, 59, 60, 61, 62, 63)
MEMORY
RA PA SIZE
0x8000000 0x88000000 10G
0x401800000 0x6b1800000 5G
VARIABLES
auto-boot?=true
boot-device=ldom1_root:b
NETWORK
NAME SERVICE DEVICE MAC MODE PVID VID
vnet0 primary-vsw0@primary network@0 00:14:4f:fb:1a:ff 1
PEER MAC MODE PVID VID
primary-vsw0@primary 00:14:4f:f9:ff:ff 1
vnet0@ldom2 00:14:4f:fb:7b:ff 1
NAME SERVICE DEVICE MAC MODE PVID VID
vnet1 primary-vsw1@primary network@1 00:14:4f:f8:17:ff 1
PEER MAC MODE PVID VID
primary-vsw1@primary 00:14:4f:fb:8e:ff 1
vnet1@ldom2 00:14:4f:f8:c2:ff 1
DISK
NAME VOLUME TOUT DEVICE SERVER MPGROUP
ldom1_swap ldom1_swap@primary-vds0 disk@0 primary
ldom1_root ldom1_root@primary-vds0 disk@1 primary
VCONS
NAME SERVICE PORT
group1 primary-vcc0@primary 5000
NAME STATE FLAGS CONS VCPU MEMORY UTIL UPTIME
ldom2 active -n---- 5000 30 15000M 0.8% 192d 6h
MAC
00:14:4f:fa:e8:ff
HOSTID
0x84fae839
VCPU
VID PID UTIL STRAND
0 24 1.0% 100%
1 25 1.0% 100%
2 26 0.0% 100%
3 27 0.0% 100%
4 28 0.1% 100%
5 29 0.3% 100%
6 30 0.0% 100%
7 31 0.0% 100%
8 32 0.0% 100%
9 33 0.1% 100%
10 34 1.3% 100%
11 35 0.0% 100%
12 36 0.1% 100%
13 37 1.0% 100%
14 38 1.9% 100%
15 39 0.0% 100%
16 40 0.0% 100%
17 41 0.0% 100%
18 42 0.1% 100%
19 43 0.5% 100%
20 44 0.2% 100%
21 45 0.0% 100%
22 46 0.2% 100%
23 47 0.4% 100%
24 48 0.2% 100%
25 49 0.0% 100%
26 50 0.0% 100%
27 51 0.0% 100%
28 52 0.0% 100%
29 53 0.0% 100%
MAU
ID CPUSET
3 (24, 25, 26, 27, 28, 29, 30, 31)
4 (32, 33, 34, 35, 36, 37, 38, 39)
5 (40, 41, 42, 43, 44, 45, 46, 47)
MEMORY
RA PA SIZE
0x8000000 0x308000000 15000M
VARIABLES
auto-boot?=true
boot-device=/virtual-devices@100/channel-devices@200/disk@1:b ldom2_root
keyboard-layout=US-English
NETWORK
NAME SERVICE DEVICE MAC MODE PVID VID
vnet0 primary-vsw0@primary network@0 00:14:4f:fb:7b:ff 1
PEER MAC MODE PVID VID
primary-vsw0@primary 00:14:4f:f9:ff:ff 1
vnet0@ldom1 00:14:4f:fb:1a:ff 1
NAME SERVICE DEVICE MAC MODE PVID VID
vnet1 primary-vsw1@primary network@1 00:14:4f:f8:c2:ff 1
PEER MAC MODE PVID VID
primary-vsw1@primary 00:14:4f:fb:8e:ff 1
vnet1@ldom1 00:14:4f:f8:17:ff 1
DISK
NAME VOLUME TOUT DEVICE SERVER MPGROUP
ldom2_swap ldom2_swap@primary-vds0 disk@0 primary
ldom2_root ldom2_root@primary-vds0 disk@1 primary
VCONS
NAME SERVICE PORT
group1 primary-vcc0@primary 5000
[1657]root@server2ldom1:~# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
inet 127.0.0.1 netmask ff000000
lo0:1: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
zone server2ldom1z3
inet 127.0.0.1 netmask ff000000
lo0:2: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
zone server2ldom1z2
inet 127.0.0.1 netmask ff000000
lo0:3: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
zone server2ldom1z6
inet 127.0.0.1 netmask ff000000
lo0:4: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
zone server2ldom1jboss
inet 127.0.0.1 netmask ff000000
lo0:5: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
zone server2ldom1apache
inet 127.0.0.1 netmask ff000000
lo0:6: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
zone server2ldom1z1
inet 127.0.0.1 netmask ff000000
vnet0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
inet 10.10.0.21 netmask ffffff00 broadcast 10.10.0.255
ether 0:14:4f:fb:1a:ff
vnet0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
zone server2ldom1z2
inet 10.10.0.33 netmask ffffff00 broadcast 10.10.0.255
vnet0:2: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
zone server2ldom1z6
inet 10.10.0.36 netmask ffffff00 broadcast 10.10.0.255
vnet0:3: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
zone server2ldom1jboss
inet 10.10.0.34 netmask ffffff00 broadcast 10.10.0.255
vnet0:4: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
zone server2ldom1jboss
inet 10.10.0.35 netmask ffffff00 broadcast 10.10.0.255
vnet0:5: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
zone server2ldom1z1
inet 10.10.0.32 netmask ffffff00 broadcast 10.10.0.255
vnet0:6: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
zone server2ldom1z1
inet 10.10.0.74 netmask ffffff00 broadcast 10.10.0.255
vnet0:7: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
zone server2ldom1jboss
inet 10.10.0.87 netmask ffffff00 broadcast 10.10.0.255
vnet1: flags=1000842<BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
inet 0.0.0.0 netmask 0
ether 0:14:4f:f8:17:ff
vnet1:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
zone server2ldom1z3
inet 10.10.1.101 netmask fffffc00 broadcast 10.10.47.255
vnet1:2: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
zone server2ldom1apache
inet 10.10.1.5 netmask fffffc00 broadcast 10.10.47.255
[1701]root@server2ldom1:~# zonecfg -z server2ldom1jboss info
zonename: server2ldom1jboss
zonepath: /zones/server2ldom1jboss
brand: native
autoboot: true
bootargs:
pool:
limitpriv:
scheduling-class:
ip-type: shared
inherit-pkg-dir:
dir: /lib
inherit-pkg-dir:
dir: /platform
inherit-pkg-dir:
dir: /sbin
inherit-pkg-dir:
dir: /usr
inherit-pkg-dir:
dir: /opt/sfw
inherit-pkg-dir:
dir: /opt/
net:
address: 10.10.0.34
physical: vnet0
defrouter: 10.10.0.1
net:
address: 10.10.0.35
physical: vnet0
defrouter: 10.10.0.1
net:
address: 10.10.0.87
physical: vnet0
defrouter: 10.10.0.1
attr:
name: comment
type: string
value: server2ldom1jboss
[1702]root@server2ldom1:~# zonecfg -z server2ldom1apache info
zonename: server2ldom1apache
zonepath: /zones/server2ldom1apache
brand: native
autoboot: true
bootargs:
pool:
limitpriv:
scheduling-class:
ip-type: shared
inherit-pkg-dir:
dir: /lib
inherit-pkg-dir:
dir: /platform
inherit-pkg-dir:
dir: /sbin
inherit-pkg-dir:
dir: /usr
inherit-pkg-dir:
dir: /opt/sfw
inherit-pkg-dir:
dir: /opt/
net:
address: 10.10.1.5/22
physical: vnet1
defrouter not specified
attr:
name: comment
type: string
value: server2ldom1apache
Edited by: coreyva on Feb 18, 2012 11:36 AM
After further research, I think the best course of action will be to create a VLAN for the zone behind the BigIP and then create the corresponding interface in the VLAN and zone. I'm using these links as my references in case anyone is interested. I'll post what I come up with.
https://blogs.oracle.com/stw/entry/using_ip_instances_with_vlans
https://blogs.oracle.com/stw/entry/solaris_zones_and_networking_common
http://docs.oracle.com/cd/E19253-01/816-4554/816-4554.pdf # AdministeringVirtualLocalAreaNetworks
http://docs.oracle.com/cd/E19053-01/ldoms.mgr11/820-4913-10/820-4913-10.pdf # Assign VLANs to a Virtual Switch and Virtual Network Device
-
Policy based routing on VRF interfaces to route traffic through TE Tunnel
Hi All,
Is there a method to do policy based routing on VRF interfaces and route data traffic through one TE tunnel and non-data traffic through another TE tunnel?
The tunnel is already built with the config below:
interface Tunnel25
 ip unnumbered Loopback0
 tunnel destination 10.250.16.250
 tunnel mode mpls traffic-eng
 tunnel mpls traffic-eng path-option 10 explicit name test
ip explicit-path name test enable
 next-address x.x.x.x
 next-address y.y.y.y
router ospf 1
 mpls traffic-eng router-id Loopback0
 mpls traffic-eng area 0
mpls traffic-eng tunnels
interface GigabitEthernet5/2
 mpls traffic-eng tunnels
 mpls ip
Is there additional config needed to make this work? Also, at the destination end, for the return traffic, we want to use the normal path, I mean the non-TE tunnel.
We tested the above scenario, but were not able to reach the destination. Meanwhile we had a question: when the packet uses the policy map on ingress, it may not know the association with the VRF (is that right? If so, how to make it happen?)
Any help would be really appreciated
Thanks
Regards
Anantha Subramanian Natarajan
Hi Anantha!
I might not be the right person to comment on your first question. I have not configured MVPNs yet and am not very comfortable with the topic.
But I am sure that if you read through the CBTS doc thoroughly, you might be able to derive the answer yourself. One thing I notice is that a tunnel will be selected regularly according to the routing process (even if it is CBTS enabled). From the tunnels selected using the regular best path selection, the traffic is mapped to a particular tunnel in the group if a specific class is mapped to that tunnel.
So a master tunnel can be the only tunnel between the 2 devices over which the routing (BGP next hops) is exchanged and all other tunnels can be members of this tunnel. So your RPF might not fail.
You might have to explore this a bit more and read about the co-existence of multicast and TE. This will be the same as that.
For your second question, the answer would be easy:
If you want a specific eompls cust to take a particular tunnel/path, just create a separate pair of loopbacks on the PEs. Make the loopback learnt on the remote PE through the tunnel/path that you want the eompls to take. Then establish the xconnect with this loopback. I am assuming that your question is that a particular eompls session should take a particular path.
If you meant that certain traffic from the same eompls session take a different path/tunnel, then CBTS will work.
Regards,
Niranjan -
My Apple TV 2 is slow when trying to move through different menu selections. It is like a slow computer trying to catch up to mouse clicks. It eventually remembers the buttons that were pushed on the remote, but it freezes and takes a minute to catch up.
I had something similar a couple of weeks ago, it would scroll then stop, scroll then stop.
At some point the problem went away.
Try unpowering and restarting your AppleTV. Restart iTunes too. -
RVL200 IPSEC: Channel all or some data traffic through tunnel, possible?
Is it at all possible to channel all/some data traffic through an established ipsec tunneled connection using the RVL200?
I have successfully established an ipsec connection through RVL200 and RV042 routers and am able to connect to servers/computers behind it.
Now I want to channel all or some traffic through the ipsec-tunnel for computers that reside on 192.168.1.0 subnet of RVL200 network.
Main office - RV042 router - 10.200.62.1
Remote office - RVL200 router - 192.168.1.1
I am trying to use the Advanced Routing option to add static routes but I am not 100% sure if I am configuring the routes correctly.
To give an example of routing DNS requests for HOTMAIL.COM [65.55.72.183]:
Destination IP - 65.55.0.0
SM - 255.255.0.0
GW - 10.200.62.1
Hop - 1
Interface - LAN
For some reason this does not appear to work. I have also tried using the interface setting of WAN and tested - this also does not work.
Can this be done? If anyone has tried doing this I would be very interested in finding out how to configure this.
Cheers.
MP
For some reason the DNS IP settings do not seem to work.
I started looking at the option of using the Quick VPN client which appears to have a setting for enabling Remote DNS.
I have setup a test user on both the RV042 and RVL200 to test if I can overcome the Split DNS limitation. But for some reason I can't connect to either of the two routers. I have installed the client on a 64bit Windows 7 client machine which has the Windows Firewall service enabled.
I keep getting the below error, there is no conflict with the IP address scheme and the password is correct.
Could it be this new client does not support the older Linksys badged RV0xx routers? Because Split DNS is only supported on v3 hardware. The firmware on my RVL200 is v1.1.12 .1.
What should I check to enable connectivity using this client? Or is it because it does not support 64bit Windows 7? I have even exported the certificates for both Admin and User into the C:\Program Files (x86)\Cisco Small Business\QuickVPN Client folder. -
Tunnelling web traffic through ssh
for tunnelling web traffic through ssh, it says here
http://wiki.freaks-unidos.net/weblog...fox-ssh-tunnel
that i have to set only the SOCKS Host text field in the edit>preferences>advanced>network>connection>settings
to localhost and the port i used for ssh but what about the other fields like http,ftp,gopher,and ssl proxy, shouldn't i need to set those too? if not why and what are those fields for anyway?
btw, is it possible to view streaming video like youtube.com while using a proxy? if so, then how would i go about it?
jordi wrote:
ssh -D 4444 (or any other port number) youruser@yourserver
see the manual:
-D [bind_address:] port
Specifies a local ''dynamic'' application-level port forwarding. This works by
allocating a socket to listen to port on the local side, optionally bound to
the specified bind_address. Whenever a connection is made to this port, the
connection is forwarded over the secure channel, and the application protocol
is then used to determine where to connect to from the remote machine. Currently
the SOCKS4 and SOCKS5 protocols are supported, and ssh will act as a SOCKS server.
Only root can forward privileged ports. Dynamic port forwardings can also be
specified in the configuration file.
streaming videos like youtube.com will be possible... surfing the web will be the same as without socks proxy...
I suggest using an addon like FoxyProxy if you use SOCKS proxies a lot.
1) I already know the ssh part, I'm talking about the configuration in Firefox, sorry if I didn't make this clear.
for tunnelling web traffic through ssh, it says here
http://wiki.freaks-unidos.net/weblog...fox-ssh-tunnel
that i have to set only the SOCKS Host text field in the edit>preferences>advanced>network>connection>settings
to localhost and the port i used for ssh but what about the other fields like http,ftp,gopher,and ssl proxy, shouldn't i need to set those too? if not why and what are those fields for anyway?
2) and another thing about streaming videos, why is it that some proxies i have used before don't allow streaming traffic through?
ok it says here for vpn
http://searchsecurity.techtarget.com/sDefi...213324,00.html#
An additional level of security involves encrypting not only the data, but also the originating and receiving network addresses.
3) so how would the routers know where to route the data if its encrypted? and how would i go about implementing that?
4) btw, is ssh tunnelling an implementation of vpn?
5) another question i have would be that for ssh tunnelling, it works at the transport layer onwards so only applications which are designed to use the port would go through the tunnel and be encrypted right, other apps would not go through the tunnel. On the contrary, IPsec works on the network layer so all information above the network layer whether they use UDP or TCP or whatever ports for TCP would go through the tunnel and be encrypted. Are the above statements correct?
Last edited by unregistered (2008-05-11 08:39:19) -
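The browser side of the `ssh -D` setup discussed in this thread, as an added example that is not part of any post: the SOCKS5 messages (RFC 1928) a client exchanges with the local listener. The request carries an arbitrary destination host and port, which is why only the SOCKS Host field is needed, and its address type decides whether the DNS lookup travels through the tunnel; `example.org` and `192.0.2.10` are constructed sample values.

```python
"""SOCKS5 CONNECT exchange between a browser and the `ssh -D` listener."""
import ipaddress
import struct

VER = 5                      # SOCKS protocol version
CMD_CONNECT = 1              # "open a TCP connection to this destination"
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4
NO_AUTH, NO_ACCEPTABLE_METHOD = 0x00, 0xFF


def client_greeting() -> bytes:
    """Client -> proxy: VER, NMETHODS, METHODS (only 'no authentication')."""
    return bytes([VER, 1, NO_AUTH])


def server_choice(greeting: bytes) -> bytes:
    """Proxy -> client: the authentication method picked from the offer."""
    if len(greeting) < 2 or greeting[0] != VER:
        raise ValueError("not a SOCKS5 greeting")
    offered = greeting[2:2 + greeting[1]]
    return bytes([VER, NO_AUTH if NO_AUTH in offered else NO_ACCEPTABLE_METHOD])


def encode_address(host: str) -> bytes:
    """ATYP + address. A hostname is sent as-is (the proxy resolves it);
    an IP literal means the name was already resolved on the client."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")
        if not 1 <= len(name) <= 255:
            raise ValueError("hostname must be 1..255 bytes")
        return bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed


def connect_request(host: str, port: int) -> bytes:
    """Client -> proxy: VER, CMD, RSV, ATYP, DST.ADDR, DST.PORT."""
    return bytes([VER, CMD_CONNECT, 0]) + encode_address(host) + struct.pack("!H", port)


def parse_request(req: bytes):
    """Proxy side: return (kind, host, port), kind being 'domain' or 'ip'."""
    if len(req) < 5 or req[0] != VER or req[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp, body = req[3], req[4:]
    if atyp == ATYP_DOMAIN:
        size, body = body[0], body[1:]
    elif atyp == ATYP_IPV4:
        size = 4
    elif atyp == ATYP_IPV6:
        size = 16
    else:
        raise ValueError("unknown address type")
    if len(body) != size + 2:
        raise ValueError("truncated or oversized request")
    (port,) = struct.unpack("!H", body[size:])
    if atyp == ATYP_DOMAIN:
        return "domain", body[:size].decode("ascii"), port
    return "ip", str(ipaddress.ip_address(body[:size])), port


def server_reply(status: int = 0) -> bytes:
    """Proxy -> client: VER, REP, RSV, ATYP, BND.ADDR 0.0.0.0, BND.PORT 0."""
    return bytes([VER, status, 0, ATYP_IPV4]) + bytes(6)


def name_resolved_by(req: bytes) -> str:
    """'proxy' if the lookup happens at the far end of the tunnel, 'client'
    if it was done locally. In Firefox the network.proxy.socks_remote_dns
    preference selects between the two behaviours."""
    kind, _, _ = parse_request(req)
    return "proxy" if kind == "domain" else "client"


if __name__ == "__main__":
    for host, port in (("example.org", 443), ("192.0.2.10", 80)):
        req = connect_request(host, port)
        print(f"C->S {client_greeting().hex()}  S->C {server_choice(client_greeting()).hex()}")
        print(f"C->S {req.hex()}  name resolved by: {name_resolved_by(req)}")
        print(f"S->C {server_reply().hex()}")
```

After the proxy's success reply the connection is an opaque byte stream, so HTTP, TLS or any other TCP protocol passes through it unchanged.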
Hi!
I have had my SRP 541w for just over a year, BUGGER! So it is out of warranty now. Bought it in September 2012. It has been working like a charm since then. A couple of days ago my network speed suddenly dropped to about 10 mbit/s. That is true of all connections LANtoLAN, WANtoLAN and LANtoWAN. All my equipment is 1 gb/s. I have upgraded the firmware to 1.2.6, set the speed of the LAN ports to 1000 FULL, rebooted, tried with only one computer attached nothing else connected. WAN disconnected and throughput between LAN ports, nothing seems to make any difference. Did a factory reset, still no change.
I would really appreciate help on this! I really hope it has not stopped working properly. Not good advertisement for CISCO in that case, one month over warranty and suddenly BANG.
Any ideas?
Regards,
Sven Gustavsson
Got my hands on a multi adapter and plugged that in as well. No change, power light flashes and extremely slow throughput.
If it is of any use, the power light flashes 3 times then a few seconds delay, then flashes 3 times then a few seconds delay and repeat. This does seem like an error code of some kind that we have no documentation for. Maybe it's time for someone from Cisco to enlighten us as to the nature of the power light flashing? -
Hi Guys,
This is a little bit of an odd request however I need to allow a sync routing due to some legacy routing to pass through my ASA.
I have allowed IP any any between the particular hosts involved to allow for high ports etc..
However the ASA is tearing down the session as it never sees the ACK.
Hence is there a way to turn off the ip inspection or some other way to get this traffic through the firewall.
Thanks
Scott
On an iPad I don't believe that you can. If you made the iPad tunnel through your laptop or desktop computer it may be possible to specify what traffic you want sent through the VPN or otherwise. But I have a feeling that would be very complicated to set up and keep working well.
-
I've got an EA6900 set up for routing duties on a Virgin Media 120Mbps cable connection. I'm seeing incredibly slow throughput on the Linksys router and after looking for obvious causes I'm stumped.
The EA6900 is plugged into the Virgin Media 'Superhub' which is set to modem-mode. In this configuration, a single wired device with a gigabit ethernet card is seeing download speeds of around 9Mbps. However, when I switch the Superhub into router-mode and connect the same one device directly to that, the download speeds jump to 100Mbps.
I've tried several different network cables between the modem and EA6900, but the results are the same. I've also been in touch with Virgin Media who said there were no issues with the upstream connection.
It would suggest the cause is something to do with the EA6900. Any suggestions would be greatly appreciated.
Ben
fleggster1701 wrote:
Unfortunately this hasn't worked for me. I have a very similar problem in regards I have a 120Mbps Virgin broadband connection and with the Linksys connected my connection maxes out at 20Mbps Down and 10Mbps up. This slowly degrades over time down to 2Mbps until the router is rebooted.
I did have Media Prioritisation on with a Bandwidth limit of 0. When I disabled it, the speed went up to around 37Mbps but still nowhere near 120Mbps. With Media Prioritisation enabled but no specified devices or protocols it still maxes out at 20Mbps.
I've replaced cables and contacted Virgin. Virgin have confirmed it's the Router as when my PC is connected directly to the SuperHub I get 124Mbps without issues.
I haven't tried the SuperHub in standard mode, this is only in Modem mode.
I hope someone can help!
I recommend:
Enable Media Prioritization and WMM support
Set Downstream Bandwidth to 120Mbps
Keep all devices and apps normal priority to start
Please remember to Kudo those that help you.
Linksys
Communities Technical Support -
Direct all traffic through a socks proxy
is this possible to direct all tcp/ip traffic through a socks proxy. how about just one application. can i socksify an application? tia
You want to utilize an upstream SOCKS proxy? I doubt it, you'd be better off setting up a VPN and routing your outbound traffic through that.
-
CSS: Allow non loadbalanced traffic through; Bridge mode
Hi,
Can the CSS, on bridge mode (Client VLAN10, Server VLAN10) just allow traffic through without load balancing.
(I did this in ACE by defining access rules. I'm not sure about CSS.)
Please point to a document where I can read about this too.
Kind regards
SS
Thank you
This forum is dedicated to Cisco MARS (Security product) discussion.
Please ask your CSS-related queries here:
http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Data%20Center&topic=Application%20Networking&CommCmd=MB%3Fcmd%3Ddisplay_messages%26mode%3Dnew%26location%3D.ee7814f
Regards
Farrukh -
Hi Experts,
Please have a look at the following pic regarding the deployment of FWSM. Will traffic move from 7613 to 6513 as it used to after deploying FWSM this way? Currently the FWSM is in the 7613 chassis.
Actually I need to know some points.
1. If we change Gi0/1 from a routed port to an L2 port with the switchport command and assign it to VLAN 10, and create SVI interface VLAN 10 on the MSFC of the 7613 and assign the IP of Gi0/1, i.e. 192.168.1.10, to it, will the traffic move from the interfaces of my router to this interface (Gi0/1)? Currently we have static routes. I am not very clear about this issue.
2. As mentioned in the figure, if I create VLAN 10 and put Gi0/1 and the inside interface of FWSM in it, will they communicate through the SVI interface of VLAN 10 created on the 7613 router with IP 192.168.1.10? The same concern applies to the outside interface of FWSM and Gi0/2 of the 6513, which are connected through SVI VLAN 20 on the 6513 MSFC.
Please guide me as to what corrections I have to make in this plan.
Regards
Ambivert skill
Dear members, I am really waiting for your valuable comments on this deployment plan.
Thanks -
Slow TCP performance for traffic routed by ACE module
Hi,
the customer uses two ACE20 modules in active-standby mode. The ACE load-balances servers correctly. But there is a problem with communication between servers in the different ACE contexts. When the customer uses FTP from one server in one context to the other server in other context the throughput through ACE is about 23 Mbps. It is routed traffic in ACE:-( See:
server1: / #ftp server2
Connected to server2.cent.priv.
220 server2.cent.priv FTP server (Version 4.2 Wed Apr 2 15:38:27 CDT 2008) ready.
Name (server2:root):
331 Password required for root.
Password:
230 User root logged in.
ftp> bin
200 Type set to I.
ftp> put "|dd if=/dev/zero bs=32k count=5000 " /dev/null
200 PORT command successful.
150 Opening data connection for /dev/null.
5000+0 records in.
5000+0 records out.
226 Transfer complete.
163840000 bytes sent in 6.612 seconds (2.42e+04 Kbytes/s)
local: |dd if=/dev/zero bs=32k count=5000 remote: /dev/null
ftp>
The output from show resource usage doesn't show any drops:
conc-connections 0 0 800000 1600000 0
mgmt-connections 10 54 10000 20000 0
proxy-connections 0 0 104858 209716 0
xlates 0 0 104858 209716 0
bandwidth 0 46228 50000000 225000000 0
throughput 0 1155 50000000 100000000 0
mgmt-traffic rate 0 45073 0 125000000 0
connections rate 0 9 100000 200000 0
ssl-connections rate 0 0 500 1000 0
mac-miss rate 0 0 200 400 0
inspect-conn rate 0 0 600 1200 0
acl-memory 7064 7064 7082352 14168883 0
sticky 6 6 419430 0 0
regexp 47 47 104858 209715 0
syslog buffer 794624 794624 418816 431104 0
syslog rate 0 31 10000 20000 0
There is a parameter map configured with rebalance persistent for cookie insertion in the context.
Do you know how I can increase performance for TCP traffic which is not load-balanced, but routed by ACE? Thank you very much.
Roman
Default inactivity timeouts used by ACE are
icmp 2sec
tcp 3600sec
udp 120sec
With your config you will change inactivity for every protocol to 7500sec. If you want to change the TCP timeout to 7500sec and keep the other inactivity timeouts as they are now, use the following
access-list ICMP-ANY line 10 extended permit icmp any any
parameter-map type connection GLOBAL-TCP
  set timeout inactivity 7500
parameter-map type connection GLOBAL-UDP
  set timeout inactivity 120
parameter-map type connection GLOBAL-ICMP
  set timeout inactivity 2
class-map match-all ALL-TCP
  match port tcp any
class-map match-all ALL-UDP
  match port udp any
class-map match-all ALL-ICMP
  match access-list ICMP-ANY
policy-map multi-match TIMEOUTS
  class ALL-TCP
    connection advanced GLOBAL-TCP
  class ALL-UDP
    connection advanced GLOBAL-UDP
  class ALL-ICMP
    connection advanced GLOBAL-ICMP
and apply service-policy TIMEOUTS globally
Syed Iftekhar Ahmed