Traceroute issue- MPLS VPN on directly connected interfaces

Similar Messages

• Time Capsule connection issues - only VPN use will connect

  After hours of troubleshooting with Comcast and Apple trying to establish internet connection, I accidentally discovered that I could get on when connected to company's VPN. Why would this happen? I don't have VPN on my Mac and don't want to set it up on my iPhone. I need to get on the internet without it. Apple has been helpful on the phone, but they are just as stumped as I am -- we've tried everything! Help!
  I'm running 10.5.2 on Mac, and use XP on my PC's. The cable modem is an Arris through Comcast. I never had problems with my old wireless router (Netgear).

  Wired or wireless didn't matter, it was baffling.
  I did get it resolved, however. Evidently Comcast's DNS address wasn't working properly. The Apple rep was able to provide a public DNS address (not affiliated with Comcast) that did the trick. The VPN thing was what tipped him off.
  Works fine from the Mac, but my PC's give me constant warnings since they are set up with all of my company's security settings. I can live with it though! Just happy to finally get some work done!

• Interprovider MPLS VPN - "drop -- rewrite null"

  Hi,
  i have an interprovider VPN where a remote route is received on ASBR and forwarded to my AS PE but traffic coing from my PE is dropped because label forwarding is not installed:
  c2851-ASBR#sh ip bgp vpnv4 all la
  Network Next Hop In label/Out label
  Route Distinguisher: 3302:141141
  10.0.0.0/24 172.26.107.94 20/100192
  81.114.246.16/29 172.16.0.4 22/18
  192.168.0.0 172.16.0.4 21/16
  c2851-ASBR#sh mpls forwarding-table
  Local Outgoing Prefix Bytes tag Outgoing Next Hop
  tag tag or VC or Tunnel Id switched interface
  16 Pop tag 172.16.0.4/32 0 Gi0/1 172.26.0.2
  21 16 3302:141141:192.168.0.0/24 \
  0 Gi0/1 172.26.0.2
  22 18 3302:141141:81.114.246.16/29 \
  0 Gi0/1 172.26.0.2
  As you can see the label 100192 is not present in the mpls forwarding.
  If i create the vrf on the ASBR everithing works correctly:
  c2851-ASBR#sh mpls forwarding-table
  Local Outgoing Prefix Bytes tag Outgoing Next Hop
  tag tag or VC or Tunnel Id switched interface
  16 Pop tag 172.16.0.4/32 0 Gi0/1 172.26.0.2
  20 100192 10.0.0.0/24[V] 488 Gi0/0.124 172.26.107.94
  21 16 192.168.0.0/24[V] 472 Gi0/1 172.26.0.2
  22 18 81.114.246.16/29[V] \
  0 Gi0/1 172.26.0.2
  Thanks
  S.

  the lab setup is quite simple:
  AS1 PE --ibgp-- AS1 ASBR (172.26.107.94) ----ebgp---- AS2 ASBR (172.26.107.93) --ibgp-- AS2 PE (lo0 172.16.0.4)
  From the AS2 ASBR the next hop for the internal route is the lo0 of the AS2 PE and the next hop for the AS1 route is the ip address of the btb interface (the ebgp peer is built on the directed connected interface). So no problem on the ebgp next hop.
  The label swap from 22 to 18 is unidirectional and is used for the traffic coming from AS1 PE directed to the AS2 PE for destination network annouced by AS2PE.
  From the AS2PE point of view there is no problem on the traffic forwarding (label 20 is imposed to the packet and this is the right behaviour) but AS2ASBR doesn't swap it with label 100192 because it is not in the mpls forwarding table. so i think that the problem is not on the PE but in the behaviour of the ASBR.
  s.

• Please Help!! - Ping to and from MPLS/VPN

  I am having strange ping results and cannot understand why. My gut feeling is that this stems from a lack of understanding of the technology.
  First, I have leaked a Vrf subnet into the global vrf so that I can have reachability to some devices in the vrf and the devices themselves can have reachability to services outside of the cloud.
  I know this design is going to seem a little convoluted so bear with me. I have built a model of my providers network whereby the connected routes between the CE and PE are public addresses, the internal routes are private addresses in the 10.0.0.0/8 network. I am running BGP between the PE and CE, and then redistributing static routesinto OSPF for the actual MPLS network routing.
  Then of the backbone (Area 0) of the OSPF network, I have a connection to what I will call my Services network where resources such as DNS/DHCP, Internet, and Call Manager reside.(See diagram).
  What happens is that on the PE that is directly connected to the CE, I cannot ping the network contained in the CE unless I actually specify an interface other than the address of the directly connected interface.
  If I go to the P router I can ping just fine. Even if I go to the Services network I am successful so I know that I have been somewhat successful in leaking the subnet located in the VPN vrf.
  On the flip side, When I am in the CE, I cannot ping to the Services network, or any network that is in the 10.0.0.0/8 space, so I am almost certain there is a routing principle that I am missing here.
  Sorry for the long post, but I am trying to include the pertinent information that I hope will lead to some assistance.

  Lejoe,
  You were correct in discovering that the route was missing from the 3750 metro point back to the connected route between the PE and CE. I added this and I am not able to ping the services network from the CE router. Thanks very much for this. I am glad it was a simple resolution.
  As far as the duplicate address on the 3750 Metro and the PE, the interface on the 3750 was left over from a previous design and is inactive. Thanks for catching as I would need to clean it up regardless.
  You were also correct in saying that if I source the ping from within the vrf, then I am able to ping. However, I thought that I took care of this by leaking the route to the global config. Here is the global ruoting table on the PE router.
  S 68.139.201.28/30 is directly connected, FastEthernet1/0
  C 68.1.1.4/30 is directly connected, FastEthernet0/0
  O IA 68.2.1.4/30 [110/12] via 68.1.1.5, 23:30:42, FastEthernet0/0
  O IA 68.1.2.4/30 [110/2] via 68.1.1.5, 23:30:42, FastEthernet0/0
  O IA 68.1.0.1/32 [110/2] via 68.1.1.5, 23:30:42, FastEthernet0/0
  C 68.1.1.1/32 is directly connected, Loopback0
  O IA 68.0.1.0/30 [110/2] via 68.1.1.5, 23:30:42, FastEthernet0/0
  O IA 68.2.1.1/32 [110/13] via 68.1.1.5, 23:30:42, FastEthernet0/0
  O IA 68.0.2.0/30 [110/3] via 68.1.1.5, 23:30:42, FastEthernet0/0
  O IA 68.2.0.1/32 [110/3] via 68.1.1.5, 23:30:42, FastEthernet0/0
  O IA 68.255.1.0/30 [110/2] via 68.1.1.5, 23:30:42, FastEthernet0/0
  10.0.0.0/16 is subnetted, 1 subnets
  S 10.152.0.0 [1/0] via 68.139.201.30, FastEthernet1/0
  O*E2 0.0.0.0/0 [110/1] via 68.1.1.5, 23:30:42, FastEthernet0/0
  If you take a look at the configs, I have placed the directly connected route into the global table by using a static route on the PE router:
  ip route 68.139.201.28 255.255.255.252 FastEthernet1/0
  I would like to understand why I cannot ping the directly connected route from the PE, especially when it is in the routing table. Would you know why this is?

• Inside lan is not reachable even after cisco Remote access vpn client connected to router C1841 But can ping to the router inside interface and loop back interface but not able to ping even to the directly connected inside device..??

  Hii frnds,
  here is the configuration in my router C1841..for the cisco ipsec remote access vpn..i was able to establish a vpn session properly...but there after i can only reach up to the inside interfaces of the router..but not to the lan devices...
  Below is the out put from the router
  r1#sh run
  Building configuration...
  Current configuration : 3488 bytes
  ! Last configuration change at 20:07:20 UTC Tue Apr 23 2013 by ramana
  ! NVRAM config last updated at 11:53:16 UTC Sun Apr 21 2013 by ramana
  version 15.1
  service config
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname r1
  boot-start-marker
  boot-end-marker
  enable secret 5 $1$6RzF$L6.zOaswedwOESNpkY0Gb.
  aaa new-model
  aaa authentication login local-console local
  aaa authentication login userauth local
  aaa authorization network groupauth local
  aaa session-id common
  dot11 syslog
  ip source-route
  ip cef
  ip domain name r1.com
  multilink bundle-name authenticated
  license udi pid CISCO1841 sn FHK145171DM
  username ramana privilege 15 secret 5 $1$UE7J$u9nuCPGaAasL/k7CxtNMj.
  username giet privilege 15 secret 5 $1$esE5$FD9vbBwTgHERdRSRod7oD.
  redundancy
  crypto isakmp policy 10
  encr 3des
  authentication pre-share
  group 2
  crypto isakmp client configuration group ra-vpn
  key xxxxxx
  domain r1.com
  pool vpn-pool
  acl 150
  save-password
    include-local-lan
  max-users 10
  crypto ipsec transform-set my-vpn esp-3des esp-md5-hmac
  crypto dynamic-map RA 1
  set transform-set my-vpn
  reverse-route
  crypto map ra-vpn client authentication list userauth
  crypto map ra-vpn isakmp authorization list groupauth
  crypto map ra-vpn client configuration address respond
  crypto map ra-vpn 1 ipsec-isakmp dynamic RA
  interface Loopback0
  ip address 10.2.2.2 255.255.255.255
  interface FastEthernet0/0
  bandwidth 8000000
  ip address 117.239.xx.xx 255.255.255.240
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip nat outside
  ip virtual-reassembly
  duplex auto
  speed auto
  crypto map ra-vpn
  interface FastEthernet0/1
  description $ES_LAN$
  ip address 192.168.10.252 255.255.255.0 secondary
  ip address 10.10.10.1 255.255.252.0 secondary
  ip address 172.16.0.1 255.255.252.0 secondary
  ip address 10.10.7.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  duplex auto
  speed auto
  ip local pool vpn-pool 172.18.1.1   172.18.1.100
  ip forward-protocol nd
  ip http server
  ip http authentication local
  no ip http secure-server
  ip dns server
  ip nat pool INTERNETPOOL 117.239.xx.xx 117.239.xx.xx netmask 255.255.255.240
  ip nat inside source list 100 pool INTERNETPOOL overload
  ip route 0.0.0.0 0.0.0.0 117.239.xx.xx
  access-list 100 permit ip 10.10.7.0 0.0.0.255 any
  access-list 100 permit ip 10.10.10.0 0.0.1.255 any
  access-list 100 permit ip 172.16.0.0 0.0.3.255 any
  access-list 100 permit ip 192.168.10.0 0.0.0.255 any
  access-list 150 permit ip 10.10.7.0 0.0.0.255 172.18.0.0 0.0.255.255
  access-list 150 permit ip host 10.2.2.2 172.18.1.0 0.0.0.255
  access-list 150 permit ip 192.168.10.0 0.0.0.255 172.18.1.0 0.0.0.255
  control-plane
  line con 0
  login authentication local-console
  line aux 0
  line vty 0 4
  login authentication local-console
  transport input telnet ssh
  scheduler allocate 20000 1000
  end
  r1>sh ip route
  Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
         D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
         N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
         E1 - OSPF external type 1, E2 - OSPF external type 2
         i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
         ia - IS-IS inter area, * - candidate default, U - per-user static route
         o - ODR, P - periodic downloaded static route, + - replicated route
  Gateway of last resort is 117.239.xx.xx to network 0.0.0.0
  S*    0.0.0.0/0 [1/0] via 117.239.xx.xx
        10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks
  C        10.2.2.2/32 is directly connected, Loopback0
  C        10.10.7.0/24 is directly connected, FastEthernet0/1
  L        10.10.7.1/32 is directly connected, FastEthernet0/1
  C        10.10.8.0/22 is directly connected, FastEthernet0/1
  L        10.10.10.1/32 is directly connected, FastEthernet0/1
        117.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
  C        117.239.xx.xx/28 is directly connected, FastEthernet0/0
  L        117.239.xx.xx/32 is directly connected, FastEthernet0/0
        172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
  C        172.16.0.0/22 is directly connected, FastEthernet0/1
  L        172.16.0.1/32 is directly connected, FastEthernet0/1
        172.18.0.0/32 is subnetted, 1 subnets
  S        172.18.1.39 [1/0] via 49.206.59.86, FastEthernet0/0
        192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
  C        192.168.10.0/24 is directly connected, FastEthernet0/1
  L        192.168.10.252/32 is directly connected, FastEthernet0/1
  r1#sh crypto isakmp sa
  IPv4 Crypto ISAKMP SA
  dst             src             state          conn-id status
  117.239.xx.xx   49.206.59.86    QM_IDLE           1043 ACTIVE
  IPv6 Crypto ISAKMP SA
  r1 #sh crypto ipsec sa
  interface: FastEthernet0/0
      Crypto map tag: giet-vpn, local addr 117.239.xx.xx
     protected vrf: (none)
     local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
     remote ident (addr/mask/prot/port): (172.18.1.39/255.255.255.255/0/0)
     current_peer 49.206.59.86 port 50083
       PERMIT, flags={}
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts compr. failed: 0
      #pkts not decompressed: 0, #pkts decompress failed: 0
      #send errors 0, #recv errors 0
       local crypto endpt.: 117.239.xx.xx, remote crypto endpt.: 49.206.xx.xx
       path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
       current outbound spi: 0x550E70F9(1427009785)
       PFS (Y/N): N, DH group: none
       inbound esp sas:
        spi: 0x5668C75(90606709)
          transform: esp-3des esp-md5-hmac ,
          in use settings ={Tunnel UDP-Encaps, }
          conn id: 2089, flow_id: FPGA:89, sibling_flags 80000046, crypto map: ra-vpn
          sa timing: remaining key lifetime (k/sec): (4550169/3437)
          IV size: 8 bytes
          replay detection support: Y
          Status: ACTIVE
       inbound ah sas:
       inbound pcp sas:
       outbound esp sas:
        spi: 0x550E70F9(1427009785)
          transform: esp-3des esp-md5-hmac ,
          in use settings ={Tunnel UDP-Encaps, }
          conn id: 2090, flow_id: FPGA:90, sibling_flags 80000046, crypto map: ra-vpn
          sa timing: remaining key lifetime (k/sec): (4550170/3437)
          IV size: 8 bytes
          replay detection support: Y
          Status: ACTIVE
       outbound ah sas:
       outbound pcp sas:

  hi  Maximilian Schojohann..
  First i would like to Thank you for showing  interest in solving my issue...After some research i found that desabling the " IP CEF" will solve the issue...when i desable i was able to communicate success fully with the router lan..But when i desable " IP CEF "  Router cpu processer goes to 99% and hangs...
  In the output of " sh process cpu" it shows 65% of utilization from "IP INPUT"
  so plz give me an alternate solution ....thanks in advance....

• Traceroute issue - CE router replys 2 hops on ingress & egress interfaces

  Hi Guys,
  Please help to explain the following traceroute issue :
  I have 2 Cisco Routers R1 & R2 on two sites, both of them are connecting to Telco MPLS/VPN cloud. When I do traceroute from R1 to R2, I found the first 2 hops reflect the ingress and egress interfaces on the same CE router, which is connecting to R1. Please see following details:
  Traceroute path (on R1, do traceroute R2's loopback address):
  R1 -- CE1 -- PE1 -- PE2 -- CE2 -- R2
  Tracing output:
  1. CE1_ingress_int
  2. CE1_egress_int
  3. CE2_ingress_int
  4. R2_ingress_int
  FYI: the /30 link route between CE1 & PE1 is not advertised to R1. not sure if this affects or not.
  I have no access to to the Telco CEs & PEs , I assume it might be related to CE1's MPLS traceroute configuration. Or it might be related to the ttl propagation between the IP & MPLS domain?
  Your help is highly appreciated!
  Thanks and best regards
  Jerry

  It is hard to figure out what the issue is without having a look at CE1.
  Are you certain that the second entry you are seeing is CE1 egress interface IP address and not PE1 ingress interface IP address?
  The fact that the CE-PE /30 subnet is not known by R1 has nothing to do with the behavior you are seeing.
  Hope this helps,

• Central Site Internet Connectivity for MPLS VPN User

  What are the solutions of Central site Internet connectivity for a MPLS VPN user, and what is the best practice?

  Hello,
  Since you mentioned that Internet Access should be through a central site, it is clear that all customer sites (except the central) will somehow have a default (static/dynamic) to reach the central site via the normal VPN path for unknown destinations. Any firewall that might be needed, would be placed at the central site (at least). So, the issue is how the central site accesses the Internet.
  Various methods exist to provide Internet Access to an MPLS VPN. I am not sure if any one of them is considered the best. Each method has its pros and cons, and since you have to balance various factors, those factors might conflict at some point. It is hard to get simplicity, optimal routing, maximum degree of security (no matter how you define "security"), reduced memory demands and cover any other special requirements (such as possibility for overlapping between customer addresses) from a single solution. Probably the most secure VPN is the one which is not open to the Internet. If you open it to the Internet, some holes also open inevitably.
  One method is to create a separate Internet_Access VPN and have other VPNs create an extranet with that Internet_Access VPN. This method is said to be very secure (at least in terms of backbone exposure). However, if full routing is a requirement, the increased memory demands of this solution might lead you to prefer to keep the internet routing table in the Global Routing Table (GRT). You might have full routing in the GRT of PEs and Ps or in PEs only (second is probably better).
  Some names for solutions that exist are: static default routing, dynamic default routing, separate BGP session between PE and CE (via separate interface, subinterface or tunnel), extranet with internet VRF (mentioned earlier), extranet with internet VRF + VRF-aware NAT.
  The choice will depend on the requirements of your environment. I cannot possibly describe all methods here and I do not know of a public document that does. If you need an analysis of MPLS VPN security, you may want to take a look at Michael Behringer's great book with M.Morrow "MPLS VPN Security". Another book that describes solutions is "MPLS and VPN Architectures" by Ivan Pepelnjak. There is a Networkers session on MPLS VPNs that lists solutions. There is also a relevant document in CCO:
  http://www.cisco.com/en/US/tech/tk436/tk428/technologies_configuration_example09186a00801445fb.shtml (covering static default routing option).
  Kind Regards,
  M.

• MPLS-VPN w/NAT for Internet connectivity.

  We have implemented MPLS-VPN and site-to-site connectivity seems to be working fairly well. However, we are having strange issue when trying to access the Internet. For some odd reason, we are not able to get to some sites such as ebay.com, latimes.com, nytimes.com, moviefone.com. We are running dynamic NAT and the topology looks like this:
  Laptop----CE-------PE-----NAT------BR-----Internet
  This is a simple layout of what we have currently in the lab. NAT router is not running MPLS but we are using VRF to create sub-interfaces on FE connecting PE and NAT router for each customers. I have access-list allowing 10.x.x.x/8.
  Laptop-CE - 10.0.0.8/30
  CE-PE - 10.0.0.0/30
  PE-NAT - 10.0.1.0/30
  Also, we are able to ping, trace, ftp, use remote desktop, pcanywhere. It seems to be only affecting http. We've been working on this for couple of days now and we've hit a wall. Any help will be greatly appreciated.
  JK

  I had a slightly different yet similar problem a few months ago on our mpls network with the CE devices, and turned out the DF bit had to be set to 0 to enable fragmentation _prior_ to traffic entering the core.
  Fixed it right up by setting a policy on the ethernet port.
  -Jeff

• 8350i direct connect messages issue

  Hi I was wondering if there was a solution for the messages popping up in the messages folder when someone direct connects me?  Yes I have turned off the forward to none and really could not make heads or tails of the one post there is on this issue.  I am assuming that us 8350 owners have to wait for a software upgrade.  Is this correct or has this issue been solved in another way.
  Thanks

  I have the 8350i and a Mac.
  I have my info on iCal and Address Book.
  When I sync, everything is ok, except 2 problems.
  The Direct Connect ID's and the BB PIN's do not sync.
  In the Mac's Address Book, I have them under:
  DCID  =  'Home 2' 
  BB PIN =   'Home Fax'
  I have them labeled like that because that's how Entourage/Address Book syncs them.
  For example,
  When I create a new contact on my BB that has email, phone, address, direct connect#, PIN, company...  and then I sync with my mac... I will see in the Mac's Address Book the new contact with the email, phone, address, company... but no direct connect# and no PIN.
  In short, there is no field that corresponds to Direct Connect# and PIN#  when trying to sync with BlackBerry Desktop Manager for Mac and a BlackBerry Curve 8350i.  Is this true?
  THX
  Message Edited by framal on 10-05-2009 02:19 PM

• HT201210 you are running the latest version of iTunes, have no other USB devices attached, have no security software installed, and are directly connected to your ISP source, simply restarting the computer and the iOS device can clear up certain issues th

  you are running the latest version of iTunes, have no other USB devices attached, have no security software installed, and are directly connected to your ISP source, simply restarting the computer and the iOS device can clear up certain issues that could prevent you from restoring. After restarting the computer and iOS device, attempt to restore again.

  How big is your library?  I would recommend the following troubleshooting steps:
  - Backup your library.  Always a good idea before messing with things.  
  - Create a new library.   Refer to this article for details:  http://support.apple.com/kb/HT1589.  This won't delete your old library, you're just creating a new empty one.  Also refer to this article to get back to your old library later.
  - Add a few albums into this new library.  Not everything, just a small sampling, as a test.
  - Activate Match on this new library.  You shouldn't have to re-pay, it should just say "Add Computer" or similar.
  - At this point, Match should run again. With just a few albums it should complete in just a few minutes.
  If iTunes doesn't crash at this point, then likely there's something about your original library that Match doesn't like - what that is I don't know, but at least you'll know it's not your PC.   If iTunes still crashes, then if could be a number of other things, but probably not your library.   My next suggestion (if you haven't already done this) is to uninstall / reinstall iTunes.   If that doesn't work, then my next ideas you won't like.   

• MPLS VPNs alongwith T1 and sub-rate SONET/SDH connections

  Hi,
  I know this question might seem out of place in this particular forum, I apologize for that.
  We currently offer MPLS VPN services on my Cisco 7600 platform with supported FE/GE modules.
  Coming to my question, can I offer DS0/T1 services without adding a new optical (SONET/SDH) box and on the same 7600 (I have enough slots available)
  I was thinking of this particular module for delivering the required additional services:
  http://www.cisco.com/en/US/docs/routers/7600/install_config/12.2SX_OSM_config/Prtn.html
  and
  http://www.cisco.com/en/US/docs/routers/7600/install_config/12.2SX_OSM_config/crns.html
  Is anyone of you guys doing something similar?
  I would request for some inputs w.r.t. stability and/or other factors I should consider before I start to seriously think of them as an alternative option instead of going for separate Optical devices.
  P.S.: This is not MPLS VPNs on subrate interfaces but subrate/T1 'IPLC' service by itself.
  Thanks
  Cheers
  ~sultan

  No, you will need to put an additional module to support DS0/T1 services on your 7600. Following link may help you
  http://www.cisco.com/en/US/products/hw/modules/ps2831/products_data_sheet09186a008015cfe9.html

• L3 MPLS-VPN with ATM Interfaces

  Hi
  I tacked a L3 MPLS-VPN from a MPLS service provider.My VPN have three points.
  In first point, I have a PA-A3-OC3 over cisco router 7206. how can I config to place PVC1/2 into VPN?

  You need that pvc to be under a separate sub-interface and then you can configure "ip vrf for " under that sub-interface.
  Hope this helps,

• MPLS VPN / BGP Netflow Issue

  I have followed all of the configuration steps given for egress accounting with netflow on a MPLS VPN link. However, it is only showing flows coming into the router. I need to be able to account both ways- any recommendations? Config below:
  interface Multilink12
  mtu 1580
  ip address XX.XX.XX.XX 255.255.255.252
  no ip redirects
  no ip unreachables
  ip pim sparse-mode
  ip route-cache flow
  mpls netflow egress
  mpls label protocol ldp
  mpls ip
  ppp multilink
  ppp multilink group 12
  ip flow-export source FastEthernet0/0/0.10
  ip flow-export version 5
  ip flow-export destination XX.XX.XX.XX 9996
  IP packet size distribution (10730093 total packets):
  1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
  .000 .098 .645 .011 .016 .012 .009 .010 .000 .001 .000 .001 .000 .000 .000
  512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
  .000 .000 .000 .002 .185 .000 .000 .000 .000 .000 .000
  IP Flow Switching Cache, 4456704 bytes
  4 active, 65532 inactive, 464700 added
  6109192 ager polls, 0 flow alloc failures
  Active flows timeout in 1 minutes
  Inactive flows timeout in 15 seconds
  IP Sub Flow Cache, 336520 bytes
  0 active, 16384 inactive, 20706 added, 20706 added to flow
  0 alloc failures, 0 force free
  1 chunk, 1 chunk added
  last clearing of statistics never
  Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)
  -------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow
  TCP-Telnet 7 0.0 20 233 0.0 7.0 11.3
  TCP-FTP 3 0.0 1 40 0.0 0.4 1.6
  TCP-WWW 5757 0.0 6 389 0.0 1.1 3.0
  TCP-SMTP 7 0.0 1 40 0.0 0.7 1.6
  TCP-X 244 0.0 1 54 0.0 0.0 1.5
  TCP-other 304762 0.2 7 346 1.6 2.2 4.8
  UDP-DNS 346 0.0 1 127 0.0 0.0 15.4
  UDP-NTP 3323 0.0 1 80 0.0 0.0 15.4
  UDP-other 131041 0.0 62 341 5.4 17.6 13.2
  ICMP 64291 0.0 1 79 0.0 0.0 15.4
  Total: 509781 0.3 21 341 7.1 5.9 8.3
  SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
  Mu12 10.50.66.218 Null 10.105.0.1 11 0675 00A1 84
  Mu12 10.50.66.218 Null 10.105.19.10 11 0675 00A1 2
  Mu12 10.50.66.218 Null 10.105.19.3 11 0675 00A1 4
  Mu12 10.50.66.42 Null 10.105.19.10 06 0B3C 01BD 12

  Update on this- Im now receiving all traffic incoming into the interface, but am tracking only about 10% of the outgoing traffic- revised config below:
  ip flow-cache timeout active 1
  ip flow-cache mpls label-positions 1 2 3
  ipv6 flow-cache mpls label-positions 1 2 3
  interface Multilink12
  mtu 1580
  ip address XX.XX.XX.XX 255.255.255.252
  no ip redirects
  no ip unreachables
  ip flow ingress
  ip flow egress
  ip pim sparse-mode
  ip route-cache flow
  mpls netflow egress
  mpls label protocol ldp
  mpls ip
  ppp multilink
  ppp multilink group 12
  service-policy output cbwfq-voice20per
  ip flow-export source FastEthernet0/0/0.10
  ip flow-export version 9 origin-as
  ip flow-export destination XX.XX.XX.XX 9996

• Direct Connect Migration Issues

  So I'm about to get my MacBook Pro in the mail soon and I was looking at Apple's Great Migration page. Here is what I want to do (direct connect):
  Direct connect
  To move files by connecting your Mac directly to your PC:
  1. Connect your Mac to your PC using a standard Ethernet cable.
  2. Make sure that both computers are turned on.
  3. In the Finder on your Mac, choose Connect to Server from the Go menu to open the window.
  4. Type your PC's network address in the Server Address text box using one of these formats:
  * smb://DNSname/ShareName
  * smb://IPaddress/ShareName
  5. Click Connect.
  6. Follow the onscreen instructions to enter your PC's workgroup name, user name, password, and the volume or folder you wish to access.
  7. Your PC volume should appear on your Mac Desktop.
  8. Open the volume and drag and drop files directly from it to anywhere on your Mac.
  9. When finished, drag your PC volume to the Trash to unmount it.
  For #4, what do I enter in for this?:
  * smb://DNSname/ShareName
  * smb://IPaddress/ShareName
  Thanks so much!

  There are several BDE replacements that allow you to connect to
  Oracle from Delphi with out BDE or ODBC
  DOA- Direct Oracle Access from Allaround Automation ~$200.00
  http://www.allroundautomations.nl/index.html
  NCOCI8 is freeware.
  Goto to www.kylecords.com and they list BDE replacements.
  I use DOA and their PL/SQL developer systems from Allaround
  Automations and they are both excellent systems with excellent
  support.

• Remote access VPN client gets connected fails on hosts in LAN

  Hi,
  VPN client gets connected fine, I have a inter VLAN routing happening on the switch in the LAN so all the LAN hosts have gateway IP on the switch, I have the defult route pointing to ASA inside interface on the switch, the switch I can reach after Remote Access VPN is connected how ever I cannot ping/connect to other hosts in the LAN and if I make the gateway point to the ASA then that host is accessible, any suggestions? I really want to have gateway to be the Switch as I have other networks reachable through the Switch (Intranet routing)

  Hi Mashal,
  Thanks for your time,
  VPN Pool(Client) 192.168.100.0/24
  Internal Subnets 192.9.200.0/24(VLAN 4000) and 192.168.2.0/24 (VLAN 1000)
  =============
  On the Switch
  =============
  Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
         D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
         N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
         E1 - OSPF external type 1, E2 - OSPF external type 2
         i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
         ia - IS-IS inter area, * - candidate default, U - per-user static route
         o - ODR, P - periodic downloaded static route
  Gateway of last resort is 192.168.2.5 to network 0.0.0.0
       172.32.0.0/24 is subnetted, 1 subnets
  C       172.32.0.0 is directly connected, Vlan101
  C    192.168.200.0/24 is directly connected, Vlan2000
  C    192.9.200.0/24 is directly connected, Vlan4000
  S    192.168.250.0/24 [1/0] via 192.9.200.125
  S    192.168.1.0/24 [1/0] via 192.9.200.125
  C    192.168.2.0/24 is directly connected, Vlan1000
  S    192.168.252.0/24 [1/0] via 192.9.200.125
  S*   0.0.0.0/0 [1/0] via 192.168.2.5
  ===============
  On ASA
  ===============
  Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
         D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
         N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
         E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
         i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
         * - candidate default, U - per-user static route, o - ODR
         P - periodic downloaded static route
  Gateway of last resort is 172.32.0.2 to network 0.0.0.0
  C    172.32.0.0 255.255.255.0 is directly connected, outside
  C    192.9.200.0 255.255.255.0 is directly connected, inside
  C    192.168.168.0 255.255.255.0 is directly connected, failover
  C    192.168.2.0 255.255.255.0 is directly connected, MGMT
  S    192.168.100.2 255.255.255.255 [1/0] via 172.32.0.2, outside
  S    192.168.100.3 255.255.255.255 [1/0] via 172.32.0.2, outside
  S*   0.0.0.0 0.0.0.0 [1/0] via 172.32.0.2, outside
  We don't need route print on the PC for now as I can explain what is happening I can get complete access to the 192.168.2.0/24 (VLAN 1000) but for 192.9.200.0/24 (VLAN 4000) above from the switch I can only ping IP's on the switches/pair but cannot have any tcp connections, which explains the default route being pointed on the switch is on VLAN 1000, now my issue is How do I get access to VLAN 4000 as you can see these two are on different Interfaces/zones on the ASA and please note with default gateway pointing to ASA I will have access to both the VLAN's it is only when I move the gateway pointing to Switch I loose tcp connections to one VLAN depending on the default route  on the being pointing to on the switch.
  So we are left to do with how to on the switch with default route.