Troubleshooting MPLS L2 and L3 VPNs

Would really appreciate if someone could suggest a link with details on troubleshooting MPLS L2 and L3 VPNs.

Buy 'Troubleshooting Virtual Private Networks'
(ISBN 1587051044):
www.ciscopress.com/1587051044
It includes:
About 150+ pages on MPLS layer 3 VPNs (in-depth troubleshooting/troubleshooting case studies/etc).
About 80+ pages on AToM (Martini draft) - technology/config/in-depth troubleshooting.
Then there's (off the top of my head) about 70+ pages
on L2TPv3 pseudowire (technology/config/in-depth
troubleshooting) just in case you want to compare
pseudowire technologies :)
And also about 100 pages of in-depth IPsec
troubleshooting, etc, etc.
You can download a 40 page
excerpt of the MPLS layer 3 VPN troubleshooting
chapter from the Cisco Press website.

Similar Messages

  • Performance end to end testing and comparison between MPLS VPN and VPLS VPN

    Hi,
    I am student of MSc Network Security and as for my project which is " Comparison between MPLS L3 VPN and VPLS VPN, performance monitoring by end to end testing " I have heard a lot of buzz about VPLS as becoming NGN, I wanted to explore that and produce a comparison report of which technology is better. To accomplish this I am using GNS3, with respect to the MPLS L3 VPN lab setup that is not a problem but I am stuck at the VPLS part how to setup that ? I have searched but unable to find any cost effective mean, even it is not possible in the university lab as we don't have 7600 series
    I would appreciate any support, guidance, advice.
    Thanks
    Shahbaz

    Hi Shahbaz,
    I am not completely sure I understand your request.
    MPLS VPN and VPLS are 2 technologies meant to address two different needs, L3 VPN as opposed as L2 VPN. Not completely sure how you would compare them in terms of performance. Would you compare the performance of a F1 racing car with a Rally racing car?
    From the ISP point of view there is little difference (if we don't want to consider the specific inherent peculiarities of each technology) , as in the very basic scenarios we can boil down to the following basic operations for both:
    Ingress PE impose 2 labels (at least)
    Core Ps swap top most MPLS label
    Egress PE removes last label exposing underlying packet or frame.
    So whether the LSRs deal with underlying L2 frames or L3 IP packets there is no real difference in terms of performance (actually the P routers don't even notice any difference).
    About simulators, I am not aware of anyone able to simulate a L2 VPN (AtoM or VPLS).
    Riccardo
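The three operations listed in the reply above (ingress PE imposes two labels, P routers swap the topmost label, egress PE removes the last label), as an added example that is not part of the original post. It uses the 32-bit label stack entry layout from RFC 3032; the label values, the `LFIB_P1` table and the service names are constructed for illustration.

```python
import struct

def encode_entry(label, tc=0, s=0, ttl=64):
    """Pack one 32-bit label stack entry: label(20) | TC(3) | S(1) | TTL(8)."""
    if not (0 <= label < 1 << 20 and 0 <= tc < 8 and s in (0, 1) and 0 <= ttl < 256):
        raise ValueError("field out of range")
    return struct.pack("!I", (label << 12) | (tc << 9) | (s << 8) | ttl)

def decode_stack(packet):
    """Walk entries until the bottom-of-stack bit; return (entries, payload)."""
    entries, offset = [], 0
    while True:
        if offset + 4 > len(packet):
            raise ValueError("label stack truncated before bottom-of-stack bit")
        (word,) = struct.unpack_from("!I", packet, offset)
        offset += 4
        entries.append({"label": word >> 12, "tc": (word >> 9) & 0x7,
                        "s": (word >> 8) & 0x1, "ttl": word & 0xFF})
        if entries[-1]["s"]:
            return entries, packet[offset:]

def ingress_pe(payload, transport_label, service_label, ttl=64):
    """Impose two labels: outer transport label (S=0), inner service label (S=1)."""
    return (encode_entry(transport_label, s=0, ttl=ttl)
            + encode_entry(service_label, s=1, ttl=ttl) + payload)

def p_swap(packet, lfib):
    """Core P router: rewrite only the topmost label and decrement its TTL."""
    (word,) = struct.unpack_from("!I", packet, 0)
    label, ttl = word >> 12, word & 0xFF
    if label not in lfib:
        raise KeyError(f"no LFIB entry for label {label}")
    if ttl <= 1:
        raise ValueError("TTL expired")
    # 0xF00 keeps the TC and S bits; everything after the first 4 bytes is untouched.
    return struct.pack("!I", (lfib[label] << 12) | (word & 0xF00) | (ttl - 1)) + packet[4:]

def egress_pe(packet, services):
    """Strip the stack and pick the service from the bottom label.

    Works whether or not an upstream router already popped the transport label."""
    entries, payload = decode_stack(packet)
    return services[entries[-1]["label"]], payload

# Constructed tables (hypothetical values, not from the original thread).
LFIB_P1 = {16001: 16002}
SERVICES = {24010: "L3VPN vrf CUST-A", 24020: "L2VPN pseudowire 100"}

def walk(payload, service_label):
    """Carry one payload PE -> P -> PE; return (stack seen in core, service, payload)."""
    packet = ingress_pe(payload, 16001, service_label)
    in_core = p_swap(packet, LFIB_P1)
    service, delivered = egress_pe(in_core, SERVICES)
    return decode_stack(in_core)[0], service, delivered

if __name__ == "__main__":
    samples = ((b"constructed IP packet", 24010), (b"constructed Ethernet frame", 24020))
    for payload, label in samples:
        print(walk(payload, label))
```

The P router code path is identical for both payloads: it reads and rewrites four bytes and never inspects what follows the bottom-of-stack entry.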

  • Design Help with MPLS/BGP and Point to Point VPNs using OSPF as backup

    I need some advice on the configuration I want to implement. Basically we have a MPLS cloud using BGP. We are using OSPF for internal routing. Everything is working fine. Now we want to add a Point to Point VPN using new Cisco ASA's for a backup path at all of our remote locations. We want it to be on standby. I want to use OSPF for this. Miami and LA are datacenters. I want the VPN's to go into both datacenters if possible running OSPF for backups. I have a feeling this will be very tricky. I also wanted to use floating routes. Now I know I get the VPN's up and running using OSPF with no problem. Here are my questions:
    But being that I am using different areas, will OSPF through the VPN work correctly? I have the Cisco PDF on setting this up but it looks like they are using the same, AREA0, in the example.
    Can I get both VPN's to work with no problems? Or will it be too much of a pain?
    What would you guys suggest?
    Thanks.

    We are implementing the same solution, and was only able to make this work using HSRP one router for the MPLS connection and one for the VPN tunnel. I opened a TAC case and the tech couldn't get it to work either. I was able to establish the Lan-2-lan tunnel but triggering the route update was the problem. We ended up pulling our ASA5505's out and putting in 1841 routers.

  • I have two location one is Delhi(IP-192.168.100.*) and another is Mumbai(IP-192.168.1.*) and both are connected by MPLS line and ping with each other. We have one DC in Delhi location and domain name is CAPLDC and Delhi location all PC is member of this

    I have two location one is Delhi(IP-192.168.100.*) and another is Mumbai(IP-192.168.1.*) and both are connected by MPLS line and ping with each other.
    We have one DC in Delhi location and domain name is CAPLDC and Delhi location all PC is member of this domain and working properly.
    now i am trying join the Mumbai location PC with my Domain(CAPLDC) but they are not join with my DC and generate the error.
    I have check the DNS and nslookup all are correct but this is generate error. 
     Is this possible Mumbai location join with this Domain(CAPLDC)???
    One more thing when i have created another DC with this name (papldc.com) then Mumbai location is joined properly.
    Pls find the error message below and also find the attachment.
    Note: This information is intended for a network administrator.  If you are not your network's administrator, notify the administrator that you received this information, which has been recorded in the file C:\Windows\debug\dcdiag.txt.
    The domain name "capldc" might be a NetBIOS domain name.  If this is the case, verify that the domain name is properly registered with WINS.
    If you are certain that the name is not a NetBIOS domain name, then the following information can help you troubleshoot your DNS configuration.
    DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain "capldc":
    The query was for the SRV record for _ldap._tcp.dc._msdcs.capldc
    The following domain controllers were identified by the query:
    capldcserver.capldc
    win-dyfq2poc88q.capldc
    However no domain controllers could be contacted.
    Common causes of this error include:
    - Host (A) or (AAAA) records that map the names of the domain controllers to their IP addresses are missing or contain incorrect addresses.
    - Domain controllers registered in DNS are not connected to the network or are not running.
    Pankaj Kumar

    Why are you using a single labeled domain? I would recommend renaming the domain name to be something like domain.com.
    Please refer to the articles below to fix your current issue:
    http://www.wincert.net/tips/networking/1614-cant-join-pc-to-a-domain-with-single-label.html
    http://www.itgeared.com/articles/1128-using-single-label-dns-names-for-active/
    This posting is provided AS IS with no warranties or guarantees , and confers no rights.
    Ahmed MALEK

  • 6500 sup 720 with MPLS, GRE and FWSM problem

    We have 6500 sup 720 with MPLS configured and FWSM in transparent  mode. We also terminate GRE tunnels on the same 6500.
    After implementing the command “mls mpls tunnel-recir” GRE tunnels are hardware switched (which we want them to be), but we don’t have any more connection from locations thru GRE tunnels to servers behind FWSM.
    Does anybody have idea how to solve this problem?

    Hi,
    not sure what you mean exactly.
    the command “mls mpls tunnel-recir” is needed to avoid packets corruption in cases where the Supervisor engine is handling both the GRE header encapsulation and the MPLS label stack imposition. Since it cannot do it in one single shot (without causing random corruption) recirculation is needed. Nevertheless its presence does not influence whether the GRE traffic is handled in hardware or in software. Even without it, IF THE GRE TUNNELS ARE CORRECTLY CONFIGURED (meaning that each GRE tunnels has its unique source address etc.), the traffic is handled in hardware.
    However since you say that after you enabled it you don't have connectivity anymore I suppose that some issue related to recirculation is happening (i.e. traffic ends up in the wrong internal vlan after recirculation).
    Unfortunately the support forum is not meant to help in this case as in-depth troubleshooting is required. For that you need a TAC case.
    regards,
    Riccardo

  • Difference between L2 and L3 VPN

    could any one tell me the difference between the l2 and l3 vpn
    regards,
    Mahesh.

    L2 MPLS VPN works on switching infrastructure as we all know and also has some limitations like works only point-to-point links, only for shorter distance etc. Likewise, L3 MPLS VPN works on routing infrastructure which has protocol support of MP-BGP,EIGRP and OSPF. More details on the following PDF.
    http://www.netcraftsmen.net/welcher/seminars/mplscon05-buyersguide.pdf

  • ASA 5505 site-to-site VPN tunnel and client VPN sessions

    Hello all
    I have several years of general networking experience, but I have not yet had to set up an ASA from the ground up, so please bear with me.
    I have a client who needs to establish a VPN tunnel from his satellite office (Site A) to his corporate office (Site Z).  His satellite office will have a single PC sitting behind the ASA.  In addition, he needs to be able to VPN from his home (Site H) to Site A to access his PC.
    The first question I have is about the ASA 5505 and the various licensing options.  I want to ensure that an ASA5505-BUN-K9 will be able to establish the site-to-site tunnel as well as allow him to use either the IPsec or SSL VPN client to connect from Site H to Site A.  Would someone please confirm or deny that for me?
    Secondly, I would like to verify that no special routing or configuration would need to take place in order to allow traffic not destined for Site Z (i.e., general web browsing or other traffic to any resource that is not part of the Site Z network) to go out his outside interface without specifically traversing the VPN tunnel (split tunneling?)
    Finally, if the client were to establish a VPN session from Site H to Site A, would that allow for him to connect directly into resources at Site Z without any special firewall security rules?  Since the VPN session would come in on the outside interface, and the tunnel back to Site Z goes out on the same interface, would this constitute a split horizon scenario that would call for a more complex config, or will the ASA handle that automatically without issue?
    I don't yet have the equipment in-hand, so I can't provide any sample configs for you to look over, but I will certainly do so once I've got it.
    Thanks in advance for any assistance provided!

    First question:
    Yes, 5505 will be able to establish site-to-site tunnel, and he can use IPSec vpn client, and SSL VPN (it comes with 2 default SSL VPN license).
    Second question:
    Yes, you are right. No special routing is required. All you need to configure is site-to-site VPN between Site A and Site Z LAN, and the internet traffic will be routed via Site A internet. Assuming you have all the NAT statement configured for that.
    Last question:
    This needs to be configured, it wouldn't automatically allow access to Site Z when he VPNs in to Site A.
    Here is what needs to be configured:
    1) Split tunnel ACL for VPN Client should include both Site Z and Site A LAN subnets.
    2) On site A configures: same-security-traffic permit intra-interface
    3) Crypto ACL for the site-to-site tunnel between Site Z and Site A needs to include the VPN Client pool subnet as follows:
    On Site Z:
    access-list permit ip
    On Site A:
    access-list permit ip
    4) NAT exemption on site Z needs to include vpn client pool subnet as well.
    Hope that helps.
    Message was edited by: Jennifer Halim

  • ASA 5505 Site to Site and Web VPN

    Hello all, I need to add a site to site tunnel from an ASA 5505 (ver 8.05) to a Sonic wall appliance. The problem is, the ASA already has remote access VPN and anyconnect VPN configured. I'm not sure if it's possible to add another secured tunnel to the device. I've already got one NAT 0 statement.
    Thanks for your expert opinions!

    Hi,
    There should be no problem adding a Site to Site VPN on the ASA even if it has Client VPN configured.
    If you for example have an "inside" interface which has NAT0 configuration like
    nat (inside) 0 access-list NAT0
    You just add the needed ACL lines to that existing ACL for the L2L VPN.
    On the basis of the information you provided I don't see any problem configuring the L2L VPN on the ASA.
    - Jouni

  • ASA 5505 as a SSL VPN Server and Easy VPN Client at the same time?

    Is it possible to configure and operate the ASA 5505 as a SSL VPN server and Easy VPN Client at the same time? We would like to configure a few of these without having to purchase additional ASA 5505 and use a 2 device method (1 SSL VPN Server and 1 Easy VPN Client). Thanks in advance.

    I don't think it is possible. Following links may help you
    http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a008068dabe.html
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008071c428.shtml

  • TS3048 I am using a bluetooth keyboard with my Mac and some of the keys are not working.  They are the numbers 1 through  9.  I have gone through the troubleshooting for mouse and keyboard and everything looks good. How can I get them to work again?

    Hi,  I am using a Mac computer that my husband set up.  I have worked on it recently with no problems.  Today, I am having problems with the bluetooth keyboard not  working properly.  The numbers 1 through 9 do not work.  I have gone through troubleshooting wireless mouse and keyboard issues and everything looks good.  Except, when I check the keys on the keyboard viewer, these keys still do not work.  The webpage guides me through and at this point I do not know what to do next, because the keyboard is still not working properly.  I sure hope there are some experienced people in the community to help me.  What should I do?

    Hi:
    I wish my suggestion had gotten you further.
    I do suggest you try to connect the keyboard again.  The request for a number is a step in it trying to pair.  If it gets by the number, it sometimes takes a little while to get connected.  If you are unable to get it connected and want a new one, I have been using Apple Bluetooth keyboards for years - and I like them. The one I have (the newest model) only uses two batteries and is very thin. 
    Speaking of batteries, if you are not already doing so, you might consider rechargeables.  I have a drawer full of them and use a 15 minute charger.  I got tired of buying batteries and rechargeables are environmentally friendly to boot. At the moment, I use 2450 mAh Energizers and a 15 minute Energizer charger (all purchased new on eBay at a very reasonable price).
    I am far from an iPad "expert," although I have one.  If my suggestion below does not help, post your question in a separate thread in the iPad forum.
    I had a terrible time syncing my iCal on my Mac with my iPad iCal (confusing - hopefully it makes sense).  I quit using iCloud as that added to the confusion. There is a facility to one-time sync items.  When you connect your computer to your iPad, iTunes opens.  The system begins a process (automatic backup and so on). After it finishes, you can click on "info."  At the bottom of the screen, there is an advanced section.  You can select any of the items and then force it to sync. The iCal information from your computer would be deposited on the iPad. 
    After all that, I do not use a Google calendar so the information may be worthless to you.
    If you want to reset the iPad to factory settings, you can do that when it is connected to iTunes (one of the options).  Me being me, I try never to erase anything. 
    Barry
    Message was edited by: Barry Hemphill

  • Error with Ericsson h5321gw and IPSEC VPN-Connections

    There is an error in the Lenovo drivers [7.x] for the Ericsson h5321gw UMTS module.
    Symptoms on Windows 7 x64:
    UMTS is working fine. When you connect a vpn ipsec connection through the UMTS , the internet connection (and the vpn as well) gets unstable and has a packet loss of 30% to 50%.
    Solution:
    Install the UMTS drivers in the NDIS 5.0 mode on Windows 7. (The only problem is, that the system boot takes about 1 minute longer with the ndis 5 drivers).
    Further Reading: Message 5: http://forums.lenovo.com/t5/T400-T500-and-newer-T-series/Outlook-Exchange-connection-unstable-on-T52...
    Howto from the Lenovo Forum:
    Force the installation to install Ericsson's vista driver instead of win7 driver. Vista driver is NDIS 5. Installation can be done.
    -> extract the Ericsson drivers package but don't let it install the driver. There should be extracted a setup.exe file
    -> do the installation with command: setup.exe /zFORCEVISTA
    This helped for us.
    Tip:
    If you want to install the win7 driver back, it can be done with command: setup.exe /zFORCEWIN7
    Otherwise using the setup.exe will install the vista ndis 5 since it once has been told to install it by /zFORCEVISTA
    I hope, Lenovo can solve this issue quickly.
    Greetings

    I’m not sure this is the same issue you guys are running into, but I’m using the built-in Ericsson h5321gw and ATT SIM on an i7 X1 Carbon. I am required to use a Cisco VPN Client and after connecting successfully to my VPN endpoint via ATT WWAN, I could not get any data in/out the tunnel.
    I tried in both Windows 7 and Windows 8 OS, even trying the setup.exe /zFORCEWIN7 work around to no avail.
    After doing some searching, I came across a blog post describing the same issue I had.
    There is an update to Windows’ DNE that actually solved the issue for me using the standard Ericsson W8 (and W7) drivers. (I also performed the h5321gw firmware update from Lenovo, but I did that before the DNEUpdate – that alone did _not_ fix it)
    DNEUpdate x64: ftp://files.citrix.com/dneupdate64.msi
    DNEUpdate x86: ftp://files.citrix.com/dneupdate.msi
    Hope this helps.
    Credit from: http://stenby.wordpress.com/2012/10/03/cisco-vpn-client-and-built-in-lenovo-h5321gw-3g-card/

  • Border Manager 3.8.5 and S2S VPN

    I have a couple of questions with Border Manager and S2S VPN. Everything
    is up and running, we can ping both servers (Netware 6.5.6), we can ping
    workstations attached to each others network, we can access programs from
    each others network. Everything seems to be working great. The question I
    have is this - on both servers, under Remote Manager, VPN Monitoring, both
    show as 'Being Configured'. I do not think that this is an issue but there
    is another error in the Audit Log. The error -
    "Proposal Mismatch - Quick Mode: ESP - transform mismatch mine: esp des
    his: esp 3des dst: xx.xx.xx.xx src: xx.xx.xx.xx cookies
    my-his:17B2D88772DE1D61 - 4F15FFD50824F821".
    This appears on both servers Audit Log.
    Is this a legit error or a information error? I used Craig Johnson's 'A
    Beginner's Guide To BorderManager 3.x' but ended up making both VPN's
    masters as per Novell TID - 10095268.
    If anyone has an insight as to what these errors are and if there is a
    fix it would be greatly appreciated.
    Kelly

    Kelly Burnside wrote:
    > I have a couple of questions with Border Manager and S2S VPN. Everything
    > is up and running, we can ping both servers (Netware 6.5.6), we can ping
    > workstations attached to each others network, we can access programs
    > from each others network. Everything seems to be working great. The
    > question I have is this - on both servers, under Remote Manager, VPN
    > Monitoring, both show as 'Being Configured'.
    Sometimes the imanager snapin can not get the current status of the
    connection from vpinf so it shows 'Being Configured'. It can take some
    time, maybe days to change the status.
    > I do not think that this is
    > an issue but there is another error in the Audit Log. The error -
    > "Proposal Mismatch - Quick Mode: ESP - transform mismatch mine: esp des
    > his: esp 3des dst: xx.xx.xx.xx src: xx.xx.xx.xx cookies
    > my-his:17B2D88772DE1D61 - 4F15FFD50824F821".
    This is not an error, it is an information message.
    > This appears on both servers Audit Log. Is this a legit error or a
    > information error? I used Craig Johnson's 'A Beginner's Guide To
    > BorderManager 3.x' but ended up making both VPN's masters as per Novell
    > TID - 10095268. If anyone has an insight as to what these errors are
    > and if there is a fix it would be greatly appreciated.
    > Kelly
    Everything is fine, nothing to worry about.
    gonzalo
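A way to tally the audit-log entries discussed in this thread per peer, as an added example that is not part of the original posts. The regular expression is inferred from the single "Proposal Mismatch" entry quoted above, so the assumption is that other entries follow the same layout; the second sample entry and its addresses are constructed. It also marks which side listed single DES, whose 56-bit key is the weaker of the two transforms named in the message.

```python
import re
from collections import defaultdict

# Layout inferred from the one entry quoted in the thread (assumption).
MISMATCH_RE = re.compile(
    r"Proposal Mismatch - (?P<mode>[A-Za-z ]+?): (?P<proto>\w+) - transform mismatch "
    r"mine: (?P<mine>.+?) his: (?P<his>.+?) "
    r"dst: (?P<dst>\S+) src: (?P<src>\S+) cookies "
    r"my-his:(?P<my_cookie>[0-9A-Fa-f]{16}) - (?P<his_cookie>[0-9A-Fa-f]{16})"
)

WEAK_TRANSFORMS = {"des"}  # single DES only; "3des" is a different token

# First entry is the one from the thread (line-wrapped as posted);
# the second is constructed, using documentation address ranges.
SAMPLE_LOG = """
"Proposal Mismatch - Quick Mode: ESP - transform mismatch mine: esp des
his: esp 3des dst: xx.xx.xx.xx src: xx.xx.xx.xx cookies
my-his:17B2D88772DE1D61 - 4F15FFD50824F821".
Proposal Mismatch - Quick Mode: ESP - transform mismatch mine: esp 3des
his: esp des dst: 192.0.2.10 src: 198.51.100.7 cookies
my-his:0011223344556677 - 8899AABBCCDDEEFF
"""

def parse_mismatches(text):
    """Return one dict per mismatch entry; tolerates entries wrapped across lines."""
    flat = " ".join(text.split())
    return [m.groupdict() for m in MISMATCH_RE.finditer(flat)]

def summarize(text):
    """Group entries by (src, dst) and report each side's transforms."""
    peers = defaultdict(lambda: {"mine": set(), "his": set(), "count": 0})
    for rec in parse_mismatches(text):
        peer = peers[(rec["src"], rec["dst"])]
        peer["mine"].add(rec["mine"])
        peer["his"].add(rec["his"])
        peer["count"] += 1
    report = {}
    for key, peer in peers.items():
        weak_sides = [side for side in ("mine", "his")
                      if any(t.split()[-1].lower() in WEAK_TRANSFORMS for t in peer[side])]
        report[key] = {"count": peer["count"],
                       "mine": sorted(peer["mine"]),
                       "his": sorted(peer["his"]),
                       "weak_sides": weak_sides}
    return report

if __name__ == "__main__":
    for (src, dst), info in summarize(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {info}")
```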

  • Since I upgraded to Lion, my RSA securid token and Cisco VPN client doesn't work any longer. Anyone have suggestions on how to fix that?

    Since upgrading to Lion, I can no longer use VPN because my RSA securid token and Cisco VPN Client won't load. Any suggestions out there?

    .

  • [svn] 3777: Bug fix SDK-17677 Update to include MPL license and third-party notices.

    Revision: 3777
    Author: [email protected]
    Date: 2008-10-21 10:20:27 -0700 (Tue, 21 Oct 2008)
    Log Message:
    Bug fix SDK-17677 Update to include MPL license and third-party notices.
    QE Notes:
    Doc Notes:
    Bugs: SDK-17677
    Reviewer: Matt Chotin
    Ticket Links:
    http://bugs.adobe.com/jira/browse/SDK-17677
    Modified Paths:
    flex/sdk/trunk/modules/webtier/readme.txt

    Step by step, how did you arrive at seeing this agreement?

  • IPad and PPTP VPN - Internet access (e-mail & Safari) not working

    Hi there!
    I've got an iPad2 (WiFi only) and need to configure it to use Witopia PPTP VPN, which is the VPN provider I've been using for a long time on my desktop and netbook.
    Configure the iPad was an easy task, and I was able to successfully authenticate and establish a PPTP session with any of the Witopia servers.
    The problem is that once established the PPTP session, if the "send all traffic" option is ON, I have no Internet access at all (no e-mail neither browsing with Safari). Then, if I stop VPN, turn OFF the "send all traffic" option in the iPad, and start VPN again, I have Internet communication back and everything starts working fine. I've been fiddling with this in my home network (D-Link Dir-655 router using the IP 192.168.0.1 addressing scheme for my LAN).
    Obviously, I decided to leave the "send all traffic" option OFF, but then I discovered that doing this my Safari traffic is not encrypted and my IP is not masked, i.e. the VPN is up and running, I have normal Internet traffic, but the service to be provided by the VPN for some unknown reason is not happening.
    Does anyone have a clue about what's going on ?
    TIA
    RTadeu

    Have you tried a battery pull?  If not, give that a try and then try again. 
