Troubleshooting VRF
Hi,
We have a VRF infrastructure in the data center. I am pinging the host with the command:
ping vrf CUSTOMER_A ip IP_ADDRESS
It works. I would like to find out its MAC address and then its exact location (switch/mod/port), but I can't find its MAC. This is a Catalyst 6500 IOS platform.
Thanks for any advice.
Michal
Finally, I found that.
show ip arp vrf CUSTOMER_A IP_ADDRESS
You get the MAC, so you can then easily find the exact location of the server.
Michal
Similar Messages
-
Is there a limit to the number of static routes one could use within a VRF?
We have a large customer connected to an MPLS VRF-based backbone and, due to various limiting factors, this customer uses static routing from a PE-CE perspective.
We have been experiencing a problem where a static needs to be removed and placed back as routing to a site stops (no traffic passed). This happens intermittently and to different sites within different regions as well. All the general or expected troubleshooting procedures have been followed, i.e. check routing table, BGP, CEF tables, FIB etc. All seems fine; the only thing that resolves this is removing the static and then replacing it.
My thinking is that there might be a limit to the number of statics that one can use within a VRF and that we have reached the limit for this customer, which causes the intermittent failure.
Please advise.
I know of a "maximum routes limit" command to limit the number of routes in a VRF on a PE.
From this command reference I find there are no default values for this.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fswtch_r/xrfscmd3.htm#1032272
So I assume, the default is to allow a huge value and the only limitations would be the memory/capacity and the number of vrfs on the PE router.
If you are experiencing a problem in this regard and removing a static route is helping to overcome it, then I would only suspect a bug here.
I am also curious to know how many static routes you have in this particular VRF. -
VRF-lite, NAT and route-leaking
Hello, community. I'm trying to reproduce a setup with two customers (R1 and R2), a PE router (R3) and common services (R4).
Here is the configuration:
R1:
interface Loopback0
ip address 10.10.1.1 255.255.255.255
interface FastEthernet1/0
ip address 192.168.15.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.15.5
R2:
interface Loopback0
ip address 10.10.2.2 255.255.255.255
interface FastEthernet1/0
ip address 192.168.16.1 255.255.255.192
ip route 0.0.0.0 0.0.0.0 192.168.16.5
R3:
ip vrf VRF1
rd 1:1
route-target export 1:1
route-target import 1:1
ip vrf VRF2
rd 2:2
route-target export 2:2
route-target import 2:2
interface FastEthernet0/0
description R1
ip vrf forwarding VRF1
ip address 192.168.15.5 255.255.255.192
ip nat inside
ip virtual-reassembly
interface FastEthernet0/1
description R2
ip vrf forwarding VRF2
ip address 192.168.16.5 255.255.255.192
ip nat inside
ip virtual-reassembly
interface FastEthernet1/0
description R4
ip address 1.1.1.1 255.255.255.0
ip nat outside
ip virtual-reassembly
ip route 0.0.0.0 0.0.0.0 1.1.1.2
ip route vrf VRF1 0.0.0.0 0.0.0.0 FastEthernet1/0 1.1.1.2 global
ip route vrf VRF1 10.10.0.0 255.255.0.0 192.168.15.1
ip route vrf VRF2 0.0.0.0 0.0.0.0 FastEthernet1/0 1.1.1.2 global
ip route vrf VRF2 10.10.0.0 255.255.0.0 192.168.16.1
ip nat inside source list 15 interface FastEthernet1/0 vrf VRF1 overload
ip nat inside source list 16 interface FastEthernet1/0 vrf VRF2 overload
access-list 15 permit 192.0.0.0 0.255.255.255
access-list 15 permit 10.10.0.0 0.0.255.255
access-list 16 permit 192.0.0.0 0.255.255.255
access-list 16 permit 10.10.0.0 0.0.255.255
R4:
interface Loopback0
ip address 10.10.10.10 255.255.255.255
interface FastEthernet0/0
ip address 1.1.1.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 1.1.1.1
The configuration is not operational.
r1#ping 192.168.15.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.15.5, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 68/89/116 ms
r1#ping 192.168.15.5 source l0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.15.5, timeout is 2 seconds:
Packet sent with a source address of 10.10.1.1
Success rate is 100 percent (5/5), round-trip min/avg/max = 68/86/92 ms
r1#ping 1.1.1.1 source l0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.10.1.1
Success rate is 80 percent (4/5), round-trip min/avg/max = 292/357/400 ms
r1#ping 1.1.1.2 source l0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
Packet sent with a source address of 10.10.1.1
Success rate is 80 percent (4/5), round-trip min/avg/max = 160/187/216 ms
r1#ping 10.10.10.10 source l0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
Packet sent with a source address of 10.10.1.1
Success rate is 0 percent (0/5)
I can't ping R4's loopback address (the "shared resource", also known as "common service").
The same happens with R2 (the second customer).
But I can still ping R4's loopback from R3:
R3#ping 10.10.10.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/88/116 ms
This is the routing table on R3:
R3#sh ip route | begin Gateway
Gateway of last resort is 1.1.1.2 to network 0.0.0.0
1.0.0.0/24 is subnetted, 1 subnets
C 1.1.1.0 is directly connected, FastEthernet1/0
S* 0.0.0.0/0 [1/0] via 1.1.1.2
R3#sh ip route vrf VRF1 | begin Gateway
Gateway of last resort is 1.1.1.2 to network 0.0.0.0
192.168.15.0/26 is subnetted, 1 subnets
C 192.168.15.0 is directly connected, FastEthernet0/0
10.0.0.0/16 is subnetted, 1 subnets
S 10.10.0.0 [1/0] via 192.168.15.1
S* 0.0.0.0/0 [1/0] via 1.1.1.2, FastEthernet1/0
R3#sh ip route vrf VRF2 | begin Gateway
Gateway of last resort is 1.1.1.2 to network 0.0.0.0
10.0.0.0/16 is subnetted, 1 subnets
S 10.10.0.0 [1/0] via 192.168.16.1
192.168.16.0/26 is subnetted, 1 subnets
C 192.168.16.0 is directly connected, FastEthernet0/1
S* 0.0.0.0/0 [1/0] via 1.1.1.2, FastEthernet1/0
So the question is: what is the cause of the problem? How do I troubleshoot it? What are the troubleshooting steps?
Hi Eugene Khabarov,
The problem here is that at the PE we have the static route for the major subnet 10.10.0.0/16 pointing back to the CEs, and the ping destination IP 10.10.10.10 is part of that subnet.
We need to remove the major /16 route from the PE and configure an explicit /32 route for each CE loopback to make this work:
no ip route vrf VRF1 10.10.0.0 255.255.0.0 192.168.15.1
ip route vrf VRF1 10.10.1.1 255.255.255.255 192.168.15.1
no ip route vrf VRF2 10.10.0.0 255.255.0.0 192.168.16.1
ip route vrf VRF2 10.10.2.2 255.255.255.255 192.168.16.1
Hope this helps to answer your query.
Regards
Varma -
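To make the diagnosis above concrete, here is an added example (not from the thread or from Cisco) that models R3's VRF1 table as a plain prefix list and runs longest-prefix-match lookups before and after the /32 fix; the addresses are the ones posted above, and the `table` label recording whether a next hop resolves in VRF1 or the global table is my own annotation.

```python
"""Longest-prefix-match walk-through of R3's VRF1 table (added example).

Models the VRF1 routing table from the thread as a list of prefixes and
shows why a ping to 10.10.10.10 is sent back toward R1 while the /16
static exists, and falls through to the leaked default once the /16 is
replaced by a /32 for R1's loopback.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str   # next hop as printed by "sh ip route vrf VRF1"
    table: str      # assumed label: where the next hop resolves ("VRF1" or "global")


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest prefix match: the most specific route covering dst wins,
    which is how the router's FIB decides. Returns None when nothing covers dst."""
    addr = ipaddress.IPv4Address(dst)
    covering = [r for r in routes if addr in r.prefix]
    if not covering:
        return None
    return max(covering, key=lambda r: r.prefix.prefixlen)


def shadowing_routes(routes: List[Route], dst: str) -> List[Route]:
    """Routes more specific than the default that cover dst. Any entry here
    means the default route (and so the leak into the global table) is never
    consulted for that destination."""
    addr = ipaddress.IPv4Address(dst)
    return [r for r in routes if addr in r.prefix and r.prefix.prefixlen > 0]


def vrf1_as_posted() -> List[Route]:
    """R3's VRF1 table exactly as shown in the thread."""
    return [
        Route(ipaddress.ip_network("192.168.15.0/26"), "connected", "VRF1"),
        Route(ipaddress.ip_network("10.10.0.0/16"), "192.168.15.1", "VRF1"),
        Route(ipaddress.ip_network("0.0.0.0/0"), "1.1.1.2", "global"),
    ]


def vrf1_after_fix() -> List[Route]:
    """Same table after the suggested change: /16 removed, /32 for R1's Loopback0 added."""
    return [
        Route(ipaddress.ip_network("192.168.15.0/26"), "connected", "VRF1"),
        Route(ipaddress.ip_network("10.10.1.1/32"), "192.168.15.1", "VRF1"),
        Route(ipaddress.ip_network("0.0.0.0/0"), "1.1.1.2", "global"),
    ]


def explain(routes: List[Route], dst: str) -> str:
    """One-line forwarding decision for dst, for a quick eyeball check."""
    r = lookup(routes, dst)
    if r is None:
        return f"{dst}: no route"
    return f"{dst}: matched {r.prefix} -> {r.next_hop} ({r.table})"


if __name__ == "__main__":
    for name, table in (("as posted", vrf1_as_posted()), ("after fix", vrf1_after_fix())):
        print(f"--- VRF1 {name} ---")
        for dst in ("10.10.10.10", "10.10.1.1", "192.168.15.1"):
            print(explain(table, dst))
        print("routes shadowing the default for 10.10.10.10:",
              [str(r.prefix) for r in shadowing_routes(table, "10.10.10.10")])
```

The same check applies to VRF2 with 192.168.16.1 and 10.10.2.2 substituted; any static more specific than the default that covers the common-service address will hide the leaked route in exactly the same way.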
I provide my customers an Ethernet port off my PE (i.e. FastEthernet0/0 on the PE in the configuration below). They can connect whatever they want into the port. Most times it's simply a PC. The only thing they expect to get off that port is Internet access.
I'm trying to put all these users into a VRF called INTERNET, but I'm having some trouble getting the global table to see the networks that I'm assigning to my customers (i.e. 5.0.0.0/30 in the PE config below).
As near as I can tell, the VRF knows about the default gateway and the global table knows how to reach 5.0.0.0/30, but for some reason there's no connectivity and I'm not sure how to begin troubleshooting this.
Anyone have any pointers?
PE#traceroute vrf INTERNET 7.7.7.7
Type escape sequence to abort.
Tracing the route to 7.7.7.7
1 * * *
PE#show ip route vrf INTERNET
Routing Table: INTERNET
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP
+ - replicated route, % - next hop override
Gateway of last resort is 10.0.0.1 to network 0.0.0.0
S* 0.0.0.0/0 [250/0] via 10.0.0.1
5.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 5.0.0.0/30 is directly connected, FastEthernet0/0
L 5.0.0.1/32 is directly connected, FastEthernet0/0
PE#show ip bgp vpnv4 vrf INTERNET
BGP table version is 40, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, x best-external
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 21949:0 (default for vrf INTERNET)
*> 5.0.0.0/30 0.0.0.0 0 32768 ?
PE#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP
+ - replicated route, % - next hop override
Gateway of last resort is not set
1.0.0.0/8 is variably subnetted, 1 subnets, 1 masks
C 1.1.1.1/32 is directly connected, Loopback0
3.0.0.0/8 is variably subnetted, 1 subnets, 1 masks
O 3.3.3.3/32 [110/2] via 10.0.0.1, 2d02h, FastEthernet3/0
7.0.0.0/32 is subnetted, 1 subnets
B 7.7.7.7 [200/0] via 3.3.3.3, 1d18h
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.0.0.0/31 is directly connected, FastEthernet3/0
L 10.0.0.0/32 is directly connected, FastEthernet3/0
PE#show ip bgp
BGP table version is 35, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, x best-external
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*>i5.0.0.0/24 3.3.3.3 0 100 0 i
*>i7.7.7.7/32 3.3.3.3 0 100 0 1 i
PE#
P#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP
+ - replicated route, % - next hop override
Gateway of last resort is not set
1.0.0.0/8 is variably subnetted, 1 subnets, 1 masks
O 1.1.1.1/32 [110/2] via 10.0.0.0, 2d02h, FastEthernet1/0
5.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
S 5.0.0.0/24 is directly connected, Null0
S 5.0.0.0/30 [1/0] via 10.0.0.0, FastEthernet1/0
7.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C 7.0.0.0/31 is directly connected, FastEthernet0/0
L 7.0.0.0/32 is directly connected, FastEthernet0/0
B 7.7.7.7/32 [20/0] via 7.0.0.1, 2d02h
C 10.0.0.0/31 is directly connected, FastEthernet1/0
L 10.0.0.1/32 is directly connected, FastEthernet1/0
P#show ip route vrf INTERNET
Routing Table: INTERNET
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP
+ - replicated route, % - next hop override
Gateway of last resort is not set
5.0.0.0/30 is subnetted, 1 subnets
B 5.0.0.0 [200/0] via 1.1.1.1, 00:09:33
ISP#traceroute 5.0.0.2
Type escape sequence to abort.
Tracing the route to 5.0.0.2
1 7.0.0.0 40 msec 8 msec 4 msec
2 * * *
3 10.0.0.1 [AS 21949] 24 msec 16 msec 8 msec
4 * * *
5 10.0.0.1 [AS 21949] 32 msec 20 msec 12 msec
6 * * *
7 10.0.0.1 [AS 21949] 12 msec 16 msec 12 msec
8 * * *
9 10.0.0.1 [AS 21949] 28 msec 28 msec 16 msec
10 * * *
ISP#show ip route 5.0.0.0
Routing entry for 5.0.0.0/24, 1 known subnets
B 5.0.0.0 [20/0] via 7.0.0.0, 02:34:17
R7#
!PE
ip vrf INTERNET
rd 21949:0
route-target export 21949:0
route-target import 21949:0
interface Loopback0
ip address 1.1.1.1 255.255.255.255
interface FastEthernet0/0
ip vrf forwarding INTERNET
ip address 5.0.0.1 255.255.255.252
speed 100
duplex full
interface FastEthernet3/0
ip address 10.0.0.0 255.255.255.254
speed auto
duplex auto
mpls ip
router ospf 21949
log-adjacency-changes
network 1.1.1.1 0.0.0.0 area 0
network 10.0.0.0 0.255.255.255 area 0
router bgp 21949
bgp log-neighbor-changes
neighbor 3.3.3.3 remote-as 21949
neighbor 3.3.3.3 update-source Loopback0
address-family ipv4
no synchronization
neighbor 3.3.3.3 activate
neighbor 3.3.3.3 next-hop-self
no auto-summary
exit-address-family
address-family vpnv4
neighbor 3.3.3.3 activate
neighbor 3.3.3.3 send-community both
exit-address-family
address-family ipv4 vrf INTERNET
no synchronization
redistribute connected
exit-address-family
ip route vrf INTERNET 0.0.0.0 0.0.0.0 10.0.0.1 global 250 permanent name "L3VPN Default Leak"
!P
interface Loopback0
ip address 3.3.3.3 255.255.255.255
interface FastEthernet0/0
ip address 7.0.0.0 255.255.255.254
speed 100
duplex full
interface FastEthernet1/0
ip address 10.0.0.1 255.255.255.254
speed auto
duplex auto
mpls ip
router ospf 21949
log-adjacency-changes
network 3.3.3.3 0.0.0.0 area 0
network 10.0.0.0 0.255.255.255 area 0
router bgp 21949
bgp log-neighbor-changes
neighbor 1.1.1.1 remote-as 21949
neighbor 1.1.1.1 update-source Loopback0
neighbor 7.0.0.1 remote-as 1
address-family ipv4
no synchronization
network 5.0.0.0 mask 255.255.255.0
neighbor 1.1.1.1 activate
neighbor 1.1.1.1 next-hop-self
neighbor 7.0.0.1 activate
no auto-summary
exit-address-family
address-family vpnv4
neighbor 1.1.1.1 activate
neighbor 1.1.1.1 send-community both
neighbor 1.1.1.1 route-reflector-client
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 send-community both
neighbor 2.2.2.2 route-reflector-client
exit-address-family
address-family ipv4 vrf INTERNET
no synchronization
redistribute connected
exit-address-family
ip route 5.0.0.0 255.255.255.0 Null0 250
ip route 5.0.0.0 255.255.255.252 FastEthernet1/0 10.0.0.0
!ISP
interface Loopback0
ip address 7.7.7.7 255.255.255.255
interface FastEthernet0/0
ip address 7.0.0.1 255.255.255.254
speed 100
full-duplex
router bgp 1
no synchronization
bgp log-neighbor-changes
network 7.7.7.7 mask 255.255.255.255
neighbor 7.0.0.0 remote-as 21949
Route leakage between global/VRF is not allowed on multi-access interfaces like Ethernet.
A few common solutions to the problem you are facing:
1. Put the Internet interface on router P in a VRF, let's say ISP, and use the conventional vpnv4 import/export between the INTERNET and ISP VRFs.
2. Use VRF NAT on the PE.
3. Use other methods to leak routes, e.g. a cable loop, GRE-based leakage, etc.
HTH
Swap
-
Display VRF description in Syslogs (Can it be done?)
Hello everyone,
I'm rather new to the forums and my searching hasn't been quite as successful as I had hoped.
As the title suggests, I'm trying to collect additional information in my syslogs.
Below is the output of one to be used as an example:
Device:
Cisco IOS Software, C3900e Software (C3900e-UNIVERSALK9-M), Version 15.2(4)M2, RELEASE SOFTWARE (fc2)
"The Router named R1 with IP 1.1.1.1 sent the following syslog at 08:07:01 PM:
PassiveMonitor.Payload.Message=<1>11111: 111111: Dec 20 20:06:56.333 CST: %BGP-5-ADJCHANGE: neighbor 2.2.2.2 vpn vrf 333 Down BGP Notification received"
(I've modified the output just a little, but the situation stays the same.)
From what I've read, it seems like I could do this via scripting, but I'm rather unfamiliar with the scripting that can be used in IOS. I'm currently reading about TCL and its capabilities, but I was curious if this is the right path or if I could get the same results in an easier way.
The reasoning behind this is that this device has 300+ VRFs configured and each one is quite specific to its own environment. We've assisted configuration by adding descriptions to each one, but when it's not included in a syslog it makes troubleshooting that much harder. It would be nice to know which environment is in question when these logs are received.
Many thanks, as this is something that's been troubling me for quite some time.
Thank you for the assistance on this!
Here is what I came up with after reading your suggestion:
(I've created two. One to alert that it's down, the other to alert that it's back up.)
This is my first completed EEM applet; could you verify it for accuracy?
event manager applet vrf_down
event syslog pattern "vpn vrf ([0-9]+) Down"
action 1.0 regexp "vpn vrf ([0-9]+)" $_syslog_msg match vnum
action 2.0 if $_regexp_result eq 1
action 3.0 cli command "show ip vrf detail $vnum | sec Description"
action 4.0 regexp "Description: (.*)" $_cli_result match desc
action 5.0 syslog msg "BGP for VRF: $vnum - ( $desc ) has been dropped."
action 6.0 end
event manager applet vrf_up
event syslog pattern "vpn vrf ([0-9]+) Up"
action 1.0 regexp "vpn vrf ([0-9]+)" $_syslog_msg match vnum
action 2.0 if $_regexp_result eq 1
action 3.0 cli command "show ip vrf detail $vnum | sec Description"
action 4.0 regexp "Description: (.*)" $_cli_result match desc
action 5.0 syslog msg "BGP for VRF: $vnum - ( $desc ) has recovered."
action 6.0 end -
Troubleshooting of MPLS VPN 2 Network
I am at a service provider. A user complains of a link down issue for an MPLS L2VPN link, and I log in to the user-connected PE router and run the command mentioned below.
sh mpls l2transport vc 3407
Local intf Local circuit Dest address VC ID Status
Gi0/2.3407 Eth VLAN 3407 202.148.199.106 3407 UP
Guide me in analysing the output and further troubleshooting. Define the parameters observed in the output of the command.
Hi,
The P routers do not need VRFs or VPN labels because they are only transporting the packets towards the PEs. They do this by looking at the IGP label. This label is advertised by LDP. This is sometimes referred to as BGP free core. Although you will often have BGP running for other purposes on the P router.
Daniel Dib
CCIE #37149
Please rate helpful posts. -
VRF Collector Job Failing (LMS 4.0)
My VRF Collector job has started failing.
I have attached the contents of the vnmcollector.log file after setting debug level to DEBUG.
I cannot see for the life of me what the problem is - has anyone got any ideas on this as I cannot see from the debug log what the problem is.
Many thanks
Steve
This may or may not be relevant.
If I go to Monitor> Troubleshooting Tools> VRF Lite> Show Commands, click 'Select' against source device and then expand 'All Devices' nothing is listed. -
Hi,
We are building two DCs which are connected by 2x10G L2 fibers. We are planning to implement VPLS for DCI (see attached diagram). We would extend some VLANs for L2 connectivity (heartbeat, VMotion etc.). But there is also a requirement to run L3 routing between the two DCs.
My question is,
Instead of running L3 routing over a stretched VLAN, will it be possible to run a separate VRF inside VPLS between the two DCs and enable L3 routing?
Regards,
Narayan, you can try a couple of steps as below to troubleshoot.
1) I suspect there are 192.168.111.1 and 192.168.111.2 in the global routing table as well; have this checked.
2) To confirm that you have not established the tunnel with your MVRF CE, enable tunnel keepalives so it will come down, as there is no way it can establish a tunnel with your CE using a source from the VRF without the "tunnel vrf" command.
3) I believe your 7600 must have the default IOS it was shipped with, 12.2SX; the SX doesn't have this command. You may have to migrate to SRA.
Following the above steps you can verify and solve your problem.
HTH-Cheers,
Swaroop -
IPsec over GRE in ASR 1000 with VRF
Hi
I'm trying to configure an IPsec over GRE tunnel between a Cisco 819G remote router and an ASR 1002 central router using crypto maps. Currently the ASR router has two VRFs (a management VRF and the EXTERNOS2 VRF), and in the future we are going to deploy different "virtual" routers from this box. I don't know why it doesn't work; the tunnel interface doesn't come up. Looking at the debugs obtained from the ASR router (debug crypto isakmp and debug crypto ipsec) I see the following errors:
Oct 3 13:11:33: IPSEC(validate_proposal_request): proposal part #1
Oct 3 13:11:33: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 10.255.68.246:0, remote= 10.200.25.106:0,
local_proxy= 10.255.68.246/255.255.255.255/256/0,
remote_proxy= 10.200.25.106/255.255.255.255/256/0,
protocol= ESP, transform= NONE (Transport),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Oct 3 13:11:33: Crypto mapdb : proxy_match
src addr : 10.255.68.246
dst addr : 10.200.25.106
protocol : 0
src port : 0
dst port : 0
Oct 3 13:11:33: map_db_check_isakmp_profile profile did not match
Oct 3 13:11:33: Crypto mapdb : proxy_match
src addr : 10.255.68.246
dst addr : 10.200.25.106
protocol : 0
src port : 0
dst port : 0
Oct 3 13:11:33: map_db_check_isakmp_profile profile did not match
Oct 3 13:11:33: map_db_find_best did not find matching map
Oct 3 13:11:33: IPSEC(ipsec_process_proposal): proxy identities not supported
Oct 3 13:11:33: ISAKMP:(35001): IPSec policy invalidated proposal with error 32
Oct 3 13:11:33: ISAKMP:(35001): phase 2 SA policy not acceptable! (local 10.255.68.246 remote 10.200.25.106)
Could anybody help me troubleshoot why it doesn't work?
I am posting the involved configuration sections from the ASR and 819G routers.
B.R.
Oops!! I forgot to paste the involved routes from both devices.
ASR router
ip route vrf EXTERNOS2 10.200.24.0 255.255.248.0 10.255.68.245 tag 6
ip route vrf EXTERNOS2 185.1.1.0 255.255.255.0 Tunnel21 tag 6 <--- c819G LAN network
Cisco 819G
ip route 0.0.0.0 0.0.0.0 Tunnel1
ip route 10.255.68.246 255.255.255.255 Cellular0
B.R. -
Hi Team,
I have one issue with WCCP redirection inside VRF. Here is my scenario:
PE router config (MPLS edge)
ip vrf aaa
rd 10:1
route-target both 10:1
int facing CE router
ip vrf forwarding aaa
ip address x.x.x.x x.x.x.x
mpls bgp forwarding
router bgp 10
<classic MP-BGP config>
address-family vpnv4 vrf aaa
neighbor <CE router> remote-as 100
neighbor <CE router> activate
neighbor <CE router> send-label
CE router (using VRF lite)
ip vrf aaa
rd 100:1
route-target both 100:1
ip wccp vrf aaa 61
ip wccp vrf aaa 62
int facing PE router
ip vrf forwarding aaa
ip address c.c.c.c c.c.c.c
ip wccp vrf aaa 62 redirect in
ip bgp mpls forwarding
int facing WAAS
ip vrf forwarding aaa
ip address w.w.w.w w.w.w.w
int LAN
ip vrf forwarding aaa
ip address l.l.l.l l.l.l.l
ip wccp vrf aaa 61 redirect in
router bgp 100
address-family vpnv4 vrf aaa
neighbor <PE router> remote-as 10
neighbor <PE router> activate
neighbor <PE router> send-label
<classic network advertising>
The WAE config is classic WCCP with hash assignment and the negotiated GRE return method. The CE router does not have any issues detecting the WAE appliance.
Now the mentioned issue:
Traffic from the LAN to the PE is being redirected OK. No issues here. But return traffic from the PE router is not redirected to the WAE appliance, despite the fact that the WCCP "redirect in" command is configured under the CE WAN interface. When I remove the "neighbor <CE router> send-label" command under "address-family vpnv4 vrf aaa" on the PE router, the CE router starts to redirect traffic from the PE to the WAE appliance (but I lose label information on the CE). When I configure this command back, redirection stops.
So my question is why this command is causing CE router not to redirect traffic from PE to LAN on its WAN interface? I was not able to find any restrictions regarding VRF lite and WCCP. I am using 15.2(3)T1 IOS version.
Many thanks for any inputs.
Regards,
Stan
Hi Stan,
I'm not really into VRF troubleshooting, but you should check this info:
If a Cisco WAAS NME-WAE network module or Cisco WAE appliance is used at a branch location and the service provider cannot strip off the labels, WCCP can be used with a route-leaking option as long as there are no overlapping IP addresses. (That sounds like your design.)
Look for "WCCP Deployment":
http://www.cisco.com/en/US/prod/collateral/contnetw/ps5680/ps6870/white_paper_C11-560131.pdf
good luck! -
Troubleshooting VPN drops between 871 client and 2811
My small company uses a 2811 ISR for VPN services (among other tasks such as internet access, p2p circuits to a second site, etc). I have a couple of remote users that have 871 routers that have occasional problems with their routers dropping their VPN tunnels to the 2811. I'm not really sure where to start with the troubleshooting. There are other clients (such as my own 871W) that seem to maintain a connection for weeks. These remote routers that do drop the connection usually reconnect at their next schedule attempt (180 seconds or so.)
Most of the previous questions I've seen similar to this involve software clients, but these are hardware routers as the clients and as such I'm not sure how to enable or retrieve logs for the VPN sessions.
As expected, the isakmp lifetime is 86400, but for ipsec it merely reports how much time is left in the current SA.
For example:
router#show crypto isakmp policy
Global IKE policy
Protection suite of priority 3
encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
router#show crypto ipsec sa
interface: Virtual-Access4
Crypto map tag: Virtual-Access4-head-0, local addr 209.XXX.XXX.82
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 75.XXX.XXX.179 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 681527, #pkts encrypt: 681527, #pkts digest: 681527
#pkts decaps: 670316, #pkts decrypt: 670316, #pkts verify: 670316
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 209.XXX.XXX.82, remote crypto endpt.: 75.XXX.XXX.179
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
current outbound spi: 0xF0C2D65C(4039300700)
inbound esp sas:
spi: 0x2A7171E4(712077796)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 4093, flow_id: NETGX:2093, crypto map: Virtual-Access4-head-0
sa timing: remaining key lifetime (k/sec): (4577435/1047)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xF0C2D65C(4039300700)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 4094, flow_id: NETGX:2094, crypto map: Virtual-Access4-head-0
sa timing: remaining key lifetime (k/sec): (4572865/1027)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas: -
Dear Clarke,
I've read the following URL which was very useful.
https://supportforums.cisco.com/docs/DOC-9005#Preferred_Management_IP
Despite all of it I have not found a solution to our problem.
We use the loopback method for discovery, which is very good for remote routers. We also use many VRFs in devices. Some devices (e.g. switches) have no loopback interfaces.
So here the LMS chose the highest IP address of the devices. The problem is that the highest IP addresses are in a separate VRF. After discovery the RME cannot handle these devices (no config archive, for example).
Why does the LMS use the IP addresses from VRFs?
It would be good for us if LMS used the "default" VRF IP addresses only. Is it possible?
What is the good, single solution for both routers and switches?
Thanks!
Sorry, I missed your reply. The code that checks for reachability uses SNMP to fetch the sysObjectID. If this fails, the next address in the ipAddrTable will be tried. SNMP must be working to those chosen management addresses in order for Discovery to use them. Troubleshooting this further would require debugging to be enabled for the System discovery module. Then, the ngdiscovery.log would show the reachability checks.
That said, if SNMP is working to these addresses, but TFTP/telnet/SSH do not, an alternative would be to use resolve by sysName, resolve by name, or none. None might be an acceptable option as that will use the address by which the device was discovered. -
My computer runs on Windows 7, and I've installed and updated the latest versions of iTunes etc., but still to no avail! I've tried different USB ports, troubleshooting, etc. But it still says "One of the USB devices attached to this computer has malfunctioned and Windows does not recognize it".
The iPod is brand new, sent to me by Apple as part of the 1st gen replacement programme. I've been using the cable that came with the 1st gen iPod (I bought the first gen second hand) It always worked on my computer with the 1st gen iPod. So I was wondering, do you think I need to replace my cable in order for my PC to recognize my iPod or is it something else?
Thanks
Try a different cable. And are you connecting directly to your computer or through a USB hub?
-
Need help? Some of my iPods are not recognized by iTunes on my Windows 8 PC (iPod nano 4th gen and iPod nano 6th gen), but on my Windows 7 PC they work fine. My iPod 3rd gen and iPod shuffle work on both the Windows 8 and 7 PCs. On the non-working iPods, the device sync test says "No device found". I have already performed all of the iPod device troubleshooting, including reloading iTunes, stopping and starting the iPod device, changing the drive letter...
Any help is appreciated. Chris4sail
Hello there, chris4sail.
The following Knowledge Base article offers up some great step-by-step instructions on troubleshooting your iPod not being recognized in iTunes:
iPod not recognized in My Computer and in iTunes for Windows
http://support.apple.com/kb/ts1369
Thanks for reaching out to Apple Support Communities.
Cheers,
Pedro. -
IPod not recognized by Windows or iTunes, troubleshooting didn't help.
I have an 80 gig iPod classic. When I plug it into my computer it is not recognized by either Windows or iTunes. However, it does charge while connected. I have gone through every troubleshooting tip on the Apple website and nothing has worked. The only thing I was unable to try was restoring it because it needs to be recognized in iTunes in order to do so. Any suggestions?
I had the same problem.......
OK, after 8 hours, it worked. I was installing and uninstalling only iTunes 9 but not all the Apple components on my computer. Uninstall iTunes 9 and all its components: Apple Mobile Device Support, Apple Software Update, Bonjour, iPod for Windows, iTunes, QuickTime.
Under the folder c:\Program Files delete the following folders:
Apple Software Update, Bonjour, iPod, iTunes, QuickTime
Search for any hidden folders named "Apple Computer" or "Apple". These may appear under AppData or Local/AppData. Delete these folders.
Restart your Windows machine and install iTunes 9 and QuickTime again. Good luck!