Troubleshooting VRF

Hi,
We have a VRF infrastructure in Data Center. I am pinging the host with the command:
ping vrf CUSTOMER_A ip IP_ADDRESS
it works. I would like to find out its MAC address and then its exact location (switch/mod/port), but can't find its MAC. This is Catalyst 6500 IOS platform.
Thanks for any advice.
Michal

Finally, I found that.
show ip arp vrf CUSTOMER_A IP_ADDRESS.
You get the MAC so then you can easily find exact location of the server.
Michal

Similar Messages

  • Static routes within VRF

    Is there a limit to the number of static route one could use within a VRF ?
    We have a large customer connected to MPLS VRF based backbone and due to various limiting factors this customer uses static routing from a PE-CE perspective.
    We have been experiencing a problem where a static needs to be removed and placed back as routing to a site stops (no traffic passed); this happens intermittently and to different sites within different regions as well. All the general or expected troubleshooting procedures have been followed, i.e. check routing table, BGP, CEF tables, FIB etc. All seems fine; the only thing that resolves this is removing the static and then replacing it.
    My thinking is that there might be a limit to the number of statics that one can use within a VRF and that we have reached the limit for this customer, which causes the intermittent failure.
    Please advise.

    I know of a "maximum routes limit " command to limit the number of routes in a Vrf on a PE.
    From this command reference i find there are no default values for this.
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fswtch_r/xrfscmd3.htm#1032272
    So I assume, the default is to allow a huge value and the only limitations would be the memory/capacity and the number of vrfs on the PE router.
    If you are experiencing a problem in this regard and removing a static route is helping to overcome it, then I would only suspect a bug here.
    I am also curious to know how many static routes you have in this particular vrf.

  • VRF-lite, NAT and route-leaking

    Hello, community. I'm trying to reproduce setup with two customers (R1 and R2), PE router (R3) and common services (R4).
    Here is configuration:
    R1:
    interface Loopback0
    ip address 10.10.1.1 255.255.255.255
    interface FastEthernet1/0
    ip address 192.168.15.1 255.255.255.0
    ip route 0.0.0.0 0.0.0.0 192.168.15.5
    R2:
    interface Loopback0
    ip address 10.10.2.2 255.255.255.255
    interface FastEthernet1/0
    ip address 192.168.16.1 255.255.255.192
    ip route 0.0.0.0 0.0.0.0 192.168.16.5
    R3:
    ip vrf VRF1
    rd 1:1
    route-target export 1:1
    route-target import 1:1
    ip vrf VRF2
    rd 2:2
    route-target export 2:2
    route-target import 2:2
    interface FastEthernet0/0
    description R1
    ip vrf forwarding VRF1
    ip address 192.168.15.5 255.255.255.192
    ip nat inside
    ip virtual-reassembly
    interface FastEthernet0/1
    description R2
    ip vrf forwarding VRF2
    ip address 192.168.16.5 255.255.255.192
    ip nat inside
    ip virtual-reassembly
    interface FastEthernet1/0
    description R4
    ip address 1.1.1.1 255.255.255.0
    ip nat outside
    ip virtual-reassembly
    ip route 0.0.0.0 0.0.0.0 1.1.1.2
    ip route vrf VRF1 0.0.0.0 0.0.0.0 FastEthernet1/0 1.1.1.2 global
    ip route vrf VRF1 10.10.0.0 255.255.0.0 192.168.15.1
    ip route vrf VRF2 0.0.0.0 0.0.0.0 FastEthernet1/0 1.1.1.2 global
    ip route vrf VRF2 10.10.0.0 255.255.0.0 192.168.16.1
    ip nat inside source list 15 interface FastEthernet1/0 vrf VRF1 overload
    ip nat inside source list 16 interface FastEthernet1/0 vrf VRF2 overload
    access-list 15 permit 192.0.0.0 0.255.255.255
    access-list 15 permit 10.10.0.0 0.0.255.255
    access-list 16 permit 192.0.0.0 0.255.255.255
    access-list 16 permit 10.10.0.0 0.0.255.255
    R4:
    interface Loopback0
    ip address 10.10.10.10 255.255.255.255
    interface FastEthernet0/0
    ip address 1.1.1.2 255.255.255.0
    ip route 0.0.0.0 0.0.0.0 1.1.1.1
    The configuration is not operational.
    r1#ping 192.168.15.5
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.15.5, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 68/89/116 ms
    r1#ping 192.168.15.5 source l0
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.15.5, timeout is 2 seconds:
    Packet sent with a source address of 10.10.1.1
    Success rate is 100 percent (5/5), round-trip min/avg/max = 68/86/92 ms
    r1#ping 1.1.1.1 source l0
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
    Packet sent with a source address of 10.10.1.1
    Success rate is 80 percent (4/5), round-trip min/avg/max = 292/357/400 ms
    r1#ping 1.1.1.2 source l0
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
    Packet sent with a source address of 10.10.1.1
    Success rate is 80 percent (4/5), round-trip min/avg/max = 160/187/216 ms
    r1#ping 10.10.10.10 source l0
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
    Packet sent with a source address of 10.10.1.1
    Success rate is 0 percent (0/5)
    I can't ping R4's loopback address ("shared resource" or also known as "common service")
    The same is with R2 ( second customer).
    But I can still ping R4's loopback from R3:
    R3#ping 10.10.10.10
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 40/88/116 ms
    This is routing table on R3:
    R3#sh ip route | begin Gateway
    Gateway of last resort is 1.1.1.2 to network 0.0.0.0
         1.0.0.0/24 is subnetted, 1 subnets
    C       1.1.1.0 is directly connected, FastEthernet1/0
    S*   0.0.0.0/0 [1/0] via 1.1.1.2
    R3#sh ip route vrf VRF1 | begin Gateway
    Gateway of last resort is 1.1.1.2 to network 0.0.0.0
         192.168.15.0/26 is subnetted, 1 subnets
    C       192.168.15.0 is directly connected, FastEthernet0/0
         10.0.0.0/16 is subnetted, 1 subnets
    S       10.10.0.0 [1/0] via 192.168.15.1
    S*   0.0.0.0/0 [1/0] via 1.1.1.2, FastEthernet1/0
    R3#sh ip route vrf VRF2 | begin Gateway
    Gateway of last resort is 1.1.1.2 to network 0.0.0.0
         10.0.0.0/16 is subnetted, 1 subnets
    S       10.10.0.0 [1/0] via 192.168.16.1
         192.168.16.0/26 is subnetted, 1 subnets
    C       192.168.16.0 is directly connected, FastEthernet0/1
    S*   0.0.0.0/0 [1/0] via 1.1.1.2, FastEthernet1/0
    So the question is what is the problem cause? How to troubleshoot? What is the troubleshooting steps?

    Hi Eugene Khabarov
    The problem here is that at the PE we have the static route for the Major Subnet 10.10.0.0/16 pointing back to the CEs of which the destination ping IP 10.10.10.10 is part of.
    We need to remove the Major X /16 route from PE and configure explicit X /32 route for the CE Loopback to make this work
    no ip route vrf VRF1 10.10.0.0 255.255.0.0 192.168.15.1
    ip route vrf VRF1 10.10.1.1 255.255.255.255 192.168.15.1
    no ip route vrf VRF2 10.10.0.0 255.255.0.0 192.168.16.1
    ip route vrf VRF2 10.10.2.2 255.255.255.255 192.168.16.1
    Hope this helps to answer your query.
    Regards
    Varma
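The diagnosis in the reply above can be checked with a longest-prefix-match lookup over R3's VRF1 table as it was posted. This is an added example, not part of the original thread: the function names are hypothetical and the lookup is a simplified model (static and connected routes only, no recursion or NAT).

```python
import ipaddress

# R3's VRF1 table as posted in the thread ("sh ip route vrf VRF1").
# Third field: True when the route hands traffic to the global table
# (the "global" keyword on the static default).
VRF1_AS_POSTED = [
    ("192.168.15.0/26", "FastEthernet0/0", False),
    ("10.10.0.0/16", "192.168.15.1", False),
    ("0.0.0.0/0", "1.1.1.2", True),
]

# Same table after the reply's change: the /16 towards R1 is replaced by a
# host route for R1's loopback only.
VRF1_WITH_HOST_ROUTE = [
    ("192.168.15.0/26", "FastEthernet0/0", False),
    ("10.10.1.1/32", "192.168.15.1", False),
    ("0.0.0.0/0", "1.1.1.2", True),
]


def lookup(table, destination):
    """Return (prefix, next_hop, leaks_to_global) for the longest match, or None."""
    addr = ipaddress.ip_address(destination)
    best = None
    for prefix, next_hop, leaks in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, leaks)
    if best is None:
        return None
    return (str(best[0]), best[1], best[2])


def captured_shared_services(table, shared_services):
    """List shared-service addresses whose best route stays inside the VRF.

    Those addresses live behind the global table, so a more specific
    customer-facing route sends the traffic back towards the CE instead.
    """
    findings = []
    for dst in shared_services:
        hit = lookup(table, dst)
        if hit is not None and not hit[2]:
            findings.append((dst, hit[0], hit[1]))
    return findings


if __name__ == "__main__":
    tables = (("as posted", VRF1_AS_POSTED), ("with /32", VRF1_WITH_HOST_ROUTE))
    for name, table in tables:
        for dst in ("1.1.1.2", "10.10.10.10", "10.10.1.1"):
            print(name, dst, "->", lookup(table, dst))
        print(name, "captured:", captured_shared_services(table, ["10.10.10.10"]))
```

With the table as posted, 10.10.10.10 (R4's loopback) matches the 10.10.0.0/16 static and is forwarded back to R1, which is why 1.1.1.2 answers and 10.10.10.10 does not.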

  • VRF - Global problem

    I provide my customers an ethernet port off my PE (ie: FastEthernet0/0 on PE from configuration below).  They can connect whatever they want into the port.  Most times it's simply a PC.  The only thing they expect to get off that port is Internet access.
    I'm trying to stick all these users into a VRF called INTERNET, but I'm having some trouble getting the global table to see the networks that I'm assigning to my customers (ie: 5.0.0.0/30 from the PE config below).
    Near as I can tell, the VRF knows about the default gateway and the global table knows how to reach 5.0.0.0/30, but for some reason, there's no connectivity and I'm not sure how to begin troubleshooting this.
    Anyone have any pointers?         
    PE#traceroute vrf INTERNET 7.7.7.7
    Type escape sequence to abort.
    Tracing the route to 7.7.7.7
      1  *  *  *
    PE#show ip route vrf INTERNET
    Routing Table: INTERNET
    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route, H - NHRP
           + - replicated route, % - next hop override
    Gateway of last resort is 10.0.0.1 to network 0.0.0.0
    S*    0.0.0.0/0 [250/0] via 10.0.0.1
          5.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
    C        5.0.0.0/30 is directly connected, FastEthernet0/0
    L        5.0.0.1/32 is directly connected, FastEthernet0/0
    PE#show ip bgp vpnv4 vrf INTERNET
    BGP table version is 40, local router ID is 1.1.1.1
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale, m multipath, b backup-path, x best-external
    Origin codes: i - IGP, e - EGP, ? - incomplete
       Network          Next Hop            Metric LocPrf Weight Path
    Route Distinguisher: 21949:0 (default for vrf INTERNET)
    *> 5.0.0.0/30       0.0.0.0                  0         32768 ?
    PE#show ip route
    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route, H - NHRP
           + - replicated route, % - next hop override
    Gateway of last resort is not set
          1.0.0.0/8 is variably subnetted, 1 subnets, 1 masks
    C        1.1.1.1/32 is directly connected, Loopback0
          3.0.0.0/8 is variably subnetted, 1 subnets, 1 masks
    O        3.3.3.3/32 [110/2] via 10.0.0.1, 2d02h, FastEthernet3/0
          7.0.0.0/32 is subnetted, 1 subnets
    B        7.7.7.7 [200/0] via 3.3.3.3, 1d18h
          10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
    C        10.0.0.0/31 is directly connected, FastEthernet3/0
    L        10.0.0.0/32 is directly connected, FastEthernet3/0
    PE#show ip bgp
    BGP table version is 35, local router ID is 1.1.1.1
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale, m multipath, b backup-path, x best-external
    Origin codes: i - IGP, e - EGP, ? - incomplete
       Network          Next Hop            Metric LocPrf Weight Path
    *>i5.0.0.0/24       3.3.3.3                  0    100      0 i
    *>i7.7.7.7/32       3.3.3.3                  0    100      0 1 i
    PE#
    P#show ip route
    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route, H - NHRP
           + - replicated route, % - next hop override
    Gateway of last resort is not set
          1.0.0.0/8 is variably subnetted, 1 subnets, 1 masks
    O        1.1.1.1/32 [110/2] via 10.0.0.0, 2d02h, FastEthernet1/0
          5.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
    S        5.0.0.0/24 is directly connected, Null0
    S        5.0.0.0/30 [1/0] via 10.0.0.0, FastEthernet1/0
          7.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
    C        7.0.0.0/31 is directly connected, FastEthernet0/0
    L        7.0.0.0/32 is directly connected, FastEthernet0/0
    B        7.7.7.7/32 [20/0] via 7.0.0.1, 2d02h
    C        10.0.0.0/31 is directly connected, FastEthernet1/0
    L        10.0.0.1/32 is directly connected, FastEthernet1/0
    P#show ip route vrf INTERNET
    Routing Table: INTERNET
    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route, H - NHRP
           + - replicated route, % - next hop override
    Gateway of last resort is not set
          5.0.0.0/30 is subnetted, 1 subnets
    B        5.0.0.0 [200/0] via 1.1.1.1, 00:09:33
    ISP#traceroute 5.0.0.2
    Type escape sequence to abort.
    Tracing the route to 5.0.0.2
      1 7.0.0.0 40 msec 8 msec 4 msec
      2  *  *  *
      3 10.0.0.1 [AS 21949] 24 msec 16 msec 8 msec
      4  *  *  *
      5 10.0.0.1 [AS 21949] 32 msec 20 msec 12 msec
      6  *  *  *
      7 10.0.0.1 [AS 21949] 12 msec 16 msec 12 msec
      8  *  *  *
      9 10.0.0.1 [AS 21949] 28 msec 28 msec 16 msec
    10  *  *  *
    ISP#show ip route 5.0.0.0
    Routing entry for 5.0.0.0/24, 1 known subnets
    B       5.0.0.0 [20/0] via 7.0.0.0, 02:34:17
    R7#
    !PE
    ip vrf INTERNET
    rd 21949:0
    route-target export 21949:0
    route-target import 21949:0
    interface Loopback0
    ip address 1.1.1.1 255.255.255.255
    interface FastEthernet0/0
    ip vrf forwarding INTERNET
    ip address 5.0.0.1 255.255.255.252
    speed 100
    duplex full
    interface FastEthernet3/0
    ip address 10.0.0.0 255.255.255.254
    speed auto
    duplex auto
    mpls ip
    router ospf 21949
    log-adjacency-changes
    network 1.1.1.1 0.0.0.0 area 0
    network 10.0.0.0 0.255.255.255 area 0
    router bgp 21949
    bgp log-neighbor-changes
    neighbor 3.3.3.3 remote-as 21949
    neighbor 3.3.3.3 update-source Loopback0
    address-family ipv4
      no synchronization
      neighbor 3.3.3.3 activate
      neighbor 3.3.3.3 next-hop-self
      no auto-summary
    exit-address-family
    address-family vpnv4
      neighbor 3.3.3.3 activate
      neighbor 3.3.3.3 send-community both
    exit-address-family
    address-family ipv4 vrf INTERNET
      no synchronization
      redistribute connected
    exit-address-family
    ip route vrf INTERNET 0.0.0.0 0.0.0.0 10.0.0.1 global 250 permanent name "L3VPN Default Leak"
    !P
    interface Loopback0
    ip address 3.3.3.3 255.255.255.255
    interface FastEthernet0/0
    ip address 7.0.0.0 255.255.255.254
    speed 100
    duplex full
    interface FastEthernet1/0
    ip address 10.0.0.1 255.255.255.254
    speed auto
    duplex auto
    mpls ip
    router ospf 21949
    log-adjacency-changes
    network 3.3.3.3 0.0.0.0 area 0
    network 10.0.0.0 0.255.255.255 area 0
    router bgp 21949
    bgp log-neighbor-changes
    neighbor 1.1.1.1 remote-as 21949
    neighbor 1.1.1.1 update-source Loopback0
    neighbor 7.0.0.1 remote-as 1
    address-family ipv4
      no synchronization
      network 5.0.0.0 mask 255.255.255.0
      neighbor 1.1.1.1 activate
      neighbor 1.1.1.1 next-hop-self
      neighbor 7.0.0.1 activate
      no auto-summary
    exit-address-family
    address-family vpnv4
      neighbor 1.1.1.1 activate
      neighbor 1.1.1.1 send-community both
      neighbor 1.1.1.1 route-reflector-client
      neighbor 2.2.2.2 activate
      neighbor 2.2.2.2 send-community both
      neighbor 2.2.2.2 route-reflector-client
    exit-address-family
    address-family ipv4 vrf INTERNET
      no synchronization
      redistribute connected
    exit-address-family
    ip route 5.0.0.0 255.255.255.0 Null0 250
    ip route 5.0.0.0 255.255.255.252 FastEthernet1/0 10.0.0.0
    !ISP
    interface Loopback0
    ip address 7.7.7.7 255.255.255.255
    interface FastEthernet0/0
    ip address 7.0.0.1 255.255.255.254
    speed 100
    full-duplex
    router bgp 1
    no synchronization
    bgp log-neighbor-changes
    network 7.7.7.7 mask 255.255.255.255
    neighbor 7.0.0.0 remote-as 21949

    Route leakage between global/VRF is not allowed on multi-access interfaces like ethernet.
    Few common solutions to the problem you are facing -
    1. put the internet interface on router P in a VRF, let's say ISP, and use the conventional vpnv4 import/export between INTERNET and ISP VRFs.
    2. use VRF NAT  on PE
    3. use other methods to leak routes - e.g. cable loop,  gre based leakage etc.
    HTH
    Swap
    #19804x2

  • Display VRF description in Syslogs (Can it be done?)

    Hello everyone,
    I'm rather new to the forums and my searching hasn't been quite as successful as I had hoped.
    As the title suggests, I'm trying to collect additional information in my syslogs.
    Below is the output of one to be used as an example:
    Device:
    Cisco IOS Software, C3900e Software (C3900e-UNIVERSALK9-M), Version 15.2(4)M2, RELEASE SOFTWARE (fc2)
    "The Router named R1 with IP 1.1.1.1 sent the following syslog at 08:07:01 PM:
    PassiveMonitor.Payload.Message=<1>11111: 111111: Dec 20 20:06:56.333 CST: %BGP-5-ADJCHANGE: neighbor 2.2.2.2 vpn vrf 333 Down BGP Notification received"
    (I've modified the output just a little, but the situation stays the same.)
    From what I've read, it seems like I could do this via scripting but I'm rather unfamiliar with the scripting that can be used in IOS. I'm currently reading about TCL and its capabilities but I was curious if this is the right path or if I could get the same results in an easier way.
    The reasoning behind this is that this device has 300+ VRFs configured and each one is quite specific to its own environment. We've assisted configuration by adding descriptions to each one, but when it's not included in a syslog it makes troubleshooting that much harder. It would be nice to know which environment is in question when these logs are received.
    Many thanks as this is something that's been troubling me for quite some time.

    Thank you for the assistance on this!
    Here is what I came up with after reading your suggestion:
    (I've created two. One to alert that it's down, the other to alert that it's back up.)
    This is my first completed EEM, could you verify it for accuracy?
    event manager applet vrf_down
    event syslog pattern "vpn vrf ([0-9]+) Down"
    action 1.0 regexp "vpn vrf ([0-9]+)" $_syslog_msg match vnum
    action 2.0 if $_regexp_result eq 1
    action 3.0 cli command "show ip vrf detail $vnum | sec Description"
    action 4.0 regexp "Description: (.*)" $_cli_result match desc
    action 5.0 syslog msg "BGP for VRF: $vnum - ( $desc ) has been dropped."
    action 6.0 end
    event manager applet vrf_up
    event syslog pattern "vpn vrf ([0-9]+) Up"
    action 1.0 regexp "vpn vrf ([0-9]+)" $_syslog_msg match vnum
    action 2.0 if $_regexp_result eq 1
    action 3.0 cli command "show ip vrf detail $vnum | sec Description"
    action 4.0 regexp "Description: (.*)" $_cli_result match desc
    action 5.0 syslog msg "BGP for VRF: $vnum - ( $desc ) has recovered."
    action 6.0 end
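The same enrichment can also be done on the syslog collector instead of on the router. The sketch below is an added example, not code from the thread: it builds a VRF-to-description map from `ip vrf` configuration stanzas and rewrites ADJCHANGE lines in the applets' message format. The configuration sample and function names are constructed for illustration, and it covers a VRF with no description configured, a case the applets do not test for after action 4.0.

```python
import re

# Constructed sample of "ip vrf" stanzas (not from the thread).
SAMPLE_CONFIG = """\
ip vrf 333
 description Customer A production
 rd 1:333
!
ip vrf 334
 rd 1:334
!
interface FastEthernet0/0
 ip vrf forwarding 333
"""

# Syslog line quoted in the thread.
PAGE_LINE = ("<1>11111: 111111: Dec 20 20:06:56.333 CST: %BGP-5-ADJCHANGE: "
             "neighbor 2.2.2.2 vpn vrf 333 Down BGP Notification received")

ADJ_RE = re.compile(r"%BGP-5-ADJCHANGE: neighbor (\S+) vpn vrf (\S+) (Up|Down)\b")
VRF_RE = re.compile(r"^ip vrf (\S+)\s*$")
DESC_RE = re.compile(r"^\s+description (.+?)\s*$")


def vrf_descriptions(config_text):
    """Map VRF name -> description (None when the stanza has no description)."""
    descs = {}
    current = None
    for line in config_text.splitlines():
        start = VRF_RE.match(line)
        if start:
            current = start.group(1)
            descs[current] = None
        elif current is not None and line.startswith(" "):
            desc = DESC_RE.match(line)
            if desc:
                descs[current] = desc.group(1)
        else:
            current = None  # left the "ip vrf" stanza
    return descs


def enrich(syslog_line, descs):
    """Return the enriched message for a VRF BGP adjacency change, else None."""
    m = ADJ_RE.search(syslog_line)
    if not m:
        return None
    _neighbor, vrf, state = m.groups()
    if vrf not in descs:
        label = "unknown VRF"
    elif descs[vrf] is None:
        label = "no description configured"
    else:
        label = descs[vrf]
    outcome = "been dropped" if state == "Down" else "recovered"
    return f"BGP for VRF: {vrf} - ( {label} ) has {outcome}."


if __name__ == "__main__":
    table = vrf_descriptions(SAMPLE_CONFIG)
    print(enrich(PAGE_LINE, table))
```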

  • Troubleshooting of MPLS VPN 2 Network

    I am at a service provider. A user complains of a link-down issue for an MPLS L2VPN link. I logged in to the user-connected PE router and ran the command below.
    sh mpls l2transport vc 3407
    Local intf     Local circuit              Dest address    VC ID      Status
    Gi0/2.3407     Eth VLAN 3407              202.148.199.106 3407       UP
    Guide me in analysing the output and further troubleshooting. Define the parameters observed in the output of the command.

    Hi,
    The P routers do not need VRFs or VPN labels because they are only transporting the packets towards the PEs. They do this by looking at the IGP label. This label is advertised by LDP. This is sometimes referred to as BGP free core. Although you will often have BGP running for other purposes on the P router.
    Daniel Dib
    CCIE #37149
    Please rate helpful posts.

  • VRF Collector Job Failing (LMS 4.0)

    My VRF Collector job has started failing.
    I have attached the contents of the vnmcollector.log file after setting debug level to DEBUG.
    I cannot see for the life of me what the problem is - has anyone got any ideas on this as I cannot see from the debug log what the problem is.
    Many thanks
    Steve

    This may or may not be relevant.
    If I go to Monitor> Troubleshooting Tools> VRF Lite> Show Commands, click 'Select' against source device and then expand 'All Devices' nothing is listed.

  • Stretch VRF over VPLS

    Hi,
    We are building two DCs which are connected by 2x10G L2 fibers. We are planning to implement VPLS for DCI (see attached diagram). We would extend some VLANs for L2 connectivity (Heartbeat, VMotion etc.). But there is also a requirement to run L3 routing between the two DCs.
    My question is,
    Instead of running L3 routing over a stretched VLAN, will it be possible to run a separate VRF inside VPLS between the two DCs and enable L3 routing?
    Regards,

    Narayan, you can try a couple of steps as below to troubleshoot.
    1) I suspect there is 192.168.111.1 and 192.168.111.2 in the global routing table as well, have this checked.
    2) To confirm that you have not established the tunnel with your MVRF CE, enable tunnel keepalives so it will come down, as there is no way it can establish a tunnel with your CE using a source from the VRF without the "tunnel vrf" command.
    3) I believe your 7600 must have the default IOS it was shipped with, 12.2SX; the SX doesn't have this command. You may have to migrate to SRA.
    Following the above steps you can verify and solve your problem.
    HTH-Cheers,
    Swaroop

  • IPsec over GRE in ASR 1000 with VRF

    Hi
    I'm trying to configure IPsec over a GRE tunnel between a Cisco 819G remote router and an ASR 1002 central router using crypto maps. Currently the ASR router has two VRFs (management vrf and EXTERNOS2 vrf) and in the future we are going to deploy different "virtual" routers from this box. I don't know why it doesn't work; the tunnel interface doesn't go up. Looking at the debugs obtained from the ASR router (debug crypto isakmp and debug crypto ipsec), I see the following errors:
    Oct  3 13:11:33: IPSEC(validate_proposal_request): proposal part #1
    Oct  3 13:11:33: IPSEC(validate_proposal_request): proposal part #1,
      (key eng. msg.) INBOUND local= 10.255.68.246:0, remote= 10.200.25.106:0,
        local_proxy= 10.255.68.246/255.255.255.255/256/0,
        remote_proxy= 10.200.25.106/255.255.255.255/256/0,
        protocol= ESP, transform= NONE  (Transport),
        lifedur= 0s and 0kb,
        spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
    Oct  3 13:11:33: Crypto mapdb : proxy_match
            src addr     : 10.255.68.246
            dst addr     : 10.200.25.106
            protocol     : 0
            src port     : 0
            dst port     : 0
    Oct  3 13:11:33: map_db_check_isakmp_profile profile did not match
    Oct  3 13:11:33: Crypto mapdb : proxy_match
            src addr     : 10.255.68.246
            dst addr     : 10.200.25.106
            protocol     : 0
            src port     : 0
            dst port     : 0
    Oct  3 13:11:33: map_db_check_isakmp_profile profile did not match
    Oct  3 13:11:33: map_db_find_best did not find matching map
    Oct  3 13:11:33: IPSEC(ipsec_process_proposal): proxy identities not supported
    Oct  3 13:11:33: ISAKMP:(35001): IPSec policy invalidated proposal with error 32
    Oct  3 13:11:33: ISAKMP:(35001): phase 2 SA policy not acceptable! (local 10.255.68.246 remote 10.200.25.106)
    Could anybody help me troubleshoot why it doesn't work?
    I am posting the relevant configuration sections from the ASR and 819G routers.
    B.R.

    Oops!! I forgot to paste the relevant routes from both devices.
    ASR router
    ip route vrf EXTERNOS2 10.200.24.0 255.255.248.0 10.255.68.245 tag 6
    ip route vrf EXTERNOS2 185.1.1.0 255.255.255.0 Tunnel21 tag 6          <--- c819G LAN network
    Cisco 819G
    ip route 0.0.0.0 0.0.0.0 Tunnel1
    ip route 10.255.68.246 255.255.255.255 Cellular0
    B.R.

  • WCCP inside VRF

    Hi Team,
    I have one issue with WCCP redirection inside VRF. Here is my scenario:
    PE router config (MPLS edge)
    ip vrf aaa
    rd 10:1
    route-target both 10:1
    int facing CE router
    ip vrf forwarding aaa
    ip address x.x.x.x x.x.x.x
    mpls bgp forwarding
    router bgp 10
    <classic MP-BGP config>
    address-family vpnv4 vrf aaa
      neighbor <CE router> remote-as 100
      neighbor <CE router> activate
      neighbor <CE router> send-label
    CE router (using VRF lite)
    ip vrf aaa
    rd 100:1
    route-target both 100:1
    ip wccp vrf aaa 61
    ip wccp vrf aaa 62
    int facing PE router
    ip vrf forwarding aaa
    ip address c.c.c.c c.c.c.c
    ip wccp vrf aaa 62 redirect in
    ip bgp mpls forwarding
    int facing WAAS
    ip vrf forwarding aaa
    ip address w.w.w.w w.w.w.w
    int LAN
    ip vrf forwarding aaa
    ip address l.l.l.l l.l.l.l
    ip wccp vrf aaa 61 redirect in
    router bgp 100
    address-family vpnv4 vrf aaa
    neighbor <PE router> remote-as 10
    neighbor <PE router> activate
    neighbor <PE router> send-label
    <classic network advertising>
    WAE config is classic WCCP with hash assignment and negotiated GRE return method. CE router does not have any issues detecting the WAE appliance.
    Now the mentioned issue:
    Traffic from LAN to PE is being redirected OK. No issues here. But return traffic from the PE router is not redirected to the WAE appliance despite the fact that the WCCP "redirect in" command is configured under the CE WAN interface. When I remove the "neighbor <CE router> send-label" command under "address-family vpnv4 vrf aaa" on the PE router, the CE router starts to redirect traffic from PE to the WAE appliance (but I lose label information on CE). When I configure this command back, redirection stops.
    So my question is why this command is causing CE router not to redirect traffic from PE to LAN on its WAN interface? I was not able to find any restrictions regarding VRF lite and WCCP. I am using 15.2(3)T1 IOS version.
    Many thanks for any inputs.
    Regards,
    Stan

    Hi Stan,
    I'm not really into VRF troubleshooting but you should check this info:
    If a Cisco WAAS NME-WAE network module or Cisco WAE appliance is used at a branch location and the service provider cannot strip off the labels, WCCP can be used with a route-leaking option as long as there are no overlapping IP addresses. (That sounds like your design.)
    Look for WCCP Deployment
    http://www.cisco.com/en/US/prod/collateral/contnetw/ps5680/ps6870/white_paper_C11-560131.pdf
    good luck!

  • Troubleshooting VPN drops between 871 client and 2811

    My small company uses a 2811 ISR for VPN services (among other tasks such as internet access, p2p circuits to a second site, etc). I have a couple of remote users that have 871 routers that have occasional problems with their routers dropping their VPN tunnels to the 2811. I'm not really sure where to start with the troubleshooting. There are other clients (such as my own 871W) that seem to maintain a connection for weeks. These remote routers that do drop the connection usually reconnect at their next scheduled attempt (180 seconds or so.)
    Most of the previous questions I've seen similar to this involve software clients but these are hardware routers as the clients and as such I'm not sure how to enable or retrieve logs for the VPN sessions.

    As expected, the isakmp lifetime is 86400, but for ipsec it merely reports how much time is left in the current sa.
    For example:
    router#show crypto isakmp policy
    Global IKE policy
    Protection suite of priority 3
    encryption algorithm: Three key triple DES
    hash algorithm: Secure Hash Standard
    authentication method: Pre-Shared Key
    Diffie-Hellman group: #2 (1024 bit)
    lifetime: 86400 seconds, no volume limit
    Default protection suite
    encryption algorithm: DES - Data Encryption Standard (56 bit keys).
    hash algorithm: Secure Hash Standard
    authentication method: Rivest-Shamir-Adleman Signature
    Diffie-Hellman group: #1 (768 bit)
    lifetime: 86400 seconds, no volume limit
    router#show crypto ipsec sa
    interface: Virtual-Access4
    Crypto map tag: Virtual-Access4-head-0, local addr 209.XXX.XXX.82
    protected vrf: (none)
    local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
    remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
    current_peer 75.XXX.XXX.179 port 4500
    PERMIT, flags={origin_is_acl,}
    #pkts encaps: 681527, #pkts encrypt: 681527, #pkts digest: 681527
    #pkts decaps: 670316, #pkts decrypt: 670316, #pkts verify: 670316
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0
    local crypto endpt.: 209.XXX.XXX.82, remote crypto endpt.: 75.XXX.XXX.179
    path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
    current outbound spi: 0xF0C2D65C(4039300700)
    inbound esp sas:
    spi: 0x2A7171E4(712077796)
    transform: esp-3des esp-sha-hmac ,
    in use settings ={Tunnel UDP-Encaps, }
    conn id: 4093, flow_id: NETGX:2093, crypto map: Virtual-Access4-head-0
    sa timing: remaining key lifetime (k/sec): (4577435/1047)
    IV size: 8 bytes
    replay detection support: Y
    Status: ACTIVE
    inbound ah sas:
    inbound pcp sas:
    outbound esp sas:
    spi: 0xF0C2D65C(4039300700)
    transform: esp-3des esp-sha-hmac ,
    in use settings ={Tunnel UDP-Encaps, }
    conn id: 4094, flow_id: NETGX:2094, crypto map: Virtual-Access4-head-0
    sa timing: remaining key lifetime (k/sec): (4572865/1027)
    IV size: 8 bytes
    replay detection support: Y
    Status: ACTIVE
    outbound ah sas:
    outbound pcp sas:

  • LMS management ip & VRF

    Dear Clarke,
    I've read the following URL which was very useful.
    https://supportforums.cisco.com/docs/DOC-9005#Preferred_Management_IP
    Despite all that, I have not found a solution to our problem.
    We use the loopback method for discovery, which is very good for remote routers. We also use many VRFs in devices. Some devices (e.g. switches) do not have loopback interfaces.
    So here LMS chose the highest IP address of the devices. The problem is that the highest IP addresses are in a separate VRF. After discovery, RME cannot handle these devices. (No config archive, for example.)
    Why does LMS use the IP addresses from VRFs?
    It would be good for us if LMS used the "default" VRF IP addresses only. Is it possible?
    What is a good, single solution for both routers and switches?
    Thanks!

    Sorry, I missed your reply.  The code that checks for reachability uses SNMP to fetch the sysObjectID.  If this fails, the next address in the ipAddrTable will be tried.  SNMP must be working to those chosen management addresses in order for Discovery to use them.  Troubleshooting this further would require debugging to be enabled for the System discovery module.  Then, the ngdiscovery.log would show the reachability checks.
    That said, if SNMP is working to these addresses, but TFTP/telnet/SSH do not, an alternative would be to use resolve by sysName, resolve by name, or none.  None might be an acceptable option as that will use the address by which the device was discovered.

  • My new 8th gen iPod nano is 'not recognized' by my computer. My computer runs on Windows 7, and I've installed and updated the latest versions of itunes etc, but still to no avail! I've tried different usb ports, troubleshooting...

    My computer runs on Windows 7, and I've installed and updated the latest versions of iTunes etc., but still to no avail! I've tried different USB ports, troubleshooting, etc... But it still says "One of the USB devices attached to this computer has malfunctioned and Windows does not recognize it".
    The iPod is brand new, sent to me by Apple as part of the 1st gen replacement programme. I've been using the cable that came with the 1st gen iPod (I bought the first gen second hand). It always worked on my computer with the 1st gen iPod. So I was wondering, do you think I need to replace my cable in order for my PC to recognize my iPod or is it something else?
    Thanks

    Try a different cable. And are you connecting directly to your computer or through a USB hub?

  • TS3694 My Ipod is not recognized by Itunes with my Windows 8 PC. Works fine with Windows 7 PC. Device sync test says "No device found". Already performed all of the Ipod device troubleshooting including reload Itunes, stop start Ipod device, changed drive

    Need help? Some of my iPods are not recognized by iTunes with my Windows 8 PC (iPod Nano 4th gen and iPod Nano 6th gen), but on my Windows 7 PC, they work fine. My iPod 3rd gen and iPod shuffle work on both Windows 8 and 7 PCs. On the non-working iPods, the device sync test says "No device found". Already performed all of the iPod device troubleshooting including reload iTunes, stop start iPod device, changed drive letter...
    Any help is appreciated. Chris4sail

    Hello there, chris4sail.
    The following Knowledge Base article offers up some great step-by-step instructions on troubleshooting your iPod not being recognized in iTunes:
    iPod not recognized in My Computer and in iTunes for Windows
    http://support.apple.com/kb/ts1369
    Thanks for reaching out to Apple Support Communities.
    Cheers,
    Pedro.

  • IPod not recognized by Windows or iTunes, troubleshooting didn't help.

    I have an 80 gig iPod classic. When I plug it into my computer it is not recognized by either Windows or iTunes. However, it does charge while connected. I have gone through every troubleshooting tip on the Apple website and nothing has worked. The only thing I was unable to try was restoring it because it needs to be recognized in iTunes in order to do so. Any suggestions?

    I had the same problem...
    OK, after 8 hours, it worked. I was installing and uninstalling only iTunes 9, but not all the Apple components on my computer. Uninstall iTunes 9 and all its components: Apple Mobile Device Support, Apple Software Update, Bonjour, iPod for Windows, iTunes, QuickTime.
    Under the folder c:\Program Files delete the following folders:
    Apple Software Update, Bonjour, iPod, iTunes, QuickTime
    Search for any hidden folders named "Apple Computer" or "Apple". These may appear under AppData or Local/AppData. Delete these folders.
    Restart your Windows machine and install iTunes 9 and QuickTime again. Good luck!
