View traffic "in the tunnel"?

I have a VPN setup between two sites. My end has a 3000 concentrator, other end is unknown at this time.
I know the tunnel is up and I know that the initial syn is being passed and hitting the system in question on the other side. I also know that the other side is responding with a syn/ack, but I don't see anything on my side.
I don't have access to the other side but they assure me its NOT THEM.
So I need to PROVE that I can see traffic go IN the tunnel and ALSO see that nothing is being dropped while in the tunnel on my side.
I have yet to find how to view this. What classes should I have enable to view this?
Appreciate any assistance or pointing to the documentation where this is found

Kendall,
You will have to work with the concentrator live event log as well as some basic test when bringing up the tunnel and stablishing the connection. You do not say who initiates this tunnel nor what type of tcp services are allowed, but lets assume host 10.2.2.2 on your side is the one initiating the tunnel to destination host on other side 192.168.1.1 , and that other side is allowing RDP port 3389.
You may do a simple telnet test on 3389 port.
e.g telnet 192.168.1.1 3389 you should get a black screen and at the some time this will also triger interesting traffic to bring up the tunnel, observe the live event log from concentrator which will provide detailed information on the two Ipsec Phases, that is Phase-1 and Phase-2 SA exchange etc... if indeed the tunnel comes up you should see it is the live event log as well as when you do the telnet test, you may provide the other side with log information from the your concentrator.
As for encripted traffic on the concentrator loog at the Monitor sessions Window look at LAN-to-LAN section , if tunnel is up and traffic is exchanged you should see Bytes Tx, Bytes Rx as well as Encryption statistics on the tunnel.
If this process is the other way around meaning the other side is initiating interesting traffic the same information applies, live event log should provide the IPsec tunnel being stablished or failing.
Rgds
Jorge

Similar Messages

How to: audit guest user traffic and keep it out of the tunnel

Hi all,
Project:
Install AP in county library for local client use to the cloud via cable/dsl (vlan3) and maintain usage counters.
Manage the AP thru the cloud, over the existing (3rd party) library network (vlan2), no client traffic.
Sounds just like an OEAP using the private ssid. Just no accounting that way.
I read somewhere that ver 8.0 would let us flex internet traffic local and route everything else thru the tunnel,
but that probably would not provide a usage audit either.

Hi all,
Well the question had a bit of obfuscation built in.
I trunked my AP from the local switch... native vlan 125. Vlan 16 is the dsl pop.
AP links to the WLC via 125. Flex ssid is linked to the local vl16. The flex ssid is wpa2/psk and the WLC tracks all associations there-too with MAC/IP data, adequate to create user/count data.
Too simple. I was thinking ACL's and all the rest.
Thank you

Cisco 881 ISR IPSec VPN Tunnel does not pass traffic from the vlan.

I have a cisco 881 ISR Router with a site-to-site IPsec vpn tunnel to a mikrotik device on the other end (I inherited this from my client). The tunnel is constructed properly and is up, however traffic does not pass or get routed to the FA4 interface. I see in my packet captures that it hits the vlan1 interface (vlans are required on the L2 ports) and does not pass to the tunnel.
This is my configuration:
141Kerioth#sh config
Using 3763 out of 262136 bytes
! Last configuration change at 01:02:41 UTC Mon May 26 2014 by admin
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname 141Kerioth
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
aaa new-model
141Kerioth#do wr mem
              ^
% Invalid input detected at '^' marker.
141Kerioth#wr mem
Building configuration...
[OK]
141Kerioth#sh run
Building configuration...
Current configuration : 5053 bytes
! Last configuration change at 01:38:06 UTC Mon May 26 2014 by admin
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname 141Kerioth
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
aaa new-model
aaa authentication login default local
aaa authentication ppp default local
aaa session-id common
memory-size iomem 10
crypto pki trustpoint TP-self-signed-580381394
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-580381394
revocation-check none
rsakeypair TP-self-signed-580381394
crypto pki certificate chain TP-self-signed-580381394
certificate self-signed 01
30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 35383033 38313339 34301E17 0D313430 35323231 38323333
365A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3538 30333831
33393430 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
B001A012 2CA6970C 0648798B 2A786704 84F2D989 83974B19 9B4287F2 4503D2C9
173F23C4 FF34D160 202A7565 4A1CE08B 60B3ADAE 6E19EE6E 9CD39E72 71F9650E
930F22FE C4441F9C 2D7DD420 71F75DFC 3CCAC94E BA304685 E0E62658 A3E8D01C
D01D7D6A 5AF0B0E6 3CF6AF3A B7E51F83 9BF6D38E 65254E1F 71369718 ADADD691
02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F 0603551D
23041830 168014D6 24878F12 1FFADF2F 537A438E 6DD7FB6B D79E4130 1D060355
1D0E0416 0414D624 878F121F FADF2F53 7A438E6D D7FB6BD7 9E41300D 06092A86
4886F70D 01010505 00038181 00771667 FCA66002 8AB9E5FB F210012F C50B586F
9A9640BB 45B4CEFD 030A38C0 E610AAC8 B41EF3C4 E55810F9 B2C727CF C1DEFCF1
0846E7BC 1D95420E 5DADB5F8 EFE7EB37 B5433B80 4FF787D4 B1F2A527 06F065A4
00522E97 A9D2335C E83C4AE1 E68D7A41 9D0046A7 ADCC282B 7527F84D E71CC567
14EF37EA 15E57AD0 3C5D01F3 EF
        quit
ip dhcp excluded-address 10.0.16.1
ip dhcp pool ccp-pool
import all
network 10.0.16.0 255.255.255.0
default-router 10.0.16.1
dns-server 8.8.8.8
lease 0 2
ip domain name kerioth.com
ip host hostname.domain z.z.z.z
ip name-server 8.8.8.8
ip name-server 4.2.2.2
ip cef
no ipv6 cef
license udi pid CISCO881-K9 sn FTX180483DD
username admin privilege 15 secret 4 CmmfIy.RPySmo4Q2gEIZ2jlr3J.bTBAszoe5Bry0z4c
username meadowbrook privilege 0 password 0 $8UBr#Ux
username meadowbrook autocommand exit
policy-map type inspect outbound-policy
crypto isakmp policy 1
encr 3des
authentication pre-share
group 5
crypto isakmp key 141Township address z.z.z.z
crypto isakmp keepalive 10
crypto ipsec transform-set TS esp-3des esp-sha-hmac
mode tunnel
crypto map mymap 10 ipsec-isakmp
set peer z.z.z.z
set transform-set TS
match address 115
interface Loopback0
no ip address
interface Tunnel1
no ip address
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface FastEthernet4
description $FW_OUTSIDE_WAN$
ip address 50.y.y.y 255.255.255.240
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map mymap
interface Vlan1
description $ETH_LAN$
ip address 10.0.16.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 115 interface Vlan1 overload
ip nat inside source list 199 interface FastEthernet4 overload
ip nat inside source route-map nonat interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 50.x.x.x
access-list 110 deny   ip 10.0.16.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 110 permit ip 10.0.16.0 0.0.0.255 any
access-list 115 permit ip 10.0.16.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 144 permit icmp host c.c.c.c host 10.0.1.50
access-list 144 permit icmp host p.p.p.p host 10.0.16.105
access-list 199 permit ip a.a.a.a 0.0.0.255 any
no cdp run
route-map nonat permit 10
match ip address 100
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 1 in
exec-timeout 30 0
privilege level 15
transport preferred ssh
transport input ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh
cns trusted-server all-agents x.x.x.x
cns trusted-server all-agents hostname
cns trusted-server all-agents hostname.domain
cns id hardware-serial
cns id hardware-serial event
cns id hardware-serial image
cns event hostname.domain 11011
cns config initial hostname.domain 80
cns config partial hostname.domain 80
cns exec 80
end

Why do you have following command on the PIX?
crypto map outside_map 40 set transform-set 165.228.x.x
Also you have this transform set on the PIX:
crypto ipsec transform-set 10.112.60.0 esp-aes-256 esp-sha-hmac
This does not match the transfor set on the router:
crypto ipsec transform-set tritest esp-3des esp-md5-hmac
Where are you using the access-list/route-map
101 ?

What is the 'tunnel mpls traffic-en bandwidth' ?

Hi
I do not understand about 'mpls tunnel traffic-en bandwidth'
If i want to use the RSVP-TE then i know i have to configure the 'ip rsvp bandwidth ...' and 'tunnel mpls traffic-en bandwidth...'
But why i have to configure them for TE.
RSVP is Resource Reservation Bandwidth so i think that 'ip rsvp bandwidth' checked the available B/W in physical interface for TE and it is not the reality B/W for tunnel.
Is it correct?
Can you teach me them for me 'IP RSVP BANDWIDTH, TUNNEL MPLS TRAFFIC-EN BANDWIDTH'
Thank you

Hello Byung,
the ip rsvp bandwidth specifies the total amount of resources available outbound an interface = total reserveable bandwidth on the link it can even bei higher then effective interface speed.
The other command specifies the amount of bandwidth to be used in the reservation for the specific MPLS TE tunnel and has to be lower then the first one in order for the link to be selected and used for the tunnel. If no suitable path is found the tunnel setup fails.
To be noted the bandwidth associated to an MPLS TE Tunnel is an administrative parameter and does not reflect the effective traffic that can travel over the tunnel.
The Call admission control is performed on the administrative bandwidth parameter not on effective user traffic.
Hope to help
Giuseppe

High delay when traffic passes through the tunnel

Hello,
i have a dmvpn topology, .
When i try to ping the real ip on the hub's outside interface from the spoke, the delay is approximately 100ms, but when i ping the tunnel ip address the delay becomes 4000ms.
Your help is really appreciated

Can you post the configuration?
Did you set the MTU of the tunnel interface correctly?
Also check the switching (CEF/Process Switching) configuration.
Regards
Farrukh

IPSec secured L2TPv3 - one way traffic in L2 tunnel

Sigh... after 7 hours battling coming here because I've exhausted all my options to find an answer for my problem.
So here is the topology - standard (boring) IPSec secured L2TPv3 tunnel: on one side - 897 connected to a DSL box, on another side - 1921 with two interfaces.
Purpose to setup a plain L2TPv3 tunnel between those locations so computers plugged into the 897's 8-port switch interface can communicate with number of devices connected to 1921 on other side.
897:
crypto ikev2 keyring key1
peer destination_ip_address
address local_outside_ip_address
pre-shared-key key
crypto ikev2 profile default
match identity remote address 1921_outside_ip_address 255.255.255.255
identity local address 897_outside_ip_address
authentication remote pre-share
authentication local pre-share
keyring local key1
crypto ikev2 dpd 30 3 periodic
controller VDSL 0
ip ssh rsa keypair-name router-key
ip ssh version 2
pseudowire-class DZD
encapsulation l2tpv3
ip local interface Loopback1
ip pmtu
ip dfbit set
ip tos reflect
crypto ipsec transform-set default esp-aes esp-sha-hmac
mode tunnel
crypto ipsec df-bit set
crypto map local 1 ipsec-isakmp
set peer 1921_outside_ip_address
set ikev2-profile default
match address 130
interface Loopback1
ip address 172.16.1.1 255.255.255.255
interface ATM0
no ip address
no atm ilmi-keepalive
interface Ethernet0
no ip address
interface GigabitEthernet0
no ip address
interface GigabitEthernet1
no ip address
interface GigabitEthernet2
no ip address
interface GigabitEthernet3
no ip address
xconnect 172.16.1.2 1 encapsulation l2tpv3 pw-class DZD
interface GigabitEthernet4
no ip address
interface GigabitEthernet5
no ip address
interface GigabitEthernet6
no ip address
interface GigabitEthernet7
no ip address
interface GigabitEthernet8
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
interface Wlan-GigabitEthernet8
no ip address
interface wlan-ap0
description Embedded Service module interface to manage the embedded AP
ip unnumbered Vlan1
interface Vlan1
ip address 10.97.2.29 255.255.255.0
interface Dialer1
mtu 1492
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ipv6 address autoconfig
ppp authentication pap callin
ppp pap sent-username DSL_username password DSL_password
crypto map local
ip forward-protocol nd
ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 Dialer1
access-list 130 permit ip host 172.16.1.1 host 172.16.1.2
dialer-list 1 protocol ip permit
c897#
1921:
crypto ikev2 keyring key1
peer 897_outside_ip_address
address 897_outside_ip_address
pre-shared-key key
crypto ikev2 profile default
match identity remote address 897_outside_ip_address 255.255.255.255
identity local address 1921_outside_ip_address
authentication remote pre-share
authentication local pre-share
keyring local key1
crypto ikev2 dpd 30 3 periodic
ip ssh version 2
lldp run
pseudowire-class ZRH
encapsulation l2tpv3
ip local interface Loopback1
ip pmtu
ip dfbit set
ip tos reflect
crypto ipsec transform-set default esp-aes esp-sha-hmac
mode tunnel
crypto ipsec df-bit set
crypto map local 1 ipsec-isakmp
set peer 897_outside_ip_address
set ikev2-profile default
match address 130
interface Loopback1
ip address 172.16.1.2 255.255.255.255
interface Embedded-Service-Engine0/0
no ip address
interface GigabitEthernet0/0
description WAN-ACC
ip address 1921_outside_ip_address 255.255.255.0
duplex auto
speed auto
crypto map local
interface GigabitEthernet0/1
description LAN-Trunk
no ip address
duplex auto
speed auto
xconnect 172.16.1.1 1 encapsulation l2tpv3 pw-class ZRH
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 default_gateway_of_1921
logging host 10.96.2.21
access-list 130 permit ip host 172.16.1.2 host 172.16.1.1
pnc01921#
Note - 1921 is connected to the Nexus 2248TP FEX, here is the config of the interface of the FEX:
pnc00001# sh run int e101/1/6
!Time: Thu May 1 06:15:02 2014
version 5.0(3)N2(2b)
interface Ethernet101/1/6
switchport access vlan 702
Now, IPsec tunnel comes up and does pass traffic - I can ping from one l1 another l1, below is the output from 897:
sh cry ike sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 897_outside_ip_address/500 1921_outside_ip_address/500 none/none READY
Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/76 sec
IPv6 Crypto IKEv2 SA
#sh cry ips sa
interface: Dialer1
Crypto map tag: local, local addr 897_outside_ip_address
protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.16.1.2/255.255.255.255/0/0)
current_peer 1921_outside_ip_address port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
#pkts decaps: 51, #pkts decrypt: 51, #pkts verify: 51
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 897_outside_ip_address, remote crypto endpt.: 1921_outside_ip_address
path mtu 1492, ip mtu 1492, ip mtu idb Dialer1
current outbound spi: 0x852BF1F2(2234249714)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x5D9DFB1A(1570634522)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: Onboard VPN:2, sibling_flags 80000040, crypto map: local
sa timing: remaining key lifetime (k/sec): (4190855/3504)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x852BF1F2(2234249714)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: Onboard VPN:1, sibling_flags 80000040, crypto map: local
sa timing: remaining key lifetime (k/sec): (4190863/3504)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
#ping 172.16.1.2 sour l1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/23/24 ms
Now, L2 tunnel shows to be up on both ends as well (output from 897 here)
#sh xconnect all
Legend: XC ST=Xconnect State S1=Segment1 State S2=Segment2 State
UP=Up DN=Down AD=Admin Down IA=Inactive
SB=Standby RV=Recovering NH=No Hardware
XC ST Segment 1 S1 Segment 2 S2
------+---------------------------------+--+---------------------------------+--
UP ac Gi3(Ethernet) UP l2tp 172.16.1.2:1 UP
However, if you look at detailed output of l2tunn, you will see that the tunnel receives traffic from 1921, but does not send anything:
#sh l2tun tunnel all
L2TP Tunnel Information Total tunnels 1 sessions 1
Tunnel id 3504576447 is up, remote id is 2898810219, 1 active sessions
Locally initiated tunnel
Tunnel state is established, time since change 00:19:34
Tunnel transport is IP (115)
Remote tunnel name is pnc01921
Internet Address 172.16.1.2, port 0
Local tunnel name is pnc0DRZD
Internet Address 172.16.1.1, port 0
L2TP class for tunnel is l2tp_default_class
Counters, taking last clear into account:
0 packets sent, 763 received
0 bytes sent, 65693 received
Last clearing of counters never
Counters, ignoring last clear:
0 packets sent, 763 received
0 bytes sent, 65693 received
Control Ns 18, Nr 9
Local RWS 512 (default), Remote RWS 512 (max)
Control channel Congestion Control is disabled
Tunnel PMTU checking enabled
Retransmission time 1, max 1 seconds
Unsent queuesize 0, max 0
Resend queuesize 0, max 2
Total resends 0, ZLB ACKs sent 8
Total out-of-order dropped pkts 0
Total out-of-order reorder pkts 0
Total peer authentication failures 0
Current no session pak queue check 0 of 5
Retransmit time distribution: 0 0 0 0 0 0 0 0 0
Control message authentication is disabled
Mirrored situation on other side - 1921 sends packets, but nothing is received:
pnc01921#sh l2tun tunnel all
L2TP Tunnel Information Total tunnels 1 sessions 1
Tunnel id 2898810219 is up, remote id is 3504576447, 1 active sessions
Remotely initiated tunnel
Tunnel state is established, time since change 00:21:15
Tunnel transport is IP (115)
Remote tunnel name is pnc0DRZD
Internet Address 172.16.1.1, port 0
Local tunnel name is pnc01921
Internet Address 172.16.1.2, port 0
L2TP class for tunnel is l2tp_default_class
Counters, taking last clear into account:
815 packets sent, 0 received
69988 bytes sent, 0 received
Last clearing of counters never
Counters, ignoring last clear:
815 packets sent, 0 received
69988 bytes sent, 0 received
Control Ns 9, Nr 20
Local RWS 1024 (default), Remote RWS 512
Control channel Congestion Control is disabled
Tunnel PMTU checking enabled
Retransmission time 1, max 1 seconds
Unsent queuesize 0, max 0
Resend queuesize 0, max 1
Total resends 0, ZLB ACKs sent 18
Total out-of-order dropped pkts 0
Total out-of-order reorder pkts 0
Total peer authentication failures 0
Current no session pak queue check 0 of 5
Retransmit time distribution: 0 0 0 0 0 0 0 0 0
Control message authentication is disabled
There is a Windows box plugged into 897's G3 with IP address 10.97.2.25. I can ping from it 897's VLAN1 at 10.97.2.29. However I can't ping anything across the L2TPv3 tunnel. At the same time on that Windows box I can see broadcast traffic coming across the tunnel.
I give up. Anyone has some reasonable suggestion what might be wrong? I suspect that something is wrong at 897's side.
One last question - how can I create svi on 1921 and assign ip address from 10.97.2.0/24 network on it?

Anybody? Opened ticket #630128425, no response from Cisco yet..

Policy based routing on VRF interfaces to route traffic through TE Tunnel

Hi All,
Is there a method to do policy based routing on VRF interfaces and route data traffic through one TE tunnel and non-data traffic through another TE tunnel.
The tunnel is already build up with these below config
interface Tunnel25
ip unnumbered Loopback0
tunnel destination 10.250.16.250
tunnel mode mpls traffic-eng
tunnel mpls traffic-eng path-option 10 explicit name test
ip explicit-path name test enable
next-address x.x.x.x
next-address y.y.y.y
router ospf 1
mpls traffic-eng router-id Loopback0
mpls traffic-eng area 0
mpls traffic-eng tunnels
nterface GigabitEthernet5/2
mpls traffic-eng tunnels
mpls ip
Is there additional config needed to work ,also in the destination end for the return traffic,we want to use the normal PATH --I mean non TE tunnel.
We tested with the above scenario,but couldn't able to reach the destination.Meantime we had a question,when the packet uses the policy map while ingress,it may not know the associatuion with VRF(Is that right? --If so ,how to make it happen)
Any help would be really appreciated
Thanks
Regards
Anantha Subramanian Natarajan

hi Anantha!
I might not be the right person to comment on your first question. I have not configured MVPNs yet and not very confertable with the topic.
But I am sure that if you read through the CBTS doc thoroughly, you might be able to derive the answer yourself. One thing I notice is that " a Tunnel will be selected regularly according to the routing process (even isf it is cbts enabled). From the tunnels selected using the regular best path selection, the traffic is mapped to a perticular tunnel in the group if specific class is mapped to that tunnel.
So a master tunnel can be the only tunnel between the 2 devices over which the routing (bgp next hops) are exchanged and all other tunnels can be members of this tunnel. So your RPF might not fail.
You might have to explore on this a bit more and read about the co-existance of multicast and TE. This will be the same as that.
For your second question, the answer would be easy :
If you want a specific eompls cust to take a particular tunnel/path, just create a seperate pair of loopbacks on the PEs. Make the loopback learnt on the remote PE through the tunnel/path that you want the eompls to take. Then establish the xconnect with this loopback. I am assuming that your question is that a particular eompls session should take a particular path.
If you meant that certain traffic from the same eompls session take a different path/tunnel, then CBTS will work.
Regards,
Niranjan

Monitoring Traffic on a tunnel - Netflow Version 7

Hi,
I am trying to setup monitoring for Netflow and it is working but it doesn't seem I am capturing all the traffic as the utilization only shows 1-2%.
My current setup is this:
ip flow-cache timeout active 1
ip flow-export source GigabitEthernet0/1
ip flow-export version 5
ip flow-export destination xxx.xxx.xxx.xxx 9996 vrf xxxxxxxxxxxx
interface Tunnel1
ip vrf forwarding xxxxxxxxxxxxx
ip address xxxxxxxxxxxxxxxxxx
tunnel source xxxxxxxxxxxxxxxxxxxxxx
tunnel destination xxxxxxxxxxxxxxxxxxxx
tunnel vrf INTERNE
interface Tunnel2203
description WAN: US | xxx.xxx.xxx.xxx | xxx.xxx.xxx.xxx | xxx.xxx.xxx.xxx
ip vrf forwarding xxxxxxxxxxxxxxxx
ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
ip mtu 1500
ip route-cache flow
ip tcp adjust-mss 1350
ip ospf authentication-key 7 xxxxxxxxxxxxxxxxxxx
ip ospf cost 20
keepalive 10 3
tunnel sourcexxx.xxx.xxx.xxx
tunnel destination xxx.xxx.xxx.xxx
tunnel key xxx.xxx.xxx.xxx
tunnel checksum
interface GigabitEthernet0/1
description xxxxxxxxxxxxx, F0/45
no ip address
ip flow ingress
ip flow egress
ip route-cache flow
duplex auto
speed auto
interface GigabitEthernet0/0
description xxxxxxxxxxxxxxxx, xxxxxxxxxxxxx
ip vrf forwarding xxxxxxxxxxxxxxxx
ip address xxxxxxxxxxxxxxxxx
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip route-cache flow
load-interval 30
duplex full
speed 100
no mop enabled
Both Gig0/0 and 0/1 connect to the core however, as you see Gig0/0 uses VRP forwarding which is how I have it setup for our Netflow. I only seem be able to see Tunnel 1 and Gig0/0. I cannot see tunnel 2203 or Gig0/1.
xxxxxxxxxxxxxxx#show ip flow export
Flow export v5 is enabled for main cache
Export source and destination details :
VRF ID : 1
    Source(1)       xxxxxxxxxxx (Tunnel2203)
    Destination(1) xxxxxxxxxx (9996)
Version 5 flow records
3423675 flows exported in 115622 udp datagrams
0 flows failed due to lack of export packet
show ip cache flow
IP packet size distribution (1616M total packets):
   1-32   64   96 128 160 192 224 256 288 320 352 384 416 448 480
   .000 .398 .065 .054 .017 .030 .015 .011 .007 .007 .008 .005 .004 .003 .003
    512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
   .002 .002 .003 .038 .321 .000 .000 .000 .000 .000 .000
IP Flow Switching Cache, 278544 bytes
287 active, 3809 inactive, 62297999 added
1265353168 ager polls, 0 flow alloc failures
Active flows timeout in 1 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 25800 bytes
287 active, 737 inactive, 3406160 added, 3406160 added to flow
0 alloc failures, 0 force free
1 chunk, 1 chunk added
last clearing of statistics never
Please help?

This is not possible ... if you LAG the links. But if you un-LAG it maybe you can. I haven't tried it.
So that tunneled guest traffic flow can come via one trunk and leave on the guest VLAN via another trunk going to another switch. This sounds "awful" (for the lack of a better PG-13 word).

IPsec over GRE tunnel's line protocol is down but able to ping the tunnel destination

>>both routers are located in different countries and connected with ISP
>>IPsec over GRE tunnel is configured on both the routers
>>tunnel's line protocol is down for both the ends but able to reach the tunnel destination with tunnel source
>>Packet is not receiving on the router_1 and but could see packets are getting encrypting on the Router_2
>>ISP is not finding any issue with their end
>>Please guide me how i can fix this issue and what need to be check on this ????
========================
Router_1#sh run int Tunnel20
Building configuration...
Current configuration : 272 bytes
interface Tunnel20
bandwidth 2048
ip address 3.85.129.141 255.255.255.252
ip mtu 1412
ip flow ingress
delay 1
cdp enable
tunnel source GigabitEthernet0/0/3
tunnel destination 109.224.62.26
end
===================
Router_1#sh int Tunnel20
Tunnel20 is up, line protocol is up>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Keepalive is not set
Hardware is Tunnel
Description: *To CRPrgEIQbaghd01 - 2Mb GRE over Shared ISP Gateway*
Internet address is 3.85.129.141/30
MTU 17916 bytes, BW 2048 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 195.27.20.14 (GigabitEthernet0/0/3), destination 109.224.62.26
Tunnel Subblocks:
src-track:
Tunnel20 source tracking subblock associated with GigabitEthernet0/0/3
Set of tunnels with source GigabitEthernet0/0/3, 32 members (includes iterators), on interface <OK>
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255, Fast tunneling enabled
Tunnel transport MTU 1476 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input 1w6d, output 14w4d, output hang never
Last clearing of "show interface" counters 2y5w
Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
1565172427 packets input, 363833090294 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
1778491917 packets output, 1555959948508 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
=============================
Router_1#ping 109.224.62.26 re 100 sou 195.27.20.14
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 109.224.62.26, timeout is 2 seconds:
Packet sent with a source address of 195.27.20.14
Success rate is 92 percent (92/100), round-trip min/avg/max = 139/142/162 ms
Router_1#
============================================
Router_1#sh cry ip sa pe 109.224.62.26 | in caps
#pkts encaps: 831987306, #pkts encrypt: 831987306, #pkts digest: 831987306
#pkts decaps: 736012611, #pkts decrypt: 736012611, #pkts verify: 736012611
Router_1#sh clock
15:09:45.421 UTC Thu Dec 25 2014
Router_1#
===================
Router_1#sh cry ip sa pe 109.224.62.26 | in caps
#pkts encaps: 831987339, #pkts encrypt: 831987339, #pkts digest: 831987339
#pkts decaps: 736012611, #pkts decrypt: 736012611, #pkts verify: 736012611>>>>>>>>>>>>>>>>>>>>Traffic is not receiving from Router 2
Router_1#sh clock
15:11:36.476 UTC Thu Dec 25 2014
Router_1#
===================
Router_2#sh run int Tu1
Building configuration...
Current configuration : 269 bytes
interface Tunnel1
bandwidth 2000
ip address 3.85.129.142 255.255.255.252
ip mtu 1412
ip flow ingress
load-interval 30
keepalive 10 3
cdp enable
tunnel source GigabitEthernet0/0
tunnel destination 195.27.20.14
end
Router_2#
=======================
Router_2#sh run | sec cry
crypto isakmp policy 10
authentication pre-share
crypto isakmp key Router_2 address 195.27.20.14
crypto isakmp key Router_2 address 194.9.241.8
crypto ipsec transform-set ge3vpn esp-3des esp-sha-hmac
mode transport
crypto map <Deleted> 10 ipsec-isakmp
set peer 195.27.20.14
set transform-set ge3vpn
match address Router_2
crypto map <Deleted> 20 ipsec-isakmp
set peer 194.9.241.8
set transform-set ge3vpn
match address Router_1
crypto map <Deleted>
Router_2#
====================================
Router_2#sh cry ip sa pe 195.27.20.14 | in caps
#pkts encaps: 737092521, #pkts encrypt: 737092521, #pkts digest: 737092521
#pkts decaps: 828154572, #pkts decrypt: 828154572, #pkts verify: 828154572>>>>>>>>>>>>Traffic is getting encrypting from router 2
Router_2#sh clock
.15:10:33.296 UTC Thu Dec 25 2014
Router_2#
========================
Router_2#sh int Tu1
Tunnel1 is up, line protocol is down>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Down
Hardware is Tunnel
Internet address is 3.85.129.142/30
MTU 17916 bytes, BW 2000 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive set (10 sec), retries 3
Tunnel source 109.224.62.26 (GigabitEthernet0/0), destination 195.27.20.14
Tunnel Subblocks:
src-track:
Tunnel1 source tracking subblock associated with GigabitEthernet0/0
Set of tunnels with source GigabitEthernet0/0, 2 members (includes iterators), on interface <OK>
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255, Fast tunneling enabled
Tunnel transport MTU 1476 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input 1w6d, output 00:00:02, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 14843
Queueing strategy: fifo
Output queue: 0/0 (size/max)
30 second input rate 0 bits/sec, 0 packets/sec
30 second output rate 0 bits/sec, 0 packets/sec
1881547260 packets input, 956465296 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
1705198723 packets output, 2654132592 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
=============================
Router_2#ping 195.27.20.14 re 100 sou 109.224.62.26
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 195.27.20.14, timeout is 2 seconds:
Packet sent with a source address of 109.224.62.26
Success rate is 94 percent (94/100), round-trip min/avg/max = 136/143/164 ms
Router_2#
=========================

Hello.
First of all, try to reset IPSec (clear crypto isakmp sa ..., clear crypto session ...).
Configure inbound ACL on the router to match esp protocol and check if the packets arrive.
Please provide full output "show crypto ipsec sa"
from both sides.

L2L issue, the tunnel does not getting up from one direction

Hello,
We have configure a L2L vpn between Asa and 1841 router. We are facing this issue.
The tunnel is not getting up from the 1841 site never. When we are trying to generate traffic from the ASA site the tunnel is up and we can see decryps and encryps packets.
Router 1841 Config:
crypto isakmp policy 100
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key * address 213.249.XX.XX
crypto ipsec transform-set XXXXX esp-3des esp-md5-hmac
crypto map EKO_BG 100 ipsec-isakmp
set peer 213.249.x.x
set security-association lifetime seconds 28800
set transform-set XXXXX
set pfs group2
match address 111
interface FastEthernet0/0.2
encapsulation dot1Q 3338
ip address 212.200.30.130 255.255.255.252
ip nat outside
ip virtual-reassembly
crypto map XXXXX
ip nat pool nat_pool 93.87.XX.XX 93.87.XX.XX prefix-length 29
ip nat inside source list 101 pool nat_pool overload
ip nat inside source static 10.70.2.10 93.87.18.161
ip nat inside source static 10.70.25.10 93.87.18.162
ip nat inside source static 10.70.36.5 93.87.18.163
ip nat inside source static 10.70.39.10 93.87.18.164
ip nat inside source static 10.70.5.10 93.87.18.165
access-list 101 deny ip 10.70.200.0 0.0.0.255 any
access-list 101 permit ip 10.70.0.0 0.0.255.255 any
access-list 111 permit ip 10.70.200.0 0.0.0.255 172.40.10.100 0.0.0.3
Asa Config:
access-list inside_nat0_outbound extended permit ip 172.40.10.100 255.255.255.252 10.70.200.0 255.255.255.0
access-list outside_cryptomap_320 remark xxxxxxx
access-list outside_cryptomap_320 extended permit ip 172.40.10.100 255.255.255.252 10.70.200.0 255.255.255.0
access-list inside_pnat_outbound_V5 extended permit ip host 10.8.x.x 10.70.200.0 255.255.255.0
pager lines 24
nat (inside) 9 access-list inside_pnat_outbound_V5
crypto ipsec transform-set xxxxx esp-3des esp-md5-hmac
crypto map mymap 150 match address
crypto map mymap 150 set pfs
crypto map mymap 150 set peer XXXXXX
crypto map mymap 150 set transform-set XXX
crypto map mymap 150 set security-association lifetime seconds 28800
crypto map mymap 150 set security-association lifetime kilobytes 10000
crypto map mymap 320 match address outside_cryptomap_320
crypto map mymap 320 set pfs
crypto map mymap 320 set peer XXXXX
crypto map mymap 320 set transform-set XXXXX
crypto map mymap 320 set security-association lifetime seconds 28800
crypto map mymap 320 set security-association lifetime kilobytes 4608000
crypto map mymap 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map mymap interface outside
isakmp policy 150 authentication pre-share
isakmp policy 150 encryption 3des
isakmp policy 150 hash md5
isakmp policy 150 group 2
tunnel-group 212.200.x.x type ipsec-l2l
tunnel-group 212.200.x.x ipsec-attributes
pre-shared-key *
Please advise.
Thank you.

hello Ashley,
thank you for this info. Now from the router site the tunneling is getting up and I can see packets but althought the tunnel is up it can not make telnet to our server (172.40.10.100) on a specific port.
We from ASA site can ping router Site and make telnet.
Any ideas???
Thank you all from your answers!

Since installing LTR 5.4, which I've now upgraded to 5.6, I've encountered repeated slowness and malfunctions in operations, especially when using the Compare View function and the Tab key to open and close the right and left side panels. Such problems n

Since installing LTR 5.4, which I've now upgraded to 5.6, I've encountered repeated slowness and malfunctions in operations, especially when using the Compare View function and the Tab key to open and close the right and left side panels. Such problems never arose during two years of using LTR-4 and nothing else has changed on my computer. I have a pretty simple system with only a few plug-ins, which are usually not in operation. I have 12GB of RAM in my Windows 7 PC. I could illustrate these problems with screen shots if you would tell me how to submit screen shots. Otherwise I will try to describe the problems in words.
The problem is clearly cumulative, growing worse as usage time passes. Compare View feature gradually slows down and eventually seems to choke as my work session proceeds. If I Exit LTR and re-enter and start all over, things will work normally for maybe 30 minutes, but then the Compare View feature begins to become very slow to respond. In a recent example with my screen full of thumbnails in Library mode I highlighted two images to compare. LTR started to open the Compare View screen by first having the top row of thumbnails disappear to be replaced by the "SELECT" and "CANDIDATE" words in their spaces (but no images), but Compare View never succeeded in gaining control of the screen. After some seconds the top row of thumbnails reasserted its position and the Compare View windows disappeared. But LTR kept trying to bring them back. Again the top row of thumbnails would go away, Select and candidate would reappear, try again, and give up. This went on for at least 2-3 minutes before I tried to choose File and Exit, but even that did not initially want to respond. It doesn't like to accept other commands when it's trying to open Compare View. Finally it allowed me to exit.
To experiment I created a new catalog of 1100 images. After 30-40 minutes, the Compare View function began to operate very slowly. With left and right side panels visible and two thumbnails highlighted, hitting Compare View can take half a minute before the two mid-size images open in their respective SELECT and CANDIDATE windows. When the side panels are open and two images are in the Select/Candidate spaces, hitting the Tab button to close the side panels produces a very delayed response--25-30 seconds to close them, a few more seconds to enlarge the two images to full size. To reverse the process (i.e., to recall the two side panels), hitting Tab would make the two sides of the screen go black for up to a minute, with no words visible. Eventually the info fields in the panels would open up.
I also created a new user account and imported a folder of 160 images. After half an hour Compare View began mis-placing data. (I have a screen shot to show this.) CANDIDATE appears on the left side of SELECT, whereas it should be on the right. The accompanying camera exposure data appears almost entirely to the left of the mid-screen dividing line. Although the Candidate and Select headings were transposed, the image exposure data was not, but the data for the image on the right was almost entirely to the left of the line dividing the screen in two.
Gurus in The Lightroom Forum have examined Task Manager data showing Processes running and Performance indicators and they see nothing wrong. I could also send screen shots of this data.
At this point, the only way I can process my images is to work 30-40 minutes and then shut down everything, exit, and re-start LTR. This is not normal. I hope you can find the cause, and then the solution. If you would like to see my screen shots, tell me how to submit them.
Ollie
[email protected]

Since installing LTR 5.4, which I've now upgraded to 5.6, I've encountered repeated slowness and malfunctions in operations, especially when using the Compare View function and the Tab key to open and close the right and left side panels. Such problems never arose during two years of using LTR-4 and nothing else has changed on my computer. I have a pretty simple system with only a few plug-ins, which are usually not in operation. I have 12GB of RAM in my Windows 7 PC. I could illustrate these problems with screen shots if you would tell me how to submit screen shots. Otherwise I will try to describe the problems in words.
The problem is clearly cumulative, growing worse as usage time passes. Compare View feature gradually slows down and eventually seems to choke as my work session proceeds. If I Exit LTR and re-enter and start all over, things will work normally for maybe 30 minutes, but then the Compare View feature begins to become very slow to respond. In a recent example with my screen full of thumbnails in Library mode I highlighted two images to compare. LTR started to open the Compare View screen by first having the top row of thumbnails disappear to be replaced by the "SELECT" and "CANDIDATE" words in their spaces (but no images), but Compare View never succeeded in gaining control of the screen. After some seconds the top row of thumbnails reasserted its position and the Compare View windows disappeared. But LTR kept trying to bring them back. Again the top row of thumbnails would go away, Select and candidate would reappear, try again, and give up. This went on for at least 2-3 minutes before I tried to choose File and Exit, but even that did not initially want to respond. It doesn't like to accept other commands when it's trying to open Compare View. Finally it allowed me to exit.
To experiment I created a new catalog of 1100 images. After 30-40 minutes, the Compare View function began to operate very slowly. With left and right side panels visible and two thumbnails highlighted, hitting Compare View can take half a minute before the two mid-size images open in their respective SELECT and CANDIDATE windows. When the side panels are open and two images are in the Select/Candidate spaces, hitting the Tab button to close the side panels produces a very delayed response--25-30 seconds to close them, a few more seconds to enlarge the two images to full size. To reverse the process (i.e., to recall the two side panels), hitting Tab would make the two sides of the screen go black for up to a minute, with no words visible. Eventually the info fields in the panels would open up.
I also created a new user account and imported a folder of 160 images. After half an hour Compare View began mis-placing data. (I have a screen shot to show this.) CANDIDATE appears on the left side of SELECT, whereas it should be on the right. The accompanying camera exposure data appears almost entirely to the left of the mid-screen dividing line. Although the Candidate and Select headings were transposed, the image exposure data was not, but the data for the image on the right was almost entirely to the left of the line dividing the screen in two.
Gurus in The Lightroom Forum have examined Task Manager data showing Processes running and Performance indicators and they see nothing wrong. I could also send screen shots of this data.
At this point, the only way I can process my images is to work 30-40 minutes and then shut down everything, exit, and re-start LTR. This is not normal. I hope you can find the cause, and then the solution. If you would like to see my screen shots, tell me how to submit them.
Ollie
[email protected]

Unable to view data in the InfoCube as well as in the query

Hi all,
I have done the Init Load into an InfoCube 0Pur_c01. The Monitoring status is Green. I checked the Qm status which is green. There is data in the PSA.
However, I am unable to view data in the InfoCube. Also when I execute the report I am receiving 'Application Data not found'error.
It looks to be a strange sitaution.
Please help me out
Regards
YJ

Hi,
I hope, some times the the unavailability of "PROCESSKEY" value for the records delivers like this.
Refer the note: 353042
And also refer the links:
Re: Problem extracting 2LIS_03_BX into 0IC_C03
Re: Records Not Added
And also search this forum with "PROCESSKEY"
With rgds,
Anil Kumar Sharma .P

In two page view preview shows the first page on its own

In two page view preview shows the first page on its own. I have recently downloaded an ebook which has image based tutorials and the pages are in such a way that pages 3 and 4 should be seen next to each other. Preview seems to want to have pages 1 on its own therefore making this rather difficult. Any help on resolving this issue would be appreciated.

Try selecting the first page, and then from the "Edit" menu select "insert blank page". This should put a blank page at the beginning of the document, shifting all pages down one and putting them in the order you want for your display.

View objects referencing the same entity

The behaviour occurs in every version of jdeveloper ADF BC i have tried so far (10g, 11g).
I have 2 updatable view objects referencing the same entity object. When i create a new record using the first view object and before commiting the data to the database i navigate to the second
view object. Suprisingly the second view object is populated with the same data that is posted on the first view object. It seems like both view objects are referencing the same entity object instance.
Is any way to overcome this strange behaviour.
Thanks

As Timo says think of the EO as a record cache. If you had 700 VOs all based on the same EO, it would be ideal to store the same record(s) 700 times in the midtier as it would consume vasts amount of memory. Thus the EO cache.
If you do want to separate the VOs, you've 3 options:
1) Use separate EOs for each VO (not ideal)
2) Expose each VO under their own root level Application Module - a separate EO cache instance for each VO will be created at runtime - however you need to be careful between the VO/EO pairs, you don't update the same record, as you'll get record locks/contention
3) If you're using task flows in 11g, use the Always Begin New Transaction option for each screen/fragment for each VO. This is the equivalent of 2 but from the task flow level - however again you need to be careful on record locks.
CM.

For the past week, I am unable to view videos. The page comes up with this comment: "Blocked plug-in" and it suggests that I download the latest version of Flash player. I have downloaded that and still get the same comment. Please help.

I have an iMac11.2 and am running Mac OS 10.6.8. I have not had a problem viewing videos until the past week or so. Now I cannot view videos on my news, facebook or in email messages at all. A message pops up in the window that says "Blocked plug-in". I have downloaded the latest version of Flash Player for which it asks and still no luck. Can anyone here help me with this? Thank you. Grace

TThere have been 3 updates to flash player ink the past month.
download and install the latest.
this warning seems to be a part of the newer security updates.

View traffic "in the tunnel"?

Similar Messages

Maybe you are looking for