VPN service module choice 7600-SSC-400 vs. SPA-IPSEC-2G
Need to decide between the two VPN service modules, 7600-SSC-400 and SPA-IPSEC-2G, for a 6509 Sup 720 3BXL. Not sure what the difference is and couldn't find much info just searching the internet. What would be the benefits of one or the other?
Hello,
You will need both. The 7600-SSC-400 is the carrier module of the SPA-IPSec-2G.
There is more information on this via the following link:
http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/configuration/6500series/76ovwvpn.html
Warm Regards,
Rose
Similar Messages
-
Dears,
We are already using the VPN module in our 6500 chassis, where all communication lines are terminated.
Now we will be using an EFM line, but I am not sure how to change the configuration related to it.
-
Hi All,
We have a VPN service module that doesn't support AES 256 bits. Is there a way to overcome this limitation by uploading a key? How can we do it if feasible?
thanks
Jean
If you require AES you need the newer VPN SPA.
http://www.cisco.com/en/US/prod/collateral/routers/ps368/product_data_sheet0900aecd8027c9ee_ps8768_Products_Data_Sheet.html
(assuming you have a 6500/7600...but you didn't state exactly what you have) -
Problem with installing new line card 7600-SSC-400
Hi all,
I have trouble when trying to install a new 7600-SSC-400 line card in a Cisco 6509. Here is the message displayed on the screen after I finished installing the line card: "%C6KPWR-SP-4-UNSUPPORTED: unsupported module in slot 7, power not allowed: The image for the card is not bundled in image." I tried to install this line card in another slot, but it doesn't work. The attached item is the logfile which I saved in the installing session. I don't know what I have to do now, please help me to resolve this problem!
Thanks so much,
Hieu
Hi Hieu,
You might want to run the following to see more detail of the error:
show diagnostic result module all detail
And I would also suggest that you reseat the 7600-SSC-400 line card firmly back to the switch, and check the status again.
If it's still showing the error, maybe you can try seating the module on a different slot, and check if you have the same issue.
If the issue still persists after reseating and testing it in a different slot, then it might be a hardware issue, and you might want to open a TAC case to investigate it further.
Hope that helps. -
7600 SSC-400 / SSC-600 Design Limitation
Hello,
I want to know if there is any way we can overcome the restrictions on these cards, resulting in reload when an SSO happens on a Catalyst 6500 switch.
Is there any new or upcoming model of SSC cards which will be SSO aware ?
Restrictions:
>VSPA state information is not maintained between the active and standby supervisor engine during normal operation. During a supervisor engine switchover in an SSO environment, the VSPA will reboot.
>The Cisco 7600 SSC-400 is not Route Processor Redundancy Plus (RPR+) or Stateful Switchover (SSO) aware. As a result, the Cisco 7600 SSC-400 will reset if RPR+ or SSO is configured.
http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/configuration/7600series/76ovwvpn.html#wp1108766
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/vspa/configuration/guide/ivmovw.html#wp1051863
Regards,
Akhtar
-
SSC-400 / SSC-600 / IPsec SPA resets during SSO
Hello,
I want to know if there is any way we can overcome the restrictions on these cards, resulting in reload when an SSO happens on a Catalyst 6500 switch.
Restrictions:
>VSPA state information is not maintained between the active and standby supervisor engine during normal operation. During a supervisor engine switchover in an SSO environment, the VSPA will reboot.
>The Cisco 7600 SSC-400 is not Route Processor Redundancy Plus (RPR+) or Stateful Switchover (SSO) aware. As a result, the Cisco 7600 SSC-400 will reset if RPR+ or SSO is configured.
http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/configuration/7600series/76ovwvpn.html#wp1108766
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/vspa/configuration/guide/ivmovw.html#wp1051863
Regards,
Akhtar
Hi Sung,
Have you loaded the appropriate FPD image into the flash? Please see the following document for more info:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/release/notes/ol_14271.html#wp2430389
HTH,
jerry -
c7600s72033-adventerprisek9-mz.122-33.SRC3.bin
7609 with Sup7203BXL supervisors.
Command rejected: VLAN 881 is crypto connected to Vl1020.
This command is rejected because allowing it will result in a crypto connected interface vlan to belong to the interface's allowed vlan list. This poses a potential IPSec security breach.
Note that this behavior applies to all trunk ports. If you're attempting to do "no switchport trunk allowed vlan <vlanlist>" Instead, use "switchport trunk allowed vlan none", or "switchport trunk allowed vlan remove <vlanlist>"
I currently get the preceding message when trying to add the IPSec VLAN to a trunk port. A little background: this has been working for about a year on a different endpoint device with a trunk up to it. We migrated to a new device for the endpoint of the IPSec traffic, and when trying to add the VLANs involved with it to the trunk, I get that message.
Interface VLAN 881 on IPSec Service Module port GigabitEthernet7/0/1 connected to Vlan1020 with crypto map set IPSEC
Interface VLAN 882 on IPSec Service Module port GigabitEthernet7/0/1 connected to Vlan1020 with crypto map set IPSEC
Interface Vlan1020 on IPSec Service Module port GigabitEthernet7/0/1 connected to GigabitEthernet1/1 with crypto map set
There is the show crypto vlan output. This was working just fine previously when I added the VLANs to a trunk, but when I tried to add the VLANs to a new set of interfaces, I got that error message. I went so far as to remove the VLANs from the working trunk and try to put them back, now I get the same message as above.
VLAN Usage
1006 online diag vlan0
1007 online diag vlan1
1008 online diag vlan2
1009 online diag vlan3
1010 online diag vlan4
1011 online diag vlan5
1012 PM vlan process (trunk tagging)
1013 Control Plane Protection
1014 vrf_0_vlan
1015 Container0
1016 IPv6-mpls RSVD VLAN
1017 L3 multicast partial shortcuts for VPN 0
1018 Egress internal vlan
1019 Multicast VPN 0 QOS vlan
1020 macedon_vrf0
1021 IPv6 Multicast Egress multicast
1022 GigabitEthernet1/1
1023 GigabitEthernet1/2
1024 GigabitEthernet1/3
1025 GigabitEthernet1/7
1026 GigabitEthernet1/22
1027 GigabitEthernet1/24
1028 macedon_ctlvlan
1029 macedon_nat7.0
1030 GigabitEthernet2/1
1031 GigabitEthernet2/3
1032 GigabitEthernet2/7
1033 GigabitEthernet2/24
1401 GigabitEthernet1/7.1401
There is the internal VLAN usage. The IPSec tunnel is using VRF mode, with the IPSec tunnel dropping to a VRF and the outside interfaces being in the global routing table. VLANs 881 and 882 are part of that VRF and they are SVIs.
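An added audit script (not from this thread or from Cisco) that applies offline the same rule the switch enforces above: it collects the crypto-connected interface VLANs from "show crypto vlan" output and flags any trunk whose allowed list carries one of them. The show output is constructed in the shape quoted above; the trunk interfaces and their allowed lists are hypothetical.

```python
import re

# Constructed output, copied in shape from the "show crypto vlan" lines quoted above.
SHOW_CRYPTO_VLAN = """\
Interface VLAN 881 on IPSec Service Module port GigabitEthernet7/0/1 connected to Vlan1020 with crypto map set IPSEC
Interface VLAN 882 on IPSec Service Module port GigabitEthernet7/0/1 connected to Vlan1020 with crypto map set IPSEC
Interface Vlan1020 on IPSec Service Module port GigabitEthernet7/0/1 connected to GigabitEthernet1/1 with crypto map set
"""

# Constructed trunk configuration to audit; interface names and allowed lists are hypothetical.
RUNNING_CONFIG = """\
interface GigabitEthernet3/1
 switchport mode trunk
 switchport trunk allowed vlan 100-200,881,882
interface GigabitEthernet3/2
 switchport trunk allowed vlan 10,1020
 switchport mode trunk
interface GigabitEthernet3/3
 switchport mode trunk
 switchport trunk allowed vlan none
"""

ALLOWED_PREFIX = "switchport trunk allowed vlan "


def crypto_vlans(show_output):
    """Every VLAN listed as a crypto-connected interface VLAN in 'show crypto vlan'."""
    return {int(v) for line in show_output.splitlines()
            for v in re.findall(r"^Interface Vlan\s?(\d+)", line, re.I)}


def expand_vlan_list(spec):
    """Expand an IOS allowed-vlan list such as '100-200,881' into a set of VLAN ids."""
    spec = spec.strip().lower()
    if spec == "none":
        return set()
    if spec == "all":
        return set(range(1, 4095))
    if spec.split()[0] in ("add", "remove", "except"):
        raise ValueError("incremental form not supported; feed the resolved list")
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def trunk_allowed(config_text):
    """Map each trunk-mode interface to its allowed VLAN set (IOS default: all VLANs)."""
    allowed, trunks, current = {}, [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1]
        elif current and line == "switchport mode trunk":
            trunks.append(current)
        elif current and line.startswith(ALLOWED_PREFIX):
            allowed[current] = expand_vlan_list(line[len(ALLOWED_PREFIX):])
    return {ifc: allowed.get(ifc, set(range(1, 4095))) for ifc in trunks}


def audit(show_output, config_text):
    """Trunks whose allowed list contains a crypto-connected VLAN, i.e. what the switch refuses above."""
    protected = crypto_vlans(show_output)
    return [(ifc, sorted(protected & vids))
            for ifc, vids in trunk_allowed(config_text).items() if protected & vids]


if __name__ == "__main__":
    for ifc, vids in audit(SHOW_CRYPTO_VLAN, RUNNING_CONFIG):
        print(f"{ifc}: allowed list carries crypto-connected VLAN(s) {vids}")
```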
-
(Linecard image not present) at WS-SSC-600 and 7600-SIP-400
I installed two modules, WS-SSC-600 and 7600-SIP-400, in slots 5 and 6 of a 13-slot chassis and get this output from show power: (Linecard image not present)
for both cards.
supervisor engine is : VS-S720-10G with sub-module VS-F6K-PFC3CXL and VS-F6K-MSFC3
IOS : s72033-advipservicesk9-mz.122-33.SXI9
What does that mean and how do I fix it?
OK, problem solved by upgrading IOS to another version, but the new image must contain (_wan) in the image name, for example (s72033-advipservicesk9_wan-mz.122-33.SXJ6); otherwise the two modules will not power up. -
Does ASA Service Module on 6509-E support Remote Access VPN ?
I'm having a problem configuring Remote Access VPN (SSL, AnyConnect etc.) on the ASA Service Module on a 6509-E. Is this even supported, or am I wasting my time trying to make something work which will not work in the first place :) ? Site-to-Site works without any problems.
Tech Info:
6509-E running SUP 2T 15.1(2)SY
ASA Module - WS-SVC-ASA-SM1 running image - asa912-smp-k8 & asdm-712
Licenses on ASA:
Encryption-DES - Enabled
Encryption-3DES-AES -Enabled
Thanks in advance for support.
Are you running multiple context mode?
If you are, remote access VPN is not supported in that case:
"Note Multiple context mode only applies to IKEv2 and IKEv1 site to site and does not apply to AnyConnect, clientless SSL VPN, the legacy Cisco VPN client, the Apple native VPN client, the Microsoft native VPN client, or cTCP for IKEv1 IPsec."
Reference. -
Flexible QinQ/Service Awareness on 7600 12.2(33)SRB
Hi experts,
I have a scenario whereby the NPE core-facing links are using the 7600-ES20-10G3CXL with MPLS turned on. The UPE facing links are using the WS-X6724-SFP LAN modules. I would like to know in this kind of setup, is the flexible QinQ feature supported, if configured on the WS-X6724 interfaces?
For example:
Module 2 on the 7600 is a WS-X6724-SFP LAN module.
7600-NPE#conf t
Enter configuration commands, one per line. End with CNTL/Z.
7600-NPE(config)#int g2/1
7600-NPE(config-if)#service instance 999 ?
ethernet Configure an Ethernet Instance
7600-NPE(config-if)#service instance 999 ethernet ?
WORD Attach an EVC to the service instance
<cr>
I understand the commands are there, but is this generally a supported feature? Or is the flexible QinQ only supported when a ES20/SIP-400 based card facing UPE is used?
Note: UPE is a 3750ME/ME3400 with 802.1Q trunk towards the 7600 NPE terminating on the WS-X6724.
Appreciate your thoughts on this.
Thanks in advance.
Hello,
The config seems to be valid from H-QoS point of view.
But as per Table 7-3, first row and Note1, on the following CCO link there are restrictions
from Classification side (class-maps) on ES+:
https://www.cisco.com/en/US/docs/routers/7600/install_config/ES40_config_guide/es40_chap7.html#wp1337428
Like, for match ACLs only classify based on source MAC address using Layer 2 ACL
supported for L2-switchports, EVCs/Port-chan EVCs.
Deny ACL is not supported on ES+ linecards.
So if in your class maps classification is based on an ACLs trying to
match Layer3 (IPs) and/or Layer4 info, those classification options are not supported for ES+.
And you got those errors.
In such a case you would need some kind of re-design, for example, to mark CoS fields on some downstream/access device,
and then on the ES+ ingress L2 interface or EVCs use class maps
which would just match on those DSCP/IP_Prec values.
Thanks,
Sergey -
I have what I believe to be a unique need;
I have a MacPro (1,1) running Lion with Server app.
I require that this particular machine be connected as a client to a VPN server, while at the same time acting as a VPN server for my network.
The PPTP connection configuration is such that "Send all traffic over VPN connection" is checked.
If PPTP client is NOT connected, I can connect to Lion as VPN server. As soon as I make the connection from Lion as a client, I can no longer
connect to Lion VPN server.
I understand this is because I am forcing all traffic out the virtual interface (tun0) and eth0 is no longer listening on the local network.
1. Is it possible to bind the VPN client (on Lion Server) to a particular interface? If I could tell the PPTP client to only use eth1 as the interface of choice, my assumption would be that eth0 would then be free to accept incoming connections.
2. Is it possible to bind the VPN service (on Lion Server) to a particular interface? If I could tell the VPN service to only listen on eth1, and in turn tell the PPTP client to NOT communicate on eth1 but only eth0, then perhaps I could separate the communications?
In my head, it seems as though both of the above options would be required in order to use Lion as both a VPN server and VPN client
Any and all help appreciated.
This is a standard facet of most VPNs - the problem lies in your NAT router, since both clients appear to come from the same IP address as far as the VPN server is concerned, and the router can't separate out the traffic.
There are a couple of solutions.
First, the built-in VPN server supports L2TP and PPTP protocols. You should be able to connect one system under each protocol, so that gets your two machines connected.
Second, you can replace your NAT router with one that supports multiple VPN clients (often termed 'VPN passthrough').
Third, set up a site-to-site tunnel so that your entire LAN is connected to the VPN (this saves you from having to run a separate VPN client on each machine, but is typically only worth it when you have more machines). -
Lion 10.7.2 VPN service not working
Hi,
I have a clean installation of 10.7.2 on a Mac Pro which is not able to provide VPN service. Here's what is configured:
*OD Master - users and groups in place
*firewall active with allow rules for all necessary VPN ports (500, 1701, 4500)
*port forwarding on router to server IP address of 500, 1701 and 4500
*pre-shared key in place
*VPN server turned on
I spent over an hour on the phone with Apple Enterprise Support and they finally conceded "the engineers have informed us that there is a bug with the VPN service and that it is being looked at currently. It will hopefully be addressed in the pending OS update."
Steps to reproduce:
1. client is configured with appropriate IP address, username, password and PSK
2. client attempts to connect
3. server's VPN log which should be in /var/log/ppp/vpnd.log is not populating with any new data, but the top-level "all messages" in console is showing a slew of information. Here is what is displaying:
12/4/11 8:42:41.340 PM racoon Connecting.
12/4/11 8:42:41.340 PM racoon IPSec Phase1 started (Initiated by peer).
12/4/11 8:42:41.340 PM racoon IKE Packet: receive success. (Responder, Main-Mode message 1).
12/4/11 8:42:41.341 PM racoon IKE Packet: transmit success. (Responder, Main-Mode message 2).
12/4/11 8:42:41.400 PM racoon IKE Packet: receive success. (Responder, Main-Mode message 3).
12/4/11 8:42:41.423 PM racoon IKE Packet: transmit success. (Responder, Main-Mode message 4).
12/4/11 8:42:44.297 PM racoon IKE Packet: transmit success. (Phase1 Retransmit).
12/4/11 8:42:47.300 PM racoon IKE Packet: transmit success. (Phase1 Retransmit).
12/4/11 8:42:50.303 PM racoon IKE Packet: transmit success. (Phase1 Retransmit).
12/4/11 8:43:02.316 PM racoon IKE Packet: transmit success. (Phase1 Retransmit).
12/4/11 8:43:17.332 PM racoon IKE Packet: transmit success. (Phase1 Retransmit).
12/4/11 8:43:35.350 PM racoon IKE Packet: transmit success. (Phase1 Retransmit).
12/4/11 8:43:56.373 PM racoon IKE Packet: transmit success. (Phase1 Retransmit).
12/4/11 8:44:20.399 PM racoon IKE Packet: transmit success. (Phase1 Retransmit).
12/4/11 8:44:47.428 PM racoon IKE Packet: transmit success. (Phase1 Retransmit).
All that is displaying in the /var/log/ppp/vpnd.log is:
2011-12-04 19:39:29 EST Loading plugin /System/Library/Extensions/L2TP.ppp
2011-12-04 19:39:29 EST Listening for connections...
2011-12-04 19:49:36 EST terminating on signal 15
#End-Date: 2011-12-04 19:49:36 EST
#Start-Date: 2011-12-04 19:49:38 EST
#Fields: date time s-comment
2011-12-04 19:49:38 EST Loading plugin /System/Library/Extensions/L2TP.ppp
2011-12-04 19:49:38 EST Listening for connections...
2011-12-04 20:04:13 EST terminating on signal 15
#End-Date: 2011-12-04 20:04:13 EST
#Start-Date: 2011-12-04 20:04:30 EST
#Fields: date time s-comment
2011-12-04 20:04:30 EST Loading plugin /System/Library/Extensions/L2TP.ppp
2011-12-04 20:04:30 EST Listening for connections...
I am hoping that this comes down to a bad port forwarding issue. Does anything seen in the above logs indicate that to you?
What would my next step be for trying to repair the VPN service? I want to avoid a reinstall if possible.
Thanks
Pete
OK, so, the best FIRST test is to try from the local LAN, the same LAN as the Lion server. L2TP works fine for me; PPTP definitely has a bug. You can configure the VPN connection in your network system preferences on the client machine. Just put in your local server IP.
The idea here is to first make sure VPN works on the LAN (which is useless of course but great for troubleshooting), once it does, THEN you can go to the next step and troubleshoot the remote connection. -
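An added Python example, not from the Lion 10.7.2 VPN thread above, that reads racoon console lines of the shape quoted there and reports where IKEv1 Phase 1 stalled; the log excerpt is constructed in that shape. It also answers the poster's port-forwarding question from the responder's side: with NAT-T the initiator moves to UDP 4500 for Main-Mode message 5, so a server stuck retransmitting message 4 points at the 4500 forwarding rule rather than the PSK.

```python
import re
from datetime import datetime

# Constructed excerpt, modelled on the racoon lines quoted in the thread above.
RACOON_LOG = """\
12/4/11 8:42:41.340 PM racoon Connecting.
12/4/11 8:42:41.340 PM racoon IPSec Phase1 started (Initiated by peer).
12/4/11 8:42:41.340 PM racoon IKE Packet: receive success. (Responder, Main-Mode message 1).
12/4/11 8:42:41.341 PM racoon IKE Packet: transmit success. (Responder, Main-Mode message 2).
12/4/11 8:42:41.400 PM racoon IKE Packet: receive success. (Responder, Main-Mode message 3).
12/4/11 8:42:41.423 PM racoon IKE Packet: transmit success. (Responder, Main-Mode message 4).
12/4/11 8:42:44.297 PM racoon IKE Packet: transmit success. (Phase1 Retransmit).
12/4/11 8:42:47.300 PM racoon IKE Packet: transmit success. (Phase1 Retransmit).
12/4/11 8:43:02.316 PM racoon IKE Packet: transmit success. (Phase1 Retransmit).
12/4/11 8:44:47.428 PM racoon IKE Packet: transmit success. (Phase1 Retransmit).
"""

# Console format: "M/D/YY H:MM:SS.mmm AM|PM racoon <message>".
LINE_RE = re.compile(r"^(\d{1,2}/\d{1,2}/\d{2} \d{1,2}:\d{2}:\d{2})\.\d+ (AM|PM) racoon (.*)$")
MM_RE = re.compile(r"\((?:Responder|Initiator), Main-Mode message (\d)\)")


def analyze_phase1(log_text):
    """Return how far IKEv1 Main Mode got and how long the local racoon kept retransmitting."""
    last_msg, retx, first_retx, last_retx = 0, 0, None, None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        t = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%m/%d/%y %I:%M:%S %p")
        mm = MM_RE.search(m.group(3))
        if mm:
            last_msg = max(last_msg, int(mm.group(1)))
        elif "Phase1 Retransmit" in m.group(3):
            retx += 1
            first_retx = first_retx or t
            last_retx = t
    stall = int((last_retx - first_retx).total_seconds()) if retx else 0
    return {"last_message": last_msg, "retransmits": retx, "stall_seconds": stall}


def diagnose(summary):
    """Turn the summary into the first thing to check, from the responder's point of view."""
    if summary["retransmits"] == 0:
        return "no Phase 1 retransmits: Phase 1 did not stall"
    if summary["last_message"] < 4:
        return "stalled before Main-Mode message 4: check the UDP 500 path to the peer"
    if summary["last_message"] == 4:
        # Messages 5 and 6 are the first encrypted ones, and when NAT-T detects a NAT the
        # initiator switches to UDP 4500 for message 5. The responder repeating message 4
        # means message 5 never arrived, so check UDP 4500 forwarding before the PSK.
        return "stalled after Main-Mode message 4: message 5 never arrived, check UDP 4500 forwarding"
    return "Phase 1 finished: look at Phase 2 / L2TP (UDP 1701) instead"


if __name__ == "__main__":
    s = analyze_phase1(RACOON_LOG)
    print(f"last Main-Mode message {s['last_message']}, {s['retransmits']} retransmits over {s['stall_seconds']} s")
    print(diagnose(s))
```
-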
ASA Service Module on 6500 monitoring console session
We have 6500 with ASA Service Module
On the 6500, how can we configure it so that if someone logs in to the ASA Service Module and reboots the firewall we have logs of it in the syslog of the switch?
Thanks for help
I hate to answer my own posts, but here it is. TAC tells us that there are 2 choices to make this work. Apparently the way that worked on an ISR and ISRG2 does not work on the 4000 series routers. I guess that's progress.
Option 1. Use a physical cable to connect one of the router's interfaces to one of the etherswitch's interfaces and treat it just like the etherswitch is a separate physical switch. I'm sure there is a use case for that but I'll not cover that here.
Option 2. Use the "service instance" feature on the router's internal interface to bind it to a new "BDI" virtual interface on the router. This is what we'll do.
On our router, ethernet-internal 1/0/0 maps to Gi0/18 on the etherswitch, all internal to the box. The router will be 10.0.0.1 and the switch will be 10.0.0.2.
Router:
interface Ethernet-Internal 1/0/0
 service instance 1 ethernet
  encapsulation dot1q 50
  rewrite ingress tag pop 1
interface BDI 1
 mtu 9216
 ip address 10.0.0.1 255.255.255.0
Switch:
interface Gi0/18
 switchport trunk allowed vlan 50
 switchport mode trunk
vlan 50
 name Egress vlan
interface vlan 50
 ip address 10.0.0.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.0.0.1
Then there are a million ways to design and configure the switch as a normal 3560X switch but that's beyond the scope of my question. -
I'm looking to expand the functionality of the service module and feel an add-on is the way to go. My choices seem to be:
1. A VAR designed add-on
2. A 3rd party 'service' add-on (Coresuite, Enprise, Maringo etc.)
As SAP has quite a lot of functionality I'd like an add-on that doesn't recreate the wheel as some seem to do.
My questions therefore are these:
1. Does anyone know of a VAR specific add-on?
2. Do the experts know of any other 3rd party add-ons I could try that are not listed above?
Thank you in advance.
Martin Lewis
Hi,
Please refer document for marking answers:
http://scn.sap.com/community/support/blog/2013/04/03/how-to-close-a-discussion-and-why
Thanks & Regards,
Nagarajan -
Question on how does load balancing work on Firewall Services Module (FWSM)
Hi everyone,
I have a question about the algorithm of load balancing on Firewall Services Module (FWSM).
I understand that the FWSM supports up to three equal cost routes on the same interface for load balancing.
Please see the simple figure below.
outside                 inside
--- L3 SW --+
            |
MHSRP       +--- FWSM ----
            |
--- L3 SW --+
I am going to configure the following default routes on the FWSM, pointing to each MHSRP VIP (192.168.13.29 and 192.168.13.30), for load balancing.
route outside_1 0.0.0.0 0.0.0.0 192.168.13.29 1
route outside_1 0.0.0.0 0.0.0.0 192.168.13.30 1
However, I don't know how load balancing works on the FWSM.
On the FWSM, does load balancing work based on
Per-Destination ?
Per-Source ?
Per-Packet ?
or
Other criteria ?
Your information would be greatly appreciated.
Best Regards,
Configuring "tunnel default gateway" on the concentrator allowed traffic to flow as desired through the FWSM.
The FWSM is not capable of performing policy-based routing; the additional static routes for the VPN load balancing caused half of the packets to be lost. As a result, it appears that the VPN concentrators will not be able to load balance.