VPN service module choice 7600-SSC-400 vs. SPA-IPSEC-2G

Need to decide between the two VPN service modules, 7600-SSC-400 and SPA-IPSEC-2G, for a 6509 sup 720 3bxl. Not sure what the difference is and couldn't find much info just searching the internet. What would be the benefits of one or the other?

Hello,
You will need both. The 7600-SSC-400 is the carrier module of the SPA-IPSec-2G.
There is more information on this via the following link:
http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/configuration/6500series/76ovwvpn.html
Warm Regards,
Rose

Similar Messages

  • VPN service module with EFM

    Dears,
    We are already using a VPN module in our 6500 chassis, where all communication lines are terminated.
    Now we will be using an EFM line, but I am not sure how to change the configuration related to it.


  • IP sec VPN service module

    Hi All,
    We have a VPN service module that doesn't support AES 256 bits. Is there a way to overcome this limitation by uploading a key? How can we do it if feasible?
    thanks
    Jean

    if you require aes you need the newer VPN SPA.
    http://www.cisco.com/en/US/prod/collateral/routers/ps368/product_data_sheet0900aecd8027c9ee_ps8768_Products_Data_Sheet.html
    (assuming you have a 6500/7600...but you didn't state exactly what you have)

  • Problem with installing new line card 7600-SSC-400

    Hi all,
    I have trouble when trying to install a new line card 7600-SSC-400 on a Cisco 6509. Here is the message displayed on the screen after I finished installing the line card: "%C6KPWR-SP-4-UNSUPPORTED: unsupported module in slot 7, power not allowed: The image for the card is not bundled in image." I tried to install this line card in another slot, but it doesn't work. The attached item is the logfile which I saved during the installation session. I don't know what I have to do now, please help me to resolve this problem!
    Thanks so much,
    Hieu

    Hi Hieu,
    You might want to run the following to see more detail of the error:
    show diagnostic result module all detail
    And I would also suggest that you reseat the 7600-SSC-400 line card firmly back to the switch, and check the status again.
    If it's still showing the error, maybe you can try seating the module on a different slot, and check if you have the same issue.
    If the issue still persists after reseating and testing it in a different slot, then it might be a hardware issue, and you might want to open a TAC case to further investigate it.
    Hope that helps.

  • 7600 SSC-400 / SSC-600 Design Limitation

    Hello,
    I want to know if there is any way we can overcome the restrictions on these cards, resulting in reload when an SSO happens on a Catalyst 6500 switch.
    Is there any new or upcoming model of SSC cards which will be SSO aware ?
    Restrictions:
    >VSPA state information is not maintained between the active and standby supervisor engine during normal operation. During a supervisor engine switchover in an SSO environment, the VSPA will reboot.
    >The Cisco 7600 SSC-400 is not Route Processor Redundancy Plus (RPR+) or Stateful Switchover (SSO) aware. As a result, the Cisco 7600 SSC-400 will reset if RPR+ or SSO is configured.
    http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/configuration/7600series/76ovwvpn.html#wp1108766
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/vspa/configuration/guide/ivmovw.html#wp1051863
    Regards,
    Akhtar


  • SSC-400 / SSC-600 / IPsec SPA resets during SSO

    Hello,
    I want to know if there is any way we can overcome the restrictions on these cards, resulting in reload when an SSO happens on a Catalyst 6500 switch.
    Restrictions:
    >VSPA state information is not maintained between the active and standby supervisor engine during normal operation. During a supervisor engine switchover in an SSO environment, the VSPA will reboot.
    >The Cisco 7600 SSC-400 is not Route Processor Redundancy Plus (RPR+) or Stateful Switchover (SSO) aware. As a result, the Cisco 7600 SSC-400 will reset if RPR+ or SSO is configured.
    http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/configuration/7600series/76ovwvpn.html#wp1108766
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/vspa/configuration/guide/ivmovw.html#wp1051863
    Regards,
    Akhtar

    Hi Sung,
    Have you loaded the appropriate FPD image into the flash? Please find the following document for more info:
    http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/release/notes/ol_14271.html#wp2430389
    HTH,
    jerry

  • SPA-IPSEC-2G Module Problem

    c7600s72033-adventerprisek9-mz.122-33.SRC3.bin
    7609 with Sup7203BXL supervisors.
    Command rejected: VLAN 881 is crypto connected to Vl1020.This command is rejected because allowing it will result in a crypto connected interface vlan to belong to the interface's allowed vlan list. This poses a potential IPSec security breach.Note that this behavior applies to all trunk ports. If you're attempting to do "no switchport trunk allowed vlan <vlanlist>" Instead, use "switchport trunk allowed vlan none", or "switchport trunk allowed vlan remove <vlanlist>"
    I get the preceding message currently when trying to add the IPSec VLAN to a trunk port. A little background: this has been working for about a year on a different endpoint device with a trunk up to it. We migrated to a new device for the endpoint of the IPSec traffic, and when trying to add the VLANs involved with it to the trunk, I get that message.
    Interface VLAN 881 on IPSec Service Module port GigabitEthernet7/0/1 connected to Vlan1020 with crypto map set IPSEC
    Interface VLAN 882 on IPSec Service Module port GigabitEthernet7/0/1 connected to Vlan1020 with crypto map set IPSEC
    Interface Vlan1020 on IPSec Service Module port GigabitEthernet7/0/1 connected to GigabitEthernet1/1 with crypto map set
    There is the show crypto vlan output. This was working just fine previously when I added the VLANs to a trunk, but when I tried to add the VLANs to a new set of interfaces, I got that error message. I went so far as to remove the VLANs from the working trunk and try to put them back, now I get the same message as above.
    VLAN Usage
    1006 online diag vlan0
    1007 online diag vlan1
    1008 online diag vlan2
    1009 online diag vlan3
    1010 online diag vlan4
    1011 online diag vlan5
    1012 PM vlan process (trunk tagging)
    1013 Control Plane Protection
    1014 vrf_0_vlan
    1015 Container0
    1016 IPv6-mpls RSVD VLAN
    1017 L3 multicast partial shortcuts for VPN 0
    1018 Egress internal vlan
    1019 Multicast VPN 0 QOS vlan
    1020 macedon_vrf0
    1021 IPv6 Multicast Egress multicast
    1022 GigabitEthernet1/1
    1023 GigabitEthernet1/2
    1024 GigabitEthernet1/3
    1025 GigabitEthernet1/7
    1026 GigabitEthernet1/22
    1027 GigabitEthernet1/24
    1028 macedon_ctlvlan
    1029 macedon_nat7.0
    1030 GigabitEthernet2/1
    1031 GigabitEthernet2/3
    1032 GigabitEthernet2/7
    1033 GigabitEthernet2/24
    1401 GigabitEthernet1/7.1401
    There is the internal VLAN usage. The IPSec tunnel is using VRF mode with the IPSec tunnel dropping to a VRF and the outside interfaces being in the global routing table. The VLANs 881 and 882 are part of that VRF and they are SVIs.
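The rule stated in the rejection message above (an interface VLAN that is crypto connected must not appear in a trunk's allowed VLAN list) can be checked offline before changing a trunk. This is an added example, not part of the original post and not Cisco tooling; the trunk configuration and the interfaces GigabitEthernet3/1 and 3/2 are constructed, and only the `show crypto vlan` line format is taken from the post.

```python
import re

# Two lines in the format of the "show crypto vlan" output quoted in the post.
SHOW_CRYPTO_VLAN = """\
Interface VLAN 881 on IPSec Service Module port GigabitEthernet7/0/1 connected to Vlan1020 with crypto map set IPSEC
Interface VLAN 882 on IPSec Service Module port GigabitEthernet7/0/1 connected to Vlan1020 with crypto map set IPSEC
"""

# Constructed trunk configuration (hypothetical interfaces and VLAN lists).
TRUNK_CONFIG = """\
interface GigabitEthernet3/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,880-882
 switchport mode trunk
interface GigabitEthernet3/2
 switchport trunk allowed vlan 100,200
 switchport trunk allowed vlan add 300
 switchport mode trunk
"""

CRYPTO_RE = re.compile(r"^\s*Interface VLAN\s*(\d+) on IPSec Service Module",
                       re.IGNORECASE | re.MULTILINE)
ALLOWED_RE = re.compile(
    r"switchport trunk allowed vlan (?:(add|remove) )?([\d,\-]+|none)$")


def crypto_interface_vlans(show_output):
    """Return the interface VLAN IDs listed by 'show crypto vlan'."""
    return {int(v) for v in CRYPTO_RE.findall(show_output)}


def expand_vlan_list(spec):
    """Expand '100,880-882' into {100, 880, 881, 882}."""
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            low, high = part.split("-")
            vlans.update(range(int(low), int(high) + 1))
        else:
            vlans.add(int(part))
    return vlans


def audit_trunks(config, crypto_vlans):
    """Map each trunk to the crypto-connected VLANs in its allowed list.

    Lines using 'all' or 'except' are not evaluated by this sketch.
    """
    allowed, iface = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            iface = line.split(None, 1)[1]
            continue
        m = ALLOWED_RE.match(line)
        if not (iface and m):
            continue
        action, spec = m.groups()
        current = allowed.setdefault(iface, set())
        if spec == "none":
            current.clear()
        elif action == "add":
            current |= expand_vlan_list(spec)
        elif action == "remove":
            current -= expand_vlan_list(spec)
        else:
            allowed[iface] = expand_vlan_list(spec)
    return {i: sorted(v & crypto_vlans)
            for i, v in allowed.items() if v & crypto_vlans}


if __name__ == "__main__":
    print(audit_trunks(TRUNK_CONFIG, crypto_interface_vlans(SHOW_CRYPTO_VLAN)))
```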


  • (Linecard image not present) at WS-SSC-600 and 7600-SIP-400

    I installed two modules, WS-SSC-600 and 7600-SIP-400, in slots 5 and 6 of a 13-slot chassis, and show power gives this output for both cards: (Linecard image not present).
    supervisor engine is : VS-S720-10G with sub-module VS-F6K-PFC3CXL and VS-F6K-MSFC3
    IOS : s72033-advipservicesk9-mz.122-33.SXI9
    What does that mean and how do I fix it?

    OK, problem solved by upgrading IOS to another version, but the new image must contain (_wan) in the image name, for example (s72033-advipservicesk9_wan-mz.122-33.SXJ6), otherwise the two modules will not be powered up.

  • Does ASA Service Module on 6509-E support Remote Access VPN ?

    I'm having a problem configuring Remote Access VPN (SSL, AnyConnect etc.) on the ASA Service Module on a 6509-E. Is this even supported, or am I wasting my time trying to make something work which will not work in the first place :) ? Site-to-Site works without any problems.
    Tech Info:
    6509-E running SUP 2T 15.1(2)SY
    ASA Module - WS-SVC-ASA-SM1 running image - asa912-smp-k8 & asdm-712
    Licenses on ASA:
    Encryption-DES - Enabled
    Encryption-3DES-AES  -Enabled
    Thanks in Advance for support.

    Are you running multiple context mode?
    If you are, remote access VPN is not supported in that case:
    "Note Multiple context mode only applies to IKEv2 and IKEv1 site to site and does not apply to AnyConnect, clientless SSL VPN, the legacy Cisco VPN client, the Apple native VPN client, the Microsoft native VPN client, or cTCP for IKEv1 IPsec."
    Reference.

  • Flexible QinQ/Service Awareness on 7600 12.2(33)SRB

    Hi experts,
    I have a scenario whereby the NPE core-facing links are using the 7600-ES20-10G3CXL with MPLS turned on. The UPE facing links are using the WS-X6724-SFP LAN modules. I would like to know in this kind of setup, is the flexible QinQ feature supported, if configured on the WS-X6724 interfaces?
    For example:
    Module 2 on the 7600 is a WS-X6724-SFP LAN module.
    7600-NPE#conf t
    Enter configuration commands, one per line. End with CNTL/Z.
    7600-NPE(config)#int g2/1
    7600-NPE(config-if)#service instance 999 ?
    ethernet Configure an Ethernet Instance
    7600-NPE(config-if)#service instance 999 ethernet ?
    WORD Attach an EVC to the service instance
    <cr>
    I understand the commands are there, but is this generally a supported feature? Or is the flexible QinQ only supported when a ES20/SIP-400 based card facing UPE is used?
    Note: UPE is a 3750ME/ME3400 with 802.1Q trunk towards the 7600 NPE terminating on the WS-X6724.
    Appreciate your thoughts on this.
    Thanks in advance.

    Hello,
    The config seems to be valid from H-QoS point of view.
    But as per Table 7-3, first row and Note1, on the following CCO link there are restrictions
    from Classification side (class-maps) on ES+:
    https://www.cisco.com/en/US/docs/routers/7600/install_config/ES40_config_guide/es40_chap7.html#wp1337428
    Like, for match ACLs only classify based on source MAC address using Layer 2 ACL
    supported for L2-switchports, EVCs/Port-chan EVCs.
    Deny ACL is not supported on ES+ linecards.
    So if in your class maps classification is based on an ACLs trying to
    match Layer3 (IPs) and/or Layer4 info, those classification options are not supported for ES+.
    And you got those errors.
    In such a case you would need some kind of redesign, for example, to mark CoS fields on some downstream/access device,
    and then on the ES+ ingress L2 interface or EVCs use class maps
    which would just match on those DSCP/IP_Prec values.
    Thanks,
    Sergey

  • How can I configure Lion server to accept inbound VPN (L2TP) connections while connected as client to another vpn service?

    I have what I believe to be a unique need;
    I have a MacPro (1,1) running Lion with Server app.
    I require that this particular machine be connected as a client to a VPN server, while at the same time acting as a VPN server for my network.
    The PPTP connection configuration is such that "Send all traffic over VPN connection" is checked.
    If PPTP client is NOT connected, I can connect to Lion as VPN server. As soon as I make the connection from Lion as a client, I can no longer
    connect to Lion VPN server.
    I understand this is because I am forcing all traffic out the virtual interface (tun0) and eth0 is no longer listening on the local network.
    1. Is it possible to bind the VPN client (on Lion Server) to a particular interface? If I could tell the PPTP client to only use eth1 as the interface of choice, my assumption would be that eth0 would then be free to accept incoming connections.
    2. Is it possible to bind the VPN service (on Lion Server) to a particular interface? If I could tell the VPN service to only listen on eth1, and in turn tell the PPTP client to NOT communicate on eth1 but only eth0, then perhaps I could separate the communications?
    In my head, it seems as though both of the above options would be required in order to use Lion as both a VPN server and VPN client
    Any and all help appreciated.

    This is a standard facet of most VPNs - the problem lies in your NAT router since both clients appear to come from the same IP address as far as the VPN server is concerned, and the router can't separate out the traffic.
    There are a couple of solutions.
    First, the built-in VPN server supports L2TP and PPTP protocols. You should be able to connect one system under each protocol, so that gets your two machines connected.
    Second, you can replace your NAT router with one that supports multiple VPN clients (often termed 'VPN passthrough').
    Third, setup a site-to-site tunnel so that your entire LAN is connected to the VPN (this saves you from having to run a separate VPN client on each machine, but is typically only worth it when you have more machines).

  • Lion 10.7.2 VPN service not working

    Hi,
    I have a clean installation of 10.7.2 on a Mac Pro which is not able to provide VPN service.  Here's what is configured:
    *OD Master - users and groups in place
    *firewall active with allow rules for all necessary VPN ports (500, 1701, 4500)
    *port forwarding on router to server IP address of 500, 1701 and 4500
    *pre-shared key in place
    *VPN server turned on
    I spent over an hour on the phone with Apple Enterprise Support and they finally conceded "the engineers have informed us that there is a bug with the VPN service and that it is being looked at currently. It will hopefully be addressed in the pending OS update." 
    Steps to reproduce:
    1. client is configured with appropriate IP address, username, password and PSK
    2. client attempts to connect
    3. server's VPN log which should be in /var/log/ppp/vpnd.log is not populating with any new data, but the top-level "all messages" in console is showing a slew of information.  Here is what is displaying:
    12/4/11 8:42:41.340 PM          racoon          Connecting.
    12/4/11 8:42:41.340 PM          racoon          IPSec Phase1 started (Initiated by peer).
    12/4/11 8:42:41.340 PM          racoon          IKE Packet: receive success. (Responder, Main-Mode message 1).
    12/4/11 8:42:41.341 PM          racoon          IKE Packet: transmit success. (Responder, Main-Mode message 2).
    12/4/11 8:42:41.400 PM          racoon          IKE Packet: receive success. (Responder, Main-Mode message 3).
    12/4/11 8:42:41.423 PM          racoon          IKE Packet: transmit success. (Responder, Main-Mode message 4).
    12/4/11 8:42:44.297 PM          racoon          IKE Packet: transmit success. (Phase1 Retransmit).
    12/4/11 8:42:47.300 PM          racoon          IKE Packet: transmit success. (Phase1 Retransmit).
    12/4/11 8:42:50.303 PM          racoon          IKE Packet: transmit success. (Phase1 Retransmit).
    12/4/11 8:43:02.316 PM          racoon          IKE Packet: transmit success. (Phase1 Retransmit).
    12/4/11 8:43:17.332 PM          racoon          IKE Packet: transmit success. (Phase1 Retransmit).
    12/4/11 8:43:35.350 PM          racoon          IKE Packet: transmit success. (Phase1 Retransmit).
    12/4/11 8:43:56.373 PM          racoon          IKE Packet: transmit success. (Phase1 Retransmit).
    12/4/11 8:44:20.399 PM          racoon          IKE Packet: transmit success. (Phase1 Retransmit).
    12/4/11 8:44:47.428 PM          racoon          IKE Packet: transmit success. (Phase1 Retransmit).
    All that is displaying in the /var/log/ppp/vpnd.log is:
    2011-12-04 19:39:29 EST          Loading plugin /System/Library/Extensions/L2TP.ppp
    2011-12-04 19:39:29 EST          Listening for connections...
    2011-12-04 19:49:36 EST          terminating on signal 15
    #End-Date: 2011-12-04 19:49:36 EST
    #Start-Date: 2011-12-04 19:49:38 EST
    #Fields: date time s-comment
    2011-12-04 19:49:38 EST          Loading plugin /System/Library/Extensions/L2TP.ppp
    2011-12-04 19:49:38 EST          Listening for connections...
    2011-12-04 20:04:13 EST          terminating on signal 15
    #End-Date: 2011-12-04 20:04:13 EST
    #Start-Date: 2011-12-04 20:04:30 EST
    #Fields: date time s-comment
    2011-12-04 20:04:30 EST          Loading plugin /System/Library/Extensions/L2TP.ppp
    2011-12-04 20:04:30 EST          Listening for connections...
    I am hoping that this comes down to a bad port forwarding issue.  Does anything seen in the above logs indicate that to you?
    What would my next step be for trying to repair the VPN service?  I want to avoid a reinstall if possible.
    Thanks
    Pete

    Ok, so, the best FIRST test is to try from the local lan, same lan as the Lion server. L2TP works fine for me, PPTP definitely has a bug. You can configure the VPN connection in your network system preferences on the client machine. Just put in your local server IP.
    The idea here is to first make sure VPN works on the LAN (which is useless of course but great for troubleshooting), once it does, THEN you can go to the next step and troubleshoot the remote connection.
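The console lines quoted in the question can be read mechanically to see where the IKEv1 Main Mode handshake stops. The following is an added example, not part of the original thread; the sample lines are constructed in the format of the quoted racoon output, the function name is hypothetical, and the hints apply to the responder side only.

```python
import re

# Constructed sample, in the format of the console lines quoted in the post.
SAMPLE = """\
12/4/11 8:42:41.340 PM  racoon  IPSec Phase1 started (Initiated by peer).
12/4/11 8:42:41.340 PM  racoon  IKE Packet: receive success. (Responder, Main-Mode message 1).
12/4/11 8:42:41.341 PM  racoon  IKE Packet: transmit success. (Responder, Main-Mode message 2).
12/4/11 8:42:41.400 PM  racoon  IKE Packet: receive success. (Responder, Main-Mode message 3).
12/4/11 8:42:41.423 PM  racoon  IKE Packet: transmit success. (Responder, Main-Mode message 4).
12/4/11 8:42:44.297 PM  racoon  IKE Packet: transmit success. (Phase1 Retransmit).
12/4/11 8:42:47.300 PM  racoon  IKE Packet: transmit success. (Phase1 Retransmit).
"""

START_RE = re.compile(r"IPSec Phase1 started")
MSG_RE = re.compile(r"\((Responder|Initiator), Main-Mode message (\d)\)")
RETX_RE = re.compile(r"\(Phase1 Retransmit\)")

# What a responder is still waiting for after sending message 2 or 4.
HINTS = {
    2: "message 3 (key exchange) never arrived; the reply on UDP 500 may "
       "not be reaching the client",
    4: "message 5 (identity/auth) never arrived; behind NAT the initiator "
       "moves to UDP 4500 for this message (RFC 3947), so verify that "
       "UDP 4500 is forwarded to the server",
}


def analyze_phase1(log_text):
    """Summarise the most recent Main Mode attempt found in log_text."""
    last_msg, retransmits, role = 0, 0, None
    for line in log_text.splitlines():
        if START_RE.search(line):
            last_msg, retransmits, role = 0, 0, None  # a new attempt begins
            continue
        m = MSG_RE.search(line)
        if m:
            role, last_msg = m.group(1), int(m.group(2))
            retransmits = 0  # the handshake advanced
        elif RETX_RE.search(line):
            retransmits += 1
    # Main Mode has six messages; retransmits before the sixth mean a stall.
    stalled = retransmits > 0 and last_msg < 6
    return {
        "role": role,
        "last_message": last_msg,
        "retransmits": retransmits,
        "stalled": stalled,
        "next_expected": last_msg + 1 if stalled else None,
        "hint": HINTS.get(last_msg, "no hint for this stage") if stalled else "",
    }


if __name__ == "__main__":
    for key, value in analyze_phase1(SAMPLE).items():
        print(f"{key}: {value}")
```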

  • ASA Service Module on 6500 monitoring console session

    We have 6500 with ASA Service Module
    On the 6500, how can we configure it so that if someone logs in to the ASA Service Module and reboots the firewall, we have logs of it in the syslog of the switch?
    Thanks for help

    I hate to answer my own posts, but here it is.  TAC tells us that there are 2 choices to make this work.  Apparently the way that worked on an ISR and ISRG2 does not work on the 4000 series routers.  I guess that's progress.
    Option 1. Use a physical cable to connect one of the router's interfaces to one of the etherswitch's interfaces and treat it just like the etherswitch is a separate physical switch.  I'm sure there is a use case for that but I'll not cover that here.
    Option 2. Use the "service instance" feature on the router's internal interface to bind it to a new "BDI" virtual interface on the router.  This is what we'll do.
    On our router ethernet-internal 1/0/0 maps to Gi0/18 on the etherswitch, all internal to the box.  The router will be 10.0.0.1 and the switch will be 10.0.0.2.
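    Router:
    ! internal link to the etherswitch, tagged with VLAN 50
    interface Ethernet-Internal 1/0/0
     service instance 1 ethernet
      encapsulation dot1q 50
      rewrite ingress tag pop 1
    ! routed interface for the service instance
    interface BDI 1
     mtu 9216
     ip address 10.0.0.1 255.255.255.0
    Switch:
    ! trunk towards the router, carrying only VLAN 50
    interface Gi0/18
     switchport trunk allowed vlan 50
     switchport mode trunk
    vlan 50
     name Egress vlan
    interface vlan 50
     ip address 10.0.0.2 255.255.255.0
    ! default route via the router's BDI address
    ip route 0.0.0.0 0.0.0.0 10.0.0.1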
    Then there are a million ways to design and configure the switch as a normal 3560X switch but that's beyond the scope of my question.

  • Service Module Add-On

    I'm looking to expand the functionality of the service module and feel an add-on is the way to go. My choices seem to be:
    1. A VAR designed add-on
    2. A 3rd party 'service' add-on (Coresuite, Enprise, Maringo etc.)
    As SAP has quite a lot of functionality I'd like an add-on that doesn't recreate the wheel as some seem to do.
    My questions therefore are these:
    1. Does anyone know of a VAR specific add-on?
    2. Do the experts know of any other 3rd party add-ons I could try that are not listed above?
    Thank you in advance.
    Martin Lewis

    Hi,
    Please refer document for marking answers:
    http://scn.sap.com/community/support/blog/2013/04/03/how-to-close-a-discussion-and-why
    Thanks & Regards,
    Nagarajan

  • Question on how does load balancing work on Firewall Services Module (FWSM)

    Hi everyone,
    I have a question about the algorithm of load balancing on Firewall Services Module (FWSM).
    I understand that the FWSM supports up to three equal cost routes on the same interface for load balancing.
    Please see the simple figure below.
                     outside            inside
        --- L3 SW --+
                    |
              MHSRP +--- FWSM ----
                    |
        --- L3 SW --+
    I am going to configure the following default routes on FWSM point to each MHSRP VIP (192.168.13.29 and 192.168.13.30) for load balancing.
    route outside_1 0.0.0.0 0.0.0.0 192.168.13.29 1
    route outside_1 0.0.0.0 0.0.0.0 192.168.13.30 1      
    However I don't know how load balancing work on FWSM.
    On FWSM, load balancing work based on
    Per-Destination ?
    Per-Source ?
    Per-Packet ?
    or
    Other criteria ?
    Your information would be greatly appreciated.
    Best Regards,

    Configuring "tunnel default gateway' on the concentrator allowed traffic to flow as desired through the FWSM.
    FWSM is not capable of performing policy based routing, the additional static routes for the VPN load balancing caused half of the packets to be lost. As a result, it appears that the VPN concentrators will not be able to load balance.
