VRF redistribution problem
Hello,
I configured some VRFs and redistribution between them using import and export maps in the VRF configuration. The route-maps match prefix-list statements to allow import and export. The problem is that I have to clear BGP for the changes to take effect, and that is not a good solution for this router since it primarily routes VoIP. Is there any way to avoid this?
The router is 2801 and software image is c2801-advipservicesk9-mz.124-11.T.bin
Thanks in advance,
Armin
It doesn't seem to work. I tried on a 2801 and a 7200.
ip vrf KLIENT-1
rd 65000:500
export map KLIENT-1-OUT
route-target export 65000:101
route-target import 65000:101
route-target import 65000:111
ip vrf NMS
rd 65000:1
import map NMS-IN
export map NMS-OUT
route-target export 65000:450
route-target import 65000:450
route-target import 65000:110
route-target import 65000:123
interface Loopback2
ip vrf forwarding KLIENT-1
ip address 10.0.0.1 255.255.255.0
interface Loopback5
ip vrf forwarding KLIENT-1
ip address 172.16.0.1 255.255.255.0
interface Loopback102
ip vrf forwarding NMS
ip address 18.2.1.2 255.255.255.255
interface FastEthernet0/0
description R2
ip vrf forwarding VOIP
ip address 192.168.1.2 255.255.255.0
duplex full
interface FastEthernet1/0
description CPE2
ip vrf forwarding NMS
ip address 192.168.253.33 255.255.255.248
duplex full
router bgp 65000
no bgp default ipv4-unicast
bgp log-neighbor-changes
address-family ipv4
redistribute connected
no auto-summary
no synchronization
bgp scan-time 15
exit-address-family
address-family ipv4 vrf NMS
redistribute connected
no auto-summary
no synchronization
exit-address-family
address-family ipv4 vrf KLIENT-1
redistribute connected
no auto-summary
no synchronization
exit-address-family
ip prefix-list KLIENT-1-IN seq 5 permit 192.168.253.32/29
ip prefix-list KLIENT-1-OUT seq 5 permit 172.16.0.0/24
ip prefix-list KLIENT-1-OUT seq 15 permit 10.0.0.0/24
ip prefix-list NMS-IN seq 5 permit 192.168.1.0/24
ip prefix-list NMS-IN seq 10 permit 172.16.0.0/24
ip prefix-list NMS-IN seq 15 permit 10.0.0.0/24
ip prefix-list NMS-OUT seq 5 permit 192.168.253.32/29
route-map NMS-OUT permit 10
match ip address prefix-list NMS-OUT
set extcommunity rt 65000:111 additive
route-map KLIENT-1-OUT permit 10
match ip address prefix-list KLIENT-1-OUT
set extcommunity rt 65000:110 additive
route-map NMS-IN permit 10
match ip address prefix-list NMS-IN
R3#sh ip bgp vpnv4 vrf NMS
BGP table version is 22, local router ID is 192.168.222.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 65000:1 (default for vrf NMS)
*> 18.2.1.2/32 0.0.0.0 0 32768 ?
*> 172.16.0.0/24 0.0.0.0 0 32768 ?
*> 192.168.1.0 0.0.0.0 0 32768 ?
*> 192.168.253.32/29
0.0.0.0 0 32768 ?
I am testing with prefix 10.0.0.0/24 and it doesn't appear in the routing table.
I also configured scan-time under the vpnv4 unicast address family, but it doesn't show in the config.
Armin
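Added example, not code from the original post or from Cisco: a small Python model of the policy evaluation behind the configuration above (prefix-list matching with exact-length semantics unless ge/le is given, route-map clauses with "set extcommunity rt ... additive", and route-target based import between VRFs on one router). It assumes that an export map only rewrites route targets and that an import map is a pure filter; run against the posted KLIENT-1 and NMS policy it shows that, as written, the policy admits 10.0.0.0/24 into NMS, so the prefix-lists themselves are not where the mismatch lies.

```python
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import Optional

@dataclass
class PrefixEntry:
    """One 'ip prefix-list NAME seq N permit|deny A.B.C.D/L [ge X] [le Y]' entry."""
    action: str
    prefix: str
    ge: Optional[int] = None
    le: Optional[int] = None

def prefix_list_match(entries: list, route: str) -> bool:
    """First entry whose address block and length range cover the route wins;
    no entry matching means the implicit deny at the end of the list."""
    net = ip_network(route)
    for e in entries:
        p = ip_network(e.prefix)
        if net.version != p.version or not net.subnet_of(p):
            continue
        lo = e.ge if e.ge is not None else p.prefixlen
        if e.le is not None:
            hi = e.le
        elif e.ge is not None:
            hi = net.max_prefixlen          # 'ge X' alone means X..32
        else:
            hi = p.prefixlen                # no ge/le: exact length only
        if lo <= net.prefixlen <= hi:
            return e.action == "permit"
    return False

@dataclass
class RouteMapClause:
    """One 'route-map NAME permit|deny SEQ' clause; prefix_list=None matches everything."""
    action: str
    prefix_list: Optional[list] = None
    set_rt: frozenset = frozenset()        # 'set extcommunity rt ...'
    additive: bool = True                  # '... additive' keeps the existing RTs

def apply_route_map(clauses: list, route: str, rts: frozenset) -> Optional[frozenset]:
    """RT set after the first matching clause, or None when the route is denied
    (explicit deny clause, or no clause matched at all)."""
    for c in clauses:
        if c.prefix_list is not None and not prefix_list_match(c.prefix_list, route):
            continue
        if c.action == "deny":
            return None
        return (rts | c.set_rt) if c.additive else c.set_rt
    return None

@dataclass
class Vrf:
    name: str
    export_rt: frozenset                   # 'route-target export'
    import_rt: frozenset                   # 'route-target import'
    export_map: Optional[list] = None      # 'export map NAME'
    import_map: Optional[list] = None      # 'import map NAME'
    connected: list = field(default_factory=list)   # 'redistribute connected'

def exported_routes(vrf: Vrf) -> dict:
    """Routes leaving the VRF with their final RT sets. Modelling assumption: an
    export map only rewrites RTs, so a route it does not permit still leaves with
    the plain 'route-target export' values."""
    out = {}
    for route in vrf.connected:
        mapped = apply_route_map(vrf.export_map, route, vrf.export_rt) if vrf.export_map else None
        out[route] = mapped if mapped is not None else vrf.export_rt
    return out

def imported_routes(src: Vrf, dst: Vrf) -> list:
    """Routes from src that land in dst: some RT must match dst's import list, and
    the import map, if there is one, must permit the prefix (it is a filter only)."""
    landed = []
    for route, rts in exported_routes(src).items():
        if not (rts & dst.import_rt):
            continue
        if dst.import_map is not None and apply_route_map(dst.import_map, route, rts) is None:
            continue
        landed.append(route)
    return sorted(landed)

# The thread's policy, transcribed from the posted configuration.
KLIENT_1_OUT = [PrefixEntry("permit", "172.16.0.0/24"), PrefixEntry("permit", "10.0.0.0/24")]
NMS_OUT = [PrefixEntry("permit", "192.168.253.32/29")]
NMS_IN = [PrefixEntry("permit", "192.168.1.0/24"), PrefixEntry("permit", "172.16.0.0/24"),
          PrefixEntry("permit", "10.0.0.0/24")]
KLIENT_1 = Vrf("KLIENT-1", frozenset({"65000:101"}), frozenset({"65000:101", "65000:111"}),
               export_map=[RouteMapClause("permit", KLIENT_1_OUT, frozenset({"65000:110"}))],
               connected=["10.0.0.0/24", "172.16.0.0/24"])
NMS = Vrf("NMS", frozenset({"65000:450"}), frozenset({"65000:450", "65000:110", "65000:123"}),
          export_map=[RouteMapClause("permit", NMS_OUT, frozenset({"65000:111"}))],
          import_map=[RouteMapClause("permit", NMS_IN)],
          connected=["18.2.1.2/32", "192.168.253.32/29"])
```

Calling imported_routes(KLIENT_1, NMS) returns both KLIENT-1 connected prefixes, and imported_routes(NMS, KLIENT_1) returns only 192.168.253.32/29, the one prefix the NMS-OUT map tags with 65000:111.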
Similar Messages
-
I provide my customers an ethernet port off my PE (ie: FastEthernet0/0 on PE from configuration below). They can connect whatever they want into the port. Most times it's simply a PC. The only thing they expect to get off that port is Internet access.
I'm trying to stick all these users into a VRF called INTERNET, but I'm having some trouble getting the global table to see the networks that I'm assigning to my customers (ie: 5.0.0.0/30 from the PE config below).
Near as I can tell, the VRF knows about the default gateway and the global table knows how to reach 5.0.0.0/30, but for some reason, there's no connectivity and I'm not sure how to begin troubleshooting this.
Anyone have any pointers?
PE#traceroute vrf INTERNET 7.7.7.7
Type escape sequence to abort.
Tracing the route to 7.7.7.7
1 * * *
PE#show ip route vrf INTERNET
Routing Table: INTERNET
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP
+ - replicated route, % - next hop override
Gateway of last resort is 10.0.0.1 to network 0.0.0.0
S* 0.0.0.0/0 [250/0] via 10.0.0.1
5.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 5.0.0.0/30 is directly connected, FastEthernet0/0
L 5.0.0.1/32 is directly connected, FastEthernet0/0
PE#show ip bgp vpnv4 vrf INTERNET
BGP table version is 40, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, x best-external
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 21949:0 (default for vrf INTERNET)
*> 5.0.0.0/30 0.0.0.0 0 32768 ?
PE#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP
+ - replicated route, % - next hop override
Gateway of last resort is not set
1.0.0.0/8 is variably subnetted, 1 subnets, 1 masks
C 1.1.1.1/32 is directly connected, Loopback0
3.0.0.0/8 is variably subnetted, 1 subnets, 1 masks
O 3.3.3.3/32 [110/2] via 10.0.0.1, 2d02h, FastEthernet3/0
7.0.0.0/32 is subnetted, 1 subnets
B 7.7.7.7 [200/0] via 3.3.3.3, 1d18h
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.0.0.0/31 is directly connected, FastEthernet3/0
L 10.0.0.0/32 is directly connected, FastEthernet3/0
PE#show ip bgp
BGP table version is 35, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, x best-external
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*>i5.0.0.0/24 3.3.3.3 0 100 0 i
*>i7.7.7.7/32 3.3.3.3 0 100 0 1 i
PE#
P#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP
+ - replicated route, % - next hop override
Gateway of last resort is not set
1.0.0.0/8 is variably subnetted, 1 subnets, 1 masks
O 1.1.1.1/32 [110/2] via 10.0.0.0, 2d02h, FastEthernet1/0
5.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
S 5.0.0.0/24 is directly connected, Null0
S 5.0.0.0/30 [1/0] via 10.0.0.0, FastEthernet1/0
7.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C 7.0.0.0/31 is directly connected, FastEthernet0/0
L 7.0.0.0/32 is directly connected, FastEthernet0/0
B 7.7.7.7/32 [20/0] via 7.0.0.1, 2d02h
C 10.0.0.0/31 is directly connected, FastEthernet1/0
L 10.0.0.1/32 is directly connected, FastEthernet1/0
P#show ip route vrf INTERNET
Routing Table: INTERNET
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP
+ - replicated route, % - next hop override
Gateway of last resort is not set
5.0.0.0/30 is subnetted, 1 subnets
B 5.0.0.0 [200/0] via 1.1.1.1, 00:09:33
ISP#traceroute 5.0.0.2
Type escape sequence to abort.
Tracing the route to 5.0.0.2
1 7.0.0.0 40 msec 8 msec 4 msec
2 * * *
3 10.0.0.1 [AS 21949] 24 msec 16 msec 8 msec
4 * * *
5 10.0.0.1 [AS 21949] 32 msec 20 msec 12 msec
6 * * *
7 10.0.0.1 [AS 21949] 12 msec 16 msec 12 msec
8 * * *
9 10.0.0.1 [AS 21949] 28 msec 28 msec 16 msec
10 * * *
ISP#show ip route 5.0.0.0
Routing entry for 5.0.0.0/24, 1 known subnets
B 5.0.0.0 [20/0] via 7.0.0.0, 02:34:17
R7#
!PE
ip vrf INTERNET
rd 21949:0
route-target export 21949:0
route-target import 21949:0
interface Loopback0
ip address 1.1.1.1 255.255.255.255
interface FastEthernet0/0
ip vrf forwarding INTERNET
ip address 5.0.0.1 255.255.255.252
speed 100
duplex full
interface FastEthernet3/0
ip address 10.0.0.0 255.255.255.254
speed auto
duplex auto
mpls ip
router ospf 21949
log-adjacency-changes
network 1.1.1.1 0.0.0.0 area 0
network 10.0.0.0 0.255.255.255 area 0
router bgp 21949
bgp log-neighbor-changes
neighbor 3.3.3.3 remote-as 21949
neighbor 3.3.3.3 update-source Loopback0
address-family ipv4
no synchronization
neighbor 3.3.3.3 activate
neighbor 3.3.3.3 next-hop-self
no auto-summary
exit-address-family
address-family vpnv4
neighbor 3.3.3.3 activate
neighbor 3.3.3.3 send-community both
exit-address-family
address-family ipv4 vrf INTERNET
no synchronization
redistribute connected
exit-address-family
ip route vrf INTERNET 0.0.0.0 0.0.0.0 10.0.0.1 global 250 permanent name "L3VPN Default Leak"
!P
interface Loopback0
ip address 3.3.3.3 255.255.255.255
interface FastEthernet0/0
ip address 7.0.0.0 255.255.255.254
speed 100
duplex full
interface FastEthernet1/0
ip address 10.0.0.1 255.255.255.254
speed auto
duplex auto
mpls ip
router ospf 21949
log-adjacency-changes
network 3.3.3.3 0.0.0.0 area 0
network 10.0.0.0 0.255.255.255 area 0
router bgp 21949
bgp log-neighbor-changes
neighbor 1.1.1.1 remote-as 21949
neighbor 1.1.1.1 update-source Loopback0
neighbor 7.0.0.1 remote-as 1
address-family ipv4
no synchronization
network 5.0.0.0 mask 255.255.255.0
neighbor 1.1.1.1 activate
neighbor 1.1.1.1 next-hop-self
neighbor 7.0.0.1 activate
no auto-summary
exit-address-family
address-family vpnv4
neighbor 1.1.1.1 activate
neighbor 1.1.1.1 send-community both
neighbor 1.1.1.1 route-reflector-client
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 send-community both
neighbor 2.2.2.2 route-reflector-client
exit-address-family
address-family ipv4 vrf INTERNET
no synchronization
redistribute connected
exit-address-family
ip route 5.0.0.0 255.255.255.0 Null0 250
ip route 5.0.0.0 255.255.255.252 FastEthernet1/0 10.0.0.0
!ISP
interface Loopback0
ip address 7.7.7.7 255.255.255.255
interface FastEthernet0/0
ip address 7.0.0.1 255.255.255.254
speed 100
full-duplex
router bgp 1
no synchronization
bgp log-neighbor-changes
network 7.7.7.7 mask 255.255.255.255
neighbor 7.0.0.0 remote-as 21949
Route leakage between the global table and a VRF is not allowed on multi-access interfaces like Ethernet.
A few common solutions to the problem you are facing:
1. Put the Internet interface on router P in a VRF, let's say ISP, and use the conventional vpnv4 import/export between the INTERNET and ISP VRFs.
2. Use VRF NAT on the PE.
3. Use other methods to leak routes, e.g. a cable loop, GRE-based leakage, etc.
HTH
Swap
#19804x2 -
We have a few sites connected over two different VPN tunnels: one is over IPsec, the other is plain GRE without IPsec due to ISP constraints; both were working fine.
Now some remote locations connected to one ISP are having a problem at my VPN router.
I can reach remote location 1 from my core switch, but not the other one, while when I check the tunnels on the VPN router both are up and can be reached through the VPN router.
I am running RIP between my VPN router and the remote locations and OSPF between the core and the VPN router.
The configuration is like:
vpn router :
router ospf 10
redistribute rip subnets
network 192.168.1.0 0.0.0.255 area 0
distribute-list 10 in
router rip
version 2
redistribute ospf 10 metric 5
network 172.16.0.0
network 172.30.0.0
no auto-summary
Remote Location 1:
router rip
version 2
network 172.16.0.0
no auto-summary
Remote Location 2 :
router rip
version 2
network 172.30.0.0
no auto-summary
This was a working config, but now it's giving problems all of a sudden, and I couldn't find the reason.
Please tell us which one is working, IPsec or GRE VPN?
If IPsec is not working then you have to make clear which type of VPN this is, GRE over IPsec or plain IPsec. If it is plain IPsec then your routing updates are not reaching across the tunnel. You have two options:
1) Static routes
2) implement GRE over IPsec
Regards,
Kazim
"Don't forget to select correct answer and mark as correct for helpful posts" -
I have a lab set up to run IPsec VPN with DVTI on the hub and SVTI on the spokes. The goal is to have two tunnels from each spoke to two hubs for redundancy. EIGRP is needed in order to get BGP up and running, which will be used for routing policies.
The problem I face is that EIGRP is not established over the IPsec tunnel (see neighbour details below). The spoke is configured with a VRF on the public interface for security reasons. I have one spoke without a VRF on the public interface and that connection works fine.
I can ping the physical interfaces and the ISAKMP SA and IPsec SA are up. A debug eigrp packet shows that both mcast and ucast traffic is exchanged but no acks are transmitted on either side (also indicated by Q > 0). It feels like I have missed some basic stuff but I can't find it.
Spoke1 (vrf with problem):
sesthcombox001#sh ip eigrp 1 neighbors detail
IP-EIGRP neighbors for process 1
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 172.16.0.1 Tu1 57 00:01:07 1 5000 2 0
Version 10.0/2.0, Retrans: 14, Retries: 14, Waiting for Init, Waiting for Init Ack
UPDATE seq 499 ser 0-0 Sent 67028 Init Sequenced
UPDATE seq 500 ser 1-9 Sequenced
Spoke2 (working fine):
sesthcombox002#sh ip eigrp 1 neighbors detail
EIGRP-IPv4 Neighbors for AS(1)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 172.16.0.1 Tu1 59 04:21:46 4 1452 0 53
Version 10.0/2.0, Retrans: 0, Retries: 0, Prefixes: 2
Topology-ids from peer - 0
Hub:
sesthcg1rtr002#sh ip eigrp 1 neighbors detail
EIGRP-IPv4 Neighbors for AS(1)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 172.16.0.2 Vi1 58 00:00:30 1 5000 1 509
Version 12.4/1.2, Retrans: 7, Retries: 7, Waiting for Init Ack
Topology-ids from peer - 0
UPDATE seq 246 ser 0-0 Sent 30664 Init Sequenced
1 172.16.0.6 Vi2 10 04:22:04 4 100 0 26
Version 10.0/2.0, Retrans: 0, Retries: 0, Prefixes: 1
Topology-ids from peer - 0
Relevant configuration:
Spoke1 (not working)
crypto keyring key-internet vrf internet
pre-shared-key address 20.20.20.2 key cisco
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 14
crypto isakmp key cisco address 20.20.20.2
crypto isakmp profile ISA-PROP
keyring key-internet
match identity address 20.20.20.2 255.255.255.255 internet
crypto ipsec transform-set aes256sha esp-aes 256 esp-sha-hmac
crypto ipsec profile LAB
set transform-set aes256sha
set pfs group14
set isakmp-profile ISA-PROP
interface Tunnel1
ip address 172.16.0.2 255.255.255.0
ip mtu 1400
ip hold-time eigrp 1 60
ip virtual-reassembly
ip tcp adjust-mss 1400
tunnel source FastEthernet0/0.37
tunnel destination 20.20.20.2
tunnel mode ipsec ipv4
tunnel path-mtu-discovery
tunnel vrf internet
tunnel protection ipsec profile LAB
interface FastEthernet0/0.37
description internet
encapsulation dot1Q 37
ip vrf forwarding internet
ip address 20.20.30.2 255.255.255.248
HUB:
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 14
crypto isakmp key cisco address 0.0.0.0
crypto isakmp profile lab-vti
keyring default
match identity address 0.0.0.0
virtual-template 1
local-address 20.20.20.2
crypto ipsec transform-set aes256sha esp-aes 256 esp-sha-hmac
mode tunnel
crypto ipsec profile LAB
set transform-set aes256sha
set pfs group14
set isakmp-profile lab-vti
interface Virtual-Template1 type tunnel
ip unnumbered Loopback10
ip access-group shop-out out
ip mtu 1400
ip hold-time eigrp 1 60
ip virtual-reassembly in
ip tcp adjust-mss 1400
tunnel source GigabitEthernet0/0.800
tunnel mode ipsec ipv4
tunnel protection ipsec profile LAB
Spoke2:
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 14
crypto isakmp key cisco address 20.20.20.2
crypto ipsec transform-set aes256sha esp-aes 256 esp-sha-hmac
mode tunnel
crypto ipsec profile LAB
set transform-set aes256sha
set pfs group14
interface Tunnel1
ip address 172.16.0.6 255.255.255.0
ip virtual-reassembly in
ip tcp adjust-mss 1400
tunnel source GigabitEthernet0/0.37
tunnel mode ipsec ipv4
tunnel destination 20.20.20.2
tunnel path-mtu-discovery
tunnel protection ipsec profile LAB
But from the config you provided (the Spoke1 configuration quoted above),
the tunnel itself is part of the internet routing table. So you should configure EIGRP correspondingly, I assume. -
MPLS Core sharing a net /25
Hi,
I need help. I have an MPLS core made up of four devices. They are ASR 9006s and everything works perfectly. Lately we installed a client that needs redundancy, so I configured two BGP sessions in my Internet VRF; the problem is that I assigned the client a /25 netmask. A client that depends on the same ASR can ping the new client, but if a client depends on another ASR it can ping this client. I checked and I have two entries for this net in my routing table; I don't know what the problem is. Can you help me?
RP/0/RSP0/CPU0:ASR9K_PEREIRA#show route vrf INTERNET 190.X.243.1
Thu Jan 8 10:20:18.860 gmt
Routing entry for 190.X.243.0/24
Known via "bgp 2X51", distance 200, metric 0, type internal
Installed Dec 30 01:29:43.582 for 1w2d
Routing Descriptor Blocks
10.248.10.1, from 10.248.10.1
Nexthop in Vrf: "default", Table: "default", IPv4 Unicast, Table Id: 0xe0000000
Route metric is 0
No advertising protos.
RP/0/RSP0/CPU0:ASR9K_PEREIRA#show route vrf INTERNET 190.X.243.129
Thu Jan 8 10:20:21.793 gmt
Routing entry for 190.X.243.128/25
Known via "bgp 2X951", distance 200, metric 0
Tag 65497, type internal
Installed Dec 30 01:29:44.163 for 1w2d
Routing Descriptor Blocks
10.248.10.1, from 10.248.10.1
Nexthop in Vrf: "default", Table: "default", IPv4 Unicast, Table Id: 0xe0000000
Route metric is 0
No advertising protos.
RP/0/RSP0/CPU0:ASR9K_PEREIRA#
The problem is only with the last /25.
Sorry for my English.
Hi,
I have been troubleshooting the same issue for the last 2 days; I got the same message:
R6#show mpls traffic-eng tunnels
Name: R6_t1 (Tunnel1) Destination: 1.1.1.1
Status:
Admin: up Oper: down Path: not valid Signalling: Down
path option 10, type dynamic
Config Parameters:
Bandwidth: 0 kbps (Global) Priority: 7 7 Affinity: 0x0/0xFFFF
Metric Type: TE (default)
AutoRoute: disabled LockDown: disabled Loadshare: 0 bw-based
auto-bw: disabled
History:
Tunnel:
Time since created: 1 days, 17 minutes
Path Option 10:
Last Error: PCALC:: Local system ID has not been set
R6#
I am using IS-IS as the routing protocol. I don't know if it is a bug with GNS3 or something is wrong with my config, which I don't think is the case!!
Can anybody help me please! -
BGP to OSPF redistribution with VRFs
I am having a problem with redistribution of routes between BGP and OSPF when using VRFs mapped to VLANs between the PE and CE.
In this lab I've put together I have R4 and R5 communicating with each other via BGP with MPLS. If I redistribute BGP into OSPF and deliver the connection to the CE without VLANs it works fine. If I want to essentially keep the same primary network going into the other side of the BGP but send the VRF over a VLAN to the next router, the redistribution doesn't happen.
In this example I have
192.168.100.0/24 (R6) --ospf-- (R4) --BGP-- (R5) --ospf-- (R7) 192.168.200.0/24
Between R4 and R5 is the core network running ospf (R1 - R3).
Can anyone point me in the right direction why this isn't working? I am obviously missing something here.
Thanks,
Mike
Hi Mike,
You need to add capability vrf-lite under the OSPF process of R6 and R7 because they are configured with VRF-lite. This command disables the check usually done on the PE to avoid routing loops.
HTH
Laurent. -
Problem leaking route from VRF to global table on CSR 1000V
Hi Guys,
So I have a problem with VRFs on a CSR 1000V, specifically exporting a connected subnet from a VRF into the global routing table.
My config, very abbreviated, is as follows:
Router:
GE1: 10.0.0.1/31 VRF TEST
GE2: 172.30.20.1/24 (No VRF, BGP neighbor to 172.30.20.2, receiving 0.0.0.0/0 (default route))
Now sh ip route displays:
0.0.0.0/0 (BGP)
172.30.20.1/24 (Connected)
sh ip route vrf TEST displays:
0.0.0.0/0 (BGP)
10.0.0.1/31 connected
My VRF config is as follows:
ip vrf TEST
rd 1:1
import ipv4 unicast map GLOBAL
export ipv4 unicast map CONNECTED-SUBNET
ip prefix-list CONNECTED seq 1 permit 10.0.0.1/31
ip prefix-list DEFAULT seq 1 permit 0.0.0.0/0
route-map CONNECTED-SUBNET permit 10
match ip address prefix-list CONNECTED
route-map GLOBAL permit 10
match ip address prefix-list DEFAULT
Now my import command works perfectly (0.0.0.0/0 is imported from BGP into the VRF's routing table); however my export command does not function, seemingly at all.
Even though my prefix-list is an exact match, I do not see 10.0.0.1/31 appearing in the global routing table or in the BGP table at all (show ip bgp 10.0.0.1 shows only the 0.0.0.0/0 default route).
Any thoughts on what is going on here? Am I misunderstanding the export command for VRFs? I was under the impression this would export directly to the BGP table, and then be imported into the global routing table if applicable?
Any thoughts/input would be appreciated!
Hello
"GE1: 10.0.0.1/31 VRF TEST
GE2: 172.30.20.1/24 (No VRF, BGP neighbor to 172.30.20.2, receiving 0.0.0.0/0 (default route))"
I must have misunderstood somewhere. I was assuming you had no VRF BGP between GE1-2, and just a VRF on subnet 10.0.0.0/x which needed to be advertised in the global routing table, hence my last post suggested you redistribute into BGP.
So assuming you are accepting a default route from GE2, it went like this:
GE1
int fa0/1
ip vrf forwarding TEST
ip address 10.0.0.1 255.255.255.255
int xx
ip address 172.30.20.1 255.255.255.0
router bgp xy
neighbor 172.30.20.2 remote-as yx
redistribute static
! advertises the VRF subnet (via the static below) to GE2
ip route 10.0.0.1 255.255.255.255 fa0/1
! tells the global RIB where to go for the VRF route
ip prefix-list VRF seq 5 permit 0.0.0.0/0
route-map VRF_rm permit 10
match ip address prefix-list VRF
! matches the default route advertised from GE2, which is in the global RIB
ip vrf TEST
import ipv4 unicast map VRF_rm
! imports the default from the global RIB into the VRF RIB
Regards
Paul -
Oraview.vrf(0) is missing -- installation problem
Hello:
I had a problem when I was trying to install Oracle 8.0.5 on my
RedHat 6.0 machine. Please help me if you happen to know the
solution. It seemed that everything was OK at the first stage of
my installation. After I set the environment variables, I ran the
orainst to install new product without creating database. After I
got the success result, I ran the "glibcpatch" script. I also got
the message saying "Applied glibc patch for Oracle 8.0.5.
successfully." Well, after I ran the orainst again to try to
create database objects, I got the problem. In the install
screen, I select "Oracle 8 Standard RDBMS 8.0.5.0.0". After the
installation ran for a while, I got this message:
Oraview.vrf(0): FILE_NOT_FOUND while verifying oraview.
(No such file or directory.)
I tried several times to install again from the very beginning.
But each time it stopped there. I got the same results. Did
anybody out there have the same problem before? If you know how
to solve this problems, please help me. Your help is greatly
appreciated. Thanks in advance.
Warren
Phan Anh Tran (guest) wrote:
: Hi all,
: I have installed Oracle 8.0.5.1 on my RH 6.0 box.
: However, I am running into a couple of post-installation
: problems.
: 1. root.sh (successfully ran).
: 2. glibc patch (successfully ran). There were a few errors on the
: screen with the "mv" commands (file does not exist). Is that
: alright?
: 3. catrep.sql (problem). This is where I have a problem.
: I ran dbstart as oracle805 (installation account), but I have no
: idea whether or not I really started the database. ps -aux did
: not yield any clue.
: I also tried svrmgrl and "startup", but the file "initXXX.ora"
: did not exist, so I copied the existing "init.ora" to
: "initXXX.ora". XXX is my ORACLE_SID. Instead alert_XXX.log gave
: me the following:
: ORA-00202: controlfile: 'ora_control1'
: ORA-27037: unable to obtain file status
: So, in other words, I have no idea whether or not I have
: successfully installed Oracle. All insights are greatly
: appreciated.
: Thanks a bunch...
: Anh
Hi!
I also made this mistake :-( See this webpage; it's excellent
and describes everything.
http://jordan.fortwayne.com/oracle/rh6x.html
-
Cable Sub-Interface in VRF - DHCP Intermittent Problem
I've configured multiple VRFs to support third-party access to our cable infrastructure.
Of the 15 CMTSs I have configured, all of them work fine except for one, which happens to be a uBR10K running 12.2.15.BC1b. The other CMTSs (7200s and 7100s) are running fine with an older IOS revision, but I need the latest IOS on the 10K to support VLAN sub-interfaces.
The problem is that occasionally DHCP clients will obtain an IP address/netmask from within the proper VRF subnet, but the client is unreachable from the CMTS.
If we disable the IP address in question from CNR and have the client renew their IP, service is restored.
This is a big problem. Even though this only happens occasionally, when you have 8000+ users on a CMTS, 'occasionally' still works out to quite a few problem calls.
Sub-interfaces set up to use static IP addressing on the client experience no problems.
Any advice would be appreciated.
= K
More information may be required to understand the problem; meanwhile you can go through this link:
http://www.cisco.com/en/US/netsol/ns341/ns396/ns172/ns126/networking_solutions_design_guide_chapter09186a00800eeee8.html -
Problems with 3D graph application redistribution
Hello wireworkers,
I wonder if someone has encountered problems with the distribution of an application that uses 3D graph objects. I've created an application that uses the NI 3D graph component and created an installer with the "Enable 3D graph support" check box enabled. However, after installing this application on a Windows machine without LabVIEW two problems appeared: 1) "Error loading control. A newer version needed. The default settings for the control will be used." and after it 2) "You have 30 days to evaluate the Measurement Studio ActiveX control..." and something like that. I don't get it. Why is some newer version required? And what about that evaluation period?
Have any hints???
Thank you in advance and Merry Christmas to everyone.
Alex
www.xinstruments.com
Custom Software for Industrial Automation
www.hdrconverter.com
Picture processing made easy
Hi Alex,
I tried the process you described on my machine using LabVIEW 7.1 and could not reproduce the behavior. If you can clarify the version you were using, that will be helpful. I will have to clean a test machine and try it again without LabVIEW installed, and get back to you if the problem appears. In the meantime, I found the following KB which, while not referring to the exact same problem you are describing, does address the evaluation message issue. You can try to follow the steps at the end of the KB, and let me know if that worked.
http://digital.ni.com/public.nsf/websearch/1E1FB3C19E8E0A9986256F8D0077D0E6?OpenDocument
Regards,
Aluma G.
National Instruments -
Redistribution of "global" OSPF into a VRF
I'm trying to redistribute several routes learned via OSPF into a VRF. This VRF uses EIGRP as its routing protocol.
I'm not able to see any entry in the VRF table.
Has anybody done a similar thing, or can point me to samples and tips?
Thanks
Marco
This is what I have done:
ip vrf 1
rd 1000:1
route-target export 1000:1
route-target import 1000:1
ip vrf 2
rd 1001:2
route-target export 1001:2
route-target import 1001:2
interface FastEthernet0/0
description connessione al porta 4/12
no ip address
duplex full
speed 100
interface FastEthernet0/0.1
description VLAN 1 per test
encapsulation dot1Q 34
ip vrf forwarding 1
ip address 192.168.230.1 255.255.255.248
ip nat inside
standby 1 ip 192.168.230.6
standby 1 priority 110
standby 1 track GigabitEthernet6/0.2
interface FastEthernet0/0.2
description VLAN 2 per test SNASW
encapsulation dot1Q 35
ip vrf forwarding 2
ip address 192.168.230.57 255.255.255.248
interface GigabitEthernet6/0.1
description vlan TEST_NAT
encapsulation dot1Q 42
ip address 192.168.230.9 255.255.255.248
standby 2 ip 192.168.230.14
standby 2 priority 110
interface GigabitEthernet6/0.2
description vlan NAT
encapsulation dot1Q 43
ip address 192.168.230.17 255.255.255.248
standby 3 ip 192.168.230.22
standby 3 priority 110
standby 3 track FastEthernet0/0.1
router eigrp 2000
auto-summary
address-family ipv4 vrf 2
network 192.168.230.56 0.0.0.3
no auto-summary
autonomous-system 1001
exit-address-family
address-family ipv4 vrf 1
network 192.168.230.0 0.0.0.3
no auto-summary
autonomous-system 1000
exit-address-family
no eigrp log-neighbor-changes
router ospf 1000
log-adjacency-changes
passive-interface FastEthernet0/0.1
passive-interface GigabitEthernet6/0.1
network 192.168.230.16 0.0.0.7 area 100.100.100.100
Hi,
I don't understand your question very well, because I really don't know if you are trying to configure VPNs over MPLS, but maybe this can help you.
When you are configuring VPNs over MPLS:
- Supported by VPN-aware routing protocols: eBGP, OSPF, RIPv2, static routes. EIGRP is not a supported VPN/VRF protocol.
- When you are configuring VPNs over MPLS you have to configure BGP and the address family for BGP.
- Also you have to be very careful when you are assigning OSPF to a VRF.
An example:
router ospf 1000 vrf Customer_ABC
network 192.168.230.16 0.0.0.7 area z
redistribute bgp xxx
router bgp xxx
address-family ipv4 vrf Customer_ABC
redistribute ospf 1000
There's more to configure in BGP, like neighbors, the vpnv4 address family, etc.
Sorry if this doesn't help you or if you already knew this.
Regards,
Hector -
Filtering OSPF routes from MPBGP to BGP speaker in the same VRF
I'm wondering if anyone has some ideas they can share on this.
Assume the following:
- CE1 is speaking *iBGP and OSPF to PE1 inside vrf foo
- PE1 is mutually redistributing CE1's OSPF table with MPBGP
- PE1 exchanges MPBGP routes with PE2.
- PE2 is mutually redistributing CE2's OSPF table with MPBGP
- CE2 is speaking *iBGP and OSPF to PE2 inside vrf foo
So the problem is that the OSPF routes redistributed into MP-BGP via one CE are being announced to the other CE via the PE-CE BGP process. Because those routes are already being received by the CE via the PE-CE OSPF process, they are showing up in the CE's BGP table as RIB failures.
Is there any way to filter those out? I've tried setting and matching tags and communities at various redistribution points on the PE, but I can't seem to keep them out of the CE's BGP table.
Are you sure you are using iBGP on both sides and not eBGP?
I'm asking because routes learnt by PE1 from the CE via iBGP (meaning the same BGP AS number on CE1 and PE1 vrf foo) will not be propagated to CE2, because an iBGP route learned by a BGP speaker is not pushed to another iBGP speaker.
So it means that a show ip bgp vpnv4 vrf foo neighbors advertised-routes on PE2 shall show that no routes from CE1 are being advertised to CE2.
As mentioned earlier, changing the BGP admin distance is an option. Let BGP have a better distance on your CEs and this should do the trick:
router bgp xxx
distance bgp 20 20 20
Then after clearing the BGP session, the RIB failures are gone as OSPF is AD 110 and BGP is now AD 20 (also remember that BGP does not announce RIB-failure routes to other BGP peers).
cheers -
Sidecar Installation on Mac problem?
We have applied for the redistribution license and have all the necessary files (.exe and .app for PC and Mac respectively) to perform a sidecar installation.
We made a hybrid CD using Toast on Mac.
This works great on PC but it has some trouble on Mac.
The application requires AIR 1.5.3.
If the user has AIR 1.5.3 already installed, our application installs directly, bypassing the AIR runtime installation, and it works great. The code signing certificate is there and the application is installed with read/write permission for the Admin (me), and all aspects of the application work well.
The problem starts if the user does not have the AIR runtime installed. The sidecar installation first installs the AIR runtime environment and then proceeds to install our application, which installs without any error but with read/write access for "system" and not me. In this case certain parts of the application do not work (these parts read and write data to an SQLite database on the local disk).
I went a step further and added me with read/write permission manually, just because it worked in the previous instance as explained above. Even this did not work. I restarted the computer; still it did not work.
I tried to delete the system user so that our app has the same permissions as in the first case, but Mac does not allow this user to be deleted.
I believe that because the AIR runtime installs first and needs System permissions, my application also gets installed with these same permissions.
Now if I delete my application by dragging it to the trash and reinstall it, then it works fine again (as now the AIR runtime is already there).
I again checked the permissions and they were the same as if the AIR runtime was already present, which is true now because when I removed the application and reinstalled it, it keeps the AIR runtime and deletes only my application.
If, using sidecar installation, my application somehow installs with read/write permission for (me) and no user such as "system", then I think it will work.
I don't know if this is a bug or if there is a solution around this.
Please help ASAP as we want to go live with this project next week.
Hi Harjeet,
This is what I encountered in my testing.
In the first scenario, both the runtime and application are being installed. The runtime installation requires the process to elevate, so you are asked to enter your credentials. This allows the runtime to be installed successfully, but the application is also installed as part of the elevated process, so the final permissions on the application end up with the owner being "root" and the group "wheel".
In the second scenario, where the runtime is already installed, only the AIR application is being installed from the disc. If the user is an Administrator, the application install process is not elevated, you are not asked to enter your credentials. The final ownership permission on the application is the user who performed the install and the group "staff", at least on the Mac OS X 10.6 system I tried this on.
juan -
Problem with VPN client on Cisco 1801
Hi,
I have configured a new router for a customer.
All works fine but i have a strange issue with the VPN client.
When I start the VPN, the client doesn't close the connection; it asks for the password, starts to negotiate the security policy, then shows the "not connected" status.
This is the log from the VPN client:
Cisco Systems VPN Client Version 5.0.07.0290
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7601 Service Pack 1
Config file directory: C:\Program Files (x86)\Cisco Systems\VPN Client\
1 14:37:59.133 04/08/13 Sev=Info/6 GUI/0x63B00011
Reloaded the Certificates in all Certificate Stores successfully.
2 14:38:01.321 04/08/13 Sev=Info/4 CM/0x63100002
Begin connection process
3 14:38:01.335 04/08/13 Sev=Info/4 CM/0x63100004
Establish secure connection
4 14:38:01.335 04/08/13 Sev=Info/4 CM/0x63100024
Attempt connection with server "asgardvpn.dyndns.info"
5 14:38:02.380 04/08/13 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 79.52.36.120.
6 14:38:02.384 04/08/13 Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation
7 14:38:02.388 04/08/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 79.52.36.120
8 14:38:02.396 04/08/13 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
9 14:38:02.396 04/08/13 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
10 14:38:02.460 04/08/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 79.52.36.120
11 14:38:02.460 04/08/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Unity), VID(dpd), VID(?), VID(Xauth), VID(Nat-T), KE, ID, NON, HASH, NAT-D, NAT-D) from 79.52.36.120
12 14:38:02.506 04/08/13 Sev=Info/6 GUI/0x63B00012
Authentication request attributes is 6h.
13 14:38:02.460 04/08/13 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
14 14:38:02.460 04/08/13 Sev=Info/5 IKE/0x63000001
Peer supports DPD
15 14:38:02.460 04/08/13 Sev=Info/5 IKE/0x63000001
Peer supports DWR Code and DWR Text
16 14:38:02.460 04/08/13 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
17 14:38:02.460 04/08/13 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
18 14:38:02.465 04/08/13 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
19 14:38:02.465 04/08/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 79.52.36.120
20 14:38:02.465 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
21 14:38:02.465 04/08/13 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0xCEFD, Remote Port = 0x1194
22 14:38:02.465 04/08/13 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device
23 14:38:02.465 04/08/13 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
24 14:38:02.502 04/08/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 79.52.36.120
25 14:38:02.502 04/08/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 79.52.36.120
26 14:38:02.502 04/08/13 Sev=Info/4 CM/0x63100015
Launch xAuth application
27 14:38:07.623 04/08/13 Sev=Info/4 CM/0x63100017
xAuth application returned
28 14:38:07.623 04/08/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 79.52.36.120
29 14:38:12.656 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
30 14:38:22.808 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
31 14:38:32.949 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
32 14:38:43.089 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
33 14:38:53.230 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
34 14:39:03.371 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
35 14:39:13.514 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
36 14:39:23.652 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
37 14:39:33.807 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
38 14:39:43.948 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
39 14:39:54.088 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
40 14:40:04.233 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
41 14:40:14.384 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
42 14:40:24.510 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
43 14:40:34.666 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
44 14:40:44.807 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
45 14:40:54.947 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
46 14:41:05.090 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
47 14:41:15.230 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
48 14:41:25.370 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
49 14:41:35.524 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
50 14:41:45.665 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
51 14:41:55.805 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
52 14:42:05.951 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
53 14:42:16.089 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
54 14:42:26.228 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
55 14:42:36.383 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
56 14:42:46.523 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
57 14:42:56.664 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
58 14:43:02.748 04/08/13 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=2B1FFC3754E3B290 R_Cookie=73D546631A33B5D6) reason = DEL_REASON_CANNOT_AUTH
59 14:43:02.748 04/08/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DWR) to 79.52.36.120
60 14:43:03.248 04/08/13 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=2B1FFC3754E3B290 R_Cookie=73D546631A33B5D6) reason = DEL_REASON_CANNOT_AUTH
61 14:43:03.248 04/08/13 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "asgardvpn.dyndns.info" because of "DEL_REASON_CANNOT_AUTH"
62 14:43:03.248 04/08/13 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
63 14:43:03.262 04/08/13 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
64 14:43:03.262 04/08/13 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
65 14:43:03.265 04/08/13 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
66 14:43:03.265 04/08/13 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
67 14:43:03.265 04/08/13 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
68 14:43:03.265 04/08/13 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
And this is the conf from the 1801:
hostname xxx
boot-start-marker
boot-end-marker
enable secret 5 xxx
aaa new-model
aaa authentication login xauthlist local
aaa authorization network groupauthor local
aaa session-id common
dot11 syslog
no ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.1.1 10.0.1.10
ip dhcp excluded-address 10.0.1.60 10.0.1.200
ip dhcp excluded-address 10.0.1.225
ip dhcp excluded-address 10.0.1.250
ip dhcp pool LAN
network 10.0.1.0 255.255.255.0
default-router 10.0.1.10
dns-server 10.0.1.200 8.8.8.8
domain-name xxx
lease infinite
ip name-server 10.0.1.200
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip inspect log drop-pkt
ip inspect name Firewall cuseeme
ip inspect name Firewall dns
ip inspect name Firewall ftp
ip inspect name Firewall h323
ip inspect name Firewall icmp
ip inspect name Firewall imap
ip inspect name Firewall pop3
ip inspect name Firewall rcmd
ip inspect name Firewall realaudio
ip inspect name Firewall rtsp
ip inspect name Firewall esmtp
ip inspect name Firewall sqlnet
ip inspect name Firewall streamworks
ip inspect name Firewall tftp
ip inspect name Firewall vdolive
ip inspect name Firewall udp
ip inspect name Firewall tcp
ip inspect name Firewall https
ip inspect name Firewall http
multilink bundle-name authenticated
username xxx password 0 xxxx
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group xxx
key xxx
dns 10.0.1.200
wins 10.0.1.200
domain xxx
pool ippool
acl 101
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set xauthtransform esp-des esp-md5-hmac
crypto dynamic-map dynmap 10
set transform-set myset
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
archive
log config
hidekeys
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
dsl operating-mode adsl2+
hold-queue 224 in
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface Vlan1
ip address 10.0.1.10 255.255.255.0
ip nat inside
ip virtual-reassembly
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
ppp authentication chap callin
ppp pap sent-username aliceadsl password 0 aliceadsl
crypto map clientmap
ip local pool ippool 10.16.20.1 10.16.20.200
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 0.0.0.0 0.0.0.0 10.0.1.2
ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static udp 10.0.1.60 1056 interface Dialer0 1056
ip nat inside source static tcp 10.0.1.60 1056 interface Dialer0 1056
ip nat inside source static tcp 10.0.1.60 3111 interface Dialer0 3111
ip nat inside source static udp 10.0.1.60 3111 interface Dialer0 3111
ip nat inside source list 101 interface Dialer0 overload
access-list 101 remark *** ACL nonat ***
access-list 101 deny ip 10.0.1.0 0.0.0.255 10.16.20.0 0.0.0.255
access-list 101 permit ip 10.0.1.0 0.0.0.255 any
access-list 150 remark *** ACL split tunnel ***
access-list 150 permit ip 10.0.1.0 0.0.0.255 10.16.20.0 0.0.0.255
control-plane
line con 0
no modem enable
line aux 0
line vty 0 4
password xxx
scheduler max-task-time 5000
end
Can anyone help me?
Sometimes the VPN can be created using the iPhone or iPad VPN client...
I am having a similar issue with my ASA 5505 that I have set up. I am trying to VPN into the Office. I have no problem accessing the Office network when I am on the internet without the ASA 5505. After I installed the 5505, and there is internet access, I try to connect to the Office network without success. The VPN connects with the following error.
3 Dec 31 2007 05:30:00 305006 xxx.xx.114.97
regular translation creation failed for protocol 50 src inside:192.168.1.9 dst outside:xxx.xx.114.97
HELP? -
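A cross-reference check for the kind of Easy VPN crypto-map configuration posted in the 1801 thread above, added here as an example (not code from any poster or from Cisco). It runs over a constructed excerpt modelled on that config and reports names that one section references but no section defines (the AAA list named on the crypto map, the transform set, pool and ACL) and any crypto map never applied to an interface.

```python
"""Cross-reference lint for an IOS Easy VPN (crypto map) configuration.
Added example, not from the thread or Cisco: names one section references
(AAA list, transform set, dynamic map, pool, ACL) must be defined elsewhere,
and each crypto map must be applied to an interface. SAMPLE_CONFIG is a
constructed excerpt modelled on the posted 1801 config."""
import re

SAMPLE_CONFIG = """\
aaa authentication login xauthlist local
crypto isakmp client configuration group xxx
 pool ippool
 acl 101
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10
 set transform-set myset
crypto map clientmap client authentication list userauthen
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
interface Dialer0
 crypto map clientmap
ip local pool ippool 10.16.20.1 10.16.20.200
access-list 101 permit ip 10.0.1.0 0.0.0.255 any
"""

# Lines that define a name, keyed by the kind of object defined.
DEFINITIONS = [
    (r"^aaa authentication login (\S+)", "aaa-login"),
    (r"^crypto ipsec transform-set (\S+)", "transform-set"),
    (r"^crypto dynamic-map (\S+) \d+", "dynamic-map"),
    (r"^ip local pool (\S+)", "pool"),
    (r"^access-list (\d+) ", "acl"),
]
# Lines that reference such a name. Leading whitespace is optional so the
# check also works on pasted output whose indentation was stripped.
REFERENCES = [
    (r"^crypto map \S+ client authentication list (\S+)", "aaa-login"),
    (r"^crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)", "dynamic-map"),
    (r"^\s*set transform-set (\S+)$", "transform-set"),
    (r"^\s*pool (\S+)$", "pool"),
    (r"^\s*acl (\S+)$", "acl"),
]


def lint_vpn_config(config: str) -> list[str]:
    """Return one finding per dangling reference or unapplied crypto map."""
    defined: set[tuple[str, str]] = set()
    referenced: list[tuple[str, str, str]] = []  # (kind, name, source line)
    crypto_maps, applied_maps = set(), set()
    for line in map(str.rstrip, config.splitlines()):
        for pattern, kind in DEFINITIONS:
            if m := re.match(pattern, line):
                defined.add((kind, m.group(1)))
        for pattern, kind in REFERENCES:
            if m := re.match(pattern, line):
                referenced.append((kind, m.group(1), line.strip()))
        if m := re.match(r"^crypto map (\S+) ", line):  # a crypto map entry
            crypto_maps.add(m.group(1))
        if m := re.match(r"^\s*crypto map (\S+)$", line):  # applied on interface
            applied_maps.add(m.group(1))
    findings = [f"{kind} '{name}' referenced by '{src}' is never defined"
                for kind, name, src in referenced if (kind, name) not in defined]
    findings += [f"crypto map '{name}' is not applied to any interface"
                 for name in sorted(crypto_maps - applied_maps)]
    return findings
```

On the sample the only finding is the AAA login list named on the crypto map, which no `aaa authentication login` line defines; renaming it to the defined list clears the report.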
C2901, SSL_VPN and iPad/iPhone problem
Hello,
I've got a C2901SEC/K9 and an SSL-VPN licence. I've got a problem with connecting to SSL-VPN from an iPad via AnyConnect Secure Mobility Client 2.5.5112. In the log I've got the message:
Apr 24 2012 10:27:55.563: %SSLVPN-5-SSL_TLS_ERROR: vw_ctx: UNKNOWN vw_gw: SSL_GW i_vrf: 0 f_vrf: 0 status: SSL/TLS connection error with remote at 178.180.86.42:56562
It looks like the context is unknown??? It's strange because sh webvpn context returns:
WABAGRTGW001#sh webvpn context
Context Name: SSL_USER
Admin Status: up
Operation Status: up
Error and Event Logging: Enabled
CSD Status: Disabled
Certificate authentication type: All attributes (like CRL) are verified
AAA Authentication List: default
AAA Authorization List not configured
AAA Accounting List not configured
AAA Authentication Domain not configured
Authentication mode: AAA authentication
Default Group Policy: SSL_POL
Associated WebVPN Gateway: SSL_GW
Domain Name and Virtual Host not configured
Maximum Users Allowed: 10
NAT Address not configured
VRF Name not configured
Virtual Template: 10
Virtual Access : 2
If I try to log in via a browser, I get the SSL-VPN login page.
VPN config
WABAGRTGW001#srs webvpn
crypto vpn anyconnect flash0:/webvpn/anyconnect-win-2.5.3055-k9.pkg sequence 2
crypto vpn csd flash0:/webvpn/sdesktop.pkg
webvpn gateway SSL_GW
ip interface GigabitEthernet0/0 port 443
http-redirect port 80
ssl trustpoint local
logging enable
inservice
webvpn context SSL_USER
title "Centrum Medyczne MML SSL-VPN"
login-photo file flash:/webvpn/mml_o-nas01.jpg
logo file flash:/webvpn/logo.jpg
secondary-color white
title-color #6060FF
text-color black
login-message "Authorized users only!"
policy group SSL_POL
functions svc-enabled
timeout idle 600
timeout session 43200
svc dns-server primary 10.1.1.81
svc wins-server primary 10.1.1.81
virtual-template 10
default-group-policy SSL_POL
aaa authentication list default
gateway SSL_GW
max-users 10
logging enable
ssl authenticate verify all
url rewrite
unmatched-action redirect
inservice
For me it's confusing. It worked before the IOS upgrade. Currently I'm using:
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.2(3)T, RELEASE SOFTWARE (fc1)
Thanks for help
Marcin
Marcin,
Anyconnect from mobile devices to IOS headend (unlike ASA) is not something that Cisco supports (yet). Some people have reported it to work, but we have never claimed that it would.
We're tracking this under the following enhancement request:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtx24822
You can get in touch with your account team to discuss this, for now it's due for March 2013 (tentative).
M.