WAAS using WCCP with gre tunnel going via vpn

Hello All
I am trying to get WAAS using WCCP to work according to the attached diagram. I would like to know if there is a redirection config that I need to apply to the ASAs?
Many thanks
Donagh

Hello
Thanks for your reply.
I posted this twice in error.
Original is here
http://preview.tinyurl.com/ygpuehy
You might have a look and see if you agree. I have not deployed yet.
Thanks
Donagh

Similar Messages

  • HT201210 I'm trying to update my iOS to 6.0, using iTunes (with my 4s connected via USB and WiFi is on also). I get a message that 'there are purchased items on my iPhone that have not been transferred to my iTunes library. Yet, I can't find those items!

    I'm trying to update my iOS to 6.0, using iTunes (with my 4s connected via USB and WiFi is on also). I get a message that 'there are purchased items on my iPhone that have not been transferred to my iTunes library.' Yet, I can't find those items! Help!  There is no error message number, just the text message. I've searched for an answer but have found nothing on "transferring items purchased to your iTunes library".

    Right click on your device icon on the left pane of iTunes and click on transfer pur....

  • WAAS using WCCP from 2 6509's?

    I am preparing to install a WAE in the datacenter using WCCP for redirection of traffic to 1 of my networks on a point-to-multipoint frame relay network. Where things get foggy is the WCCP server install on my "router" which is actually 2 6509's which are used to route different vlans for both redundancy and load-balancing in the Datacenter. Is it possible/advisable to set both up with WCCP to redirect to the WAE? Could this cause any unforeseen issues?
    I'm also wondering about traffic that is destined for other networks on that point-to-multipoint frame relay connection that my remote site is on which will have the other WAE. Will it be easy to specify which traffic to redirect to the WAE (that which is destined for that one remote site) or will this also cause issues?
    Thanks in advance!

    Karen,
    With WCCP, you can have multiple WAEs (theoretically up to 32) and multiple routers (again up to 32) in the service group. So in your case, both routers can be registered to the same WAE(s). You can limit traffic via a redirect-list, which is an ACL (only accept traffic to/from your remote site).
    WCCP is configured on the interfaces for the service groups you are interested in. For WAAS, you use services 61 and 62 in opposite directions to perform load balancing appropriately.
    A hint on your wccp on the 6500. Always configure redirect-in on the interfaces, L2-redirect and mask-assign to keep the traffic processed in hardware.
    Here is a link on configuring WCCP for WAAS (which I assume you are deploying).
    Hope that helps,
    Dan

  • Getting error 789 when trying to connect with a PC remotely via VPN

    When we set up the VPN we are getting an Error 789 when trying to connect with a PC. Any suggestions would be appreciated.

    The utilities, provided on the CD, are not required for the PC to access the Internet through the 802.11n AirPort Extreme Base Station (AEBSn). They are only necessary for administering the base station.
    If your PC is currently configured as a DHCP client, it shouldn't have any issues connecting by Ethernet. The AEBSn will assign the appropriate IP addresses required for connectivity to the Internet ... just like it does for wireless clients.

  • WSA & CAT6500 WCCP GRE Tunnel

    Hello everyone
    First time writing in the support community. So exciting!!!!
    I am trying to have a transparent WSA (7.5) with a CAT6509 SXF7 WCCP. Between them there is a firewall/router, so I built the WCCP with GRE/L3.
    So far so good. WCCP GRE tunnel is there.
    However, I cannot surf the internet.
    After much troubleshooting (wireshark mainly) I believe I know where the problem is.
    Client wants to surf the Internet (http)
    Client sends a SYN request to the IP of the website (after resolving DNS)
    CAT6500 tunnels the request with GRE to WSA
    WSA receives the request and sends the SYN packet to the webpage.
    Webpage sends a SYN ACK to WSA  (no spoofing)
    PROBLEM: WSA then sends the SYN ACK without GRE to the client, which in turn does not go through the FW
    Client does not receive SYN ACK, sends another SYN and then another until he gives up.
    Question: How can I force the WSA to return traffic through the GRE tunnel?
    I already chose return method as "allow GRE only" under WCCPv2 Service.
    So I look forward to receiving some help.

    Hi,
    Yes, it will work.
    Regards,
    Erik
    Sent from Cisco Technical Support iPad App
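    Added example, not part of the thread above: a small Python checker for the return-path problem the post describes. It works on constructed packet summaries (not a real capture) of what a probe placed between the Cat6500 and the WSA would see, and reports per TCP flow whether the SYN/ACK came back inside the WCCP GRE tunnel or bypassed it natively (and therefore the firewall). The `Pkt` fields, the `encap` label and all addresses are assumptions of this example.

```python
"""Check whether proxied TCP handshakes return through the WCCP GRE tunnel.

Constructed packet summaries (not a real capture): each Pkt is what a probe
between the Cat6500 and the WSA would see; `encap` records whether the packet
arrived inside the WCCP GRE tunnel ("gre") or natively ("plain").
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str   # "S" = SYN, "SA" = SYN/ACK (other flags are ignored here)
    encap: str   # "gre" or "plain"


# Constructed sample: one client opens three web sessions (documentation-range IPs).
SAMPLE = [
    Pkt("10.1.1.10", "203.0.113.5", 40001, 80, "S", "gre"),     # client SYN, redirected to the WSA in GRE
    Pkt("203.0.113.5", "10.1.1.10", 80, 40001, "SA", "plain"),  # WSA answers natively: bypasses the firewall
    Pkt("10.1.1.10", "203.0.113.5", 40001, 80, "S", "gre"),     # client never saw the SYN/ACK, retransmits
    Pkt("10.1.1.10", "203.0.113.7", 40002, 80, "S", "gre"),
    Pkt("203.0.113.7", "10.1.1.10", 80, 40002, "SA", "gre"),    # correct: SYN/ACK came back inside GRE
    Pkt("10.1.1.10", "203.0.113.9", 40003, 80, "S", "gre"),     # no answer at all
]


def flow_key(p):
    """Normalise both directions of a handshake to (client endpoint, server endpoint)."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if p.flags == "S" else (b, a)


def analyse(pkts):
    """Return {(client_ip, client_port, server_ip, server_port): (verdict, syn_retransmits)}.

    Verdicts: "symmetric" (SYN and SYN/ACK both in GRE), "asymmetric-return"
    (SYN in GRE but SYN/ACK returned unencapsulated), "no-synack", "no-syn".
    """
    flows = defaultdict(lambda: {"syn": 0, "syn_encap": None, "synack_encap": None})
    for p in pkts:
        if p.flags not in ("S", "SA"):
            continue  # only the handshake matters for this check
        f = flows[flow_key(p)]
        if p.flags == "S":
            f["syn"] += 1
            f["syn_encap"] = p.encap
        else:
            f["synack_encap"] = p.encap

    report = {}
    for ((cip, cport), (sip, sport)), f in flows.items():
        if f["syn"] == 0:
            verdict = "no-syn"            # SYN/ACK seen without its SYN
        elif f["synack_encap"] is None:
            verdict = "no-synack"         # server or proxy never answered
        elif f["syn_encap"] == "gre" and f["synack_encap"] != "gre":
            verdict = "asymmetric-return"  # the failure mode described in the post
        else:
            verdict = "symmetric"
        report[(cip, cport, sip, sport)] = (verdict, max(f["syn"] - 1, 0))
    return report


if __name__ == "__main__":
    for key, (verdict, retx) in sorted(analyse(SAMPLE).items()):
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}  {verdict} (SYN retransmits: {retx})")
```

The retransmit count is the tell-tale: a flow whose SYN/ACK left the proxy unencapsulated shows one or more repeated SYNs from the client, exactly the "sends another SYN and then another" behaviour in the post, while the flow whose SYN/ACK came back in GRE shows none.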

  • Using ISE to assign ACL's for VPN users

    Hi,
    I've just implemented ISE into our environment using various documents and videos found online but have not been able to find anything about using ISE to authenticate remote users via VPN and assigning them the ACL's created for their level of network access.
    Does anyone know of a good document or training video knocking about that I can use?
    Thanks
    Jason

    Jason,
    If the ACL is present on the ASA you can use the "filter-id" radius attribute to reference the acl to the user's session. You can make this work by configuring an authorization profile and tying this in with your authorization policy for vpn users.
    If you want to push an acl then my recommendation is to use the cisco-av-pairs to push the acls since the username is associated with the acl that is applied to the username of the vpn session.
    http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ref_extserver.html#wp1763743
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • WAAS with IPSEC or GRE tunnels

    Hello,
    I have a client with HQ and remote site, I need to implement WAAS between them.
    The issue is that they are connected via GRE over IPsec over an MPLS WAN. Is there anything to take care about when implementing WAAS in a GRE/IPsec deployment?
    Thanks & BR
    Moamen

    I would keep in mind the following things...
    1. Interception - You have to ensure you intercept the traffic outside the tunnels, otherwise you won't get any compression. Hardware based switches like the Cat6K cannot use WCCP on tunnel interfaces. Software based routers can do interception on tunnel interfaces, but don't scale as much as the hardware assisted platforms.
    2. Packet size - if you are getting excessive fragmentation, try lowering the Optimized MSS value on the WAEs to under what you need for headers. WAAS default is 1432.
    Other than that, what you have is a pretty normal installation situation.
    Thanks,
    Dan

  • IP routing utilizing Verizon private network (GRE tunnel) with remote cellular gateways

    Okay, I give up, and think I have done my due diligence (I have been engrossed and fascinated spending many more hours than allotted to try and learn some of the finer details).  Time for some advice.  My usual trade is controls engineering which generally requires only basic knowledge of networking principles.  However I recently took a job to integrate 100 or so lift stations scattered around a county into a central SCADA system.  I decided to use cellular technology to connect these remote sites back to the main SCADA system.  Well the infrastructure is now in and it’s time to get these things talking.  Basic topology description is as follows:  Each remote site has an Airlink LS300 gateway.  Attached to the gateway via Ethernet is a system controller that I will be polling via Modbus TCP from the main SCADA system.  The Airlinks are provisioned by Verizon utilizing a private network with static IP's.  This private network's address is 192.168.1.0/24.  Back at the central office the SCADA computer is sitting behind a Cisco 2911.  The LAN address of the central office is 192.168.11.0/24.  The 2911 is utilizing GRE tunnels that terminate with Verizon.  The original turn up was done with another contractor that did a basic config of the router which you will find below.  As it stands now I am pretty confident the tunnels are up and working (if I change a local computer's subnet to 255.255.0.0 I can surprisingly reach the airlinks in the field), but this is obviously not the right way to solve the problem, not to mention I was unable to successfully poll the end devices on the other side of the Airlinks.  I think I understand just about every part of the config below and think it is just missing a few items to be complete.  I would greatly appreciate anyone’s help in getting this set up correctly.  I also have a few questions about the set up that still don’t make sense to me, you will find them below the config.  Thanks in advance.
    no aaa new-model
    ip cef
    ip dhcp excluded-address 10.10.10.1
    ip dhcp pool ccp-pool
     import all
     network 10.10.10.0 255.255.255.248
     default-router 10.10.10.1 
     lease 0 2
    ip domain name yourdomain.com
    no ipv6 cef
    multilink bundle-name authenticated
    username cisco privilege 15 one-time secret 
    redundancy
    crypto isakmp policy 1
    encr 3des
    hash md5
     authentication pre-share
     group 2
    crypto isakmp key AbCdEf01294 address 99.101.15.99  
    crypto isakmp key AbCdEf01294 address 99.100.14.88 
    crypto ipsec transform-set VZW_TSET esp-3des esp-md5-hmac 
    mode transport
    crypto map VZW_VPNTUNNEL 1 ipsec-isakmp 
     description Verizon Wireless Tunnel
     set peer 99.101.15.99
     set peer 99.100.14.88
     set transform-set VZW_TSET 
     match address VZW_VPN
    interface Tunnel1
     description GRE Tunnel to Verizon Wireless
     ip address 172.16.200.2 255.255.255.252
     tunnel source 22.20.19.18
     tunnel destination 99.101.15.99
    interface Tunnel2
    description GRE Tunnel 2 to Verizon Wireless
     ip address 172.16.200.6 255.255.255.252
     tunnel source 22.20.19.18
     tunnel destination 99.100.14.88
    interface Embedded-Service-Engine0/0
     no ip address
     shutdown
    interface GigabitEthernet0/0
     description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
     ip address 10.10.10.1 255.255.255.248
     shutdown
     duplex auto
     speed auto
    interface GigabitEthernet0/1
     ip address 192.168.11.1 255.255.255.0
     duplex auto
     speed auto
    interface GigabitEthernet0/2
     ip address 22.20.19.18 255.255.255.0
    duplex full
     speed 100
     crypto map VZW_VPNTUNNEL
    router bgp 65505
     bgp log-neighbor-changes
     network 0.0.0.0
     network 192.168.11.0
     neighbor 172.16.200.1 remote-as 6167
     neighbor 172.16.200.5 remote-as 6167
    ip forward-protocol nd
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip route 0.0.0.0 0.0.0.0 22.20.19.19
    ip access-list extended VZW_VPN
     permit gre host 99.101.15.99 host 22.20.19.18
     permit icmp host 99.101.15.99 host 22.20.19.18
     permit esp host 99.101.15.99 host 22.20.19.18
     permit udp host 99.101.15.99 host 22.20.19.18 eq isakmp
     permit gre host 22.20.19.18 host 99.101.15.99
     permit gre host 22.20.19.18 host 99.100.14.88
    access-list 23 permit 10.10.10.0 0.0.0.7
    control-plane
    end
    So after spending countless hours analyzing every portion of this,  I think that adding one line to this will get it going (or at least closer).
    ip route 192.168.1.0 255.255.0.0 22.20.19.19
    That should allow my internal LAN to reach the Airlink gateways on the other side of the tunnel (I think)
    Now for a couple of questions for those that are still actually hanging around.
    #1 what is the purpose of the Ethernet address assigned to each tunnel?  I only see them being used in the BGP section where they are receiving routing tables from the Verizon side (is that correct?).  Why wouldn't or couldn't you just use the physical Ethernet address interface in its place (in the BGP section)?
    #2 is the config above correct in pointing the default route to the physical Ethernet address?  Does that force the packets into the tunnel, or shouldn’t you be pointing it towards the tunnel IP's (172.16.200.2)?  If the config above is correct then I should not need to add the route I described above as if I ping out to 192.168.1.X that should catch it and force it into the tunnel where Verizon would pick it up and know how to get it to its destination??
    #3 Will I need to add another permit to the VZW_VPN for TCP as in the end I need to be able to poll via Modbus which uses port 502 TCP.  Or is TCP implicit in some way with the GRE permit?
    I actually have a lot more questions, but I will keep reading for now.
    I really appreciate the time you all took to trudge through this.  Also please feel free to point anything else out that I may have missed or that can be improved.  Have a great day!

    This post is a duplicate of this thread
    https://supportforums.cisco.com/discussion/12275476/proper-routing-lan-through-verizon-private-network-gre-airlink-gateways
    which has a response. I suggest that all discussion of this question be done through the other thread.
    HTH
    Rick

  • GRE Tunnel/NAT with multiple subnets and interfaces

    So, I am not sure if we are trying to accomplish too many things at once and what we are attempting to do is not possible or if we are missing something in our configurations...
    Here is the situation...
    We are migrating some equipment between datacenters.  The equipment only has a /27 worth of IP space assigned to it so we cannot simply "move" the IP space to the new datacenter.  Further, because we have several VPNs terminated in the old IP space that originate from devices we do not directly control and are essential in continuing to provide service, it was/is difficult to magically update some DNS entries and change IP addresses overnight.  The last twist in this puzzle is that at the new datacenter, we will be deploying some new equipment that will be in a separate subnet (with a separate Windows AD structure) but sharing the new public IP space we have in the new datacenter.
    We thought using a GRE tunnel, some trunks, and a bunch of NATs would make the whole process easy and we tested it in a lab and everything SEEMED to work.  However, when we performed the move we ran into an odd issue that we were unable to figure out and had to go back to a failsafe configuration that has the essentials up and running, but the environment is not running in an ideal way for us to gradually transition as we would like.
    Essentially what we had/have and how it was configured is as follows:
    Site A
    Edge Router - x.x.x.x /24 BGP announcement
    x.x.x.y/27 that is within the /24 that we need at site b
    GRE tunnel configuration
    interface tunnel0
      ip address 10.x.x.1 255.255.255.252
      tunnel source <router edge IP>
      tunnel destination <site b router edge ip>
      keepalive 10 3
    static route for site a public ip to bring it to site b via GRE tunnel
    ip route x.x.x.y 255.255.255.224 10.x.x.2
    Site B
    Edge Router - y.y.y.y /24 BGP announcement
    Similar GRE tunnel configuration (tunnel comes out and works so don't think issue is here)
    2 Vlans (1 for site a ip space, 1 for site b ip space)
    int vlan 50
    ip address x.x.x.1 /27
    int vlan 51
    ip address y.y.y.129 /25
    Trunk port for the VLANs going down to an ASA
    int g1/1
      swi mode trunk
      swi trunk native vlan 51
      swi tru all vlan 50,51
      swi tru en dot1q
    Then on the ASA, I have 2 physical interfaces for 4 logical interfaces (outside, outsideold, inside, insideold)
    int e0/0
     nameif outside
     sec 0
     ip address y.y.y.130 /25
    int e0/0.50
     nameif outsideold
     sec 0
     ip address x.x.x.2 /27
     vlan 51
    int e0/1
      nameif inside
      sec 100
      ip address 192.168.y.1 /24
    int e0/1.60
      nameif insideold
      sec 100
      ip address 192.168.x.1 /24
      vlan 60
    A static route using the new ip space on the native outside interface...
    route 0 0 y.y.y.129
    And then I have some nat rules which is where I think things go a little haywire...
    object network obj-y.y.y.0-24
      subnet y.y.y.0 255.255.255.0
     nat (inside,outside) dynamic interface
    object network obj-x.x.x.0-24
      subnet x.x.x.0 255.255.255.0
     nat (insideold,outside) dynamic interface
    object network obj-y.y.y.135-160
      range y.y.y.135 y.y.y.160
    object network obj-192.168.y.135-160
      range 192.168.y.135 192.168.y.160
      nat (inside,outside) static obj-y.y.y.135-160
    object network obj-x.x.x.10-20
      range x.x.x.10 x.x.x.20
    object network obj-192.168.x.10-20
      range 192.168.x.10 192.168.x.20
      nat (insideold,outsideold) static obj-x.x.x.10-20
    From some debugging and looking at packet-tracer, I found out I left out the below which was needed to properly nat traffic as it leaves the outside interface (when the default sends the traffic)
    object network obj-192.168.x.10-20-2
      range 192.168.x.10 192.168.x.20
      nat (insideold,outside) static obj-x.x.x.10-20
    There are / were a bunch of other nat exemptions for the VPNs and specific external routes to ensure all vpn traffic exited the "outsideold" interface which is where all the existing tunnels were terminated.
    Everything appeared to be working great as all the VPN tunnels came up perfectly as expected and traffic appeared to be flowing, except for some of the most important traffic.  The following was what was observed:
    1.  Any traffic using the dynamic NAT (ie...a machine with IP x.x.x.200 or y.y.y.20) would connect to the internet perfectly and work fine using the "new interface ip".
    2.  Any traffic in the "new range" using a one to one nat worked perfectly (ie y.y.y.140).  Internet would work etc and nat translation would properly occur and everything could connect fine as expected.
    3.  ICMP packets to "old ip range" flowed perfectly fine to one to one nat IP (ie I could ping x.x.x.20 from outside) and likewise I could ping anywhere on the internet from a machine with a static natted ip.
    4.  Here's the butt...no traffic other than ICMP would reach these machines with static ips.  Same range, same subnet as ones using the dynamic port translation that worked perfectly.  Do not understand why this was / is the case and this is what I am seeking a solution to.  I have attempted the following troubleshooting steps without success:
    A. Confirmed MTU size was not an issue with the GRE tunnel.  2 methods, one plugging to edge router and using the "outsideold" ip space works perfectly and 2 if I assign outsideold ip space to "outside" interface, everything nats fine.
    B. Ran packet-tracer, all results show "allow" as if I should be seeing the packets.
    C. Confirmed local windows machine firewall was off and not blocking anything.
    D. Reviewed logs and observed SYN timeouts and TCP teardowns as if the firewall is not getting a response and this is where I am stumped.  There is no path around the firewall so asymmetric routing should not be an issue and if that was the problem it should not work when the "outsideold" ip space is assigned and natted from the "outside" interface, but it does.  Packet-tracer shows proper nat translations occurring and there is definitely proper routing along the path for stuff to return to the network or ICMP would not work (IE I can ping www.google.com but not open the web page).
    So what simple piece of the nat configuration am I overlooking, because I cannot possibly wrap my head around it being anything else.
    Any suggestions / lessons would be greatly appreciated.

    Is this still a problem?
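    Added example (not from the poster's environment): the symptom in step D above, SYN timeouts on the static-NAT hosts while the dynamic-PAT hosts and ICMP work, can be pulled out of ASA syslog mechanically rather than by eye. The Python below parses constructed %ASA-6-302014 (TCP teardown) and %ASA-6-302021 (ICMP teardown) lines, counts teardown reasons per inside host and lists the hosts whose every TCP connection died with "SYN Timeout" even though ICMP to them completed. The log lines, the addresses, the mapped address in parentheses and the rule that interface names beginning with "inside" mark the local side are assumptions of this example.

```python
"""Find inside hosts whose TCP sessions only ever end in 'SYN Timeout'.

Constructed ASA syslog sample (not from the thread above); all addresses are
documentation-range values and the parenthesised mapped addresses are hypothetical.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
%ASA-6-302014: Teardown TCP connection 1001 for outside:203.0.113.50/443 to insideold:192.168.10.12/50022 (192.0.2.20/50022) duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302014: Teardown TCP connection 1002 for outside:203.0.113.50/443 to insideold:192.168.10.12/50023 (192.0.2.20/50023) duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302014: Teardown TCP connection 1003 for outside:198.51.100.9/443 to insideold:192.168.10.12/50024 (192.0.2.20/50024) duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302014: Teardown TCP connection 1004 for outside:203.0.113.50/443 to inside:192.168.20.140/50031 duration 0:01:12 bytes 8214 TCP FINs
%ASA-6-302014: Teardown TCP connection 1005 for outside:203.0.113.60/80 to inside:192.168.20.200/50040 duration 0:00:05 bytes 1320 TCP FINs
%ASA-6-302021: Teardown ICMP connection for faddr 203.0.113.50/0 gaddr 192.0.2.20/1 laddr 192.168.10.12/1
"""

# 302014: Teardown TCP connection <id> for <if>:<addr>/<port> [(mapped)] to <if>:<addr>/<port> [(mapped)]
#         duration <hh:mm:ss> bytes <n> <reason>
TCP_TEARDOWN = re.compile(
    r"302014: Teardown TCP connection \d+ for "
    r"(?P<if_a>\S+):(?P<addr_a>[\d.]+)/\d+(?: \([^)]*\))? to "
    r"(?P<if_b>\S+):(?P<addr_b>[\d.]+)/\d+(?: \([^)]*\))? "
    r"duration \S+ bytes \d+ (?P<reason>.+)$"
)
# 302021: Teardown ICMP connection for faddr <a>/<id> gaddr <b>/<id> laddr <c>/<id>
ICMP_TEARDOWN = re.compile(
    r"302021: Teardown ICMP connection for faddr [\d.]+/\d+ gaddr [\d.]+/\d+ "
    r"laddr (?P<laddr>[\d.]+)/\d+"
)


def local_side(if_a, addr_a, if_b, addr_b):
    """Pick the inside host of a connection.

    Assumption: inside-facing interfaces are named inside/insideold as in the post.
    """
    if if_b.startswith("inside"):
        return addr_b
    if if_a.startswith("inside"):
        return addr_a
    return None


def summarise(log_text):
    """Per inside host: TCP teardown count, SYN-timeout count, ICMP teardowns, interface pairs."""
    stats = defaultdict(lambda: {"tcp_total": 0, "syn_timeout": 0, "icmp": 0, "paths": set()})
    for line in log_text.splitlines():
        m = TCP_TEARDOWN.search(line)
        if m:
            host = local_side(m["if_a"], m["addr_a"], m["if_b"], m["addr_b"])
            if host is None:
                continue
            s = stats[host]
            s["tcp_total"] += 1
            s["paths"].add((m["if_a"], m["if_b"]))
            if m["reason"].strip() == "SYN Timeout":
                s["syn_timeout"] += 1
            continue
        m = ICMP_TEARDOWN.search(line)
        if m:
            stats[m["laddr"]]["icmp"] += 1
    return dict(stats)


def suspect_hosts(stats):
    """Hosts for which every observed TCP connection timed out on the SYN."""
    return sorted(h for h, s in stats.items()
                  if s["tcp_total"] and s["syn_timeout"] == s["tcp_total"])


if __name__ == "__main__":
    stats = summarise(SAMPLE_LOG)
    for host in suspect_hosts(stats):
        s = stats[host]
        print(f"{host}: {s['syn_timeout']}/{s['tcp_total']} TCP sessions hit SYN Timeout, "
              f"ICMP teardowns={s['icmp']}, paths={sorted(s['paths'])}")
```

A host that answers ICMP but whose TCP sessions all time out on the SYN points at the reply path rather than the policy: the SYN left the firewall (packet-tracer says "allow") but no SYN/ACK ever returned to the connection the ASA built. Grouping by the (outside, inside) interface pair, as the `paths` field does, shows whether the failing sessions are exactly the ones that cross the subinterface/NAT combination being migrated.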

  • GRE tunnel could not be used by the hosts connected to the router

    Hi,
    I am using a Cisco ASR1013 (RP2) and a Mikrotik router for setting up a GRE tunnel for LAN-to-LAN routing over a broadband link. The tunnel works fine (able to ping tunnel end points and also all the connected interfaces on both the Mikrotik and Cisco ASR) but the hosts that are connected directly to the Cisco router interface over a layer 2 Cisco switch are unable to connect to (ping) the hosts or connected interfaces on the Mikrotik side. I am sure it's not a Mikrotik issue as I don't see any traffic coming through the tunnel using the Mikrotik torch utility.  There are no ACL's or firewall rules on any of the devices.
    Source and destination of the tunnel are public IP's and are pingable via internet (The tunnel is connected and endpoints are pingable)
    Mikrotik connected interface IP = 192.168.253.1/24
    Mikrotik tunnel end point IP = 192.168.254.1/30
    Cisco tunnel end point IP = 192.168.254.2/30
    Connected cisco subnet to reach Mikrotik = M.N.O.32/28
    Cisco interface IP for LAN = M.N.O.33
    Test host IP on the LAN subnet = M.N.O.34
    The below is my Cisco config
    ASR-1#sh run int tun 1
    Building configuration...
    Current configuration : 144 bytes
    interface Tunnel1
     ip address 192.168.254.2 255.255.255.252
     ip mtu 1400
     tunnel source A.B.C.D
     tunnel destination W.X.Y.Z
    end
    ASR-1#sh run int g0/1/7
    Building configuration...
    Current configuration : 280 bytes
    interface GigabitEthernet0/1/7
     description LAN
     ip address M.N.O.33 255.255.255.240
     ip verify unicast source reachable-via rx
     no negotiation auto
     cdp enable
    end
    ASR-1#sh ip ro 192.168.253.1
    Routing entry for 192.168.253.0/24
      Known via "static", distance 1, metric 0 (connected)
      Routing Descriptor Blocks:
      * directly connected, via Tunnel1
          Route metric is 0, traffic share count is 1
    ASR-1#ping 192.168.253.1 so M.N.O.33
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.253.1, timeout is 2 seconds:
    Packet sent with a source address of M.N.O.33 
    Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/6 ms
    ASR-1#pi M.N.O.34
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to M.N.O.34, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
    If I try to ping 192.168.253.1 (network connected to Mikrotik) from the host M.N.O.34 (the gateway of this host is M.N.O.33 - Int g0/1/7 of the Cisco ASR), I cannot reach the destination - request timed out. Below are the results of trace and ping from the host connected to ASR G1/0/7
    PING TO THE GATEWAY *********
    [root@localhost ~]# ping M.N.O.33
    PING M.N.O.33 (M.N.O.33) 56(84) bytes of data.
    64 bytes from M.N.O.33: icmp_seq=1 ttl=255 time=0.161 ms
    64 bytes from M.N.O.33: icmp_seq=2 ttl=255 time=0.143 ms
    ^C
    --- M.N.O.33 ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1357ms
    rtt min/avg/max/mdev = 0.143/0.152/0.161/0.009 ms
    PING TO THE TUNNEL END POINT IN CISCO ASR
    [root@localhost ~]# ping 192.168.254.2
    PING 192.168.254.2 (192.168.254.2) 56(84) bytes of data.
    64 bytes from 192.168.254.2: icmp_seq=1 ttl=255 time=0.141 ms
    64 bytes from 192.168.254.2: icmp_seq=2 ttl=255 time=0.141 ms
    ^C
    --- 192.168.254.2 ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1739ms
    rtt min/avg/max/mdev = 0.141/0.141/0.141/0.000 ms
    PING TO THE TUNNEL ENDPOINT IN MIKROTIK
    [root@localhost ~]# ping 192.168.254.1
    PING 192.168.254.1 (192.168.254.1) 56(84) bytes of data.
    ^C
    --- 192.168.254.1 ping statistics ---
    11 packets transmitted, 0 received, 100% packet loss, time 10413ms
    PING TO THE CONNECTED INTERFACE ON MIKROTIK
    [root@localhost ~]# ping 192.168.253.1
    PING 192.168.253.1 (192.168.253.1) 56(84) bytes of data.
    ^C
    --- 192.168.253.1 ping statistics ---
    4 packets transmitted, 0 received, 100% packet loss, time 3641ms
    TRACE TO THE CONNECTED INTERFACE ON MIKROTIK
    [root@localhost ~]# traceroute 192.168.253.1
    traceroute to 192.168.253.1 (192.168.253.1), 30 hops max, 60 byte packets
     1  M.N.O.33 (M.N.O.33)  0.180 ms  0.156 ms  0.145 ms
     2  * * *
     3  * * *
     4  * * *
     5  * * *
    Please help

    Hi,
    Sorry for the delayed response. Both ends have static routes added for the connected test interfaces.
    Regards,
    Mahesh 

  • Can I use a GRE tunnel to solve my problem?

    Please see the attached file for a topology of the relevant portions of this network.
    All but three of the APs at Building B are plugged into Cisco 3650 switches that are also acting as the WLCs.  This allows for local switching of WiFi client traffic.  The WiFi clients are tagged with VLAN 20 and the PCs at Building B are tagged with VLAN 10.  Inter-VLAN routing occurs at the 3560 in Building B.  This is important so that iPads on the WiFi network are switched locally with the PCs in the classroom. I then turn on the mDNS feature on the 3650/WLC so that we can use our PCs as "Apple TVs" via a program called Air Server.  This allows the teacher to project the iPad onto the PC, which is then projected to the SMART Board.
    My problem is with the 3 classrooms whose APs plug into a 2960-PS.  These APs are managed by the dedicated WLC-5760 located at Building A.  This means that the teacher PC is using the 3560 in Building B as the default gateway while the wireless traffic is being handled by the 3750 in Building A.  The last time I checked, the WLC 5700 series controllers did not have Flex Connect as a feature.  
    Here's my question:  Is there any type of IP tunneling solution I could use to tunnel a particular client or VLAN so that it can be routed at Building A?  I've only played with tunneling from an IPv4/IPv6 standpoint.  Thank you for your time!

    Disclaimer
    The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
    Liability Disclaimer
    In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
    Posting
    You're correct, you cannot extend L2 across L3 unless you use some kind of encapsulation technology, for example, the already mentioned L2TPv3 or pseudo-wire over MPLS, etc.
    However, what I have in mind for extending a VLAN means converting a routed p2p link to a L2 trunk link (I'm assuming the equipment, e.g. L3 switches, can support this). Across the trunk, you can extend your VLAN(s).  For the routers, you can dedicate a new VLAN, across just the trunk, that takes the place of the former p2p.  I.e. so you can do both L2 and L3 across the same physical link.
    [edit]
    I didn't see Jon's post until after I posted above, but he's explaining, in more detail, what I had in mind.

  • I have bought a new airport express and using it with my macbook (iTunes 10.2.2). I have joined an existing network for internet in my home and with that i am trying to play the music via itunes but there is audio dropouts every 60 secs or so. any soln ?

    I have bought a new AirPort Express and am using it with my MacBook (iTunes 10.2.2). I have joined an existing wireless network for internet in my home and with that I am trying to play music via iTunes, but there are audio dropouts every 60 secs or so. I am using a set of speakers from Kenwood connected to the AirPort Express. The operating system on my MacBook is Mac OS X 10.5.8. I am sure it is not a problem of streaming music online because I have even tried playing music which is stored on my MacBook.
    Is there any problem with the settings in iTunes or QuickTime? Kindly reply. I am waiting for your valuable suggestion.
    Thank you a lot in advance.

    I am shocked to have found this same AX audio dropout problem starting TODAY, every few seconds the audio just drops for a couple seconds and then resumes:  Latest software versions of everything.  No iPad, iPhone or Touch.  Internet hardwired to D-Link DES1105 (1000baseT Switch) hardwired to new 80211N AX, AX optical to stereo, AX Wi-Fi internet to basic 1st-gen MacBook operating at 80211G, and an older 'G' AX extender at the far end of the house, away from all this.  The MacBook streaming iTunes is usually 12 feet from AX.  I've used this setup for years of trouble-free AirTunes / Airplay until today.  Today I also found 2 very reliable fixes and 1 way to force a dropout, but first, I read some posts and tried ALL following settings one-at-a-time and restored them ALL because NONE of them helped:  Turned off IPV6.  Streamed to multiple speakers 'Computer' and 'AX' (restored to just AX).  Turned off 'Ask to Join new (WiFi) Networks'.  Turned off Bluetooth (can't live without Magic Trackpad, so glad that wasn't it).  Here's my discoveries:  Lo and behold, each time I click the Airport icon in the Menu (you know it shows you've got 4 bars from AX) when the status switches to 'Looking for Networks' for a second it CAUSES the AX audio to drop out for a couple seconds (it never did that before today.)  iTunes still playing, streaming, AX laser still lit, but the 'PCM' light on stereo and the sound GOES OUT EVERY time I click the Airport icon in the menubar, just like the regular, annoying dropouts.  So, to reduce traffic I quit Safari (3 tabs, no streaming, just Gmail, Google, and Netflix browsing).  Lo and behold, the dropouts stopped altogether.  No other Web apps going (not iTunes Store, Genius, Ping, nothing), so I launched Chrome to the same 3 tabs and the dropouts HAVE NOT RETURNED.  That's right, not only did simply QUITTING SAFARI cure it, and Chrome doesn't contribute to it, but I can demonstrate it just by forcing my Airport to re-scan.  
    Works for me, written using Chrome.  The other reliable fix is to hardwire MacBook to the Switch.  This is obviously not ideal, but Airplay audio doesn't drop out over Ethernet.  Also, in all my tests, it made no difference whether iTunes did the streaming, or Airfoil did.

  • When do i have to use a gre over ipsec tunnel? i have heard that when i m using a routing protocol and vpn site to site i need a gre tunnel

    I have configured a network with OSPF and a site-to-site VPN without a GRE tunnel and it works very well. I want to know when I have to use a GRE tunnel over IPsec.

    Jose,
    It sounds like you currently have an IPsec Virtual Tunnel Interface (VTI) configured. By this, I mean that you have a Tunnel interface running in "tunnel mode ipsec ipv4" rather than having a crypto map applied to a physical interface. In the days before VTIs, it was necessary to configure GRE over IPsec in order to pass certain types of traffic across an encrypted channel. When using pure IPsec with crypto maps, you cannot pass multicast traffic without implementing GRE over IPsec. Today, IPsec VTIs and GRE over IPsec accomplish what is effectively the same thing with a few exceptions. For example, by using GRE over IPsec, you can configure multiple tunnels between two peers by means of tunnel keys, pass many more types of traffic than IP unicast and multicast (such as NHRP as utilized by DMVPN), and you can also configure multipoint GRE tunnels whereas VTIs are point to point.
    Here's a document which discusses VTIs in more depth: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/xe-3s/sec-sec-for-vpns-w-ipsec-xe-3s-book/sec-ipsec-virt-tunnl.html#GUID-A568DA9D-56CF-47C4-A866-B605804179E1
    HTH,
    Frank

  • How to use authid with rwservlet via WebLogic Thin Client

    1. Using J2EE Thin Client for WebLogic (WL) to submit interactive requests for Oracle Reports (App Server 10g) running on another server without SSO.
    2. After starting basic Infrastructure, we start rwserver in batch mode (no other mid-tier components are used).
    3. It appears that the cgicmd.dat file in the Thin Client conf directory on the WL server controls the DB access with the key:connect string info it has.
    4. We had been allowing the testers to come in via the web through a SunOne (iPlanet/Netscape) web server instance, which in turn connects to the WL server running the Thin Client instance.
    5. We noticed that anyone could run rwservlet to view report status with the showjobs command via a URL through the same mechanism as point #4 above, and were concerned about security of the reports - "bad".
    6. Then someone realized the showmap command could also be specified, and thus see the DB connect string (Id/pw/SID) - "worse".
    I researched securing Reports, and read through the white paper, "Securing Oracle9i Reports", and although it discusses security without using SSO, all it says is "users accessing a secured instance of Oracle9iAS Reports Services will be challenged to identify themselves by the Reports Servlet, using its own authentication mechanism (as with Reports6i)", but I can find no explanation of how that works, nor how it would work with the WL Thin Client.
    Questions:
    1. How are the Id's/passwords set up under AS 10g "as with Reports6i" in this environment going through the WL Thin Client?
    2. Is there anything else that needs to be done to secure the created reports, and the connect string info (i.e. using authid with rwservlet?showjob, and not allowing the rwservlet?showmap to be executed at all)?
    TIA,
    ROC

    The JDBC Developer's Guide (11gR2)
    gives an example in chapter 9 under "JDBC Thin Driver Support for Encryption and Integrity", sub-section "Setting Encryption and Integrity Parameters in Java".
    From Oracle SQL Developer, without redirecting the client to use the OCI/thick driver, choose New Database Connection, connection type Advanced, and add the entry from the example noted above to the Custom JDBC URL form.
    For example (the URL must be a Java string literal; imports added so the snippet compiles):
    import java.sql.Connection;
    import java.util.Properties;
    import oracle.jdbc.OracleConnection;
    import oracle.jdbc.pool.OracleDataSource;
    Properties prop = new Properties();
    prop.setProperty(OracleConnection.CONNECTION_PROPERTY_THIN_NET_ENCRYPTION_LEVEL, "REQUIRED"); // refuse an unencrypted session
    prop.setProperty(OracleConnection.CONNECTION_PROPERTY_THIN_NET_ENCRYPTION_TYPES, "(AES128)"); // cipher(s) the client will accept
    OracleDataSource ods = new OracleDataSource(); ods.setProperties(prop);
    ods.setURL("jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=xxxx)(PORT=1521)))(CONNECT_DATA=(SERVICE_NAME=xxxx)(INSTANCE_NAME=xxxx)))");
    Connection conn = ods.getConnection(); // throws SQLException if the server cannot meet the encryption requirement
    Strange side note! We could not get this to encrypt unless the sqlnet.ora file included SQLNET.ENCRYPTION_SERVER=required. If this was set to the default (accepted), then even though the JDBC thin client properties were set to required, the network traffic was still clear text.
    good luck

  • Problem with a simple GRE tunnel

    Hello everyone:
    I have a problem with a simple GRE tunnel and cannot make it work. The problem lies in the instruction "tunnel source loopback-0": if I use this command it does not work, but if I use "tunnel source <ip wan >" it works. Can someone tell me why?
    Thanks for your help
    Router 1: 2811
    version 12.4
    no service password-encryption
    hostname cisco2811
    no aaa new-model
    ip cef
    interface Loopback0
    ip address 2.2.2.2 255.255.255.255
    interface Tunnel0
    ip address 10.10.1.1 255.255.255.0
    tunnel source Loopback0
    tunnel destination 217.127.XXX.188
    interface Tunnel1
    ip address 10.10.2.1 255.255.255.0
    tunnel source Loopback0
    tunnel destination 80.32.XXX.125
    interface FastEthernet0/0
    description LOCAL LAN Interface
    ip address 192.168.1.254 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    interface FastEthernet0/1
    description WAN Interface
    ip address 195.77.XXX.70 255.255.255.248
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 195.77.XXX.65
    ip route 192.168.3.0 255.255.255.0 Tunnel0
    ip route 192.168.4.0 255.255.255.0 Tunnel1
    ip nat inside source route-map salida-fibra interface FastEthernet0/1 overload
    access-list 120 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
    access-list 120 deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
    access-list 120 permit ip 192.168.1.0 0.0.0.255 any
    route-map salida-fibra permit 10
    match ip address 120
    Router 2: 2811
    version 12.4
    service password-encryption
    ip cef
    no ip domain lookup
    multilink bundle-name authenticated
    username admin privilege 15 password 7 104CXXXXx13
    interface Loopback0
    ip address 4.4.4.4 255.255.255.255
    interface Tunnel0
    ip address 10.10.1.2 255.255.255.0
    tunnel source Loopback0
    tunnel destination 195.77.XXX.70
    interface Ethernet0
    ip address 192.168.3.251 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    hold-queue 100 out
    interface ATM0
    no ip address
    no ip route-cache cef
    no ip route-cache
    no atm ilmi-keepalive
    dsl operating-mode auto
    interface ATM0.1 point-to-point
    ip address 217.127.XXX.188 255.255.255.192
    ip nat outside
    ip virtual-reassembly
    no ip route-cache
    no snmp trap link-status
    pvc 8/32
    encapsulation aal5snap
    ip route 0.0.0.0 0.0.0.0 ATM0.1
    ip route 192.168.1.0 255.255.255.0 Tunnel0
    ip nat inside source route-map nonat interface ATM0.1 overload
    access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 120 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 120 permit ip 192.168.3.0 0.0.0.255 any
    route-map nonat permit 10
    match ip address 120

    Hello, thank you for the answer. As to your question, I have no connectivity within the tunnel; for instance from Router 1, I ping 10.10.1.2 and get no response ...
    Now if on both routers I remove the loopback, and on interface Tunnel0 change the tunnel source to "tunnel source ", the tunnel works perfectly; the problem is when I have to use the loopback. Unfortunately, once the tunnel works it will have to carry multicast, and all the examples I found use a loopback as 'source' ... but this is a step back ..
    Tunnel0 is up, line protocol is up
    Hardware is Tunnel
    Internet address is 10.10.1.1/24
    MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
    reliability 255/255, txload 1/255, rxload 1/255
    Encapsulation TUNNEL, loopback not set
    Keepalive not set
    Tunnel source 2.2.2.2 (Loopback0), destination 217.127.XXX.188
    Tunnel protocol/transport GRE/IP
    Key disabled, sequencing disabled
    Checksumming of packets disabled
    Tunnel TTL 255
    Fast tunneling enabled
    Tunnel transmit bandwidth 8000 (kbps)
    Tunnel receive bandwidth 8000 (kbps)
    Last input 09:04:38, output 00:00:19, output hang never
    Last clearing of "show interface" counters never
    Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
    Queueing strategy: fifo
    Output queue: 0/0 (size/max)
    5 minute input rate 0 bits/sec, 0 packets/sec
    5 minute output rate 0 bits/sec, 0 packets/sec
    0 packets input, 0 bytes, 0 no buffer
    Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    11101 packets output, 773420 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    0 unknown protocol drops
    0 output buffer failures, 0 output buffers swapped out
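    The configs posted above can be checked mechanically. IOS matches an inbound GRE packet to a tunnel interface by the packet's (source, destination) address pair, so each router's "tunnel source" address has to be exactly what the peer configured as "tunnel destination"; here Router 1 sources from Loopback0 (2.2.2.2) while Router 2's destination is 195.77.XXX.70, and the reverse mismatch holds for Router 2. The following is an added example, not code from the thread or from Cisco: a small Python script that parses constructed excerpts of the two configs (the XXX octets from the post replaced with the placeholder 0) and reports any endpoint asymmetry, and that classifies the counters from the "show interfaces Tunnel0" output in the reply.

```python
"""Endpoint check for a pair of IOS GRE tunnel configurations.

Added example, not code from the thread: the excerpts below are
constructed from the Router 1 / Router 2 configs posted above (XXX
octets replaced with 0) and from the show-interface output in the reply.
IOS matches an inbound GRE packet to a tunnel interface by its
(source, destination) pair, so each side's 'tunnel source' address must
equal what the peer configured as 'tunnel destination'.
"""
import re

ROUTER1 = """\
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
interface Tunnel0
 ip address 10.10.1.1 255.255.255.0
 tunnel source Loopback0
 tunnel destination 217.127.0.188
interface FastEthernet0/1
 ip address 195.77.0.70 255.255.255.248
"""

ROUTER2 = """\
interface Loopback0
 ip address 4.4.4.4 255.255.255.255
interface Tunnel0
 ip address 10.10.1.2 255.255.255.0
 tunnel source Loopback0
 tunnel destination 195.77.0.70
interface ATM0.1 point-to-point
 ip address 217.127.0.188 255.255.255.192
"""

# The same two routers with the tunnel sourced from the WAN interface instead
# (what the poster reports as the working variant).
ROUTER1_WAN = ROUTER1.replace("tunnel source Loopback0", "tunnel source FastEthernet0/1")
ROUTER2_WAN = ROUTER2.replace("tunnel source Loopback0", "tunnel source ATM0.1")

# Constructed excerpt of the 'show interfaces Tunnel0' output from the reply.
SHOW_TUNNEL0 = """\
Tunnel0 is up, line protocol is up
  Keepalive not set
  Tunnel source 2.2.2.2 (Loopback0), destination 217.127.0.188
     0 packets input, 0 bytes, 0 no buffer
     11101 packets output, 773420 bytes, 0 underruns
"""


def parse_interfaces(config):
    """Map interface name -> {'ip', 'source', 'destination'} from an IOS config."""
    ifaces, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"^interface (\S+)", line)
        if m:
            cur = ifaces.setdefault(m.group(1), {"ip": None, "source": None, "destination": None})
            continue
        if cur is None:
            continue
        for key, pattern in (("ip", r"^ip address (\S+) \S+$"),
                             ("source", r"^tunnel source (\S+)$"),
                             ("destination", r"^tunnel destination (\S+)$")):
            m = re.match(pattern, line)
            if m:
                cur[key] = m.group(1)
    return ifaces


def tunnel_source_ip(ifaces, tunnel):
    """'tunnel source' may name an interface or give an address; return the address."""
    src = ifaces[tunnel]["source"]
    return ifaces[src]["ip"] if src in ifaces else src


def check_tunnel_pair(cfg_a, cfg_b, tunnel_a="Tunnel0", tunnel_b="Tunnel0"):
    """Return one message per direction whose endpoints disagree (empty list = consistent)."""
    a, b = parse_interfaces(cfg_a), parse_interfaces(cfg_b)
    src_a, src_b = tunnel_source_ip(a, tunnel_a), tunnel_source_ip(b, tunnel_b)
    dst_a, dst_b = a[tunnel_a]["destination"], b[tunnel_b]["destination"]
    problems = []
    if src_a != dst_b:
        problems.append(f"A {tunnel_a} sources from {src_a} but B expects {dst_b}")
    if src_b != dst_a:
        problems.append(f"B {tunnel_b} sources from {src_b} but A expects {dst_a}")
    return problems


def classify_counters(show_output):
    """Classify tunnel counters: GRE without keepalives shows up/up regardless of reachability."""
    pin = int(re.search(r"(\d+) packets input", show_output).group(1))
    pout = int(re.search(r"(\d+) packets output", show_output).group(1))
    if pout and not pin:
        return "one-way"  # we transmit, the peer never answers: endpoint or reachability problem
    if pin and pout:
        return "bidirectional"
    return "idle"


if __name__ == "__main__":
    for msg in check_tunnel_pair(ROUTER1, ROUTER2):
        print(msg)
    print("loopback-sourced counters:", classify_counters(SHOW_TUNNEL0))
    print("WAN-sourced problems:", check_tunnel_pair(ROUTER1_WAN, ROUTER2_WAN))
```

    Run as-is the script flags both directions of the loopback-sourced pair and reports the posted counters (11101 packets out, 0 in) as one-way, while the WAN-sourced variant passes. Two points the check encodes: "line protocol is up" proves nothing for a GRE tunnel with "Keepalive not set", and a loopback source must also be reachable from the peer over the underlay, so a /32 that nothing advertises cannot serve as a tunnel source even once the destinations are corrected.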
