I don't see any issues with the config, but it shouldn't behave like that. I will try to lab that up when I get some time on my equipment. This question is to both Dave and Brian. Are either or both of you running this on Dynamips? I guess I am curious if it could be a minor glitch with how that works.
On Sat, Oct 24, 2009 at 12:40 PM, Mack, David A (Dave) <[email protected]> wrote:

> Paul,
>
> Ok, so restored the config I had saved prior to the erase and reload. I also added the ip inspect log drop-pkt. Traffic is flowing through R8 just fine but there are no counters incrementing or sessions:
>
> SEC-R8# sh policy-map type inspect zone-pair
> Zone-pair: IN->OUT
>
>   Service-policy inspect : FW-IN->OUT
>
>     Class-map: IN->OUT-PROTO (match-any)
>       Match: protocol ssh
>         0 packets, 0 bytes
>         30 second rate 0 bps
>       Match: protocol http
>         0 packets, 0 bytes
>         30 second rate 0 bps
>       Match: protocol https
>         0 packets, 0 bytes
>         30 second rate 0 bps
>       Match: protocol dns
>         0 packets, 0 bytes
>         30 second rate 0 bps
>       Match: protocol smtp
>         0 packets, 0 bytes
>         30 second rate 0 bps
>       Match: protocol bootps
>         0 packets, 0 bytes
>         30 second rate 0 bps
>       Inspect
>         Session creations since subsystem startup or last reset 0
>         Current session counts (estab/half-open/terminating) [0:0:0]
>         Maxever session counts (estab/half-open/terminating) [0:0:0]
>         Last session created never
>         Last statistic reset never
>         Last session creation rate 0
>         Maxever session creation rate 0
>         Last half-open session total 0
>
>     Class-map: IN->OUT-ICMP (match-all)
>       Match: access-group name ICMP
>       Inspect
>         Session creations since subsystem startup or last reset 0
>         Current session counts (estab/half-open/terminating) [0:0:0]
>         Maxever session counts (estab/half-open/terminating) [0:0:0]
>         Last session created never
>         Last statistic reset never
>         Last session creation rate 0
>         Maxever session creation rate 0
>         Last half-open session total 0
>
>     Class-map: IN->OUT-ICMP-REPLY (match-all)
>       Match: access-group name IN->OUT
>       Pass
>         0 packets, 0 bytes
>
>     Class-map: class-default (match-any)
>       Match: any
>       Pass
>         0 packets, 0 bytes
> Zone-pair: OUT->IN
>
>   Service-policy inspect : FW-OUT->IN
>
>     Class-map: OUT-IN (match-all)
>       Match: access-group name FW-IN
>       Pass
>         0 packets, 0 bytes
>
>     Class-map: class-default (match-any)
>       Match: any
>       Drop
>         0 packets, 0 bytes
> SEC-R8#
>
> The logs don't show anything:
>
> SEC-R8# sh log
> Syslog logging: enabled (12 messages dropped, 0 messages rate-limited,
>                 0 flushes, 0 overruns, xml disabled, filtering disabled)
>
> No Active Message Discriminator.
>
> No Inactive Message Discriminator.
>
>     Console logging: level emergencies, 56 messages logged, xml disabled,
>                      filtering disabled
>     Monitor logging: level debugging, 0 messages logged, xml disabled,
>                      filtering disabled
>     Buffer logging:  level debugging, 9 messages logged, xml disabled,
>                     filtering disabled
>     Logging Exception size (8192 bytes)
>     Count and timestamp logging messages: disabled
>     Persistent logging: disabled
>
> No active filter modules.
>
> ESM: 0 messages dropped
>
>     Trap logging: level informational, 69 message lines logged
>         Logging to 9.2.1.101 (udp port 514, audit disabled,
>               authentication disabled, encryption disabled, link up),
>               5 message lines logged,
>               0 message lines rate-limited,
>               0 message lines dropped-by-MD,
>               xml disabled, sequence number disabled
>               filtering disabled
>
> Log Buffer (10000 bytes):
>
> *Oct 24 15:08:29.615: %SYS-6-CLOCKUPDATE: System clock has been updated
> from 15:08:29 UTC Sat Oct 24 2009 to 10:08:29 EST Sat Oct 24 2009,
> configured from console by console.
> *Oct 24 15:08:29.643: %SYS-6-CLOCKUPDATE: System clock has been updated
> from 10:08:29 EST Sat Oct 24 2009 to 11:08:29 EDT Sat Oct 24 2009,
> configured from console by console.
> *Oct 24 15:08:32.835: %LINK-3-UPDOWN: Interface Serial1/0:0, changed state
> to up
> *Oct 24 15:08:33.835: %LINEPROTO-5-UPDOWN: Line protocol on Interface
> Serial1/0:0, changed state to up
> *Oct 24 15:08:37.479: %SYS-5-CONFIG_I: Configured from console by console
> *Oct 24 15:08:38.479: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host
> 9.2.1.101 port 514 started - CLI initiated
> Oct 24 16:01:25.063: %SYS-5-CONFIG_I: Configured from console by console
> Oct 24 16:02:38.544: %SYS-5-CONFIG_I: Configured from console by console
> Oct 24 16:06:51.457: %SYS-5-CONFIG_I: Configured from console by console
> SEC-R8#
>
> So here is the full config:
>
> SEC-R8#sh run
> Building configuration...
>
> Current configuration : 3930 bytes
> !
> ! Last configuration change at 12:06:51 EDT Sat Oct 24 2009
> !
> upgrade fpd auto
> version 12.4
> service timestamps debug datetime msec
> service timestamps log datetime msec
> no service password-encryption
> !
> hostname SEC-R8
> !
> boot-start-marker
> boot system disk0:c7200-adventerprisek9-mz.124-15.T1.bin
> boot-end-marker
> !
> logging buffered 10000
> logging console emergencies
> !
> no aaa new-model
> clock timezone EST -5
> clock summer-time EDT recurring
> ip cef
> !
> !
> !
> !
> no ip domain lookup
>
> ip inspect log drop-pkt
> !
> multilink bundle-name authenticated
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> archive
>  log config
>   hidekeys
> !
> !
> controller T1 1/0
>  framing esf
>  clock source internal
>  linecode b8zs
>  cablelength short 133
>  channel-group 0 timeslots 1-24
> !
> controller T1 1/1
>  framing esf
>  linecode b8zs
> !
> controller T1 1/2
>  framing esf
>  linecode b8zs
> !
> controller T1 1/3
>  framing esf
>  linecode b8zs
> !
> controller T1 1/4
>  framing esf
>  linecode b8zs
> !
> controller T1 1/5
>  framing esf
>  linecode b8zs
> !
> controller T1 1/6
>  framing esf
>  linecode b8zs
> !
> controller T1 1/7
>  framing esf
>  linecode b8zs
> !
> ip tcp synwait-time 7
>
> !
> class-map type inspect match-all IN->OUT-ICMP-REPLY
>  match access-group name IN->OUT
> class-map type inspect match-any IN->OUT-PROTO
>  match protocol ssh
>  match protocol http
>  match protocol https
>  match protocol dns
>  match protocol smtp
>  match protocol bootps
> class-map type inspect match-all IN->OUT-ICMP
>  match access-group name ICMP
> class-map type inspect match-all OUT-IN
>  match access-group name FW-IN
> !
> !
> policy-map type inspect FW-OUT->IN
>  class type inspect OUT-IN
>   pass
>  class class-default
>   drop
> policy-map type inspect FW-IN->OUT
>  class type inspect IN->OUT-PROTO
>   inspect
>  class type inspect IN->OUT-ICMP
>   inspect
>  class type inspect IN->OUT-ICMP-REPLY
>   pass
>  class class-default
>   pass
> !
> zone security INSIDE
> zone security OUTSIDE
> zone-pair security IN->OUT source INSIDE destination OUTSIDE
>  service-policy type inspect FW-IN->OUT
> zone-pair security OUT->IN source OUTSIDE destination INSIDE
>  service-policy type inspect FW-OUT->IN
> bridge irb
> !
> !
> !
> !
> interface FastEthernet0/0
>  ip address 192.168.144.158 255.255.255.0
>  shutdown
>  duplex auto
>  speed auto
> !
> interface FastEthernet0/1
>  no ip address
>  shutdown
>  duplex auto
>  speed auto
> !
> interface Serial1/0:0
>  no ip address
> !
> interface FastEthernet2/0
>  no ip address
>  zone-member security OUTSIDE
>  duplex full
>  speed 100
>  bridge-group 1
> !
> interface FastEthernet2/1
>  no ip address
>  zone-member security INSIDE
>  duplex full
>  speed 100
>  bridge-group 1
> !
> interface BVI1
>  ip address 9.9.156.8 255.255.255.0
> !
> ip route 0.0.0.0 0.0.0.0 192.168.144.1
> ip route 0.0.0.0 0.0.0.0 9.9.156.9
> ip route 192.168.4.0 255.255.255.0 192.168.144.1
> ip route 192.168.5.0 255.255.255.0 192.168.144.1
> no ip http server
> no ip http secure-server
> !
> ip bgp-community new-format
> !
>
> !
> ip access-list extended FW-IN
>  permit icmp any any echo
>  permit icmp any any unreachable
>  permit udp host 9.9.156.9 eq ntp host 7.7.7.7 eq ntp
>  permit tcp host 9.9.156.9 gt 1024 host 9.9.156.7 eq bgp
>  permit tcp host 9.9.156.9 eq bgp host 9.9.156.7 gt 1024
> ip access-list extended ICMP
>  permit icmp any any echo
> ip access-list extended IN->OUT
>  permit icmp any any echo-reply
> !
> logging alarm informational
> logging 9.2.1.101
> !
> !
> !
> !
> !
> !
> control-plane
> !
> bridge 1 protocol ieee
>  bridge 1 route ip
> !
> !
> !
> !
> !
> gatekeeper
>  shutdown
> !
> alias configure a access-list
> alias exec c conf t
> alias exec i sh ip route
> alias exec ib sh ip int brief
> alias exec b sh ip bgp
> alias exec bs sh ip bgp summ
> alias exec clb clear ip bgp *
> alias exec oi sh ip ospf int
> alias exec on sh ip ospf neigh
> alias exec s sh run
> !
> line con 0
>  exec-timeout 0 0
>  privilege level 15
>  logging synchronous
>  stopbits 1
> line aux 0
>  stopbits 1
> line vty 0 4
>  exec-timeout 0 0
>  privilege level 15
>  no login
> !
> ntp authentication-key 1 md5 020F145E13160A3358 7
> ntp authenticate
> ntp trusted-key 1
> ntp clock-period 17179178
> ntp server 9.9.156.9 key 1
>
> !
> webvpn cef
> !
> end
>
> SEC-R8#
>
> and the sh ver
>
> SEC-R8#sh ver
> Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 12.4(15)T1, RELEASE SOFTWARE (fc2)
> Technical Support: http://www.cisco.com/techsupport
> Copyright (c) 1986-2007 by Cisco Systems, Inc.
> Compiled Wed 18-Jul-07 13:29 by prod_rel_team
>
> ROM: System Bootstrap, Version 12.2(4r)B2, RELEASE SOFTWARE (fc2)
> BOOTLDR: Cisco IOS Software, 7200 Software (C7200-KBOOT-M), Version 12.3(7)T, RELEASE SOFTWARE (fc1)
>
> SEC-R8 uptime is 3 hours, 36 minutes
> System returned to ROM by reload at 08:59:14 EDT Sat Oct 24 2009
> System restarted at 09:01:22 EDT Sat Oct 24 2009
> System image file is "disk0:c7200-adventerprisek9-mz.124-15.T1.bin"
> Last reload reason: Reload Command
>
> This product contains cryptographic features and is subject to United
> States and local country laws governing import, export, transfer and
> use. Delivery of Cisco cryptographic products does not imply
> third-party authority to import, export, distribute or use encryption.
> Importers, exporters, distributors and users are responsible for
> compliance with U.S. and local country laws. By using this product you
> agree to comply with applicable laws and regulations. If you are unable
> to comply with U.S. and local laws, return this product immediately.
>
> A summary of U.S. laws governing Cisco cryptographic products may be found at:
> http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
>
> If you require further assistance please contact us by sending email to
> [email protected].
>
> Cisco 7206VXR (NPE400) processor (revision B) with 491520K/32768K bytes of memory.
> Processor board ID 16066293
> R7000 CPU at 350MHz, Implementation 39, Rev 3.3, 256KB L2 Cache
> 6 slot VXR midplane, Version 2.0
>
> Last reset from power-on
>
> PCI bus mb0_mb1 (Slots 0, 1, 3 and 5) has a capacity of 600 bandwidth points.
> Current configuration on bus mb0_mb1 has a total of 400 bandwidth points.
> This configuration is within the PCI bus capacity and is supported.
>
> PCI bus mb2 (Slots 2, 4, 6) has a capacity of 600 bandwidth points.
> Current configuration on bus mb2 has a total of 400 bandwidth points
> This configuration is within the PCI bus capacity and is supported.
>
> Please refer to the following document "Cisco 7200 Series Port Adaptor
> Hardware Configuration Guidelines" on Cisco.com <http://www.cisco.com>
> for c7200 bandwidth points oversubscription and usage guidelines.
>
> 4 FastEthernet interfaces
> 1 Serial interface
> 8 Channelized T1/PRI ports
> 125K bytes of NVRAM.
>
> 500377K bytes of ATA PCMCIA card at slot 0 (Sector size 512 bytes).
> 8192K bytes of Flash internal SIMM (Sector size 256K).
> Configuration register is 0x2102
>
> SEC-R8#
>
> Thanks!
> Dave
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
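The counters in Dave's `show policy-map type inspect zone-pair` output are zero for every class, including class-default, so the zone-pairs are not classifying the traffic at all rather than dropping it. Before labbing it up, it is cheap to cross-check the ZBF objects mechanically. The script below is an added example for this thread, not the poster's tooling or Cisco code: `parse_zbf` and `lint_zbf` are names of my own, `SAMPLE_CONFIG` is a constructed excerpt modelled on the quoted SEC-R8 config, and the lint verifies that every zone-pair, service-policy, class-map and ACL reference resolves and that each zone has a member interface. It also flags zone members in different zones that share a bridge-group, which the quoted config does with FastEthernet2/0 and 2/1 in bridge-group 1; that check is an assumption of the lint, included because ports of one bridge-group forward to each other at layer 2, so it is worth confirming that the platform applies the zone-pair policy to bridged traffic before trusting the zero counters.

```python
"""Consistency lint for a Cisco IOS zone-based firewall (ZBF) config.
Added example for this thread; not the poster's tooling or Cisco code."""
from collections import defaultdict

# Constructed excerpt modelled on the SEC-R8 running-config quoted above.
SAMPLE_CONFIG = """\
class-map type inspect match-any IN->OUT-PROTO
 match protocol ssh
class-map type inspect match-all OUT-IN
 match access-group name FW-IN
policy-map type inspect FW-OUT->IN
 class type inspect OUT-IN
  pass
 class class-default
  drop
policy-map type inspect FW-IN->OUT
 class type inspect IN->OUT-PROTO
  inspect
 class class-default
  pass
zone security INSIDE
zone security OUTSIDE
zone-pair security IN->OUT source INSIDE destination OUTSIDE
 service-policy type inspect FW-IN->OUT
zone-pair security OUT->IN source OUTSIDE destination INSIDE
 service-policy type inspect FW-OUT->IN
interface FastEthernet2/0
 zone-member security OUTSIDE
 bridge-group 1
interface FastEthernet2/1
 zone-member security INSIDE
 bridge-group 1
ip access-list extended FW-IN
 permit icmp any any echo
"""


def parse_zbf(text):
    # Collect the ZBF objects; IOS nests sub-commands under an unindented parent.
    cfg = {"zones": set(), "zone_pairs": {}, "policy_maps": {}, "class_maps": {},
           "acls": set(), "interfaces": {}}
    block = cls = None  # open top-level block; current class inside a policy-map
    for line in text.splitlines():
        w = line.split()
        if not w or w[0] == "!":
            continue
        if line[0] != " ":  # unindented: a new top-level statement
            block = cls = None
            if w[:2] == ["zone", "security"]:
                cfg["zones"].add(w[2])
            elif w[:2] == ["zone-pair", "security"]:  # zone-pair security N source A destination B
                cfg["zone_pairs"][w[2]] = {"source": w[4], "destination": w[6], "policy": None}
                block = ("zone-pair", w[2])
            elif w[:3] == ["policy-map", "type", "inspect"]:
                block, cfg["policy_maps"][w[3]] = ("policy-map", w[3]), {}
            elif w[:3] == ["class-map", "type", "inspect"]:  # class-map type inspect match-X NAME
                block, cfg["class_maps"][w[4]] = ("class-map", w[4]), set()
            elif w[:2] == ["ip", "access-list"]:
                cfg["acls"].add(w[3])
            elif w[0] == "interface":
                block, cfg["interfaces"][w[1]] = ("interface", w[1]), {}
            continue
        if block is None:
            continue
        kind, name = block
        if kind == "zone-pair" and w[:3] == ["service-policy", "type", "inspect"]:
            cfg["zone_pairs"][name]["policy"] = w[3]
        elif kind == "policy-map" and w[0] == "class":  # "class type inspect NAME" or "class class-default"
            cls = w[-1]
            cfg["policy_maps"][name][cls] = None
        elif kind == "policy-map" and w[0] in ("inspect", "pass", "drop") and cls:
            cfg["policy_maps"][name][cls] = w[0]
        elif kind == "class-map" and w[:3] == ["match", "access-group", "name"]:
            cfg["class_maps"][name].add(w[3])
        elif kind == "interface" and w[:2] == ["zone-member", "security"]:
            cfg["interfaces"][name]["zone"] = w[2]
        elif kind == "interface" and w[0] == "bridge-group":
            cfg["interfaces"][name]["bridge_group"] = w[1]
    return cfg


def lint_zbf(cfg):
    # Returns findings as strings; an empty list means every reference resolves.
    f = []
    for zp, z in cfg["zone_pairs"].items():
        f += [f"zone-pair {zp}: zone {z[r]} is not defined"
              for r in ("source", "destination") if z[r] not in cfg["zones"]]
        if z["policy"] not in cfg["policy_maps"]:
            f.append(f"zone-pair {zp}: service-policy {z['policy']} missing or undefined")
    for pm, classes in cfg["policy_maps"].items():
        f += [f"policy-map {pm}: class-map {c} is not defined" for c in classes
              if c != "class-default" and c not in cfg["class_maps"]]
    for cm, acls in cfg["class_maps"].items():
        f += [f"class-map {cm}: access-list {a} is not defined" for a in sorted(acls - cfg["acls"])]
    members, by_bridge = defaultdict(list), defaultdict(list)
    for ifname, i in cfg["interfaces"].items():
        if "zone" in i:
            members[i["zone"]].append(ifname)
            if "bridge_group" in i:
                by_bridge[i["bridge_group"]].append((ifname, i["zone"]))
    f += [f"zone {z}: no member interfaces" for z in sorted(cfg["zones"]) if not members[z]]
    # Assumption of this lint, not a conclusion from the thread: ports of one
    # bridge-group forward to each other at layer 2, so confirm the platform
    # applies zone-pair policy to bridged traffic before trusting zero counters.
    for bg, ifs in by_bridge.items():
        if len({z for _, z in ifs}) > 1:
            f.append(f"bridge-group {bg}: {', '.join(n for n, _ in ifs)} bridge between zones")
    return f
```

Running `lint_zbf(parse_zbf(SAMPLE_CONFIG))` on the constructed excerpt yields a single finding, the bridge-group one; deleting an ACL that a class-map references, or attaching a zone-pair to an undefined policy-map, produces the corresponding dangling-reference finding, which is the kind of mistake that otherwise only shows up as silently zero counters.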
