got it.
thanks
yong
>>> [EMAIL PROTECTED] 4/19/2008 4:34 AM >>>
Today's Topics:
1. Re: Cisco 7206VXR (Gert Doering)
2. Re: Cisco 7206VXR (Jason Berenson)
3. Re: Cisco 7206VXR (Buhrmaster, Gary)
4. Re: Cisco 7206VXR (Tassos Chatzithomaoglou)
5. Re: %BGP-3-INVALID_MPLS: Invalid MPLS label (1) (Christian Bering)
6. Re: Cisco 7206VXR (Tolstykh, Andrew)
7. Re: Cisco 7206VXR (e ninja)
8. Re: EAP SSL certificates - how to? (Phil Mayers)
9. Re: %BGP-3-INVALID_MPLS: Invalid MPLS label (1) (Saku Ytti)
10. "continue" in outbound route-map (Peter Rathlev)
----------------------------------------------------------------------
Message: 1
Date: Fri, 18 Apr 2008 23:16:04 +0200
From: Gert Doering <[EMAIL PROTECTED]>
Subject: Re: [c-nsp] Cisco 7206VXR
To: Rodney Dunn <[EMAIL PROTECTED]>
Cc: "[email protected]" <[email protected]>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="us-ascii"
Hi,
On Fri, Apr 18, 2008 at 02:55:54PM -0400, Rodney Dunn wrote:
> PS. 12.4 will never be GD. That program is retired.
Hmmm?
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany
[EMAIL PROTECTED]
fax: +49-89-35655025
[EMAIL PROTECTED]
------------------------------
Message: 2
Date: Fri, 18 Apr 2008 17:17:25 -0400
From: Jason Berenson <[EMAIL PROTECTED]>
Subject: Re: [c-nsp] Cisco 7206VXR
To: Gert Doering <[EMAIL PROTECTED]>
Cc: "[email protected]" <[email protected]>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
That's what I say too...
Gert Doering wrote:
> Hi,
>
> On Fri, Apr 18, 2008 at 02:55:54PM -0400, Rodney Dunn wrote:
>
>> PS. 12.4 will never be GD. That program is retired.
>>
>
> Hmmm?
>
> gert
>
------------------------------
Message: 3
Date: Fri, 18 Apr 2008 14:42:16 -0700
From: "Buhrmaster, Gary" <[EMAIL PROTECTED]>
Subject: Re: [c-nsp] Cisco 7206VXR
To: "Gert Doering" <[EMAIL PROTECTED]>, "Rodney Dunn"
<[EMAIL PROTECTED]>
Cc: [email protected]
Message-ID:
<[EMAIL PROTECTED]>
Content-Type: text/plain; charset="us-ascii"
> On Fri, Apr 18, 2008 at 02:55:54PM -0400, Rodney Dunn wrote:
> > PS. 12.4 will never be GD. That program is retired.
>
> Hmmm?
Cisco retired (is retiring) the GD/LD program
(ED and DF continue, MD is a new designation):
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps6968/ps6350/product_bulletin_cisco_ios_software_gd_program_retirement.html
Gary
------------------------------
Message: 4
Date: Sat, 19 Apr 2008 00:47:13 +0300
From: Tassos Chatzithomaoglou <[EMAIL PROTECTED]>
Subject: Re: [c-nsp] Cisco 7206VXR
To: Jason Berenson <[EMAIL PROTECTED]>
Cc: Gert Doering
<[EMAIL PROTECTED]>, "[email protected]"
<[email protected]>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-7; format=flowed
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps6968/ps6350/product_bulletin_cisco_ios_software_gd_program_retirement.html
--
Tassos
Jason Berenson wrote on 19/4/2008 12:17 ??:
> That's what I say too...
>
> Gert Doering wrote:
>> Hi,
>>
>> On Fri, Apr 18, 2008 at 02:55:54PM -0400, Rodney Dunn wrote:
>>
>>> PS. 12.4 will never be GD. That program is retired.
>>>
>> Hmmm?
>>
>> gert
>>
> _______________________________________________
> cisco-nsp mailing list [email protected]
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
------------------------------
Message: 5
Date: Sat, 19 Apr 2008 00:17:43 +0200
From: "Christian Bering" <[EMAIL PROTECTED]>
Subject: Re: [c-nsp] %BGP-3-INVALID_MPLS: Invalid MPLS label (1)
To: "Saku Ytti" <[EMAIL PROTECTED]>
Cc: [email protected]
Message-ID:
<[EMAIL PROTECTED]>
Content-Type: text/plain; charset="us-ascii"
Hi Saku,
>I don't think you have anything to worry about. Most likely this is
>caused by dual-homed site or import map that may be denying local
>routes to BGP. Don't you have any prefix behind that log message?
No, there's never anything pointing to a specific prefix or even just a
VRF in those messages.
>You could look in that box for the VRF and check its import maps and
>also look 'sh ip bgp vrf X <prefix>' should it say 'no table' it's the
>culprit when funny label gets assigned.
I would if I could see which VRF and prefix the boxes complain about.
>CSCsg55591.
>--- (apologies for ugly paste)
Yes, that was the only one I found that mentions the error message. We
do see a few symptoms that could be explained by the part about a local
label not being programmed into the forwarding table but without knowing
the prefix and VRF, it's kind of hard to say for sure.
But it doesn't really tell me if the bug would affect the PEs or the
route reflectors (or both).
>This is new check implemented in CSCeh77395 and can be
>triggered by several issues (at least 4 documented,
>at least CSCsb87499, CSCse99753 are possible).
Ah, okay. That gives me a bit more to pursue. Thanks.
--
Regards
Christian Bering
IP engineer, nianet a/s
Phone: (+45) 7020 8730
------------------------------
Message: 6
Date: Fri, 18 Apr 2008 19:51:12 -0500
From: "Tolstykh, Andrew" <[EMAIL PROTECTED]>
Subject: Re: [c-nsp] Cisco 7206VXR
To: "Jason Berenson" <[EMAIL PROTECTED]>
Cc: [email protected]
Message-ID:
<[EMAIL PROTECTED]>
Content-Type: text/plain; charset="us-ascii"
Jason,
My issue was 100% specific to 12.4(19) - confirmed on 1 x 7204VXR and 1
x 7206VXR. Both routers were unable to boot the 12.4(19) IOS with
PA-2FE-FX card present (crash dump with the message that this code does
not support the installed port adapter). Changing the code to 12.4(8d)
resolved this issue on both routers.
-----Original Message-----
From: Jason Berenson [mailto:[EMAIL PROTECTED]
Sent: Friday, April 18, 2008 2:33 PM
To: Tolstykh, Andrew
Cc: Justin M. Streiner; [email protected]
Subject: Re: [c-nsp] Cisco 7206VXR
Andrew,
It looks like it may be this G1. I'm testing another G1 with the T3 and
OC3 card in it and it seems to be happy but it's running:
:c7200-js-mz.123-4.T1.bin right now. I'm going to try
c7200-is-mz.124-19.bin and see what happens.
-Jason
Tolstykh, Andrew wrote:
> Same issue with PID: PA-2FE-FX running on 12.4(19); crash dump on hard
> boot.
> Fixed by changing the image to 12.4(8d) - works like a charm. 12.4(17)
> should also work fine.
>
> HTH,
> Andrew
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Jason Berenson
> Sent: Friday, April 18, 2008 1:52 PM
> To: Justin M. Streiner
> Cc: [email protected]
> Subject: Re: [c-nsp] Cisco 7206VXR
>
> Justin, David,
>
> It crashes when I put the card in and keeps crashing on a reboot. I did
> get it to boot with 12.3.26. When I put the PA-MC-T3 card in at that
> point it's ok but when I put the ATM OC3 card in it crashes.
>
> When I have this router configured with an NPE-400 and these two cards
> it seems to work just fine. I'm about to throw these 7206's out the
> window and watch them slam into the pavement 10 floors down.
>
> -Jason
>
> Justin M. Streiner wrote:
>
>> On Fri, 18 Apr 2008, Jason Berenson wrote:
>>
>>> I'm going to be upgrading a couple of 7206VXR NPE-350's to G1's tomorrow
>>> night. I'm testing right now with the latest IP plus software:
>>> c7200-is-mz.124-19.bin. When I pop in a PA-MC-T3 the router promptly
>>> crashes:
>>>
>>> 10:44:58 UTC Fri Oct 8 2004: Data Bus Error exception, CPU signal 10,
>>> PC = 0x60
>>> 98AAA0
>>>
>>> --------------------------------------------------------------------
>>> Possible software fault. Upon reccurence, please collect
>>> crashinfo, "show tech" and contact Cisco Technical Support.
>>> --------------------------------------------------------------------
>>>
>> You can try another version of code and see if that works better. If not,
>> your best bet is to open a case with the TAC.
>>
>> Does the router crash when you insert any other port adapters?
>> Does the router crash regardless of which slot/bus you put the PA-MC-T3
>> in?
>> Is it a PA-MC-T3, or a PA-MC-T3+?
>>
>> jms
------------------------------
Message: 7
Date: Fri, 18 Apr 2008 18:20:41 -0700
From: "e ninja" <[EMAIL PROTECTED]>
Subject: Re: [c-nsp] Cisco 7206VXR
To: "Jason Berenson" <[EMAIL PROTECTED]>
Cc: "[email protected]" <[email protected]>
Message-ID:
<[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1
On Fri, Apr 18, 2008 at 11:57 AM, Jason Berenson <[EMAIL PROTECTED]> wrote:
> Rodney,
>
> When I say pop in, I mean the router is booted and I put the card in.
> I've tried a hard reboot too, same results. It did generate a
> crashinfo, once I get our contract renewed I can open a TAC case.
Jason,
You don't need to have a 'contract' to open a TAC case for a bug in *any*
software you have already paid for. Call the TAC, get your bug fix and get
your network online.
/eninja
PS. Enlighten yourself - http://resources.multiven.com/dossier
------------------------------
Message: 8
Date: Sat, 19 Apr 2008 11:47:33 +0100
From: Phil Mayers <[EMAIL PROTECTED]>
Subject: Re: [c-nsp] EAP SSL certificates - how to?
To: matthew zeier <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED], "[email protected]"
<[email protected]>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
matthew zeier wrote:
> GeoTrust is a well known root CA and I don't get prompts going to
> websites signed by them. I do, however, if I use the same cert for
> RADIUS. The error is "unknown trust setting".
The server certificate may be lacking certain X509 fields; for example,
"openssl x509 -noout -text -in $cert.pem" for our cert, which works
fine, says:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            snip
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US,O=VeriSign...,CN=VeriSign Class 3 Secure Server CA
        Validity
            Not Before: Apr 2 00:00:00 2007 GMT
            Not After : May 17 23:59:59 2008 GMT
        Subject: snip
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    snip
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 CRL Distribution Points:
                URI:http://SVRSecure-crl.verisign.com/SVRSecure2005.crl
            X509v3 Certificate Policies:
                Policy: 2.16.840.1.113733.1.7.23.3
                  CPS: https://www.verisign.com/rpa
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Authority Key Identifier: snip
            Authority Information Access:
                OCSP - URI:http://ocsp.verisign.com
                CA Issuers - snip
            1.3.6.1.5.5.7.1.12: snip
    Signature Algorithm: sha1WithRSAEncryption
Specifically:
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
...are important. We had problems with a previous "cheaper" CA which
issues certs unsuitable for 802.1x, with some clients failing to trust
the cert. We had to move to the Verisign product. I can't remember the
*specific* details, but IIRC there is a specific Verisign product for
802.1x certs.
Arguably a "safer" option is to issue a self-signed CA & server cert,
which prevents someone going out and buying a cert from the same CA and
impersonating your SSID, but that has the obvious deployment hassles of
deploying the CA. If you choose to do that, an appropriate "ca.cnf"
file for OpenSSL along with scripts to drive it lives in the FreeRadius
2.0.3 source tarball.
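
Added example, not part of the message above and not taken from the FreeRADIUS scripts: a check over `openssl x509 -noout -text` output for the Key Usage and Extended Key Usage values the message singles out. The REQUIRED set is an assumption drawn from those highlighted values, and the two sample inputs are constructed.

```python
import re

# Assumption: the values the message highlights are treated as the required set.
REQUIRED = {"X509v3 Key Usage": {"Digital Signature", "Key Encipherment"},
            "X509v3 Extended Key Usage": {"TLS Web Server Authentication"}}

def parse_extensions(text):
    """Return {extension name: set of values} from `openssl x509 -noout -text` output."""
    exts, name, base, name_indent = {}, None, None, None
    for line in filter(str.strip, text.splitlines()):   # skip blank lines
        stripped, indent = line.strip(), len(line) - len(line.lstrip())
        if base is None:                      # still before the extensions block
            base = indent if stripped == "X509v3 extensions:" else None
            continue
        if indent <= base:                    # block ended (trailing Signature Algorithm)
            break
        name_indent = name_indent or indent   # first line in the block sets header level
        if indent == name_indent:             # extension header, possibly marked critical
            name = re.sub(r":\s*(critical)?$", "", stripped)
            exts[name] = set()
        else:                                 # deeper line: comma-separated values
            exts[name].update(v.strip() for v in stripped.split(","))
    return exts

def missing_for_8021x(text):
    """List what the certificate lacks relative to REQUIRED; empty list means it passes."""
    exts, problems = parse_extensions(text), []
    for ext, needed in REQUIRED.items():
        if ext not in exts:
            problems.append(f"{ext}: extension absent")
        else:
            problems += [f"{ext}: lacks {v}" for v in sorted(needed - exts[ext])]
    return problems

# Constructed samples in openssl's text layout (not real certificates).
GOOD = """        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
    Signature Algorithm: sha1WithRSAEncryption"""
BAD = """        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature
    Signature Algorithm: sha256WithRSAEncryption"""
```

Run it on the text dump of the RADIUS server certificate before deployment; a non-empty list names the extension or value to ask the CA about.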
------------------------------
Message: 9
Date: Sat, 19 Apr 2008 13:56:36 +0300
From: Saku Ytti <[EMAIL PROTECTED]>
Subject: Re: [c-nsp] %BGP-3-INVALID_MPLS: Invalid MPLS label (1)
To: [email protected]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=us-ascii
On (2008-04-19 00:17 +0200), Christian Bering wrote:
> But it doesn't really tell me if the bug would affect the PEs or the
> route reflectors (or both).
Most likely culprit is one box doing something funny (not RR), and then
as it's propagated every box that has CSCeh77395 integrated will
report it by crying wolf.
For me, it was config mistake in single box. But as you didn't
have any prefix in it, you may have one of the other possible
bugid's causing it.
--
++ytti
------------------------------
Message: 10
Date: Sat, 19 Apr 2008 13:30:11 +0200
From: Peter Rathlev <[EMAIL PROTECTED]>
Subject: [c-nsp] "continue" in outbound route-map
To: cisco-nsp <[email protected]>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain
Hi,
According to
http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/cs_brmcs.html
the "continue" route-map statement is only supported in the outbound
direction when running 12.0(31)S and later. According to the Feature
Navigator, 12.2(33)SRB + SRC also supports it, but 12.2(18)SXF doesn't.
Now the strange thing is that I can use it fine in labs on 6500 and 7600
SXF. I can configure it, and it works as I expect.
Is it a very bad idea starting to use this in production? I haven't
tested SXH yet, and I am a bit worried, thinking this might be an
"unintended feature" like BFD+SVI. Anybody else using it with C6k, maybe
SXH?
Regards,
Peter
------------------------------
_______________________________________________
cisco-nsp mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
End of cisco-nsp Digest, Vol 65, Issue 103
******************************************