Re: [c-nsp] 6500 with WS-SVC-IPSEC-1, traffic not reaching module.
Hi Lee,

You're right and I'm wrong. Have to use BITW. Thanks for the advice, back to reading more documentation for me.

Best regards,
.pelle

On Tue, Dec 15, 2009 at 4:20 PM, Lee ler...@gmail.com wrote:
> On Tue, Dec 15, 2009 at 8:45 AM, Pär Åslund psl...@gmail.com wrote:
>> Hi Lee,
>>
>> No, I don't have it configured with crypto connect. From what I read so far, I don't need that for site-to-site ipsec? All the docs I read talked about the bump in the wire encryption.
>
> Somehow or other you have to get the traffic going thru the ipsec card. The only way I know of is to use the 'crypto connect' command or the much-discouraged-in-the-docs "switchport trunk allowed vlan add NNN" on the ipsec card ports. But I never did dynamic crypto maps, so maybe they do some extra magic?
>
>> The asa in the remote office can ping the remote peer ip configured on the 6500. Just seems like bad magic for me right now that for some reason the traffic doesn't seem to reach the IPSEC module.
>
> A fun thing about the 6500 ipsec card is that traffic not matching the crypto map goes through unaltered, whereas a real router would drop the traffic. If your ASA has a 192.168.1.1 address and the 6500 vlan 8 ip address is 192.168.1.2 it wouldn't surprise me that the asa can ping the 6500.
>
> Another fun thing about the 6500 ipsec card is that routing happens only on the cleartext traffic. By the time the traffic comes out of the ipsec card all the routing decisions have been made :(
>
> For example, say you're putting traffic for 10.10.10.0/24 in the IPSec tunnel and the tunnel endpoint is 192.168.1.1. If the route for 10.10.10.0/24 is out vlan10 and the route for 192.168.1.1 is out vlan 8 it ain't gonna work. I ended up adding a static route for 10.10.10.0/24 pointing to 192.168.1.1 as a work-around.
>
> Then again, I haven't had anything to do with a 6500 ipsec card for over a year so maybe they've fixed some of the weirdness that I had to deal with.
>
>> Extra, forgot to show the configuration of the interfaces on module 8 - WS-SVC-IPSEC-1
>>
>> Current configuration : 243 bytes
>> !
>> interface GigabitEthernet8/1
>>  switchport
>>  switchport trunk encapsulation dot1q
>>  switchport trunk allowed vlan 8
>>  switchport mode trunk
>>  mtu 4500
>>  no ip address
>>  flowcontrol receive on
>>  flowcontrol send off
>>  spanning-tree portfast trunk
>> end
>>
>> interface GigabitEthernet8/2
>>  switchport
>>  switchport trunk encapsulation dot1q
>>  switchport trunk allowed vlan none
>>  switchport mode trunk
>>  mtu 4500
>>  no ip address
>>  flowcontrol receive on
>>  flowcontrol send off
>>  spanning-tree portfast trunk
>> end
>
> What I ended up with was
>
> interface GigabitEthernet8/0/1
>  switchport
>  switchport trunk encapsulation dot1q
>  switchport trunk allowed vlan 550,551,702
>  switchport mode trunk
>  mtu 9216
>  no ip address
>  flowcontrol receive on
>  flowcontrol send off
>  spanning-tree portfast trunk
> !
> interface GigabitEthernet8/0/2
>  switchport
>  switchport trunk encapsulation dot1q
>  switchport trunk allowed vlan 551,703
>  switchport mode trunk
>  mtu 9216
>  no ip address
>  flowcontrol receive on
>  flowcontrol send off
>  spanning-tree portfast trunk
> !
>
> Looking at it now, having vlan 551 on G8/0/1 and 2 seems wrong.. but it did work. We moved all our ipsec tunnels over to asrs a while back, so nothing I need to do about it now :)
>
> Regards,
> Lee
>
>> Best regards,
>> .pelle
>>
>> On Tue, Dec 15, 2009 at 1:30 PM, Lee ler...@gmail.com wrote:
>>> Do you have the inside and outside vlan for your ipsec traffic configured with a crypto connect? eg
>>>
>>> interface Vlan7
>>>  description outside:encrypted traffic
>>>  no ip address
>>>  crypto engine subslot 8/0
>>>  crypto connect vlan8
>>> !
>>> interface Vlan8
>>>  description inside:cleartext traffic
>>>  ip address xxx
>>>  crypto map xxx
>>>  crypto engine subslot 8/0
>>>
>>> Regards,
>>> Lee
>>>
>>> On Tue, Dec 15, 2009 at 6:46 AM, Pär Åslund psl...@gmail.com wrote:
>>>> Hi,
>>>>
>>>> I have problems with a WS-SVC-IPSEC-1 where I'm trying to setup a site-to-site tunnel. Last night, I got the tunnel up. But after applying an acl to the 6500, the tunnel went down and stayed down.
>>>>
>>>> Removing configuration just to get the tunnel up again and continue trying to get the interesting traffic through as intended, the tunnel never comes up. The remote device is an ASA 5505, where I haven't touched anything since this failure started.
>>>>
>>>> From what I can get out of all this, looking at logs and crypto statistics, the traffic never gets to the module in slot 8.
>>>>
>>>> show crypto sessions - nothing
>>>> show crypto isakmp sa - nothing
>>>> show crypto ipsec sa - nothing
>>>>
>>>> I can still use packet-tracer on the asa as I could before and the flow is created, but nothing ends up in the 6500 logs. debug crypto isakmp and debug crypto ipsec are both enabled without anything being logged.
>>>>
>>>> Any ideas are most welcome. Guess I have missed something obvious but right now I just can't figure out what it is.
>>>>
>>>> This is the configuration from the 6500
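Added example (my own script, not from this thread and not a Cisco tool): the two ways Lee names for getting a VLAN's traffic into the IPsec card are a 'crypto connect' pair on the inside/outside SVIs, or the VLAN being allowed on the card's trunk ports. The checker below parses an IOS running-config fragment and reports, for every VLAN interface that carries a crypto map, which of those two mechanisms (if either) applies. The two configs embedded in it are constructed from what was posted: the first mirrors the original Vlan8/G8/1 setup, the second adds the Vlan7/Vlan8 crypto connect pair from Lee's mail; the IP addresses are documentation-range placeholders and the slot number is passed in as an argument.

```python
"""Report how each crypto-map VLAN on a 6500 is steered into the IPsec service
module: via a 'crypto connect' pair, via allowed-vlan on the module's trunk
ports, or not at all.  Hypothetical helper written for this thread, not a Cisco tool."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample: the fragments of the config posted in the thread
# (addresses replaced with the 192.0.2.0/24 documentation range).
SAMPLE_CONFIG = """\
interface GigabitEthernet8/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 8
 switchport mode trunk
!
interface GigabitEthernet8/2
 switchport
 switchport trunk allowed vlan none
 switchport mode trunk
!
interface Vlan8
 ip address 192.0.2.2 255.255.255.248
 crypto map vpnmap redundancy standby name
!
"""

# Constructed: the same inside VLAN after adding the crypto connect pair Lee posted.
FIXED_CONFIG = """\
interface Vlan7
 description outside:encrypted traffic
 no ip address
 crypto engine subslot 8/0
 crypto connect vlan8
!
interface Vlan8
 description inside:cleartext traffic
 ip address 192.0.2.2 255.255.255.248
 crypto map vpnmap
 crypto engine subslot 8/0
!
"""


@dataclass
class Iface:
    name: str
    lines: List[str] = field(default_factory=list)

    def first(self, prefix: str):
        """Return the first sub-command starting with prefix, or None."""
        return next((l for l in self.lines if l.startswith(prefix)), None)


def parse_interfaces(config: str) -> Dict[str, Iface]:
    """Collect the indented sub-commands under each 'interface X' stanza."""
    ifaces: Dict[str, Iface] = {}
    cur = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            cur = Iface(raw[len("interface "):].strip())
            ifaces[cur.name] = cur
        elif raw[:1] in (" ", "\t") and cur is not None:
            cur.lines.append(raw.strip())
        else:
            cur = None  # any column-0 line ('!' or a global command) ends the stanza
    return ifaces


def expand_vlan_list(spec: str) -> Set[int]:
    """Expand '550,551,702', '1-5,10', 'add 8' or 'none' into a set of VLAN ids."""
    vlans: Set[int] = set()
    for tok in spec.replace("add ", "").split(","):
        tok = tok.strip()
        if not tok or not tok[0].isdigit():  # skips 'none' and other keywords
            continue
        lo, _, hi = tok.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def allowed_vlans(port: Iface) -> Set[int]:
    line = port.first("switchport trunk allowed vlan")
    return expand_vlan_list(line[len("switchport trunk allowed vlan"):]) if line else set()


def check_crypto_steering(config: str, module_slot: int) -> Dict[str, dict]:
    """For each VlanN SVI with a crypto map, say what (if anything) steers it into the module."""
    ifaces = parse_interfaces(config)
    module_ports = {n: i for n, i in ifaces.items()
                    if n.startswith(f"GigabitEthernet{module_slot}/")}
    # outside SVIs that 'crypto connect' to an inside VLAN, keyed by the inside VLAN id
    connects: Dict[int, List[str]] = {}
    for name, iface in ifaces.items():
        line = iface.first("crypto connect vlan")
        if line:
            vid = int(re.search(r"vlan\s*(\d+)", line).group(1))
            connects.setdefault(vid, []).append(name)
    findings: Dict[str, dict] = {}
    for name, iface in ifaces.items():
        m = re.fullmatch(r"Vlan(\d+)", name)
        cmap = iface.first("crypto map ")
        if not m or not cmap:
            continue
        vid = int(m.group(1))
        trunked_on = [p for p, pi in module_ports.items() if vid in allowed_vlans(pi)]
        has_engine = iface.first("crypto engine") is not None
        if has_engine and connects.get(vid):
            verdict = "crypto-connect: bump-in-the-wire pair present"
        elif trunked_on:
            verdict = "trunk-only: reaches the module only via allowed-vlan on its ports"
        else:
            verdict = "unsteered: nothing sends this VLAN into the IPsec module"
        findings[name] = {"crypto_map": cmap.split()[2], "crypto_engine": has_engine,
                          "crypto_connect_from": connects.get(vid, []),
                          "module_ports_allowing_vlan": trunked_on, "verdict": verdict}
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("with crypto connect", FIXED_CONFIG)):
        for svi, f in check_crypto_steering(cfg, 8).items():
            print(f"{label}: {svi} (crypto map {f['crypto_map']}) -> {f['verdict']}")
```

Run against the posted fragment it reports Vlan8 as trunk-only (allowed on G8/1, no crypto engine, no crypto connect); against the second fragment it reports the crypto-connect pair from Vlan7. It only inspects steering, not the routing caveat Lee raises about cleartext-only routing decisions.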
[c-nsp] 6500 with WS-SVC-IPSEC-1, traffic not reaching module.
Hi,

I have problems with a WS-SVC-IPSEC-1 where I'm trying to setup a site-to-site tunnel. Last night, I got the tunnel up. But after applying an acl to the 6500, the tunnel went down and stayed down. Removing configuration just to get the tunnel up again and continue trying to get the interesting traffic through as intended, the tunnel never comes up. The remote device is an ASA 5505, where I haven't touched anything since this failure started.

From what I can get out of all this, looking at logs and crypto statistics, the traffic never gets to the module in slot 8.

show crypto sessions - nothing
show crypto isakmp sa - nothing
show crypto ipsec sa - nothing

I can still use packet-tracer on the asa as I could before and the flow is created, but nothing ends up in the 6500 logs. debug crypto isakmp and debug crypto ipsec are both enabled without anything being logged.

Any ideas are most welcome. Guess I have missed something obvious but right now I just can't figure out what it is.

This is the configuration from the 6500.

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key SECRETKEY address peer ip no-xauth
!
crypto isakmp client configuration group GROUP1
 key KEY
 dns 172.16.9.2
 domain i.company.com
 pool vpn
 acl 101
crypto isakmp profile ikepro
 match identity group GROUP1
 client authentication list userlist
 isakmp authorization list grouplist
 client configuration address respond
 client configuration group GROUP1
crypto isakmp profile site-to-site
 keyring default
 match identity address peer ip 255.255.255.255
 keepalive 60 retry 5
!
!
crypto ipsec transform-set 3dessha esp-3des esp-sha-hmac
!
crypto ipsec profile ipsecpro
 set transform-set 3dessha
!
!
crypto dynamic-map dynmap 10
 set transform-set 3dessha
 set isakmp-profile ikepro
crypto dynamic-map dynmap 15
 set peer 76.238.146.205
 set transform-set 3dessha
 set isakmp-profile site-to-site
crypto dynamic-map dynmap 20
 set transform-set 3dessha
 set isakmp-profile ikepro
!
!
crypto map vpnmap engine slot 8
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap

and then on VLAN 8 where the traffic is supposed to come in:

interface Vlan8
 ip address ip 255.255.255.248
 ip nat outside
 standby 8 ip standby ip
 standby 8 priority 115
 standby 8 preempt
 standby 8 name standby name
 crypto map vpnmap redundancy standby name
end

Best regards,
.pelle

___
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] 6500 with WS-SVC-IPSEC-1, traffic not reaching module.
Hi Lee,

No, I don't have it configured with crypto connect. From what I read so far, I don't need that for site-to-site ipsec?

The asa in the remote office can ping the remote peer ip configured on the 6500. Just seems like bad magic for me right now that for some reason the traffic doesn't seem to reach the IPSEC module.

Extra, forgot to show the configuration of the interfaces on module 8 - WS-SVC-IPSEC-1

Current configuration : 243 bytes
!
interface GigabitEthernet8/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 8
 switchport mode trunk
 mtu 4500
 no ip address
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
end

interface GigabitEthernet8/2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan none
 switchport mode trunk
 mtu 4500
 no ip address
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
end

Best regards,
.pelle

On Tue, Dec 15, 2009 at 1:30 PM, Lee ler...@gmail.com wrote:
> Do you have the inside and outside vlan for your ipsec traffic configured with a crypto connect? eg
>
> interface Vlan7
>  description outside:encrypted traffic
>  no ip address
>  crypto engine subslot 8/0
>  crypto connect vlan8
> !
> interface Vlan8
>  description inside:cleartext traffic
>  ip address xxx
>  crypto map xxx
>  crypto engine subslot 8/0
>
> Regards,
> Lee
>
> On Tue, Dec 15, 2009 at 6:46 AM, Pär Åslund psl...@gmail.com wrote:
>> Hi,
>>
>> I have problems with a WS-SVC-IPSEC-1 where I'm trying to setup a site-to-site tunnel. Last night, I got the tunnel up. But after applying an acl to the 6500, the tunnel went down and stayed down. Removing configuration just to get the tunnel up again and continue trying to get the interesting traffic through as intended, the tunnel never comes up. The remote device is an ASA 5505, where I haven't touched anything since this failure started.
>>
>> From what I can get out of all this, looking at logs and crypto statistics, the traffic never gets to the module in slot 8.
>>
>> show crypto sessions - nothing
>> show crypto isakmp sa - nothing
>> show crypto ipsec sa - nothing
>>
>> I can still use packet-tracer on the asa as I could before and the flow is created, but nothing ends up in the 6500 logs. debug crypto isakmp and debug crypto ipsec are both enabled without anything being logged.
>>
>> Any ideas are most welcome. Guess I have missed something obvious but right now I just can't figure out what it is.
>>
>> This is the configuration from the 6500.
>>
>> crypto isakmp policy 1
>>  encr 3des
>>  authentication pre-share
>>  group 2
>> crypto isakmp key SECRETKEY address peer ip no-xauth
>> !
>> crypto isakmp client configuration group GROUP1
>>  key KEY
>>  dns 172.16.9.2
>>  domain i.company.com
>>  pool vpn
>>  acl 101
>> crypto isakmp profile ikepro
>>  match identity group GROUP1
>>  client authentication list userlist
>>  isakmp authorization list grouplist
>>  client configuration address respond
>>  client configuration group GROUP1
>> crypto isakmp profile site-to-site
>>  keyring default
>>  match identity address peer ip 255.255.255.255
>>  keepalive 60 retry 5
>> !
>> !
>> crypto ipsec transform-set 3dessha esp-3des esp-sha-hmac
>> !
>> crypto ipsec profile ipsecpro
>>  set transform-set 3dessha
>> !
>> !
>> crypto dynamic-map dynmap 10
>>  set transform-set 3dessha
>>  set isakmp-profile ikepro
>> crypto dynamic-map dynmap 15
>>  set peer 76.238.146.205
>>  set transform-set 3dessha
>>  set isakmp-profile site-to-site
>> crypto dynamic-map dynmap 20
>>  set transform-set 3dessha
>>  set isakmp-profile ikepro
>> !
>> !
>> crypto map vpnmap engine slot 8
>> crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
>>
>> and then on VLAN 8 where the traffic is supposed to come in:
>>
>> interface Vlan8
>>  ip address ip 255.255.255.248
>>  ip nat outside
>>  standby 8 ip standby ip
>>  standby 8 priority 115
>>  standby 8 preempt
>>  standby 8 name standby name
>>  crypto map vpnmap redundancy standby name
>> end
>>
>> Best regards,
>> .pelle
[c-nsp] Downgrade from 12.2(33)SXI2a to 122-18.SXF17
Hi,

I'm going to downgrade a Cisco 6500 with Sup-720 from 12.2(33)SXI2a to 1.22(18)SXF17 for hardware issue. I think I have checked everything:

Configuration issues (all commands available)
Hardware support (all modules supported)
Bootloader (not needed on sup-720 for 1.22(18)SXF17 according to Cisco documentation)

Anyone got any more pointers I might have missed? Hard to find good documentation about downgrading. If anyone knows good documentation about this, feel free to share it.

My experience after missing some configuration differences (switch went berserk back then, several years ago) makes me a bit uneasy about downgrading IOS versions.

best regards,
pelle
Re: [c-nsp] Downgrade from 12.2(33)SXI2a to 122-18.SXF17
On Wed, Dec 2, 2009 at 6:18 PM, Phil Mayers p.may...@imperial.ac.uk wrote:
> Pär Åslund wrote:
>> Hi,
>>
>> I'm going to downgrade a Cisco 6500 with Sup-720 from 12.2(33)SXI2a to 1.22(18)SXF17 for hardware issue. I think I have checked everything:
>>
>> Configuration issues (all commands available)
>> Hardware support (all modules supported)
>> Bootloader (not needed on sup-720 for 1.22(18)SXF17 according to Cisco documentation)
>>
>> Anyone got any more pointers I might have missed?
>
> I tested this for SXI (not 2a) when we upgraded, and from my notes:
>
> * If you're using VRFs and have converted the config to new-style vrf definition, you need to backport config
> * If you've re-formatted the flash disk under SXI you should probably (to be safe) format it under SXF before downgrade
>
> ...but other than that, if you're sure the IOS config hardware is compatible it should be fine - we frequently put our test/lab box back into SXF.

Hi Phil,

Thanks for the pointers. No VRF configuration is used at all. Didn't know about the format flash disk, will check that.

.pelle