Re: [c-nsp] OSM-2OC12 question

2008-09-25 Thread sthaug
 The 4 ports of Gig on the OSM-OC12 module are gig x/y ports, same
 feature set as the supervisor 720 gig ports or WS-X6516. They show up as
 int gig x/y. Only OSM-GEWAN module has fancy features enabled for GE.

Ah yes, I remembered wrong. Been too long since I worked with those
beasts...

Steinar Haug, Nethelp consulting, [EMAIL PROTECTED]
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


[c-nsp] SRB on 6500

2008-09-25 Thread Vikas Sharma
Hi,

Is it possible to run SRB3 on 6500-E chassis? I am sure this can be done by
using 6509-NEB-A, but not sure about 6509-E.

Regards,
Vikas Sharma


[c-nsp] Weird Port Loopback Issues with 3750 and ESX 3.5

2008-09-25 Thread aaron
Hey Guys,

I am hoping some of you out there may have experienced this problem in the
past. We have a spare NIC on a DELL X445 (Broadcom NetXtreme BCM5793
1000Base-T) running ESX 3.5. No matter what I do I cannot seem to get this
NIC working properly. I have it connected to a 3750 switch GIG GLC-T SFP
port and I am getting err-disable loopback issues where the switch is
actually receiving its own keepalives on the same port.

I have messed with the various duplex / speed settings at both ends and this
doesn't seem to resolve the issue. I have turned off inline power and mdix
auto. The cable is CAT5E UTP. Several cables have been tested and the length
is no longer than 10m. I have connected this NIC to a 3550 series switch and
the exact same thing happens.

I have come to the conclusion that the NIC must be faulty or mustn't have the
correct drivers installed.

Any ideas?

Thanks,

Aaron.



[c-nsp] Maximum number of class-map supported

2008-09-25 Thread David Granzer
Hello,

I can't find information about maximum number of class-map supported on a
particular platform (e.g. 2800, 3800, NPE-G1) in one policy-map.  Does
anyone have link to any documentation or does anyone know how many
class-map are supported in one policy-map?

Regards,
David


Re: [c-nsp] Maximum number of class-map supported

2008-09-25 Thread Aaron Riemer
AFAIK it's 256 mate.

Could be different for the different IOS versions though.

Cheers,

Aaron.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Granzer
Sent: Thursday, 25 September 2008 4:00 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Maximum number of class-map supported

Hello,

I can't find information about maximum number of class-map supported on a
particular platform (e.g. 2800, 3800, NPE-G1) in one policy-map.  Does
anyone have link to any documentation or does anyone know how many
class-map are supported in one policy-map?

Regards,
David


Re: [c-nsp] SXH3 ghost bugs - more details

2008-09-25 Thread Gert Doering
Hi,

On Tue, Sep 23, 2008 at 04:46:38PM -0400, Rodney Dunn wrote:
 Seems they are not planning a special rebuild for this unfortunately.

Mmmh, bad news.

 We are trying to get them to build a engineering special
 generally available for TAC if you have a SR open they should
 be able to get it.

That would work fine for us, though.

Thanks,

gert
-- 
Gert Doering
Mobile communications ... right now writing from * Sardegna, Italy *


Re: [c-nsp] 12.2(33)SXI

2008-09-25 Thread Phil Mayers

Rubens Kuhl Jr. wrote:

Not only postponed, but the feature matrix has been changed, so some
roadmapped features won't show up in SXI.


Any idea which ones?


Re: [c-nsp] Performance Of www.cisco.com

2008-09-25 Thread Tassos Chatzithomaoglou

Someone heard all of you and made www.cisco.com extra-light!

--
Tassos

Sean Granger wrote on 24/9/2008 11:35 μμ:

Seconded.

In fact, it's a common sense thing that since it's not being done, is brilliant.


Justin Shore [EMAIL PROTECTED] 09/24/08 01:43PM 

Seth Mattinen wrote:

It's been slow for me since this current iteration of the design came
out. I just attributed it to the tradeoff between flashy and functional.
I was stuck on a dialup modem (21k) once during an emergency after my
877 at home failed and trying to access my TAC case online was horribly
painful to the point of causing extreme rage.

Download speeds are fine, though.


My download speeds are fine too.  My biggest gripe is how things keep 
changing and how fancy the pages are getting.  I can understand some 
bling on the product and marketing pages but the support pages should be 
downright blah in my opinion.  I should be able to load up the support 
site in lynx if I have to and find what I'm looking for.  Today we have 
to deal with all those damn style sheets, indirect linking through CGIs, 
flash and javascript crap, having to (re)authenticate at every turn, and 
timeouts that are way too short (can you say Dynamic Config Tool?).


Like I said earlier, give the product and marketing pages the shiny
bling and give the support pages the look, feel and function of what a
professional Cisco engineer would expect and need.  After all, we use
the command line all day long.  We don't need a stinking GUI.


Justin


Re: [c-nsp] Performance Of www.cisco.com

2008-09-25 Thread Irena Nikolova
And also without ts for some reason :)

Irena


2008/9/25 Tassos Chatzithomaoglou [EMAIL PROTECTED]

 Someone heard all of you and made www.cisco.com extra-light!

 --
 Tassos

 Sean Granger wrote on 24/9/2008 11:35 μμ:

  Seconded.

 In fact, it's a common sense thing that since it's not being done, is
 brilliant.

  Justin Shore [EMAIL PROTECTED] 09/24/08 01:43PM 

 Seth Mattinen wrote:

 It's been slow for me since this current iteration of the design came
 out. I just attributed it to the tradeoff between flashy and functional.
 I was stuck on a dialup modem (21k) once during an emergency after my
 877 at home failed and trying to access my TAC case online was horribly
 painful to the point of causing extreme rage.

 Download speeds are fine, though.


 My download speeds are fine too.  My biggest gripe is how things keep
 changing and how fancy the pages are getting.  I can understand some bling
 on the product and marketing pages but the support pages should be downright
 blah in my opinion.  I should be able to load up the support site in lynx if
 I have to and find what I'm looking for.  Today we have to deal with all
 those damn style sheets, indirect linking through CGIs, flash and javascript
 crap, having to (re)authenticate at every turn, and timeouts that are way
 too short (can you say Dynamic Config Tool?).

 Like I said earlier, give the product and marketing pages the shiny bling
 and give the support pages the look, feel and function of what a
 professional Cisco engineer would expect and need.  After all, we use the
 command line all day long.  We don't need a stinking GUI.

 Justin


Re: [c-nsp] Performance Of www.cisco.com

2008-09-25 Thread Raul Lopez Nevot
Suspicious... I can't believe that... maybe 'defaced' ?

2008/9/25 Irena Nikolova [EMAIL PROTECTED]

 And also without ts for some reason :)

 Irena


 2008/9/25 Tassos Chatzithomaoglou [EMAIL PROTECTED]

  Someone heard all of you and made www.cisco.com extra-light!
 
  --
  Tassos
 
  Sean Granger wrote on 24/9/2008 11:35 μμ:
 
   Seconded.
 
  In fact, it's a common sense thing that since it's not being done, is
  brilliant.
 
   Justin Shore [EMAIL PROTECTED] 09/24/08 01:43PM 
 
  Seth Mattinen wrote:
 
  It's been slow for me since this current iteration of the design came
  out. I just attributed it to the tradeoff between flashy and functional.
  I was stuck on a dialup modem (21k) once during an emergency after my
  877 at home failed and trying to access my TAC case online was horribly
  painful to the point of causing extreme rage.

  Download speeds are fine, though.


  My download speeds are fine too.  My biggest gripe is how things keep
  changing and how fancy the pages are getting.  I can understand some bling
  on the product and marketing pages but the support pages should be downright
  blah in my opinion.  I should be able to load up the support site in lynx if
  I have to and find what I'm looking for.  Today we have to deal with all
  those damn style sheets, indirect linking through CGIs, flash and javascript
  crap, having to (re)authenticate at every turn, and timeouts that are way
  too short (can you say Dynamic Config Tool?).

  Like I said earlier, give the product and marketing pages the shiny bling
  and give the support pages the look, feel and function of what a
  professional Cisco engineer would expect and need.  After all, we use the
  command line all day long.  We don't need a stinking GUI.
 
  Justin
 

Re: [c-nsp] Performance Of www.cisco.com

2008-09-25 Thread Kris Price

Tassos Chatzithomaoglou wrote:

Someone heard all of you and made www.cisco.com extra-light!


Ha. Some kind of s/t//g error perhaps.



Re: [c-nsp] Performance Of www.cisco.com

2008-09-25 Thread Jay Hennigan

Irena Nikolova wrote:

And also without ts for some reason :)


rue bu i sure loads fas now.  :-)

--
Jay Hennigan - CCIE #7880 - Network Engineering - [EMAIL PROTECTED]
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV


[c-nsp] 10/100/1000 speeds in GE SFP ports

2008-09-25 Thread Saku Ytti
http://www.cisco.com/en/US/docs/interfaces_modules/transceiver_modules/compatibility/matrix/OL_6981.html

Is this accurate? Can someone find errors? I seem to recall cuSFP works in
10/100/1000 speeds in SUP720-3BXL supervisor ports (well other is dual
personality anyhow)
 Mostly, I'm highly disappointed if there aren't any GE SFP ports at all in
7600/6500/4900/4500 that'll do 10/100 speeds.

This means, if you currently have 3750-12S and you're looking to step up,
you need to buy three linecards, 1GE SFP, 100M SFP and 10/100/1000 cu,
increasing costs in unacceptable way.

Anyone know what's the state in foundry, huawei and extreme?
-- 
  ++ytti


Re: [c-nsp] Maximum number of class-map supported

2008-09-25 Thread David Granzer
Hello,

it seems that 256 is correct. I have tried on 2800 (12.4) and 7200
NPE400 (12.2SB) with the following output.

72-NPE400(config-pmap)#class 255
Max limit of 255 classes in a policy reached

and also I found the same answer here
http://6200networks.com/2007/11/26/modular-qos-cli-class-map-limitations/

Regards,
David


On 9/25/08, Aaron Riemer [EMAIL PROTECTED] wrote:
 AFAIK it's 256 mate.

  Could be different for the different IOS versions though.

  Cheers,

  Aaron.


  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of David Granzer
  Sent: Thursday, 25 September 2008 4:00 PM
  To: cisco-nsp@puck.nether.net
  Subject: [c-nsp] Maximum number of class-map supported

  Hello,

  I can't find information about maximum number of class-map supported on a
  particular platform (e.g. 2800, 3800, NPE-G1) in one policy-map.  Does
  anyone have link to any documentation or does anyone know how many
  class-map are supported in one policy-map?

  Regards,
  David



Re: [c-nsp] shut interfaces become enabled for some secs while reloading

2008-09-25 Thread simon
Just disable the portfast, it won't have enough time to establish any
connections then


 Has anyone met the above problem?

 I'm trying a 7200/G2 with 12.2(31)SB13 and I noticed that while reloading
 it, the shut interfaces come up for 2 secs,
 which is more than enough time to send packets through them (having
 portfast enabled on the switch port).

 I guess the config is parsed sequentially, so if the shutdown command
 follows the ip address x.x.x.x command (which
 they do when doing sh run), ip connectivity is established first.

 The problem with the above is that if you have to prepare a second router
 having identical config with another one
 (keeping the interfaces of the second router in the shutdown state), you
 end up having duplicate ips for a while (in my
 case 2 secs) when reloading the second router. This small time is more
 than enough to make the hell out of arp/mac tables!!!

 I know there are many ways to avoid all this mess (remove/change ips, shut
 switch ports instead of router ports, etc),
 but i was mainly wondering if all this is expected/normal behavior.

 --
 Tassos


Re: [c-nsp] 10/100/1000 speeds in GE SFP ports

2008-09-25 Thread Tassos Chatzithomaoglou

GLC-T works only in 1000 speed when in 67xx-SFP cards (hardware limitation?).

We use 6748-GE-TX for 10/100/1000BaseT in our 6500s/7600s, so we have the same 
issue as you.

Does anyone know what happens with the ES/SPA cards?

--
Tassos

Saku Ytti wrote on 25/9/2008 1:34 μμ:

http://www.cisco.com/en/US/docs/interfaces_modules/transceiver_modules/compatibility/matrix/OL_6981.html

Is this accurate? Can someone find errors? I seem to recall cuSFP works in
10/100/1000 speeds in SUP720-3BXL supervisor ports (well other is dual
personality anyhow)
 Mostly, I'm highly disappointed if there aren't any GE SFP ports at all in
7600/6500/4900/4500 that'll do 10/100 speeds.

This means, if you currently have 3750-12S and you're looking to step up,
you need to buy three linecards, 1GE SFP, 100M SFP and 10/100/1000 cu,
increasing costs in unacceptable way.

Anyone know what's the state in foundry, huawei and extreme?



[c-nsp] High CPU - 7206 with NPE-G1

2008-09-25 Thread Ved Labs
Searching through the Forum for High CPU - 7206 with NPE-G1.

But did not find any conclusions.

Anyone who has any concrete inputs.


Re: [c-nsp] 10/100/1000 speeds in GE SFP ports

2008-09-25 Thread Johannes Resch
On Thu, September 25, 2008 13:23, Tassos Chatzithomaoglou wrote:
 GLC-T works only in 1000 speed when in 67xx-SFP cards (hardware
 limitation?).

 We use 6748-GE-TX for 10/100/1000BaseT in our 6500s/7600s, so we have the
 same issue as you.

 Does anyone know what happens with the ES/SPA cards?

In ES20, SFP-GE-T work in 10/100/1000 modes (caution: any GLC-* type SFPs
are not supported with ES20 at all). Not sure about the state of support
for auto-negotiation though, I personally have only used it with hardcoded
speeds.

Regards,
-jr


[c-nsp] 10GbE SPA

2008-09-25 Thread MKS
Hi list


[c-nsp] 10GbE SPA

2008-09-25 Thread MKS
Hi list

Sorry about the spam earlier. I wanted to ask what's the difference between
SPA-1X10GE-L-V2   and
SPA-1XTENGE-XFP

When considering 10GbE WAN-PHY for 7600, what cards and optic form
factors are available?

Regards
MKS


Re: [c-nsp] Throttles on an interface

2008-09-25 Thread Rodney Dunn
Can you post the 'sh int' and 'sh ver'?

I posted a response just yesterday or the day before
about input drops can result in throttles.

If it's microburst the 72xx may not can handle the
rate.

On Wed, Sep 24, 2008 at 06:46:06PM -0700, Roy wrote:
 I have a PA-FE on a 7206VXR.  show int gives
 
 Received 7798 broadcasts, 0 runts, 0 giants, 17 throttles
  393 input errors, 0 CRC, 0 frame, 0 overrun, 393 ignored
 
 The throttles seems to be related to the input errors.  I also see
 throttles with no input errors.  We have double checked (and replaced)
 the cable and the ports without success.  Is there some sort of buffer
 tuning that would affect this?
 
 Roy
 


Re: [c-nsp] High CPU - 7206 with NPE-G1

2008-09-25 Thread Varaillon Jean Christophe
Hi,

Doing a show proc cpu | e 0.00 would give you a list of sorted processes 
using a lot of CPU.

Also, the output of show proc cpu has the format a/y showing the CPU usage for
traffic processing (interrupt) and protocols handling. This will tell you if
your CPU is high due to high traffic.

HTH
Christophe



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ved Labs
Sent: Thursday, September 25, 2008 2:43 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] High CPU - 7206 with NPE-G1

Searching through the Forum for High CPU - 7206 with NPE-G1.

But did not find any conclusions.

Anyone who has any concrete inputs.

Re: [c-nsp] 10/100/1000 speeds in GE SFP ports

2008-09-25 Thread Dan Armstrong

I second that.

I would give my right arm for a high density, inexpensive switch and/or 
blade  matching set of copper  fibre SFPs that did 10/100/1000.


10 Megabit is still pretty fast for a downlink from ISP-Customer.  
Switch vendors are so hell-bent on 10G, 40G+ stuff, they've forgotten 
about the simple ergonomic conveniences of the still massively used 
lower speed interfaces.





Saku Ytti wrote:

On (2008-09-25 13:43 +0200), Johannes Resch wrote:
 
  

In ES20, SFP-GE-T work in 10/100/1000 modes (caution: any GLC-* type SFPs
are not supported with ES20 at all). Not sure about the state of support
for auto-negotiation though, I personally have only used it with hardcoded
speeds.



What a sad state of affair. ES20 port price isn't very comparable
to 3750 port price when you just need that 10/100 option.

On a side note I noticed recently that brand spanking new cat4 E
10/100/1000 copper cards don't do auto MDI/X.
I'm pretty sure that MDI/X or multirate have no significant
cost addition, MDI/X doesn't even have business driver not
to include it. I guess multirate has business driver, force customers
to buy more.

I'm really tempted to finance shop that'll produce RJ45 PoE - SFP
transceivers. So that you'd buy transceiver that plugs to PoE port
and offers SFP port. You'd get multirate and tons of SFP ports
without the insane mark-up and poor density that vendors offer for
no valid reason other than 'because we can'.


  




Re: [c-nsp] High CPU - 7206 with NPE-G1

2008-09-25 Thread Ved Labs
The high CPU is due to interrupts and mostly caused due to IP input.
How do I go further?


dl#SH PROCesses Cpu Sorted | ex 0.0
CPU utilization for five seconds: 51%/43%; one minute: 47%; five minutes:
45%
 PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
 19162464784 124889936500  5.27%  1.14%  0.63%   0 OSPF-100
Router
 11475665160   3632136  20832  0.71%  0.26%  0.25%   0 MFI LFD Stats
Pr
  62   2106239882116315242 99  0.63%  0.59%  0.57%   0 IP Input
 17741091608 297395737138  0.15%  0.16%  0.14%   0 BGP Router

dl#SH PROCesses Cpu Sorted | ex 0.0
CPU utilization for five seconds: 44%/42%; one minute: 47%; five minutes:
45%
 PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
  62   2106239922116315312 99  0.47%  0.58%  0.56%   0 IP Input
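
Added example, not part of the original posts and not Cisco code: a small Python parser for the `X%/Y%` header this thread is reading. In `show processes cpu` output the first figure is total five-second CPU and the second is the part spent at interrupt level; the function name, the 50% threshold and the constructed process rows are assumptions made for illustration.

```python
import re

# Constructed sample in the layout of IOS "show processes cpu sorted".
# The header percentages are the ones quoted in the thread; the process
# rows are made-up values for illustration.
SAMPLE = """\
CPU utilization for five seconds: 51%/43%; one minute: 47%; five minutes: 45%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
 191     2464784  12488993        197  5.27%  1.14%  0.63%   0 OSPF-100 Router
 114      756651   3632136        208  0.71%  0.26%  0.25%   0 MFI LFD Stats Pr
  62    21062398  82116315        256  0.63%  0.59%  0.57%   0 IP Input
 177      410916  29739573         13  0.15%  0.16%  0.14%   0 BGP Router
"""

# "five seconds: <total>%/<interrupt>%": total CPU, then interrupt-level CPU.
HEADER_RE = re.compile(
    r"CPU utilization for five seconds: (\d+)%/(\d+)%; "
    r"one minute: (\d+)%; five minutes: (\d+)%"
)
# PID, Runtime(ms), Invoked, uSecs, 5Sec, 1Min, 5Min, TTY, Process name.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+"
    r"([\d.]+)%\s+([\d.]+)%\s+([\d.]+)%\s+(\d+)\s+(\S.*)$"
)


def parse_show_proc_cpu(text, interrupt_share=0.5):
    """Parse one 'show processes cpu' output (hypothetical helper).

    Returns the five-second total, the interrupt-level part, the
    process-level remainder (total minus interrupt) and the process rows.
    `interrupt_share` is an assumed cut-off for calling the load
    interrupt-driven, i.e. caused by packet switching rather than by a
    process such as a routing protocol.
    """
    # Mail clients wrap long lines, so collapse whitespace before matching
    # the header ("five minutes:" and "45%" may sit on different lines).
    flat = " ".join(text.split())
    m = HEADER_RE.search(flat)
    if m is None:
        raise ValueError("no 'CPU utilization' header found")
    total, interrupt, one_min, five_min = map(int, m.groups())

    processes = []
    for line in text.splitlines():
        row = ROW_RE.match(line)
        if row:
            processes.append({
                "pid": int(row.group(1)),
                "five_sec": float(row.group(5)),
                "name": row.group(9).strip(),
            })
        elif processes and line.strip() and "%" not in line and "PID" not in line:
            # A wrapped process name ("OSPF-100" / "Router") continues the
            # previous row.
            processes[-1]["name"] += " " + line.strip()

    share = interrupt / total if total else 0.0
    return {
        "total_5s": total,
        "interrupt_5s": interrupt,
        "process_5s": total - interrupt,
        "interrupt_share": share,
        "dominant": "interrupt" if share >= interrupt_share else "process",
        "one_min": one_min,
        "five_min": five_min,
        "processes": sorted(processes, key=lambda p: p["five_sec"], reverse=True),
    }


if __name__ == "__main__":
    r = parse_show_proc_cpu(SAMPLE)
    print("total %d%%, interrupt %d%%, process-level %d%% -> %s-dominated"
          % (r["total_5s"], r["interrupt_5s"], r["process_5s"], r["dominant"]))
    for p in r["processes"]:
        print("  %5.2f%%  %s" % (p["five_sec"], p["name"]))
```

When the interrupt figure dominates, the per-process list will not account for the load; the next step is to look at what traffic is being switched rather than at the process table.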


Re: [c-nsp] High CPU - 7206 with NPE-G1

2008-09-25 Thread Pete Templin

Ved Labs wrote:

Searching through the Forum for High CPU - 7206 with NPE-G1.

But did not find any conclusions.


Please clarify for us: where and how did you search?

pt



Re: [c-nsp] Throttles on an interface

2008-09-25 Thread Roy
Data below.  The machine has two fast E interfaces active (Fa0/0 and Fa
6/0) plus a few T1s.

Roy

Cisco Internetwork Operating System Software
IOS (tm) 7200 Software (C7200-IK9S-M), Version 12.2(15)T5,  RELEASE
SOFTWARE (fc1)
Image text-base: 0x60008954, data-base: 0x61DE

ROM: System Bootstrap, Version 12.1(2710:044039) [nlaw-121E_npeb
117], DEVELOPMENT SOFTWARE
BOOTLDR: 7200 Software (C7200-BOOT-M), Version 12.0(23)S1, EARLY
DEPLOYMENT RELEASE SOFTWARE (fc1)

mushroom uptime is 15 weeks, 4 days, 7 hours, 16 minutes
System returned to ROM by reload at 00:47:30 PDT Sun Jun 8 2008
System restarted at 00:49:23 PDT Sun Jun 8 2008
System image file is disk1:c7200-ik9s-mz.122-15.T5
Last reload reason: Reload Command

cisco 7206VXR (NPE400) processor (revision A) with 491520K/32768K bytes
of memory.
Processor board ID 16067072
R7000 CPU at 350Mhz, Implementation 39, Rev 3.2, 256KB L2, 4096KB L3 Cache
6 slot VXR midplane, Version 2.0

Last reset from power-on
Bridging software.
X.25 software, Version 3.0.0.
Primary Rate ISDN software, Version 1.1.
2 FastEthernet/IEEE 802.3 interface(s)
8 Serial network interface(s)
4 Channelized T1/PRI port(s)
125K bytes of non-volatile configuration memory.

16384K bytes of Flash PCMCIA card at slot 0 (Sector size 128K).
250880K bytes of ATA PCMCIA card at slot 1 (Sector size 512 bytes).
4096K bytes of Flash internal SIMM (Sector size 256K).
Configuration register is 0x2102

FastEthernet6/0 is up, line protocol is up
  Hardware is DEC21140, address is 0001.6388.00a8 (bia 0001.6388.00a8)
  Internet address is 1.1.1.1/30
  MTU 1500 bytes, BW 10 Kbit, DLY 100 usec,
 reliability 255/255, txload 15/255, rxload 68/255
  Encapsulation 802.1Q Virtual LAN, Vlan ID  1., loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 02:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of show interface counters 09:26:40
  Input queue: 0/150/171/15119 (size/max/drops/flushes); Total output
drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 2678 bits/sec, 4339 packets/sec
  5 minute output rate 6272000 bits/sec, 2042 packets/sec
 111824180 packets input, 2348806646 bytes
 Received 320815 broadcasts, 0 runts, 25 giants, 149 throttles
 40174 input errors, 0 CRC, 0 frame, 0 overrun, 40136 ignored
 0 watchdog
 0 input packets with dribble condition detected
 48129003 packets output, 2732343828 bytes, 0 underruns
 0 output errors, 0 collisions, 0 interface resets
 0 babbles, 0 late collision, 0 deferred
 0 lost carrier, 0 no carrier
 0 output buffer failures, 0 output buffers swapped out

Rodney Dunn wrote:
 Can you post the 'sh int' and 'sh ver'?

 I posted a response just yesterday or the day before
 about input drops can result in throttles.

 If it's microburst the 72xx may not can handle the
 rate.

 On Wed, Sep 24, 2008 at 06:46:06PM -0700, Roy wrote:
   
 I have a PA-FE on a 7206VXR.  show int gives

 Received 7798 broadcasts, 0 runts, 0 giants, 17 throttles
  393 input errors, 0 CRC, 0 frame, 0 overrun, 393 ignored

 The throttles seems to be related to the input errors.  I also see
 throttles with no input errors.  We have double checked (and replaced)
 the cable and the ports without success.  Is there some sort of buffer
 tuning that would affect this?

 Roy

 

   



Re: [c-nsp] Traffic on IPSec Tunnel btw Pix and Router

2008-09-25 Thread Gamino, Rogelio (OCTO-Contractor)
What happens if you remove the static route?

route outside 10.180.0.0 255.255.0.0 180.200.200.141

I don't think I've had to put static routes on the vpn device for routes
at the other end of the tunnel. The acl (L2L in this case) should take
care of that.


Rogelio Gamino
[EMAIL PROTECTED]
(o) 202-741-5853
(c) 202-716-9965

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Everton Diniz
Sent: Tuesday, July 15, 2008 9:19 AM
To: cisco-nsp
Subject: [c-nsp] Traffic on IPSec Tunnel btw Pix and Router

Hi all,

I configure a tunnel btw pix and router. The traffic goes to PIX but
do not have return. I see only encaps on the router and decaps on the
PIX.
Is missing anything?

Tks

Router Output and Config
TEHTCVPNRT01#sh cry ip sa

interface: GigabitEthernet0/1
Crypto map tag: ra-L2L-vpn, local addr 180.200.200.141

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.180.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.139.1.0/255.255.255.0/0/0)
   current_peer 200.150.180.62 port 500
 PERMIT, flags={origin_is_acl,}
#pkts encaps: 81, #pkts encrypt: 81, #pkts digest: 81
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 4, #recv errors 0

 local crypto endpt.: 180.200.200.141, remote crypto endpt.:
200.150.180.62  path mtu 1500, ip mtu 1500, ip mtu idb
GigabitEthernet0/1
 current outbound spi: 0xEA23924(245512484)

 inbound esp sas:
  spi: 0x2E3660C5(775315653)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 3004, flow_id: NETGX:4, crypto map: ra-L2L-vpn
sa timing: remaining key lifetime (k/sec): (4429641/3573)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

 inbound ah sas:

 inbound pcp sas:

 outbound esp sas:
  spi: 0xEA23924(245512484)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 3003, flow_id: NETGX:3, crypto map: ra-L2L-vpn
sa timing: remaining key lifetime (k/sec): (4429640/3573)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

 outbound ah sas:

 outbound pcp sas:



crypto isakmp policy 11
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key 6 L2L address 200.150.180.62 no-xauth
crypto isakmp aggressive-mode disable
crypto ipsec transform-set aessha-pixrtr esp-3des esp-md5-hmac

crypto map ra-L2L-vpn 2 ipsec-isakmp
  set peer 200.150.180.62
 set transform-set aessha-pixrtr
 match address 120
 reverse-route

interface GigabitEthernet0/1
 ip address 180.200.200.141 255.255.255.192
crypto map ra-L2L-vpn

access-list 120 permit ip 10.180.0.0 0.0.255.255 10.139.1.0 0.0.0.255



++



PIX output and Config:
local  ident (addr/mask/prot/port): (10.139.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.180.0.0/255.255.0.0/0/0)
   current_peer: 180.200.200.141:500
 PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 81, #pkts decrypt: 81, #pkts verify 81
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress
failed: 0
#send errors 0, #recv errors 0

 local crypto endpt.: 200.150.180.62 , remote crypto endpt.:
180.200.200.141
 path mtu 1500, ipsec overhead 56, media mtu 1500
 current outbound spi: 2e3660c5

 inbound esp sas:
  spi: 0xea23924(245512484)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 4, crypto map: L2L-ons
sa timing: remaining key lifetime (k/sec): (4607999/3478)
IV size: 8 bytes
replay detection support: Y


 inbound ah sas:


 inbound pcp sas:


 outbound esp sas:
  spi: 0x2e3660c5(775315653)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 3, crypto map: L2L-ons
sa timing: remaining key lifetime (k/sec): (4608000/3478)
IV size: 8 bytes
replay detection support: Y


 outbound ah sas:


 outbound pcp sas:


ip address outside 200.150.180.62 255.255.255.224
ip address inside 10.139.1.111 255.255.255.0
access-list L2L permit ip 10.139.1.0 255.255.255.0 10.180.0.0
255.255.0.0
access-list L2Lnonat permit ip 10.139.1.0 255.255.255.0 10.180.0.0
255.255.0.0
nat (inside) 0 access-list L2Lnonat
route outside 10.180.0.0 255.255.0.0 180.200.200.141  1
sysopt connection permit-ipsec
crypto ipsec transform-set aessha-pixrtr esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map L2L 1 ipsec-isakmp
crypto map L2L 1 match address L2L
crypto map L2L 1 set peer 180.200.200.141
crypto map L2L 1 
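
An added example, not part of the original posts: a Python cross-check of the two `show crypto ipsec sa` outputs and crypto ACLs quoted above, to show which direction of the tunnel fails and on which side. The function names and status labels are illustrative assumptions; the sample text is excerpted from the outputs in this thread.

```python
import ipaddress
import re

# Excerpts of the two "show crypto ipsec sa" outputs posted in the thread.
ROUTER_SA = """\
   local  ident (addr/mask/prot/port): (10.180.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.139.1.0/255.255.255.0/0/0)
#pkts encaps: 81, #pkts encrypt: 81, #pkts digest: 81
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
 inbound esp sas:
  spi: 0x2E3660C5(775315653)
 outbound esp sas:
  spi: 0xEA23924(245512484)
"""
PIX_SA = """\
local  ident (addr/mask/prot/port): (10.139.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.180.0.0/255.255.0.0/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 81, #pkts decrypt: 81, #pkts verify 81
 inbound esp sas:
  spi: 0xea23924(245512484)
 outbound esp sas:
  spi: 0x2e3660c5(775315653)
"""
# Crypto ACLs from the posted configs (IOS uses wildcard masks, PIX netmasks).
ROUTER_ACL = "access-list 120 permit ip 10.180.0.0 0.0.255.255 10.139.1.0 0.0.0.255"
PIX_ACL = "access-list L2L permit ip 10.139.1.0 255.255.255.0 10.180.0.0 255.255.0.0"


def parse_sa(text):
    """Extract proxy identities, packet counters and ESP SPIs from one SA dump."""
    sa = {}
    for side in ("local", "remote"):
        m = re.search(rf"{side}\s+ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/", text)
        sa[side] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
    for counter in ("encaps", "decaps"):
        sa[counter] = int(re.search(rf"#pkts {counter}: (\d+)", text).group(1))
    for direction in ("inbound", "outbound"):
        m = re.search(rf"{direction} esp sas:\s+spi: 0x([0-9a-fA-F]+)", text)
        sa[direction + "_spi"] = int(m.group(1), 16) if m else None
    return sa


def parse_acl(line, wildcard):
    """Return (source, destination) networks of a 'permit ip' crypto ACL entry."""
    src, smask, dst, dmask = line.split("permit ip", 1)[1].split()

    def net(addr, mask):
        if wildcard:  # an IOS wildcard mask is the bitwise inverse of the netmask
            mask = str(ipaddress.ip_address(int(ipaddress.ip_address(mask)) ^ 0xFFFFFFFF))
        return ipaddress.ip_network(f"{addr}/{mask}")

    return net(src, smask), net(dst, dmask)


def direction_status(tx, rx):
    """Classify one direction from the sender's encaps and the receiver's decaps."""
    if tx["encaps"] == 0:
        return "not-encrypted-at-sender"  # traffic never entered the tunnel
    if rx["decaps"] == 0:
        return "lost-or-dropped"          # ESP was sent but never decapsulated
    return "ok"


def diagnose(a, b):
    """Cross-check both peers' view of the same tunnel (a = router, b = PIX)."""
    return {
        "idents_mirrored": (a["local"], a["remote"]) == (b["remote"], b["local"]),
        "spis_paired": (a["outbound_spi"], a["inbound_spi"])
                       == (b["inbound_spi"], b["outbound_spi"]),
        "a_to_b": direction_status(a, b),
        "b_to_a": direction_status(b, a),
    }


def acls_mirrored(ios_line, pix_line):
    """True when the two crypto ACLs are exact mirror images of each other."""
    src_a, dst_a = parse_acl(ios_line, wildcard=True)
    src_b, dst_b = parse_acl(pix_line, wildcard=False)
    return (src_a, dst_a) == (dst_b, src_b)


if __name__ == "__main__":
    router, pix = parse_sa(ROUTER_SA), parse_sa(PIX_SA)
    for key, value in diagnose(router, pix).items():
        print(f"{key:16} {value}")
    print(f"{'acls_mirrored':16} {acls_mirrored(ROUTER_ACL, PIX_ACL)}")
```

With the posted data the SAs, proxy identities and ACLs all agree, and the only failing check is the PIX-to-router direction, where the PIX has encapsulated nothing.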

Re: [c-nsp] Debugging Cisco VPN Client Software ... Is it even possible ?

2008-09-25 Thread Kaj Niemi


On Sep 23, 2008, at 21:47, Justin Shore wrote:

> Wilkinson, Alex wrote:
>> Any hot tips with how to debug VPN clients not being able to connect
>> into a vpn concentrator (from the _client_ perspective) ?
>
> Yes.  Don't mix Vista with Cisco's VPN client.

Yeah, Vista is really all about SSL VPN Client although the 32 bit
ipsec vpn client does work most of the time. Say bye bye to free
licenses. ;-(

Kaj
--
Kaj J. Niemi
[EMAIL PROTECTED]
+358 45 63 12000




Re: [c-nsp] Traffic on IPSec Tunnel btw Pix and Router

2008-09-25 Thread Everton Diniz
Nothing happens; I put the static route in for testing.
I could not make it work. The PIX was changed for a router and I put in a
Tunnel interface, and it works OK.

Tks to all!!!

On Thu, Sep 25, 2008 at 12:44 PM, Gamino, Rogelio (OCTO-Contractor)
[EMAIL PROTECTED] wrote:
> What happens if you remove the static route?
>
> route outside 10.180.0.0 255.255.0.0 180.200.200.141
>
> I don't think I've had to put static routes on the vpn device for routes
> at the other end of the tunnel. The acl (L2L in this case) should take
> care of that.
>
>
> Rogelio Gamino
> [EMAIL PROTECTED]
> (o) 202-741-5853
> (c) 202-716-9965


[c-nsp] ASA doesn't like ipsec...

2008-09-25 Thread david raistrick


Guys,

Trying to turn up a vpn on a newly reinstalled (and out of support) pair 
of asa 5520s.


They're running in multiple context mode, and active/standby.

I've searched and searched to no avail, but man this seems familiar..

running 8.04.   in ASDM there is no VPN wizard to try. (only setup and 
HA).



Step 2 of vpnsetup site-to-site steps:

oma-i33-fw1/oma-prod(config)# crypto isakmp policy 10
 ^
ERROR: % Invalid input detected at '^' marker.
oma-i33-fw1/oma-prod(config)#


The only crypto options I have are:

oma-i33-fw1/oma-prod(config)# crypto ?

configure mode commands/options:
  ca   Certification authority
  key  Long term key operations
oma-i33-fw1/oma-prod(config)# crypto






wtf?   anyone?

Licensed features for this user context:
Failover : Active/Active
VPN-DES  : Enabled
VPN-3DES-AES : Enabled
GTP/GPRS : Disabled


And from the system side:

oma-i33-fw1# sh ver | inc VPN
VPN-DES  : Enabled
VPN-3DES-AES : Enabled
VPN Peers: 750
WebVPN Peers : 2
This platform has an ASA 5520 VPN Plus license.
oma-i33-fw1#






---
david raistrick        http://www.netmeister.org/news/learn2quote.html
[EMAIL PROTECTED] http://www.expita.com/nomime.html



Re: [c-nsp] ASA doesn't like ipsec...

2008-09-25 Thread Ge Moua
I believe IPSec on the ASA will only run in single/routed mode.  Try that.


Regards,
Ge Moua | Email: [EMAIL PROTECTED]

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services



Re: [c-nsp] Layer 2 security issue

2008-09-25 Thread Mario Spinthiras
Does traffic which has specific mac addys (in band mgmt traffic , vtp ,
etc..) have something to do with this?


Re: [c-nsp] ASA doesn't like ipsec...

2008-09-25 Thread jason . plank
I'm pretty sure that you are out of luck if you are using multiple contexts.

--
Regards,

Jason Plank
CCIE #16560
e: [EMAIL PROTECTED]



Re: [c-nsp] ASA doesn't like ipsec...

2008-09-25 Thread Scott McGrath

VPN is a single context feature



Re: [c-nsp] ASA doesn't like ipsec...

2008-09-25 Thread jason . plank
Unsupported Features

Multiple context mode does not support the following features:

• Dynamic routing protocols

  Security contexts support only static routes. You cannot enable OSPF or RIP in
  multiple context mode.

• VPN

• Multicast

http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/contexts.html

--
Regards,

Jason Plank
CCIE #16560
e: [EMAIL PROTECTED]


Re: [c-nsp] ASA doesn't like ipsec...

2008-09-25 Thread Ge Moua
Sounds like a good request for feature to Cisco.  I'm for it, I like to do
IPSec in multiple context so I can tie them to different VRF upstream; or
better yet support for VRF-Aware IPSec on the ASA in multiple context mode.



Regards,
Ge Moua | Email: [EMAIL PROTECTED]

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services
 


Re: [c-nsp] ASA doesn't like ipsec...

2008-09-25 Thread Justin M. Streiner

On Thu, 25 Sep 2008, david raistrick wrote:

> Trying to turn up a vpn on a newly reinstalled (and out of support) pair of
> asa 5520s.
>
> They're running in multiple context mode, and active/standby.

The box won't let you do VPNs in multiple context mode.

jms


Re: [c-nsp] High CPU - 7206 with NPE-G1

2008-09-25 Thread Michael Balasko
Typing 7200 high cpu troubleshooting into google seems to work. May want
to try that road for a bit. 

Michael Balasko
CCSP,MCSE,MCNE,SCP
Network Specialist II


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ved Labs
Sent: Thursday, September 25, 2008 7:31 AM
To: Pete Templin
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] High CPU - 7206 with NPE-G1

Searched in this forum for previous history.

https://puck.nether.net/pipermail/cisco-nsp/2008-September/053942.html

http://puck.nether.net/pipermail/cisco-nsp/2004-April/009763.html

and other links also.
But didn't get concrete conclusions on what brought the CPU down


Re: [c-nsp] ASA doesn't like ipsec...

2008-09-25 Thread Justin C Darby
As far as I can remember you can't use VPN or do IPSEC in multiple context
mode and you have many, many restrictions in transparent mode (e.g. admin
VPN only). Silly, isn't it? :)

(I know you can't do VPN but I think this also applies to IPSEC. Someone
can feel free to correct me if I'm wrong.)

Justin



Re: [c-nsp] ASA doesn't like ipsec...

2008-09-25 Thread david raistrick



thanks everyone.   scratch that multi context mode to save some money. ;)



On Thu, 25 Sep 2008, Justin M. Streiner wrote:

> On Thu, 25 Sep 2008, david raistrick wrote:
>
>> Trying to turn up a vpn on a newly reinstalled (and out of support) pair of
>> asa 5520s.
>>
>> They're running in multiple context mode, and active/standby.
>
> The box won't let you do VPNs in multiple context mode.
>
> jms

---
david raistrick        http://www.netmeister.org/news/learn2quote.html
[EMAIL PROTECTED] http://www.expita.com/nomime.html



Re: [c-nsp] ELAM capture on SRB

2008-09-25 Thread Rodney Dunn
Tim,

Sorry for the delay..

See if this helps:

3#sh ip int br
Interface  IP-Address  OK? Method StatusProtocol
GigabitEthernet2/10192.168.10.1YES manual upup  
  
R3#sh ver
Cisco IOS Software, c7600s3223_rp Software (c7600s3223_rp-ADVIPSERVICES-M), 
Version 12.2(33)SRC1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Fri 23-May-08 01:37 by prod_rel_team

ROM: System Bootstrap, Version 12.2(17r)SX3, RELEASE SOFTWARE (fc1)

 R3 uptime is 1 week, 6 days, 5 hours, 55 minutes
Uptime for this control processor is 1 week, 6 days, 5 hours, 56 minutes
System returned to ROM by power-on (SP by power-on)
System image file is bootdisk:c7600s3223-advipservices-mz.122-33.SRC1
Last reload type: Normal Reload

cisco CISCO7606 (R7000) processor (revision 1.0) with 458752K/65536K bytes of 
memory.
Processor board ID FOX1221GAQF
R7000 CPU at 300Mhz, Implementation 0x27, Rev 3.3, 256KB L2, 1024KB L3 Cache
Last reset from power-on
1 Virtual Ethernet interface
33 Gigabit Ethernet interfaces
2 Ten Gigabit Ethernet interfaces
1915K bytes of non-volatile configuration memory.
  
  
R3#sh ip arp
Protocol  Address  Age (min)  Hardware Addr   Type   Interface
Internet  192.168.10.1-   001b.0def.7240  ARPA   GigabitEthernet2/10
Internet  192.168.10.2  175   001e.be8a.f880  ARPA   GigabitEthernet2/10
Internet  192.168.10.9   11   001b.0def.7280  ARPA   GigabitEthernet2/3
Internet  192.168.10.10   -   001b.0def.7240  ARPA   GigabitEthernet2/3
R3#ping 192.168.10.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.2, timeout is 2 seconds:
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R3#config t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#serv int
R3(config)#end
R3#sh mod
*Sep 25 18:10:37.377: %SYS-5-CONFIG_I: Configured from console by console
R3#sh mod | incl Act
  53  Supervisor Engine 32 10GE (Active) WS-SUP32-10GE-3B   SAL1051BEKF
R3#show plat capture elam asic super slot 5
R3#$ elam trigger dbus ipv4 if IP_SA=192.168.10.1 IP_DA=192.168.10.2 
R3#show plat capture elam status
active ELAM info:
Slot Cpu   Asic   Inst Ver PB Elam
 ---   --- -- 
50   SUPERMAN 01.3Y
DBUS trigger: FORMAT=IP L3_PROTOCOL=IPV4 IP_SA=192.168.10.1 IP_DA=192.168.10.2
R3#show plat cap elam start
R3#show plat capture elam status
active ELAM info:
Slot Cpu   Asic   Inst Ver PB Elam
 ---   --- -- 
50   SUPERMAN 01.3Y
DBUS trigger: FORMAT=IP L3_PROTOCOL=IPV4 IP_SA=192.168.10.1 IP_DA=192.168.10.2
elam capture in progress
R3#!send a ping
R3#ping 192.168.10.2 rep 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 192.168.10.2, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 1/1/1 ms
R3#show plat capture elam status
active ELAM info:
Slot Cpu   Asic   Inst Ver PB Elam
 ---   --- -- 
50   SUPERMAN 01.3Y
DBUS trigger: FORMAT=IP L3_PROTOCOL=IPV4 IP_SA=192.168.10.1 IP_DA=192.168.10.2
elam capture completed
R3#!elam completed
R3#show plat cap elam data
DBUS data:
SEQ_NUM  [5] = 0x3
QOS  [3] = 0
QOS_TYPE [1] = 0
TYPE [4] = 0 [ETHERNET]
STATUS_BPDU  [1] = 0
IPO  [1] = 1
NO_ESTBLS[1] = 0
RBH  [3] = b000
CR   [1] = 0
TRUSTED  [1] = 0
NOTIFY_IL[1] = 0
NOTIFY_NL[1] = 0
DISABLE_NL   [1] = 0
DISABLE_IL   [1] = 0
DONT_FWD [1] = 0
INDEX_DIRECT [1] = 0
DONT_LEARN   [1] = 0
COND_LEARN   [1] = 0
BUNDLE_BYPASS[1] = 0
QOS_TIC  [1] = 0
INBAND   [1] = 0
IGNORE_QOSO  [1] = 0
IGNORE_QOSI  [1] = 1
IGNORE_ACLO  [1] = 0
IGNORE_ACLI  [1] = 1
PORT_QOS [1] = 0
CACHE_CNTRL  [2] = 0 [NORMAL]
VLAN [12] = 1030
SRC_FLOOD[1] = 0
SRC_INDEX[19] = 0x380
LEN  [16] = 118
FORMAT   [2] = 0 [IP]
MPLS_EXP [3] = 0x0
REC  [1] = 0
NO_STATS [1] = 0
VPN_INDEX[10] = 0x0
PACKET_TYPE  [3] = 0 [ETHERNET]
L3_PROTOCOL  [4] = 0 [IPV4]
L3_PT[8] = 1 [ICMP]

Re: [c-nsp] 10/100/1000 speeds in GE SFP ports

2008-09-25 Thread Asbjorn Hojmark - Lists
> http://www.cisco.com/en/US/docs/interfaces_modules/transceiver_modules/compatibility/matrix/OL_6981.html
>
> Is this accurate? Can someone find errors?

One funny thing is that the 6500 release note now (SXH) says:
"48-port Gigabit or 10/100/1000 Mbps Ethernet SFP" about the
6748-SFP, where the previous (SXF) phrase was: "48-port Gigabit
Ethernet SFP".

I haven't had a chance to test if anything's actually changed,
though.

(Yes, I've also heard the 'It's a hardware limitation. Forget
it' story).

-A



Re: [c-nsp] 10/100/1000 speeds in GE SFP ports

2008-09-25 Thread Saku Ytti
On (2008-09-25 22:56 +0200), Asbjorn Hojmark - Lists wrote:

> One funny thing is that the 6500 release note now (SXH) says:
> "48-port Gigabit or 10/100/1000 Mbps Ethernet SFP" about the
> 6748-SFP, where the previous (SXF) phrase was: "48-port Gigabit
> Ethernet SFP".
>
> I haven't had a chance to test if anything's actually changed,
> though.
>
> (Yes, I've also heard the 'It's a hardware limitation. Forget
> it' story).

Someone commented on the list about his 6724 or 6748 being
able to display DOM info, while lot of us had been told
hardware is unable to read the upper half where the data lives.
 But he had newer hardware revision than any of mine, so
it's entirely possible that there has been hardware upgrade,
but I couldn't find anything in PCN about that change.

If there had been, perhaps they added multirate too? Sounds
too good to be true though. Looking forward for someone
to report back with SXI :)

-- 
  ++ytti


Re: [c-nsp] Debugging Cisco VPN Client Software ... Is it even possible ?

2008-09-25 Thread Mario Spinthiras
I've found that Vista in the past has given me issues. What you can try doing
is disabling unnecessary protocols on the relevant adapters while keeping
the specific one required by the virtual VPN adapter that it creates. To be
honest I found a viable solution by rebooting into Ubuntu, deleting my
Vista partition and expanding my ext3 to take the whole drive. That way I
deleted all my problems in one go.

The logfile is kind of off on troubleshooting issues, as is VPN entirely
unless you're familiar with its debugging and phases. Maybe my solution will
work for you.

Warm Regards,
Mario A. Spinthiras
http://www.blupenguin.com


Re: [c-nsp] Debugging Cisco VPN Client Software ... Is it even possible ?

2008-09-25 Thread Justin Shore

Mario Spinthiras wrote:
> I've found that Vista in the past has given me issues. What you can try
> doing is disabling unnecessary protocols on the relevant adapters while
> keeping the specific one required by the virtual VPN adapter that it

I never tried that.  I haven't had to troubleshoot a non-Vista client
VPN issue since Vista shipped.  The best solution I've found is to
uninstall, reboot and reinstall the latest BETA.  The solution is a joke
but surprisingly it usually works.

> creates. To be honest I found a viable solution by rebooting into Ubuntu,
> deleting my Vista partition and expanding my ext3 to take the whole
> drive. That way I deleted all my problems in one go.

There's a solution that I can sink my teeth into.

> The logfile is kind of off on troubleshooting issues, as is VPN
> entirely unless you're familiar with its debugging and phases. Maybe my
> solution will work for you.

I've had to delve into it before, digging into the nitty gritty of
IPSec.  It's doable but VPN isn't my strong point.  It is doable though.
I prefer your second solution.



Justin


[c-nsp] SNMP Monitoring VPN Traffic

2008-09-25 Thread Aaron Riemer
Hey guys,

 

I am taking a bit of a leap here. But I would like to know if it's
possible to actually monitor or graph bandwidth that each of our VPN
tunnels are utilising terminating at our ASA firewall. We have
implemented Cacti and weathermap monitoring. It would be great if we
could actually see bandwidth statistics with each of these tunnels.
Would there be some SNMP OID that I could graph for this?

 

Thanks again guys,

 

Aaron.

