Re: [c-nsp] 7606 to 6509 [BGP hold time issue]
FYI to all involved. This has been resolved. Moved physical cabling to a new port on our ASR and like magic. Sorted. From: Shanawaz Batcha [mailto:ismath.sh...@gmail.com] Sent: 08 May 2012 13:15 To: Scantlebury, Kieron Cc: cisco-nsp@puck.nether.net Subject: Re: [c-nsp] 7606 to 6509 [BGP hold time issue] Now that you are confident you have tried a lower MTU setting satisfactorily, just revisiting a couple of points mentioned by others (at the cost of sounding repetitive but always good to check) 1. Is BGP MSS or PMTUD explicitly set on either side? have you tried disabling them 2. Is BGP max prefix set on the other side ? On Tue, May 8, 2012 at 7:59 PM, Scantlebury, Kieron kieron.scantleb...@level3.commailto:kieron.scantleb...@level3.com wrote: MTU's been checked and confirmed on numerous occasions with the customer. Their control plane has no policing. FYI. He has numerous other connections to the same device all receiving a full routing table and they all work fine. Its just our connection that's having the issue. Its driving me round the bend :) Cheers Kieron -Original Message- From: cisco-nsp-boun...@puck.nether.netmailto:cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.netmailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Shanawaz Batcha Sent: 04 May 2012 23:14 To: cisco-nsp@puck.nether.netmailto:cisco-nsp@puck.nether.net Subject: [c-nsp] 7606 to 6509 [BGP hold time issue] During the 3 minutes of the session holding up, do you see any packets in the OutQ (show ip bgp summ) NeighborV AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd 172.16.2.1 4 64900 1754971 1714093 140654700 7w2d8 As has been fairly pointed out, it looks like your 'fat' update packets are likely dropped by either an MTU mismatch or a CoPP filter on the other side. Its hard to know either way without further debugging (debug ip bgp update) run during your off-hours Shaan ___ cisco-nsp mailing list cisco-nsp@puck.nether.netmailto:cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ -- Twenty years from now you will be more disappointed by the things that you didn't do than by the ones you did do. So throw off the bowlines. Sail away from the safe harbor. Catch the trade winds in your sails. Explore. Dream. Discover. ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
[c-nsp] Possible to trunk over Serial or DSL?
Hi all. I'm trying to find a possible way to run dot1q tags over serial and/or dsl interfaces. I could trunk over E1's on my old Riverstone kit without a problem, but I can't find a way to do it with a Cisco box. Is this possible? Thanks Darren O'Connor _ This e-mail and all attachments have been scanned by the hSo virus scanning service and no known viruses were detected. ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Possible to trunk over Serial or DSL?
Hi, On Wed, May 09, 2012 at 12:28:59PM +0100, Darren O'Connor wrote: I'm trying to find a possible way to run dot1q tags over serial and/or dsl interfaces. I could trunk over E1's on my old Riverstone kit without a problem, but I can't find a way to do it with a Cisco box. Is this possible? Cisco can do *bridging* over E1, which might or might not do dot1q if tagged packets are coming in via the to-be-bridged LAN interface. Might be worth a try :-) If you want to do routing via those E1s, and have separate virtual routers (what is dot1q to switches), take a look at either FrameRelay encapsulation on the E1, or MPLS with VRF/Layer3 VPNs. Or MPLS with Layer2 VPNs. It's a bit unclear what you are trying to achieve... gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany g...@greenie.muc.de fax: +49-89-35655025g...@net.informatik.tu-muenchen.de pgpnkgTBnbexj.pgp Description: PGP signature ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Possible to trunk over Serial or DSL?
Hi Gert. Thanks. Basically what I'm trying to do is run subinterfaces, with each of those subinterfaces in a separate vrf. So while I can have fa0/1.10 and fa0/1.20 in different vrfs on the same box, I would like to be able to do the same over Serial and/or ADSL. I have been able to do this with an old Riverstone so technically it should be possible. Thanks -Original Message- From: Gert Doering [mailto:g...@greenie.muc.de] Sent: 09 May 2012 12:47 To: Darren O'Connor Cc: cisco-nsp@puck.nether.net Subject: Re: [c-nsp] Possible to trunk over Serial or DSL? Hi, On Wed, May 09, 2012 at 12:28:59PM +0100, Darren O'Connor wrote: I'm trying to find a possible way to run dot1q tags over serial and/or dsl interfaces. I could trunk over E1's on my old Riverstone kit without a problem, but I can't find a way to do it with a Cisco box. Is this possible? Cisco can do *bridging* over E1, which might or might not do dot1q if tagged packets are coming in via the to-be-bridged LAN interface. Might be worth a try :-) If you want to do routing via those E1s, and have separate virtual routers (what is dot1q to switches), take a look at either FrameRelay encapsulation on the E1, or MPLS with VRF/Layer3 VPNs. Or MPLS with Layer2 VPNs. It's a bit unclear what you are trying to achieve... gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany g...@greenie.muc.de fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de _ This e-mail and all attachments have been scanned by the hSo virus scanning service and no known viruses were detected. ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Possible to trunk over Serial or DSL?
Hi Darren, you wrote: I'm trying to find a possible way to run dot1q tags over serial and/or dsl interfaces. I could trunk over E1's on my old Riverstone ADSL doesn't know about VLANs, because it's based on ATM. But you could use different VPI/VCI-Pairs to seperate the traffic. Some snippet for this: interface ATM0 no ip address ! interface ATM0.1 point-to-point pvc 1/32 pppoe-client dial-pool-number 1 dial-on-demand pvc 2/32 pppoe-client dial-pool-number 2 dial-on-demand But in VDSL you can use VLAN subinterfaces like FastEthernet0/0.10 because it's based on Ethernet. Both things have to be configured also in the DSLAM on the other end of the DSL line and are terminated there. You cannot tunnel VLANs this way to another DSL line. -- Regards Thomas ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Possible to trunk over Serial or DSL?
Hi, On Wed, May 09, 2012 at 01:15:46PM +0100, Darren O'Connor wrote: Basically what I'm trying to do is run subinterfaces, with each of those subinterfaces in a separate vrf. So while I can have fa0/1.10 and fa0/1.20 in different vrfs on the same box, I would like to be able to do the same over Serial and/or ADSL. On an E1, you can use frame relay encapsulation, and map different DLCIs to subinterfaces (I do not have a configuration ready to share, but cisco docs should have plenty of examples). On ADSL, this is harder, as you do not really have a transparent HDLC stream between both ends - it might work running multiple PPPoE sessions, but that's not properly supported on Cisco CPEs, and would be ugly anyway (and whether it can work at all depends on how this specific ADSL circuit is implemented end-to-end). MPLS-over-PPP might be an option here. I have been able to do this with an old Riverstone so technically it should be possible. It is, you just need to tag the frames in a way to make the other end recogize them - and that's basically what a frame relay DLCI does. (Of course Riverstone could use whatever they like, as an E1 is really quite transparent here regarding frame contents and interpretation...) gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany g...@greenie.muc.de fax: +49-89-35655025g...@net.informatik.tu-muenchen.de pgpxvATmsVNAR.pgp Description: PGP signature ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
[c-nsp] VFI LDP transport signaled down (ME3600x)
Hi all, My topology as follows: PE1--P1--P2--P3--P4--P5--PE2 PE1 lo0 - 200.28.0.15 (15.2(2)S) loader 12.2(52r)EY1 PE2 lo0 - 200.28.0.120 (15.2(2)S) loader 12.2(52r)EY2 Are there specific nuances for an LDP signaled transport for EoMPLS and VPLS in the Whales platform? An xconnect from PE1 to PE2 is signaled successfully however a VPLS instance based on BGP autodiscovery (manual VPLS works) is unable to bring up the LDP l2transport signal although the VFI is signaled up. EoMPLS es-103-glsfb#sh xconnect peer 200.28.0.120 vc 5070 Legend:XC ST=Xconnect State S1=Segment1 State S2=Segment2 State UP=Up DN=DownAD=Admin Down IA=Inactive SB=Standby HS=Hot Standby RV=Recovering NH=No Hardware XC ST Segment 1 S1 Segment 2 S2 --+-+--+-+-- UP pri ac Gi0/19:1(Ethernet) UP mpls 200.28.0.120:5070UP es-103-glsfb#sh mpls l2transport vc 5070 detail Local interface: Gi0/19 up, line protocol up, Ethernet:1 up Destination address: 200.28.0.120, VC ID: 5070, VC status: up Output interface: Te0/2, imposed label stack {298 16} Preferred path: not configured Default path: active Next hop: 200.28.2.242 Create time: 02:10:43, last status change time: 02:08:57 Signaling protocol: LDP, peer 200.28.0.120:0 up Targeted Hello: 200.28.0.15(LDP Id) - 200.28.0.120, LDP is UP Status TLV support (local/remote) : enabled/supported LDP route watch : disabled Label/status state machine: established, LruRru Last local dataplane status rcvd: No fault Last BFD dataplane status rcvd: Not sent Last BFD peer monitor status rcvd: No fault Last local AC circuit status rcvd: No fault Last local AC circuit status sent: No fault Last local LDP TLV status sent: No fault Last remote LDP TLVstatus rcvd: No fault Last remote LDP ADJstatus rcvd: No fault MPLS VC labels: local 17, remote 16 Group ID: local 0, remote 0 MTU: local 9178, remote 9178 Remote interface description: Sequencing: receive disabled, send disabled Control Word: On (configured: autosense) Dataplane: SSM segment/switch IDs: 45083/8194 (used), PWID: 2 VC statistics: transit packet totals: receive 24, send 21 transit byte totals: receive 2064, send 1344 transit packet drops: receive 0, seq error 0, send 0 VPLS es-103-glsfb#sh vfi Legend: RT=Route-target, S=Split-horizon, Y=Yes, N=No VFI name: ME002555, state: up, type: multipoint signaling: LDP VPN ID: 116, VPLS-ID: 9930:116 RD: 9930:116, RT: 9930:116 Bridge-Domain 116 attachment circuits: Vlan116 Neighbors connected via pseudowires: Peer Address VC IDDiscovered Router IDS 200.28.9.146 116 200.28.0.120Y es-103-glsfb#sh mpls l2transport vc 116 detail Local interface: VFI ME002555 vfi up Interworking type is Ethernet Destination address: 200.28.0.120, VC ID: 116, VC status: down Last error: Local access circuit is not ready for label advertise Next hop PE address: 200.28.9.146 Output interface: none, imposed label stack {} Preferred path: not configured Default path: no route No adjacency Create time: 02:07:55, last status change time: 02:07:55 Signaling protocol: LDP, peer unknown Targeted Hello: 200.28.0.15(LDP Id) - 200.28.9.146, LDP is DOWN, no binding Status TLV support (local/remote) : enabled/None (no remote binding) LDP route watch : disabled Label/status state machine: local standby, AC-ready, LnuRnd Last local dataplane status rcvd: No fault Last BFD dataplane status rcvd: Not sent Last BFD peer monitor status rcvd: No fault Last local AC circuit status rcvd: No fault Last local AC circuit status sent: Not sent Last local LDP TLV status sent: None Last remote LDP TLVstatus rcvd: None (no remote binding) Last remote LDP ADJstatus rcvd: None (no remote binding) MPLS VC labels: local 23, remote unassigned AGI: type 1, len 8, 000A 26CA 0074 Local AII: type 1, len 4, DF1C 000F (200.28.0.15) Remote AII: type 1, len 4, DF1C 0078 (200.28.0.120) Group ID: local n/a, remote unknown MTU: local 9178, remote unknown Remote interface description: Sequencing: receive disabled, send disabled Control Word: On (configured: autosense) Dataplane: SSM segment/switch IDs: 0/0 (used), PWID: 14 VC statistics: transit packet totals: receive 0, send 0 transit byte totals: receive 0, send 0 transit packet drops: receive 0, seq error 0, send 0 I'm getting the account team into the loop but if anyone has encountered this scenario before and managed to find the answer, that would be most helpful.
[c-nsp] Tuning HSRP timers for BGP routers
We have a pair of Cisco 7204VXR with NPE-G2 running 15.1(4)M3. We are using default timers for the HSRP interfaces, and we are seeing nightly HSRP state changes. Not a lot, but 1-2 a night. This appears to only have started recently. We are looking at logs, but I assume it's due to BGP cpu exhaustion. We don't see any L2 errors on the VLAN where the HSRP is running, so I don't think it's a physical problem. What timers do people use for HSRP on BGP routers as a practice? Obviously we want the smallest timers that would be possible. Matthew Huff | 1 Manhattanville Rd Director of Operations | Purchase, NY 10577 OTA Management LLC | Phone: 914-460-4039 aim: matthewbhuff| Fax: 914-460-4139 smime.p7s Description: S/MIME cryptographic signature ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Timeout value on ASA
Hi David, Can you elaborate a little more about the xlate timeout, it's something I never understood very well. For example, taking this output as an example: ASA# sh xlate 2 in use, 229 most used Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice UDP PAT from IN:xxx.xxx.xxx.xxx/54337 to OUT:xxx.xxx.xxx.xxx/6630 flags ri idle 0:00:01 timeout 0:00:30 TCP PAT from IN:xxx.xxx.xxx.xxx/1028 to OUT:xxx.xxx.xxx.xxx/5281 flags ri idle 0:00:13 timeout 0:00:30 Why do we see 30 seconds as the timeout ? By default it's 3 hours: ASA# sh runn timeout timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 ASA# timeout xlate: Configure idle time after which a dynamic address will be returned to the free pool, default is 3:00:00 The output above was taken from an ASA. For example, this FWSM reflects the timeout correctly as configured globally (25 minutes): FWSM# sh xlate debug Flags: D - DNS, d - dump, I - identity, i - inside, n - no random, o - outside, r - portmap, s - static 45 in use, 281 most used NAT from IN:172.23.254.149 to OUT:xxx.xxx.xxx.xxx flags i idle 0:06:35 timeout 0:25:00 connections 1 NAT from IN:172.23.254.155 to OUT:xxx.xxx.xxx.xxx flags i idle 0:00:54 timeout 0:25:00 connections 0 NAT from IN:172.23.254.167 to OUT:xxx.xxx.xxx.xxx flags i idle 0:00:14 timeout 0:25:00 connections 6 This debug option is not available on the ASA. Thanks. Regards, Antonio Soares, CCIE #18473 (RS/SP) amsoa...@netcabo.pt http://www.ccie18473.net -Original Message- From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of David White, Jr. (dwhitejr) Sent: terça-feira, 8 de Maio de 2012 23:20 To: Peter Rathlev; Judith Sanders Cc: 'cisco-nsp@puck.nether.net' Subject: Re: [c-nsp] Timeout value on ASA An alternative is to use Dead Connection Detection (DCD) on the ASA to validate if both endpoints on the idle connection are still alive, and if so reset the idle timeout, else tear it down. http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/conns _connlimits.html#wp1080752 Additionally, one point for Peter. Increasing the idle conn timeout does not require you to increase the xlate timeout. The xlate timeout only takes effect once all conns associated to that xlate no longer exist. Sincerely, David. Peter Rathlev wrote: Hi Judith, On Tue, 2012-05-08 at 19:16 +, Judith Sanders wrote: I have a Cisco ASA5520-I have an established VPN with a third party vendor. We are running applications over this tunnel and experiencing timeouts. The tunnel never drops, just the application. I know that there are default timeouts set on the ASA for certain protocols, but if the tunnel is established, would it not be an application issue and not a firewall/VPN timeout issue? The ASA defaults for TCP timeouts (1 hour IIRC) are not compliant with RFC 5782 NAT Behavioral Requirements for TCP, a BCP. It specifies that the timeout MUST NOT be less than 2 hours 4 minutes. Use timeout conn 2:04:00 on the ASA to adjust. You might also want to consider adjusting the timeout xlate upwards at the same time. Informational level debugging can tell you if and why the ASA have torn down a session; the ASA-6-302014 messsage (Teardown TCP ...) states the specific reason. Look for Conn-timeout, meaning that the TCP connection has been idle for too long and is therefore closed. Even with a 2:04:00 timeout you still need to convince the application developers to actually use TCP Keep-Alives. We have been forced to apply a 24 hour timeout for certain connections because the developers couldn't/wouldn't use Keep-Alives. A policy-map can select just the right connections, so you avoid a long timeout for every connection through the ASA. ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Tuning HSRP timers for BGP routers
We use timers 2 and 6 on multiple sets of 6500s with a relatively large number of VLANs. The 6500 has a much less powerful CPU and seems to handle it ok. However, the 7200 is a software device so through traffic can have a major effect on CPU. It may be you have large high BW bursts during backups or something similar. You should probably do some correlation analysis before blaming the BGP. If you are getting that kind of BGP event on a nightly basis you should probably talk to your provider. LR Mack McBride Network Architect -Original Message- From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Matthew Huff Sent: Wednesday, May 09, 2012 7:46 AM To: 'cisco-nsp@puck.nether.net' Subject: [c-nsp] Tuning HSRP timers for BGP routers We have a pair of Cisco 7204VXR with NPE-G2 running 15.1(4)M3. We are using default timers for the HSRP interfaces, and we are seeing nightly HSRP state changes. Not a lot, but 1-2 a night. This appears to only have started recently. We are looking at logs, but I assume it's due to BGP cpu exhaustion. We don't see any L2 errors on the VLAN where the HSRP is running, so I don't think it's a physical problem. What timers do people use for HSRP on BGP routers as a practice? Obviously we want the smallest timers that would be possible. Matthew Huff | 1 Manhattanville Rd Director of Operations | Purchase, NY 10577 OTA Management LLC | Phone: 914-460-4039 aim: matthewbhuff| Fax: 914-460-4139 ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Tuning HSRP timers for BGP routers
Are you able to determine what process is active at the peek? Mack -Original Message- From: Matthew Huff [mailto:mh...@ox.com] Sent: Wednesday, May 09, 2012 12:49 PM To: Mack McBride; 'cisco-nsp@puck.nether.net' Subject: RE: Tuning HSRP timers for BGP routers Average less than 10%, peek at 40% Matthew Huff | 1 Manhattanville Rd Director of Operations | Purchase, NY 10577 OTA Management LLC | Phone: 914-460-4039 aim: matthewbhuff | Fax: 914-460-4139 -Original Message- From: Mack McBride [mailto:mack.mcbr...@viawest.com] Sent: Wednesday, May 09, 2012 2:24 PM To: Matthew Huff; 'cisco-nsp@puck.nether.net' Subject: RE: Tuning HSRP timers for BGP routers What is your base CPU utilization? Mack -Original Message- From: Matthew Huff [mailto:mh...@ox.com] Sent: Wednesday, May 09, 2012 12:22 PM To: Mack McBride; 'cisco-nsp@puck.nether.net' Subject: RE: Tuning HSRP timers for BGP routers That's the thing, we aren't getting any BGP events, just HSRP ones. The netflow analysis don't show a high bandwidth utilization, that's why I was looking at the BGP re-calc causing the HSRP hellos to drop. Matthew Huff | 1 Manhattanville Rd Director of Operations | Purchase, NY 10577 OTA Management LLC | Phone: 914-460-4039 aim: matthewbhuff | Fax: 914-460-4139 -Original Message- From: Mack McBride [mailto:mack.mcbr...@viawest.com] Sent: Wednesday, May 09, 2012 1:39 PM To: Matthew Huff; 'cisco-nsp@puck.nether.net' Subject: RE: Tuning HSRP timers for BGP routers We use timers 2 and 6 on multiple sets of 6500s with a relatively large number of VLANs. The 6500 has a much less powerful CPU and seems to handle it ok. However, the 7200 is a software device so through traffic can have a major effect on CPU. It may be you have large high BW bursts during backups or something similar. You should probably do some correlation analysis before blaming the BGP. If you are getting that kind of BGP event on a nightly basis you should probably talk to your provider. LR Mack McBride Network Architect -Original Message- From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp- boun...@puck.nether.net] On Behalf Of Matthew Huff Sent: Wednesday, May 09, 2012 7:46 AM To: 'cisco-nsp@puck.nether.net' Subject: [c-nsp] Tuning HSRP timers for BGP routers We have a pair of Cisco 7204VXR with NPE-G2 running 15.1(4)M3. We are using default timers for the HSRP interfaces, and we are seeing nightly HSRP state changes. Not a lot, but 1-2 a night. This appears to only have started recently. We are looking at logs, but I assume it's due to BGP cpu exhaustion. We don't see any L2 errors on the VLAN where the HSRP is running, so I don't think it's a physical problem. What timers do people use for HSRP on BGP routers as a practice? Obviously we want the smallest timers that would be possible. Matthew Huff | 1 Manhattanville Rd Director of Operations | Purchase, NY 10577 OTA Management LLC | Phone: 914-460-4039 aim: matthewbhuff| Fax: 914-460-4139 ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Tuning HSRP timers for BGP routers
That's the thing, we aren't getting any BGP events, just HSRP ones. The netflow analysis don't show a high bandwidth utilization, that's why I was looking at the BGP re-calc causing the HSRP hellos to drop. Matthew Huff | 1 Manhattanville Rd Director of Operations | Purchase, NY 10577 OTA Management LLC | Phone: 914-460-4039 aim: matthewbhuff | Fax: 914-460-4139 -Original Message- From: Mack McBride [mailto:mack.mcbr...@viawest.com] Sent: Wednesday, May 09, 2012 1:39 PM To: Matthew Huff; 'cisco-nsp@puck.nether.net' Subject: RE: Tuning HSRP timers for BGP routers We use timers 2 and 6 on multiple sets of 6500s with a relatively large number of VLANs. The 6500 has a much less powerful CPU and seems to handle it ok. However, the 7200 is a software device so through traffic can have a major effect on CPU. It may be you have large high BW bursts during backups or something similar. You should probably do some correlation analysis before blaming the BGP. If you are getting that kind of BGP event on a nightly basis you should probably talk to your provider. LR Mack McBride Network Architect -Original Message- From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp- boun...@puck.nether.net] On Behalf Of Matthew Huff Sent: Wednesday, May 09, 2012 7:46 AM To: 'cisco-nsp@puck.nether.net' Subject: [c-nsp] Tuning HSRP timers for BGP routers We have a pair of Cisco 7204VXR with NPE-G2 running 15.1(4)M3. We are using default timers for the HSRP interfaces, and we are seeing nightly HSRP state changes. Not a lot, but 1-2 a night. This appears to only have started recently. We are looking at logs, but I assume it's due to BGP cpu exhaustion. We don't see any L2 errors on the VLAN where the HSRP is running, so I don't think it's a physical problem. What timers do people use for HSRP on BGP routers as a practice? Obviously we want the smallest timers that would be possible. Matthew Huff | 1 Manhattanville Rd Director of Operations | Purchase, NY 10577 OTA Management LLC | Phone: 914-460-4039 aim: matthewbhuff| Fax: 914-460-4139 smime.p7s Description: S/MIME cryptographic signature ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Cisco Crashinfo file
On 2012-05-01 09:24, bha Qaqish wrote: Dear Am having router with crashinfo file . I opened the file and its big. How can I analyze the file , and is there any software for it Open a case with Cisco TAC. They have tools to assist in pointing to the root cause of the crash. -- There's no sense in being precise when | Łukasz Bromirski you don't know what you're talking | jid:lbromir...@jabber.org about. John von Neumann |http://lukasz.bromirski.net ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Possible to trunk over Serial or DSL?
On Wed, May 9, 2012 at 7:28 AM, Darren O'Connor Darren.O'con...@hso.uk.comwrote: Hi all. I'm trying to find a possible way to run dot1q tags over serial and/or dsl interfaces. I could trunk over E1's on my old Riverstone kit without a problem, but I can't find a way to do it with a Cisco box. L2TPV3 perhaps. ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] ASR1004 slot/backplane/capacity question
1) the latest data I have indicates the ASR1004 only supports the ESP20 however that could have changed with software tweaks. 2) Yes everything always goes to the ESP through the backplane there is no local switching. 3) In theory you could over subscribe a SIP10 4:1 (actually a little less oversubscription since the channel is more like 11.5G). I have not actually tried this in practice. I have verified that it allows more than one 10G SPA in a SIP. 4) The backplane connection which lives on the ESP10 is actually 11.5G. Above that level you are going to drop traffic and communications are going to be impaired. I would assume the other ESPs have similar headroom. In theory the ESP is going to rate limit incoming/outgoing traffic (uses the highest) to 10G and I am pretty sure it does it in practice. LR Mack McBride Network Architect -Original Message- From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of David H Sent: Tuesday, May 08, 2012 2:57 PM To: cisco-nsp@puck.nether.net Subject: [c-nsp] ASR1004 slot/backplane/capacity question Hi all, I've got a few general questions about the ASR. On Cisco's site sometimes I see reference to the 1004 having a 20 gig capacity, other times 40. Will the 1004 accept the ESP-40 and SIP40 interface cards to get to 40 gigs or is the maximum really the ESP-20 and SIP10 cards? 2) Given a SIP10 card, does all traffic hit the backplane in the ASR architecture or can routing occur within the four slots of the SIP independently? You probably realize I'm asking because I'm wondering if the ten gig limit of the SIP10 applies if traffic is not leaving the SIP. 3) I see a reference to how far SIP10 is allowed to be oversubscribed. Does that mean you could not actually enable four 1-port 10-gig cards in it? I'm looking at an application where only one of the ports would be heavily used but would like to have multiple ten gig ports for backup. 4) What happens when traffic hits the limit of the ESP model you have? :-) Thanks in advance! ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Tuning HSRP timers for BGP routers
What is your base CPU utilization? Mack -Original Message- From: Matthew Huff [mailto:mh...@ox.com] Sent: Wednesday, May 09, 2012 12:22 PM To: Mack McBride; 'cisco-nsp@puck.nether.net' Subject: RE: Tuning HSRP timers for BGP routers That's the thing, we aren't getting any BGP events, just HSRP ones. The netflow analysis don't show a high bandwidth utilization, that's why I was looking at the BGP re-calc causing the HSRP hellos to drop. Matthew Huff | 1 Manhattanville Rd Director of Operations | Purchase, NY 10577 OTA Management LLC | Phone: 914-460-4039 aim: matthewbhuff | Fax: 914-460-4139 -Original Message- From: Mack McBride [mailto:mack.mcbr...@viawest.com] Sent: Wednesday, May 09, 2012 1:39 PM To: Matthew Huff; 'cisco-nsp@puck.nether.net' Subject: RE: Tuning HSRP timers for BGP routers We use timers 2 and 6 on multiple sets of 6500s with a relatively large number of VLANs. The 6500 has a much less powerful CPU and seems to handle it ok. However, the 7200 is a software device so through traffic can have a major effect on CPU. It may be you have large high BW bursts during backups or something similar. You should probably do some correlation analysis before blaming the BGP. If you are getting that kind of BGP event on a nightly basis you should probably talk to your provider. LR Mack McBride Network Architect -Original Message- From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp- boun...@puck.nether.net] On Behalf Of Matthew Huff Sent: Wednesday, May 09, 2012 7:46 AM To: 'cisco-nsp@puck.nether.net' Subject: [c-nsp] Tuning HSRP timers for BGP routers We have a pair of Cisco 7204VXR with NPE-G2 running 15.1(4)M3. We are using default timers for the HSRP interfaces, and we are seeing nightly HSRP state changes. Not a lot, but 1-2 a night. This appears to only have started recently. We are looking at logs, but I assume it's due to BGP cpu exhaustion. We don't see any L2 errors on the VLAN where the HSRP is running, so I don't think it's a physical problem. What timers do people use for HSRP on BGP routers as a practice? Obviously we want the smallest timers that would be possible. Matthew Huff | 1 Manhattanville Rd Director of Operations | Purchase, NY 10577 OTA Management LLC | Phone: 914-460-4039 aim: matthewbhuff| Fax: 914-460-4139 ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Timeout value on ASA
Hi Antonio, The first output is showing PATed connections - or ones which have been Port Address Translated. In this case, the xlate timeout is hard-coded to 30 seconds, and is not user configurable. If instead you look at NATed connections, you will see the timeout would be set to the user-configured value - 3 hours in your case. Hope that helps explain it. Sincerely, David. Antonio Soares wrote: Hi David, Can you elaborate a little more about the xlate timeout, it's something I never understood very well. For example, taking this output as an example: ASA# sh xlate 2 in use, 229 most used Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice UDP PAT from IN:xxx.xxx.xxx.xxx/54337 to OUT:xxx.xxx.xxx.xxx/6630 flags ri idle 0:00:01 timeout 0:00:30 TCP PAT from IN:xxx.xxx.xxx.xxx/1028 to OUT:xxx.xxx.xxx.xxx/5281 flags ri idle 0:00:13 timeout 0:00:30 Why do we see 30 seconds as the timeout ? By default it's 3 hours: ASA# sh runn timeout timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 ASA# timeout xlate: Configure idle time after which a dynamic address will be returned to the free pool, default is 3:00:00 The output above was taken from an ASA. For example, this FWSM reflects the timeout correctly as configured globally (25 minutes): FWSM# sh xlate debug Flags: D - DNS, d - dump, I - identity, i - inside, n - no random, o - outside, r - portmap, s - static 45 in use, 281 most used NAT from IN:172.23.254.149 to OUT:xxx.xxx.xxx.xxx flags i idle 0:06:35 timeout 0:25:00 connections 1 NAT from IN:172.23.254.155 to OUT:xxx.xxx.xxx.xxx flags i idle 0:00:54 timeout 0:25:00 connections 0 NAT from IN:172.23.254.167 to OUT:xxx.xxx.xxx.xxx flags i idle 0:00:14 timeout 0:25:00 connections 6 This debug option is not available on the ASA. Thanks. Regards, Antonio Soares, CCIE #18473 (RS/SP) amsoa...@netcabo.pt http://www.ccie18473.net -Original Message- From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of David White, Jr. (dwhitejr) Sent: terça-feira, 8 de Maio de 2012 23:20 To: Peter Rathlev; Judith Sanders Cc: 'cisco-nsp@puck.nether.net' Subject: Re: [c-nsp] Timeout value on ASA An alternative is to use Dead Connection Detection (DCD) on the ASA to validate if both endpoints on the idle connection are still alive, and if so reset the idle timeout, else tear it down. http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/conns _connlimits.html#wp1080752 Additionally, one point for Peter. Increasing the idle conn timeout does not require you to increase the xlate timeout. The xlate timeout only takes effect once all conns associated to that xlate no longer exist. Sincerely, David. Peter Rathlev wrote: Hi Judith, On Tue, 2012-05-08 at 19:16 +, Judith Sanders wrote: I have a Cisco ASA5520-I have an established VPN with a third party vendor. We are running applications over this tunnel and experiencing timeouts. The tunnel never drops, just the application. I know that there are default timeouts set on the ASA for certain protocols, but if the tunnel is established, would it not be an application issue and not a firewall/VPN timeout issue? The ASA defaults for TCP timeouts (1 hour IIRC) are not compliant with RFC 5782 NAT Behavioral Requirements for TCP, a BCP. It specifies that the timeout MUST NOT be less than 2 hours 4 minutes. Use timeout conn 2:04:00 on the ASA to adjust. You might also want to consider adjusting the timeout xlate upwards at the same time. Informational level debugging can tell you if and why the ASA have torn down a session; the ASA-6-302014 messsage (Teardown TCP ...) states the specific reason. Look for Conn-timeout, meaning that the TCP connection has been idle for too long and is therefore closed. Even with a 2:04:00 timeout you still need to convince the application developers to actually use TCP Keep-Alives. We have been forced to apply a 24 hour timeout for certain connections because the developers couldn't/wouldn't use Keep-Alives. A policy-map can select just the right connections, so you avoid a long timeout for every connection through the ASA. ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net
Re: [c-nsp] Tuning HSRP timers for BGP routers
Average less than 10%, peek at 40% Matthew Huff | 1 Manhattanville Rd Director of Operations | Purchase, NY 10577 OTA Management LLC | Phone: 914-460-4039 aim: matthewbhuff | Fax: 914-460-4139 -Original Message- From: Mack McBride [mailto:mack.mcbr...@viawest.com] Sent: Wednesday, May 09, 2012 2:24 PM To: Matthew Huff; 'cisco-nsp@puck.nether.net' Subject: RE: Tuning HSRP timers for BGP routers What is your base CPU utilization? Mack -Original Message- From: Matthew Huff [mailto:mh...@ox.com] Sent: Wednesday, May 09, 2012 12:22 PM To: Mack McBride; 'cisco-nsp@puck.nether.net' Subject: RE: Tuning HSRP timers for BGP routers That's the thing, we aren't getting any BGP events, just HSRP ones. The netflow analysis don't show a high bandwidth utilization, that's why I was looking at the BGP re-calc causing the HSRP hellos to drop. Matthew Huff | 1 Manhattanville Rd Director of Operations | Purchase, NY 10577 OTA Management LLC | Phone: 914-460-4039 aim: matthewbhuff | Fax: 914-460-4139 -Original Message- From: Mack McBride [mailto:mack.mcbr...@viawest.com] Sent: Wednesday, May 09, 2012 1:39 PM To: Matthew Huff; 'cisco-nsp@puck.nether.net' Subject: RE: Tuning HSRP timers for BGP routers We use timers 2 and 6 on multiple sets of 6500s with a relatively large number of VLANs. The 6500 has a much less powerful CPU and seems to handle it ok. However, the 7200 is a software device so through traffic can have a major effect on CPU. It may be you have large high BW bursts during backups or something similar. You should probably do some correlation analysis before blaming the BGP. If you are getting that kind of BGP event on a nightly basis you should probably talk to your provider. LR Mack McBride Network Architect -Original Message- From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp- boun...@puck.nether.net] On Behalf Of Matthew Huff Sent: Wednesday, May 09, 2012 7:46 AM To: 'cisco-nsp@puck.nether.net' Subject: [c-nsp] Tuning HSRP timers for BGP routers We have a pair of Cisco 7204VXR with NPE-G2 running 15.1(4)M3. We are using default timers for the HSRP interfaces, and we are seeing nightly HSRP state changes. Not a lot, but 1-2 a night. This appears to only have started recently. We are looking at logs, but I assume it's due to BGP cpu exhaustion. We don't see any L2 errors on the VLAN where the HSRP is running, so I don't think it's a physical problem. What timers do people use for HSRP on BGP routers as a practice? Obviously we want the smallest timers that would be possible. Matthew Huff | 1 Manhattanville Rd Director of Operations | Purchase, NY 10577 OTA Management LLC | Phone: 914-460-4039 aim: matthewbhuff| Fax: 914-460-4139 smime.p7s Description: S/MIME cryptographic signature ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Timeout value on ASA
On Wed, 2012-05-09 at 18:09 +, Judith Sanders wrote: Here is an output from my ASA- this is part of my tunnel that the applications timeout thru... ... NAT from inside:172.16.1.201 to outside:64.250.19x.xx flags s idle 4:23:07 timeout 0:00:00 This would be from show xlate and describing a static NAT. If you suspect the ASA tears down connections you need to look at e.g. show conn address 192.0.2.1 instead. Looking at log files might prove easier, since show conn of course doesn't mention connections that have already been torn down. I wasn't aware exactly how timeout xlate worked, but from what David describes there's no need to adjust it. At the time it becomes relevant the ASA has already torn down the connection. -- Peter ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Timeout value on ASA
Here is an output from my ASA- this is part of my tunnel that the applications timeout thru... I see that they have been idle for four plus hours and the timeout is all 0-does this mean no timeout? or does this just mean default to the 3 hour timeout? NAT from inside:172.16.1.201 to outside:64.250.19x.xx flags s idle 4:23:07 timeout 0:00:00 NAT from inside:172.16.1.202 to outside:64.250.19x.xxx flags s idle 4:05:15 timeout 0:00:00 NAT from any:172.16.3.131 to any:64.250.19x.xxx flags s idle 0:25:16 timeout 0:00:00 NAT from inside:172.17.22.121 to outside:64.250.19x.xxx flags s idle 4:12:58 timeout 0:00:00 NAT from inside:172.17.23.121 to outside:64.250.19x.xx flags s idle 4:21:48 timeout 0:00:00 Judith Sanders Pioneer Telephone Inside Plant Networking Services jasand...@ptci.commailto:jasand...@ptci.com 405.375.0645 Our lives change when our habits change. Matthew Kelly From: David White, Jr. (dwhitejr) [mailto:dwhit...@cisco.com] Sent: Wednesday, May 09, 2012 12:51 PM To: Antonio Soares Cc: 'Peter Rathlev'; Judith Sanders; cisco-nsp@puck.nether.net Subject: Re: [c-nsp] Timeout value on ASA Hi Antonio, The first output is showing PATed connections - or ones which have been Port Address Translated. In this case, the xlate timeout is hard-coded to 30 seconds, and is not user configurable. If instead you look at NATed connections, you will see the timeout would be set to the user-configured value - 3 hours in your case. Hope that helps explain it. Sincerely, David. Antonio Soares wrote: Hi David, Can you elaborate a little more about the xlate timeout, it's something I never understood very well. For example, taking this output as an example: ASA# sh xlate 2 in use, 229 most used Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice UDP PAT from IN:xxx.xxx.xxx.xxx/54337 to OUT:xxx.xxx.xxx.xxx/6630 flags ri idle 0:00:01 timeout 0:00:30 TCP PAT from IN:xxx.xxx.xxx.xxx/1028 to OUT:xxx.xxx.xxx.xxx/5281 flags ri idle 0:00:13 timeout 0:00:30 Why do we see 30 seconds as the timeout ? By default it's 3 hours: ASA# sh runn timeout timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 ASA# timeout xlate: Configure idle time after which a dynamic address will be returned to the free pool, default is 3:00:00 The output above was taken from an ASA. For example, this FWSM reflects the timeout correctly as configured globally (25 minutes): FWSM# sh xlate debug Flags: D - DNS, d - dump, I - identity, i - inside, n - no random, o - outside, r - portmap, s - static 45 in use, 281 most used NAT from IN:172.23.254.149 to OUT:xxx.xxx.xxx.xxx flags i idle 0:06:35 timeout 0:25:00 connections 1 NAT from IN:172.23.254.155 to OUT:xxx.xxx.xxx.xxx flags i idle 0:00:54 timeout 0:25:00 connections 0 NAT from IN:172.23.254.167 to OUT:xxx.xxx.xxx.xxx flags i idle 0:00:14 timeout 0:25:00 connections 6 This debug option is not available on the ASA. Thanks. Regards, Antonio Soares, CCIE #18473 (RS/SP) amsoa...@netcabo.ptmailto:amsoa...@netcabo.pt http://www.ccie18473.net -Original Message- From: cisco-nsp-boun...@puck.nether.netmailto:cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of David White, Jr. (dwhitejr) Sent: terça-feira, 8 de Maio de 2012 23:20 To: Peter Rathlev; Judith Sanders Cc: 'cisco-nsp@puck.nether.netmailto:cisco-nsp@puck.nether.net' Subject: Re: [c-nsp] Timeout value on ASA An alternative is to use Dead Connection Detection (DCD) on the ASA to validate if both endpoints on the idle connection are still alive, and if so reset the idle timeout, else tear it down. http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/conns _connlimits.html#wp1080752 Additionally, one point for Peter. Increasing the idle conn timeout does not require you to increase the xlate timeout. The xlate timeout only takes effect once all conns associated to that xlate no longer exist. Sincerely, David. Peter Rathlev wrote: Hi Judith, On Tue, 2012-05-08 at 19:16 +, Judith Sanders wrote: I have a Cisco ASA5520-I have an established VPN with a third party vendor. We are running applications over this tunnel and experiencing timeouts. The tunnel never drops, just the application. I know that there are default timeouts set on the ASA for certain protocols, but if the tunnel is established, would it not be an application issue and not a firewall/VPN timeout issue? The ASA defaults for TCP timeouts (1 hour IIRC) are not compliant with RFC 5782 NAT Behavioral Requirements for
Re: [c-nsp] Possible to trunk over Serial or DSL?
On 5/9/12 4:28 AM, Darren O'Connor wrote: Hi all. I'm trying to find a possible way to run dot1q tags over serial and/or dsl interfaces. I could trunk over E1's on my old Riverstone kit without a problem, but I can't find a way to do it with a Cisco box. For serial interfaces you can run frame-relay encapsulation and map VLANs to PVCs. For DSL, if you control the DSLAM you can do something similar mapping VLANs to ATM VP/VCs. Other solutions include tunneling, pseudowire, etc. -- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Timeout value on ASA
Hi Judith, A timeout of all zero's means 'do not timeout' - or infinite timeout. Sincerely, David. Judith Sanders wrote: Here is an output from my ASA- this is part of my tunnel that the applications timeout thru... I see that they have been idle for four plus hours and the timeout is all 0-does this mean no timeout? or does this just mean default to the 3 hour timeout? NAT from inside:172.16.1.201 to outside:64.250.19x.xx flags s idle 4:23:07 timeout 0:00:00 NAT from inside:172.16.1.202 to outside:64.250.19x.xxx flags s idle 4:05:15 timeout 0:00:00 NAT from any:172.16.3.131 to any:64.250.19x.xxx flags s idle 0:25:16 timeout 0:00:00 NAT from inside:172.17.22.121 to outside:64.250.19x.xxx flags s idle 4:12:58 timeout 0:00:00 NAT from inside:172.17.23.121 to outside:64.250.19x.xx flags s idle 4:21:48 timeout 0:00:00 Judith Sanders Pioneer Telephone Inside Plant Networking Services jasand...@ptci.com mailto:jasand...@ptci.com 405.375.0645 */Our lives change when our habits change./* */ Matthew Kelly/* */ /* *From:* David White, Jr. (dwhitejr) [mailto:dwhit...@cisco.com] *Sent:* Wednesday, May 09, 2012 12:51 PM *To:* Antonio Soares *Cc:* 'Peter Rathlev'; Judith Sanders; cisco-nsp@puck.nether.net *Subject:* Re: [c-nsp] Timeout value on ASA Hi Antonio, The first output is showing PATed connections - or ones which have been Port Address Translated. In this case, the xlate timeout is hard-coded to 30 seconds, and is not user configurable. If instead you look at NATed connections, you will see the timeout would be set to the user-configured value - 3 hours in your case. Hope that helps explain it. Sincerely, David. Antonio Soares wrote: Hi David, Can you elaborate a little more about the xlate timeout, it's something I never understood very well. For example, taking this output as an example: ASA# sh xlate 2 in use, 229 most used Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice UDP PAT from IN:xxx.xxx.xxx.xxx/54337 to OUT:xxx.xxx.xxx.xxx/6630 flags ri idle 0:00:01 timeout 0:00:30 TCP PAT from IN:xxx.xxx.xxx.xxx/1028 to OUT:xxx.xxx.xxx.xxx/5281 flags ri idle 0:00:13 timeout 0:00:30 Why do we see 30 seconds as the timeout ? By default it's 3 hours: ASA# sh runn timeout timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 ASA# timeout xlate: Configure idle time after which a dynamic address will be returned to the free pool, default is 3:00:00 The output above was taken from an ASA. For example, this FWSM reflects the timeout correctly as configured globally (25 minutes): FWSM# sh xlate debug Flags: D - DNS, d - dump, I - identity, i - inside, n - no random, o - outside, r - portmap, s - static 45 in use, 281 most used NAT from IN:172.23.254.149 to OUT:xxx.xxx.xxx.xxx flags i idle 0:06:35 timeout 0:25:00 connections 1 NAT from IN:172.23.254.155 to OUT:xxx.xxx.xxx.xxx flags i idle 0:00:54 timeout 0:25:00 connections 0 NAT from IN:172.23.254.167 to OUT:xxx.xxx.xxx.xxx flags i idle 0:00:14 timeout 0:25:00 connections 6 This debug option is not available on the ASA. Thanks. Regards, Antonio Soares, CCIE #18473 (RS/SP) amsoa...@netcabo.pt mailto:amsoa...@netcabo.pt http://www.ccie18473.net -Original Message- From: cisco-nsp-boun...@puck.nether.net mailto:cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of David White, Jr. (dwhitejr) Sent: terça-feira, 8 de Maio de 2012 23:20 To: Peter Rathlev; Judith Sanders Cc: 'cisco-nsp@puck.nether.net mailto:cisco-nsp@puck.nether.net' Subject: Re: [c-nsp] Timeout value on ASA An alternative is to use Dead Connection Detection (DCD) on the ASA to validate if both endpoints on the idle connection are still alive, and if so reset the idle timeout, else tear it down. http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/conns _connlimits.html#wp1080752 Additionally, one point for Peter. Increasing the idle conn timeout does not require you to increase the xlate timeout. The xlate timeout only takes effect once all conns associated to that xlate no longer exist. Sincerely, David. Peter Rathlev wrote: Hi Judith, On Tue, 2012-05-08 at 19:16 +, Judith Sanders wrote: I have a Cisco ASA5520-I have an established VPN with a third party vendor. We are running applications over this tunnel and experiencing timeouts. The tunnel never drops, just the
Re: [c-nsp] VFI LDP transport signaled down (ME3600x)
Ihsan, On which IOS version are you? This should work on 15.2S Arie -Original Message- From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Ihsan Junaidi Ibrahim Sent: Wednesday, May 09, 2012 07:37 To: cisco-nsp@puck.nether.net Subject: [c-nsp] VFI LDP transport signaled down (ME3600x) Hi all, My topology as follows: PE1--P1--P2--P3--P4--P5--PE2 PE1 lo0 - 200.28.0.15 (15.2(2)S) loader 12.2(52r)EY1 PE2 lo0 - 200.28.0.120 (15.2(2)S) loader 12.2(52r)EY2 Are there specific nuances for an LDP signaled transport for EoMPLS and VPLS in the Whales platform? An xconnect from PE1 to PE2 is signaled successfully however a VPLS instance based on BGP autodiscovery (manual VPLS works) is unable to bring up the LDP l2transport signal although the VFI is signaled up. EoMPLS es-103-glsfb#sh xconnect peer 200.28.0.120 vc 5070 Legend:XC ST=Xconnect State S1=Segment1 State S2=Segment2 State UP=Up DN=DownAD=Admin Down IA=Inactive SB=Standby HS=Hot Standby RV=Recovering NH=No Hardware XC ST Segment 1 S1 Segment 2 S2 --+-+--+ -+-- UP pri ac Gi0/19:1(Ethernet) UP mpls 200.28.0.120:5070 UP es-103-glsfb#sh mpls l2transport vc 5070 detail Local interface: Gi0/19 up, line protocol up, Ethernet:1 up Destination address: 200.28.0.120, VC ID: 5070, VC status: up Output interface: Te0/2, imposed label stack {298 16} Preferred path: not configured Default path: active Next hop: 200.28.2.242 Create time: 02:10:43, last status change time: 02:08:57 Signaling protocol: LDP, peer 200.28.0.120:0 up Targeted Hello: 200.28.0.15(LDP Id) - 200.28.0.120, LDP is UP Status TLV support (local/remote) : enabled/supported LDP route watch : disabled Label/status state machine: established, LruRru Last local dataplane status rcvd: No fault Last BFD dataplane status rcvd: Not sent Last BFD peer monitor status rcvd: No fault Last local AC circuit status rcvd: No fault Last local AC circuit status sent: No fault Last local LDP TLV status sent: No fault Last remote LDP TLVstatus rcvd: No fault Last remote LDP ADJstatus rcvd: No fault MPLS VC labels: local 17, remote 16 Group ID: local 0, remote 0 MTU: local 9178, remote 9178 Remote interface description: Sequencing: receive disabled, send disabled Control Word: On (configured: autosense) Dataplane: SSM segment/switch IDs: 45083/8194 (used), PWID: 2 VC statistics: transit packet totals: receive 24, send 21 transit byte totals: receive 2064, send 1344 transit packet drops: receive 0, seq error 0, send 0 VPLS es-103-glsfb#sh vfi Legend: RT=Route-target, S=Split-horizon, Y=Yes, N=No VFI name: ME002555, state: up, type: multipoint signaling: LDP VPN ID: 116, VPLS-ID: 9930:116 RD: 9930:116, RT: 9930:116 Bridge-Domain 116 attachment circuits: Vlan116 Neighbors connected via pseudowires: Peer Address VC IDDiscovered Router IDS 200.28.9.146 116 200.28.0.120Y es-103-glsfb#sh mpls l2transport vc 116 detail Local interface: VFI ME002555 vfi up Interworking type is Ethernet Destination address: 200.28.0.120, VC ID: 116, VC status: down Last error: Local access circuit is not ready for label advertise Next hop PE address: 200.28.9.146 Output interface: none, imposed label stack {} Preferred path: not configured Default path: no route No adjacency Create time: 02:07:55, last status change time: 02:07:55 Signaling protocol: LDP, peer unknown Targeted Hello: 200.28.0.15(LDP Id) - 200.28.9.146, LDP is DOWN, no binding Status TLV support (local/remote) : enabled/None (no remote binding) LDP route watch : disabled Label/status state machine: local standby, AC-ready, LnuRnd Last local dataplane status rcvd: No fault Last BFD dataplane status rcvd: Not sent Last BFD peer monitor status rcvd: No fault Last local AC circuit status rcvd: No fault Last local AC circuit status sent: Not sent Last local LDP TLV status sent: None Last remote LDP TLVstatus rcvd: None (no remote binding) Last remote LDP ADJstatus rcvd: None (no remote binding) MPLS VC labels: local 23, remote unassigned AGI: type 1, len 8, 000A 26CA 0074 Local AII: type 1, len 4, DF1C 000F (200.28.0.15) Remote AII: type 1, len 4, DF1C 0078 (200.28.0.120) Group ID: local n/a, remote unknown MTU: local 9178, remote unknown Remote interface description: Sequencing: receive disabled, send disabled Control Word: On (configured: autosense) Dataplane: SSM segment/switch IDs: 0/0 (used), PWID: 14 VC statistics:
Re: [c-nsp] Tuning HSRP timers for BGP routers
On 5/9/2012 8:45 AM, Matthew Huff wrote: We have a pair of Cisco 7204VXR with NPE-G2 running 15.1(4)M3. We are using default timers for the HSRP interfaces, and we are seeing nightly HSRP state changes. Not a lot, but 1-2 a night. This appears to only have started recently. We are looking at logs, but I assume it's due to BGP cpu exhaustion. We don't see any L2 errors on the VLAN where the HSRP is running, so I don't think it's a physical problem. What timers do people use for HSRP on BGP routers as a practice? Obviously we want the smallest timers that would be possible. Matthew Huff | 1 Manhattanville Rd Director of Operations | Purchase, NY 10577 OTA Management LLC | Phone: 914-460-4039 aim: matthewbhuff| Fax: 914-460-4139 That's the symptom. I wouldn't recommend changing those timers until you understand what is causing the issue. Sometimes (especially in STP, BGP, etc) changing how the protocol works makes things worse. tv ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] CAB-SFP-50CM 2960S
That is correct, a 10gig interface will report as 10gig. Andrew Jones Alphawest -Original Message- From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Mal Sent: Monday, 7 May 2012 5:00 PM To: cisco-nsp@puck.nether.net Subject: [c-nsp] CAB-SFP-50CM 2960S Anyone successfully using CAB-SFP-50CM between 2960S switches (WS-C2960S-48LPD-L) ? I have a link up between two 10G 2960S SFP+ port interfaces (and can ping across it) but its reporting a 10Gig speed connection via the cab-stack-50 SFP cable.. Switch# sho inventory NAME: 1, DESCR: WS-C2960S-48LPD-L PID: WS-C2960S-48LPD-L , VID: V02 , SN: xx NAME: TenGigabitEthernet1/0/1, DESCR: SFP-10GBase-CX1 PID: CAB-SFP-50CM, VID: V01 , SN: xx Mal ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/