[c-nsp] BGP Route Announcement
Having a problem with changing a bgp route announcement to cogent. We are announcing 216.24.0.0/18 to cogent currently.

router bgp
 no synchronization
 bgp router-id
 bgp cluster-id xxx
 bgp log-neighbor-changes
 bgp bestpath compare-routerid
 network 216.24.0.0 mask 255.255.192.0
 neighbor 38.122.142.5 remote-as 174
 neighbor 38.122.142.5 description Cogent A Peer to node router
 neighbor 38.122.142.5 send-community
 neighbor 38.122.142.5 version 4
 neighbor 38.122.142.5 soft-reconfiguration inbound
 neighbor 38.122.142.5 distribute-list deny-our-nets in
 neighbor 38.122.142.5 distribute-list allow-our-nets out
 neighbor 38.122.142.5 route-map cogent-outbound-prefs in
 neighbor 38.122.142.5 route-map cogent-out out
 no auto-summary

The distribute lists shown also just contained appropriate permit and deny entries for 216.24.0.0 /18.

Kind of against my wishes the owner of our company sold several small network blocks we weren't using out of the upper half of the /18. As a result I have to change the bgp broadcast to cogent to broadcast a 216.24.0.0/19 and several smaller blocks we are still using out of the upper half.

I assumed if I changed the distribute lists it would change the routes cogent was seeing. So I changed those first --

ip access-list standard allow-our-nets
 permit 38.103.73.193
 permit 216.24.0.0 0.0.31.255
 permit 216.24.35.0 0.0.0.255
 permit 216.24.36.0 0.0.3.255
 permit 216.24.42.0 0.0.0.255
 permit 216.24.48.0 0.0.3.255
 permit 216.24.53.0 0.0.0.255
 permit 216.24.54.0 0.0.0.255
 permit 216.24.56.0 0.0.0.255
 permit 216.24.60.0 0.0.1.255
 permit 216.24.62.0 0.0.0.255
ip access-list standard deny-our-nets
 deny 216.24.35.0 0.0.0.255
 deny 216.24.36.0 0.0.3.255
 deny 216.24.42.0 0.0.0.255
 deny 216.24.48.0 0.0.3.255
 deny 216.24.53.0 0.0.0.255
 deny 216.24.54.0 0.0.0.255
 deny 216.24.56.0 0.0.0.255
 deny 216.24.60.0 0.0.1.255
 deny 216.24.62.0 0.0.0.255
 deny 216.24.0.0 0.0.31.255
 permit any

But it didn't change the broadcast cogent was receiving at all.

So then I changed the networks statement in bgp config.

router bgp
 no synchronization
 bgp router-id
 bgp cluster-id xxx
 bgp log-neighbor-changes
 bgp bestpath compare-routerid
 network 216.24.32.0 mask 255.255.224.0
 network 216.24.35.0 mask 255.255.255.0
 network 216.24.36.0 mask 255.255.252.0
 network 216.24.42.0 mask 255.255.255.0
 network 216.24.48.0 mask 255.255.252.0
 network 216.24.53.0 mask 255.255.255.0
 network 216.24.54.0 mask 255.255.255.0
 network 216.24.56.0 mask 255.255.255.0
 network 216.24.60.0 mask 255.255.254.0
 network 216.24.62.0 mask 255.255.255.0
 neighbor 38.122.142.5 remote-as 174
 neighbor 38.122.142.5 description Cogent A Peer to node router
 neighbor 38.122.142.5 send-community
 neighbor 38.122.142.5 version 4
 neighbor 38.122.142.5 soft-reconfiguration inbound
 neighbor 38.122.142.5 distribute-list deny-our-nets in
 neighbor 38.122.142.5 distribute-list allow-our-nets out
 neighbor 38.122.142.5 route-map cogent-outbound-prefs in
 neighbor 38.122.142.5 route-map cogent-out out
 no auto-summary

That changed the broadcast cogent was receiving, but not in the expected way. The only route they saw us broadcasting after that was the 216.24.60.0/23 route. Not the first one in the list, not the last one, not the biggest one or the smallest one, but just one route from the middle of the list. I don't get this behavior at all. Cogent cleared and bounced bgp to us, and still received only that one route in the broadcast from us.

Can anyone tell me why I got this behavior, and what am I overlooking in altering our bgp config to broadcast this group of routes? Thank you for your patience with this message.

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
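An added example, not part of the original post: a Python check that compares the `network` statements quoted above with the `allow-our-nets` standard ACL used as the outbound distribute-list. It assumes the usual standard-ACL behaviour of matching only a prefix's network address against address plus wildcard; the `cogent-out` route-map and the router's routing table are not shown in the post and are not modelled.

```python
import ipaddress

# Constructed from the network statements and the allow-our-nets ACL quoted in the post.
NETWORK_STATEMENTS = """\
network 216.24.32.0 mask 255.255.224.0
network 216.24.35.0 mask 255.255.255.0
network 216.24.36.0 mask 255.255.252.0
network 216.24.42.0 mask 255.255.255.0
network 216.24.48.0 mask 255.255.252.0
network 216.24.53.0 mask 255.255.255.0
network 216.24.54.0 mask 255.255.255.0
network 216.24.56.0 mask 255.255.255.0
network 216.24.60.0 mask 255.255.254.0
network 216.24.62.0 mask 255.255.255.0
"""

ALLOW_OUR_NETS = """\
permit 38.103.73.193
permit 216.24.0.0 0.0.31.255
permit 216.24.35.0 0.0.0.255
permit 216.24.36.0 0.0.3.255
permit 216.24.42.0 0.0.0.255
permit 216.24.48.0 0.0.3.255
permit 216.24.53.0 0.0.0.255
permit 216.24.54.0 0.0.0.255
permit 216.24.56.0 0.0.0.255
permit 216.24.60.0 0.0.1.255
permit 216.24.62.0 0.0.0.255
"""

ALL_ONES = 0xFFFFFFFF


def parse_networks(text):
    """Return the prefixes named by `network A.B.C.D mask M.M.M.M` lines."""
    nets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "network" and parts[2] == "mask":
            nets.append(ipaddress.ip_network(f"{parts[1]}/{parts[3]}"))
    return nets


def parse_standard_acl(text):
    """Return (action, address, wildcard) tuples in configuration order."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] not in ("permit", "deny"):
            continue
        if parts[1] == "any":
            addr, wild = 0, ALL_ONES
        else:
            addr = int(ipaddress.IPv4Address(parts[1]))
            # A bare address with no wildcard is a host entry.
            wild = int(ipaddress.IPv4Address(parts[2])) if len(parts) > 2 else 0
        entries.append((parts[0], addr, wild))
    return entries


def acl_action(entries, net):
    """First match on the prefix's network address; implicit deny at the end."""
    addr = int(net.network_address)
    for action, acl_addr, wild in entries:
        care = ALL_ONES & ~wild
        if (addr & care) == (acl_addr & care):
            return action
    return "deny"


def permit_as_prefix(acl_addr, wild):
    """Express an entry with a contiguous wildcard as a prefix, else None."""
    if wild & (wild + 1):
        return None
    return ipaddress.ip_network((acl_addr & ~wild & ALL_ONES, 32 - wild.bit_length()))


def audit(network_text, acl_text):
    """Return (networks the ACL denies, permit entries with no network statement)."""
    nets = parse_networks(network_text)
    acl = parse_standard_acl(acl_text)
    denied = [str(n) for n in nets if acl_action(acl, n) != "permit"]
    configured = set(nets)
    permits_without_network = []
    for action, addr, wild in acl:
        prefix = permit_as_prefix(addr, wild)
        if action == "permit" and prefix is not None and prefix not in configured:
            permits_without_network.append(str(prefix))
    return denied, permits_without_network


if __name__ == "__main__":
    denied, orphans = audit(NETWORK_STATEMENTS, ALLOW_OUR_NETS)
    print("network statements the outbound ACL denies:", denied)
    print("ACL permits with no matching network statement:", orphans)
```

Run against the quoted configuration, the check reports one `network` statement that the outbound ACL does not permit and two permit entries that no `network` statement originates.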
Re: [c-nsp] Router memory problem
You are correct. I changed it as I was in the process of writing the mail to see if filtering even more would cause the number of routes to drop faster. It didn't. Continued dropping at the same slow rate. So I put it back to 23. But the email got parts of each config.

From: CiscoNSP List
Sent: Sunday, October 30, 2016 4:31 PM
To: Joseph Mays ; Chris Boyd ; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Router memory problem

Very bleary eyed - but shouldn't this:

ip prefix-list max23 seq 5 permit 0.0.0.0/0 ge 8 le 16

be:

ip prefix-list max16 seq 5 permit 0.0.0.0/0 ge 8 le 16

As you are referencing max16 in your dist-list

router bgp
 distribute-list prefix max16 in

From: cisco-nsp <cisco-nsp-boun...@puck.nether.net> on behalf of Joseph Mays <m...@win.net>
Sent: Thursday, 27 October 2016 7:06 AM
To: Chris Boyd; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Router memory problem

> On the plus side, if you screw up routing with a mistake, you’ll free a lot
> of memory :-/

See, there could be a silver lining. :-)

Got the commands in...

router bgp
 distribute-list prefix max16 in
ip prefix-list max23 seq 5 permit 0.0.0.0/0 ge 8 le 16

The bgp table seems to be dropping in size over time

core-gw1.noc#show ip bgp sum
[...]
xx.xxx.xxx.x4 174 146060 785 70730200 13:00:03 605322
core-gw1.noc#show ip bgp sum
[...]
xx.xxx.xxx.x4 174 146060 785 70730200 13:00:03 603660

but it's taking a long time. I could clear the bgp tables, but I'm hesitant to do that. Maybe better to just let it drop over time.

-Original Message-
From: Chris Boyd
Sent: Wednesday, October 26, 2016 3:57 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Router memory problem

> On Oct 26, 2016, at 2:19 PM, Joseph Mays <m...@win.net> wrote:
>
> I was thinking about using a prefix list to limit the size of the BGP routing
> table.

Hard to do if you can’t see the config, but I suppose if you are careful you could tftp it in, since you mentioned that’s still working.

On the plus side, if you screw up routing with a mistake, you’ll free a lot of memory :-/

—Chris
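An added example, not from any poster in this thread: a Python check of the two commands quoted above. It lists prefix-list names that a `distribute-list prefix` line references but the fragment never defines, and evaluates the `ge 8 le 16` entry with first-match, implicit-deny prefix-list semantics; the prefixes passed to `evaluate` are constructed samples.

```python
import ipaddress
import re

# Constructed from the commands quoted in the thread (the AS number is absent there too).
POSTED_CONFIG = """\
router bgp
 distribute-list prefix max16 in
ip prefix-list max23 seq 5 permit 0.0.0.0/0 ge 8 le 16
"""

ENTRY_RE = re.compile(
    r"^ip prefix-list (\S+) seq (\d+) (permit|deny) (\S+)(?: ge (\d+))?(?: le (\d+))?$"
)
REFERENCE_RE = re.compile(r"^distribute-list prefix (\S+) (?:in|out)$")


def parse_prefix_lists(config):
    """Map list name -> entries (seq, action, network, min_len, max_len), by seq."""
    lists = {}
    for line in config.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        name, seq, action, prefix, ge, le = m.groups()
        net = ipaddress.ip_network(prefix)
        # No ge/le: exact length. ge only: ge..32. le only: own length..le.
        low = int(ge) if ge else net.prefixlen
        high = int(le) if le else (32 if ge else net.prefixlen)
        lists.setdefault(name, []).append((int(seq), action, net, low, high))
    for entries in lists.values():
        entries.sort(key=lambda entry: entry[0])
    return lists


def undefined_references(config):
    """Names used by `distribute-list prefix` that have no `ip prefix-list` entry."""
    defined = set(parse_prefix_lists(config))
    referenced = set()
    for line in config.splitlines():
        m = REFERENCE_RE.match(line.strip())
        if m:
            referenced.add(m.group(1))
    return sorted(referenced - defined)


def evaluate(entries, prefix):
    """Return the action of the first matching entry, or the implicit deny."""
    candidate = ipaddress.ip_network(prefix)
    for _seq, action, net, low, high in entries:
        if candidate.subnet_of(net) and low <= candidate.prefixlen <= high:
            return action
    return "deny"


if __name__ == "__main__":
    print("referenced but not defined:", undefined_references(POSTED_CONFIG))
    entries = parse_prefix_lists(POSTED_CONFIG)["max23"]
    for sample in ("10.0.0.0/8", "172.16.0.0/12", "192.0.2.0/24", "0.0.0.0/0"):
        print(sample, evaluate(entries, sample))
```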
Re: [c-nsp] Router memory problem
> On the plus side, if you screw up routing with a mistake, you’ll free a lot
> of memory :-/

See, there could be a silver lining. :-)

Got the commands in...

router bgp
 distribute-list prefix max16 in
ip prefix-list max23 seq 5 permit 0.0.0.0/0 ge 8 le 16

The bgp table seems to be dropping in size over time

core-gw1.noc#show ip bgp sum
[...]
xx.xxx.xxx.x4 174 146060 785 70730200 13:00:03 605322
core-gw1.noc#show ip bgp sum
[...]
xx.xxx.xxx.x4 174 146060 785 70730200 13:00:03 603660

but it's taking a long time. I could clear the bgp tables, but I'm hesitant to do that. Maybe better to just let it drop over time.

-Original Message-
From: Chris Boyd
Sent: Wednesday, October 26, 2016 3:57 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Router memory problem

> On Oct 26, 2016, at 2:19 PM, Joseph Mays <m...@win.net> wrote:
>
> I was thinking about using a prefix list to limit the size of the BGP routing
> table.

Hard to do if you can’t see the config, but I suppose if you are careful you could tftp it in, since you mentioned that’s still working.

On the plus side, if you screw up routing with a mistake, you’ll free a lot of memory :-/

—Chris
Re: [c-nsp] Router memory problem
I was thinking about using a prefix list to limit the size of the BGP routing table.

-Original Message-
From: Chris Boyd
Sent: Wednesday, October 26, 2016 2:59 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Router memory problem

On Oct 26, 2016, at 1:51 PM, Chuck Church wrote:

Is the router out of RAM? A really low memory condition might cause this. 'show mem' or 'show log' (if configured) might show some malloc errors if that is the issue.

+1

I had a similar issue a while back with a 7206VXR that was getting full routes. Worked fine, forwarding packets, but could not sh run. Cutting back to customer routes + default “fixed” it about 10 minutes after the upstream made the change.

—Chris
Re: [c-nsp] Router memory problem
Perhaps. Looks like, but I don't know if it's TOO low.

core-gw1.noc#show mem
              Head   Total(b)     Used(b)    Free(b)  Lowest(b) Largest(b)
Processor 6381CC60      78368   438972176    5506192     945056     898812
      I/O      E00   33554432    10948872   22605560   22287760   22426364

Maybe if I reduce the size of the bgp tables.

-Original Message-
From: Chuck Church
Sent: Wednesday, October 26, 2016 2:51 PM
To: 'Joseph Mays' ; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] Router memory problem

Is the router out of RAM? A really low memory condition might cause this. 'show mem' or 'show log' (if configured) might show some malloc errors if that is the issue.

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Joseph Mays
Sent: Wednesday, October 26, 2016 2:28 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Router memory problem

I’m dealing with a serious problem on a router I can only connect to remotely. Show run on the router returns nothing.

core-gw1.noc#show run
core-gw1.noc#

The running config is definitely there, though and the router is operational. And interestingly the system that copies the router’s config every night seems to have no problem pulling it down via tftp. And I can add and remove config commands and have them become active, even though I can’t see the config when it’s running. I tried copying the running config to the startup config and got an error.

core-gw1.noc#dir nvram:
Directory of nvram:/
488 -rw- 19717 startup-config
489 1157 private-config
490 -rw- 19717 underlying-config
1 46 persistent-data
2 -rw- 0 ifIndex-table
3 -rw- 4 rf_cold_starts
522232 bytes total (498234 bytes free)
core-gw1.noc#write mem
startup-config file open failed (Not enough space)

I found that any command I try with regards to the startup config gets the same result. I concluded that the nvram: must be corrupt. So I did an “erase” to reformat and clear it, and that went fine. So then I tried to write the startup-config again and had the same problem.

core-gw1.noc#erase nvram:
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
[OK]
Erase of nvram: complete
core-gw1.noc#dir nvram:
Directory of nvram:/
508 -rw- 0 startup-config
509 0 private-config
510 -rw- 0 underlying-config
1 46 persistent-data
2 -rw- 0 ifIndex-table
3 -rw- 4 rf_cold_starts
522232 bytes total (519108 bytes free)
core-gw1.noc#copy run start
Destination filename [startup-config]?
startup-config file open failed (Not enough space)

So now I am in a position where I don’t dare reboot the router because it has no startup config. I did try tftping the backup config to nvram:, and it worked fine as long as I gave it another name.

core-gw1.noc#copy tftp nvram:
Address or name of remote host [admin2.win.net]?
Source filename [core-gw1.noc-confg.noALW]? noc-config
Destination filename [noc-config]?
Accessing tftp://admin2.win.net/noc-config...
Loading noc-config from 216.24.27.2 (via FastEthernet2/0): !!!
[OK - 34368 bytes]
34368 bytes copied in 0.756 secs (45460 bytes/sec)
core-gw1.noc#dir nvram:
Directory of nvram:/
508 -rw- 0 startup-config
509 0 private-config
510 -rw- 0 underlying-config
1 46 persistent-data
2 -rw- 0 ifIndex-table
3 -rw- 4 rf_cold_starts
4 -rw- 34368 noc-config

But when I tried to rename noc-config to startup-config, it gave the same space error. As does deleting startup-config, or any attempt to do anything to the startup-config file.

Here is the show ver info on the router.

Cisco Internetwork Operating System Software
IOS (tm) 7200 Software (C7200-IK9SU2-M), Version 12.3(23), RELEASE SOFTWARE (fc5)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by cisco Systems, Inc.
Compiled Tue 24-Jul-07 21:42 by stshen
Image text-base: 0x60008AF4, data-base: 0x61F53280

ROM: System Bootstrap, Version 12.2(20030826:190624) [BLD-npeg1_rommon_r11 102], DEVELOPMENT SOFTWARE
BOOTLDR: 7200 Software (C7200-KBOOT-M), Version 12.2(15)B, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

core-gw1.noc uptime is 11 hours, 10 minutes
System returned to ROM by reload at 03:00:12 EDT Wed Oct 26 2016
System restarted at 03:02:54 EDT Wed Oct 26 2016
System image file is "disk2:
Re: [c-nsp] Router memory problem
The "show run" command has always worked in the past. No one else has reconfigured anything on this router since I started working on it.

core-gw1.noc#show priv
Current privilege level is 15
core-gw1.noc#show running-config view full
^
% Invalid input detected at '^' marker.

core-gw1.noc#show running-config ?
  brief       configuration without certificate data
  class-map   Show class-map information
  full        full configuration
  interface   Show interface configuration
  linenum     Display line numbers in output
  map-class   Show map class information
  policy-map  Show policy-map information
  |           Output modifiers

core-gw1.noc#show running-config full
core-gw1.noc#

-Original Message-
From: Nick Cutting
Sent: Wednesday, October 26, 2016 2:32 PM
To: Joseph Mays ; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] Router memory problem

Check you're logged in at privilege 15

Also - there may be "views" configured. Try also this:

sh running-config view full

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Joseph Mays
Sent: Wednesday, October 26, 2016 2:28 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Router memory problem

I’m dealing with a serious problem on a router I can only connect to remotely. Show run on the router returns nothing.

core-gw1.noc#show run
core-gw1.noc#

The running config is definitely there, though and the router is operational. And interestingly the system that copies the router’s config every night seems to have no problem pulling it down via tftp. And I can add and remove config commands and have them become active, even though I can’t see the config when it’s running. I tried copying the running config to the startup config and got an error.

core-gw1.noc#dir nvram:
Directory of nvram:/
488 -rw- 19717 startup-config
489 1157 private-config
490 -rw- 19717 underlying-config
1 46 persistent-data
2 -rw- 0 ifIndex-table
3 -rw- 4 rf_cold_starts
522232 bytes total (498234 bytes free)
core-gw1.noc#write mem
startup-config file open failed (Not enough space)

I found that any command I try with regards to the startup config gets the same result. I concluded that the nvram: must be corrupt. So I did an “erase” to reformat and clear it, and that went fine. So then I tried to write the startup-config again and had the same problem.

core-gw1.noc#erase nvram:
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
[OK]
Erase of nvram: complete
core-gw1.noc#dir nvram:
Directory of nvram:/
508 -rw- 0 startup-config
509 0 private-config
510 -rw- 0 underlying-config
1 46 persistent-data
2 -rw- 0 ifIndex-table
3 -rw- 4 rf_cold_starts
522232 bytes total (519108 bytes free)
core-gw1.noc#copy run start
Destination filename [startup-config]?
startup-config file open failed (Not enough space)

So now I am in a position where I don’t dare reboot the router because it has no startup config. I did try tftping the backup config to nvram:, and it worked fine as long as I gave it another name.

core-gw1.noc#copy tftp nvram:
Address or name of remote host [admin2.win.net]?
Source filename [core-gw1.noc-confg.noALW]? noc-config
Destination filename [noc-config]?
Accessing tftp://admin2.win.net/noc-config...
Loading noc-config from 216.24.27.2 (via FastEthernet2/0): !!!
[OK - 34368 bytes]
34368 bytes copied in 0.756 secs (45460 bytes/sec)
core-gw1.noc#dir nvram:
Directory of nvram:/
508 -rw- 0 startup-config
509 0 private-config
510 -rw- 0 underlying-config
1 46 persistent-data
2 -rw- 0 ifIndex-table
3 -rw- 4 rf_cold_starts
4 -rw- 34368 noc-config

But when I tried to rename noc-config to startup-config, it gave the same space error. As does deleting startup-config, or any attempt to do anything to the startup-config file.

Here is the show ver info on the router.

Cisco Internetwork Operating System Software
IOS (tm) 7200 Software (C7200-IK9SU2-M), Version 12.3(23), RELEASE SOFTWARE (fc5)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by cisco Systems, Inc.
Compiled Tue 24-Jul-07 21:42 by stshen
Image text-base: 0x60008AF4, data-base: 0x61F53280

ROM: System Bootstrap, Version 12.2(20030826:190624) [BLD-npeg1_rommon_r1
[c-nsp] Router memory problem
I’m dealing with a serious problem on a router I can only connect to remotely. Show run on the router returns nothing.

core-gw1.noc#show run
core-gw1.noc#

The running config is definitely there, though and the router is operational. And interestingly the system that copies the router’s config every night seems to have no problem pulling it down via tftp. And I can add and remove config commands and have them become active, even though I can’t see the config when it’s running. I tried copying the running config to the startup config and got an error.

core-gw1.noc#dir nvram:
Directory of nvram:/
488 -rw- 19717 startup-config
489 1157 private-config
490 -rw- 19717 underlying-config
1 46 persistent-data
2 -rw- 0 ifIndex-table
3 -rw- 4 rf_cold_starts
522232 bytes total (498234 bytes free)
core-gw1.noc#write mem
startup-config file open failed (Not enough space)

I found that any command I try with regards to the startup config gets the same result. I concluded that the nvram: must be corrupt. So I did an “erase” to reformat and clear it, and that went fine. So then I tried to write the startup-config again and had the same problem.

core-gw1.noc#erase nvram:
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
[OK]
Erase of nvram: complete
core-gw1.noc#dir nvram:
Directory of nvram:/
508 -rw- 0 startup-config
509 0 private-config
510 -rw- 0 underlying-config
1 46 persistent-data
2 -rw- 0 ifIndex-table
3 -rw- 4 rf_cold_starts
522232 bytes total (519108 bytes free)
core-gw1.noc#copy run start
Destination filename [startup-config]?
startup-config file open failed (Not enough space)

So now I am in a position where I don’t dare reboot the router because it has no startup config. I did try tftping the backup config to nvram:, and it worked fine as long as I gave it another name.

core-gw1.noc#copy tftp nvram:
Address or name of remote host [admin2.win.net]?
Source filename [core-gw1.noc-confg.noALW]? noc-config
Destination filename [noc-config]?
Accessing tftp://admin2.win.net/noc-config...
Loading noc-config from 216.24.27.2 (via FastEthernet2/0): !!!
[OK - 34368 bytes]
34368 bytes copied in 0.756 secs (45460 bytes/sec)
core-gw1.noc#dir nvram:
Directory of nvram:/
508 -rw- 0 startup-config
509 0 private-config
510 -rw- 0 underlying-config
1 46 persistent-data
2 -rw- 0 ifIndex-table
3 -rw- 4 rf_cold_starts
4 -rw- 34368 noc-config

But when I tried to rename noc-config to startup-config, it gave the same space error. As does deleting startup-config, or any attempt to do anything to the startup-config file.

Here is the show ver info on the router.

Cisco Internetwork Operating System Software
IOS (tm) 7200 Software (C7200-IK9SU2-M), Version 12.3(23), RELEASE SOFTWARE (fc5)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by cisco Systems, Inc.
Compiled Tue 24-Jul-07 21:42 by stshen
Image text-base: 0x60008AF4, data-base: 0x61F53280

ROM: System Bootstrap, Version 12.2(20030826:190624) [BLD-npeg1_rommon_r11 102], DEVELOPMENT SOFTWARE
BOOTLDR: 7200 Software (C7200-KBOOT-M), Version 12.2(15)B, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

core-gw1.noc uptime is 11 hours, 10 minutes
System returned to ROM by reload at 03:00:12 EDT Wed Oct 26 2016
System restarted at 03:02:54 EDT Wed Oct 26 2016
System image file is "disk2:c7200-ik9su2-mz.123-23.bin"
Last reload reason: Reload command

This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to exp...@cisco.com.

cisco 7206VXR (NPE-G1) processor (revision A) with 491520K/32768K bytes of memory.
Processor board ID 20399590
SB-1 CPU at
[c-nsp] Etherchannel problem
> RtrA(216.24.2.201,205)SwASwBRtrB(216.24.2.202,206)

Got the vlan problem fixed. Now on to a related, but slightly different problem with the same set of ports. I actually want the ethernet connections between SwA and SwB to be etherchannel port groups on vlan808. As I said, SwB is a 2924, and they don't support interface ranges. I put the ports on SwB in a port group, and SwA into an etherchannel group, and it seems to work, except pings from off the router on the RtrA lan receive duplicate packet responses. When I ping from the routers on either side they don't show duplicate packets, but then I've never seen a duplicate packet response on a cisco ping so I'm not sure how it gets represented.

Ping from RtrA to RtrB across the bundled ethernet ports between SwA and SwB

gw1.armplc#ping 216.24.2.201
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 216.24.2.201, timeout is 2 seconds:
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Ping from a FreeBSD machine on the lan behind RtrA. Note that this ping did not show duplicate packet responses until I had the ethernet ports bundled.

admin1# ping 216.24.2.202
PING 216.24.2.202 (216.24.2.202): 56 data bytes
64 bytes from 216.24.2.202: icmp_seq=0 ttl=254 time=1.755 ms
64 bytes from 216.24.2.202: icmp_seq=0 ttl=254 time=1.953 ms (DUP!)
64 bytes from 216.24.2.202: icmp_seq=1 ttl=254 time=4.208 ms
64 bytes from 216.24.2.202: icmp_seq=1 ttl=254 time=4.446 ms (DUP!)

Here are the etherchannel and port group configs on the routers

RtrA (2950)

interface Port-channel2
!
interface FastEthernet0/1
 description Link via HN408U #1 to sw1.armplc FE0/10
 switchport trunk allowed vlan 808
 switchport mode trunk
 speed 100
 duplex full
 channel-group 2 mode desirable
!
interface FastEthernet0/2
 description Link via HN408U #2 to sw1.armplc FE0/17
 switchport trunk allowed vlan 808
 switchport mode trunk
 speed 100
 duplex full
 channel-group 2 mode desirable

RtrB (2924XL)

interface FastEthernet0/10
 description Link via HN408U #1 to sw1.armplc FE0/1
 duplex full
 speed 100
 port group 2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,808,1002-1005
 switchport mode trunk
 no cdp enable
!
interface FastEthernet0/17
 description Link via HN408U #2 to sw1.armplc FE0/2
 duplex full
 speed 100
 port group 2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,808,1002-1005
 switchport mode trunk
 no cdp enable
[c-nsp] VLAN mystery
Dealing with a mysterious vlan that won't work, right next to an identically configured VLAN on all the same equipment that works fine.

Router A is a cisco 7206 with two vlan subinterfaces on the same port, one (vlan 808) with address 216.24.2.201/30, one (vlan 888) with address 216.24.2.205/30. Gigabit0/2 is a gigE interface to Switch A

Switch A is a catalyst 2950. FastEthernet0/1 is a gig-e connection to Router A configured in VLAN trunking mode. Fastethernet0/1 is a 100bt connection to remote switch B, configured as a vlan trunk that only allows vlan 808. Fastethernet0/2 is a 100bt connection to remote switch B, configured as a vlan trunk that only allows vlan 888. Both vlans are defined in both the config and the vlan database.

Switch B is a catalyst 2924. FastEthernet0/1 is a 100bt connection to Router B configured in VLAN trunking mode. Fastethernet0/10 is a 100bt connection to remote switch A, configured as a vlan trunk that only allows vlan 808. Fastethernet0/17 is a 100bt connection to remote switch A, configured as a vlan trunk that only allows vlan 888. Both vlans are defined in both the config and the vlan database.

Router B is a cisco 7206 with two vlan subinterfaces on the same port, one (vlan 808) with address 216.24.2.201/30, one (vlan 888) with address 216.24.2.205/30. Fastethernet1/0 is a 100bt interface to Switch A

So --

RtrA(216.24.2.201,205)SwASwBRtrB(216.24.2.202,206)

From I can ping between 216.24.2.201 and 216.24.2.202 across vlan 808 fine. I cannot get traffic either direction between 216.24.2.205 and 216.24.2.206 across vlan 888. As near as I can tell the vlans are configured identically through all pieces of equipment, and both have been entered in the vlan database on both switches. I must be forgetting something about vlan config somewhere, but I can't figure out where. What am I missing?

Pings from core-gw1 (RtrA)

core-gw1.noc#ping 216.24.2.202
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 216.24.2.202, timeout is 2 seconds:
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
core-gw1.noc#ping 216.24.2.206
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 216.24.2.206, timeout is 2 seconds:
.
Success rate is 0 percent (0/5)

Below is the relevant config info from all the equipment.

= On Router A

interface GigabitEthernet0/2.808
 description HN-808 interconnect to armplc via core-sw3
 encapsulation dot1Q 808
 ip address 216.24.2.201 255.255.255.252
 no cdp enable
!
interface GigabitEthernet0/2.888
 description HN-888 interconnect to armplc via core-sw3
 encapsulation dot1Q 888
 ip address 216.24.2.205 255.255.255.252
 no cdp enable

= On Switch A

interface FastEthernet0/1
 switchport trunk allowed vlan 808
 switchport mode trunk
 speed 100
 duplex full
!
interface FastEthernet0/2
 switchport trunk allowed vlan 888
 switchport mode trunk
 speed 100
 duplex full
!
interface GigabitEthernet0/1
 switchport mode trunk
 speed 1000
 duplex full
!
interface Vlan1
 no ip address
 no ip route-cache
!
interface Vlan808
 no ip address
 no ip route-cache
 shutdown
!
interface Vlan888
 no ip address
 no ip route-cache
 shutdown

Switch#show vlan id 808

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
808  VLAN0808                         active    Fa0/1, Gi0/1

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
808  enet  100808     1500  -      -      -        -    -        0      0

Remote SPAN VLAN
----------------
Disabled

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

Switch#show vlan id 888

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
888  VLAN0888                         active    Fa0/2, Gi0/1

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
888  enet  100888     1500  -      -      -        -    -        0      0

Remote SPAN VLAN
----------------
Disabled

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

= On Switch B

interface FastEthernet0/1
 description to gw1.armplc
 duplex full
 speed 100
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no cdp enable
!
interface FastEthernet0/10
 description Hatteras 1 - HN408-U
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,808,1002-1005
 switchport mode trunk
 no
Re: [c-nsp] [cisco-nas] AS5400 More than 256 HDLC channels per CT3 card
From: Joseph Mays
Sent: Wednesday, July 08, 2015 12:36 PM
To: Aaron Leonard
Cc: cisco-...@puck.nether.net
Subject: Re: [cisco-nas] AS5400 More than 256 HDLC channels per CT3 card

This is useful information, but does it allow me to add more HDLC channels to a channel-group in a controller config? The problem I am having is that we add ds1 channels to ds3’s on an AS5400, add channel-groups and pri-groups to the ds1’s, like so...

controller T1 1/0:26
 framing esf
 channel-group 0 timeslots 1-15 speed 64
 loopback network ignore
 pri-group timeslots 16-24
 description combo PRI/T1

... and when channel-groups equal to 256 hdlc channels for the particular ds3 card have been added then the following happens

AS5400#config t
Enter configuration commands, one per line. End with CNTL/Z.
AS5400(config)#controller t1 7/0:14
AS5400#(config-controller)#channel-group 0 timeslots 1-22 speed 64
%Insufficient HDLC resources to create channel group

So what I specifically need is to be able to add more channel-group timeslots to the ds1’s on the unit. If I add resource pools as shown in your example below, will it allow me to add more channel-groups and channels to a t1 controller config?

From: Aaron Leonard
Sent: Friday, April 18, 2014 5:29 PM
To: Joseph Mays
Cc: nas cisco
Subject: Re: [cisco-nas] AS5400 More than 256 HDLC channels per CT3 card

Joe,

the 256 HDLC framers are on each CT3 card, and you can't use the framers on one card to handle channels on another card. However, you can go past the HDLC channel limit by adding NextPort DSPs to handle the HDLC framing (Tardis), and then the DSPs do act as a global pool.

Afaik, we never documented anything on this on CCO. Below is a snippet of a config that uses RPM to switch HDLC calls to a Tardis DSP pool.

Hth,

Aaron

Yes, you can use RPM to route your HDLC calls to NP resources. Basically you create a DNIS based customer profile and specify NP resource range for that number, such that the call will be routed to NP resources instead of default FreeDM resources. We use that in our Tardis testing and regression. Here is the configuration looks like. If you need some automated help then we have a ready-to-go scripts running for both AS5400 and AS5850.

===
resource-pool enable
resource-pool group resource tardis-ports
 range 1/0 - 1/323
resource-pool profile customer tardis-cust
 limit base-size all
 limit overflow-size 0
 resource tardis-ports digital
 dnis group tardis-dnis
dialer dnis group tardis-dnis
 number ... your DNIS number here...

On 4/16/2014 11:04 AM, m...@win.net (Joseph Mays) wrote:

The standard CT3 card for an AS5400 only allows 256 HDLC channels, or about 10.5 T1’s. Is there any other T3 card available for an AS5400 that supports more HDLC channels, or any way to increase the number of HDLC channels supported?

Also, if I have two CT3 cards in a unit, are the HDLC channels for each tied to their respective cards, or are they available system-wide? That is, would two cards require that I set up 10 T1’s on each card, or would they allow me to set up 20 T1’s on one card and no T1’s on the other?

Joe Mays

___
cisco-nas mailing list cisco-...@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nas
[c-nsp] Ping getting IPv6 address, though IPv6 is not enabled.
Got something going on on a router that seems strange. To me, anyway. I have a router that does not have IPv6 enabled, nor is IPv6 being used in the network it’s on. “ipv6” does not even occur anywhere in the config. On any addresses it looks up the IPv4 address fine, and can route to that address. But when I ping something like www.yahoo.com it grabs the IPv6 address and tries to ping that. And fails, of course. How do I get it to stop preferring IPv6 addresses?

core-gw1.noc#show ip route www.yahoo.com
Translating www.yahoo.com...domain server (216.24.27.4) [OK]

Routing entry for 98.139.128.0/17
  Known via bgp 7333, distance 20, metric 126041
  Tag 174, type external
  Last update from 38.122.142.5 1w0d ago
  Routing Descriptor Blocks:
  * 38.122.142.5, from 38.122.142.5, 1w0d ago
      Route metric is 126041, traffic share count is 1
      AS Hops 3

core-gw1.noc#show run | include ping
core-gw1.noc#show run | include icmp
 permit icmp any host 216.24.27.41
core-gw1.noc#ping www.yahoo.com
Translating www.yahoo.com...domain server (216.24.27.4) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:4998:58:C02::A9, timeout is 2 seconds:
.
Success rate is 0 percent (0/5)
[c-nsp] Router MIB for Lowest Processor Mem
So, I was looking for the MIB’s for the following info --

hbpots01.noc#show mem stat
            Head     Total(b)    Used(b)     Free(b)     Lowest(b)   Largest(b)
Processor   646D7940 182617792   36604700    146013092   145186904   142833748
      I/O   F50      11534336    6070116     5464220     5438864     5458140

I found all of them except the one I particularly need. Which is not surprising, because that’s just the way my life works, really. I found Process and IO MIB’s for Used, Free, and Largest Memory, which are all together.

SNMPv2-SMI::enterprises.9.9.48.1.1.1.5.1 = Gauge32: 36547448
SNMPv2-SMI::enterprises.9.9.48.1.1.1.5.2 = Gauge32: 6070096
SNMPv2-SMI::enterprises.9.9.48.1.1.1.6.1 = Gauge32: 146070344
SNMPv2-SMI::enterprises.9.9.48.1.1.1.6.2 = Gauge32: 5464240
SNMPv2-SMI::enterprises.9.9.48.1.1.1.7.1 = Gauge32: 142866568
SNMPv2-SMI::enterprises.9.9.48.1.1.1.7.2 = Gauge32: 5458140

What I can’t find is the one I really need, “Lowest” processor memory. I was looking through Cisco OID docs and can’t find it there. Anyone know the MIB for the Lowest Processor Memory value, or where to find it?
[c-nsp] Upgrade NPE-400 to NPE-G1
I have a cisco 7206 VXR with NPE-400 running c7200-ik9su2-mz.123-23.bin. I have an NPE-G1 card now that I would like to put in the router instead. Can I just swap the NPE-400 for the G1 card and expect it to work? I’m attaching the show ver on the NPE-400 system showing the bootloader, IOS, etc.

core-gw1.noc#show ver
Cisco Internetwork Operating System Software
IOS (tm) 7200 Software (C7200-IK9SU2-M), Version 12.3(23), RELEASE SOFTWARE (fc5)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by cisco Systems, Inc.
Compiled Tue 24-Jul-07 21:42 by stshen
Image text-base: 0x60008AF4, data-base: 0x61F61720

ROM: System Bootstrap, Version 12.2(4r)B, RELEASE SOFTWARE (fc1)
BOOTLDR: 7200 Software (C7200-BOOT-M), Version 12.0(24)S, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

core-gw1.noc uptime is 1 year, 14 weeks, 6 days, 22 hours, 58 minutes
System returned to ROM by power-on
System restarted at 16:57:27 EDT Tue May 21 2013
System image file is disk0:c7200-ik9su2-mz.123-23.bin

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
exp...@cisco.com.

cisco 7206VXR (NPE400) processor (revision A) with 491520K/32768K bytes of memory.
Processor board ID 20399590
R7000 CPU at 350MHz, Implementation 39, Rev 3.3, 256KB L2 Cache
6 slot VXR midplane, Version 2.0

Last reset from power-on
Bridging software.
X.25 software, Version 3.0.0.

PCI bus mb0_mb1 (Slots 0, 1, 3 and 5) has a capacity of 600 bandwidth points.
Current configuration on bus mb0_mb1 has a total of 800 bandwidth points.
The set of PA-2FE, PA-POS-2OC3, and I/O-2FE qualify for half
bandwidth points consideration, when full bandwidth point counting
results in oversubscription, under the condition that only one of the
two ports is used. With this adjustment, current configuration on bus
mb0_mb1 has a total of 800 bandwidth points.
This configuration has oversubscripted the PCI bus and is not a
supported configuration.

PCI bus mb2 (Slots 2, 4, 6) has a capacity of 600 bandwidth points.
Current configuration on bus mb2 has a total of 380 bandwidth points
This configuration is within the PCI bus capacity and is supported.

Please refer to the following document Cisco 7200 Series Port
Adaptor Hardware Configuration Guidelines on Cisco.com http://www.cisco.com
for c7200 bandwidth points oversubscription and usage guidelines.

WARNING: PCI bus mb0_mb1 Exceeds 600 bandwidth points

3 FastEthernet/IEEE 802.3 interface(s)
1 Gigabit Ethernet/IEEE 802.3 interface(s)
2 Serial network interface(s)
125K bytes of non-volatile configuration memory.

46976K bytes of ATA PCMCIA card at slot 0 (Sector size 512 bytes).
4096K bytes of Flash internal SIMM (Sector size 256K).
Configuration register is 0x102

core-gw1.noc#
[c-nsp] 7206 Gigabit Ethernet Card - Strange behavior
I have a Cisco 7206 with a Gigabit Ethernet card in it. I’m getting what I think is anomalous behavior, but I’m not sure.

7206, NPE-400

Slot 1:
  Gigabit Ethernet Port adapter, 1 port
  Port adapter is analyzed
  Port adapter insertion time 13:47:46 ago
  EEPROM contents at hardware discovery:
  Hardware revision 1.0
  Board revision A0
  Serial number 24455260
  Part number 73-3144-04
  FRU Part Number: PA-1GE=
  Test history 0x0
  RMA number 00-00-00
  EEPROM format version 1

The card has an adapter that plugs into it that adapts it for gig copper. The thing is, it shows a link light and up/up from the moment the adapter is plugged in, regardless of whether or not a cable is plugged into the adapter. Is this normal behavior, or an indication that something is wrong with the adapter or card?
[c-nsp] HDLC limitations on AS5400 CT3 card
The standard CT3 card for an AS5400 only allows 256 HDLC channels, or about 10.5 T1’s. Is there any other T3 card available for an AS5400 that supports more HDLC channels, or any way to increase the number of HDLC channels supported?

Also, if I have two CT3 cards in a unit, are the HDLC channels for each tied to their respective cards, or are they available system-wide? That is, would two cards require that I set up 10 T1’s on each card, or would they allow me to set up 20 T1’s on one card and no T1’s on the other?

Joe Mays
Re: [c-nsp] VLAN Trunking Question
Yes, configured it in both the vlan database (they are older switches) and in the config on each switch. It shows up in show vlan on all the switches.

core-sw3.noc#show vlan

VLAN Name                 Status    Ports
---- -------------------- --------- -------------------------------
1    default              active    Fa0/2, Fa0/3, Fa0/5, Fa0/6, Fa0/7, Fa0/8,
                                    Fa0/9, Fa0/10, Fa0/11, Fa0/12, Fa0/13, Fa0/14,
                                    Fa0/15, Fa0/16, Fa0/17, Fa0/18, Fa0/19, Fa0/20,
                                    Fa0/21, Fa0/22, Fa0/23, Fa0/24, Fa1/3, Fa1/4
201  VLAN0201             active
302  VLAN0302             active
303  VLAN0303             active
304  VLAN0304             active
808  VLAN0808             active
1002 fddi-default         active
1003 token-ring-default   active
1004 fddinet-default      active
1005 trnet-default        active

VLAN Type  SAID    MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  11      1500  -      -      -        -    -        0      0
201  enet  100201  1500  -      -      -        -    -        0      0
302  enet  100302  1500  -      -      -        -    -        0      0
303  enet  100303  1500  -      -      -        -    -        0      0
304  enet  100304  1500  -      -      -        -    -        0      0
808  enet  100808  1500  -      -      -        -    -        0      0
1002 fddi  101002  1500  -      -      -        -    -        0      0
1003 tr    101003  1500  -      -      -        -    -        0      0
1004 fdnet 101004  1500  -      -      -        ieee -        0      0
1005 trnet 101005  1500  -      -      -        ibm  -        0      0

-----Original Message-----
From: quinn snyder
Sent: Tuesday, September 10, 2013 6:13 PM
To: Joseph Mays
Subject: Re: [c-nsp] VLAN Trunking Question

do you have vl808 on all cats between your pair of c7200s?

q.

-= sent via iphone. please excuse spelling, grammar, and brevity =-

On Sep 10, 2013, at 14:25, Joseph Mays m...@win.net wrote:

Okay, so I am trying to set up a single VLAN to go through a series of catalyst switches. What I need, effectively, is one long ethernet connection between two routers. I thought this should work but since it is not, clearly, I've fundamentally misunderstood something.

Cisco 7206A(vlan 808 subinterface)--(vlan trunk Fe0/1)CatalystA(vlan trunk FE0/10)-...
...-(vlan trunk FE0/4)CatalystB(vlan trunk FE0/1)--(vlan trunk FE0/17)CatalystC(vlan trunk FE0/1)-...
...-(vlan 808 subinterface)Cisco 7206B

The configs on each port, for the curious.

Cisco 7206 A

interface FastEthernet1/0.808
 description HN-808 interconnect to armplc via sw1.armplc
 encapsulation dot1Q 808
 ip address 216.24.2.202 255.255.255.252

Catalyst A

interface FastEthernet0/1
 description to gw1.armplc
 duplex full
 speed 100
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no cdp enable

interface FastEthernet0/10
 description Hatteras 1 - HN408-U
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no cdp enable

Catalyst B

interface FastEthernet0/4
 description HN-808 interconnect to Armory Place
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface FastEthernet0/1
 description 802.1q trunk to core-sw1.noc (Heyburn 911) FE0/17
 load-interval 30
 duplex full
 speed 100
 switchport trunk encapsulation dot1q
 switchport mode trunk

Catalyst C

interface FastEthernet0/17
 description 802.1q trunk to core-sw3.noc.win.net (in Heyburn 513) FastEthernet0/0
 load-interval 30
 duplex full
 speed 100
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no cdp enable

interface FastEthernet0/1
 description 802.1q trunk to core-gw1.noc.win.net port FastEthernet0/0
 load-interval 30
 duplex full
 speed 100
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no cdp enable

Cisco 7206 B

interface FastEthernet0/0.808
 description HN-808 interconnect to armplc via core-sw3
 encapsulation dot1Q 808
 ip address 216.24.2.201 255.255.255.252
 no cdp enable
Re: [c-nsp] VLAN Trunking Question
* Have you defined the vlans?

Yes, they are defined in both the vlan database and the config on all the switches.

* Why have a dirty net and have all vlans tagged on all ports, and not only on the ports you want them on?

At the moment I’m just trying to make it work. If I don’t specifically allow certain vlans on the trunk then (my understanding is) all the vlans should be allowed and passed by the trunk by default. I thought that should work. If and when it does, I intend to lock it down so only vlan 808 is allowed on the trunk. But there is not much point in applying filters to a trunk that is not working even when it’s wide open.

From: Peter Persson
Sent: Tuesday, September 10, 2013 6:21 PM
To: Joseph Mays
Subject: Re: [c-nsp] VLAN Trunking Question

Hey,

This would be right. But I got a few questions.

* Have you defined the vlans?
* Why have a dirty net and have all vlans tagged on all ports, and not only on the ports you want them on?

/Peter

2013/9/10 Joseph Mays m...@win.net

Okay, so I am trying to set up a single VLAN to go through a series of catalyst switches. What I need, effectively, is one long ethernet connection between two routers. I thought this should work but since it is not, clearly, I've fundamentally misunderstood something.

Cisco 7206A(vlan 808 subinterface)--(vlan trunk Fe0/1)CatalystA(vlan trunk FE0/10)-...
...-(vlan trunk FE0/4)CatalystB(vlan trunk FE0/1)--(vlan trunk FE0/17)CatalystC(vlan trunk FE0/1)-...
...-(vlan 808 subinterface)Cisco 7206B

The configs on each port, for the curious.

Cisco 7206 A

interface FastEthernet1/0.808
 description HN-808 interconnect to armplc via sw1.armplc
 encapsulation dot1Q 808
 ip address 216.24.2.202 255.255.255.252

Catalyst A

interface FastEthernet0/1
 description to gw1.armplc
 duplex full
 speed 100
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no cdp enable

interface FastEthernet0/10
 description Hatteras 1 - HN408-U
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no cdp enable

Catalyst B

interface FastEthernet0/4
 description HN-808 interconnect to Armory Place
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface FastEthernet0/1
 description 802.1q trunk to core-sw1.noc (Heyburn 911) FE0/17
 load-interval 30
 duplex full
 speed 100
 switchport trunk encapsulation dot1q
 switchport mode trunk

Catalyst C

interface FastEthernet0/17
 description 802.1q trunk to core-sw3.noc.win.net (in Heyburn 513) FastEthernet0/0
 load-interval 30
 duplex full
 speed 100
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no cdp enable

interface FastEthernet0/1
 description 802.1q trunk to core-gw1.noc.win.net port FastEthernet0/0
 load-interval 30
 duplex full
 speed 100
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no cdp enable

Cisco 7206 B

interface FastEthernet0/0.808
 description HN-808 interconnect to armplc via core-sw3
 encapsulation dot1Q 808
 ip address 216.24.2.201 255.255.255.252
 no cdp enable
Re: [c-nsp] VLAN Trunking Question
In that instance we had to make the middle switch a vtp client. Odd but true...

All are set to vtp transparent at the moment, but I can try setting the middle to vtp client to see what happens.

No difference. I changed it back to them all being in transparent mode.
Re: [c-nsp] VLAN Trunking Question
In that instance we had to make the middle switch a vtp client. Odd but true...

All are set to vtp transparent at the moment, but I can try setting the middle to vtp client to see what happens.
[c-nsp] VLAN Trunking Question
Okay, so I am trying to set up a single VLAN to go through a series of catalyst switches. What I need, effectively, is one long ethernet connection between two routers. I thought this should work but since it is not, clearly, I've fundamentally misunderstood something.

Cisco 7206A(vlan 808 subinterface)--(vlan trunk Fe0/1)CatalystA(vlan trunk FE0/10)-...
...-(vlan trunk FE0/4)CatalystB(vlan trunk FE0/1)--(vlan trunk FE0/17)CatalystC(vlan trunk FE0/1)-...
...-(vlan 808 subinterface)Cisco 7206B

The configs on each port, for the curious.

Cisco 7206 A

interface FastEthernet1/0.808
 description HN-808 interconnect to armplc via sw1.armplc
 encapsulation dot1Q 808
 ip address 216.24.2.202 255.255.255.252

Catalyst A

interface FastEthernet0/1
 description to gw1.armplc
 duplex full
 speed 100
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no cdp enable

interface FastEthernet0/10
 description Hatteras 1 - HN408-U
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no cdp enable

Catalyst B

interface FastEthernet0/4
 description HN-808 interconnect to Armory Place
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface FastEthernet0/1
 description 802.1q trunk to core-sw1.noc (Heyburn 911) FE0/17
 load-interval 30
 duplex full
 speed 100
 switchport trunk encapsulation dot1q
 switchport mode trunk

Catalyst C

interface FastEthernet0/17
 description 802.1q trunk to core-sw3.noc.win.net (in Heyburn 513) FastEthernet0/0
 load-interval 30
 duplex full
 speed 100
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no cdp enable

interface FastEthernet0/1
 description 802.1q trunk to core-gw1.noc.win.net port FastEthernet0/0
 load-interval 30
 duplex full
 speed 100
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no cdp enable

Cisco 7206 B

interface FastEthernet0/0.808
 description HN-808 interconnect to armplc via core-sw3
 encapsulation dot1Q 808
 ip address 216.24.2.201 255.255.255.252
 no cdp enable
[c-nsp] Strange Arp Entries
I have a simple cisco 2600 that has two fastethernet interfaces. The arp table is filled with entries from ip's from all over the internet associated with the wan interface. I have no ip proxy-arp turned on for both interfaces. Any idea why the arp table might be filling up with this stuff?

[...]
Internet 194.225.24.70 73 000d.bdc3.f861 ARPA FastEthernet0/0
Internet 4.79.209.231 21 000d.bdc3.f861 ARPA FastEthernet0/0
Internet 208.185.44.56 38 000d.bdc3.f861 ARPA FastEthernet0/0
Internet 65.55.206.197 41 000d.bdc3.f861 ARPA FastEthernet0/0
Internet 184.31.53.239 101 000d.bdc3.f861 ARPA FastEthernet0/0
Internet 184.51.126.136 28 000d.bdc3.f861 ARPA FastEthernet0/0
Internet 211.23.224.89 63 000d.bdc3.f861 ARPA FastEthernet0/0
Internet 186.114.187.14212 000d.bdc3.f861 ARPA FastEthernet0/0
Internet 94.102.51.118 48 000d.bdc3.f861 ARPA FastEthernet0/0
Internet 54.242.87.237 217 000d.bdc3.f861 ARPA FastEthernet0/0
Internet 74.125.29.84 225 000d.bdc3.f861 ARPA FastEthernet0/0
[...]
Re: [c-nsp] Strange Arp Entries
That was it, thank you.

-----Original Message-----
From: Wouter Prins
Sent: Friday, August 30, 2013 1:12 PM
To: Joseph Mays
Cc: Cisco NSP
Subject: Re: [c-nsp] Strange Arp Entries

Hi Joseph,

You probably set a static (default) route with a next-hop interface instead of next-hop IP.

On 30 August 2013 18:45, Joseph Mays m...@win.net wrote:

I have a simple cisco 2600 that has two fastethernet interfaces. The arp table is filled with entries from ip's from all over the internet associated with the wan interface. I have no ip proxy-arp turned on for both interfaces. Any idea why the arp table might be filling up with this stuff?

[...]
Internet 194.225.24.70 73 000d.bdc3.f861 ARPA FastEthernet0/0
Internet 4.79.209.231 21 000d.bdc3.f861 ARPA FastEthernet0/0
Internet 208.185.44.56 38 000d.bdc3.f861 ARPA FastEthernet0/0
Internet 65.55.206.197 41 000d.bdc3.f861 ARPA FastEthernet0/0
Internet 184.31.53.239 101 000d.bdc3.f861 ARPA FastEthernet0/0
Internet 184.51.126.136 28 000d.bdc3.f861 ARPA FastEthernet0/0
Internet 211.23.224.89 63 000d.bdc3.f861 ARPA FastEthernet0/0
Internet 186.114.187.14212 000d.bdc3.f861 ARPA FastEthernet0/0
Internet 94.102.51.118 48 000d.bdc3.f861 ARPA FastEthernet0/0
Internet 54.242.87.237 217 000d.bdc3.f861 ARPA FastEthernet0/0
Internet 74.125.29.84 225 000d.bdc3.f861 ARPA FastEthernet0/0
[...]

--
Wouter Prins
w...@null0.nl
Re: [c-nsp] Router rebooting due to software crash.
Yeah, I got some 12.4 code for it, but it doesn't currently have enough flash ram to hold that. I upgraded it from 12.3(6) to 12.3(23), we'll see if that helps.

-----Original Message-----
From: Chuck Church
Sent: Tuesday, August 06, 2013 10:39 AM
To: 'Justin M. Streiner' ; 'Cisco-nsp'
Subject: Re: [c-nsp] Router rebooting due to software crash.

I think you can actually get recent 12.4 code for it. Not the latest, but close. Could be a memory issue with it, a DOS against it, etc. Reseating the modules and memory and trying a more recent IOS might all help.

Chuck

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Justin M. Streiner
Sent: Tuesday, August 06, 2013 10:18 AM
To: Cisco-nsp
Subject: Re: [c-nsp] Router rebooting due to software crash.

On Mon, 5 Aug 2013, Joseph Mays wrote:

We have a cisco 3600 that has rebooted twice in the last two hours, both times due to a software crash that shows the same memory address. I checked show mem and nothing is listed as operating that address, at least not right now. This router has been in operation a long time and has not had these problems previously. Nothing has changed in the config on the router in the last several months, at least.

Another possibility is that the version of code you're running is vulnerable to one (or more) of the many bugs that can cause a Cisco router to reload, leak memory, etc. 12.3(6) is pretty ancient code, and the 3640 has been end-of-life since 2007, and no new code has been released for it since probably late 2005.

I don't know what function this router serves in your network, but replacing it with something newer that can run newer code is worth considering, especially if it's something that can be reached from untrusted networks.

jms
[c-nsp] Router rebooting due to software crash.
We have a cisco 3600 that has rebooted twice in the last two hours, both times due to a software crash that shows the same memory address. I checked show mem and nothing is listed as operating that address, at least not right now. This router has been in operation a long time and has not had these problems previously. Nothing has changed in the config on the router in the last several months, at least.

gw1.dist#show ver
Cisco Internetwork Operating System Software
IOS (tm) 3600 Software (C3640-IS-M), Version 12.3(6), RELEASE SOFTWARE (fc3)
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Wed 11-Feb-04 18:02 by kellythw
Image text-base: 0x60008B00, data-base: 0x61B9C000

ROM: System Bootstrap, Version 11.1(20)AA2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

gw1.dist uptime is 9 minutes
System returned to ROM by error - a Software forced crash, PC 0x604F0D20 at 14:22:26 EDT Mon Aug 5 2013
System restarted at 14:24:08 EDT Mon Aug 5 2013
System image file is flash:c3640-is-mz.123-6.bin

cisco 3640 (R4700) processor (revision 0x00) with 124928K/6144K bytes of memory.
Processor board ID 11876053
R4700 CPU at 100MHz, Implementation 33, Rev 1.0
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
2 FastEthernet/IEEE 802.3 interface(s)
3 Serial network interface(s)
1 Subrate T3/E3 ports(s)
DRAM configuration is 64 bits wide with parity disabled.
125K bytes of non-volatile configuration memory.
24576K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102

I checked show mem and this address doesn't show up currently. Any clues on how to isolate what is causing this?
[c-nsp] Access lists and NAT
I have the following LAN interface, which has two addresses, one of which is NATted.

interface FastEthernet0/1
 ip address 216.24.4.185 255.255.255.248 secondary
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
ip nat inside source list 50 interface FastEthernet0/0 overload
access-list 50 permit 192.168.0.0 0.0.0.255

I want to block traffic so that addresses on the 216.24.4.185/29 block can only speak to things in the larger 216.24.0.0/18 block. I want traffic from the 196.168.0/24 address to be NATted and able to go to the world. I’ve tried a few different access lists, and sets of access lists, but I get pretty much the same result whatever I try. If for instance, I put

ip access-list extended permit-phone-service-in
 permit ip 216.24.4.184 0.0.0.7 216.24.0.0 0.0.63.255 log-input
 permit ip 216.24.4.184 0.0.0.7 24.235.0.0 0.0.31.255 log-input
 permit ip any 192.168.0.0 0.0.0.255 log-input
ip access-list extended permit-phone-service-out
 permit ip 216.24.0.0 0.0.63.255 216.24.4.184 0.0.0.7 log-input
 permit ip 24.235.0.0 0.0.31.255 216.24.4.184 0.0.0.7 log-input
 permit ip 192.168.0.0 0.0.0.255 any log-input

And add the lines for those to the interface --

interface FastEthernet0/1
 ip address 216.24.4.185 255.255.255.248 secondary
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip access-group permit-phone-service-out out
 ip access-group permit-phone-service-in in
 duplex auto
 speed auto

Things in the 216.24.4.184/28 network block work fine and as desired. They still work for 216.24.0.0/18, but are blocked from outside of that. Things in the 192.168.0.0/24 network block stop working completely, though. They can no longer get out from those addresses to the world. I think, but am not certain, that it may be breaking NAT for that network block.

HBMgmtOffice#show run
Building configuration...

Current configuration : 1499 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HBMgmtOffice
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$a.yY$AyH/z0cGnCoai.UL5i7Rw0
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa accounting delay-start
aaa session-id common
ip subnet-zero
ip cef
!
!
ip name-server 216.24.27.3
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.0.150 192.168.0.255
ip dhcp excluded-address 192.168.0.0 192.168.0.50
!
ip dhcp pool edge-dhcp-pool
 network 192.168.0.0 255.255.255.0
 dns-server 216.24.27.3
 default-router 192.168.0.1
!
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
username admin password 7 094E5B0E0A0302160F
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 216.24.2.30 255.255.255.252
 no ip proxy-arp
 ip nat outside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 216.24.4.185 255.255.255.248 secondary
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
ip nat inside source list 50 interface FastEthernet0/0 overload
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
!
access-list 20 permit 216.24.27.0 0.0.0.255
access-list 50 permit 192.168.0.0 0.0.0.255
!
snmp-server community wini4q5cust RO 20
snmp-server community mmn3gv5h RW 20
snmp-server tftp-server-list 20
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
HBMgmtOffice#config t
Enter configuration commands, one per line. End with CNTL/Z.
HBMgmtOffice(config)#ip access-list extended permit-phone-service-in
HBMgmtOffice(config-ext-nacl)#$84 0.0.0.7 216.24.0.0 0.0.63.255 log-input
HBMgmtOffice(config-ext-nacl)#$84 0.0.0.7 24.235.0.0 0.0.31.255 log-input
HBMgmtOffice(config-ext-nacl)# permit ip any 192.168.0.0 0.0.0.255 log-input
HBMgmtOffice(config-ext-nacl)#$ist extended permit-phone-service-out
HBMgmtOffice(config-ext-nacl)#$ 0.0.63.255 216.24.4.184 0.0.0.7 log-input
HBMgmtOffice(config-ext-nacl)#$ 0.0.31.255 216.24.4.184 0.0.0.7 log-input
HBMgmtOffice(config-ext-nacl)# permit ip 192.168.0.0 0.0.0.255 any log-input
HBMgmtOffice(config-ext-nacl)#
HBMgmtOffice(config-ext-nacl)#
HBMgmtOffice(config-ext-nacl)#exit
HBMgmtOffice(config)#exit
HBMgmtOffice#write mem
Building configuration...
[OK]
HBMgmtOffice#Connection closed by foreign host.
admin1 telnet 216.24.2.30
Trying 216.24.2.30...
Connected to 216-24-2-30.ip.win.net.
Escape character is '^]'.

User Access Verification

Username: admin
Password:
HBMgmtOffice>enable
Password:
HBMgmtOffice#
HBMgmtOffice#
HBMgmtOffice#
HBMgmtOffice#show run
Building configuration...

Current configuration : 1948 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HBMgmtOffice
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$a.yY$AyH/z0cGnCoai.UL5i7Rw0
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa accounting delay-start
aaa session-id common
ip subnet-zero
ip cef
!
!
Re: [c-nsp] Access lists and NAT
Whoops. I was working on another issue the last couple of days so admittedly haven't been getting as much sleep as I should. I meant to strip the complete config off the end of the message rather than sending it to the list along with the passwords. What I intended to do and what happened were two different things. Anyway, passwords have been changed.

Getting back to the initial question

I have the following LAN interface, which has two addresses, one of which is NATted.

interface FastEthernet0/1
 ip address 216.24.4.185 255.255.255.248 secondary
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
ip nat inside source list 50 interface FastEthernet0/0 overload
access-list 50 permit 192.168.0.0 0.0.0.255

I want to block traffic so that addresses on the 216.24.4.185/29 block can only speak to things in the larger 216.24.0.0/18 block. I want traffic from the 196.168.0/24 address to be NATted and able to go to the world. I’ve tried a few different access lists, and sets of access lists, but I get pretty much the same result whatever I try. If for instance, I put

ip access-list extended permit-phone-service-in
 permit ip 216.24.4.184 0.0.0.7 216.24.0.0 0.0.63.255 log-input
 permit ip 216.24.4.184 0.0.0.7 24.235.0.0 0.0.31.255 log-input
 permit ip any 192.168.0.0 0.0.0.255 log-input
ip access-list extended permit-phone-service-out
 permit ip 216.24.0.0 0.0.63.255 216.24.4.184 0.0.0.7 log-input
 permit ip 24.235.0.0 0.0.31.255 216.24.4.184 0.0.0.7 log-input
 permit ip 192.168.0.0 0.0.0.255 any log-input

And add the lines for those to the interface --

interface FastEthernet0/1
 ip address 216.24.4.185 255.255.255.248 secondary
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip access-group permit-phone-service-out out
 ip access-group permit-phone-service-in in
 duplex auto
 speed auto

Things in the 216.24.4.184/28 network block work fine and as desired. They still work for 216.24.0.0/18, but are blocked from outside of that. Things in the 192.168.0.0/24 network block stop working completely, though. They can no longer get out from those addresses to the world. I think, but am not certain, that it may be breaking NAT for that network block.
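An added example, not part of the original posts: a first-match evaluator for the two extended ACLs quoted in the message above, run over constructed packets. It assumes IOS checks the inbound ACL on FastEthernet0/1 before inside-to-outside NAT and the outbound ACL after return traffic has been translated back, so both lists see 192.168.0.x addresses; the host 192.168.0.60, the remote 198.51.100.10 and the SWAPPED_* lists are assumptions made here, not something the thread confirms.

```python
import ipaddress

# The two extended ACLs as quoted in the post (applied "in" and "out" on Fa0/1).
ACL_IN = """
permit ip 216.24.4.184 0.0.0.7 216.24.0.0 0.0.63.255 log-input
permit ip 216.24.4.184 0.0.0.7 24.235.0.0 0.0.31.255 log-input
permit ip any 192.168.0.0 0.0.0.255 log-input
"""
ACL_OUT = """
permit ip 216.24.0.0 0.0.63.255 216.24.4.184 0.0.0.7 log-input
permit ip 24.235.0.0 0.0.31.255 216.24.4.184 0.0.0.7 log-input
permit ip 192.168.0.0 0.0.0.255 any log-input
"""
# Assumption (not from the thread): the same lists with the two 192.168.0.0/24
# entries exchanged, so each one faces the direction its list is applied in.
SWAPPED_IN = """
permit ip 216.24.4.184 0.0.0.7 216.24.0.0 0.0.63.255 log-input
permit ip 216.24.4.184 0.0.0.7 24.235.0.0 0.0.31.255 log-input
permit ip 192.168.0.0 0.0.0.255 any log-input
"""
SWAPPED_OUT = """
permit ip 216.24.0.0 0.0.63.255 216.24.4.184 0.0.0.7 log-input
permit ip 24.235.0.0 0.0.31.255 216.24.4.184 0.0.0.7 log-input
permit ip any 192.168.0.0 0.0.0.255 log-input
"""


def to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def parse_acl(text):
    """Parse 'permit|deny ip <src> <dst> [log-input]' lines into entries."""
    entries = []
    for raw in text.strip().splitlines():
        tok = raw.split()
        try:
            if tok[0] not in ("permit", "deny") or tok[1] != "ip":
                raise ValueError
            rest, specs = tok[2:], []
            for _ in range(2):  # source spec, then destination spec
                if rest[0] == "any":
                    specs.append((0, 0xFFFFFFFF))
                    rest = rest[1:]
                elif rest[0] == "host":
                    specs.append((to_int(rest[1]), 0))
                    rest = rest[2:]
                else:  # address followed by wildcard mask
                    specs.append((to_int(rest[0]), to_int(rest[1])))
                    rest = rest[2:]
        except (IndexError, ValueError):
            raise ValueError(f"unsupported ACL line: {raw!r}") from None
        entries.append((tok[0], specs[0], specs[1], raw.strip()))
    return entries


def matches(addr, spec):
    """Wildcard-mask match: bits set in the wildcard are 'don't care'."""
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (to_int(addr) & care) == (base & care)


def evaluate(acl_text, src, dst):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for action, src_spec, dst_spec, line in parse_acl(acl_text):
        if matches(src, src_spec) and matches(dst, dst_spec):
            return action, line
    return "deny", "implicit deny"


def trace(acl_in, acl_out, lan_host, remote):
    """Both ACL checks a LAN-originated flow meets on FastEthernet0/1."""
    return {
        "request": evaluate(acl_in, lan_host, remote),   # LAN -> router, inbound
        "reply": evaluate(acl_out, remote, lan_host),    # router -> LAN, outbound
    }


if __name__ == "__main__":
    flows = [  # constructed sample flows
        ("216.24.4.186", "216.24.27.3"),
        ("216.24.4.186", "198.51.100.10"),
        ("192.168.0.60", "198.51.100.10"),
    ]
    for label, (a_in, a_out) in (("as posted", (ACL_IN, ACL_OUT)),
                                 ("192.168 entries swapped", (SWAPPED_IN, SWAPPED_OUT))):
        print(label)
        for lan, remote in flows:
            result = trace(a_in, a_out, lan, remote)
            print(f"  {lan} -> {remote}: request {result['request']}, reply {result['reply']}")
```

As posted, a packet from 192.168.0.60 to an outside address matches no entry in either direction, because each 192.168.0.0/24 entry sits in the list applied in the opposite direction. The evaluator models only the `ip` entries shown, so anything else arriving on the interface still falls to the implicit deny.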
[c-nsp] 7206 NVRAM issue
Got a used 7206 I am trying to bring back to life. It seems to be able to read the PCMCIA card in the slot okay, but after a power cycle it loses config and claims the NVRAM is corrupt, throwing me to rommon. From there I can tell it to boot from disk0 and it boots alright from the PCMCIA card into the default config. Needless to say, any config I have entered gets lost.

Which NVRAM is it referring to? The 4 meg on the motherboard? Is there any way to clear and reset that, or does it just need to be replaced?

Warning: monitor nvram area is corrupt ... using default values
C7200 platform with 131072 Kbytes of main memory

[after a power cycle]

System Bootstrap, Version 12.2(4r)B, RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 2002 by cisco Systems, Inc.
Warning: monitor nvram area is corrupt ... using default values
C7200 platform with 131072 Kbytes of main memory

rommon 1 boot disk0
Self decompressing the image : [OK]
[... and so on into the default config...]
Re: [c-nsp] 7206 NVRAM issue
> Got a used 7206

I should have said, 7206VXR - NPE400.
Re: [c-nsp] 7206 NVRAM issue
> I had a couple that did that and I was able to fix one of them by replacing the battery on the I/O card.

The I/O Board has been sitting on a shelf for... a long time anyway. So that makes sense. I'll replace the battery.
[c-nsp] pptp connection to 2600 with Windows VPN failing.
Trying to make a vpdn setup work from a windows vpn client to a cisco 2600. I had this working for a while, but then after one minor config change by someone else it stopped working. That change shouldn't have broken anything, but I backed it out nonetheless and the connection is still not working again. I think it's breaking during the LCP negotiation, before authentication even occurs. Here's what I get from PPP debugging. Notice that it never gets to the authentication phase. I will attach relevant portions of the config afterwards. genisis#show debug PPP: PPP detailed event debugging is on PPP authentication debugging is on PPP protocol errors debugging is on PPP protocol negotiation debugging is on genisis# genisis#term mon genisis# *Mar 1 02:26:32.559: Se0/0 PPP: Outbound cdp packet dropped, CDPCP state is Listen *Mar 1 02:26:39.415: EVT: Dynamic Bind 0 0x82C3989C *Mar 1 02:26:39.415: ppp13 EVT: Cstate 4 0x *Mar 1 02:26:39.415: ppp13 PPP: Using vpn set call direction *Mar 1 02:26:39.415: ppp13 PPP: Treating connection as a callin *Mar 1 02:26:39.415: ppp13 PPP: Phase is ESTABLISHING, Passive Open *Mar 1 02:26:39.415: ppp13 LCP: State is Listen *Mar 1 02:26:39.439: ppp13 EVT: Packet 0 0x8332C29C *Mar 1 02:26:39.439: ppp13 LCP: I CONFREQ [Listen] id 0 len 21 *Mar 1 02:26:39.439: ppp13 LCP:MRU 1400 (0x01040578) *Mar 1 02:26:39.439: ppp13 LCP:MagicNumber 0x4FC8505D (0x05064FC8505D) *Mar 1 02:26:39.439: ppp13 LCP:PFC (0x0702) *Mar 1 02:26:39.439: ppp13 LCP:ACFC (0x0802) *Mar 1 02:26:39.439: ppp13 LCP:Callback 6 (0x0D0306) *Mar 1 02:26:39.439: ppp13 PPP: Authorization required *Mar 1 02:26:39.439: ppp13 LCP: O CONFREQ [Listen] id 1 len 15 *Mar 1 02:26:39.443: ppp13 LCP:AuthProto MS-CHAP (0x0305C22380) *Mar 1 02:26:39.443: ppp13 LCP:MagicNumber 0x0F0968D2 (0x05060F0968D2) *Mar 1 02:26:39.443: ppp13 LCP: O CONFREJ [Listen] id 0 len 7 *Mar 1 02:26:39.443: ppp13 LCP:Callback 6 (0x0D0306) *Mar 1 02:26:41.431: ppp13 EVT: Packet 0 0x830D1F30 *Mar 1 02:26:41.431: ppp13 
LCP: I CONFREQ [REQsent] id 1 len 21 *Mar 1 02:26:41.431: ppp13 LCP:MRU 1400 (0x01040578) *Mar 1 02:26:41.431: ppp13 LCP:MagicNumber 0x4FC8505D (0x05064FC8505D) *Mar 1 02:26:41.431: ppp13 LCP:PFC (0x0702) *Mar 1 02:26:41.431: ppp13 LCP:ACFC (0x0802) *Mar 1 02:26:41.431: ppp13 LCP:Callback 6 (0x0D0306) *Mar 1 02:26:41.431: ppp13 LCP: O CONFREJ [REQsent] id 1 len 7 *Mar 1 02:26:41.431: ppp13 LCP:Callback 6 (0x0D0306) *Mar 1 02:26:41.451: ppp13 LCP: TIMEout: State REQsent *Mar 1 02:26:41.451: ppp13 LCP: O CONFREQ [REQsent] id 2 len 15 *Mar 1 02:26:41.451: ppp13 LCP:AuthProto MS-CHAP (0x0305C22380) *Mar 1 02:26:41.451: ppp13 LCP:MagicNumber 0x0F0968D2 (0x05060F0968D2) *Mar 1 02:26:43.467: ppp13 LCP: TIMEout: State REQsent *Mar 1 02:26:43.467: ppp13 LCP: O CONFREQ [REQsent] id 3 len 15 *Mar 1 02:26:43.467: ppp13 LCP:AuthProto MS-CHAP (0x0305C22380) *Mar 1 02:26:43.467: ppp13 LCP:MagicNumber 0x0F0968D2 (0x05060F0968D2) *Mar 1 02:26:44.431: ppp13 EVT: Packet 0 0x830D2E1C *Mar 1 02:26:44.435: ppp13 LCP: I CONFREQ [REQsent] id 2 len 21 *Mar 1 02:26:44.435: ppp13 LCP:MRU 1400 (0x01040578) *Mar 1 02:26:44.435: ppp13 LCP:MagicNumber 0x4FC8505D (0x05064FC8505D) *Mar 1 02:26:44.435: ppp13 LCP:PFC (0x0702) *Mar 1 02:26:44.435: ppp13 LCP:ACFC (0x0802) *Mar 1 02:26:44.435: ppp13 LCP:Callback 6 (0x0D0306) *Mar 1 02:26:44.435: ppp13 LCP: O CONFREJ [REQsent] id 2 len 7 *Mar 1 02:26:44.435: ppp13 LCP:Callback 6 (0x0D0306) *Mar 1 02:26:45.483: ppp13 LCP: TIMEout: State REQsent *Mar 1 02:26:45.483: ppp13 LCP: O CONFREQ [REQsent] id 4 len 15 *Mar 1 02:26:45.483: ppp13 LCP:AuthProto MS-CHAP (0x0305C22380) *Mar 1 02:26:45.483: ppp13 LCP:MagicNumber 0x0F0968D2 (0x05060F0968D2) *Mar 1 02:26:47.499: ppp13 LCP: TIMEout: State REQsent *Mar 1 02:26:47.499: ppp13 LCP: O CONFREQ [REQsent] id 5 len 15 *Mar 1 02:26:47.499: ppp13 LCP:AuthProto MS-CHAP (0x0305C22380) *Mar 1 02:26:47.499: ppp13 LCP:MagicNumber 0x0F0968D2 (0x05060F0968D2) *Mar 1 02:26:48.427: ppp13 EVT: Packet 0 0x830D3118 *Mar 1 
02:26:48.431: ppp13 LCP: I CONFREQ [REQsent] id 3 len 21 *Mar 1 02:26:48.431: ppp13 LCP:MRU 1400 (0x01040578) *Mar 1 02:26:48.431: ppp13 LCP:MagicNumber 0x4FC8505D (0x05064FC8505D) *Mar 1 02:26:48.431: ppp13 LCP:PFC (0x0702) *Mar 1 02:26:48.431: ppp13 LCP:ACFC (0x0802) *Mar 1 02:26:48.431: ppp13 LCP:Callback 6 (0x0D0306) *Mar 1 02:26:48.431: ppp13 LCP: O CONFREJ [REQsent] id 3 len 7 *Mar 1 02:26:48.431: ppp13 LCP:Callback 6 (0x0D0306) *Mar 1 02:26:49.515: ppp13 LCP: TIMEout: State REQsent *Mar 1 02:26:49.515: ppp13 LCP: O CONFREQ [REQsent] id 6 len 15 *Mar 1 02:26:49.515: ppp13 LCP:AuthProto MS-CHAP (0x0305C22380) *Mar 1 02:26:49.515: ppp13 LCP:MagicNumber 0x0F0968D2 (0x05060F0968D2) *Mar 1 02:26:51.531: ppp13 LCP: TIMEout: State REQsent *Mar 1
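The LCP exchange in the debug output above can be tallied mechanically. This is an added example, not part of the original post: a parser for `debug ppp negotiation` LCP lines that reports which of the router's outbound CONFREQs were never answered, which options the router rejected, and whether the peer sent a rejected option again. The embedded excerpt is copied from the post's debug output (first seconds only, with the option spacing as it appears on this page); the function names are this example's own.

```python
import re

# Excerpt of the debug output from the post (EVT lines left out).
DEBUG_EXCERPT = """\
*Mar 1 02:26:39.415: ppp13 PPP: Phase is ESTABLISHING, Passive Open
*Mar 1 02:26:39.415: ppp13 LCP: State is Listen
*Mar 1 02:26:39.439: ppp13 LCP: I CONFREQ [Listen] id 0 len 21
*Mar 1 02:26:39.439: ppp13 LCP:MRU 1400 (0x01040578)
*Mar 1 02:26:39.439: ppp13 LCP:MagicNumber 0x4FC8505D (0x05064FC8505D)
*Mar 1 02:26:39.439: ppp13 LCP:PFC (0x0702)
*Mar 1 02:26:39.439: ppp13 LCP:ACFC (0x0802)
*Mar 1 02:26:39.439: ppp13 LCP:Callback 6 (0x0D0306)
*Mar 1 02:26:39.439: ppp13 PPP: Authorization required
*Mar 1 02:26:39.439: ppp13 LCP: O CONFREQ [Listen] id 1 len 15
*Mar 1 02:26:39.443: ppp13 LCP:AuthProto MS-CHAP (0x0305C22380)
*Mar 1 02:26:39.443: ppp13 LCP:MagicNumber 0x0F0968D2 (0x05060F0968D2)
*Mar 1 02:26:39.443: ppp13 LCP: O CONFREJ [Listen] id 0 len 7
*Mar 1 02:26:39.443: ppp13 LCP:Callback 6 (0x0D0306)
*Mar 1 02:26:41.431: ppp13 LCP: I CONFREQ [REQsent] id 1 len 21
*Mar 1 02:26:41.431: ppp13 LCP:MRU 1400 (0x01040578)
*Mar 1 02:26:41.431: ppp13 LCP:MagicNumber 0x4FC8505D (0x05064FC8505D)
*Mar 1 02:26:41.431: ppp13 LCP:PFC (0x0702)
*Mar 1 02:26:41.431: ppp13 LCP:ACFC (0x0802)
*Mar 1 02:26:41.431: ppp13 LCP:Callback 6 (0x0D0306)
*Mar 1 02:26:41.431: ppp13 LCP: O CONFREJ [REQsent] id 1 len 7
*Mar 1 02:26:41.431: ppp13 LCP:Callback 6 (0x0D0306)
*Mar 1 02:26:41.451: ppp13 LCP: TIMEout: State REQsent
*Mar 1 02:26:41.451: ppp13 LCP: O CONFREQ [REQsent] id 2 len 15
*Mar 1 02:26:41.451: ppp13 LCP:AuthProto MS-CHAP (0x0305C22380)
*Mar 1 02:26:41.451: ppp13 LCP:MagicNumber 0x0F0968D2 (0x05060F0968D2)
"""

# "<session> LCP: I|O <code> [<state>] id N len N"
MSG = re.compile(r"(\S+) LCP: ([IO]) (CONF\w+) \[(\w+)\] id (\d+) len (\d+)")
# "<session> LCP:<option> [value] (0x<raw option bytes>)"
OPT = re.compile(r"(\S+) LCP:\s*(\S+)(?: (.+?))? \((0x[0-9A-Fa-f]+)\)\s*$")


def parse_lcp(text):
    """Return LCP messages in order, each with the option names listed under it."""
    messages, current = [], None
    for line in text.splitlines():
        m = MSG.search(line)
        if m:
            current = {"session": m.group(1), "dir": m.group(2), "code": m.group(3),
                       "state": m.group(4), "id": int(m.group(5)), "options": []}
            messages.append(current)
            continue
        o = OPT.search(line)
        if o and current is not None:
            current["options"].append(o.group(2))
        else:
            current = None  # any other line ends the option list
    return messages


def analyze(text):
    msgs = parse_lcp(text)
    # Ids of our CONFREQs that the peer answered in any way.
    answered = {m["id"] for m in msgs
                if m["dir"] == "I" and m["code"] in ("CONFACK", "CONFNAK", "CONFREJ")}
    sent = {m["id"] for m in msgs if m["dir"] == "O" and m["code"] == "CONFREQ"}
    rejected, resent = set(), []
    for m in msgs:
        if m["dir"] == "O" and m["code"] == "CONFREJ":
            rejected.update(m["options"])
        elif m["dir"] == "I" and m["code"] == "CONFREQ":
            # Options the peer requests again after we already rejected them.
            resent += [o for o in m["options"] if o in rejected and o not in resent]
    return {
        "unanswered_confreq_ids": sorted(sent - answered),
        "rejected_by_us": sorted(rejected),
        "resent_after_reject": resent,
        "reached_authentication": "Phase is AUTHENTICATING" in text,
    }


if __name__ == "__main__":
    for key, value in analyze(DEBUG_EXCERPT).items():
        print(f"{key}: {value}")
```

On this excerpt the router's CONFREQs carrying AuthProto MS-CHAP get no CONFACK, CONFNAK or CONFREJ back, and the peer repeats the Callback option after it was rejected, so the session never leaves LCP.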
Re: [c-nsp] pptp connection to 2600 with Windows VPN failing.
BTW, yes, I am aware that I left the passwords for ftp etc in the config. They've already been changed.

- Original Message -
From: Joseph Mays m...@win.net
To: cisco-nsp@puck.nether.net
Sent: Wednesday, December 12, 2012 5:12 PM
Subject: [c-nsp] pptp connection to 2600 with Windows VPN failing.
Re: [c-nsp] CRC errors on fastethernet interface
Two or three people have pointed out that speed 100 should be set on the interface of the 7206. To quote my original message... (Since the 7206 does not specify 100mbps, I had thought maybe it was occasionally trying to renegotiate the speed, which might screw up the switch end, which is hardwired 100-full, while the 7206 is set to full-duplex, the speed command to force 100mbps speed does not seem to exist on the 7206.) I originally tried the speed 100 command on the ethernet interface of the 7206. To my complete surprise, the 7206 does not seem to recognize that command. It's running... IOS (tm) 7200 Software (C7200-IK9SU2-M), Version 12.3(23), RELEASE SOFTWARE (fc5) When I try to set the speed, it rejects the config line. core-gw1.noc(config)#int fastethernet0/0 core-gw1.noc(config-if)#speed 100 ^ % Invalid input detected at '^' marker. This is a complete surprise to me, to say the least. If there is some other command to set the speed, I can't find it. - Original Message - From: Joe Mays m...@win.net To: cisco-nsp@puck.nether.net Sent: Thursday, November 22, 2012 1:33 AM Subject: [c-nsp] CRC errors on fastethernet interface Have a 7206 connected to a Catalyst 2900XL switch port. The 2900XL is getting CRC errors on the port at the rate of about one every one or two seconds. I've tried replacing the cable, no effect. 
core-sw1.noc#show int fastethernet0/1 FastEthernet0/1 is up, line protocol is up Hardware is Fast Ethernet, address is 0002.7d2f.bc41 (bia 0002.7d2f.bc41) Description: 802.1q trunk to core-gw1.noc.win.net port FastEthernet0/0 MTU 1500 bytes, BW 10 Kbit, DLY 100 usec, reliability 255/255, txload 51/255, rxload 37/255 Encapsulation ARPA, loopback not set Keepalive not set Full-duplex, 100Mb/s, 100BaseTX/FX ARP type: ARPA, ARP Timeout 04:00:00 Last input never, output 00:00:00, output hang never Last clearing of show interface counters 00:05:49 Queueing strategy: fifo Output queue 0/40, 0 drops; input queue 0/75, 0 drops 30 second input rate 14547000 bits/sec, 2327 packets/sec 30 second output rate 20099000 bits/sec, 3507 packets/sec 862330 packets input, 682108246 bytes Received 398 broadcasts, 0 runts, 0 giants, 0 throttles 63 input errors, 63 CRC, 0 frame, 64 overrun, 64 ignored 0 watchdog, 257 multicast 0 input packets with dribble condition detected 1262698 packets output, 899402766 bytes, 0 underruns 0 output errors, 0 collisions, 0 interface resets 0 babbles, 0 late collision, 0 deferred 0 lost carrier, 0 no carrier 0 output buffer failures, 0 output buffers swapped out Since changing the cable made no difference, it's either a port problem on the 7206 or 2900XL, or a config problem. Here are the configs for the interfaces on each end. (Since the 7206 does not specify 100mbps, I had thought maybe it was occasionally trying to renegotiate the speed, which might screw up the switch end, which is hardwired 100-full, while the 7206 is set to full-duplex, the speed command to force 100mbps speed does not seem to exist on the 7206.) 
Cisco 7206 --

interface FastEthernet0/0
 description Win.net NOC gateway LAN, 911 Heyburn Bldg (via core-sw1.noc.win.net)
 ip address nnn.nnn.nnn.nnn 255.255.255.192
 ip access-group block-out-to-dot30 out
 no ip proxy-arp
 ip route-cache same-interface
 ip route-cache flow
 ip ospf message-digest-key 1 md5 7 xxx
 ip ospf cost 2
 ip ospf priority 200
 no ip mroute-cache
 load-interval 60
 duplex full
 no keepalive
 no cdp enable
 standby 1 ip 216.24.30.65
 standby 1 timers 5 15
 standby 1 priority 105
 standby 1 preempt delay minimum 60
 standby 1 authentication dfwmhsrp
 standby 1 track Serial6/0
 crypto map KYtoINvpn
 service-policy output queue-on-dscp

2900XL

interface FastEthernet0/1
 description 802.1q trunk to core-gw1.noc.win.net port FastEthernet0/0
 load-interval 30
 duplex full
 speed 100
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no cdp enable
[c-nsp] Cisco VPN intermittent disconnects
We have a client on a connection to a cisco switch at one of our locations, routing out through a 3600 to a cisco firewall at a remote location. The firewall is a CISCO 5505 running 8.25. When they connect to the remote firewall with a cisco VPN client (Cisco VPN client for windows version 5.0.07.0290) they get intermittent drops in service. If they set up a hard firewall from inside their network that connects to the remote firewall, and then run their connections through that, it works fine. I asked them to try setting the MTU on the cisco client down to 576 from 1300 -- same result. They can also run the client through another wan connection to the remote firewall and it works fine. It seems to be something about connecting to the remote firewall with this client across the WAN connection that runs through us, but no errors are occurring on any of the interfaces in the path, and I can't find that any packets are being dropped or anything. I received a snippet of Cisco VPN client logs from the customer, but I'm not well-versed in it enough to see if it's providing any useful info. Quite possibly it is and I just am not recognizing the fact. Cisco Systems VPN Client Version 5.0.07.0290 Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved. 
Client Type(s): Windows, WinNT Running on: 6.1.7601 Service Pack 1 Config file directory: C:\Program Files (x86)\Cisco Systems\VPN Client\ 1 14:29:34.774 10/25/12 Sev=Info/4IKE/0x6313 SENDING ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 199.30.90.62 2 14:29:34.774 10/25/12 Sev=Info/6IKE/0x633D Sending DPD request to 199.30.90.62, our seq# = 2332051025 3 14:29:39.843 10/25/12 Sev=Info/4IKE/0x6313 SENDING ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 199.30.90.62 4 14:29:39.843 10/25/12 Sev=Info/6IKE/0x633D Sending DPD request to 199.30.90.62, our seq# = 2332051026 5 14:29:44.912 10/25/12 Sev=Info/4IKE/0x6313 SENDING ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 199.30.90.62 6 14:29:44.912 10/25/12 Sev=Info/6IKE/0x633D Sending DPD request to 199.30.90.62, our seq# = 2332051027 7 14:29:49.981 10/25/12 Sev=Info/4IKE/0x6313 SENDING ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 199.30.90.62 8 14:29:49.981 10/25/12 Sev=Info/6IKE/0x633D Sending DPD request to 199.30.90.62, our seq# = 2332051028 9 14:29:55.051 10/25/12 Sev=Info/4IKE/0x6313 SENDING ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 199.30.90.62 10 14:29:55.051 10/25/12 Sev=Info/6 IKE/0x633D Sending DPD request to 199.30.90.62, our seq# = 2332051029 11 14:30:00.120 10/25/12 Sev=Info/4 IKE/0x6313 SENDING ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 199.30.90.62 12 14:30:00.120 10/25/12 Sev=Info/6 IKE/0x633D Sending DPD request to 199.30.90.62, our seq# = 2332051030 13 14:30:00.620 10/25/12 Sev=Info/6 IPSEC/0x63700022 TCP heartbeat sent to 199.30.90.62, src port 1331, dst port 1 14 14:30:05.192 10/25/12 Sev=Info/4 IKE/0x6313 SENDING ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 199.30.90.62 15 14:30:05.192 10/25/12 Sev=Info/6 IKE/0x633D Sending DPD request to 199.30.90.62, our seq# = 2332051031 16 14:30:10.259 10/25/12 Sev=Info/4 IKE/0x6313 SENDING ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 199.30.90.62 17 14:30:10.259 10/25/12 Sev=Info/6 IKE/0x633D Sending DPD request to 199.30.90.62, our seq# = 
2332051032 18 14:30:15.216 10/25/12 Sev=Info/5 IKE/0x632F Received ISAKMP packet: peer = 199.30.90.62 19 14:30:15.216 10/25/12 Sev=Info/4 IKE/0x6314 RECEIVING ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 199.30.90.62 20 14:30:15.216 10/25/12 Sev=Info/5 IKE/0x6340 Received DPD ACK from 199.30.90.62, seq# received = 2332051025, seq# expected = 2332051032 21 14:30:15.216 10/25/12 Sev=Info/5 IKE/0x632F Received ISAKMP packet: peer = 199.30.90.62 22 14:30:15.216 10/25/12 Sev=Info/4 IKE/0x6314 RECEIVING ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 199.30.90.62 23 14:30:15.216 10/25/12 Sev=Info/5 IKE/0x6340 Received DPD ACK from 199.30.90.62, seq# received = 2332051026, seq# expected = 2332051032 24 14:30:15.216 10/25/12 Sev=Info/5 IKE/0x632F Received ISAKMP packet: peer = 199.30.90.62 25 14:30:15.216 10/25/12 Sev=Info/4 IKE/0x6314 RECEIVING ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 199.30.90.62 26 14:30:15.216 10/25/12 Sev=Info/5 IKE/0x6340 Received DPD ACK from 199.30.90.62, seq# received = 2332051027, seq# expected = 2332051032 27 14:30:15.216 10/25/12 Sev=Info/5
[c-nsp] Clocking for T1's on AS5400 virtually guarantees slips?
Okay, so here's where we stand after working on this for a few days. We have several circuits that are coming into an AS5400 that are getting slips, whereas most of them don't. Most of the circuits come in as T1 channels on a T3. Most of those don't get slips, some do. We also have two t1 circuits for which we have bypassed our mux, so they are T1's that plug into dedicated T1 ports on the AS5400. One gets slips, one doesn't.

We can change which lines are getting slips and which ones aren't by changing the tdm clock priority to match one of the lines. Basically, we can bring the backplane clock into sync with one line, it won't get slips, several of the others will.

The problem is that I have not found a way to tell all the circuits except the one setting the backplane clock how to set their timing via the clock. T1's on the AS5400 only set clocking to line. You can't tell the T1's to sync to the internal clock. If you could, we could set the clock that way, set the remote end to line, and everything would then be synced to the clocking of the line that was setting the primary TDM clock.

If this is true, there is no way to accept t1's from multiple sources in which the clocking may not agree with each other, nor is there any way to provide clocking for an outgoing T1. The AS5400 simply won't work for this, because while it sets the internal clock according to the primary tdm clock circuit, there is no way to tell the other T1's to synchronize according to the internal clock. They are virtually guaranteed to slip.

What we want is to be the clock source for all the T1's except for specific trunks we have coming from the phone company. Most specifically it matters for PRI's we are providing to customers. We need to be the clock source because in those cases the phone company simply passes the T1's through without providing any clocking themselves.
[c-nsp] Slips
We have an AS5400 that we are using to provide PRI's to customers. It has the following circuits coming into it from the Telco (ATT).

5 Trunking circuits that come across T1 ties into a t3 mux, and are then delivered to a T3 port on the AS5400.
! trunking circuit that is connected into a T1 card on the AS5400.
Several circuits to customers that are delivered out of the T3 through the mux to T1 tie pairs through ATT, and some of which go through HDSL T1's that we provide.

We have clocking set up thusly.

The T1 port that has the trunk line in it (Serial6/0) is set to clock source line, to get clocking from ATT.
The TDM clock priority on AS5400 is set to Serial6/0.
The T3 that has all the other T1's is set to clock source internal, on the assumption that the internal clock on the AS5400 should now be synchronizing to the trunk line coming in on 6/0. So all the T1 channels on the T3 should be following the Cisco clock.
The mux is set to clocking is set on the t3 to clock source line, to get clocking from the T3 coming from the AS5400.
The customers at the end are all set to clock source line.

None of the trunks is having slips, but several of the ATT customers are showing a slip every 10 seconds or so. The clocking chain we have set up seems logical to me. Is there something I'm missing? Why would the customers be having slips?

We asked ATT to monitor one of the lines that we are seeing slips on. They watched it for a bit and said no slips are occurring, though I am seeing them both on the AS5400 and on the Customer router. They are performing a more in-depth test now.
Re: [c-nsp] Slips
It occurs to me that there is an assumption built into this that is unproven. Does setting the AS5400 to internal clocking on the T3 cause it to provide clocking for the T1's on the T3? We have assumed that it does. If not, how do we tell it to provide an outgoing clock signal for the T1's on the T3?

- Original Message -
From: Joseph Mays m...@win.net
To: cisco-nsp@puck.nether.net
Sent: Tuesday, October 09, 2012 11:45 AM
Subject: [c-nsp] Slips
Re: [c-nsp] 2900 - 2960 config question
Well, I did the switch from the 2900 to the 2960, everything works fine except for one thing... Port 22 on the original switch is set to be a vlan trunk that links to another switch (sw2, also a 2900XL) in another building with a different set of vlans on it.

interface FastEthernet0/22
 description Trunk to sw2.dist.win.net
 duplex full
 speed 100
 switchport access vlan 22
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,201-224,1002-1005
 switchport mode trunk
 no cdp enable

On the new switch the config is the same except, of course, the encaps line is gone.

interface FastEthernet0/22
 description Trunk to sw2.dist.win.net
 duplex full
 speed 100
 switchport access vlan 22
 switchport trunk allowed vlan 1,201-224,1002-1005
 switchport mode trunk
 no cdp enable

The client on the remote switch, vlan 202, does not work through the new switch. On sw2 the uplink port is port 5, the client is on port 6.

interface FastEthernet0/5
 description Trunk port to sw1.dist.win.net
 duplex full
 speed 100
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,201-224,1002-1005
 switchport mode trunk
 no cdp enable
!
interface FastEthernet0/6
 description Reese Design Collaborative, 600 Distillery Ste 200
 switchport access vlan 202
 spanning-tree portfast
 no cdp enable

On the old switch they have no problem pinging their gateway address, the vlan interface on the router. On the new switch, they cannot. I don't know what might be causing this, unless something about the vlan database is not created by cutting and pasting the config from the 2900XL to the 2960.

- Original Message -
From: Seth Mattinen se...@rollernet.us
To: cisco-nsp@puck.nether.net
Sent: Thursday, September 20, 2012 6:11 PM
Subject: Re: [c-nsp] 2900 - 2960 config question

On 9/20/12 1:52 PM, Joseph Mays wrote:
> I'm replacing a Cisco 2900XL running 12.0(5)WC13 with a Cisco 2960 running 12.2(25r)FX. I just cut and pasted the config from the 2900 into the 2960, and it all seemed to work fine, except the new IOS on the 2960 does not accept one command --
>
> Enter configuration commands, one per line. End with CNTL/Z.
> sw1.dist(config)#interface FastEthernet0/1
> sw1.dist(config-if)# description Trunk port to gw1.dist.win.net
> sw1.dist(config-if)# duplex full
> sw1.dist(config-if)# speed 100
> sw1.dist(config-if)# switchport trunk encapsulation dot1q
> ^
> % Invalid input detected at '^' marker.

That's because it only does dot1q, so there's no option for encap.

~Seth
[c-nsp] Serial interface stuck in reset status.
Okay. Trying to bring up a T1 on a channel on a channelized t3 card in an AS5400. I've done this more than once and have other working T1's on the same t3 card. I have the config on both ends; it's very simple. On the AS5400... controller T1 1/0:26 shutdown framing esf channel-group 0 timeslots 1-20 [...] interface Serial1/0:26:0 description Glass Doctor (K1.HCFU.417839..SC) no ip address encapsulation ppp no cdp enable ppp multilink ppp multilink group 180025 One the remote side ... controller T1 0/0 framing esf linecode b8zs channel-group 0 timeslots 1-20 speed 56 [...] interface Serial0/0:0 no ip address encapsulation ppp ppp multilink ppp multilink group 1 The problem I am having is that the t1 controller seems to come up fine and error free... ArmoryPl-AS5400#show controller t1 1/0:26 T1 1/0:26 is up. Applique type is Channelized T1 No alarms detected. alarm-trigger is not set Version info of slot 1: HW: 768, PLD Rev: 4 Framer Version: 0x28 Manufacture Cookie Info: EEPROM Type 0x0001, EEPROM Version 0x01, Board ID 0x01, Board Hardware Version 3.0, Item Number 73-4089-03, Board Revision B0, Serial Number JAE050301LR, PLD/ISP Version unset, Manufacture Date 18-Jan-2001. Framing is ESF, Clock Source is Line. Data in current interval (293 seconds elapsed): 0 Line Code Violations, 1 Path Code Violations 0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins 1 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs Data in Interval 1: 0 Line Code Violations, 0 Path Code Violations 0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins 0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs Data in Interval 2: ... but the serial interface is stuck in reset status. 
ArmoryPl-AS5400#show int Serial1/0:26:0 Serial1/0:26:0 is reset, line protocol is down Hardware is DSX1 Description: Glass Doctor (K1.HCFU.417839..SC) MTU 1500 bytes, BW 1120 Kbit, DLY 2 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation PPP, LCP Closed, multilink Closed Closed: BACP, loopback not set Last input never, output never, output hang never Last clearing of show interface counters 13:01:00 Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: weighted fair Output queue: 0/1000/64/0 (size/max total/threshold/drops) Conversations 0/0/256 (active/max active/max total) Reserved Conversations 0/0 (allocated/max allocated) Available Bandwidth 840 kilobits/sec 5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 0 bits/sec, 0 packets/sec 0 packets input, 0 bytes, 0 no buffer Received 0 broadcasts, 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 0 packets output, 0 bytes, 0 underruns 0 output errors, 0 collisions, 0 interface resets 0 output buffer failures, 0 output buffers swapped out Strangely, it stays in reset status even if I turn the t1 down. ArmoryPl-AS5400#show controller t1 1/0:26 T1 1/0:26 is administratively down. Applique type is Channelized T1 Transmitter is sending AIS. Receiver has remote alarm. alarm-trigger is not set Version info of slot 1: HW: 768, PLD Rev: 4 Framer Version: 0x28 Manufacture Cookie Info: EEPROM Type 0x0001, EEPROM Version 0x01, Board ID 0x01, Board Hardware Version 3.0, Item Number 73-4089-03, Board Revision B0, Serial Number JAE050301LR, PLD/ISP Version unset, Manufacture Date 18-Jan-2001. Framing is ESF, Clock Source is Line. 
Data in current interval (334 seconds elapsed): 0 Line Code Violations, 1 Path Code Violations 0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 1 Degraded Mins 1 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs Data in Interval 1: 0 Line Code Violations, 0 Path Code Violations 0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins 0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs ArmoryPl-AS5400#show int Serial1/0:26:0 Serial1/0:26:0 is reset, line protocol is down Hardware is DSX1 Description: Glass Doctor (K1.HCFU.417839..SC) MTU 1500 bytes, BW 1120 Kbit, DLY 2 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation PPP, LCP Closed, multilink Closed Closed: BACP, loopback not set Last input never, output never, output hang never Last clearing of show interface counters 13:05:11 Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: weighted fair Output queue: 0/1000/64/0 (size/max total/threshold/drops) Conversations 0/0/256 (active/max active/max total) Reserved Conversations 0/0 (allocated/max allocated) Available Bandwidth 840 kilobits/sec 5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 0 bits/sec, 0 packets/sec 0 packets input, 0 bytes, 0 no
Re: [c-nsp] Serial interface stuck in reset status.
Two obvious things are that the controller is shut down on one side in your config

Sorry, I just grabbed that section of the config while I was showing that the serial interface stays in reset status even while the controller is shut down, when the serial interface should change to down. As I showed in the later example, the serial interface stays in reset status even when the controller is up.

The problem I am having is that the t1 controller seems to come up fine and error free...

ArmoryPl-AS5400#show controller t1 1/0:26
T1 1/0:26 is up.
[...]

... but the serial interface is stuck in reset status.

ArmoryPl-AS5400#show int Serial1/0:26:0
Serial1/0:26:0 is reset, line protocol is down

I originally had the controller set to 64kbps channels, the change to 56 kbps was an attempt to figure out what is going on. I've changed it back to 64kbps channels now. Serial interface is still stuck.

controller T1 1/0:26
 framing esf
 channel-group 0 timeslots 1-20 speed 64

T1 1/0:26 is up.
 Applique type is Channelized T1
 No alarms detected.
alarm-trigger is not set Version info of slot 1: HW: 768, PLD Rev: 4 Framer Version: 0x28 Serial1/0:26:0 is reset, line protocol is down Hardware is DSX1 Description: Glass Doctor (K1.HCFU.417839..SC) MTU 1500 bytes, BW 1280 Kbit, DLY 2 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation PPP, LCP Closed, multilink Closed Closed: BACP, loopback not set Last input never, output never, output hang never Last clearing of show interface counters 00:05:18 Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: weighted fair Output queue: 0/1000/64/0 (size/max total/threshold/drops) Conversations 0/0/256 (active/max active/max total) Reserved Conversations 0/0 (allocated/max allocated) Available Bandwidth 960 kilobits/sec 5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 0 bits/sec, 0 packets/sec 0 packets input, 0 bytes, 0 no buffer Received 0 broadcasts, 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 0 packets output, 0 bytes, 0 underruns 0 output errors, 0 collisions, 0 interface resets ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Serial interface stuck in reset status.
... but the serial interface is stuck in reset status.

I should point out, that even with the controller turned down, clearing the interface does not take it out of reset status.

ArmoryPl-AS5400#clear int Serial1/0:26:0
ArmoryPl-AS5400#show int Serial1/0:26:0
Serial1/0:26:0 is reset, line protocol is down
 Hardware is DSX1
 Description: Glass Doctor (K1.HCFU.417839..SC)
 MTU 1500 bytes, BW 1280 Kbit, DLY 2 usec,
 reliability 255/255, txload 1/255, rxload 1/255
Re: [c-nsp] single static ip address for customer(s)
Please know that when I say single static ip address for customer(s) in my subject heading, I mean a residential dsl subscriber with a windows computer sitting on his desk in his master bedroom and he bought a single static ip address from me (the isp I work for). This is the context of my question.

This is what we do. Assign the address via radius with PPPoE, then broadcast that address from whatever router they connected to with OSPF. Within our network anyone can connect to any of our pops with DSL and get their assigned address.
[c-nsp] Match dial peer on trunk group or caller id.
I want to route all incoming calls from a particular trunk to be outgoing calls on another specific trunk group. Is there any way, in a dial-peer entry, to match on caller ID or incoming trunk group, rather than destination-pattern?
[c-nsp] Call rejeciton from Cisco
Hello. I am using an AS5400 to generate a PRI that is then going to a CiscoIAD. So on the AS5400 side I have. The IAD only has 8 analog voice ports, so I am using the last 8 channels of the PRI for voice ports, and the first 16 channels as a T1 for internet service.

controller T1 1/0:24
 framing esf
 channel-group 0 timeslots 1-16 speed 64
 loopback network ignore
 pri-group timeslots 17-24
interface Serial1/0:24:0
 ip address 216.24.28.249 255.255.255.252
 encapsulation ppp
 no cdp enable
!
interface Serial1/0:24:23
 no ip address
 isdn switch-type primary-ni
 isdn protocol-emulate network
 no isdn outgoing ie redirecting-number
 no isdn incoming alerting add-PI
 no cdp enable

On the IAD I have

controller T1 1/0
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-16 speed 64
 pri-group timeslots 17-24 nfas_d primary nfas_int 1 nfas_group 1
interface Serial1/0:0
 ip address 216.24.28.250 255.255.255.252
 encapsulation ppp
!
interface Serial1/0:23
 no ip address
 isdn switch-type primary-ni
 isdn incoming-voice voice
 no cdp enable
dial-peer voice 1 pots
 description route calls to ISDN
 destination-pattern .T
 port 1/0:23

The PRI and TEI's seem to be up. The AS5400 has intermachine trunks connecting it to the telco system and routes incoming and outgoing phone calls all day long, but when I try to make an outgoing call from the Cisco IAD I see the IAD 2400 appear to do the call setup and send the call out 1/0:23, but eventually I get a reject with a cause code of 0x0, which isn't very helpful. I'm not even sure if the error message is coming from the far end (the AS5400) or the near end (the IAD2400). Error output below with the reject highlighted in red. It would seem that the called is being rejected for Invalid information element contents. I'm having a hard time determining which elements it considers invalid, though.

We've never generated our own PRI out to a client box before, so any information anyone has would be greatly appreciated. Also, if anyone has a config example of both ends of such an arrangement I would love to see it.

022127: 1w0d: ISDN Se1/0:24:23 Q931: RX - SETUP pd = 8 callref = 0x002C
 Bearer Capability i = 0x9090A2
 Standard = CCITT
 Transer Capability = 3.1kHz Audio
 Transfer Mode = Circuit
 Transfer Rate = 64 kbit/s
 Channel ID i = 0xE1818397
 Preferred, Interface 1, Channel 23
 Progress Ind i = 0x8183 - Origination address is non-ISDN
 Calling Party Number i = 0x2183, '5025673005'
 Plan:ISDN, Type:National
 Called Party Number i = 0x80, '75023871095'
 Plan:Unknown, Type:Unknown
022128: 1w0d: ISDN Se1/0:24:23 LIFd: LIF_StartTimer: timer (0x64FBB518), ticks (3), event (0x1250)
022129: 1w0d: ISDN Se1/0:24:23 Q931d: L3_Go: source = 0x20A, event = 0x241, call id = 0x0, int id = 0x0
022130: 1w0d: ISDN Se1/0:24:23 Q931d: L3_Go: call_id 0x2F62 cr 0x802C state 0 event 0x5 ces 1
022131: 1w0d: ISDN Se1/0:24:23 Q931d: L3_ProcessEvent: callref = 0x802C SETUP:U0_Setup(nlcb)
022132: 1w0d: ISDN Se1/0:24:23 Q931d: L3_state_change: callref 0x802C old NULL_STATE, new CALL_PRESENT
022133: 1w0d: ISDN Se1/0:24:23 Q931d: L3_Go: source = 0x400, event = 0x340, call id = 0x2F62, int id = 0x0
022134: 1w0d: ISDN Se1/0:24:23 Q931d: L3_Go: call_id 0x2F62 cr 0x802C state 6 event 0x82 ces 1
022135: 1w0d: ISDN Se1/0:24:23 Q931d: L3_ProcessEvent: callref = 0x802C CC_SETUP_REJ_REQ:U6_SetupRejReq(nlcb)
022136: 1w0d: ISDN Se1/0:24:23 Q931d: L3_state_change: callref 0x802C old CALL_PRESENT, new NULL_STATE
022137: 1w0d: ISDN Se1/0:24:23 LIFd: LIF_StartTimer: timer (0x65F432AC), ticks (1000), event (0x1240)
022138: 1w0d: ISDN Se1/0:24:23 Q931: TX - RELEASE_COMP pd = 8 callref = 0x802C
 Cause i = 0x82E418 - Invalid information element contents
022139: 1w0d: ISDN Se1/0:24:23 LIFd: LIF_StartTimer: timer (0x64FBB518), ticks (3), event (0x1250)
AMSS1#
Re: [c-nsp] Call rejeciton from Cisco
On a related note, I am aware that part of the problem might be that the called party number might be listed as plan unknown and type unknown. I've been trying to figure out a way on the IAD 2400 to set this to national and isdn for all outgoing calls, but the only way I can find to do that is with translation rules, and those all seem to assume that the first thing you want to do is search and replace part of the dialed number. I really don't care what the dialed number is. Is there some way to match just on the plan and type, or some way to set those values other than a translation rule?

- Original Message -
From: Joseph Mays
To: cisco-...@puck.nether.net ; cisco-nsp@puck.nether.net
Sent: Tuesday, May 15, 2012 1:42 PM
Subject: Call rejeciton from Cisco

[...]
Re: [c-nsp] Call rejeciton from Cisco
Disregard. I figured out how to get it to set the plan and type, but it's still having the same problem.

027789: 1w0d: ISDN Se1/0:24:23 Q931: RX - SETUP pd = 8 callref = 0x002D
 Bearer Capability i = 0x9090A2
 Standard = CCITT
 Transer Capability = 3.1kHz Audio
 Transfer Mode = Circuit
 Transfer Rate = 64 kbit/s
 Channel ID i = 0xE1818397
 Preferred, Interface 1, Channel 23
 Progress Ind i = 0x8183 - Origination address is non-ISDN
 Calling Party Number i = 0x2183, '5025673005'
 Plan:ISDN, Type:National
 Called Party Number i = 0xA1, '5023871095'
 Plan:ISDN, Type:National
027790: 1w0d: ISDN Se1/0:24:23 LIFd: LIF_StartTimer: timer (0x64FBB518), ticks (3), event (0x1250)
027791: 1w0d: ISDN Se1/0:24:23 Q931d: L3_Go: source = 0x20A, event = 0x241, call id = 0x0, int id = 0x0
027792: 1w0d: ISDN Se1/0:24:23 Q931d: L3_Go: call_id 0x300E cr 0x802D state 0 event 0x5 ces 1
027793: 1w0d: ISDN Se1/0:24:23 Q931d: L3_ProcessEvent: callref = 0x802D SETUP:U0_Setup(nlcb)
027794: 1w0d: ISDN Se1/0:24:23 Q931d: L3_state_change: callref 0x802D old NULL_STATE, new CALL_PRESENT
027795: 1w0d: ISDN Se1/0:24:23 Q931d: L3_Go: source = 0x400, event = 0x340, call id = 0x300E, int id = 0x0
027796: 1w0d: ISDN Se1/0:24:23 Q931d: L3_Go: call_id 0x300E cr 0x802D state 6 event 0x82 ces 1
027797: 1w0d: ISDN Se1/0:24:23 Q931d: L3_ProcessEvent: callref = 0x802D CC_SETUP_REJ_REQ:U6_SetupRejReq(nlcb)
027798: 1w0d: ISDN Se1/0:24:23 Q931d: L3_state_change: callref 0x802D old CALL_PRESENT, new NULL_STATE
027799: 1w0d: ISDN Se1/0:24:23 LIFd: LIF_StartTimer: timer (0x65F432AC), ticks (1000), event (0x1240)
027800: 1w0d: ISDN Se1/0:24:23 Q931: TX - RELEASE_COMP pd = 8 callref = 0x802D
 Cause i = 0x82E418 - Invalid information element contents

- Original Message -
From: Joseph Mays
To: cisco-...@puck.nether.net ; cisco-nsp@puck.nether.net
Sent: Tuesday, May 15, 2012 2:08 PM
Subject: Re: Call rejeciton from Cisco

[...]
Re: [c-nsp] Call rejeciton from Cisco
On the IAD2400 I have --

interface Serial1/0:23
 no ip address
 isdn switch-type primary-ni
 isdn incoming-voice voice
 isdn map address .T plan isdn type national
 isdn negotiate-bchan
 no cdp enable

and on the AS5400 I have --

interface Serial1/0:24:23
 no ip address
 isdn switch-type primary-ni
 isdn protocol-emulate network
 isdn negotiate-bchan
 no isdn outgoing ie redirecting-number
 no isdn incoming alerting add-PI
 trunk-group WinnetOfficePri
 no cdp enable

- Original Message -
From: Tim Jackson jackson@gmail.com
To: Joseph Mays m...@win.net
Cc: cisco-...@puck.nether.net; cisco-nsp@puck.nether.net
Sent: Tuesday, May 15, 2012 3:44 PM
Subject: Re: [c-nsp] Call rejeciton from Cisco

http://www.cisco.com/en/US/docs/ios/12_2/dial/command/reference/drfisl2.html#wp1116673

Usually Cause i = 0x82E418 - Invalid information element contents means that it's not happy about it requesting an exclusive channel vs preferred iirc.. Could also be a mismatched ISDN switch type? NI2 I would assume on both?

On Tue, May 15, 2012 at 1:16 PM, Joseph Mays m...@win.net wrote:

[...]
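An added example, not part of the original posts: a small Python decoder for the information-element octets that the Q.931 debug output in this thread prints after `i =`, following the ITU-T Q.931/Q.850 octet layouts. Function names are illustrative; run on the thread's values, it shows that the diagnostic octet `0x18` in `Cause i = 0x82E418` is the identifier of the Channel identification element, which is consistent with the reply pointing at channel negotiation.

```python
import re

# Q.931 information element identifiers (ITU-T Q.931, section 4.5)
IE_NAMES = {0x04: "Bearer capability", 0x08: "Cause", 0x18: "Channel identification",
            0x1E: "Progress indicator", 0x6C: "Calling party number",
            0x70: "Called party number"}
# Q.850 location field (Cause octet 3, bits 4-1) and a subset of cause values
LOCATIONS = {0: "user", 1: "private network serving the local user",
             2: "public network serving the local user", 3: "transit network",
             4: "public network serving the remote user",
             5: "private network serving the remote user",
             7: "international network", 10: "network beyond interworking point"}
CAUSES = {16: "Normal call clearing", 34: "No circuit/channel available",
          44: "Requested circuit/channel not available",
          82: "Identified channel does not exist",
          96: "Mandatory information element is missing",
          99: "Information element non-existent or not implemented",
          100: "Invalid information element contents"}
IE_DIAGNOSTIC_CAUSES = {96, 99, 100}  # their diagnostics list offending IE identifiers
NUMBER_TYPES = {0: "Unknown", 1: "International", 2: "National",
                3: "Network specific", 4: "Subscriber", 6: "Abbreviated"}
NUMBER_PLANS = {0: "Unknown", 1: "ISDN", 3: "Data", 4: "Telex",
                8: "National standard", 9: "Private"}


def _octets(text):
    """Turn the '0x82E418' style value printed after 'i =' into bytes."""
    text = text.strip()
    return bytes.fromhex(text[2:] if text.lower().startswith("0x") else text)


def decode_cause(text):
    """Cause IE contents: location, cause value, and any named diagnostics."""
    data = _octets(text)
    pos = 1 if data and data[0] & 0x80 else 2  # ext bit clear: octet 3a follows
    if pos >= len(data):
        raise ValueError("Cause IE too short: %r" % text)
    value = data[pos] & 0x7F
    diags = list(data[pos + 1:])
    if value in IE_DIAGNOSTIC_CAUSES:
        diags = [IE_NAMES.get(d, "IE 0x%02X" % d) for d in diags]
    return {"location": LOCATIONS.get(data[0] & 0x0F, "reserved"),
            "cause": value, "cause_text": CAUSES.get(value, "unlisted"),
            "diagnostics": diags}


def decode_number(text):
    """First octet of a calling/called party number IE: (type, plan)."""
    first = _octets(text)[0]
    return (NUMBER_TYPES.get((first >> 4) & 0x07, "Reserved"),
            NUMBER_PLANS.get(first & 0x0F, "Reserved"))


def decode_channel_id(text):
    """Channel identification IE contents for a primary-rate interface."""
    data = _octets(text)
    first = data[0]
    out = {"interface_explicit": bool(first & 0x40), "primary_rate": bool(first & 0x20),
           "mode": "exclusive" if first & 0x08 else "preferred",
           "interface_id": None, "channel": None}
    pos = 1
    if out["interface_explicit"]:          # octet 3.1, repeated until ext bit is set
        ident = 0
        while pos < len(data):
            octet = data[pos]
            pos += 1
            ident = (ident << 7) | (octet & 0x7F)
            if octet & 0x80:
                break
        out["interface_id"] = ident
    # octet 3.2 says whether a channel number (not a slot map) follows in 3.3
    if out["primary_rate"] and (first & 0x03) == 1 and pos + 1 < len(data):
        if not data[pos] & 0x10:
            out["channel"] = data[pos + 1] & 0x7F
    return out


IE_PATTERN = re.compile(
    r"(Cause|Channel ID|Calling Party Number|Called Party Number) i = (0x[0-9A-Fa-f]+)")
DECODERS = {"Cause": decode_cause, "Channel ID": decode_channel_id,
            "Calling Party Number": decode_number, "Called Party Number": decode_number}


def decode_debug(log_text):
    """Decode every recognised 'Name i = 0x...' entry in pasted debug output."""
    return [(name, DECODERS[name](value)) for name, value in IE_PATTERN.findall(log_text)]


# Sample input: lines shortened from the debug output quoted in the thread.
SAMPLE = """\
ISDN Se1/0:24:23 Q931: RX - SETUP pd = 8 callref = 0x002C
 Channel ID i = 0xE1818397
 Calling Party Number i = 0x2183, '5025673005'
 Called Party Number i = 0x80, '75023871095'
ISDN Se1/0:24:23 Q931: TX - RELEASE_COMP pd = 8 callref = 0x802C
 Cause i = 0x82E418 - Invalid information element contents
"""

if __name__ == "__main__":
    for name, decoded in decode_debug(SAMPLE):
        print(name, decoded)
```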
Re: [c-nsp] Possible T1 clocking problem.
timeslots 1-24 speed 64.

That was it. Thanks so much. I've been trying to figure out for days why something that should be simple was proving impossible.
[c-nsp] Possible T1 clocking problem.
We're setting up an HDSL4 t1 across two copper pairs. This is the first time I've ever turned up a T1 that was not telco provided. The smartjacks show the T1 as up (and extremely good quality, actually, strong signal and not a single bit error). On the CO side the T1 goes to a T3 multiplexer which is plugged into a channelized T3 card in an AS5400. On the remote end the T1 is plugged into T1 WIC in a 2600. Both ends show the T1 interface up, line protocol is down. Encapsulation is PPP, but all I ever see are errors. I've confirmed the wiring and every other aspect of the physical layer. Here is the show interface info from the AS5400 6 minutes after clearing counters on the interface. AMSS1#show int serial1/0:24:0 Serial1/0:24:0 is up, line protocol is down Hardware is DSX1 Internet address is 216.24.28.249/30 MTU 1500 bytes, BW 1344 Kbit, DLY 2 usec, reliability 244/255, txload 1/255, rxload 1/255 Encapsulation PPP, LCP REQsent, loopback not set Last input 23:04:24, output never, output hang never Last clearing of show interface counters 00:06:00 Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: weighted fair Output queue: 0/1000/64/0 (size/max total/threshold/drops) Conversations 0/1/256 (active/max active/max total) Reserved Conversations 0/0 (allocated/max allocated) Available Bandwidth 1008 kilobits/sec 5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 0 bits/sec, 0 packets/sec 0 packets input, 0 bytes, 0 no buffer Received 0 broadcasts, 0 runts, 12 giants, 0 throttles 14 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 2 abort 75 packets output, 1050 bytes, 0 underruns 0 output errors, 0 collisions, 0 interface resets 0 output buffer failures, 0 output buffers swapped out 0 carrier transitions Timeslot(s) Used:1-24, Transmitter delay is 0 flags AMSS1# The interface on the remote end (t1 WIC port in a 2600 shows a lot more errors, including a lot of frame errors, for the same time period. 
On the AS5400, the clocking on the t3 interface is set to take clocking from the network. Show tdm clock shows the clocking on the t1 channel in question (channel 24) as good.

AMSS1#show tdm clock
Primary Clock:
System primary is slot 1 ds3_port 0 ds1_port 1 of priority 1
TDM Bus Master Clock Generator State = NORMAL

Backup clocks for primary:
Source  Slot  Port  DS3-Port  Priority  Status  State
Trunk   1     2     YES       2         Good    Configured
Trunk   1     3     YES       3         Good    Configured
Trunk   1     4     YES       4         Good    Configured
Trunk   1     5     YES       5         Good    Configured
Trunk   1     6     YES       6         Good    Configured
Trunk   1     28    YES       202       Good    Default

Trunk cards controllers clock health information
           CT3  2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1
Slot Port Type  8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1
1    0    T3    G B B B G B B B B B B B B B B B B B B B B B G G G G G G

Worth noting is that the other t1's (1-6) that show up as good are all standard t1's through the telco. Channel 24 connects directly to the HDSL smartjack that goes to the remote end. I assume the AS5400 end is picking up clocking from the MUX for channel 24, but it's not clear to me what is deciding the clocking for the T1 to the remote from the mux (which is where all the frame errors are showing up) in this case. I've tried setting the T1 on the remote side to both clock-source line and clock-source internal. No difference in either case.
[c-nsp] Setting line encoding, no controller present
I need to set the t1 controller for the serial interface below to be b8zs encoding and clock source internal, but the router does not even recognize the controller commands, and I can't find any relevant commands under the serial interface config. = gw1.office#show controller serial2/0 Interface Serial2/0 Hardware is Quicc 68360 with Integrated FT1 CSU/DSU module TX and RX clocks detected. idb at 0x6416E310, driver data structure at 0x64175A34 WIC interrupt reg = F SCC Registers: General [GSMR]=0x2:0x0030, Protocol-specific [PSMR]=0x8 Events [SCCE]=0x, Mask [SCCM]=0x001F, Status [SCCS]=0x0002 Transmit on Demand [TODR]=0x0, Data Sync [DSR]=0x7E7E Interrupt Registers: Config [CICR]=0x00C9CF00, Pending [CIPR]=0x Mask [CIMR]=0xC000C000, In-srv [CISR]=0x SDMA Registers: [SDSR]=0x00, [SDAR]=0x07A014E0, [SDCR]=0x0772 Command register [CR]=0x600 Port A [PADIR]=0x, [PAPAR]=0x [PAODR]=0x, [PADAT]=0xEEFD Port B [PBDIR]=0x0011FE, [PBPAR]=0x0E [PBODR]=0x00, [PBDAT]=0x03EE5C Port C [PCDIR]=0x000E, [PCPAR]=0x [PCSO]=0x0020, [PCDAT]=0x0FCF, [PCINT]=0x0001 BRGC1 = 0x , BRGC2 = 0x BRGC3 = 0x , BRGC4 = 0x Receive Ring rmd(3D010420): status 9000 length 2 address 7B99024 rmd(3D010428): status 9000 length F address 7B9B724 rmd(3D010430): status 9000 length 2 address 7B9C424 rmd(3D010438): status 9000 length 10 address 7B9AA24 rmd(3D010440): status 9000 length 12 address 7B996A4 rmd(3D010448): status 9000 length 11 address 7B99D24 rmd(3D010450): status B000 length F address 7B9A3A4 Transmit Ring tmd(3D010458): status 5C00 length E address 7A01894 tmd(3D010460): status 5C00 length E address 7C14B34 tmd(3D010468): status 5C00 length E address 7A014D4 tmd(3D010470): status 5C00 length E address 7C161B4 tmd(3D010478): status 5C00 length E address 7C15DF4 tmd(3D010480): status 5C00 length E address 7A00AD4 tmd(3D010488): status 7C00 length E address 7C14634 tx_limited=1(2) SCC GENERAL PARAMETER RAM (at 0x3D010C00) Rx BD Base [RBASE]=0x420, Fn Code [RFCR]=0x18 Tx BD Base [TBASE]=0x458, Fn Code 
[TFCR]=0x18 Max Rx Buff Len [MRBLR]=1548 Rx State [RSTATE]=0x18008240, BD Ptr [RBPTR]=0x440 Tx State [TSTATE]=0x18000348, BD Ptr [TBPTR]=0x458 SCC HDLC PARAMETER RAM (at 0x3D010C38) CRC Preset [C_PRES]=0x, Mask [C_MASK]=0xF0B8 Errors: CRC [CRCEC]=0, Aborts [ABTSC]=9, Discards [DISFC]=0 Nonmatch Addr Cntr [NMARC]=0 Retry Count [RETRC]=0 Max Frame Length [MFLR]=1608 Rx Int Threshold [RFTHR]=0, Frame Cnt [RFCNT]=65524 User-defined Address /// User-defined Address Mask 0x buffer size 1524 QUICC SCC specific errors: 131355 input aborts on receiving flag sequence 0 throttles, 0 enables 0 overruns 0 transmitter underruns 0 transmitter CTS losts 20703 aborted short frames ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Setting line encoding, no controller present
You didn't say what you've tried, but you might poke around in:

conf t
int s2/0
service-module t1 ?

and I think you'll find everything you're looking for.

That's it, thanks.
Re: [c-nsp] QoS on Multilink T1's.
Are they real T1s or are they 1.5Mb MPLS service? We've got several 4xT1 (MPLS service) bundles working had to pay for QOS to get voice working acceptably well.

Real T1's.
Re: [c-nsp] QoS on Multilink T1's.
We had similar issues and had to make a change to the ML interface. Try adding ppp multilink fragment disable.

I need to do some more testing, but it looks at first observation as if this may have fixed the problem. Why would fragmenting packets on a multilink PPP interface be a problem for QoS, and what are the potential implications of not fragmenting packets on the interface?
Re: [c-nsp] Failing to load IOS
Is this a case where a bootldr file is needed? Does the ROMMON understand the disk1: filesystem? In ROMMON, can you do a 'dev' and see the filesystem, or do a 'dir' on it? I haven't played with too many of the older 7200s, but I seem to remember this.

This problem was fixed by upgrading the bootstrap software from 11.2 to --

BOOTLDR: 7200 Software (C7200-BOOT-M), Version 12.0(24)S

Then the bootldr could read the disk1 entry and load the IOS from it. So the router loaded 12.4(13b) fine now and is running with that. Unfortunately, this did not fix the problem it was hoped it would fix, the problem with QoS over multilink PPP.
Re: [c-nsp] QoS on Multilink T1's.
I took each t1 individually out of the multilink bundle, so the bundle contained only the first t1, then only the second t1. In both cases, the problem disappeared and QoS began working normally as soon as there was only one t1 in the bundle. This is without changing the multilink interface config or policy itself. As soon as I put both t1's back in the problem returns immediately. Right now I'm planning to upgrade the router to 12.4ish Monday.

So unfortunately this problem still exists. If upgrading from 12.3 to 12.4 did not fix the problem, I guess it's probably not a bug. So I'm momentarily at a loss. I can post the config if anyone would like to see it. Is there anyone out there who is doing QoS across a multilinked bundle of more than one T1 who can send it to me so I can compare what you have with what I am doing?
Re: [c-nsp] QoS on Multilink T1's.
Maybe check the release notes for later 12.4 releases, just in case?

I will.

Silly question, but is CEF enabled now?

No.
Re: [c-nsp] QoS on Multilink T1's.
This may or may not be a stupid question

Not a stupid question at all. But yes, they are all identical.
Re: [c-nsp] Failing to load IOS
And what is the boot process stating? i.e. when it is booting, does it try and load 124-13b and fail, or simply load 123-22?

I have been doing most of this work remote from the site, though I may travel to the site and reboot with a plug into the console port to answer this question.

Is this a case where a bootldr file is needed? Does the ROMMON understand the disk1: filesystem?

Again, I haven't gotten much chance to see what the ROMMON thinks, as this is a production system in a remote facility. I do note however that we have two other 7200's that load IOS fine from disk0, but your question led me to look at the Boot info. The other two are running --

    ROM: System Bootstrap, Version 12.2(1r) [dchih 1r], RELEASE SOFTWARE (fc1)
    BOOTLDR: 7200 Software (C7200-BOOT-M), Version 12.0(24)S, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

The system that won't load 12.4 from disk0: is --

    ROM: System Bootstrap, Version 12.1(2710:044039) [nlaw-121E_npeb 117], DEVELOPMENT SOFTWARE
    BOOTLDR: 7200 Software (C7200-IS-M), Version 12.3(22), RELEASE SOFTWARE (fc2)

I tried verifying the file as suggested.

    gw1.armplc#verify disk1:c7200-is-mz.124-13b.bin
    %Filesystem does not support verify operations
    gw1.armplc#
Re: [c-nsp] Failing to load IOS
Also, just as a sanity check -- I cannot find a listing for separate ram for the IOS. Does the NPE-400 set aside memory for the IOS load from the main memory? And if so, is that amount of memory dynamic? If so I can assume the 512 meg of ram in the box is enough and the amount of memory for storing the IOS is not the problem.
Re: [c-nsp] Failing to load IOS
From: Andriy Bilous andriy.bil...@gmail.com

What 'show bootvar' says?

    gw1.armplc#show bootvar
    BOOT variable = disk1:c7200-is-mz.124-13b.bin,12;slot0:c7200-is-mz.123-22.bin,12;
    CONFIG_FILE variable does not exist
    BOOTLDR variable =
    Configuration register is 0x2102
Re: [c-nsp] Failing to load IOS
BTW, what does the number just after the file name in the BOOT variable represent?

    gw1.armplc#show bootvar
    BOOT variable = disk1:c7200-is-mz.124-13b.bin,12;slot0:c7200-is-mz.123-22.bin,12;
                                                  ^^                              ^^
[c-nsp] Failing to load IOS
Trying to load 12.4(13b) on a --

    cisco 7206VXR (NPE400) processor (revision A) with 491520K/32768K bytes of memory.

I have the following boot sequence defined --

    boot-start-marker
    boot system disk1:c7200-is-mz.124-13b.bin
    boot system slot0:c7200-is-mz.123-22.bin
    boot-end-marker

Both images are there.
[c-nsp] Failing to load IOS
Sorry, disregard the previous message, hit send by accident before it was completed.

Trying to load 12.4(13b) on a --

    cisco 7206VXR (NPE400) processor (revision A) with 491520K/32768K bytes of memory.

I have the following boot sequence defined --

    boot-start-marker
    boot system disk1:c7200-is-mz.124-13b.bin
    boot system slot0:c7200-is-mz.123-22.bin
    boot-end-marker

Both images are there.

    gw1.armplc#dir disk1:
    Directory of disk1:/
    1 -rw- 26027532 Mar 29 2012 10:32:38 +00:00 c7200-is-mz.124-13b.bin
    40759296 bytes total (14729216 bytes free)

    gw1.armplc#dir slot0:
    Directory of slot0:/
    1 -rw- 17839240 Apr 6 2011 14:12:43 +00:00 c7200-is-mz.123-22.bin
    20578304 bytes total (2738936 bytes free)

Yet after bootup the router is still running the 12.3(22) version. I assume the problem is the amount of ram, since the feature navigator shows that the router requires 48meg for 12.4(13b), and show ver shows it only has 32 meg (is that correct)? But the feature navigator also shows that 12.3(22) requires 48meg, and that loads fine. So I'm looking for a sanity check as to whether or not I am misreading the feature navigator or the router info, and whether or not something other than the amount of ram is likely to be the problem.
[c-nsp] QoS on Multilink T1's.
We have the following service policy on a router that prioritizes VOIP traffic according to the ef tag.

    class-map match-all dscp-ef
     match ip dscp ef
    !
    !
    policy-map queue-on-dscp
     description Prioritizes voice traffic first, signalling next.
     class dscp-ef
      priority percent 75
     class class-default
      fair-queue
      random-detect dscp-based

The router primarily contains traffic for T1's routed to several destinations. I can demonstrate that for individual T1's the service policy does as it should. Throw normal pings at the remote end, things are low latency and no packet loss. Ping flood the remote end with 1500 byte packets and latency for normal pings and packet loss go sky high. While still pingflooding, pings tagged with DSCP ef still have low latency and no packet loss. This is all the way it should be.

However, it generally doesn't work for the multilink client on the box. In this case, while ping flooding, packets with and without the EF tag set all suffer the same high latency and packet loss during ping flood. Not surprisingly, this one client is also having VOIP call quality problems.

All the clients are using the same service policy. I have been assuming that it's something about the fact that this client has two multilink T1's bonded together with multilink PPP and other clients just have a single T1. Is there something special that has to be done for QoS over multilink PPP? Or is there possibly some other thing affecting this one client? There are no specific access lists relating to their connection, nor to the ones that work. Really, the only thing overt that sets them different from the others is that they have bonded T1's, as shown below.

    interface Multilink117870
     description Bonded Pair to Edge Outreach
     bandwidth 3072
     ip address 216.24.2.145 255.255.255.252
     no cdp enable
     ppp authorization PermT1
     ppp multilink
     ppp multilink group 117870
     service-policy output queue-on-dscp

    interface Serial6/0/1:0
     description Edge Outreach (K1.HCFU.511024..SC)
     bandwidth 1536
     no ip address
     no ip redirects
     no ip proxy-arp
     encapsulation ppp
     ppp authorization PermT1
     ppp multilink
     ppp multilink group 117870
    !
    interface Serial6/0/2:0
     description Edge Outreach (K1.HCFU.511025..SC)
     bandwidth 1536
     no ip address
     no ip redirects
     no ip proxy-arp
     encapsulation ppp
     ppp authorization PermT1
     ppp multilink
     ppp multilink group 117870

Here is an example of a plain single T1 client config, in which case the QoS service policy works exactly as it should.

    interface Serial6/0/3:0
     description Leonard Brush (K1.HCFU.511093..SC)
     bandwidth 1536
     ip address 216.24.0.53 255.255.255.252
     no ip redirects
     no ip proxy-arp
     encapsulation ppp
     ppp authorization PermT1
     service-policy output queue-on-dscp
Re: [c-nsp] QoS on Multilink T1's.
You might try using an actual KBS number instead of percentages for the multilink.

That's what I was doing before. I changed to the percent in the process of trying to figure out this problem.
Re: [c-nsp] QoS on Multilink T1's.
The router is a 7206VXR (NPE400) running 12.3.(22). I am out of ideas as it stands, so I was thinking about upgrading the IOS.

- Original Message -
From: Craig Dickerson craig.dicker...@logixcom.com
To: Joseph Mays m...@win.net
Sent: Friday, March 23, 2012 4:01 PM
Subject: RE: [c-nsp] QoS on Multilink T1's.

We have had a similar problem before. Have you tried removing the policy from the interface and then re-applying it? If this works you may have a software bug.

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Joseph Mays
Sent: Friday, March 23, 2012 1:49 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] QoS on Multilink T1's.

You might try using an actual KBS number instead of percentages for the multilink.

That's what I was doing before. I changed to the percent in the process of trying to figure out this problem.
Re: [c-nsp] QoS on Multilink T1's.
I would also check the policy-map statistics on the multilink interface to see if it is actually doing anything and go from there. It *could* be a bug.

I took each t1 individually out of the multilink bundle, so the bundle contained only the first t1, then only the second t1. In both cases, the problem disappeared and QoS began working normally as soon as there was only one t1 in the bundle. This is without changing the multilink interface config or policy itself. As soon as I put both t1's back in the problem returns immediately. Right now I'm planning to upgrade the router to 12.4ish Monday.
[c-nsp] crypto map working on outbound interface, need it to work on inbound interface
Have a crypto map that was working to build a tunnel between 65.119.118.75 and 24.235.0.25. Peers for the vpn tunnel were 24.235.0.26 and 65.119.118.136. Due to some network changes 24.235.0.26, which was the egress interface toward the remote end, is now an ingress interface. Still, I don't see why this should matter. The access list is the same, it's just traffic coming in through the interface rather than out of it.

    Crypto Map WinnetToSyniverse 20 ipsec-isakmp
     Description: PHL-3845-SS7-VPN router
     Peer = 65.119.118.136
     Extended IP access list PHL-3845-SS7-VPN
      access-list PHL-3845-SS7-VPN permit ip host 24.235.0.25 host 65.119.118.76
     Current peer: 65.119.118.136
     Security association lifetime: 4608000 kilobytes/3600 seconds
     PFS (Y/N): N
     Transform sets={ TSI2, }
     Interfaces using crypto map WinnetToSyniverse:
      FastEthernet1/1

The packets for the access list should match regardless of direction, but it acts like it's not matching packets to the access list and not even trying to start the vpn.

    Router#show crypto isakmp sa
    dst src state conn-id slot status

Nothing there. I can ping 65.119.118.136 from the router even when I set the source address to the address of the ingress interface, 24.235.0.26, and can ping the host we are trying to talk to across the vpn, 65.119.118.76, from 24.235.0.25.

I moved the crypto map command to the outside interface and it started matching packets and tried to bring the vpn tunnel up, but that failed, I'm guessing because the source address changed to the address of the egress interface, which would not be the address configured in the remote side. So I want to use the ingress interface and its address so we don't have to go through a complex process to get the other side to reconfigure.
Re: [c-nsp] crypto map working on outbound interface, need it to work on inbound interface
So, in the example below, will this cause the vpn to connect to the peer from FastEthernet0/0, but identify as the ip address of FastEthernet1/1?

    crypto map WinnetToSyniverse local-address FastEthernet1/1
    crypto map WinnetToSyniverse 20 ipsec-isakmp
     description PHL-3845-SS7-VPN router
     set peer 65.119.118.136
     set transform-set TSI2
     match address PHL-3845-SS7-VPN
    !
    !
    !
    interface FastEthernet0/0
     ip address 216.135.80.50 255.255.255.252
     duplex auto
     speed auto
     crypto map WinnetToSyniverse
Re: [c-nsp] crypto map working on outbound interface, need it to work on inbound interface
Mostly I was just trying to find out, never having used the local address parameter in the global crypto map config, if I was using it correctly. Here is the debug output you mentioned. With the config shown below, pinging from 24.235.0.25 to 65.119.118.76 to bring the vpn up...

    Router#show debug
    Generic IP:
      ICMP packet debugging is on
    Cryptographic Subsystem:
      Crypto ISAKMP Error debugging is on
      Crypto ISAKMP High Availability debugging is on
      Crypto IPSEC Error debugging is on
      Crypto High Availability Manager debugging is on
      Crypto IPSEC High Availability debugging is on
    Router#
    *Apr 5 07:17:28.703: ISAKMP:(0:0:N/A:0):Notify has no hash. Rejected.
    *Apr 5 07:17:28.707: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1
    *Apr 5 07:17:28.707: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 65.119.118.136
    *Apr 5 07:17:58.667: ISAKMP:(0:0:N/A:0):SA is still budding. Attached new ipsec request to it. (local 24.235.0.26, remote 65.119.118.136)
    *Apr 5 07:18:01.359: %SEC-6-IPACCESSLOGDP: list PHL-3845-SS7-VPN permitted icmp 24.235.0.25 - 65.119.118.76 (8/0), 282 packets
    *Apr 5 07:18:29.071: ISAKMP:(0:0:N/A:0):Notify has no hash. Rejected.
    *Apr 5 07:18:29.071: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1
    *Apr 5 07:18:29.071: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 65.119.118.136
    *Apr 5 07:18:59.031: ISAKMP:(0:0:N/A:0):SA is still budding. Attached new ipsec request to it. (local 24.235.0.26, remote 65.119.118.136)
    *Apr 5 07:19:29.291: ISAKMP:(0:0:N/A:0):Notify has no hash. Rejected.
    *Apr 5 07:19:29.291: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1
    *Apr 5 07:19:29.291: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 65.119.118.136
    *Apr 5 07:19:36.247: ICMP: time exceeded (time to live) sent to 118.96.20.16 (dest was 216.135.93.64)
    *Apr 5 07:19:42.315: ICMP: time exceeded (time to live) sent to 212.67.88.93 (dest was 24.235.0.25)
    *Apr 5 07:19:59.251: ISAKMP:(0:0:N/A:0):SA is still budding. Attached new ipsec request to it. (local 24.235.0.26, remote 65.119.118.136)
    *Apr 5 07:20:29.315: ISAKMP:(0:0:N/A:0):Notify has no hash. Rejected.
    *Apr 5 07:20:29.319: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1
    *Apr 5 07:20:29.319: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 65.119.118.136
    *Apr 5 07:20:49.895: ICMP: time exceeded (time to live) sent to 121.14.69.250 (dest was 216.135.93.72)
    *Apr 5 07:20:59.279: ISAKMP:(0:0:N/A:0):SA is still budding. Attached new ipsec request to it. (local 24.235.0.26, remote 65.119.118.136)
    *Apr 5 07:21:29.555: ISAKMP:(0:0:N/A:0):Notify has no hash. Rejected.
    *Apr 5 07:21:29.555: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1
    *Apr 5 07:21:29.559: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 65.119.118.136

- Original Message -
From: Clint Wade
To: Joseph Mays
Cc: cisco-nsp@puck.nether.net
Sent: Tuesday, December 13, 2011 5:29 PM
Subject: Re: [c-nsp] crypto map working on outbound interface, need it to work on inbound interface

Joseph,

With anything VPN related it may be better to either post outputs of a 'debug isakmp sa' or 'debug ipsec sa' or the relevant portions of the configurations on both devices. It's not easy to get an idea of what is going on with small config snippets.

Regards,
Clint Wade

On Tue, Dec 13, 2011 at 4:22 PM, Joseph Mays m...@win.net wrote:

So, in the example below, will this cause the vpn to connect to the peer from FastEthernet0/0, but identify as the ip address of FastEthernet1/1?

    crypto map WinnetToSyniverse local-address FastEthernet1/1
    crypto map WinnetToSyniverse 20 ipsec-isakmp
     description PHL-3845-SS7-VPN router
     set peer 65.119.118.136
     set transform-set TSI2
     match address PHL-3845-SS7-VPN
    !
    !
    !
    interface FastEthernet0/0
     ip address 216.135.80.50 255.255.255.252
     duplex auto
     speed auto
     crypto map WinnetToSyniverse
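A way to read the debug output posted in this thread, as an added Python example that is not part of the original messages: it tallies the ISAKMP events per peer and reports a negotiation that keeps failing while the logged state never changes. The function names are illustrative, the log lines are copied from the post above, and the year used for timestamp arithmetic is a placeholder because the log prints none.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Debug lines copied from the post above (07:17:28 through 07:19:36).
LOG = """\
*Apr 5 07:17:28.703: ISAKMP:(0:0:N/A:0):Notify has no hash. Rejected.
*Apr 5 07:17:28.707: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1
*Apr 5 07:17:28.707: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 65.119.118.136
*Apr 5 07:17:58.667: ISAKMP:(0:0:N/A:0):SA is still budding. Attached new ipsec request to it. (local 24.235.0.26, remote 65.119.118.136)
*Apr 5 07:18:01.359: %SEC-6-IPACCESSLOGDP: list PHL-3845-SS7-VPN permitted icmp 24.235.0.25 - 65.119.118.76 (8/0), 282 packets
*Apr 5 07:18:29.071: ISAKMP:(0:0:N/A:0):Notify has no hash. Rejected.
*Apr 5 07:18:29.071: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1
*Apr 5 07:18:29.071: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 65.119.118.136
*Apr 5 07:18:59.031: ISAKMP:(0:0:N/A:0):SA is still budding. Attached new ipsec request to it. (local 24.235.0.26, remote 65.119.118.136)
*Apr 5 07:19:29.291: ISAKMP:(0:0:N/A:0):Notify has no hash. Rejected.
*Apr 5 07:19:29.291: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1
*Apr 5 07:19:29.291: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 65.119.118.136
*Apr 5 07:19:36.247: ICMP: time exceeded (time to live) sent to 118.96.20.16 (dest was 216.135.93.64)
"""

STAMP = re.compile(r"^\*(\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): (.*)$")
STATE = re.compile(r"IKE_MESG_FROM_PEER, (\w+):\s*state = (\w+)")
FAILURE = re.compile(r"%CRYPTO-6-IKMP_MODE_FAILURE: .* with peer at (\S+)")
BUDDING = re.compile(r"SA is still budding\..*\(local (\S+), remote (\S+)\)")
ACL_HIT = re.compile(r"%SEC-6-IPACCESSLOGDP: list (\S+) permitted")
PLACEHOLDER_YEAR = "2000"  # assumption: only used so timestamps can be subtracted


def summarize(text):
    """Tally the ISAKMP-related events in a block of IOS debug output."""
    summary = {
        "unauthenticated_notifies": 0,  # "Notify has no hash. Rejected."
        "states": Counter(),            # (message type, logged ISAKMP state)
        "failures": defaultdict(list),  # peer -> times of IKMP_MODE_FAILURE
        "retries": Counter(),           # (local, remote) of "still budding" SAs
        "acl_hits": Counter(),          # crypto ACL names seen permitting traffic
    }
    for raw in text.splitlines():
        stamped = STAMP.match(raw.strip())
        if not stamped:
            continue
        when = datetime.strptime(
            PLACEHOLDER_YEAR + " " + " ".join(stamped.group(1).split()),
            "%Y %b %d %H:%M:%S.%f",
        )
        body = stamped.group(2)
        if "Notify has no hash" in body:
            summary["unauthenticated_notifies"] += 1
        m = STATE.search(body)
        if m:
            summary["states"][(m.group(1), m.group(2))] += 1
        m = FAILURE.search(body)
        if m:
            summary["failures"][m.group(1)].append(when)
        m = BUDDING.search(body)
        if m:
            summary["retries"][(m.group(1), m.group(2))] += 1
        m = ACL_HIT.search(body)
        if m:
            summary["acl_hits"][m.group(1)] += 1
    return summary


def stalled_negotiations(summary, min_failures=3):
    """Peers that fail repeatedly while only one ISAKMP state is ever logged.

    Simplification: the state line does not name the peer, so the set of
    states is taken over the whole log rather than per peer.
    """
    states = {state for _msg, state in summary["states"]}
    findings = []
    for peer, times in summary["failures"].items():
        if len(times) < min_failures or len(states) != 1:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        findings.append({
            "peer": peer,
            "state": next(iter(states)),
            "failures": len(times),
            "retry_period_s": round(sum(gaps) / len(gaps)) if gaps else None,
            "local_addresses": sorted(
                {local for local, remote in summary["retries"] if remote == peer}
            ),
        })
    return findings


if __name__ == "__main__":
    for finding in stalled_negotiations(summarize(LOG)):
        print(finding)
```

On the posted lines this reports one peer, 65.119.118.136, failing about once a minute with the logged state fixed at IKE_I_MM1, while the crypto ACL is matching traffic and the router is sourcing ISAKMP from 24.235.0.26.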
[c-nsp] FTP Throughput
Running tests on FTP throughput from a windows ftp client across two T3 hops to an ftp server running on FreeBSD unix. Pretty much all the bandwidth on both T3's is available. Total latency averages about 3ms. The customer on the end of the t3 is complaining that they can't get faster than 600KB per second anywhere. I get about 1000KB (8mbps) on a file transfer. I can start multiple file transfers, simultaneously, all top out at about that speed. The customer is demanding to know why they can't transfer files at, say, 40mbps. I am assuming the answer is something to do with TCP window size, but how do I prove that?

Joe
[c-nsp] Subnetting problem
It feels strange to be asking a question about something as simple as a subnet here, but I'm honestly not sure what's going on in this case. Probably something simple. As you can see from the following set of commands, the router is fine with breaking the following addresses up into /30's, but not fine with the aggregate of the two routes into a /29.

    gw1.armplc(config)#ip route 216.24.2.4 255.255.255.252 216.24.0.54
    gw1.armplc(config)#no ip route 216.24.2.4 255.255.255.252 216.24.0.54
    gw1.armplc(config)#ip route 216.24.2.8 255.255.255.252 216.24.0.54
    gw1.armplc(config)#no ip route 216.24.2.8 255.255.255.252 216.24.0.54
    gw1.armplc(config)#ip route 216.24.2.4 255.255.255.248 216.24.0.54
    %Inconsistent address and mask
Re: [c-nsp] Subnetting problem
Got it. Thanks for all the responses. I figured it was going to be something obvious and simple. Please accept this as an object lesson in why you shouldn't get drawn into a party til 5am midweek and then try to work on a network the next day. :-)

- Original Message -
From: Roy r.engehau...@gmail.com
To: Joseph Mays m...@win.net
Sent: Thursday, October 06, 2011 3:38 PM
Subject: Re: [c-nsp] Subnetting problem

216.24.2.4 255.255.255.248 is not the network boundary. The last octet must be divisible by 8.
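The boundary rule from Roy's reply, applied to the commands in the question, as an added Python example that is not part of the thread (function names are illustrative). It goes a little beyond the reply by also showing that the two /30s cannot be merged into any single /29 and which single prefix would cover both.

```python
import ipaddress
import re

# The commands from the question above, copied as posted.
COMMANDS = """\
gw1.armplc(config)#ip route 216.24.2.4 255.255.255.252 216.24.0.54
gw1.armplc(config)#no ip route 216.24.2.4 255.255.255.252 216.24.0.54
gw1.armplc(config)#ip route 216.24.2.8 255.255.255.252 216.24.0.54
gw1.armplc(config)#no ip route 216.24.2.8 255.255.255.252 216.24.0.54
gw1.armplc(config)#ip route 216.24.2.4 255.255.255.248 216.24.0.54
%Inconsistent address and mask
""".splitlines()

ROUTE = re.compile(r"ip route (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)")


def check_route(prefix, mask):
    """Return (aligned, network) for the prefix/mask pair of a static route.

    `network` is what the mask implies once the host bits are cleared; the
    pair is aligned only when the prefix already is that network address.
    """
    network = ipaddress.IPv4Network(f"{prefix}/{mask}", strict=False)
    return ipaddress.IPv4Address(prefix) == network.network_address, network


def audit(lines):
    """List (prefix, mask, implied network) for every misaligned ip route."""
    findings = []
    for line in lines:
        m = ROUTE.search(line)
        if not m:
            continue
        aligned, network = check_route(m.group(1), m.group(2))
        if not aligned:
            findings.append((m.group(1), m.group(2), str(network)))
    return findings


def aggregate(prefixes):
    """Merge prefixes only where they form exact, aligned supernets."""
    nets = [ipaddress.IPv4Network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def covering_prefix(prefixes):
    """Smallest single prefix containing all inputs (may cover extra space)."""
    nets = [ipaddress.IPv4Network(p) for p in prefixes]
    low = min(int(n.network_address) for n in nets)
    high = max(int(n.broadcast_address) for n in nets)
    length = 32 - (low ^ high).bit_length()   # bits shared by both ends
    base = (low >> (32 - length)) << (32 - length)
    return ipaddress.IPv4Network((base, length))


if __name__ == "__main__":
    print(audit(COMMANDS))
    print(aggregate(["216.24.2.4/30", "216.24.2.8/30"]))
    print(covering_prefix(["216.24.2.4/30", "216.24.2.8/30"]))
```

The two /30s sit in different /29s (216.24.2.0/29 and 216.24.2.8/29), so the only single route covering both is the /28, which also covers 216.24.2.0-3 and 216.24.2.12-15.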
[c-nsp] Cisco 7206 overloading every four hours
Recently started receiving a full BGP table on a cisco 7206. Since doing that, the router will run fine for a few hours, and then periodically the CPU load goes over the top. Is there some periodic process running to do some route aggregation or something that causes this?
Re: [c-nsp] Cisco 7206 overloading every four hours
What are the npe/mem specs of this box, and how many bgp peers are you getting partial or full routes from?

Only 1 peer for this box (at the moment). Show ver info below.

    core-gw1.noc>show ver
    Cisco Internetwork Operating System Software
    IOS (tm) 7200 Software (C7200-IK9SU2-M), Version 12.3(23), RELEASE SOFTWARE (fc5)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2007 by cisco Systems, Inc.
    Compiled Tue 24-Jul-07 21:42 by stshen
    Image text-base: 0x60008AF4, data-base: 0x61F54BE0

    ROM: System Bootstrap, Version 12.2(1r) [dchih 1r], RELEASE SOFTWARE (fc1)
    BOOTLDR: 7200 Software (C7200-BOOT-M), Version 12.0(24)S, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

    core-gw1.noc uptime is 37 weeks, 1 day, 8 hours, 11 minutes
    System returned to ROM by power-on
    System restarted at 05:39:25 EST Sun Jan 2 2011
    System image file is disk0:c7200-ik9su2-mz.123-23.bin

    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.

    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

    If you require further assistance please contact us by sending email to
    exp...@cisco.com.

    cisco 7206VXR (NPE300) processor (revision D) with 262144K/32768K bytes of memory.
    Processor board ID 20399590
    R7000 CPU at 262MHz, Implementation 39, Rev 2.1, 256KB L2 Cache
    6 slot VXR midplane, Version 2.0

    Last reset from power-on
    Bridging software.
    X.25 software, Version 3.0.0.
    --
    This Version of Cisco IOS Software is not supported on NPE300.
    Please select a version of Cisco IOS software compatible with this
    processor from http://www.cisco.com.
    --
    PCI bus mb0_mb1 (Slots 0, 1, 3 and 5) has a capacity of 600 bandwidth points.
    Current configuration on bus mb0_mb1 has a total of 200 bandwidth points.
    This configuration is within the PCI bus capacity and is supported.

    PCI bus mb2 (Slots 2, 4, 6) has a capacity of 600 bandwidth points.
    Current configuration on bus mb2 has a total of 380 bandwidth points
    This configuration is within the PCI bus capacity and is supported.

    Please refer to the following document Cisco 7200 Series Port
    Adaptor Hardware Configuration Guidelines on Cisco.com http://www.cisco.com
    for c7200 bandwidth points oversubscription and usage guidelines.

    2 FastEthernet/IEEE 802.3 interface(s)
    2 Serial network interface(s)
    125K bytes of non-volatile configuration memory.

    46976K bytes of ATA PCMCIA card at slot 0 (Sector size 512 bytes).
    4096K bytes of Flash internal SIMM (Sector size 256K).
    Configuration register is 0x102

    core-gw1.noc>
[c-nsp] Subrate T3 card
I have a T3/E3 card in a cisco 3640 that I want to use as a serial T3, but it does not show up as a serial interface, nor is there even a controller line in the config. It only shows up in the hardware information as a Subrate T3/E3 port. What does this mean?

    gw1.dist uptime is 1 hour, 36 minutes
    System returned to ROM by power-on
    System restarted at 17:00:56 EDT Tue Jul 26 2011
    System image file is flash:c3640-is-mz.123-6.bin

    cisco 3640 (R4700) processor (revision 0x00) with 124928K/6144K bytes of memory.
    Processor board ID 11876053
    R4700 CPU at 100MHz, Implementation 33, Rev 1.0
    Bridging software.
    X.25 software, Version 3.0.0.
    SuperLAT software (copyright 1990 by Meridian Technology Corp).
    2 FastEthernet/IEEE 802.3 interface(s)
    2 Serial network interface(s)
    1 Subrate T3/E3 ports(s)
    DRAM configuration is 64 bits wide with parity disabled.
    125K bytes of non-volatile configuration memory.
    24576K bytes of processor board System flash (Read/Write)

    Configuration register is 0x2102

    gw1.dist#
Re: [c-nsp] Subrate T3 card
You have to set the type first:

    card type t3 slot

That was it. I've never heard of that or had to do that before. Thanks much!
[c-nsp] Problem with IP Inspect
Okay, we had a router that had the internal LAN on fastethernet0/0, and the external WAN on Serial1. The internal lan had the following entries...

    interface FastEthernet0/0
     ip access-group OfficeACL out
     ip inspect WinnetOffice in

Which were associated with

    ip inspect max-incomplete high 1000
    ip inspect max-incomplete low 800
    ip inspect one-minute high 1000
    ip inspect one-minute low 800
    ip inspect dns-timeout 60
    ip inspect tcp idle-time 10800
    ip inspect name WinnetOffice icmp
    ip inspect name WinnetOffice fragment maximum 500 timeout 15
    ip inspect name WinnetOffice netshow
    ip inspect name WinnetOffice realaudio
    ip inspect name WinnetOffice tcp
    ip inspect name WinnetOffice udp
    ip inspect name WinnetOffice tftp
    ip inspect name WinnetOffice ftp audit-trail off

...and a long OfficeACL list that I won't go into at the moment.

We moved to a router that has the WAN connection on a pair bonded ethernet ports connected to a bridged ADSL modem, and the LAN port on Fastethernet0/0

I tried adding the ip inspect line and the acl line to Fastethernet0, but I found with nothing else changing, including the LAN IP's not changing, connections to the outside world broke. In trying various things, I found adding the ip inspect WinnetOffice in line broke communications to the outside world *by itself*, even if the ACL list was not being activated by the ip access-group line.

This shouldn't happen, should it? There is no way turning on ip inspection should break communications anywhere in the absence of an ACL list, is there?
Re: [c-nsp] Problem with IP Inspect
Tried your suggestion, thanks. Created the following ACL...

    ip access-list extended FaInboundACL
     permit ip any any

Added it to the inbound traffic on the LAN interface

    interface FastEthernet0/0
     description Win.net Chestnut St Office LAN
     ip address 216.24.33.1 255.255.255.0
     ip access-group FaInboundACL in
     ip verify unicast reverse-path
     no ip redirects
     no ip unreachables
     ip route-cache same-interface
     speed 100
     full-duplex
     no cdp enable

Not surprisingly, no effect, web browsing and everything work normally. I then added the ip inspect ...

    interface FastEthernet0/0
     description Win.net Chestnut St Office LAN
     ip address 216.24.33.1 255.255.255.0
     ip access-group FaInboundACL in
     ip verify unicast reverse-path
     no ip redirects
     no ip unreachables
     ip inspect WinnetOffice in
     ip route-cache same-interface
     speed 100
     full-duplex
     no cdp enable

And web browsing from the LAN stops working again.

- Original Message -
From: Kevin Graham kgra...@industrial-marshmallow.com
To: Joseph Mays m...@win.net
Cc: cisco-nsp@puck.nether.net
Sent: Friday, July 22, 2011 6:32 PM
Subject: Re: [c-nsp] Problem with IP Inspect

On Jul 22, 2011, at 1:23 PM, Joseph Mays m...@win.net wrote:

There is no way turning on ip inspection should break communications anywhere in the absence of an ACL list, is there?

IIRC, ip inspect is creating a pseudo-acl, so you're being bitten by the default deny. You should apply a permit ip any any ACL inbound on that interface.

(Adding more specific permits and making sure ACE counters aren't excessively increasing is also a really good way of making sure inspection is handling the traffic you intended it to during initial deployment without breaking anything).
[c-nsp] AS5300/AS5400 power supplies
Does anyone know if the power supplies in AS5300's and AS5400's are interchangeable?
[c-nsp] PPP fails with IOS upgrade
I sent a message yesterday about a problem we are having on an AS5400. PPP works fine with version 12.2.16, but fails with version 12.3.13. The config is not changing between the two versions. Here's information on the problem that is a bit more specific.

With the old version of IOS everything proceeds normally, as shown by the following debug output (debug ppp events, errors, and negotiation). With the new version, the debug output is identical through PAP authentication (with the exception of a session ID line that doesn't show up with the old version, but I don't think it has anything to do with the problem). Immediately after authentication, the new version begins sending an IPCP packet (with a ccp code?). It sends it over and over. On the client side, Windows dial-up times out during "Registering your computer on the network", saying it timed out awaiting a response from the server.

This is a confusing and disturbing problem, though I have a suspicion that when we arrive at the answer it will turn out to be something quite simple and easy to fix. Any help that can be offered would be appreciated.

With IOS c5400-js-mz.122-16.T17.bin

005248: Aug 23 12:00:14.918: As2/42 LCP: Lower layer not up, Fast Starting
005249: Aug 23 12:00:14.918: As2/42 PPP: Using dialer call direction
005250: Aug 23 12:00:14.918: As2/42 PPP: Treating connection as a callin
005251: Aug 23 12:00:14.918: As2/42 PPP: Phase is ESTABLISHING, Passive Open
005252: Aug 23 12:00:14.918: As2/42 LCP: State is Listen
[...]
005299: Aug 23 12:00:15.174: As2/42 PAP: Authenticating peer launch...@win.net
005300: Aug 23 12:00:15.174: As2/42 PPP: Phase is FORWARDING, Attempting Forward
005301: Aug 23 12:00:15.174: As2/42 EVT: Hook 1 0x
005302: Aug 23 12:00:15.174: As2/42 EVT: Hook 1 0x
005303: Aug 23 12:00:15.174: As2/42 EVT: Forwarded 0 0x
005304: Aug 23 12:00:15.174: As2/42 PPP: Phase is AUTHENTICATING, Unauthenticated User
005305: Aug 23 12:00:15.230: As2/42 EVT: AAA Response 0 0x6387270C
005306: Aug 23 12:00:15.230: As2/42 PPP: Phase is FORWARDING, Attempting Forward
005307: Aug 23 12:00:15.230: As2/42 EVT: Hook 1 0x
005308: Aug 23 12:00:15.230: As2/42 EVT: Forwarded 0 0x
005309: Aug 23 12:00:15.230: As2/42 PPP: Phase is AUTHENTICATING, Authenticated User
005310: Aug 23 12:00:15.230: As2/42 EVT: AAA Response 0 0x64BBD314
005311: Aug 23 12:00:15.230: As2/42 PAP: O AUTH-ACK id 27 len 5
005312: Aug 23 12:00:15.234: As2/42 PPP: Phase is UP
[...]
005361: Aug 23 12:00:15.550: As2/42 IPCP: Add link info for cef entry 216.24.0.207

With IOS c5400-js-mz.123-13b.bin

000835: Aug 23 12:15:59.328: As2/46 LCP: Lower layer not up, Fast Starting
000836: Aug 23 12:15:59.328: As2/46 PPP: Using dialer call direction
000837: Aug 23 12:15:59.328: As2/46 PPP: Treating connection as a callin
000838: Aug 23 12:15:59.328: As2/46 PPP: Session handle[D062] Session id[0]
000839: Aug 23 12:15:59.328: As2/46 PPP: Phase is ESTABLISHING, Passive Open
000840: Aug 23 12:15:59.328: As2/46 LCP: State is Listen
[...]
000887: Aug 23 12:15:59.576: As2/46 PAP: Authenticating peer launch...@win.net
000888: Aug 23 12:15:59.576: As2/46 PPP: Phase is FORWARDING, Attempting Forward
000889: Aug 23 12:15:59.576: As2/46 EVT: Hook 1 0x
000890: Aug 23 12:15:59.580: As2/46 EVT: Forwarded 0 0x
000891: Aug 23 12:15:59.580: As2/46 PPP: Phase is AUTHENTICATING, Unauthenticated User
000892: Aug 23 12:15:59.584: As2/46 EVT: AAA Response 0 0x64DFF388
000893: Aug 23 12:15:59.584: As2/46 PPP: Phase is FORWARDING, Attempting Forward
000894: Aug 23 12:15:59.584: As2/46 EVT: Hook 1 0x
000895: Aug 23 12:15:59.584: As2/46 EVT: Forwarded 0 0x
000896: Aug 23 12:15:59.584: As2/46 PPP: Phase is AUTHENTICATING, Authenticated User
000897: Aug 23 12:15:59.584: As2/46 EVT: AAA Response 0 0x64E0A3EC
000898: Aug 23 12:15:59.584: As2/46 EVT: AAA Response 0 0x64DDA8F8
000899: Aug 23 12:15:59.588: As2/46 PAP: O AUTH-ACK id 30 len 5
000900: Aug 23 12:15:59.700: As2/46 EVT: Packet 0 0x62AC4B40
000901: Aug 23 12:15:59.700: As2/46 PPP: Queue CCP code[1] id[4]
000902: Aug 23 12:15:59.700: As2/46 EVT: IPCP Packet 0 0x62AC7508
000903: Aug 23 12:15:59.700: As2/46 PPP: Queue IPCP code[1] id[5]
000904: Aug 23 12:16:01.328: As2/46 EVT: IPCP Packet 0 0x62AC98D8
000905: Aug 23 12:16:01.328: As2/46 PPP: Update queued IPCP code[1] id[6]
000906: Aug 23 12:16:01.328: As2/46 EVT: Packet 0 0x62AC9BD4
000907: Aug 23 12:16:01.328: As2/46 PPP: Update queued CCP code[1] id[7]
000908: Aug 23 12:16:04.328: As2/46 EVT: IPCP Packet 0 0x62AD4EE4
000909: Aug 23 12:16:04.328: As2/46 PPP: Update queued IPCP code[1] id[8]
[...]
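Added example (not part of the original post and not Cisco tooling): a Python check that scans debug ppp output in the format of the two traces above and reports sessions that logged the PAP AUTH-ACK but never reached "Phase is UP" while CCP/IPCP code[1] packets kept being queued. The sample lines, the name find_stalled and the min_requests threshold are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the debug ppp traces above
# (interfaces, ids and timestamps are illustrative, not from the post).
SAMPLE = """\
000101: Aug 23 12:00:15.230: As2/10 PAP: O AUTH-ACK id 27 len 5
000102: Aug 23 12:00:15.234: As2/10 PPP: Phase is UP
000103: Aug 23 12:15:59.588: As2/11 PAP: O AUTH-ACK id 30 len 5
000104: Aug 23 12:15:59.700: As2/11 PPP: Queue CCP code[1] id[4]
000105: Aug 23 12:15:59.700: As2/11 PPP: Queue IPCP code[1] id[5]
000106: Aug 23 12:16:01.328: As2/11 PPP: Update queued IPCP code[1] id[6]
000107: Aug 23 12:16:04.328: As2/11 PPP: Update queued IPCP code[1] id[8]
"""

# sequence number, timestamp, interface, subsystem, message
LINE = re.compile(r"^\d+: \w{3} +\d+ [\d:.]+: (?P<intf>\S+) (?P<proto>\w+): (?P<msg>.*)$")
# code[1] is Configure-Request in PPP control protocols (RFC 1661)
QUEUED = re.compile(r"^(?:Queue|Update queued) (?P<ncp>\w+) code\[1\] id\[\d+\]")

def _new():
    return {"auth": False, "up": False, "queued": defaultdict(int)}

def find_stalled(log, min_requests=3):
    """Return {interface: {protocol: count}} for sessions that passed PAP,
    never logged 'Phase is UP', and queued >= min_requests code[1] packets."""
    state = defaultdict(_new)
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # "[...]" elisions, blank lines, unrelated output
        intf, proto, msg = m["intf"], m["proto"], m["msg"]
        if proto == "PPP" and msg.startswith("Phase is ESTABLISHING"):
            state[intf] = _new()  # a new call reuses the interface name
        elif proto == "PAP" and msg.startswith("O AUTH-ACK"):
            state[intf]["auth"] = True
        elif proto == "PPP" and msg.startswith("Phase is UP"):
            state[intf]["up"] = True
        elif proto == "PPP" and (q := QUEUED.match(msg)):
            state[intf]["queued"][q["ncp"]] += 1
    return {i: dict(s["queued"]) for i, s in state.items()
            if s["auth"] and not s["up"]
            and sum(s["queued"].values()) >= min_requests}

if __name__ == "__main__":
    print(find_stalled(SAMPLE))
```

Run against a capture taken during the upgrade window, it separates dial-in sessions that completed from those stuck after authentication without reading every trace by hand.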
Re: [c-nsp] PPP fails with IOS upgrade
Dave Weis said

> Wild guess would be put no compress in your virtual template, that's what CCP appears to be.

Good suggestion, thanks, and if compression is what CCP is it's a useful clue. I just tried setting both no compress and compress stac in the virtual template, though, and the problem seems to be the same.

Joe Mays