[c-nsp] BGP Route Announcement

[Joseph Mays]

Having a problem with changing a bgp route announcement to cogent. We are 
announcing 216.24.0.0/18 to cogent currently.

router bgp 
no synchronization
bgp router-id 
bgp cluster-id xxx
bgp log-neighbor-changes
bgp bestpath compare-routerid
network 216.24.0.0 mask 255.255.192.0
neighbor 38.122.142.5 remote-as 174
neighbor 38.122.142.5 description Cogent A Peer to node router
neighbor 38.122.142.5 send-community
neighbor 38.122.142.5 version 4
neighbor 38.122.142.5 soft-reconfiguration inbound
neighbor 38.122.142.5 distribute-list deny-our-nets in
neighbor 38.122.142.5 distribute-list allow-our-nets out
neighbor 38.122.142.5 route-map cogent-outbound-prefs in
neighbor 38.122.142.5 route-map cogent-out out
no auto-summary

The distribute lists shown also just contained appropriate permit and deny 
entries for 216.24.0.0 /18

Kind of against my wishes the owner of our company sold several small network 
blocks we weren't using out of the upper half of the /18. As a result I have to 
change the bgp broadcast to cogent to broadcast a 216.24.0.0/19 and several 
smaller blocks we are still using out of the upper half. I assumed if I changed 
the distribute lists it would change the routes cogent was seeing. So I changed 
those first --

ip access-list standard allow-our-nets
permit 38.103.73.193
permit 216.24.0.0 0.0.31.255
permit 216.24.35.0 0.0.0.255
permit 216.24.36.0 0.0.3.255
permit 216.24.42.0 0.0.0.255
permit 216.24.48.0 0.0.3.255
permit 216.24.53.0 0.0.0.255
permit 216.24.54.0 0.0.0.255
permit 216.24.56.0 0.0.0.255
permit 216.24.60.0 0.0.1.255
permit 216.24.62.0 0.0.0.255

ip access-list standard deny-our-nets
deny   216.24.35.0 0.0.0.255
deny   216.24.36.0 0.0.3.255
deny   216.24.42.0 0.0.0.255
deny   216.24.48.0 0.0.3.255
deny   216.24.53.0 0.0.0.255
deny   216.24.54.0 0.0.0.255
deny   216.24.56.0 0.0.0.255
deny   216.24.60.0 0.0.1.255
deny   216.24.62.0 0.0.0.255
deny   216.24.0.0 0.0.31.255
permit any

But it didn't change the broadcast cogent was receiving at all. So then I 
changed the networks statement in bgp config.

router bgp 
no synchronization
bgp router-id 
bgp cluster-id xxx
bgp log-neighbor-changes
bgp bestpath compare-routerid
network 216.24.32.0 mask 255.255.224.0
network 216.24.35.0 mask 255.255.255.0
network 216.24.36.0 mask 255.255.252.0
network 216.24.42.0 mask 255.255.255.0
network 216.24.48.0 mask 255.255.252.0
network 216.24.53.0 mask 255.255.255.0
network 216.24.54.0 mask 255.255.255.0
network 216.24.56.0 mask 255.255.255.0
network 216.24.60.0 mask 255.255.254.0
network 216.24.62.0 mask 255.255.255.0
neighbor 38.122.142.5 remote-as 174
neighbor 38.122.142.5 description Cogent A Peer to node router
neighbor 38.122.142.5 send-community
neighbor 38.122.142.5 version 4
neighbor 38.122.142.5 soft-reconfiguration inbound
neighbor 38.122.142.5 distribute-list deny-our-nets in
neighbor 38.122.142.5 distribute-list allow-our-nets out
neighbor 38.122.142.5 route-map cogent-outbound-prefs in
neighbor 38.122.142.5 route-map cogent-out out
no auto-summary

That changed the broadcast cogent was receiving, but not in the expected way. 
They only route they saw us broadcasting after that was the 216.24.60.0/23 
route. Not the first one in the list, not the last one, not the biggest one or 
the smallest one, but just one route from the middle of the list. I don't get 
this behavior at all. Cogent cleared and bounced bgp to us, and still received 
only that one route in the broadcast from us.

Can anyone tell me why I got this behavior, and what am I overlooking in 
altering our bgp config to broadcast this group of routes? Thank you for your 
patience with this message.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] Router memory problem

[Joseph Mays]

You are correct. I changed it as I was in the process of writing the mail to 
see if filtering even more would cause the number of routes to drop faster. 
It didn't. Continued dropping at the same slow rate. So I put it back to 23. 
But the email got parts of each config.


From: CiscoNSP List 
Sent: Sunday, October 30, 2016 4:31 PM
To: Joseph Mays ; Chris Boyd ; cisco-nsp@puck.nether.net 
Subject: Re: [c-nsp] Router memory problem

Very bleary eyed - but shouldnt this:



ip prefix-list max23 seq 5 permit 0.0.0.0/0 ge 8 le 16



be:

ip prefix-list max16 seq 5 permit 0.0.0.0/0 ge 8 le 16



As you are referencing max16 in your dist-ist 

router bgp 
  distribute-list prefix max16 in









From: cisco-nsp <cisco-nsp-boun...@puck.nether.net> on behalf of Joseph Mays 
<m...@win.net>
Sent: Thursday, 27 October 2016 7:06 AM
To: Chris Boyd; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Router memory problem 

> On the plus side, if you screw up routing with a mistake, you’ll free a lot 
> of memory :-/

See, there could be a silver lining. :-)

Got the commands in...

router bgp 
  distribute-list prefix max16 in

ip prefix-list max23 seq 5 permit 0.0.0.0/0 ge 8 le 16

The bgp table seems to be dropping in size over time

core-gw1.noc#show ip bgp sum
[...]
xx.xxx.xxx.x4   174  146060 785   70730200 13:00:03   605322

core-gw1.noc#show ip bgp sum
[...]
xx.xxx.xxx.x4   174  146060 785   70730200 13:00:03   603660

but it's taking a long time. I could clear the bgp tables, but I'm hesitant to 
do that. Maybe better to just let it drop over time.







-Original Message- 
From: Chris Boyd 
Sent: Wednesday, October 26, 2016 3:57 PM 
To: cisco-nsp@puck.nether.net 
Subject: Re: [c-nsp] Router memory problem 


> On Oct 26, 2016, at 2:19 PM, Joseph Mays <m...@win.net> wrote:
> 
> I was thinking about using a prefix list to limit the size of the BGP routing 
> table.

Hard to do if you can’t see the config, but I suppose if you are careful you 
could tftp it in, since you mentioned that’s still working.  On the plus side, 
if you screw up routing with a mistake, you’ll free a lot of memory :-/

—Chris

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp cisco-nsp Info Page - 
puck.nether.net
  puck.nether.net
  cisco-nsp -- list for people using cisco in a NSP (Network service 
provider) environment About cisco-nsp 


archive at http://puck.nether.net/pipermail/cisco-nsp/
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp cisco-nsp Info Page - 
puck.nether.net
  puck.nether.net
  cisco-nsp -- list for people using cisco in a NSP (Network service 
provider) environment About cisco-nsp 


archive at http://puck.nether.net/pipermail/cisco-nsp/
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] Router memory problem

[Joseph Mays]

> On the plus side, if you screw up routing with a mistake, you’ll free a lot 
> of memory :-/

See, there could be a silver lining. :-)

Got the commands in...

router bgp 
  distribute-list prefix max16 in

ip prefix-list max23 seq 5 permit 0.0.0.0/0 ge 8 le 16

The bgp table seems to be dropping in size over time

core-gw1.noc#show ip bgp sum
[...]
xx.xxx.xxx.x4   174  146060 785   70730200 13:00:03   605322

core-gw1.noc#show ip bgp sum
[...]
xx.xxx.xxx.x4   174  146060 785   70730200 13:00:03   603660

but it's taking a long time. I could clear the bgp tables, but I'm hesitant to 
do that. Maybe better to just let it drop over time.







-Original Message- 
From: Chris Boyd 
Sent: Wednesday, October 26, 2016 3:57 PM 
To: cisco-nsp@puck.nether.net 
Subject: Re: [c-nsp] Router memory problem 


> On Oct 26, 2016, at 2:19 PM, Joseph Mays <m...@win.net> wrote:
> 
> I was thinking about using a prefix list to limit the size of the BGP routing 
> table.

Hard to do if you can’t see the config, but I suppose if you are careful you 
could tftp it in, since you mentioned that’s still working.  On the plus side, 
if you screw up routing with a mistake, you’ll free a lot of memory :-/

—Chris

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] Router memory problem

[Joseph Mays]

I was thinking about using a prefix list to limit the size of the BGP 
routing table.



-Original Message- 
From: Chris Boyd

Sent: Wednesday, October 26, 2016 2:59 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Router memory problem



On Oct 26, 2016, at 1:51 PM, Chuck Church  wrote:

Is the router out of RAM?  A really low memory condition might cause this. 
'show mem' or 'show log' (if configured) might show some malloc errors if 
that is the issue.


+1 I had a similar issue a while back with a 7206VXR that was getting full 
routes.  Worked fine, forwarding packets, but could not sh run.  Cutting 
back to customer routes + default “fixed” it about 10 minutes after the 
upstream made the change.


—Chris

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/ 


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] Router memory problem

[Joseph Mays]

Perhaps. Looks like, but I don't know if it's TOO low.


core-gw1.noc#show mem
HeadTotal(b) Used(b) Free(b)   Lowest(b)  Largest(b)
Processor   6381CC60   78368   438972176 5506192  945056  898812
  I/OE003355443210948872226055602228776022426364

Maybe if I reduce the size of the bgp tables.

-Original Message- 
From: Chuck Church 
Sent: Wednesday, October 26, 2016 2:51 PM 
To: 'Joseph Mays' ; cisco-nsp@puck.nether.net 
Subject: RE: [c-nsp] Router memory problem 

Is the router out of RAM?  A really low memory condition might cause this.  
'show mem' or 'show log' (if configured) might show some malloc errors if that 
is the issue.

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Joseph 
Mays
Sent: Wednesday, October 26, 2016 2:28 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Router memory problem

I’m dealing with a serious problem on a router I can only connect to remotely. 
Show run on the router returns nothing.

core-gw1.noc#show run
core-gw1.noc#

The running config is definitely there, though and the router is operational. 
And interestingly the system that copies the router’s config every night seems 
to have no problem pulling it down via tftp. And I can add and remove config 
commands and have them become active, even though I can’t see the config when 
it’s running.

I tried copying the running config to the startup config and got an error.

core-gw1.noc#dir nvram:
Directory of nvram:/

  488  -rw-   19717  startup-config
  489  1157  private-config
  490  -rw-   19717  underlying-config
1    46  persistent-data
2  -rw-   0  ifIndex-table
3  -rw-   4  rf_cold_starts

522232 bytes total (498234 bytes free)
core-gw1.noc#write mem
startup-config file open failed (Not enough space)

I found that any command I try with regards to the startup config gets the same 
result. I concluded that the nvram: must be corrupt. So I did an “erase” to 
reformat and clear it, and that went fine. so then I tried to write the 
startup-config again and had the same problem.

core-gw1.noc#erase nvram:
Erasing the nvram filesystem will remove all configuration files! Continue? 
[confirm] [OK] Erase of nvram: complete core-gw1.noc#dir nvram:
Directory of nvram:/

  508  -rw-   0  startup-config
  509     0  private-config
  510  -rw-   0  underlying-config
1    46  persistent-data
2  -rw-   0  ifIndex-table
3  -rw-   4  rf_cold_starts

522232 bytes total (519108 bytes free)
core-gw1.noc#copy run start
Destination filename [startup-config]?
startup-config file open failed (Not enough space)

So now I am in a position where I don’t dare reboot the router because it has 
no startup config. I did try tftping the backup config to nvram:, and it worked 
find as long as I gave it another name.

core-gw1.noc#copy tftp nvram:
Address or name of remote host [admin2.win.net]?
Source filename [core-gw1.noc-confg.noALW]? noc-config Destination filename 
[noc-config]?
Accessing tftp://admin2.win.net/noc-config...
Loading noc-config from 216.24.27.2 (via FastEthernet2/0): !!!
[OK - 34368 bytes]

34368 bytes copied in 0.756 secs (45460 bytes/sec) core-gw1.noc#dir nvram:
Directory of nvram:/

  508  -rw-   0  startup-config
  509     0  private-config
  510  -rw-   0  underlying-config
1    46  persistent-data
2  -rw-   0  ifIndex-table
3  -rw-   4  rf_cold_starts
4  -rw-   34368  noc-config

But when I tried to rename noc-config to startup-config, it gave the same space 
error. As does deleting startup-config, or any attempt to do anything to the 
startup-config file.

Here is the show ver info on the router.

Cisco Internetwork Operating System Software IOS (tm) 7200 Software 
(C7200-IK9SU2-M), Version 12.3(23), RELEASE SOFTWARE (fc5) Technical Support: 
http://www.cisco.com/techsupport Copyright (c) 1986-2007 by cisco Systems, Inc.
Compiled Tue 24-Jul-07 21:42 by stshen
Image text-base: 0x60008AF4, data-base: 0x61F53280

ROM: System Bootstrap, Version 12.2(20030826:190624) [BLD-npeg1_rommon_r11 
102], DEVELOPMENT SOFTWARE
BOOTLDR: 7200 Software (C7200-KBOOT-M), Version 12.2(15)B, EARLY DEPLOYMENT 
RELEASE SOFTWARE (fc1)

core-gw1.noc uptime is 11 hours, 10 minutes System returned to ROM by reload at 
03:00:12 EDT Wed Oct 26 2016 System restarted at 03:02:54 EDT Wed Oct 26 2016 
System image file is "disk2:

Re: [c-nsp] Router memory problem

[Joseph Mays]

The "show run" command has always worked in the past. No one else has 
reconfigured anything on this router since I started working on it.

core-gw1.noc#show priv
Current privilege level is 15
core-gw1.noc#show running-config view full
 ^
% Invalid input detected at '^' marker.

core-gw1.noc#show running-config ?
  brief   configuration without certificate data
  class-map   Show class-map information
  fullfull configuration
  interface   Show interface configuration
  linenum Display line numbers in output
  map-class   Show map class information
  policy-map  Show policy-map information
  |   Output modifiers
  

core-gw1.noc#show running-config full
core-gw1.noc#


-Original Message- 
From: Nick Cutting 
Sent: Wednesday, October 26, 2016 2:32 PM 
To: Joseph Mays ; cisco-nsp@puck.nether.net 
Subject: RE: [c-nsp] Router memory problem 

Check your logged in at privilege 15
Also - there may be "views" configured.

Try also this:

sh running-config view full

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Joseph 
Mays
Sent: Wednesday, October 26, 2016 2:28 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Router memory problem

I’m dealing with a serious problem on a router I can only connect to remotely. 
Show run on the router returns nothing.

core-gw1.noc#show run
core-gw1.noc#

The running config is definitely there, though and the router is operational. 
And interestingly the system that copies the router’s config every night seems 
to have no problem pulling it down via tftp. And I can add and remove config 
commands and have them become active, even though I can’t see the config when 
it’s running.

I tried copying the running config to the startup config and got an error.

core-gw1.noc#dir nvram:
Directory of nvram:/

  488  -rw-   19717  startup-config
  489  1157  private-config
  490  -rw-   19717  underlying-config
1    46  persistent-data
2  -rw-   0  ifIndex-table
3  -rw-   4  rf_cold_starts

522232 bytes total (498234 bytes free)
core-gw1.noc#write mem
startup-config file open failed (Not enough space)

I found that any command I try with regards to the startup config gets the same 
result. I concluded that the nvram: must be corrupt. So I did an “erase” to 
reformat and clear it, and that went fine. so then I tried to write the 
startup-config again and had the same problem.

core-gw1.noc#erase nvram:
Erasing the nvram filesystem will remove all configuration files! Continue? 
[confirm] [OK] Erase of nvram: complete core-gw1.noc#dir nvram:
Directory of nvram:/

  508  -rw-   0  startup-config
  509     0  private-config
  510  -rw-   0  underlying-config
1    46  persistent-data
2  -rw-   0  ifIndex-table
3  -rw-   4  rf_cold_starts

522232 bytes total (519108 bytes free)
core-gw1.noc#copy run start
Destination filename [startup-config]?
startup-config file open failed (Not enough space)

So now I am in a position where I don’t dare reboot the router because it has 
no startup config. I did try tftping the backup config to nvram:, and it worked 
find as long as I gave it another name.

core-gw1.noc#copy tftp nvram:
Address or name of remote host [admin2.win.net]?
Source filename [core-gw1.noc-confg.noALW]? noc-config Destination filename 
[noc-config]?
Accessing tftp://admin2.win.net/noc-config...
Loading noc-config from 216.24.27.2 (via FastEthernet2/0): !!!
[OK - 34368 bytes]

34368 bytes copied in 0.756 secs (45460 bytes/sec) core-gw1.noc#dir nvram:
Directory of nvram:/

  508  -rw-   0  startup-config
  509     0  private-config
  510  -rw-   0  underlying-config
1    46  persistent-data
2  -rw-   0  ifIndex-table
3  -rw-   4  rf_cold_starts
4  -rw-   34368  noc-config

But when I tried to rename noc-config to startup-config, it gave the same space 
error. As does deleting startup-config, or any attempt to do anything to the 
startup-config file.

Here is the show ver info on the router.

Cisco Internetwork Operating System Software IOS (tm) 7200 Software 
(C7200-IK9SU2-M), Version 12.3(23), RELEASE SOFTWARE (fc5) Technical Support: 
http://www.cisco.com/techsupport Copyright (c) 1986-2007 by cisco Systems, Inc.
Compiled Tue 24-Jul-07 21:42 by stshen
Image text-base: 0x60008AF4, data-base: 0x61F53280

ROM: System Bootstrap, Version 12.2(20030826:190624) [BLD-npeg1_rommon_r1

[c-nsp] Router memory problem

[Joseph Mays]

I’m dealing with a serious problem on a router I can only connect to remotely. 
Show run on the router returns nothing.

core-gw1.noc#show run
core-gw1.noc#

The running config is definitely there, though and the router is operational. 
And interestingly the system that copies the router’s config every night seems 
to have no problem pulling it down via tftp. And I can add and remove config 
commands and have them become active, even though I can’t see the config when 
it’s running.

I tried copying the running config to the startup config and got an error.

core-gw1.noc#dir nvram:
Directory of nvram:/

  488  -rw-   19717  startup-config
  489  1157  private-config
  490  -rw-   19717  underlying-config
1    46  persistent-data
2  -rw-   0  ifIndex-table
3  -rw-   4  rf_cold_starts

522232 bytes total (498234 bytes free)
core-gw1.noc#write mem
startup-config file open failed (Not enough space)

I found that any command I try with regards to the startup config gets the same 
result. I concluded that the nvram: must be corrupt. So I did an “erase” to 
reformat and clear it, and that went fine. so then I tried to write the 
startup-config again and had the same problem.

core-gw1.noc#erase nvram:
Erasing the nvram filesystem will remove all configuration files! Continue? 
[confirm]
[OK]
Erase of nvram: complete
core-gw1.noc#dir nvram:
Directory of nvram:/

  508  -rw-   0  startup-config
  509     0  private-config
  510  -rw-   0  underlying-config
1    46  persistent-data
2  -rw-   0  ifIndex-table
3  -rw-   4  rf_cold_starts

522232 bytes total (519108 bytes free)
core-gw1.noc#copy run start
Destination filename [startup-config]?
startup-config file open failed (Not enough space)

So now I am in a position where I don’t dare reboot the router because it has 
no startup config. I did try tftping the backup config to nvram:, and it worked 
find as long as I gave it another name.

core-gw1.noc#copy tftp nvram:
Address or name of remote host [admin2.win.net]?
Source filename [core-gw1.noc-confg.noALW]? noc-config
Destination filename [noc-config]?
Accessing tftp://admin2.win.net/noc-config...
Loading noc-config from 216.24.27.2 (via FastEthernet2/0): !!!
[OK - 34368 bytes]

34368 bytes copied in 0.756 secs (45460 bytes/sec)
core-gw1.noc#dir nvram:
Directory of nvram:/

  508  -rw-   0  startup-config
  509     0  private-config
  510  -rw-   0  underlying-config
1    46  persistent-data
2  -rw-   0  ifIndex-table
3  -rw-   4  rf_cold_starts
4  -rw-   34368  noc-config

But when I tried to rename noc-config to startup-config, it gave the same space 
error. As does deleting startup-config, or any attempt to do anything to the 
startup-config file.

Here is the show ver info on the router.

Cisco Internetwork Operating System Software
IOS (tm) 7200 Software (C7200-IK9SU2-M), Version 12.3(23), RELEASE SOFTWARE 
(fc5)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by cisco Systems, Inc.
Compiled Tue 24-Jul-07 21:42 by stshen
Image text-base: 0x60008AF4, data-base: 0x61F53280

ROM: System Bootstrap, Version 12.2(20030826:190624) [BLD-npeg1_rommon_r11 
102], DEVELOPMENT SOFTWARE
BOOTLDR: 7200 Software (C7200-KBOOT-M), Version 12.2(15)B, EARLY DEPLOYMENT 
RELEASE SOFTWARE (fc1)

core-gw1.noc uptime is 11 hours, 10 minutes
System returned to ROM by reload at 03:00:12 EDT Wed Oct 26 2016
System restarted at 03:02:54 EDT Wed Oct 26 2016
System image file is "disk2:c7200-ik9su2-mz.123-23.bin"
Last reload reason: Reload command



This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
exp...@cisco.com.

cisco 7206VXR (NPE-G1) processor (revision A) with 491520K/32768K bytes of 
memory.
Processor board ID 20399590
SB-1 CPU at 

[c-nsp] Etherchannel problem

[Joseph Mays]

> RtrA(216.24.2.201,205)SwASwBRtrB(216.24.2.202,206)

Got the vlan problem fixed. Now on to a related, but slightly different problem 
with the same set of ports.

I actually want the ethernet connections between SwA and SwB to be etherchannel 
port groups on vlan808. As I said, SwB is a 2924, and they don't support 
interface ranges. I put the ports on SwB in a port group, and SwA into an 
etherchannel group, and it seems to work, except pings from off the router on 
the RtrA lan receive duplicate packet responses. When I ping from the routers 
on either side they don't show duplicate packets, but then I've never seen a 
duplicate packet response on a cisco ping so I'm not sure how it gets 
represented.

Ping from RtrA to RtrB across the bundled ethernet ports between SwA and SwB

gw1.armplc#ping 216.24.2.201

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 216.24.2.201, timeout is 2 seconds:
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Ping from a FreeBSD machine on the lan behind RtrA. Note that this ping did not 
show duplicate packet responses until I had the ethernet ports bundled.

admin1# ping 216.24.2.202
PING 216.24.2.202 (216.24.2.202): 56 data bytes
64 bytes from 216.24.2.202: icmp_seq=0 ttl=254 time=1.755 ms
64 bytes from 216.24.2.202: icmp_seq=0 ttl=254 time=1.953 ms (DUP!)
64 bytes from 216.24.2.202: icmp_seq=1 ttl=254 time=4.208 ms
64 bytes from 216.24.2.202: icmp_seq=1 ttl=254 time=4.446 ms (DUP!)

Here are the etherchannel and port group configs on the routers

RtrA (2950)

interface Port-channel2
!
interface FastEthernet0/1
description Link via HN408U #1 to sw1.armplc FE0/10
switchport trunk allowed vlan 808
switchport mode trunk
speed 100
duplex full
channel-group 2 mode desirable
!
interface FastEthernet0/2
description Link via HN408U #2 to sw1.armplc FE0/17
switchport trunk allowed vlan 808
switchport mode trunk
speed 100
duplex full
channel-group 2 mode desirable

RtrB (2924XL)

interface FastEthernet0/10
description Link via HN408U #1 to sw1.armplc FE0/1
duplex full
speed 100
port group 2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,808,1002-1005
switchport mode trunk
no cdp enable
!
interface FastEthernet0/17
description Link via HN408U #2 to sw1.armplc FE0/2
duplex full
speed 100
port group 2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,808,1002-1005
switchport mode trunk
no cdp enable
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

[c-nsp] VLAN mystery

[Joseph Mays]

Dealing with a mysterious vlan that won't work, right next to an identically 
configured VLAN on all the same equipment that works fine.

Router A is a cisco 7206 with two vlan subinterfaces on the same port, one 
(vlan 808) with address 216.24.2.201/30, one (vlan 888) with address 
216.24.2.205/30. Gigabit0/2 is a gigE interface to Switch A

Switch A is a catalyst 2950. FastEthernet0/1 is a gig-e connection to Router A 
configured in VLAN trunking mode. Fastethernet0/1 is a 100bt connection to 
remote switch B, configured as a vlan trunk that only allows vlan 808. 
Fastethernet0/2 is a 100bt connection to remote switch B, configured as a vlan 
trunk that only allows vlan 888. Both vlans are defined in both the config and 
the vlan database.

Switch B is a catalyst 2924. FastEthernet0/1 is a 100bt connection to Router B 
configured in VLAN trunking mode. Fastethernet0/10 is a 100bt connection to 
remote switch A, configured as a vlan trunk that only allows vlan 808. 
Fastethernet0/17 is a 100bt connection to remote switch A, configured as a vlan 
trunk that only allows vlan 888. Both vlans are defined in both the config and 
the vlan database.

Router B is a cisco 7206 with two vlan subinterfaces on the same port, one 
(vlan 808) with address 216.24.2.201/30, one (vlan 888) with address 
216.24.2.205/30. Fastethernet1/0 is a 100bt interface to Switch A

So --

RtrA(216.24.2.201,205)SwASwBRtrB(216.24.2.202,206)

>From I can ping between 216.24.2.201 and 216.24.2.202 across vlan 808 fine. I 
>cannot get traffic either direction between 216.24.2.205 and 216.24.2.206 
>across vlan 888. As near as I can tell the vlans are configured identically 
>through all pieces of equipment, and both have been entered in the vlan 
>database on both switches. I must be forgetting something about vlan config 
>somewhere, but I can't figure out where. What am I missing?

Pings from core-gw1 (RtrA)

core-gw1.noc#ping 216.24.2.202

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 216.24.2.202, timeout is 2 seconds:
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
core-gw1.noc#ping 216.24.2.206

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 216.24.2.206, timeout is 2 seconds:
.
Success rate is 0 percent (0/5)

Below is the relevant config info from all the equipment.

=
On Router A

interface GigabitEthernet0/2.808
description HN-808 interconnect to armplc via core-sw3
encapsulation dot1Q 808
ip address 216.24.2.201 255.255.255.252
no cdp enable
!
interface GigabitEthernet0/2.888
description HN-888 interconnect to armplc via core-sw3
encapsulation dot1Q 888
ip address 216.24.2.205 255.255.255.252
no cdp enable

=
On Switch A

interface FastEthernet0/1
switchport trunk allowed vlan 808
switchport mode trunk
speed 100
duplex full
!
interface FastEthernet0/2
switchport trunk allowed vlan 888
switchport mode trunk
speed 100
duplex full
!
interface GigabitEthernet0/1
switchport mode trunk
speed 1000
duplex full
!
interface Vlan1
no ip address
no ip route-cache
!
interface Vlan808
no ip address
no ip route-cache
shutdown
!
interface Vlan888
no ip address
no ip route-cache
shutdown

Switch#show vlan id 808

VLAN Name StatusPorts
  - ---
808  VLAN0808 activeFa0/1, Gi0/1

VLAN Type  SAID   MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
 - -- - -- --    -- --
808  enet  100808 1500  -  -  ---0  0

Remote SPAN VLAN

Disabled

Primary Secondary Type  Ports
--- - - --

Switch#show vlan id 888

VLAN Name StatusPorts
  - ---
888  VLAN0888 activeFa0/2, Gi0/1

VLAN Type  SAID   MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
 - -- - -- --    -- --
888  enet  100888 1500  -  -  ---0  0

Remote SPAN VLAN

Disabled

Primary Secondary Type  Ports
--- - - --

=
On Switch B

interface FastEthernet0/1
description to gw1.armplc
duplex full
speed 100
switchport trunk encapsulation dot1q
switchport mode trunk
no cdp enable
!
interface FastEthernet0/10
description Hatteras 1 - HN408-U
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,808,1002-1005
switchport mode trunk
no 

Re: [c-nsp] [cisco-nas] AS5400 More than 256 HDLC channels per CT3 card

[Joseph Mays]

From: Joseph Mays 
Sent: Wednesday, July 08, 2015 12:36 PM
To: Aaron Leonard 
Cc: cisco-...@puck.nether.net 
Subject: Re: [cisco-nas] AS5400 More than 256 HDLC channels per CT3 card

This is useful information, but does it allow me to add more HDLC channels to a 
channel-group in a controller config? The problem I am having is that we add 
ds1 channels to ds3’s on an AS5400, add channel-gorups and pri-groups to the 
ds1’s, like so...

controller T1 1/0:26
framing esf
channel-group 0 timeslots 1-15 speed 64
loopback network ignore
pri-group timeslots 16-24
description combo PRI/T1

... and when channel-groups equal to 256 hdlc channels for the particular ds3 
card have been added then the following happens

AS5400#config t
Enter configuration commands, one per line.  End with CNTL/Z.
AS5400(config)#controller t1 7/0:14
AS5400#(config-controller)#channel-group 0 timeslots 1-22 speed 64 
%Insufficient HDLC resources to create channel group

So what I specifically need is to be able to add more channel-group timeslots 
to the ds1’s on the unit. If I add resource pools as shown in your example 
below, will it allow me to add more channel-groups and channels to a t1 
controller config?



From: Aaron Leonard 
Sent: Friday, April 18, 2014 5:29 PM
To: Joseph Mays 
Cc: nas cisco 
Subject: Re: [cisco-nas] AS5400 More than 256 HDLC channels per CT3 card

Joe, the 256 HDLC framers are on each CT3 card, and you can't use the framers 
on one card to handle channels on another card. However, you can go past the 
HDLC channel limit by adding NextPort DSPs to handle the HDLC framing 
(Tardis), and then the DSPs do act as a global pool.

Afaik, we never documented anything on this on CCO.  Below is a snippet of a 
config that uses RPM to switch HDLC calls to a Tardis DSP pool.

Hth,

Aaron




Yes, you can use RPM to route your HDLC calls to NP resources. Basically 
you create a DNIS based customer profile and specify NP resource range for 
that number, such that the call will be routed to NP resources instead of 
default FreeDM resources. We use that in our Tardis testing and regression. 
Here is the configuration looks like. If you need some automated help then 
we have a ready-to-go scripts running for both AS5400 and AS5850.

===
resource-pool enable

resource-pool group resource tardis-ports
  range 1/0 - 1/323

resource-pool profile customer tardis-cust
  limit base-size all
  limit overflow-size 0
  resource tardis-ports digital
  dnis group tardis-dnis

dialer dnis group tardis-dnis
   number ... your DNIS number here...





On 4/16/2014 11:04 AM, m...@win.net (Joseph Mays) wrote:

  The standard CT3 card for an AS5400 only allows 256 HDLC channels, or about 
10.5 T1’s. Is there any other T3 card available for an AS5400 that supports 
more HDLC channels, or any way to increase the number of HDLC channels 
supported? Also, if I have two CT3 cards in a unit, are the HDLC channels for 
each tied to their respective cards, or are they available system-wide? That 
is, would two cards required that I set up 10 T1’s on each card, or would they 
allow me to set up 20 T1’s on one card and no T1’s on the other?

  Joe Mays


   

___
cisco-nas mailing list
cisco-...@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nas




___
cisco-nas mailing list
cisco-...@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nas
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

[c-nsp] Ping getting IPv6 address, though IPv6 is not enabled.

[Joseph Mays]

Got something going on on a router that seems strange. To me, anyway.

I have a router that does not have IPv6 enabled, nor is IPv6 being used in the 
network it’s on. “ipv6” does not even occur anywhere in the config.

On any addresses it looks up the IPv4 address fine, and can route to that 
address. But when I ping something like www.yahoo.com it grabs the IPv6 address 
and tries to ping that. And fails, of course. How do I get it to stop 
preferring IPv6 addresses?

core-gw1.noc#show ip route www.yahoo.com
Translating www.yahoo.com...domain server (216.24.27.4) [OK]

Routing entry for 98.139.128.0/17
  Known via bgp 7333, distance 20, metric 126041
  Tag 174, type external
  Last update from 38.122.142.5 1w0d ago
  Routing Descriptor Blocks:
  * 38.122.142.5, from 38.122.142.5, 1w0d ago
  Route metric is 126041, traffic share count is 1
  AS Hops 3

core-gw1.noc#show run | include ping
core-gw1.noc#show run | include icmp
permit icmp any host 216.24.27.41
core-gw1.noc#ping www.yahoo.com
Translating www.yahoo.com...domain server (216.24.27.4) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:4998:58:C02::A9, timeout is 2 seconds:
.
Success rate is 0 percent (0/5)
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

[c-nsp] Router MIB for Lowest Processor Mem

[Joseph Mays]

So, I was looking for the MIB’s for the following info --


hbpots01.noc#show mem stat
HeadTotal(b) Used(b) Free(b)   Lowest(b)  Largest(b)
Processor   646D7940   18261779236604700   146013092   145186904   142833748
  I/OF5011534336 6070116 5464220 5438864 5458140


I found all of them except the one I particularly need. Which is not 
surprising, because that’s just the way my life works, really. I found Process 
and IO MIB’s for Used, Free, and Largest Memory, which are all together.


SNMPv2-SMI::enterprises.9.9.48.1.1.1.5.1 = Gauge32: 36547448
SNMPv2-SMI::enterprises.9.9.48.1.1.1.5.2 = Gauge32: 6070096
SNMPv2-SMI::enterprises.9.9.48.1.1.1.6.1 = Gauge32: 146070344
SNMPv2-SMI::enterprises.9.9.48.1.1.1.6.2 = Gauge32: 5464240
SNMPv2-SMI::enterprises.9.9.48.1.1.1.7.1 = Gauge32: 142866568
SNMPv2-SMI::enterprises.9.9.48.1.1.1.7.2 = Gauge32: 5458140

What I can’t find is the one I really need, “Lowest” processor memory. I was 
looking through Cisco OID docs and can’t find it there. Anyone know the MIB for 
the Lowest Processor Memory value, or where to find it?

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

[c-nsp] Upgrade NPE-400 to NPE-G1

[Joseph Mays]

I have a cisco 7206 VXR with NPE-400 running c7200-ik9su2-mz.123-23.bin. I have 
an NPE-G1 card now that I would like to put in the router instead. Can I just 
swap the NPE-400 for the G1 card and expect it to work? I’m attaching the show 
ver on the NPE-400 system showing the bootloader, IOS, etc.

core-gw1.noc#show ver
Cisco Internetwork Operating System Software
IOS (tm) 7200 Software (C7200-IK9SU2-M), Version 12.3(23), RELEASE SOFTWARE 
(fc5)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by cisco Systems, Inc.
Compiled Tue 24-Jul-07 21:42 by stshen
Image text-base: 0x60008AF4, data-base: 0x61F61720

ROM: System Bootstrap, Version 12.2(4r)B, RELEASE SOFTWARE (fc1)
BOOTLDR: 7200 Software (C7200-BOOT-M), Version 12.0(24)S, EARLY DEPLOYMENT 
RELEASE SOFTWARE (fc1)

core-gw1.noc uptime is 1 year, 14 weeks, 6 days, 22 hours, 58 minutes
System returned to ROM by power-on
System restarted at 16:57:27 EDT Tue May 21 2013
System image file is disk0:c7200-ik9su2-mz.123-23.bin


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
exp...@cisco.com.

cisco 7206VXR (NPE400) processor (revision A) with 491520K/32768K bytes of 
memory.
Processor board ID 20399590
R7000 CPU at 350MHz, Implementation 39, Rev 3.3, 256KB L2 Cache
6 slot VXR midplane, Version 2.0

Last reset from power-on
Bridging software.
X.25 software, Version 3.0.0.

PCI bus mb0_mb1 (Slots 0, 1, 3 and 5) has a capacity of 600 bandwidth points.
Current configuration on bus mb0_mb1 has a total of 800 bandwidth points.
The set of PA-2FE, PA-POS-2OC3, and I/O-2FE qualify for half
bandwidth points consideration, when full bandwidth point counting
results in oversubscription, under the condition that only one of the
two ports is used. With this adjustment, current configuration on bus
mb0_mb1 has a total of 800 bandwidth points.
This configuration has oversubscripted the PCI bus and is not a
supported configuration.

PCI bus mb2 (Slots 2, 4, 6) has a capacity of 600 bandwidth points.
Current configuration on bus mb2 has a total of 380 bandwidth points
This configuration is within the PCI bus capacity and is supported.

Please refer to the following document Cisco 7200 Series Port Adaptor
Hardware Configuration Guidelines on Cisco.com http://www.cisco.com
for c7200 bandwidth points oversubscription and usage guidelines.

WARNING: PCI bus mb0_mb1 Exceeds 600 bandwidth points

3 FastEthernet/IEEE 802.3 interface(s)
1 Gigabit Ethernet/IEEE 802.3 interface(s)
2 Serial network interface(s)
125K bytes of non-volatile configuration memory.

46976K bytes of ATA PCMCIA card at slot 0 (Sector size 512 bytes).
4096K bytes of Flash internal SIMM (Sector size 256K).
Configuration register is 0x102

core-gw1.noc#
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

[c-nsp] 7206 Gigabit Ethernet Card - Strange behavior

[Joseph Mays]

I have a Cisco 7206 with a Gigabit Ethernet card in it. I’m getting what I 
think is anomalous behavior, but I’m not sure.

7206, NPE-400


Slot 1:
Gigabit Ethernet Port adapter, 1 port
Port adapter is analyzed
Port adapter insertion time 13:47:46 ago
EEPROM contents at hardware discovery:
Hardware revision 1.0   Board revision A0
Serial number 24455260  Part number73-3144-04
FRU Part Number:  PA-1GE=

Test history  0x0   RMA number 00-00-00
EEPROM format version 1

The card has an adapter that plugs into it that adapts it for gig copper. The 
thing is, it shows a link light and up/up from the moment the adapter is 
plugged in, regardless of whether or not a cable is plugged into the adapter. 
Is this normal behavior, or an indication that something is wrong with the 
adapter or card?

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

[c-nsp] HDLC limitations on AS5400 CT3 card

[Joseph Mays]

The standard CT3 card for an AS5400 only allows 256 HDLC channels, or about 
10.5 T1’s. Is there any other T3 card available for an AS5400 that supports 
more HDLC channels, or any way to increase the number of HDLC channels 
supported? Also, if I have two CT3 cards in a unit, are the HDLC channels for 
each tied to their respective cards, or are they available system-wide? That 
is, would two cards required that I set up 10 T1’s on each card, or would they 
allow me to set up 20 T1’s on one card and no T1’s on the other?

Joe Mays
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] VLAN Trunking Question

[Joseph Mays]

Yes, configured it in both the vlan database (they are older switches) and in 
the config on each switch. It shows up in show vlan on all the switches.

core-sw3.noc#show vlan
VLAN Name StatusPorts
  - ---
1default  activeFa0/2, Fa0/3, Fa0/5, Fa0/6,
Fa0/7, Fa0/8, Fa0/9, Fa0/10,
Fa0/11, Fa0/12, Fa0/13, Fa0/14,
Fa0/15, Fa0/16, Fa0/17, Fa0/18,
Fa0/19, Fa0/20, Fa0/21, Fa0/22,
Fa0/23, Fa0/24, Fa1/3, Fa1/4
201  VLAN0201 active
302  VLAN0302 active
303  VLAN0303 active
304  VLAN0304 active
808  VLAN0808 active
1002 fddi-default active
1003 token-ring-default   active
1004 fddinet-default  active
1005 trnet-defaultactive

VLAN Type  SAID   MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
 - -- - -- --    -- --
1enet  11 1500  -  -  ---0  0
201  enet  100201 1500  -  -  ---0  0
302  enet  100302 1500  -  -  ---0  0
303  enet  100303 1500  -  -  ---0  0
304  enet  100304 1500  -  -  ---0  0
808  enet  100808 1500  -  -  ---0  0
1002 fddi  101002 1500  -  -  ---0  0
1003 tr101003 1500  -  -  ---0  0
1004 fdnet 101004 1500  -  -  -ieee -0  0
1005 trnet 101005 1500  -  -  -ibm  -0  0


-Original Message- 
From: quinn snyder 
Sent: Tuesday, September 10, 2013 6:13 PM 
To: Joseph Mays 
Subject: Re: [c-nsp] VLAN Trunking Question 

do you have vl808 on all cats between your pair of c7200s?

q. 

-= sent via iphone. please excuse spelling, grammar, and brevity =-

On Sep 10, 2013, at 14:25, Joseph Mays m...@win.net wrote:

 Okay, so I am trying to set up a single VLAN to go through a series of 
 catalyst switches. What I need, effectively, is one long ethernet connection 
 between two routers. I thought this should work but since it is not, clearly, 
 I've fundamentally misunderstood something.
 
 
 Cisco 7206A(vlan 808 subinterface)--(vlan trunk Fe0/1)CatalystA(vlan 
 trunk FE0/10)-...
 ...-(vlan trunk FE0/4)CatalystB(vlan trunk FE0/1)--(vlan trunk 
 FE0/17)CatalystC(vlan trunk FE0/1)-...
 ...-(vlan 808 subinterface)Cisco 7206B
 
 
 The configs on each port, for the curious.
 
 Cisco 7206 A
 
 interface FastEthernet1/0.808
 description HN-808 interconnect to armplc via sw1.armplc
 encapsulation dot1Q 808
 ip address 216.24.2.202 255.255.255.252
 
 Catalyst A
 
 interface FastEthernet0/1
 description to gw1.armplc
 duplex full
 speed 100
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no cdp enable
 
 interface FastEthernet0/10
 description Hatteras 1 - HN408-U
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no cdp enable
 
 Catalyst B
 
 interface FastEthernet0/4
 description HN-808 interconnect to Armory Place
 switchport trunk encapsulation dot1q
 switchport mode trunk
 
 interface FastEthernet0/1
 description 802.1q trunk to core-sw1.noc (Heyburn 911) FE0/17
 load-interval 30
 duplex full
 speed 100
 switchport trunk encapsulation dot1q
 switchport mode trunk
 
 Catalyst C
 
 interface FastEthernet0/17
 description 802.1q trunk to core-sw3.noc.win.net (in Heyburn 513) 
 FastEthernet0/0
 load-interval 30
 duplex full
 speed 100
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no cdp enable
 
 interface FastEthernet0/1
 description 802.1q trunk to core-gw1.noc.win.net port FastEthernet0/0
 load-interval 30
 duplex full
 speed 100
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no cdp enable
 
 Cisco 7206 B
 
 interface FastEthernet0/0.808
 description HN-808 interconnect to armplc via core-sw3
 encapsulation dot1Q 808
 ip address 216.24.2.201 255.255.255.252
 no cdp enable
 ___
 cisco-nsp mailing list  cisco-nsp@puck.nether.net
 https://puck.nether.net/mailman/listinfo/cisco-nsp
 archive at http://puck.nether.net/pipermail/cisco-nsp/
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] VLAN Trunking Question

[Joseph Mays]

 * Have you defined the vlans?

Yes, they are defined in both the vlan database and the config on all the 
switches.

 * Why have a dirty net and have all vlans tagged on all ports, and not only 
 on the ports you want them on?

At the moment I’m just trying to make it work. If I don’t specifically allow 
certain vlans on the trunk then (my understanding is) all the vlans should be 
allowed and passed by the trunk by default. I thought that should work. If and 
when it does, I intend to lock it down so only vlan 808 is allowed on the 
trunk. But there is not much point in applying filters to a trunk that is not 
working even when it’s wide open.

From: Peter Persson 
Sent: Tuesday, September 10, 2013 6:21 PM
To: Joseph Mays 
Subject: Re: [c-nsp] VLAN Trunking Question

Hey,

This would be right.
But i got a few questions.
* Have you defined the vlans?
* Why have a dirty net and have all vlans tagged on all ports, and not only on 
the ports you want them on?

/Peter

2013/9/10 Joseph Mays m...@win.net

  Okay, so I am trying to set up a single VLAN to go through a series of 
catalyst switches. What I need, effectively, is one long ethernet connection 
between two routers. I thought this should work but since it is not, clearly, 
I've fundamentally misunderstood something.


  Cisco 7206A(vlan 808 subinterface)--(vlan trunk Fe0/1)CatalystA(vlan 
trunk FE0/10)-...
  ...-(vlan trunk FE0/4)CatalystB(vlan trunk FE0/1)--(vlan trunk 
FE0/17)CatalystC(vlan trunk FE0/1)-...
  ...-(vlan 808 subinterface)Cisco 7206B


  The configs on each port, for the curious.

  Cisco 7206 A

  interface FastEthernet1/0.808
  description HN-808 interconnect to armplc via sw1.armplc
  encapsulation dot1Q 808
  ip address 216.24.2.202 255.255.255.252

  Catalyst A

  interface FastEthernet0/1
  description to gw1.armplc
  duplex full
  speed 100
  switchport trunk encapsulation dot1q
  switchport mode trunk
  no cdp enable

  interface FastEthernet0/10
  description Hatteras 1 - HN408-U
  switchport trunk encapsulation dot1q
  switchport mode trunk
  no cdp enable

  Catalyst B

  interface FastEthernet0/4
  description HN-808 interconnect to Armory Place
  switchport trunk encapsulation dot1q
  switchport mode trunk

  interface FastEthernet0/1
  description 802.1q trunk to core-sw1.noc (Heyburn 911) FE0/17
  load-interval 30
  duplex full
  speed 100
  switchport trunk encapsulation dot1q
  switchport mode trunk

  Catalyst C

  interface FastEthernet0/17
  description 802.1q trunk to core-sw3.noc.win.net (in Heyburn 513) 
FastEthernet0/0
  load-interval 30
  duplex full
  speed 100
  switchport trunk encapsulation dot1q
  switchport mode trunk
  no cdp enable

  interface FastEthernet0/1
  description 802.1q trunk to core-gw1.noc.win.net port FastEthernet0/0
  load-interval 30
  duplex full
  speed 100
  switchport trunk encapsulation dot1q
  switchport mode trunk
  no cdp enable

  Cisco 7206 B

  interface FastEthernet0/0.808
  description HN-808 interconnect to armplc via core-sw3
  encapsulation dot1Q 808
  ip address 216.24.2.201 255.255.255.252
  no cdp enable
  ___
  cisco-nsp mailing list  cisco-nsp@puck.nether.net
  https://puck.nether.net/mailman/listinfo/cisco-nsp
  archive at http://puck.nether.net/pipermail/cisco-nsp/

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] VLAN Trunking Question

[Joseph Mays]

 In that instance we had to make the middle switch a vtp client. Odd but 
true...


All are set to vtp transparent at the moment, but I can try setting the 
middle to vtp client to see what happens.


No difference. I changed it back to them all being in transparent mode.

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] VLAN Trunking Question

[Joseph Mays]

  In that instance we had to make the middle switch a vtp client. Odd but 
 true...

All are set to vtp transparent at the moment, but I can try setting the middle 
to vtp client to see what happens.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

[c-nsp] VLAN Trunking Question

[Joseph Mays]

Okay, so I am trying to set up a single VLAN to go through a series of catalyst 
switches. What I need, effectively, is one long ethernet connection between two 
routers. I thought this should work but since it is not, clearly, I've 
fundamentally misunderstood something.


Cisco 7206A(vlan 808 subinterface)--(vlan trunk Fe0/1)CatalystA(vlan trunk 
FE0/10)-...
...-(vlan trunk FE0/4)CatalystB(vlan trunk FE0/1)--(vlan trunk 
FE0/17)CatalystC(vlan trunk FE0/1)-...
...-(vlan 808 subinterface)Cisco 7206B


The configs on each port, for the curious.

Cisco 7206 A

interface FastEthernet1/0.808
description HN-808 interconnect to armplc via sw1.armplc
encapsulation dot1Q 808
ip address 216.24.2.202 255.255.255.252

Catalyst A

interface FastEthernet0/1
description to gw1.armplc
duplex full
speed 100
switchport trunk encapsulation dot1q
switchport mode trunk
no cdp enable

interface FastEthernet0/10
description Hatteras 1 - HN408-U
switchport trunk encapsulation dot1q
switchport mode trunk
no cdp enable

Catalyst B

interface FastEthernet0/4
description HN-808 interconnect to Armory Place
switchport trunk encapsulation dot1q
switchport mode trunk

interface FastEthernet0/1
description 802.1q trunk to core-sw1.noc (Heyburn 911) FE0/17
load-interval 30
duplex full
speed 100
switchport trunk encapsulation dot1q
switchport mode trunk

Catalyst C

interface FastEthernet0/17
description 802.1q trunk to core-sw3.noc.win.net (in Heyburn 513) 
FastEthernet0/0
load-interval 30
duplex full
speed 100
switchport trunk encapsulation dot1q
switchport mode trunk
no cdp enable

interface FastEthernet0/1
description 802.1q trunk to core-gw1.noc.win.net port FastEthernet0/0
load-interval 30
duplex full
speed 100
switchport trunk encapsulation dot1q
switchport mode trunk
no cdp enable

Cisco 7206 B

interface FastEthernet0/0.808
description HN-808 interconnect to armplc via core-sw3
encapsulation dot1Q 808
ip address 216.24.2.201 255.255.255.252
no cdp enable
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

[c-nsp] Strange Arp Entries

[Joseph Mays]

I have a simple cisco 2600 that has two fastethernet interfaces. The arp table 
is filled with entries from ip's from all over the internet associated with the 
wan interface. I have no ip proxy-arp turned on for both interfaces. Any idea 
why the arp table might be filling up with this stuff?

[...]
Internet  194.225.24.70  73   000d.bdc3.f861  ARPA   FastEthernet0/0
Internet  4.79.209.231   21   000d.bdc3.f861  ARPA   FastEthernet0/0
Internet  208.185.44.56  38   000d.bdc3.f861  ARPA   FastEthernet0/0
Internet  65.55.206.197  41   000d.bdc3.f861  ARPA   FastEthernet0/0
Internet  184.31.53.239 101   000d.bdc3.f861  ARPA   FastEthernet0/0
Internet  184.51.126.136 28   000d.bdc3.f861  ARPA   FastEthernet0/0
Internet  211.23.224.89  63   000d.bdc3.f861  ARPA   FastEthernet0/0
Internet  186.114.187.14212   000d.bdc3.f861  ARPA   FastEthernet0/0
Internet  94.102.51.118  48   000d.bdc3.f861  ARPA   FastEthernet0/0
Internet  54.242.87.237 217   000d.bdc3.f861  ARPA   FastEthernet0/0
Internet  74.125.29.84  225   000d.bdc3.f861  ARPA   FastEthernet0/0
[...]
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] Strange Arp Entries

[Joseph Mays]

That was it, thank you.

-Original Message- 
From: Wouter Prins

Sent: Friday, August 30, 2013 1:12 PM
To: Joseph Mays
Cc: Cisco NSP
Subject: Re: [c-nsp] Strange Arp Entries

Hi Joseph,

You probably set a static (default) route with a next-hop interface
instead of next-hop IP.

On 30 August 2013 18:45, Joseph Mays m...@win.net wrote:
I have a simple cisco 2600 that has two fastethernet interfaces. The arp 
table is filled with entries from ip's from all over the internet 
associated with the wan interface. I have no ip proxy-arp turned on for 
both interfaces. Any idea why the arp table might be filling up with this 
stuff?


[...]
Internet  194.225.24.70  73   000d.bdc3.f861  ARPA 
FastEthernet0/0
Internet  4.79.209.231   21   000d.bdc3.f861  ARPA 
FastEthernet0/0
Internet  208.185.44.56  38   000d.bdc3.f861  ARPA 
FastEthernet0/0
Internet  65.55.206.197  41   000d.bdc3.f861  ARPA 
FastEthernet0/0
Internet  184.31.53.239 101   000d.bdc3.f861  ARPA 
FastEthernet0/0
Internet  184.51.126.136 28   000d.bdc3.f861  ARPA 
FastEthernet0/0
Internet  211.23.224.89  63   000d.bdc3.f861  ARPA 
FastEthernet0/0
Internet  186.114.187.14212   000d.bdc3.f861  ARPA 
FastEthernet0/0
Internet  94.102.51.118  48   000d.bdc3.f861  ARPA 
FastEthernet0/0
Internet  54.242.87.237 217   000d.bdc3.f861  ARPA 
FastEthernet0/0
Internet  74.125.29.84  225   000d.bdc3.f861  ARPA 
FastEthernet0/0

[...]
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/




--
Wouter Prins
w...@null0.nl 


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] Router rebooting due to software crash.

[Joseph Mays]

Yeah, I got some 12.4 code for it, but it doesn't currently have enough 
flash ram to hold that. I upgraded it for 12.3(6) to 12.3(23), we'll see if 
that helps.


-Original Message- 
From: Chuck Church

Sent: Tuesday, August 06, 2013 10:39 AM
To: 'Justin M. Streiner' ; 'Cisco-nsp'
Subject: Re: [c-nsp] Router rebooting due to software crash.

I think you can actually get recent 12.4 code for it.  Not the latest, but
close.  Could be a memory issue with it, a DOS against it, etc.  Reseating
the modules and memory and trying a more recent IOS might all help.

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
Justin M. Streiner
Sent: Tuesday, August 06, 2013 10:18 AM
To: Cisco-nsp
Subject: Re: [c-nsp] Router rebooting due to software crash.

On Mon, 5 Aug 2013, Joseph Mays wrote:


We have a cisco 3600 that has rebooted twice in the last two hours,
both times due to a software crash that shows the same memory address.
I checked show mem and nothing is listed as operating that address,
at least not right now. This router has been in operation a long time
and has not had these problems previously. Nothing has changed in the
config on the router in the last several months, at least.


Another possibility is that the version of code you're running is vulnerable
to one (or more) of the many bugs that can cause a Cisco router to reload,
leak memory, etc.  12.3(6) is pretty ancient code, and the
3640 has been end-of-life since 2007, and no new code has been released for
it since probably late 2005.

I don't know what function this router serves in your network, but replacing
it with something newer that can run newer code is worth considering,
epecially if it's something that can be reached from untrusted networks.

jms
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/ 


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

[c-nsp] Router rebooting due to software crash.

[Joseph Mays]

We have a cisco 3600 that has rebooted twice in the last two hours, both times 
due to a software crash that shows the same memory address. I checked show 
mem and nothing is listed as operating that address, at least not right now. 
This router has been in operation a long time and has not had these problems 
previously. Nothing has changed in the config on the router in the last several 
months, at least.

gw1.dist#show ver
Cisco Internetwork Operating System Software
IOS (tm) 3600 Software (C3640-IS-M), Version 12.3(6), RELEASE SOFTWARE (fc3)
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Wed 11-Feb-04 18:02 by kellythw
Image text-base: 0x60008B00, data-base: 0x61B9C000

ROM: System Bootstrap, Version 11.1(20)AA2, EARLY DEPLOYMENT RELEASE SOFTWARE 
(fc1)

gw1.dist uptime is 9 minutes
System returned to ROM by error - a Software forced crash, PC 0x604F0D20 at 
14:22:26 EDT Mon Aug 5 2013
System restarted at 14:24:08 EDT Mon Aug 5 2013
System image file is flash:c3640-is-mz.123-6.bin

cisco 3640 (R4700) processor (revision 0x00) with 124928K/6144K bytes of memory.
Processor board ID 11876053
R4700 CPU at 100MHz, Implementation 33, Rev 1.0
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
2 FastEthernet/IEEE 802.3 interface(s)
3 Serial network interface(s)
1 Subrate T3/E3 ports(s)
DRAM configuration is 64 bits wide with parity disabled.
125K bytes of non-volatile configuration memory.
24576K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102

I checked show mem and this address doesn't show up currently. Any clues on 
how to isolate what is causing this?
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

[c-nsp] Access lists and NAT

[Joseph Mays]

I have the following LAN interface, which has two addresses, one of which is 
NATted.

interface FastEthernet0/1
ip address 216.24.4.185 255.255.255.248 secondary
ip address 192.168.0.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
ip nat inside source list 50 interface FastEthernet0/0 overload

access-list 50 permit 192.168.0.0 0.0.0.255

I want to block traffic so that addresses on the 216.24.4.185/29 block can only 
speak to things in the larger 216.24.0.0/18 block. I want traffic from the 
196.168.0/24 address to be NATted and able to go to the world.

I’ve tried a few different access lists, and sets of access lists, but I get 
pretty much the same result whatever I try. If for instance, I put 

ip access-list extended permit-phone-service-in
permit ip 216.24.4.184 0.0.0.7 216.24.0.0 0.0.63.255 log-input
permit ip 216.24.4.184 0.0.0.7 24.235.0.0 0.0.31.255 log-input
permit ip any 192.168.0.0 0.0.0.255 log-input
ip access-list extended permit-phone-service-out
permit ip 216.24.0.0 0.0.63.255 216.24.4.184 0.0.0.7 log-input
permit ip 24.235.0.0 0.0.31.255 216.24.4.184 0.0.0.7 log-input
permit ip 192.168.0.0 0.0.0.255 any log-input

And add the lines for those to the interface --

interface FastEthernet0/1
ip address 216.24.4.185 255.255.255.248 secondary
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip access-group permit-phone-service-out out
ip access-group permit-phone-service-in in
duplex auto
speed auto

Things in the 216.24.4.184/28 network block work fine and as desired. They 
still work for 216.24.0.0/18, but are blocked from outside of that.

Things in the 192.168.0.0/24 network block stop working completely, though. 
They can no longer get out from those addresses to the world. I think, but am 
not certain, that it may be breaking NAT for that network block.



HBMgmtOffice#show run
Building configuration...

Current configuration : 1499 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HBMgmtOffice
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$a.yY$AyH/z0cGnCoai.UL5i7Rw0
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa accounting delay-start
aaa session-id common
ip subnet-zero
ip cef
!
!
ip name-server 216.24.27.3
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.0.150 192.168.0.255
ip dhcp excluded-address 192.168.0.0 192.168.0.50
!
ip dhcp pool edge-dhcp-pool
   network 192.168.0.0 255.255.255.0
   dns-server 216.24.27.3
   default-router 192.168.0.1
!
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
username admin password 7 094E5B0E0A0302160F
!
!
!
!
!
!
interface FastEthernet0/0
ip address 216.24.2.30 255.255.255.252
no ip proxy-arp
ip nat outside
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 216.24.4.185 255.255.255.248 secondary
ip address 192.168.0.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
ip nat inside source list 50 interface FastEthernet0/0 overload
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
!
access-list 20 permit 216.24.27.0 0.0.0.255
access-list 50 permit 192.168.0.0 0.0.0.255
!
snmp-server community wini4q5cust RO 20
snmp-server community mmn3gv5h RW 20
snmp-server tftp-server-list 20
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!

HBMgmtOffice#config t
Enter configuration commands, one per line.  End with CNTL/Z.
HBMgmtOffice(config)#ip access-list extended permit-phone-service-in
HBMgmtOffice(config-ext-nacl)#$84 0.0.0.7 216.24.0.0 0.0.63.255 log-input
HBMgmtOffice(config-ext-nacl)#$84 0.0.0.7 24.235.0.0 0.0.31.255 log-input
HBMgmtOffice(config-ext-nacl)# permit ip any 192.168.0.0 0.0.0.255 log-input
HBMgmtOffice(config-ext-nacl)#$ist extended permit-phone-service-out
HBMgmtOffice(config-ext-nacl)#$ 0.0.63.255 216.24.4.184 0.0.0.7 log-input
HBMgmtOffice(config-ext-nacl)#$ 0.0.31.255 216.24.4.184 0.0.0.7 log-input
HBMgmtOffice(config-ext-nacl)# permit ip 192.168.0.0 0.0.0.255 any log-input
HBMgmtOffice(config-ext-nacl)#
HBMgmtOffice(config-ext-nacl)#
HBMgmtOffice(config-ext-nacl)#exit
HBMgmtOffice(config)#exit
HBMgmtOffice#write mem
Building configuration...
[OK]
HBMgmtOffice#Connection closed by foreign host.
admin1 telnet 216.24.2.30
Trying 216.24.2.30...
Connected to 216-24-2-30.ip.win.net.
Escape character is '^]'.


User Access Verification

Username: admin
Password:

HBMgmtOfficeenable
Password:
HBMgmtOffice#
HBMgmtOffice#
HBMgmtOffice#
HBMgmtOffice#show run
Building configuration...

Current configuration : 1948 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HBMgmtOffice
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$a.yY$AyH/z0cGnCoai.UL5i7Rw0
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa accounting delay-start
aaa session-id common
ip subnet-zero
ip cef
!
!

Re: [c-nsp] Access lists and NAT

[Joseph Mays]

Whoops. I was working on another issue the last couple of days so admittedly 
haven't been getting as much sleep as I should. I meant to strip the 
complete config off the end of the message rather than sending it to the 
list along with the passwords. What I intended to do and what happened were 
two different things. Anyway, passwords have been changed. Getting back to 
the initial question



I have the following LAN interface, which has two addresses, one of
which is NATted.

interface FastEthernet0/1
ip address 216.24.4.185 255.255.255.248 secondary
ip address 192.168.0.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
ip nat inside source list 50 interface FastEthernet0/0 overload

access-list 50 permit 192.168.0.0 0.0.0.255

I want to block traffic so that addresses on the 216.24.4.185/29
block can only speak to things in the larger 216.24.0.0/18 block. I
want traffic from the 196.168.0/24 address to be NATted and able to
go to the world.

I’ve tried a few different access lists, and sets of access lists,
but I get pretty much the same result whatever I try. If for
instance, I put

ip access-list extended permit-phone-service-in
permit ip 216.24.4.184 0.0.0.7 216.24.0.0 0.0.63.255 log-input
permit ip 216.24.4.184 0.0.0.7 24.235.0.0 0.0.31.255 log-input
permit ip any 192.168.0.0 0.0.0.255 log-input
ip access-list extended permit-phone-service-out
permit ip 216.24.0.0 0.0.63.255 216.24.4.184 0.0.0.7 log-input
permit ip 24.235.0.0 0.0.31.255 216.24.4.184 0.0.0.7 log-input
permit ip 192.168.0.0 0.0.0.255 any log-input

And add the lines for those to the interface --

interface FastEthernet0/1
ip address 216.24.4.185 255.255.255.248 secondary
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip access-group permit-phone-service-out out
ip access-group permit-phone-service-in in
duplex auto
speed auto

Things in the 216.24.4.184/28 network block work fine and as desired.
They still work for 216.24.0.0/18, but are blocked from outside of
that.

Things in the 192.168.0.0/24 network block stop working completely,
though. They can no longer get out from those addresses to the
world. I think, but am not certain, that it may be breaking NAT for
that network block.



___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

[c-nsp] 7206 NVRAM issue

[Joseph Mays]

Got a used 7206 I am trying to bring back to life. It seems to be able to read 
the PCMCIA card in the slot okay, but after a power cycle it loses config and 
claims the NVRAM is corrupt, throwing me to rommon. From there I can tell it to 
boot from disk0 and it boots alright from the PCMCIA card into the default 
config. Needless to say, any config I have entered gets lost. Which NVRAM is it 
referring to? The 4 meg on the motherboard? Is there anyway to clear and reset 
that, or does it just need to be replaced?

Warning: monitor nvram area is corrupt ... using default values
C7200 platform with 131072 Kbytes of main memory

[after a power cycle]

System Bootstrap, Version 12.2(4r)B, RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 2002 by cisco Systems, Inc.

Warning: monitor nvram area is corrupt ... using default values
C7200 platform with 131072 Kbytes of main memory

rommon 1  boot disk0

Self decompressing the image : 

 [OK]

[... and so on into the default config...]
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] 7206 NVRAM issue

[Joseph Mays]

 Got a used 7206

I should have said, 7206VXR - NPE400.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] 7206 NVRAM issue

[Joseph Mays]

I had a couple that did that and I was able to fix one of them by 
replacing the battery on the I/O card.


The I/O Board has been sitting on a shelf for... a long time anyway. So that 
makes sense. I'll replace the battery.


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

[c-nsp] pptp connection to 2600 with Windows VPN failing.

[Joseph Mays]

Trying to make a vpdn setup work from a windows vpn client to a cisco 2600. I 
had this working for a while, but then after one minor config change by someone 
else it stopped working. That change shouldn't have broken anything, but I 
backed it out nonetheless and the connection is still not working again.

I think it's breaking during the LCP negotiation, before authentication even 
occurs. Here's what I get from PPP debugging. Notice that it never gets to the 
authentication phase. I will attach relevant portions of the config afterwards.

genisis#show debug
PPP:
  PPP detailed event debugging is on
  PPP authentication debugging is on
  PPP protocol errors debugging is on
  PPP protocol negotiation debugging is on



genisis#
genisis#term mon
genisis#
*Mar  1 02:26:32.559: Se0/0 PPP: Outbound cdp packet dropped, CDPCP state is 
Listen
*Mar  1 02:26:39.415:  EVT: Dynamic Bind 0 0x82C3989C
*Mar  1 02:26:39.415: ppp13 EVT: Cstate 4 0x
*Mar  1 02:26:39.415: ppp13 PPP: Using vpn set call direction
*Mar  1 02:26:39.415: ppp13 PPP: Treating connection as a callin
*Mar  1 02:26:39.415: ppp13 PPP: Phase is ESTABLISHING, Passive Open
*Mar  1 02:26:39.415: ppp13 LCP: State is Listen
*Mar  1 02:26:39.439: ppp13 EVT: Packet 0 0x8332C29C
*Mar  1 02:26:39.439: ppp13 LCP: I CONFREQ [Listen] id 0 len 21
*Mar  1 02:26:39.439: ppp13 LCP:MRU 1400 (0x01040578)
*Mar  1 02:26:39.439: ppp13 LCP:MagicNumber 0x4FC8505D (0x05064FC8505D)
*Mar  1 02:26:39.439: ppp13 LCP:PFC (0x0702)
*Mar  1 02:26:39.439: ppp13 LCP:ACFC (0x0802)
*Mar  1 02:26:39.439: ppp13 LCP:Callback 6  (0x0D0306)
*Mar  1 02:26:39.439: ppp13 PPP: Authorization required
*Mar  1 02:26:39.439: ppp13 LCP: O CONFREQ [Listen] id 1 len 15
*Mar  1 02:26:39.443: ppp13 LCP:AuthProto MS-CHAP (0x0305C22380)
*Mar  1 02:26:39.443: ppp13 LCP:MagicNumber 0x0F0968D2 (0x05060F0968D2)
*Mar  1 02:26:39.443: ppp13 LCP: O CONFREJ [Listen] id 0 len 7
*Mar  1 02:26:39.443: ppp13 LCP:Callback 6  (0x0D0306)
*Mar  1 02:26:41.431: ppp13 EVT: Packet 0 0x830D1F30
*Mar  1 02:26:41.431: ppp13 LCP: I CONFREQ [REQsent] id 1 len 21
*Mar  1 02:26:41.431: ppp13 LCP:MRU 1400 (0x01040578)
*Mar  1 02:26:41.431: ppp13 LCP:MagicNumber 0x4FC8505D (0x05064FC8505D)
*Mar  1 02:26:41.431: ppp13 LCP:PFC (0x0702)
*Mar  1 02:26:41.431: ppp13 LCP:ACFC (0x0802)
*Mar  1 02:26:41.431: ppp13 LCP:Callback 6  (0x0D0306)
*Mar  1 02:26:41.431: ppp13 LCP: O CONFREJ [REQsent] id 1 len 7
*Mar  1 02:26:41.431: ppp13 LCP:Callback 6  (0x0D0306)
*Mar  1 02:26:41.451: ppp13 LCP: TIMEout: State REQsent
*Mar  1 02:26:41.451: ppp13 LCP: O CONFREQ [REQsent] id 2 len 15
*Mar  1 02:26:41.451: ppp13 LCP:AuthProto MS-CHAP (0x0305C22380)
*Mar  1 02:26:41.451: ppp13 LCP:MagicNumber 0x0F0968D2 (0x05060F0968D2)
*Mar  1 02:26:43.467: ppp13 LCP: TIMEout: State REQsent
*Mar  1 02:26:43.467: ppp13 LCP: O CONFREQ [REQsent] id 3 len 15
*Mar  1 02:26:43.467: ppp13 LCP:AuthProto MS-CHAP (0x0305C22380)
*Mar  1 02:26:43.467: ppp13 LCP:MagicNumber 0x0F0968D2 (0x05060F0968D2)
*Mar  1 02:26:44.431: ppp13 EVT: Packet 0 0x830D2E1C
*Mar  1 02:26:44.435: ppp13 LCP: I CONFREQ [REQsent] id 2 len 21
*Mar  1 02:26:44.435: ppp13 LCP:MRU 1400 (0x01040578)
*Mar  1 02:26:44.435: ppp13 LCP:MagicNumber 0x4FC8505D (0x05064FC8505D)
*Mar  1 02:26:44.435: ppp13 LCP:PFC (0x0702)
*Mar  1 02:26:44.435: ppp13 LCP:ACFC (0x0802)
*Mar  1 02:26:44.435: ppp13 LCP:Callback 6  (0x0D0306)
*Mar  1 02:26:44.435: ppp13 LCP: O CONFREJ [REQsent] id 2 len 7
*Mar  1 02:26:44.435: ppp13 LCP:Callback 6  (0x0D0306)
*Mar  1 02:26:45.483: ppp13 LCP: TIMEout: State REQsent
*Mar  1 02:26:45.483: ppp13 LCP: O CONFREQ [REQsent] id 4 len 15
*Mar  1 02:26:45.483: ppp13 LCP:AuthProto MS-CHAP (0x0305C22380)
*Mar  1 02:26:45.483: ppp13 LCP:MagicNumber 0x0F0968D2 (0x05060F0968D2)
*Mar  1 02:26:47.499: ppp13 LCP: TIMEout: State REQsent
*Mar  1 02:26:47.499: ppp13 LCP: O CONFREQ [REQsent] id 5 len 15
*Mar  1 02:26:47.499: ppp13 LCP:AuthProto MS-CHAP (0x0305C22380)
*Mar  1 02:26:47.499: ppp13 LCP:MagicNumber 0x0F0968D2 (0x05060F0968D2)
*Mar  1 02:26:48.427: ppp13 EVT: Packet 0 0x830D3118
*Mar  1 02:26:48.431: ppp13 LCP: I CONFREQ [REQsent] id 3 len 21
*Mar  1 02:26:48.431: ppp13 LCP:MRU 1400 (0x01040578)
*Mar  1 02:26:48.431: ppp13 LCP:MagicNumber 0x4FC8505D (0x05064FC8505D)
*Mar  1 02:26:48.431: ppp13 LCP:PFC (0x0702)
*Mar  1 02:26:48.431: ppp13 LCP:ACFC (0x0802)
*Mar  1 02:26:48.431: ppp13 LCP:Callback 6  (0x0D0306)
*Mar  1 02:26:48.431: ppp13 LCP: O CONFREJ [REQsent] id 3 len 7
*Mar  1 02:26:48.431: ppp13 LCP:Callback 6  (0x0D0306)
*Mar  1 02:26:49.515: ppp13 LCP: TIMEout: State REQsent
*Mar  1 02:26:49.515: ppp13 LCP: O CONFREQ [REQsent] id 6 len 15
*Mar  1 02:26:49.515: ppp13 LCP:AuthProto MS-CHAP (0x0305C22380)
*Mar  1 02:26:49.515: ppp13 LCP:MagicNumber 0x0F0968D2 (0x05060F0968D2)
*Mar  1 02:26:51.531: ppp13 LCP: TIMEout: State REQsent
*Mar  1 

Re: [c-nsp] pptp connection to 2600 with Windows VPN failing.

[Joseph Mays]

BTW, yes, I am aware that I left the passwords for ftp etc in the config. 
They've already been changed.


- Original Message - 
From: Joseph Mays m...@win.net

To: cisco-nsp@puck.nether.net
Sent: Wednesday, December 12, 2012 5:12 PM
Subject: [c-nsp] pptp connection to 2600 with Windows VPN failing.


Trying to make a vpdn setup work from a windows vpn client to a cisco 
2600. I had this working for a while, but then after one minor config 
change by someone else it stopped working. That change shouldn't have 
broken anything, but I backed it out nonetheless and the connection is 
still not working again.


I think it's breaking during the LCP negotiation, before authentication 
even occurs. Here's what I get from PPP debugging. Notice that it never 
gets to the authentication phase. I will attach relevant portions of the 
config afterwards.


genisis#show debug
PPP:
 PPP detailed event debugging is on
 PPP authentication debugging is on
 PPP protocol errors debugging is on
 PPP protocol negotiation debugging is on



genisis#
genisis#term mon
genisis#
*Mar  1 02:26:32.559: Se0/0 PPP: Outbound cdp packet dropped, CDPCP state 
is Listen

*Mar  1 02:26:39.415:  EVT: Dynamic Bind 0 0x82C3989C
*Mar  1 02:26:39.415: ppp13 EVT: Cstate 4 0x
*Mar  1 02:26:39.415: ppp13 PPP: Using vpn set call direction
*Mar  1 02:26:39.415: ppp13 PPP: Treating connection as a callin
*Mar  1 02:26:39.415: ppp13 PPP: Phase is ESTABLISHING, Passive Open
*Mar  1 02:26:39.415: ppp13 LCP: State is Listen
*Mar  1 02:26:39.439: ppp13 EVT: Packet 0 0x8332C29C
*Mar  1 02:26:39.439: ppp13 LCP: I CONFREQ [Listen] id 0 len 21
*Mar  1 02:26:39.439: ppp13 LCP:MRU 1400 (0x01040578)
*Mar  1 02:26:39.439: ppp13 LCP:MagicNumber 0x4FC8505D 
(0x05064FC8505D)

*Mar  1 02:26:39.439: ppp13 LCP:PFC (0x0702)
*Mar  1 02:26:39.439: ppp13 LCP:ACFC (0x0802)
*Mar  1 02:26:39.439: ppp13 LCP:Callback 6  (0x0D0306)
*Mar  1 02:26:39.439: ppp13 PPP: Authorization required
*Mar  1 02:26:39.439: ppp13 LCP: O CONFREQ [Listen] id 1 len 15
*Mar  1 02:26:39.443: ppp13 LCP:AuthProto MS-CHAP (0x0305C22380)
*Mar  1 02:26:39.443: ppp13 LCP:MagicNumber 0x0F0968D2 
(0x05060F0968D2)

*Mar  1 02:26:39.443: ppp13 LCP: O CONFREJ [Listen] id 0 len 7
*Mar  1 02:26:39.443: ppp13 LCP:Callback 6  (0x0D0306)
*Mar  1 02:26:41.431: ppp13 EVT: Packet 0 0x830D1F30
*Mar  1 02:26:41.431: ppp13 LCP: I CONFREQ [REQsent] id 1 len 21
*Mar  1 02:26:41.431: ppp13 LCP:MRU 1400 (0x01040578)
*Mar  1 02:26:41.431: ppp13 LCP:MagicNumber 0x4FC8505D 
(0x05064FC8505D)

*Mar  1 02:26:41.431: ppp13 LCP:PFC (0x0702)
*Mar  1 02:26:41.431: ppp13 LCP:ACFC (0x0802)
*Mar  1 02:26:41.431: ppp13 LCP:Callback 6  (0x0D0306)
*Mar  1 02:26:41.431: ppp13 LCP: O CONFREJ [REQsent] id 1 len 7
*Mar  1 02:26:41.431: ppp13 LCP:Callback 6  (0x0D0306)
*Mar  1 02:26:41.451: ppp13 LCP: TIMEout: State REQsent
*Mar  1 02:26:41.451: ppp13 LCP: O CONFREQ [REQsent] id 2 len 15
*Mar  1 02:26:41.451: ppp13 LCP:AuthProto MS-CHAP (0x0305C22380)
*Mar  1 02:26:41.451: ppp13 LCP:MagicNumber 0x0F0968D2 
(0x05060F0968D2)

*Mar  1 02:26:43.467: ppp13 LCP: TIMEout: State REQsent
*Mar  1 02:26:43.467: ppp13 LCP: O CONFREQ [REQsent] id 3 len 15
*Mar  1 02:26:43.467: ppp13 LCP:AuthProto MS-CHAP (0x0305C22380)
*Mar  1 02:26:43.467: ppp13 LCP:MagicNumber 0x0F0968D2 
(0x05060F0968D2)

*Mar  1 02:26:44.431: ppp13 EVT: Packet 0 0x830D2E1C
*Mar  1 02:26:44.435: ppp13 LCP: I CONFREQ [REQsent] id 2 len 21
*Mar  1 02:26:44.435: ppp13 LCP:MRU 1400 (0x01040578)
*Mar  1 02:26:44.435: ppp13 LCP:MagicNumber 0x4FC8505D 
(0x05064FC8505D)

*Mar  1 02:26:44.435: ppp13 LCP:PFC (0x0702)
*Mar  1 02:26:44.435: ppp13 LCP:ACFC (0x0802)
*Mar  1 02:26:44.435: ppp13 LCP:Callback 6  (0x0D0306)
*Mar  1 02:26:44.435: ppp13 LCP: O CONFREJ [REQsent] id 2 len 7
*Mar  1 02:26:44.435: ppp13 LCP:Callback 6  (0x0D0306)
*Mar  1 02:26:45.483: ppp13 LCP: TIMEout: State REQsent
*Mar  1 02:26:45.483: ppp13 LCP: O CONFREQ [REQsent] id 4 len 15
*Mar  1 02:26:45.483: ppp13 LCP:AuthProto MS-CHAP (0x0305C22380)
*Mar  1 02:26:45.483: ppp13 LCP:MagicNumber 0x0F0968D2 
(0x05060F0968D2)

*Mar  1 02:26:47.499: ppp13 LCP: TIMEout: State REQsent
*Mar  1 02:26:47.499: ppp13 LCP: O CONFREQ [REQsent] id 5 len 15
*Mar  1 02:26:47.499: ppp13 LCP:AuthProto MS-CHAP (0x0305C22380)
*Mar  1 02:26:47.499: ppp13 LCP:MagicNumber 0x0F0968D2 
(0x05060F0968D2)

*Mar  1 02:26:48.427: ppp13 EVT: Packet 0 0x830D3118
*Mar  1 02:26:48.431: ppp13 LCP: I CONFREQ [REQsent] id 3 len 21
*Mar  1 02:26:48.431: ppp13 LCP:MRU 1400 (0x01040578)
*Mar  1 02:26:48.431: ppp13 LCP:MagicNumber 0x4FC8505D 
(0x05064FC8505D)

*Mar  1 02:26:48.431: ppp13 LCP:PFC (0x0702)
*Mar  1 02:26:48.431: ppp13 LCP:ACFC (0x0802)
*Mar  1 02:26:48.431: ppp13 LCP:Callback 6  (0x0D0306)
*Mar  1 02:26:48.431: ppp13 LCP: O CONFREJ [REQsent] id 3 len 7
*Mar  1 02:26:48.431: ppp13 LCP:Callback 6  (0x0D0306)
*Mar

Re: [c-nsp] CRC errors on fastethernet interface

[Joseph Mays]

Two or three people have pointed out that speed 100 should be set on the 
interface of the 7206. To quote my original message...

 (Since the 7206 does not specify 100mbps, I had thought maybe it was
 occasionally trying to renegotiate the speed, which might screw up the
 switch end, which is hardwired 100-full, while the 7206 is set to
 full-duplex, the speed command to force 100mbps speed does not seem to
 exist on the 7206.)

I originally tried the speed 100 command on the ethernet interface of the 
7206. To my complete surprise, the 7206 does not seem to recognize that 
command. It's running...

IOS (tm) 7200 Software (C7200-IK9SU2-M), Version 12.3(23), RELEASE SOFTWARE 
(fc5)

When I try to set the speed, it rejects the config line.

core-gw1.noc(config)#int fastethernet0/0
core-gw1.noc(config-if)#speed 100
 ^
% Invalid input detected at '^' marker.

This is a complete surprise to me, to say the least. If there is some other 
command to set the speed, I can't find it.

- Original Message - 
From: Joe Mays m...@win.net
To: cisco-nsp@puck.nether.net
Sent: Thursday, November 22, 2012 1:33 AM
Subject: [c-nsp] CRC errors on fastethernet interface


 Have a 7206 connected to a Catalyst 2900XL switch port.
 
 The 2900XL is getting CRC errors on the port at the rate of about one
 every one or two seconds. I've tried replacing the cable, no effect.
 
 core-sw1.noc#show int fastethernet0/1
 FastEthernet0/1 is up, line protocol is up 
  Hardware is Fast Ethernet, address is 0002.7d2f.bc41 (bia
 0002.7d2f.bc41)
  Description: 802.1q trunk to core-gw1.noc.win.net port FastEthernet0/0
  MTU 1500 bytes, BW 10 Kbit, DLY 100 usec, 
 reliability 255/255, txload 51/255, rxload 37/255
  Encapsulation ARPA, loopback not set
  Keepalive not set
  Full-duplex, 100Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 00:00:00, output hang never
  Last clearing of show interface counters 00:05:49
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  30 second input rate 14547000 bits/sec, 2327 packets/sec
  30 second output rate 20099000 bits/sec, 3507 packets/sec
 862330 packets input, 682108246 bytes
 Received 398 broadcasts, 0 runts, 0 giants, 0 throttles
 63 input errors, 63 CRC, 0 frame, 64 overrun, 64 ignored
 0 watchdog, 257 multicast
 0 input packets with dribble condition detected
 1262698 packets output, 899402766 bytes, 0 underruns
 0 output errors, 0 collisions, 0 interface resets
 0 babbles, 0 late collision, 0 deferred
 0 lost carrier, 0 no carrier
 0 output buffer failures, 0 output buffers swapped out
 
 Since changing the cable made no difference, it's either a port problem
 on the 7206 or 2900XL, or a config problem. Here are the configs for the
 interfaces on each end.
 
 (Since the 7206 does not specify 100mbps, I had thought maybe it was
 occasionally trying to renegotiate the speed, which might screw up the
 switch end, which is hardwired 100-full, while the 7206 is set to
 full-duplex, the speed command to force 100mbps speed does not seem to
 exist on the 7206.)
 
 Cisco 7206 --
 
 interface FastEthernet0/0
 description Win.net NOC gateway LAN, 911 Heyburn Bldg (via
 core-sw1.noc.win.net)
 ip address nnn.nnn.nnn.nnn 255.255.255.192
 ip access-group block-out-to-dot30 out
 no ip proxy-arp
 ip route-cache same-interface
 ip route-cache flow
 ip ospf message-digest-key 1 md5 7 xxx
 ip ospf cost 2
 ip ospf priority 200
 no ip mroute-cache
 load-interval 60
 duplex full
 no keepalive
 no cdp enable
 standby 1 ip 216.24.30.65
 standby 1 timers 5 15
 standby 1 priority 105
 standby 1 preempt delay minimum 60
 standby 1 authentication dfwmhsrp
 standby 1 track Serial6/0
 crypto map KYtoINvpn
 service-policy output queue-on-dscp
 
 2900XL
 
 interface FastEthernet0/1
 description 802.1q trunk to core-gw1.noc.win.net port FastEthernet0/0
 load-interval 30
 duplex full
 speed 100
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no cdp enable
 
 ___
 cisco-nsp mailing list  cisco-nsp@puck.nether.net
 https://puck.nether.net/mailman/listinfo/cisco-nsp
 archive at http://puck.nether.net/pipermail/cisco-nsp/
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

[c-nsp] Cisco VPN intermittent disconnects

[Joseph Mays]

We have a client on a connection to a cisco switch at one of our locations, 
routing out through a 3600 to a cisco firewall at a remote location. The 
firewall is a CISCO 5505 running 8.25.

When they connect to the remote firewall with a cisco VPN client (Cisco VPN 
client for windows version 5.0.07.0290) they get intermittent drops in service. 
If they set up a hard firewall from inside their network that connects to the 
remote firewall, and then run their connections through that, it works fine. I 
asked them to try setting the MTU on the cisco client down to 576 from 1300 -- 
same result. They can also run the client through another wan connection to the 
remote firewall and it works fine. It seems to be something about connecting to 
the remote firewall with this client across the WAN connection that runs 
through us, but no errors are occurring on any of the interfaces in the path, 
and I can't find that any packets are being dropped or anything.

I received a snippet of Cisco VPN client logs from the customer, but I'm not 
well-versed in it enough to see if it's providing any useful info. Quite 
possibly it is and I just am not recognizing the fact.

Cisco Systems VPN Client Version 5.0.07.0290
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7601 Service Pack 1
Config file directory: C:\Program Files (x86)\Cisco Systems\VPN Client\
 
1  14:29:34.774  10/25/12  Sev=Info/4IKE/0x6313
SENDING  ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 199.30.90.62
 
2  14:29:34.774  10/25/12  Sev=Info/6IKE/0x633D
Sending DPD request to 199.30.90.62, our seq# = 2332051025
 
3  14:29:39.843  10/25/12  Sev=Info/4IKE/0x6313
SENDING  ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 199.30.90.62
 
4  14:29:39.843  10/25/12  Sev=Info/6IKE/0x633D
Sending DPD request to 199.30.90.62, our seq# = 2332051026
 
5  14:29:44.912  10/25/12  Sev=Info/4IKE/0x6313
SENDING  ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 199.30.90.62
 
6  14:29:44.912  10/25/12  Sev=Info/6IKE/0x633D
Sending DPD request to 199.30.90.62, our seq# = 2332051027
 
7  14:29:49.981  10/25/12  Sev=Info/4IKE/0x6313
SENDING  ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 199.30.90.62
 
8  14:29:49.981  10/25/12  Sev=Info/6IKE/0x633D
Sending DPD request to 199.30.90.62, our seq# = 2332051028
 
9  14:29:55.051  10/25/12  Sev=Info/4IKE/0x6313
SENDING  ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 199.30.90.62
 
10 14:29:55.051  10/25/12  Sev=Info/6   IKE/0x633D
Sending DPD request to 199.30.90.62, our seq# = 2332051029
 
11 14:30:00.120  10/25/12  Sev=Info/4   IKE/0x6313
SENDING  ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 199.30.90.62
 
12 14:30:00.120  10/25/12  Sev=Info/6   IKE/0x633D
Sending DPD request to 199.30.90.62, our seq# = 2332051030
 
13 14:30:00.620  10/25/12  Sev=Info/6   IPSEC/0x63700022
TCP heartbeat sent to 199.30.90.62, src port 1331, dst port 1
 
14 14:30:05.192  10/25/12  Sev=Info/4   IKE/0x6313
SENDING  ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 199.30.90.62
 
15 14:30:05.192  10/25/12  Sev=Info/6   IKE/0x633D
Sending DPD request to 199.30.90.62, our seq# = 2332051031
 
16 14:30:10.259  10/25/12  Sev=Info/4   IKE/0x6313
SENDING  ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 199.30.90.62
 
17 14:30:10.259  10/25/12  Sev=Info/6   IKE/0x633D
Sending DPD request to 199.30.90.62, our seq# = 2332051032
 
18 14:30:15.216  10/25/12  Sev=Info/5   IKE/0x632F
Received ISAKMP packet: peer = 199.30.90.62
 
19 14:30:15.216  10/25/12  Sev=Info/4   IKE/0x6314
RECEIVING  ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 199.30.90.62
 
20 14:30:15.216  10/25/12  Sev=Info/5   IKE/0x6340
Received DPD ACK from 199.30.90.62, seq# received = 2332051025, seq# expected = 
2332051032
 
21 14:30:15.216  10/25/12  Sev=Info/5   IKE/0x632F
Received ISAKMP packet: peer = 199.30.90.62
 
22 14:30:15.216  10/25/12  Sev=Info/4   IKE/0x6314
RECEIVING  ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 199.30.90.62
 
23 14:30:15.216  10/25/12  Sev=Info/5   IKE/0x6340
Received DPD ACK from 199.30.90.62, seq# received = 2332051026, seq# expected = 
2332051032
 
24 14:30:15.216  10/25/12  Sev=Info/5   IKE/0x632F
Received ISAKMP packet: peer = 199.30.90.62
 
25 14:30:15.216  10/25/12  Sev=Info/4   IKE/0x6314
RECEIVING  ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 199.30.90.62
 
26 14:30:15.216  10/25/12  Sev=Info/5   IKE/0x6340
Received DPD ACK from 199.30.90.62, seq# received = 2332051027, seq# expected = 
2332051032
 
27 14:30:15.216  10/25/12  Sev=Info/5   

[c-nsp] Clocking for T1's on AS5400 virtually guarantees slips?

[Joseph Mays]

Okay, so here's where we stand after working on this for a few days.

We have several circuits that are coming into an AS5400 that are getting 
slips, whereas most of them don't.


Most of the circuits come in as T1 channels on a T3. Most of those don't get 
slips, some do. We also have two t1 circuits for which we have bypassed our 
mux, so they are T1's that plug into dedicated T1 ports on the AS5400. One 
gets slips, one doesn't.


We can change which lines are getting slips and which ones aren't by 
changing the tdm clock priority to match one of the lines. Basically, we can 
bring the backplane clock into sync with one line, it won't get slips, 
several of the others will.


The problem is that I have not found a way to tell all the circuits except 
the one setting the backplane clock how to set their timing via the clock. 
T1's on the AS5400 only set clocking to line. You can't tell the T1's to 
sync to the internal clock. If you could, we could set the clock that way, 
set the remote end to line, and everything would then be synced to the 
clocking of the line that was setting the primary TDM clock.


If this is true, there is no way to accept t1's from multiple sources in 
which the clocking may not agree with each other, nor is there any way to 
provide clocking for an outgoing T1. The AS5400 simply won't work for this, 
because while it sets the internal clock according to the primary tdm clock 
circuit, there is no way to tell the other T1's to synchronize according to 
the internal clock. They are virtually guaranteed to slip.


What we want is to be the clock source for all the T1's except for specific 
trunks we having coming from the phone company. Most specifically it matters 
for PRI's we are providing to customers. We need to be the clock source 
because in those cases the phone company simply passes the T1's through 
without providing any clocking themselves.


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

[c-nsp] Slips

[Joseph Mays]

We have an AS5400 that we are using to provide PRI's to customers. It has 
the following circuits coming into it from the Telco (ATT).


5 Trunking circuits that come across T1 ties into a t3 mux, and then are 
then delivered to a T3 port on the AS5400. ! trunking circuit that is 
connected into a T1 card on the AS5400. Several circuits to customers that 
are delivered out of the T3 through the mux to T1 tie pairs through ATT, 
and some of which go through HDSL T1's that we provide.


We have clocking set up thusly. The T1 port that has the trunk line in it 
(Serial6/0) is set to clock source line, to get clocking from ATT.

The TDM clock priority on AS5400 is set to Serial6/0.
The T3 that has all the other T1's is set to clock source internal, on the 
assumption that the internal clock on the AS5400 should now be synchronizing 
to the trunk line coming in on 6/0. So all the T1 channels on the T3 should 
be following the Cisco clock.
The mux is set to clocking is set on the t3 to clock source line, to get 
clocking from the T3 coming from the AS5400.

The customers at the end are all set to clock source line.

None of the trunks is having slips, but several of the ATT customers are 
showing a slip every 10 seconds or so. The clocking chain we have set up 
seems logical to me. Is there something I'm missing? Why would the customers 
be having slips.


We asked ATT to monitor one of the lines that we are seeing slips on. They 
watched it for a bit and said no slips are occurring, though I am seeing 
them both on the AS5400 and on the Customer router. They are performing a 
more indepth test now.




___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] Slips

[Joseph Mays]

It occurs to me that there is an assumption built into this that is 
unproven. Does setting the AS5400 to internal clocking on the T3 cause it to 
provide clocking for the T1's on the T3? We have assumed that it does. If 
not, how do we tell it to provide an outgoing clock signal for the T1's on 
the T3?



- Original Message - 
From: Joseph Mays m...@win.net

To: cisco-nsp@puck.nether.net
Sent: Tuesday, October 09, 2012 11:45 AM
Subject: [c-nsp] Slips


We have an AS5400 that we are using to provide PRI's to customers. It has 
the following circuits coming into it from the Telco (ATT).


5 Trunking circuits that come across T1 ties into a t3 mux, and then are 
then delivered to a T3 port on the AS5400. ! trunking circuit that is 
connected into a T1 card on the AS5400. Several circuits to customers that 
are delivered out of the T3 through the mux to T1 tie pairs through ATT, 
and some of which go through HDSL T1's that we provide.


We have clocking set up thusly. The T1 port that has the trunk line in it 
(Serial6/0) is set to clock source line, to get clocking from ATT.

The TDM clock priority on AS5400 is set to Serial6/0.
The T3 that has all the other T1's is set to clock source internal, on the 
assumption that the internal clock on the AS5400 should now be 
synchronizing to the trunk line coming in on 6/0. So all the T1 channels 
on the T3 should be following the Cisco clock.
The mux is set to clocking is set on the t3 to clock source line, to get 
clocking from the T3 coming from the AS5400.

The customers at the end are all set to clock source line.

None of the trunks is having slips, but several of the ATT customers are 
showing a slip every 10 seconds or so. The clocking chain we have set up 
seems logical to me. Is there something I'm missing? Why would the 
customers be having slips.


We asked ATT to monitor one of the lines that we are seeing slips on. 
They watched it for a bit and said no slips are occurring, though I am 
seeing them both on the AS5400 and on the Customer router. They are 
performing a more indepth test now.




___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/ 


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] 2900 - 2960 config question

[Joseph Mays]

Well, I did the switch from the 2900 to the 2960, everything works fine except 
for one thing...

Port 22 on the original switch is set to be a vlan trunk that links to another 
switch (sw2, also a 2900XL) in another building with a different set of vlans 
on it.

interface FastEthernet0/22
 description Trunk to sw2.dist.win.net
 duplex full
 speed 100
 switchport access vlan 22
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,201-224,1002-1005
 switchport mode trunk
 no cdp enable

One the new switch the config is the same except, of course, the encaps line is 
gone.

interface FastEthernet0/22
 description Trunk to sw2.dist.win.net
 duplex full
 speed 100
 switchport access vlan 22
 switchport trunk allowed vlan 1,201-224,1002-1005
 switchport mode trunk
 no cdp enable

The client on the remote switch, vlan 202, does not work through the new 
switch. On sw2 the uplink port is port 5, the client is on port 6.

interface FastEthernet0/5
 description Trunk port to sw1.dist.win.net
 duplex full
 speed 100
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,201-224,1002-1005
 switchport mode trunk
 no cdp enable
!
interface FastEthernet0/6
 description Reese Design Collaborative, 600 Distillery Ste 200
 switchport access vlan 202
 spanning-tree portfast
 no cdp enable

On the old switch they have no problem pinging their gateway address, the vlan 
interface on the router. On the new switch, they cannot.

I don't know what might be causing this, unless something about the vlan 
database is not created by cutting and pasting the config from the 2900XL to 
the 2960.



- Original Message - 
From: Seth Mattinen se...@rollernet.us
To: cisco-nsp@puck.nether.net
Sent: Thursday, September 20, 2012 6:11 PM
Subject: Re: [c-nsp] 2900 - 2960 config question


 On 9/20/12 1:52 PM, Joseph Mays wrote:
 I'm replacing a Cisco 2900XL running  12.0(5)WC13 with a Cisco 2960 running 
 12.2(25r)FX. I just cut and pasted the config from the 2900 into the 2960, 
 and it all seemed to work fine, except the new IOS on the 2960 does not 
 accept one command --
 
 
 Enter configuration commands, one per line.  End with CNTL/Z.
 sw1.dist(config)#interface FastEthernet0/1
 sw1.dist(config-if)# description Trunk port to gw1.dist.win.net
 sw1.dist(config-if)# duplex full
 sw1.dist(config-if)# speed 100
 sw1.dist(config-if)# switchport trunk encapsulation dot1q
   ^
 % Invalid input detected at '^' marker.
 
 
 
 That's because it only does dot1q, so there's no option for encap.
 
 ~Seth
 ___
 cisco-nsp mailing list  cisco-nsp@puck.nether.net
 https://puck.nether.net/mailman/listinfo/cisco-nsp
 archive at http://puck.nether.net/pipermail/cisco-nsp/
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

[c-nsp] Serial interface stuck in reset status.

[Joseph Mays]

Okay. Trying to bring up a T1 on a channel on a channelized t3 card in an 
AS5400. I've done this more than once and have other working T1's on the same 
t3 card.

I have the config on both ends; it's very simple.

On the AS5400...

controller T1 1/0:26
 shutdown
 framing esf
 channel-group 0 timeslots 1-20

[...]

interface Serial1/0:26:0
 description Glass Doctor (K1.HCFU.417839..SC)
 no ip address
 encapsulation ppp
 no cdp enable
 ppp multilink
 ppp multilink group 180025

One the remote side ...

controller T1 0/0
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-20 speed 56

[...]

interface Serial0/0:0
 no ip address
 encapsulation ppp
 ppp multilink
 ppp multilink group 1

The problem I am having is that the t1 controller seems to come up fine and 
error free...

ArmoryPl-AS5400#show controller t1 1/0:26
T1 1/0:26 is up.
  Applique type is Channelized T1
  No alarms detected.
  alarm-trigger is not set
  Version info of slot 1:  HW: 768, PLD Rev: 4
  Framer Version: 0x28

Manufacture Cookie Info:
 EEPROM Type 0x0001, EEPROM Version 0x01, Board ID 0x01,
 Board Hardware Version 3.0, Item Number 73-4089-03,
 Board Revision B0, Serial Number JAE050301LR,
 PLD/ISP Version unset,  Manufacture Date 18-Jan-2001.

  Framing is ESF, Clock Source is Line.
  Data in current interval (293 seconds elapsed):
 0 Line Code Violations, 1 Path Code Violations
 0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
 1 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs
  Data in Interval 1:
 0 Line Code Violations, 0 Path Code Violations
 0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
 0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs
  Data in Interval 2:

... but the serial interface is stuck in reset status.

ArmoryPl-AS5400#show int Serial1/0:26:0
Serial1/0:26:0 is reset, line protocol is down
  Hardware is DSX1
  Description: Glass Doctor (K1.HCFU.417839..SC)
  MTU 1500 bytes, BW 1120 Kbit, DLY 2 usec,
 reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Closed, multilink Closed
  Closed: BACP, loopback not set
  Last input never, output never, output hang never
  Last clearing of show interface counters 13:01:00
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
 Conversations  0/0/256 (active/max active/max total)
 Reserved Conversations 0/0 (allocated/max allocated)
 Available Bandwidth 840 kilobits/sec
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
 0 packets input, 0 bytes, 0 no buffer
 Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
 0 packets output, 0 bytes, 0 underruns
 0 output errors, 0 collisions, 0 interface resets
 0 output buffer failures, 0 output buffers swapped out

Strangely, it stays in reset status even if I turn the t1 down.

ArmoryPl-AS5400#show controller t1 1/0:26
T1 1/0:26 is administratively down.
  Applique type is Channelized T1
  Transmitter is sending AIS.
  Receiver has remote alarm.
  alarm-trigger is not set
  Version info of slot 1:  HW: 768, PLD Rev: 4
  Framer Version: 0x28

Manufacture Cookie Info:
 EEPROM Type 0x0001, EEPROM Version 0x01, Board ID 0x01,
 Board Hardware Version 3.0, Item Number 73-4089-03,
 Board Revision B0, Serial Number JAE050301LR,
 PLD/ISP Version unset,  Manufacture Date 18-Jan-2001.

  Framing is ESF, Clock Source is Line.
  Data in current interval (334 seconds elapsed):
 0 Line Code Violations, 1 Path Code Violations
 0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 1 Degraded Mins
 1 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs
  Data in Interval 1:
 0 Line Code Violations, 0 Path Code Violations
 0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
 0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs

ArmoryPl-AS5400#show int Serial1/0:26:0
Serial1/0:26:0 is reset, line protocol is down
  Hardware is DSX1
  Description: Glass Doctor (K1.HCFU.417839..SC)
  MTU 1500 bytes, BW 1120 Kbit, DLY 2 usec,
 reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Closed, multilink Closed
  Closed: BACP, loopback not set
  Last input never, output never, output hang never
  Last clearing of show interface counters 13:05:11
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
 Conversations  0/0/256 (active/max active/max total)
 Reserved Conversations 0/0 (allocated/max allocated)
 Available Bandwidth 840 kilobits/sec
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
 0 packets input, 0 bytes, 0 no 

Re: [c-nsp] Serial interface stuck in reset status.

[Joseph Mays]

Two obvious things are that the controller is shut down on one side in 
your config


Sorry, I just grabbed that section of the config while I was showing that 
the serial interface stays in reset status even while the controller is show 
down, when the serial interface should change to down. As I showed in the 
later example, the serial interface stays in reset status even when the 
controller is up.


The problem I am having is that the t1 controller seems to come up fine 
and error free...



ArmoryPl-AS5400#show controller t1 1/0:26
T1 1/0:26 is up.


[...]


... but the serial interface is stuck in reset status.



ArmoryPl-AS5400#show int Serial1/0:26:0
Serial1/0:26:0 is reset, line protocol is down


I originally had the controller set to 64kbps channels, the change to 56 
kbps was an attempt to figure out what is going on. I've changed it back to 
64kbps channels now. Serial interface is still stuck.


controller T1 1/0:26
framing esf
channel-group 0 timeslots 1-20 speed 64

T1 1/0:26 is up.
 Applique type is Channelized T1
 No alarms detected.
 alarm-trigger is not set
 Version info of slot 1:  HW: 768, PLD Rev: 4
 Framer Version: 0x28

Serial1/0:26:0 is reset, line protocol is down
 Hardware is DSX1
 Description: Glass Doctor (K1.HCFU.417839..SC)
 MTU 1500 bytes, BW 1280 Kbit, DLY 2 usec,
reliability 255/255, txload 1/255, rxload 1/255
 Encapsulation PPP, LCP Closed, multilink Closed
 Closed: BACP, loopback not set
 Last input never, output never, output hang never
 Last clearing of show interface counters 00:05:18
 Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
 Queueing strategy: weighted fair
 Output queue: 0/1000/64/0 (size/max total/threshold/drops)
Conversations  0/0/256 (active/max active/max total)
Reserved Conversations 0/0 (allocated/max allocated)
Available Bandwidth 960 kilobits/sec
 5 minute input rate 0 bits/sec, 0 packets/sec
 5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] Serial interface stuck in reset status.

[Joseph Mays]

... but the serial interface is stuck in reset status.


I should point out, that even with the controller turned down, clearing the 
interface does not take it out of reset status.


ArmoryPl-AS5400#clear int Serial1/0:26:0
ArmoryPl-AS5400#show int Serial1/0:26:0
Serial1/0:26:0 is reset, line protocol is down
 Hardware is DSX1
 Description: Glass Doctor (K1.HCFU.417839..SC)
 MTU 1500 bytes, BW 1280 Kbit, DLY 2 usec,
reliability 255/255, txload 1/255, rxload 1/255

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] single static ip address for customer(s)

[Joseph Mays]

Please know that when I say single static ip address for customer(s) in 
my
subject heading, I mean a residential dsl subscriber with a windows 
computer

sitting on his desk in his master bedroom and he bought a single static ip
address from me (the isp I work for).  This is the context of my question.


This is what we do. Assign the address via radius with PPPoE, then broadcast 
that address from whatever router they connected to with OSPF. Within our 
network anyone can connect to any of our pops with DSL and get their 
assigned address.



___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

[c-nsp] Match dial peer on trunk group or caller id.

[Joseph Mays]

I want to route all incoming calls from a particular trunk to be outgoing 
calls on another specific trunk group. Is there any way, in a dial-peer 
entry, to match on caller ID or incoming trunk group, rather than 
destination-pattern?


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

[c-nsp] Call rejeciton from Cisco

[Joseph Mays]

Hello. I am using an AS5400 to generate a PRI that is then going to a CiscoIAD. 
So on the AS5400 side I have. The IAD only has 8 analog voice ports, so I am 
using the last 8 channels of the PRI for voice ports, and the first 16 channels 
as a T1 for internet service.

controller T1 1/0:24
 framing esf
 channel-group 0 timeslots 1-16 speed 64
 loopback network ignore
 pri-group timeslots 17-24

interface Serial1/0:24:0
 ip address 216.24.28.249 255.255.255.252
 encapsulation ppp
 no cdp enable
!
interface Serial1/0:24:23
 no ip address
 isdn switch-type primary-ni
 isdn protocol-emulate network
 no isdn outgoing ie redirecting-number
 no isdn incoming alerting add-PI
 no cdp enable


On the IAD I have

controller T1 1/0
framing esf
linecode b8zs
channel-group 0 timeslots 1-16 speed 64
pri-group timeslots 17-24 nfas_d primary nfas_int 1 nfas_group 1

interface Serial1/0:0
ip address 216.24.28.250 255.255.255.252
encapsulation ppp
!
interface Serial1/0:23
no ip address
isdn switch-type primary-ni
isdn incoming-voice voice
no cdp enable

dial-peer voice 1 pots
description route calls to ISDN
destination-pattern .T
port 1/0:23

The PRI and TEI's seem to be up. The AS5400 has intermachine trunks connecting 
it to the telco system and routes incoming and outgoing phone calls all day 
long, but when I try to make an outgoing call from the Cisco IAD I see the IAD 
2400 appear to do the call setup and send the call out 1/0:23, but eventually I 
get a reject with a cause code of 0x0, which isn't very helpful. I'm not even 
sure if the error message is coming from the far end (the AS5400) or the near 
end (the IAD2400).

Error output below with the reject highlighted in red. It would seem that the 
called is being rejected for Invalid information element contents. I'm having 
a hard time determining which elements it considers invalid, though. We've 
never generated our own PRI out to a client box before, so any information 
anyone has would be greatly appreciated. Also, if anyone has a config example 
of both ends of such an arrangement I would love to see it.

022127: 1w0d: ISDN Se1/0:24:23 Q931: RX - SETUP pd = 8  callref = 0x002C
Bearer Capability i = 0x9090A2
Standard = CCITT
Transer Capability = 3.1kHz Audio
Transfer Mode = Circuit
Transfer Rate = 64 kbit/s
Channel ID i = 0xE1818397
Preferred, Interface 1, Channel 23
Progress Ind i = 0x8183 - Origination address is non-ISDN
Calling Party Number i = 0x2183, '5025673005'
Plan:ISDN, Type:National
Called Party Number i = 0x80, '75023871095'
Plan:Unknown, Type:Unknown
022128: 1w0d: ISDN Se1/0:24:23 LIFd: LIF_StartTimer: timer (0x64FBB518), ticks 
(3), event (0x1250)
022129: 1w0d: ISDN Se1/0:24:23 Q931d: L3_Go: source = 0x20A, event = 0x241, 
call id = 0x0, int id = 0x0
022130: 1w0d: ISDN Se1/0:24:23 Q931d: L3_Go: call_id 0x2F62 cr 0x802C state 0 
event 0x5 ces 1
022131: 1w0d: ISDN Se1/0:24:23 Q931d: L3_ProcessEvent: callref = 0x802C 
SETUP:U0_Setup(nlcb)
022132: 1w0d: ISDN Se1/0:24:23 Q931d: L3_state_change: callref 0x802C old 
NULL_STATE, new CALL_PRESENT
022133: 1w0d: ISDN Se1/0:24:23 Q931d: L3_Go: source = 0x400, event = 0x340, 
call id = 0x2F62, int id = 0x0
022134: 1w0d: ISDN Se1/0:24:23 Q931d: L3_Go: call_id 0x2F62 cr 0x802C state 6 
event 0x82 ces 1
022135: 1w0d: ISDN Se1/0:24:23 Q931d: L3_ProcessEvent: callref = 0x802C 
CC_SETUP_REJ_REQ:U6_SetupRejReq(nlcb)
022136: 1w0d: ISDN Se1/0:24:23 Q931d: L3_state_change: callref 0x802C old 
CALL_PRESENT, new NULL_STATE
022137: 1w0d: ISDN Se1/0:24:23 LIFd: LIF_StartTimer: timer (0x65F432AC), ticks 
(1000), event (0x1240)
022138: 1w0d: ISDN Se1/0:24:23 Q931: TX - RELEASE_COMP pd = 8  callref = 0x802C
Cause i = 0x82E418 - Invalid information element contents
022139: 1w0d: ISDN Se1/0:24:23 LIFd: LIF_StartTimer: timer (0x64FBB518), ticks 
(3), event (0x1250)
AMSS1#
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] Call rejeciton from Cisco

[Joseph Mays]

On a related note, I am aware that part of the problem might be that the called 
party number might be listed as plan unknown and type unknown. I've been trying 
to figure out a way on the IAD 2400 to set this to national and isdn for all 
outgoing calls, but the only way I can find to do that is with translation 
rules, and those all seem to assume that the first thing you want to do is 
search and replace part of the dialed number. I really don't care what the 
dialed number is. Is there some way to match just on the plan and type, or some 
way to set those values other than a translation rule?
  - Original Message - 
  From: Joseph Mays 
  To: cisco-...@puck.nether.net ; cisco-nsp@puck.nether.net 
  Sent: Tuesday, May 15, 2012 1:42 PM
  Subject: Call rejeciton from Cisco


  Hello. I am using an AS5400 to generate a PRI that is then going to a 
CiscoIAD. So on the AS5400 side I have. The IAD only has 8 analog voice ports, 
so I am using the last 8 channels of the PRI for voice ports, and the first 16 
channels as a T1 for internet service.

  controller T1 1/0:24
   framing esf
   channel-group 0 timeslots 1-16 speed 64
   loopback network ignore
   pri-group timeslots 17-24

  interface Serial1/0:24:0
   ip address 216.24.28.249 255.255.255.252
   encapsulation ppp
   no cdp enable
  !
  interface Serial1/0:24:23
   no ip address
   isdn switch-type primary-ni
   isdn protocol-emulate network
   no isdn outgoing ie redirecting-number
   no isdn incoming alerting add-PI
   no cdp enable


  On the IAD I have

  controller T1 1/0
  framing esf
  linecode b8zs
  channel-group 0 timeslots 1-16 speed 64
  pri-group timeslots 17-24 nfas_d primary nfas_int 1 nfas_group 1

  interface Serial1/0:0
  ip address 216.24.28.250 255.255.255.252
  encapsulation ppp
  !
  interface Serial1/0:23
  no ip address
  isdn switch-type primary-ni
  isdn incoming-voice voice
  no cdp enable

  dial-peer voice 1 pots
  description route calls to ISDN
  destination-pattern .T
  port 1/0:23

  The PRI and TEI's seem to be up. The AS5400 has intermachine trunks 
connecting it to the telco system and routes incoming and outgoing phone calls 
all day long, but when I try to make an outgoing call from the Cisco IAD I see 
the IAD 2400 appear to do the call setup and send the call out 1/0:23, but 
eventually I get a reject with a cause code of 0x0, which isn't very helpful. 
I'm not even sure if the error message is coming from the far end (the AS5400) 
or the near end (the IAD2400).

  Error output below with the reject highlighted in red. It would seem that the 
called is being rejected for Invalid information element contents. I'm having 
a hard time determining which elements it considers invalid, though. We've 
never generated our own PRI out to a client box before, so any information 
anyone has would be greatly appreciated. Also, if anyone has a config example 
of both ends of such an arrangement I would love to see it.

  022127: 1w0d: ISDN Se1/0:24:23 Q931: RX - SETUP pd = 8  callref = 0x002C
  Bearer Capability i = 0x9090A2
  Standard = CCITT
  Transer Capability = 3.1kHz Audio
  Transfer Mode = Circuit
  Transfer Rate = 64 kbit/s
  Channel ID i = 0xE1818397
  Preferred, Interface 1, Channel 23
  Progress Ind i = 0x8183 - Origination address is non-ISDN
  Calling Party Number i = 0x2183, '5025673005'
  Plan:ISDN, Type:National
  Called Party Number i = 0x80, '75023871095'
  Plan:Unknown, Type:Unknown
  022128: 1w0d: ISDN Se1/0:24:23 LIFd: LIF_StartTimer: timer (0x64FBB518), 
ticks (3), event (0x1250)
  022129: 1w0d: ISDN Se1/0:24:23 Q931d: L3_Go: source = 0x20A, event = 0x241, 
call id = 0x0, int id = 0x0
  022130: 1w0d: ISDN Se1/0:24:23 Q931d: L3_Go: call_id 0x2F62 cr 0x802C state 0 
event 0x5 ces 1
  022131: 1w0d: ISDN Se1/0:24:23 Q931d: L3_ProcessEvent: callref = 0x802C 
SETUP:U0_Setup(nlcb)
  022132: 1w0d: ISDN Se1/0:24:23 Q931d: L3_state_change: callref 0x802C old 
NULL_STATE, new CALL_PRESENT
  022133: 1w0d: ISDN Se1/0:24:23 Q931d: L3_Go: source = 0x400, event = 0x340, 
call id = 0x2F62, int id = 0x0
  022134: 1w0d: ISDN Se1/0:24:23 Q931d: L3_Go: call_id 0x2F62 cr 0x802C state 6 
event 0x82 ces 1
  022135: 1w0d: ISDN Se1/0:24:23 Q931d: L3_ProcessEvent: callref = 0x802C 
CC_SETUP_REJ_REQ:U6_SetupRejReq(nlcb)
  022136: 1w0d: ISDN Se1/0:24:23 Q931d: L3_state_change: callref 0x802C old 
CALL_PRESENT, new NULL_STATE
  022137: 1w0d: ISDN Se1/0:24:23 LIFd: LIF_StartTimer: timer (0x65F432AC), 
ticks (1000), event (0x1240)
  022138: 1w0d: ISDN Se1/0:24:23 Q931: TX - RELEASE_COMP pd = 8  callref = 
0x802C
  Cause i = 0x82E418 - Invalid information element contents
  022139: 1w0d: ISDN Se1/0:24:23 LIFd: LIF_StartTimer: timer (0x64FBB518), 
ticks (3), event (0x1250)
  AMSS1#
___
cisco-nsp mailing list  cisco

Re: [c-nsp] Call rejeciton from Cisco

[Joseph Mays]

Disregard. I figured out how to get it to set the plan and type, but it's still 
having the same problem.

027789: 1w0d: ISDN Se1/0:24:23 Q931: RX - SETUP pd = 8  callref = 0x002D
Bearer Capability i = 0x9090A2
Standard = CCITT
Transer Capability = 3.1kHz Audio
Transfer Mode = Circuit
Transfer Rate = 64 kbit/s
Channel ID i = 0xE1818397
Preferred, Interface 1, Channel 23
Progress Ind i = 0x8183 - Origination address is non-ISDN
Calling Party Number i = 0x2183, '5025673005'
Plan:ISDN, Type:National
Called Party Number i = 0xA1, '5023871095'
Plan:ISDN, Type:National
027790: 1w0d: ISDN Se1/0:24:23 LIFd: LIF_StartTimer: timer (0x64FBB518), ticks 
(3), event (0x1250)
027791: 1w0d: ISDN Se1/0:24:23 Q931d: L3_Go: source = 0x20A, event = 0x241, 
call id = 0x0, int id = 0x0
027792: 1w0d: ISDN Se1/0:24:23 Q931d: L3_Go: call_id 0x300E cr 0x802D state 0 
event 0x5 ces 1
027793: 1w0d: ISDN Se1/0:24:23 Q931d: L3_ProcessEvent: callref = 0x802D 
SETUP:U0_Setup(nlcb)
027794: 1w0d: ISDN Se1/0:24:23 Q931d: L3_state_change: callref 0x802D old 
NULL_STATE, new CALL_PRESENT
027795: 1w0d: ISDN Se1/0:24:23 Q931d: L3_Go: source = 0x400, event = 0x340, 
call id = 0x300E, int id = 0x0
027796: 1w0d: ISDN Se1/0:24:23 Q931d: L3_Go: call_id 0x300E cr 0x802D state 6 
event 0x82 ces 1
027797: 1w0d: ISDN Se1/0:24:23 Q931d: L3_ProcessEvent: callref = 0x802D 
CC_SETUP_REJ_REQ:U6_SetupRejReq(nlcb)
027798: 1w0d: ISDN Se1/0:24:23 Q931d: L3_state_change: callref 0x802D old 
CALL_PRESENT, new NULL_STATE
027799: 1w0d: ISDN Se1/0:24:23 LIFd: LIF_StartTimer: timer (0x65F432AC), ticks 
(1000), event (0x1240)
027800: 1w0d: ISDN Se1/0:24:23 Q931: TX - RELEASE_COMP pd = 8  callref = 0x802D
Cause i = 0x82E418 - Invalid information element contents

  - Original Message - 
  From: Joseph Mays 
  To: cisco-...@puck.nether.net ; cisco-nsp@puck.nether.net 
  Sent: Tuesday, May 15, 2012 2:08 PM
  Subject: Re: Call rejeciton from Cisco


  On a related note, I am aware that part of the problem might be that the 
called party number might be listed as plan unknown and type unknown. I've been 
trying to figure out a way on the IAD 2400 to set this to national and isdn for 
all outgoing calls, but the only way I can find to do that is with translation 
rules, and those all seem to assume that the first thing you want to do is 
search and replace part of the dialed number. I really don't care what the 
dialed number is. Is there some way to match just on the plan and type, or some 
way to set those values other than a translation rule?
- Original Message - 
From: Joseph Mays 
To: cisco-...@puck.nether.net ; cisco-nsp@puck.nether.net 
Sent: Tuesday, May 15, 2012 1:42 PM
Subject: Call rejeciton from Cisco


Hello. I am using an AS5400 to generate a PRI that is then going to a 
CiscoIAD. So on the AS5400 side I have. The IAD only has 8 analog voice ports, 
so I am using the last 8 channels of the PRI for voice ports, and the first 16 
channels as a T1 for internet service.

controller T1 1/0:24
 framing esf
 channel-group 0 timeslots 1-16 speed 64
 loopback network ignore
 pri-group timeslots 17-24

interface Serial1/0:24:0
 ip address 216.24.28.249 255.255.255.252
 encapsulation ppp
 no cdp enable
!
interface Serial1/0:24:23
 no ip address
 isdn switch-type primary-ni
 isdn protocol-emulate network
 no isdn outgoing ie redirecting-number
 no isdn incoming alerting add-PI
 no cdp enable


On the IAD I have

controller T1 1/0
framing esf
linecode b8zs
channel-group 0 timeslots 1-16 speed 64
pri-group timeslots 17-24 nfas_d primary nfas_int 1 nfas_group 1

interface Serial1/0:0
ip address 216.24.28.250 255.255.255.252
encapsulation ppp
!
interface Serial1/0:23
no ip address
isdn switch-type primary-ni
isdn incoming-voice voice
no cdp enable

dial-peer voice 1 pots
description route calls to ISDN
destination-pattern .T
port 1/0:23

The PRI and TEI's seem to be up. The AS5400 has intermachine trunks 
connecting it to the telco system and routes incoming and outgoing phone calls 
all day long, but when I try to make an outgoing call from the Cisco IAD I see 
the IAD 2400 appear to do the call setup and send the call out 1/0:23, but 
eventually I get a reject with a cause code of 0x0, which isn't very helpful. 
I'm not even sure if the error message is coming from the far end (the AS5400) 
or the near end (the IAD2400).

Error output below with the reject highlighted in red. It would seem that 
the called is being rejected for Invalid information element contents. I'm 
having a hard time determining which elements it considers invalid, though. 
We've never generated our own PRI out to a client box before, so any

Re: [c-nsp] Call rejeciton from Cisco

[Joseph Mays]

On the IAD2400 I have --

interface Serial1/0:23
 no ip address
 isdn switch-type primary-ni
 isdn incoming-voice voice
 isdn map address .T plan isdn type national
 isdn negotiate-bchan
 no cdp enable

and on the AS5400 I have --

interface Serial1/0:24:23
 no ip address
 isdn switch-type primary-ni
 isdn protocol-emulate network
 isdn negotiate-bchan
 no isdn outgoing ie redirecting-number
 no isdn incoming alerting add-PI
 trunk-group WinnetOfficePri
 no cdp enable



- Original Message - 
From: Tim Jackson jackson@gmail.com
To: Joseph Mays m...@win.net
Cc: cisco-...@puck.nether.net; cisco-nsp@puck.nether.net
Sent: Tuesday, May 15, 2012 3:44 PM
Subject: Re: [c-nsp] Call rejeciton from Cisco


http://www.cisco.com/en/US/docs/ios/12_2/dial/command/reference/drfisl2.html#wp1116673

Usually Cause i = 0x82E418 - Invalid information element contents
means that it's not happy about it requesting an exclusive channel vs
preferred iirc..

Could also be a mismatched ISDN switch type? NI2 I would assume on both?

On Tue, May 15, 2012 at 1:16 PM, Joseph Mays m...@win.net wrote:
 Disregard. I figured out how to get it to set the plan and type, but it's 
 still having the same problem.

 027789: 1w0d: ISDN Se1/0:24:23 Q931: RX - SETUP pd = 8 callref = 0x002D
 Bearer Capability i = 0x9090A2
 Standard = CCITT
 Transer Capability = 3.1kHz Audio
 Transfer Mode = Circuit
 Transfer Rate = 64 kbit/s
 Channel ID i = 0xE1818397
 Preferred, Interface 1, Channel 23
 Progress Ind i = 0x8183 - Origination address is non-ISDN
 Calling Party Number i = 0x2183, '5025673005'
 Plan:ISDN, Type:National
 Called Party Number i = 0xA1, '5023871095'
 Plan:ISDN, Type:National
 027790: 1w0d: ISDN Se1/0:24:23 LIFd: LIF_StartTimer: timer (0x64FBB518), 
 ticks (3), event (0x1250)
 027791: 1w0d: ISDN Se1/0:24:23 Q931d: L3_Go: source = 0x20A, event = 0x241, 
 call id = 0x0, int id = 0x0
 027792: 1w0d: ISDN Se1/0:24:23 Q931d: L3_Go: call_id 0x300E cr 0x802D state 0 
 event 0x5 ces 1
 027793: 1w0d: ISDN Se1/0:24:23 Q931d: L3_ProcessEvent: callref = 0x802D 
 SETUP:U0_Setup(nlcb)
 027794: 1w0d: ISDN Se1/0:24:23 Q931d: L3_state_change: callref 0x802D old 
 NULL_STATE, new CALL_PRESENT
 027795: 1w0d: ISDN Se1/0:24:23 Q931d: L3_Go: source = 0x400, event = 0x340, 
 call id = 0x300E, int id = 0x0
 027796: 1w0d: ISDN Se1/0:24:23 Q931d: L3_Go: call_id 0x300E cr 0x802D state 6 
 event 0x82 ces 1
 027797: 1w0d: ISDN Se1/0:24:23 Q931d: L3_ProcessEvent: callref = 0x802D 
 CC_SETUP_REJ_REQ:U6_SetupRejReq(nlcb)
 027798: 1w0d: ISDN Se1/0:24:23 Q931d: L3_state_change: callref 0x802D old 
 CALL_PRESENT, new NULL_STATE
 027799: 1w0d: ISDN Se1/0:24:23 LIFd: LIF_StartTimer: timer (0x65F432AC), 
 ticks (1000), event (0x1240)
 027800: 1w0d: ISDN Se1/0:24:23 Q931: TX - RELEASE_COMP pd = 8 callref = 
 0x802D
 Cause i = 0x82E418 - Invalid information element contents

 - Original Message -
 From: Joseph Mays
 To: cisco-...@puck.nether.net ; cisco-nsp@puck.nether.net
 Sent: Tuesday, May 15, 2012 2:08 PM
 Subject: Re: Call rejeciton from Cisco


 On a related note, I am aware that part of the problem might be that the 
 called party number might be listed as plan unknown and type unknown. I've 
 been trying to figure out a way on the IAD 2400 to set this to national and 
 isdn for all outgoing calls, but the only way I can find to do that is with 
 translation rules, and those all seem to assume that the first thing you want 
 to do is search and replace part of the dialed number. I really don't care 
 what the dialed number is. Is there some way to match just on the plan and 
 type, or some way to set those values other than a translation rule?
 - Original Message -
 From: Joseph Mays
 To: cisco-...@puck.nether.net ; cisco-nsp@puck.nether.net
 Sent: Tuesday, May 15, 2012 1:42 PM
 Subject: Call rejeciton from Cisco


 Hello. I am using an AS5400 to generate a PRI that is then going to a 
 CiscoIAD. So on the AS5400 side I have. The IAD only has 8 analog voice 
 ports, so I am using the last 8 channels of the PRI for voice ports, and the 
 first 16 channels as a T1 for internet service.

 controller T1 1/0:24
 framing esf
 channel-group 0 timeslots 1-16 speed 64
 loopback network ignore
 pri-group timeslots 17-24

 interface Serial1/0:24:0
 ip address 216.24.28.249 255.255.255.252
 encapsulation ppp
 no cdp enable
 !
 interface Serial1/0:24:23
 no ip address
 isdn switch-type primary-ni
 isdn protocol-emulate network
 no isdn outgoing ie redirecting-number
 no isdn incoming alerting add-PI
 no cdp enable


 On the IAD I have

 controller T1 1/0
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-16 speed 64
 pri-group timeslots 17-24 nfas_d primary nfas_int 1 nfas_group 1

 interface Serial1/0:0
 ip address 216.24.28.250 255.255.255.252
 encapsulation ppp
 !
 interface Serial1/0:23
 no ip address
 isdn switch-type primary-ni
 isdn incoming-voice voice
 no cdp enable

 dial-peer voice 1 pots
 description route calls to ISDN
 destination

Re: [c-nsp] Possible T1 clocking problem.

[Joseph Mays]

 timeslots 1-24 speed 64.

That was it. Thanks so much. I've been trying to figure out for days why 
something that should be simple was proving impossible.

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

[c-nsp] Possible T1 clocking problem.

[Joseph Mays]

We're setting up an HDSL4 t1 across two copper pairs. This is the first time 
I've ever turned up a T1 that was not telco provided. The smartjacks show the 
T1 as up (and extremely good quality, actually, strong signal and not a single 
bit error). On the CO side the T1 goes to a T3 multiplexer which is plugged 
into a channelized T3 card in an AS5400. On the remote end the T1 is plugged 
into T1 WIC in a 2600.

Both ends show the T1 interface up, line protocol is down. Encapsulation is 
PPP, but all I ever see are errors. I've confirmed the wiring and every other 
aspect of the physical layer.

Here is the show interface info from the AS5400 6 minutes after clearing 
counters on the interface.

AMSS1#show int serial1/0:24:0
Serial1/0:24:0 is up, line protocol is down
  Hardware is DSX1
  Internet address is 216.24.28.249/30
  MTU 1500 bytes, BW 1344 Kbit, DLY 2 usec,
 reliability 244/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP REQsent, loopback not set
  Last input 23:04:24, output never, output hang never
  Last clearing of show interface counters 00:06:00
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
 Conversations  0/1/256 (active/max active/max total)
 Reserved Conversations 0/0 (allocated/max allocated)
 Available Bandwidth 1008 kilobits/sec
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
 0 packets input, 0 bytes, 0 no buffer
 Received 0 broadcasts, 0 runts, 12 giants, 0 throttles
 14 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 2 abort
 75 packets output, 1050 bytes, 0 underruns
 0 output errors, 0 collisions, 0 interface resets
 0 output buffer failures, 0 output buffers swapped out
 0 carrier transitions
  Timeslot(s) Used:1-24, Transmitter delay is 0 flags
AMSS1#

The interface on the remote end (t1 WIC port in a 2600 shows a lot more errors, 
including a lot of frame errors, for the same time period.

On the AS5400, the clocking on the t3 interface is set to take clocking from 
the network. Show tdm clock shows the clocking on the t1 channel in question 
(channel 24) as good.

AMSS1#show tdm clock

Primary Clock:
--
System primary is slot 1 ds3_port 0 ds1_port 1 of priority 1
TDM Bus Master Clock Generator State = NORMAL

Backup clocks for primary:
Source  Slot  Port  DS3-Port  Priority  Status  State
-
Trunk   1 2   YES   2GoodConfigured
Trunk   1 3   YES   3GoodConfigured
Trunk   1 4   YES   4GoodConfigured
Trunk   1 5   YES   5GoodConfigured
Trunk   1 6   YES   6GoodConfigured
Trunk   1 28  YES   202  GoodDefault

Trunk cards controllers clock health information

  CT3 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1
Slot  Port  Type  8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1
1 0  T3   G B B B G B B B B B B B B B B B B B B B B B G G G G G G

Worth noting is that the other t1's (1-6) that show up as good are all standard 
t1's through the telco. Channel 24 connects directly to the HDSL smartjack that 
goes to the remote end. I assume the AS5400 end is picking up clocking from the 
MUX for channel 24, but it's not clear to me what is deciding the clocking for 
the T1 to the remote from the mux (which is where all the frame errors are 
showing up) in this case.

I've tried setting the T1 on the remote side to both clock-source line and 
clock-source internal. No difference in either case.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

[c-nsp] Setting line encoding, no controller present

[Joseph Mays]

I need to set the t1 controller for the serial interface below to be b8zs 
encoding and clock source internal, but the router does not even recognize the 
controller commands, and I can't find any relevant commands under the serial 
interface config.

=

gw1.office#show controller serial2/0
Interface Serial2/0
Hardware is Quicc 68360 with Integrated FT1 CSU/DSU module
 TX and RX clocks detected.
idb at 0x6416E310, driver data structure at 0x64175A34
WIC interrupt reg = F
SCC Registers:
General [GSMR]=0x2:0x0030, Protocol-specific [PSMR]=0x8
Events [SCCE]=0x, Mask [SCCM]=0x001F, Status [SCCS]=0x0002
Transmit on Demand [TODR]=0x0, Data Sync [DSR]=0x7E7E
Interrupt Registers:
Config [CICR]=0x00C9CF00, Pending [CIPR]=0x
Mask   [CIMR]=0xC000C000, In-srv  [CISR]=0x
SDMA Registers:
[SDSR]=0x00, [SDAR]=0x07A014E0, [SDCR]=0x0772
Command register [CR]=0x600
Port A [PADIR]=0x, [PAPAR]=0x
   [PAODR]=0x, [PADAT]=0xEEFD
Port B [PBDIR]=0x0011FE, [PBPAR]=0x0E
   [PBODR]=0x00, [PBDAT]=0x03EE5C
Port C [PCDIR]=0x000E, [PCPAR]=0x
   [PCSO]=0x0020,  [PCDAT]=0x0FCF, [PCINT]=0x0001
BRGC1 = 0x , BRGC2 = 0x
BRGC3 = 0x , BRGC4 = 0x
Receive Ring
rmd(3D010420): status 9000 length 2 address 7B99024
rmd(3D010428): status 9000 length F address 7B9B724
rmd(3D010430): status 9000 length 2 address 7B9C424
rmd(3D010438): status 9000 length 10 address 7B9AA24
rmd(3D010440): status 9000 length 12 address 7B996A4
rmd(3D010448): status 9000 length 11 address 7B99D24
rmd(3D010450): status B000 length F address 7B9A3A4
Transmit Ring
tmd(3D010458): status 5C00 length E address 7A01894
tmd(3D010460): status 5C00 length E address 7C14B34
tmd(3D010468): status 5C00 length E address 7A014D4
tmd(3D010470): status 5C00 length E address 7C161B4
tmd(3D010478): status 5C00 length E address 7C15DF4
tmd(3D010480): status 5C00 length E address 7A00AD4
tmd(3D010488): status 7C00 length E address 7C14634

tx_limited=1(2)

SCC GENERAL PARAMETER RAM (at 0x3D010C00)
Rx BD Base [RBASE]=0x420, Fn Code [RFCR]=0x18
Tx BD Base [TBASE]=0x458, Fn Code [TFCR]=0x18
Max Rx Buff Len [MRBLR]=1548
Rx State [RSTATE]=0x18008240, BD Ptr [RBPTR]=0x440
Tx State [TSTATE]=0x18000348, BD Ptr [TBPTR]=0x458

SCC HDLC PARAMETER RAM (at 0x3D010C38)
CRC Preset [C_PRES]=0x, Mask [C_MASK]=0xF0B8
Errors: CRC [CRCEC]=0, Aborts [ABTSC]=9, Discards [DISFC]=0
Nonmatch Addr Cntr [NMARC]=0
Retry Count [RETRC]=0
Max Frame Length [MFLR]=1608
Rx Int Threshold [RFTHR]=0, Frame Cnt [RFCNT]=65524
User-defined Address ///
User-defined Address Mask 0x


buffer size 1524
QUICC SCC specific errors:
131355 input aborts on receiving flag sequence
0 throttles, 0 enables
0 overruns
0 transmitter underruns
0 transmitter CTS losts
20703 aborted short frames


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] Setting line encoding, no controller present

[Joseph Mays]

You didn't say what you've tried, but you might poke around in:

conf t
int s2/0
service-module t1 ?

and I think you'll find everything you're looking for.


That's it, thanks.

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] QoS on Multilink T1's.

[Joseph Mays]

Are they real T1s or are they 1.5Mb MPLS service?  We've got several
4xT1 (MPLS service) bundles working  had to pay for QOS to get voice
working acceptably well.


Real T1's.


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] QoS on Multilink T1's.

[Joseph Mays]

 We has similar issues and had to make a change to the ML interface. Try 
 adding ppp multilink fradment disable. 

I need to do some more testing, but it looks at first observation as if this 
may have fixed the problem. Why would fragmenting packets on a multilink PPP 
interface be a problem for QoS, and what are the potential implications of not 
fragmenting packets on the interface?

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] Failing to load IOS

[Joseph Mays]

Is this a case where a bootldr file is needed?  Does the ROMMON understand
the disk1: filesystem?  In ROMMON, can you do a 'dev' and see the
filesystem, or do a 'dir' on it?  I haven't played with too many of the
older 7200s, but I seem to remember this.


This problem was fixed by upgrading the bootstrap software from 11.2 to --

BOOTLDR: 7200 Software (C7200-BOOT-M), Version 12.0(24)S

Then the bootldr could read the disk1 entry and load the IOS from it.

So the router loaded 12.4(13b) fine now and is running with that. 
Unfortunately, this did not fix the problem it was hoped it would fix, the 
problem with QoS over multilink PPP.



___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] QoS on Multilink T1's.

[Joseph Mays]

I took each t1 individually out of the multilink bundle, so the bundle 
contained only the first t1, then only the second t1. In both cases, the 
problem disappeared and QoS began working normally as soon as there was 
only one t1 in the bundle. This is without changing the multilink 
interface config or policy itself. As soon as I put both t1's back in the 
problem returns immediately.


Right now I'm planning to upgrade the router to 12.4ish Monday.


So unfortunately this problem still exists. If upgrading from 12.3 to 12.4 
did not fix the problem, I guess it's probably not a bug. So I'm momentarily 
at a loss. I can post the config if anyone would like to see it. Is there 
anyone out there who is doing QoS across a multilinked bundle of more than 
one T1 who can send it to me so I can compare what you have with what I am 
doing?



___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] QoS on Multilink T1's.

[Joseph Mays]

Maybe check the release notes for later 12.4 releases, just in case?


I will.


Silly question, but is CEF enabled now?


No.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] QoS on Multilink T1's.

[Joseph Mays]

This may or may not be a stupid question


Not a stupid question at all. But yes, they are all identical.


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] Failing to load IOS

[Joseph Mays]

 And what is the boot process stating?  i.e. when it is booting, does it try 
 and load 124-13b and fail, or simply load 123-22?

I have been doing most of this work remote from the site, though I may travel 
to the site and reboot with a plug into the console port to answer this 
question.

 Is this a case where a bootldr file is needed?  Does the ROMMON understand 
 the disk1: filesystem?

Again, I haven't gotten much chance to see what the ROMMON thinks, as this is a 
production system in a remote facility. I do note however that we have two 
other 7200's that load IOS fine from disk0, but your question led me to look at 
the Boot info.

The other two are running --

ROM: System Bootstrap, Version 12.2(1r) [dchih 1r], RELEASE SOFTWARE (fc1)
BOOTLDR: 7200 Software (C7200-BOOT-M), Version 12.0(24)S, EARLY DEPLOYMENT 
RELEASE SOFTWARE (fc1)

The system that won't load 12.4 from disk0: is --

ROM: System Bootstrap, Version 12.1(2710:044039) [nlaw-121E_npeb 117], 
DEVELOPMENT SOFTWARE
BOOTLDR: 7200 Software (C7200-IS-M), Version 12.3(22), RELEASE SOFTWARE (fc2)

I tried verifying the file as suggested. 

gw1.armplc#verify disk1:c7200-is-mz.124-13b.bin
%Filesystem does not support verify operations
gw1.armplc#

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] Failing to load IOS

[Joseph Mays]

Also, just as a sanity check --

I cannot find a listing for separate ram for the IOS. Does the NPE-400 set 
aside memory for the IOS load from the main memory? And if so, is that 
amount of memory dynamic? If so I can assume the 512 meg of ram in the box 
is enough and the amount of memory for storing the IOS is not the problem.


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] Failing to load IOS

[Joseph Mays]

From: Andriy Bilous andriy.bil...@gmail.com
 What 'show bootvar' says?

gw1.armplc#show bootvar
BOOT variable = 
disk1:c7200-is-mz.124-13b.bin,12;slot0:c7200-is-mz.123-22.bin,12;
CONFIG_FILE variable does not exist
BOOTLDR variable =
Configuration register is 0x2102

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] Failing to load IOS

[Joseph Mays]

BTW, what does the number just after the file name in the BOOT variable 
represent?

gw1.armplc#show bootvar
BOOT variable = 
disk1:c7200-is-mz.124-13b.bin,12;slot0:c7200-is-mz.123-22.bin,12;
  ^^  ^^

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

[c-nsp] Failing to load IOS

[Joseph Mays]

Trying to load 12.4(13b) on a --

cisco 7206VXR (NPE400) processor (revision A) with 491520K/32768K bytes of 
memory.


I have the following boot sequence defined --

boot-start-marker
boot system disk1:c7200-is-mz.124-13b.bin
boot system slot0:c7200-is-mz.123-22.bin
boot-end-marker


Both images are there.

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

[c-nsp] Failing to load IOS

[Joseph Mays]

Sorry, disregard the previous message, hit send by accident before it was 
completed.

Trying to load 12.4(13b) on a --

cisco 7206VXR (NPE400) processor (revision A) with 491520K/32768K bytes of 
memory.

I have the following boot sequence defined --

boot-start-marker
boot system disk1:c7200-is-mz.124-13b.bin
boot system slot0:c7200-is-mz.123-22.bin
boot-end-marker


Both images are there.

gw1.armplc#dir disk1:
Directory of disk1:/

1  -rw-26027532  Mar 29 2012 10:32:38 +00:00  c7200-is-mz.124-13b.bin

40759296 bytes total (14729216 bytes free)

gw1.armplc#dir slot0:
Directory of slot0:/

1  -rw-17839240   Apr 6 2011 14:12:43 +00:00  c7200-is-mz.123-22.bin

20578304 bytes total (2738936 bytes free)

Yet after bootup the router is still running the 12.3(22) version.

I assume the problem is the amount of ram, since the feature navigator shows 
that the router requires 48meg for 12.4(13b), and show ver shows it only has 32 
meg (is that correct)? But the feature navigator also shows that 12.3(22) 
requires 48meg, and that loads fine.

So I'm looking for a sanity check as to whether or not I am misreading the 
feature navigator or the router info, and whether or not something other than 
the amount of ram is likely to be the problem.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

[c-nsp] QoS on Multilink T1's.

[Joseph Mays]

We have the following service policy on a router that priorities VOIP 
traffic according to the ef tag.


class-map match-all dscp-ef
 match ip dscp ef
!
!
policy-map queue-on-dscp
description Prioritizes voice traffic first, signalling next.
 class dscp-ef
  priority percent 75
 class class-default
  fair-queue
  random-detect dscp-based

The router primarily contains traffic for T1's routed to several 
destinations.


I can demonstrate that for individual T1's the service policy does as it 
should. Throw normal pings at the remote end, things are low latency and no 
packet loss. Ping flood the remote end with 1500 byte packets and latency 
for normal pings and packet loss go sky high. While still pingflooding, 
pings tagged with DSCP ef still have low latency and no packet loss. This is 
all the way it should be.


However, it generally doesn't work for the multilink client on the box. In 
this case, while ping flooding, packets with and without the EF tag set all 
suffer the same high latency and packet loss during ping flood. Not 
surprisingly, this one client is also having VOIP call quality problems. All 
the clients are using the same service policy. I have been assuming that 
it's something about the fact that this client has two multilink T1's bonded 
together with multilink PPP and other clients just have a single T1.


Is there somethings special that has to done for QoS over multilink PPP? Or 
is there possibly some other thing affecting this one client? There are no 
specific access lists relating to their connection, nor to the ones that 
work. Really, the only thing overt that sets them different from the others 
is that they have bonded T1's, as shown below.


interface Multilink117870
description Bonded Pair to Edge Outreach
bandwidth 3072
ip address 216.24.2.145 255.255.255.252
no cdp enable
ppp authorization PermT1
ppp multilink
ppp multilink group 117870
service-policy output queue-on-dscp

interface Serial6/0/1:0
description Edge Outreach (K1.HCFU.511024..SC)
bandwidth 1536
no ip address
no ip redirects
no ip proxy-arp
encapsulation ppp
ppp authorization PermT1
ppp multilink
ppp multilink group 117870
!
interface Serial6/0/2:0
description Edge Outreach (K1.HCFU.511025..SC)
bandwidth 1536
no ip address
no ip redirects
no ip proxy-arp
encapsulation ppp
ppp authorization PermT1
ppp multilink
ppp multilink group 117870

Here is an example of a plain single T1 client config, in which case the QoS 
service policy works exactly as it should.


interface Serial6/0/3:0
description Leonard Brush (K1.HCFU.511093..SC)
bandwidth 1536
ip address 216.24.0.53 255.255.255.252
no ip redirects
no ip proxy-arp
encapsulation ppp
ppp authorization PermT1
service-policy output queue-on-dscp

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] QoS on Multilink T1's.

[Joseph Mays]

You might try using an actual KBS number instead of percentages for the 
multilink.


That's what I was doing before. I changed to the percent in the process of 
trying to figure out this problem.



___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] QoS on Multilink T1's.

[Joseph Mays]

The router is a 7206VXR (NPE400) running 12.3.(22). I am out of ideas as it 
stands, so I was thinking about upgrading the IOS.


- Original Message - 
From: Craig Dickerson craig.dicker...@logixcom.com

To: Joseph Mays m...@win.net
Sent: Friday, March 23, 2012 4:01 PM
Subject: RE: [c-nsp] QoS on Multilink T1's.


We have had a similar problem before. Have you tried removing the policy
form the interface and then re-applying it? If this works you may have a
software bug.


-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-
boun...@puck.nether.net] On Behalf Of Joseph Mays
Sent: Friday, March 23, 2012 1:49 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] QoS on Multilink T1's.

 You might try using an actual KBS number instead of percentages for
 the multilink.

That's what I was doing before. I changed to the percent in the

process of

trying to figure out this problem.


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/ 


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] QoS on Multilink T1's.

[Joseph Mays]

I would also check the policy-map statistics on the multilink interface to 
see if it is actually doing

anything and go from there. It *could* be a bug.


I took each t1 individually out of the multilink bundle, so the bundle 
contained only the first t1, then only the second t1. In both cases, the 
problem disappeared and QoS began working normally as soon as there was only 
one t1 in the bundle. This is without changing the multilink interface 
config or policy itself. As soon as I put both t1's back in the problem 
returns immediately.


Right now I'm planning to upgrade the router to 12.4ish Monday.


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

[c-nsp] crypto map working on outbound interface, need it to work on inbound interface

[Joseph Mays]

Have a crypto map that was working to build a tunnel between 65.119.118.75 
and 24.235.0.25. Peers for the vpn tunnel were 24.235.0.26 and 
65.119.118.136. Due to some network changes 24.235.0.26, which was the 
egress interface toward the remote end, is now an ingress interface. Still, 
I don't see why this should matter. The access list is the same, it's just 
traffic coming in through the interface rather than out of it.


Crypto Map WinnetToSyniverse 20 ipsec-isakmp
   Description: PHL-3845-SS7-VPN router
   Peer = 65.119.118.136
   Extended IP access list PHL-3845-SS7-VPN
   access-list PHL-3845-SS7-VPN permit ip host 24.235.0.25 host 
65.119.118.76

   Current peer: 65.119.118.136
   Security association lifetime: 4608000 kilobytes/3600 seconds
   PFS (Y/N): N
   Transform sets={
   TSI2,
   }
   Interfaces using crypto map WinnetToSyniverse:
  FastEthernet1/1

The packets for the access list should match regardless of direction, but it 
acts like it's not matching packets to the access list and not even trying 
to start the vpn.


Router#show crypto isakmp sa
dst src state  conn-id slot status

Nothing there.

I can ping 65.119.118.136 from the router even when I set the source address 
to the address of the ingress interface, 24.235.0.26, and can ping the host 
we are trying to talk to across the vpn, 65.119.118.76, from 24.235.0.25.


I moved the crypto map command to the outside interface and it started 
matching packets tried to bring the vpn tunnel up, but that failed, I'm 
guessing because the source address changed to the address of the egress 
interface, which would not be the address configured in the remote side. So 
I want to use the ingress interface and its address so we don't have to go 
through a complex process to get the other side to reconfigure.



___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] crypto map working on outbound interface, need it to work on inbound interface

[Joseph Mays]

So, in the example below, will this cause the vpn to connect to the peer 
from FastEthernet0/0, but identify as the ip address of FastEthernet1/1?


crypto map WinnetToSyniverse local-address FastEthernet1/1
crypto map WinnetToSyniverse 20 ipsec-isakmp
description PHL-3845-SS7-VPN router
set peer 65.119.118.136
set transform-set TSI2
match address PHL-3845-SS7-VPN
!
!
!
interface FastEthernet0/0
ip address 216.135.80.50 255.255.255.252
duplex auto
speed auto
crypto map WinnetToSyniverse

- Original Message - 
From: Joseph Mays m...@win.net

To: cisco-nsp@puck.nether.net
Sent: Tuesday, December 13, 2011 3:41 PM
Subject: [c-nsp] crypto map working on outbound interface,need it to work on 
inbound interface



Have a crypto map that was working to build a tunnel between 65.119.118.75 
and 24.235.0.25. Peers for the vpn tunnel were 24.235.0.26 and 
65.119.118.136. Due to some network changes 24.235.0.26, which was the 
egress interface toward the remote end, is now an ingress interface. 
Still, I don't see why this should matter. The access list is the same, 
it's just traffic coming in through the interface rather than out of it.


Crypto Map WinnetToSyniverse 20 ipsec-isakmp
   Description: PHL-3845-SS7-VPN router
   Peer = 65.119.118.136
   Extended IP access list PHL-3845-SS7-VPN
   access-list PHL-3845-SS7-VPN permit ip host 24.235.0.25 host 
65.119.118.76

   Current peer: 65.119.118.136
   Security association lifetime: 4608000 kilobytes/3600 seconds
   PFS (Y/N): N
   Transform sets={
   TSI2,
   }
   Interfaces using crypto map WinnetToSyniverse:
  FastEthernet1/1

The packets for the access list should match regardless of direction, but 
it acts like it's not matching packets to the access list and not even 
trying to start the vpn.


Router#show crypto isakmp sa
dst src state  conn-id slot status

Nothing there.

I can ping 65.119.118.136 from the router even when I set the source 
address to the address of the ingress interface, 24.235.0.26, and can ping 
the host we are trying to talk to across the vpn, 65.119.118.76, from 
24.235.0.25.


I moved the crypto map command to the outside interface and it started 
matching packets tried to bring the vpn tunnel up, but that failed, I'm 
guessing because the source address changed to the address of the egress 
interface, which would not be the address configured in the remote side. 
So I want to use the ingress interface and its address so we don't have to 
go through a complex process to get the other side to reconfigure.



___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/ 


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] crypto map working on outbound interface, need it to work on inbound interface

[Joseph Mays]

Mostly I was just trying to find out, never having used the local address 
parameter in the global crypto map config, if I was using it correctly. Here is 
the debug output you mentioned.

With the config shown below, pinging from 24.235.0.25 to 65.119.118.76 to bring 
the vpn up...

Router#show debug
Generic IP:
  ICMP packet debugging is on

Cryptographic Subsystem:
  Crypto ISAKMP Error debugging is on
  Crypto ISAKMP High Availability debugging is on
  Crypto IPSEC Error debugging is on
  Crypto High Availability Manager debugging is on
  Crypto IPSEC High Availability debugging is on
Router#
*Apr  5 07:17:28.703: ISAKMP:(0:0:N/A:0):Notify has no hash. Rejected.
*Apr  5 07:17:28.707: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, 
IKE_INFO_NOTIFY:  state = IKE_I_MM1
*Apr  5 07:17:28.707: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational 
mode failed with peer at 65.119.118.136
*Apr  5 07:17:58.667: ISAKMP:(0:0:N/A:0):SA is still budding. Attached new 
ipsec request to it. (local 24.235.0.26, remote 65.119.118.136)
*Apr  5 07:18:01.359: %SEC-6-IPACCESSLOGDP: list PHL-3845-SS7-VPN permitted 
icmp 24.235.0.25 - 65.119.118.76 (8/0), 282 packets
*Apr  5 07:18:29.071: ISAKMP:(0:0:N/A:0):Notify has no hash. Rejected.
*Apr  5 07:18:29.071: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, 
IKE_INFO_NOTIFY:  state = IKE_I_MM1
*Apr  5 07:18:29.071: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational 
mode failed with peer at 65.119.118.136
*Apr  5 07:18:59.031: ISAKMP:(0:0:N/A:0):SA is still budding. Attached new 
ipsec request to it. (local 24.235.0.26, remote 65.119.118.136)
*Apr  5 07:19:29.291: ISAKMP:(0:0:N/A:0):Notify has no hash. Rejected.
*Apr  5 07:19:29.291: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, 
IKE_INFO_NOTIFY:  state = IKE_I_MM1
*Apr  5 07:19:29.291: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational 
mode failed with peer at 65.119.118.136
*Apr  5 07:19:36.247: ICMP: time exceeded (time to live) sent to 118.96.20.16 
(dest was 216.135.93.64)
*Apr  5 07:19:42.315: ICMP: time exceeded (time to live) sent to 212.67.88.93 
(dest was 24.235.0.25)
*Apr  5 07:19:59.251: ISAKMP:(0:0:N/A:0):SA is still budding. Attached new 
ipsec request to it. (local 24.235.0.26, remote 65.119.118.136)
*Apr  5 07:20:29.315: ISAKMP:(0:0:N/A:0):Notify has no hash. Rejected.
*Apr  5 07:20:29.319: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, 
IKE_INFO_NOTIFY:  state = IKE_I_MM1
*Apr  5 07:20:29.319: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational 
mode failed with peer at 65.119.118.136
*Apr  5 07:20:49.895: ICMP: time exceeded (time to live) sent to 121.14.69.250 
(dest was 216.135.93.72)
*Apr  5 07:20:59.279: ISAKMP:(0:0:N/A:0):SA is still budding. Attached new 
ipsec request to it. (local 24.235.0.26, remote 65.119.118.136)
*Apr  5 07:21:29.555: ISAKMP:(0:0:N/A:0):Notify has no hash. Rejected.
*Apr  5 07:21:29.555: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, 
IKE_INFO_NOTIFY:  state = IKE_I_MM1
*Apr  5 07:21:29.559: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational 
mode failed with peer at 65.119.118.136


  - Original Message - 
  From: Clint Wade 
  To: Joseph Mays 
  Cc: cisco-nsp@puck.nether.net 
  Sent: Tuesday, December 13, 2011 5:29 PM
  Subject: Re: [c-nsp] crypto map working on outbound interface, need it to 
work on inbound interface


  Joseph,

  With anything VPN related it may be better to either post outputs of a 'debug 
isakmp sa' or 'debug ipsec sa' or the relevent portions of the configurations 
on both devices. It's not easy to get an idea of what is going on with small 
config snippets.

  Regards,
  Clint Wade


  On Tue, Dec 13, 2011 at 4:22 PM, Joseph Mays m...@win.net wrote:

So, in the example below, will this cause the vpn to connect to the peer 
from FastEthernet0/0, but identify as the ip address of FastEthernet1/1?

crypto map WinnetToSyniverse local-address FastEthernet1/1
crypto map WinnetToSyniverse 20 ipsec-isakmp
description PHL-3845-SS7-VPN router
set peer 65.119.118.136
set transform-set TSI2
match address PHL-3845-SS7-VPN
!
!
!
interface FastEthernet0/0
ip address 216.135.80.50 255.255.255.252
duplex auto
speed auto
crypto map WinnetToSyniverse

- Original Message - From: Joseph Mays m...@win.net
To: cisco-nsp@puck.nether.net
Sent: Tuesday, December 13, 2011 3:41 PM
Subject: [c-nsp] crypto map working on outbound interface,need it to work 
on inbound interface




  Have a crypto map that was working to build a tunnel between 
65.119.118.75 and 24.235.0.25. Peers for the vpn tunnel were 24.235.0.26 and 
65.119.118.136. Due to some network changes 24.235.0.26, which was the egress 
interface toward the remote end, is now an ingress interface. Still, I don't 
see why this should matter. The access list is the same, it's just traffic 
coming in through the interface rather than out of it.

  Crypto Map WinnetToSyniverse 20 ipsec-isakmp

[c-nsp] FTP Throughput

[Joseph Mays]

Running tests on FTP throughput from a windows ftp client across two T3 hops 
to an ftp server running on FreeBSD unix. Pretty much all the bandwidth on 
both T3's is available. Total latency averages about 3ms. The customer on 
the end of the t3 is complaining that they can't get faster than 600KB per 
second anywhere. I get about 1000KB (8mbps) on a file transfer. I can start 
multiple file transfers, simultaneously, all top out at about that speed. 
The customer is demanding to know why they can't transfer files at, say, 
40mbps. I am assuming the answer is something to do with TCP window size, 
but how do I prove that?


Joe

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

[c-nsp] Subnetting problem

[Joseph Mays]

It feels strange to be asking a question about something as simple as a subnet 
here, but I'm honestly not sure what's going on in this case. Probably 
something simple.

As you can see from the following set of commands, the router is fine with 
breaking the following addresses up into /30's, but not fine with the aggregate 
of the two routes into a /29.

gw1.armplc(config)#ip route 216.24.2.4 255.255.255.252 216.24.0.54
gw1.armplc(config)#no ip route 216.24.2.4 255.255.255.252 216.24.0.54
gw1.armplc(config)#ip route 216.24.2.8 255.255.255.252 216.24.0.54
gw1.armplc(config)#no ip route 216.24.2.8 255.255.255.252 216.24.0.54
gw1.armplc(config)#ip route 216.24.2.4 255.255.255.248 216.24.0.54
%Inconsistent address and mask

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] Subnetting problem

[Joseph Mays]

Got it. Thanks for all the responses. I figured it was going to be something 
obvious and simple. Please accept this as an object lesson in why you 
shouldn't get drawn into a party til 5am midweek and then try to work on a 
network the next day. :-)


- Original Message - 
From: Roy r.engehau...@gmail.com

To: Joseph Mays m...@win.net
Sent: Thursday, October 06, 2011 3:38 PM
Subject: Re: [c-nsp] Subnetting problem


216.24.2.4 255.255.255.248 is not the network boundary.  The last octet 
must be divisible by 8.




On 10/6/2011 12:22 PM, Joseph Mays wrote:
It feels strange to be asking a question about something as simple as a 
subnet here, but I'm honestly not sure what's going on in this case. 
Probably something simple.


As you can see from the following set of commands, the router is fine 
with breaking the following addresses up into /30's, but not fine with 
the aggregate of the two routes into a /29.


gw1.armplc(config)#ip route 216.24.2.4 255.255.255.252 216.24.0.54
gw1.armplc(config)#no ip route 216.24.2.4 255.255.255.252 216.24.0.54
gw1.armplc(config)#ip route 216.24.2.8 255.255.255.252 216.24.0.54
gw1.armplc(config)#no ip route 216.24.2.8 255.255.255.252 216.24.0.54
gw1.armplc(config)#ip route 216.24.2.4 255.255.255.248 216.24.0.54
%Inconsistent address and mask

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/





___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

[c-nsp] Cisco 7206 overloading every four hours

[Joseph Mays]

Recently started receiving a full BGP table on a cisco 7206. Since doing 
that, the router will run fine for a few yours, and then periodically the 
CPU load goes over the top. Is there some periodic process running to do 
some route aggregation or something that causes this?


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] Cisco 7206 overloading every four hours

[Joseph Mays]

What are the npe/mem specs of this box, and how many bgp peers are you 
getting partial or full routes from?


Only 1 peer for this box (at the moment). Show ver info below.

core-gw1.nocshow ver
Cisco Internetwork Operating System Software
IOS (tm) 7200 Software (C7200-IK9SU2-M), Version 12.3(23), RELEASE SOFTWARE 
(fc5)

Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by cisco Systems, Inc.
Compiled Tue 24-Jul-07 21:42 by stshen
Image text-base: 0x60008AF4, data-base: 0x61F54BE0

ROM: System Bootstrap, Version 12.2(1r) [dchih 1r], RELEASE SOFTWARE (fc1)
BOOTLDR: 7200 Software (C7200-BOOT-M), Version 12.0(24)S, EARLY DEPLOYMENT 
RELEASE SOFTWARE (fc1)


core-gw1.noc uptime is 37 weeks, 1 day, 8 hours, 11 minutes
System returned to ROM by power-on
System restarted at 05:39:25 EST Sun Jan 2 2011
System image file is disk0:c7200-ik9su2-mz.123-23.bin


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found 
at:

http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
exp...@cisco.com.

cisco 7206VXR (NPE300) processor (revision D) with 262144K/32768K bytes of 
memory.

Processor board ID 20399590
R7000 CPU at 262MHz, Implementation 39, Rev 2.1, 256KB L2 Cache
6 slot VXR midplane, Version 2.0

Last reset from power-on
Bridging software.
X.25 software, Version 3.0.0.

--
This Version of Cisco IOS Software is not supported on NPE300.
Please select a version of Cisco IOS software compatible with
this processor from http://www.cisco.com.
--

PCI bus mb0_mb1 (Slots 0, 1, 3 and 5) has a capacity of 600 bandwidth 
points.

Current configuration on bus mb0_mb1 has a total of 200 bandwidth points.
This configuration is within the PCI bus capacity and is supported.

PCI bus mb2 (Slots 2, 4, 6) has a capacity of 600 bandwidth points.
Current configuration on bus mb2 has a total of 380 bandwidth points
This configuration is within the PCI bus capacity and is supported.

Please refer to the following document Cisco 7200 Series Port Adaptor
Hardware Configuration Guidelines on Cisco.com http://www.cisco.com
for c7200 bandwidth points oversubscription and usage guidelines.


2 FastEthernet/IEEE 802.3 interface(s)
2 Serial network interface(s)
125K bytes of non-volatile configuration memory.

46976K bytes of ATA PCMCIA card at slot 0 (Sector size 512 bytes).
4096K bytes of Flash internal SIMM (Sector size 256K).
Configuration register is 0x102

core-gw1.noc


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

[c-nsp] Subrate T3 card

[Joseph Mays]

I have a T3/E3 card in a cisco 3640 that I want to use as a serialT3, but it 
does not show up as a serial interface, nor is there even a controller line 
in the config. It only shows up in the hardware infomration as a Subrate 
T3/E3 port. What does this mean?


gw1.dist uptime is 1 hour, 36 minutes
System returned to ROM by power-on
System restarted at 17:00:56 EDT Tue Jul 26 2011
System image file is flash:c3640-is-mz.123-6.bin

cisco 3640 (R4700) processor (revision 0x00) with 124928K/6144K bytes of 
memory.

Processor board ID 11876053
R4700 CPU at 100MHz, Implementation 33, Rev 1.0
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
2 FastEthernet/IEEE 802.3 interface(s)
2 Serial network interface(s)
1 Subrate T3/E3 ports(s)
DRAM configuration is 64 bits wide with parity disabled.
125K bytes of non-volatile configuration memory.
24576K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102

gw1.dist#

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] Subrate T3 card

[Joseph Mays]

You have to set the type first:

card type t3 slot


That was it. I've never heard of that or had to do that before. Thanks much!
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

[c-nsp] Problem with IP Inspect

[Joseph Mays]

Okay, we had a router that had the internal LAN on fastethernet0/0, and the 
external WAN on Serial1. The internal lan had the follwoing entries...


interface FastEthernet0/0
ip access-group OfficeACL out
ip inspect WinnetOffice in

Which were associated with

ip inspect max-incomplete high 1000
ip inspect max-incomplete low 800
ip inspect one-minute high 1000
ip inspect one-minute low 800
ip inspect dns-timeout 60
ip inspect tcp idle-time 10800
ip inspect name WinnetOffice icmp
ip inspect name WinnetOffice fragment maximum 500 timeout 15
ip inspect name WinnetOffice netshow
ip inspect name WinnetOffice realaudio
ip inspect name WinnetOffice tcp
ip inspect name WinnetOffice udp
ip inspect name WinnetOffice tftp
ip inspect name WinnetOffice ftp audit-trail off

...and a long OfficeACL list that I won't go into at the moment.

We moved to a router that has the WAN connecion on a pair bonded ethernet 
ports connected to a bridged ADSL modem, and the LAN port on Fastethernet0/0


I tried added the ip inspect line and the acl line to Fastethernet0, but I 
found with nothing else changing, including the LAN IP's not changing, 
connections to the outside world broke. In trying various thing, I found 
adding the ip inspect WinnetOffice in line broke communications to the 
outside world *by itself*, even if the ACL list was not being activated by 
the ip access-group line. This shouldn't happen, should it? There is no way 
turning on ip inspection should break communications anywhere in the absence 
of an ACL list, is there?



___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] Problem with IP Inspect

[Joseph Mays]

Tried your suggestion, thanks. Created a the following ACL...

ip access-list extended FaInboundACL
permit ip any any

Added it to the inbound traffic on the LAN interface

interface FastEthernet0/0
description Win.net Chestnut St Office LAN
ip address 216.24.33.1 255.255.255.0
ip access-group FaInboundACL in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
ip route-cache same-interface
speed 100
full-duplex
no cdp enable

Not surprisingly, no effect, web browsing and everything work normally. I 
then added the ip inspect ...



interface FastEthernet0/0
description Win.net Chestnut St Office LAN
ip address 216.24.33.1 255.255.255.0
ip access-group FaInboundACL in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
ip inspect WinnetOffice in
ip route-cache same-interface
speed 100
full-duplex
no cdp enable

And web browsing from the LAN stops working again.

- Original Message - 
From: Kevin Graham kgra...@industrial-marshmallow.com

To: Joseph Mays m...@win.net
Cc: cisco-nsp@puck.nether.net
Sent: Friday, July 22, 2011 6:32 PM
Subject: Re: [c-nsp] Problem with IP Inspect



On Jul 22, 2011, at 1:23 PM, Joseph Mays m...@win.net wrote:

 There is no way turning on ip inspection should break communications 
anywhere in the absence of an ACL list, is there?


IIRC, ip inspect is creating a pseudo-acl, so you're being bitten by the 
default deny. You should apply a permit ip any any ACL inbound on that 
interface. (Adding more specific permits and making sure ACE counters aren't 
excessively increasing is also a really good way of making sure inspection 
is handling the traffic you intended it to during initial deployment 
without breaking anything).






___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/ 


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

[c-nsp] AS5300/AS5400 power supplies

[Joseph Mays]

Does anyone know if the power supplies in AS5300's and AS5400's are 
interchangeable?



___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

[c-nsp] PPP fails with IOS upgrade

[Joseph Mays]

I sent a message yesterday about a problem we are having on an AS5400. PPP 
works fine with version 12.2.16, but fails with version 12.3.13. The config is 
not changing between the two versions. Here's information on the problem that 
is a bit more specific. With the old version of IOS everything proceeds as 
normally, as shown by the following debug output (debug ppp events, errors, and 
negotiation). With the new version, the debug output is identical through pap 
authentication (with the exception of a session ID line that doesn't show up 
with the old version, but I don't think it has anything to do with the 
problem). Immediately after authentication, the new version begins sending an 
IPCP packet (with a ccp code?). It sends it over and over. On the client 
side, windows dial-up times out during Registering your computer on the 
network saying it timed out awaiting a response from the server.

This is a confusing and disturbing problem, though I have a suspicion that when 
we arrive at the answer it will turn out to be something quite simple and easy 
to fix. Any help that can be offered would be appreciated.




With IOS c5400-js-mz.122-16.T17.bin

005248: Aug 23 12:00:14.918: As2/42 LCP: Lower layer not up, Fast Starting
005249: Aug 23 12:00:14.918: As2/42 PPP: Using dialer call direction
005250: Aug 23 12:00:14.918: As2/42 PPP: Treating connection as a callin
005251: Aug 23 12:00:14.918: As2/42 PPP: Phase is ESTABLISHING, Passive Open
005252: Aug 23 12:00:14.918: As2/42 LCP: State is Listen
[...]
005299: Aug 23 12:00:15.174: As2/42 PAP: Authenticating peer launch...@win.net
005300: Aug 23 12:00:15.174: As2/42 PPP: Phase is FORWARDING, Attempting Forward
005301: Aug 23 12:00:15.174: As2/42 EVT: Hook 1 0x
005302: Aug 23 12:00:15.174: As2/42 EVT: Hook 1 0x
005303: Aug 23 12:00:15.174: As2/42 EVT: Forwarded 0 0x
005304: Aug 23 12:00:15.174: As2/42 PPP: Phase is AUTHENTICATING, 
Unauthenticated User
005305: Aug 23 12:00:15.230: As2/42 EVT: AAA Response 0 0x6387270C
005306: Aug 23 12:00:15.230: As2/42 PPP: Phase is FORWARDING, Attempting Forward
005307: Aug 23 12:00:15.230: As2/42 EVT: Hook 1 0x
005308: Aug 23 12:00:15.230: As2/42 EVT: Forwarded 0 0x
005309: Aug 23 12:00:15.230: As2/42 PPP: Phase is AUTHENTICATING, Authenticated 
User
005310: Aug 23 12:00:15.230: As2/42 EVT: AAA Response 0 0x64BBD314
005311: Aug 23 12:00:15.230: As2/42 PAP: O AUTH-ACK id 27 len 5
005312: Aug 23 12:00:15.234: As2/42 PPP: Phase is UP
[...]
005361: Aug 23 12:00:15.550: As2/42 IPCP: Add link info for cef entry 
216.24.0.207


With IOS c5400-js-mz.123-13b.bin

000835: Aug 23 12:15:59.328: As2/46 LCP: Lower layer not up, Fast Starting
000836: Aug 23 12:15:59.328: As2/46 PPP: Using dialer call direction
000837: Aug 23 12:15:59.328: As2/46 PPP: Treating connection as a callin
000838: Aug 23 12:15:59.328: As2/46 PPP: Session handle[D062] Session id[0]
000839: Aug 23 12:15:59.328: As2/46 PPP: Phase is ESTABLISHING, Passive Open
000840: Aug 23 12:15:59.328: As2/46 LCP: State is Listen
[...]
000887: Aug 23 12:15:59.576: As2/46 PAP: Authenticating peer launch...@win.net
000888: Aug 23 12:15:59.576: As2/46 PPP: Phase is FORWARDING, Attempting Forward
000889: Aug 23 12:15:59.576: As2/46 EVT: Hook 1 0x
000890: Aug 23 12:15:59.580: As2/46 EVT: Forwarded 0 0x
000891: Aug 23 12:15:59.580: As2/46 PPP: Phase is AUTHENTICATING, 
Unauthenticated User
000892: Aug 23 12:15:59.584: As2/46 EVT: AAA Response 0 0x64DFF388
000893: Aug 23 12:15:59.584: As2/46 PPP: Phase is FORWARDING, Attempting Forward
000894: Aug 23 12:15:59.584: As2/46 EVT: Hook 1 0x
000895: Aug 23 12:15:59.584: As2/46 EVT: Forwarded 0 0x
000896: Aug 23 12:15:59.584: As2/46 PPP: Phase is AUTHENTICATING, Authenticated 
User
000897: Aug 23 12:15:59.584: As2/46 EVT: AAA Response 0 0x64E0A3EC
000898: Aug 23 12:15:59.584: As2/46 EVT: AAA Response 0 0x64DDA8F8
000899: Aug 23 12:15:59.588: As2/46 PAP: O AUTH-ACK id 30 len 5
000900: Aug 23 12:15:59.700: As2/46 EVT: Packet 0 0x62AC4B40
000901: Aug 23 12:15:59.700: As2/46 PPP: Queue CCP code[1] id[4]
000902: Aug 23 12:15:59.700: As2/46 EVT: IPCP Packet 0 0x62AC7508
000903: Aug 23 12:15:59.700: As2/46 PPP: Queue IPCP code[1] id[5]
000904: Aug 23 12:16:01.328: As2/46 EVT: IPCP Packet 0 0x62AC98D8
000905: Aug 23 12:16:01.328: As2/46 PPP: Update queued IPCP code[1] id[6]
000906: Aug 23 12:16:01.328: As2/46 EVT: Packet 0 0x62AC9BD4
000907: Aug 23 12:16:01.328: As2/46 PPP: Update queued CCP code[1] id[7]
000908: Aug 23 12:16:04.328: As2/46 EVT: IPCP Packet 0 0x62AD4EE4
000909: Aug 23 12:16:04.328: As2/46 PPP: Update queued IPCP code[1] id[8]
[...]

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] PPP fails with IOS upgrade

[Joseph Mays]

Dave Weis said

Wild guess would be put no compress in your virtual template, that's what 
CCP appears to be.


Good suggestion, thanks, and if compression is what CCP is it's a useful 
clue. I just tried setting both no compress and compress stac in the 
virtual template, though, and the problem seems to be the same.


Joe Mays

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/