On Thu, 12 Dec 2013, Mark Tinka wrote:
CSR1000v is supported on ESXi only today, and to load it up,
you require vSphere client. I'd rather you didn't, but it's
FWIW - not anymore:
http://www.cisco.com/en/US/docs/routers/csr1000/software/configuration/csroverview.html#wp1081607
I happily
Guys, could you send me more specifics unicast ?
(Highly desirably with some PCAPs off your client segment that would
capture the entirety of the session with the problem).
I'll take a look, once we root-cause it I'll follow-up with our IT folks
and get back.
--a
On Fri, 20 Sep 2013,
Adam,
On Wed, 26 Jan 2011, Adam Greene wrote:
Pete,
Thanks ... we ran some tests this evening, disabling NAT entirely, and saw
the same results, so I think we can safely say that NAT is not causing the
issue.
The situation we are facing is that the customer appears to be unable to
route
Daniel,
excellent, thanks a lot for the info - I've updated the bug record so the others
can benefit from this finding.
cheers,
andrew
On Fri, 19 Nov 2010, Daniel Verlouw wrote:
(apologies for duplicates, thought this might be interesting for folks
on both lists):
Hi,
In case anyone is
Hi Andreas,
On Tue, 19 Oct 2010, Andreas Mueller wrote:
Hello,
my PIX515E is running PIX 8.0.4 with multiple contexts. In one of my contexts
I would like to have IPv6 connectivity. The Interface is configured as
I silently assume but just to verify - no shared interface between
On Thu, 25 Feb 2010, Antonio Soares wrote:
I have a customer swearing that these counters are related with TCP sessions
to/from the PIX/ASA and i found it very strange. Why
would we need so many details about that ? These counters make sense for
connections traversing the PIX/ASA. By the
Antonio,
On Thu, 25 Feb 2010, Antonio Soares wrote:
David/Andrew,
Thank you very much for clarifying this. Well, the customer was looking for
something like this but for TCP sessions traversing the
PIX/ASA. For example, how many SYN packets were sent to the systems protected
by the unit,
On Fri, 19 Feb 2010, Matt Addison wrote:
In addition to serving as a general maintenance release, the Cisco VPN
Client 5.0.7 beta is compatible with Windows 7 Windows Vista 64-bit
environments. A 64-bit specific compatible image is available for
installation on these platforms.
Are there
Hi all,
If you remember the threads about the 64-bit support on the IPSEC VPN
client for Windows: thank you for the feedback.
Adding to that:
$me mode=messenger
In addition to serving as a general maintenance release, the Cisco VPN
Client 5.0.7 beta is compatible with Windows 7 Windows
On Tue, 12 Jan 2010, Dale W. Carder wrote:
On Jan 11, 2010, at 1:41 PM, Brandon Applegate wrote:
So I'm playing around with ipv6 on the ASA. I'm running the latest
code (8.2(1)). And in trying to get traceroutes and pings 'through' the
ASA, I've found that icmp-types are translated to
Management LLC | Purchase, NY 10577
http://www.ox.com | Phone: 914-460-4039
aim: matthewbhuff | Fax: 914-460-4139
-Original Message-
From: Andrew Yourtchenko [mailto:ayour...@cisco.com]
Sent: Monday, December 28, 2009 10:43 AM
To: Matthew Huff
Subject: Re: [c-nsp] Failed crypto key
Reducing the timeut most probably would not help in this case - the
counters for the connections are maintained in the session path, while the
connections themselves are in the fast path.
Give show np all stats | inc Close - if the sum of the first two
numbers is running ahead of the third
On Tue, 29 Dec 2009, Matthew Melbourne wrote:
Thanks for your reply. It looks like it could be oversubscription of the
session path, though I am not completely familiar with the internal
architecture of the FWSM.
system/xxx# show np all stats | inc Close
PKT_CNT: Close indication sent
On Wed, 23 Dec 2009, abs wrote:
doesn't look like it's being intercepted... the traffic goes from my host to
the router to my ip address...
I'm with Jared on the theory that there is a middlebox somewhere on
the way being transparently helpful - though probably worth clarifying
that you
On Wed, 16 Dec 2009, Holemans Wim wrote:
It seems our FWSM doesn't log all denied ACLs. I blocked an IP address
on our FWSM and wanted to see whomever on campus is trying to access
this address (Botnet CC).
I added the following line in the ACL (even raised priority), you can
see that the
On Wed, 16 Dec 2009, Tony Varriale wrote:
gets the ACL exploded so much that it does not fit into the network
processors anymore - then the previously compiled version is being used -
but generally you get a pretty prominent warning about that.
Nope...NP was fine. How we found it was the
On Wed, 2 Dec 2009, Jared Gillis wrote:
Hello,
I'm running some 3750s that are providing IP aggregation for customers of mine. One of the
customers reported that his gateway (the 3750) was responding to ARP for his local LAN addresses.
Taking a look, I realized that I forgot to disable
Hi Alan, Gert,
first of all - thanks for sharing!
On Fri, 9 Oct 2009, Alan Buxey wrote:
@all: does everyone (who does deal with firewalls+IPv6) have also the
almost identical IPv4 and IPv6 policies ?
pretty much so - why would the policy be any different? incoming port 80
E.g. if someone
On Thu, 8 Oct 2009, Leif Sawyer wrote:
Andrew Yourtchenko writes, in response to
Nick Hilliard whom wrote:
Unfortunately, ASA boxes are beloved of enterprises, and
ipv6 is very much down the list as far as the enterprise
market segment is concerned. The service provider market
has
On Mon, 28 Sep 2009, Nick Hilliard wrote:
On 28/09/2009 18:13, Abello, Vinny wrote:
I don't care so much at this point if it fails over or not. If I were to
configure it, would it at least work as far as passing the traffic? I
thought I read early on that it would cause a conflict between
Hi,
On Thu, 3 Sep 2009, almog ohayon wrote:
Hello Everyone,Does anyone knows what is a Dispatch Unit process in Cisco
ASA 5510 ??
low-level packet forwarding. Don't worry about the high Runtime number
there, if that is the underlying question :)
And also to check the attached file and
Hi Gregory,
http://www.net-track.ch/opensource/remtty/ - does that fit the bill ?
thanks,
andrew
NB: to get it working on a x86_64 system you need to carefully weed
out all the compilation warnings before it runs correctly.
On Mon, Aug 10, 2009 at 11:24 PM, Gregory Boehnleinda...@nacs.net
Peter,
(not to hijack the thread, just to comment on tcptrace)
On Thu, 6 Aug 2009, Peter Rathlev wrote:
Thank you all for the pointers. Tcptrace does seem quite interesting,
even though it doesn't seem to be actively maintained since 2004.
At the IETF in Stockholm I had a chat with one of
Hi Peter,
On Tue, 4 Aug 2009, Peter Rathlev wrote:
I've been looking at tstat (http://tstat.tlc.polito.it/index.shtml) and
this looks very promising, but it doesn't seem to be able to analyze the
different flows seperately.
Have you taken a look at
On Fri, 17 Jul 2009, Clue Store wrote:
Hi All,
I'm trying to do DNS doctoring on an asa and for specific reasons I need to
map several different (public) outside IP's the one inside ip as shown
below.
*static (inside,outside) 208.x.x.25 192.168.100.10 netmask 255.255.255.255
dns*
*static
Hi Steven,
On Wed, Jul 15, 2009 at 6:28 PM, Steven Pfisterspfis...@dps.k12.oh.us wrote:
I'm having some trouble with h.323 (video) calls through a PIX 525 using NAT.
We can get incoming calls fine, but not outgoing calls for some reason. My
question has to do with 'inspect h323' vs 'fixup
Technical Coordinator,
The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402
Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfis...@dps.k12.oh.us
Andrew Yourtchenko ayour...@gmail.com 7/15/2009 2:07 PM
Hi Steven
Hi Jared,
On Tue, 30 Jun 2009, Jared Gillis wrote:
Hi all,
I'm configuring a PIX 501 running v6.3.5 code to terminate VPN connections from
remote users. I've got the config intact, but need to learn how the PIX handles
these connections internally.
Here's the relevant config:
access-list
On Wed, 24 Jun 2009, Phil Mayers wrote:
So, it seems to be some kind of analogous feature to TCP SYN protect or
such like, to protect a client flooding a server.
All,
Cisco have identified this as a bug, fixed in 1.5 - CSCsw52831 / CSCsu42225
udp packets are dropped by ace. It's a
On Fri, 19 Jun 2009, Benny Amorsen wrote:
Paul Stewart p...@paulstewart.org writes:
On a related note to the PS below... we have tested lt2tpv3 on a few
different boxes running various IOS images and on each of the devices we did
test we seen the same behavior. This means something is
On Fri, Jun 19, 2009 at 10:41 AM, Benny Amorsenbenny+use...@amorsen.dk wrote:
Paul Stewart p...@paulstewart.org writes:
Generally problems with PMTU are caused by people blocking ICMP in their
(usually PIX/ASA) firewalls. If you control the whole path, you can make
sure that you're not one of
Hi Ge,
On Thu, 18 Jun 2009, Ge Moua wrote:
[snip]
I haven't done this yet but one can adjust max segment size on end-station
hosts to something like 1300 (which of course would affect all protocol
types); there are open source tools to do this, but downside is that all the
end-station hosts
On Thu, 18 Jun 2009, Paul Stewart wrote:
I must admit - I didn't know such an option existed... and that's great to
know...
I myself discovered it by accident when I saw the MTU on my linux box to
be not the 1500 :-)
On a related note to the PS below... we have tested lt2tpv3 on a few
On Thu, Jun 11, 2009 at 2:00 PM, Skeeve Stevensske...@eintellego.net wrote:
Does anyone know if any of the SCCP or SIP images for any of the models of
Cisco IP Phones support IPv6?
I found these two pointers, HTH:
On Tue, 9 Jun 2009, Tony Varriale wrote:
Odd, I've been seeing similiar problems lately in ASA 8.x code with IPv6 SSH
connections...when IPv6 isn't enabled.
Maybe the same team writes the management code? :)
nope, they are different. :)
If you have more details / case# for the ASA IPv6
Hi Jake,
sorry for delay with the reply - and top-posting to avoid having
the rest scroll through the debugs in case they find my scribbles
of any use.
From the messages you mentioned looks like it's the *reply* from the
server (presumably, DHCPACK) that gets dropped by the ASA because of
(even though at first I thought I just produced a pure noise by trying to
solve a not-anymore-an-issue, looks like I will make a second attempt
writing something :-)
From the looks at the bug, it would apply for the scenario of sending the
unicast DHCPREQUEST (because that one previously was
On Wed, Apr 22, 2009 at 5:27 AM, Justin Shore jus...@justinshore.com wrote:
on all interfaces including con0. I have TACACS+ set up with local auth as
the backup (and only one user account on the devices which I've gone to
great lengths to protect). Aux is explicitly disabled. He just
On Thu, 12 Mar 2009, Peter Rathlev wrote:
On Wed, 2009-03-11 at 19:14 +0100, Andrew Yourtchenko wrote:
On Wed, 11 Mar 2009, Peter Rathlev wrote:
This of course points to something else being the problem, not the
FWSM.
*bling* too strong of an assumption :).
Ironically that was a very
On Tue, 10 Mar 2009, Peter Rathlev wrote:
On Tue, 2009-03-10 at 11:32 +0100, Andrew Yourtchenko wrote:
if it is merely a new standby that is coming up, the active should not
stop forwarding the traffic.
That's what I would've assumed too. :-) I do seem to remember that we've
seen
On Wed, 11 Mar 2009, Peter Rathlev wrote:
Hmm... I have discovered that my original analysis was flawed. I knew
TCP sessions without activity survived this, among others a couple of
hmm, so no traffic during the problem = survival... for those sessions
that died in the process, would be
On Tue, 3 Mar 2009, Justin M. Streiner wrote:
On Tue, 3 Mar 2009, Leif Sawyer wrote:
Is anybody working with FWSM's and mixed-mode IPv4+IPv6 ACL's?
I'm having trouble with traceroute6 not succeeding, but ping6 working
fine:
You might be getting caught by flawed behavior of the FWSM.
If clear local fixes it - then most probably there's another xlate that
stands in the way, should not be related to arp.
Watch out for the identity statics that are supersets of this host static,
i.e. something like this is not good:
static (inside,outside) 1.1.1.1 2.2.2.2 netmask
On Sun, 5 Oct 2008, Justin Shore wrote:
FEATURE REQUEST
We need a sub-command of 'show ip access-list' that tells us what interfaces
a given ACL is applied to. Something simple like
show ip access-list acl interfaces
We already have 'sh ip access-list interface int' but that requires one
On Tue, Jul 1, 2008 at 9:55 PM, Sam Stickland
[EMAIL PROTECTED] wrote:
I can buy the comprising argument for a reason not to do this.
I think the reason most people here want to be able to do outbound telnet is
for troubleshooting - checking port connectivity and protocol banners. Many
times
On Tue, Jul 1, 2008 at 6:06 PM, Higham, Josh [EMAIL PROTECTED] wrote:
Tony Varriale wrote:
Any chance you could give the group more details before saying it
can't be trusted?
I'm afraid I don't have any concrete details to add, but I've found
capture expressions on Firewall Service
On Tue, 17 Jun 2008, Richard A Steenbergen wrote:
On Tue, Jun 17, 2008 at 11:27:23PM +0200, Peter Rathlev wrote:
Changing switching mode power cycles the modules by the way. I guess
that's a gotcha. :-)
I'm pretty sure thats not true. You may be thinking of PFC/DFC modes,
where inserting a
Hi David,
On Mon, Jun 9, 2008 at 5:25 AM, David Coulson [EMAIL PROTECTED] wrote:
I am looking at implementing some IP takeover services on a network behind
Pixs (I think it's a pair of 535s running 7.2 - I don't control it, but I
can request config changes). It would appear that Pix does not
On Fri, 6 Jun 2008, Joann Deng wrote:
By default only 5 ssh sessions are allowed in a single context FWSM. If type show ssh
sessions it looks like no session is active. But if type show resource usage resource
ssh, see 5 current sessions:
FWSM1# show resource usage resource ssh
Resource
On 7/2/07, Vincent De Keyzer [EMAIL PROTECTED] wrote:
How do I change the MTU to fix it? The frame circuit is in a Telco's
area I don't normally work in.
Well, you don't really have to change the MTU - you'd rather ask the telco
why you can't ping with large packets.
Normally you should
50 matches
Mail list logo