Lowen SoDium
Jun 5, 2003

Highen Fiber
Clapping Larry
I am sorry that I am asking yet another VoIP question, but here it is.

I have one user who has a 7941 who says other people often say that he is garbled sounding and choppy. It doesn't seem to matter if he is calling inside or outside phones.

I have checked the port he is on and every port between each switch the entire way to the voice gateway. I have replaced his phone. I have checked the PRI for slips or errors. I see absolutely nothing wrong anywhere.

Does anyone have any idea where or what to check?

cptInsane0
Apr 11, 2007

...and a clown with no head
Check the physical layer. Maybe there is interference somewhere along the way.

Sorry, didn't see that you checked all the ports.

cptInsane0 fucked around with this message at 19:50 on Apr 20, 2009

Herv
Mar 24, 2005

Soiled Meat

Agrikk posted:

Thanks Herv!

I remote into the site to do edits, and removing all of the NAT statements will kick me off, so I'm going to have to go to my colo to make the changes.

If you are lazy and adventurous, and don't have much to lose, just erase your startup config and zap the modified config over using tftp.

e.g.
wr net (to a tftp server on your PC)
<modify config for NAT, save file>
erase start
copy tftp start

Reload!
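
The "modify config for NAT" step in the middle of that procedure, as an added example that is not Herv's or Agrikk's code: a script that strips the NAT statements from a config saved with `wr net` and reports any access list left orphaned by the change, so you can diff the result before `copy tftp start`. The config it runs on is constructed for the example (hostname, interfaces and addresses are placeholders). One caveat the procedure glosses over: the saved file carries the router's secrets, and TFTP is cleartext and unauthenticated, so keep the TFTP server on an isolated segment and delete the file when you are done.

```python
"""Offline edit of a saved IOS config: strip NAT before pushing it back.

Added example, not from the thread. Assumes the NAT to remove is the usual
'ip nat inside source ...' set plus the per-interface inside/outside markers.
The sample config below is constructed for this example.
"""
import re

SAMPLE_CONFIG = """\
hostname edge-871
!
ip access-list standard NAT_INSIDE
 permit 192.168.1.0 0.0.0.255
!
interface FastEthernet4
 ip address 203.0.113.10 255.255.255.248
 ip nat outside
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
ip nat inside source list NAT_INSIDE interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.50 22 interface FastEthernet4 2222
ip route 0.0.0.0 0.0.0.0 203.0.113.9
!
end
"""

NAT_GLOBAL = re.compile(r"^ip nat (inside|outside|pool|translation) ")
NAT_IFACE = re.compile(r"^ ip nat (inside|outside)$")
ACL_DEF = re.compile(r"^ip access-list (standard|extended) (\S+)$")


def _still_referenced(name, lines):
    """True if any line other than the ACL's own definition names it."""
    pattern = re.compile(r"\b" + re.escape(name) + r"\b")
    for line in lines:
        m = ACL_DEF.match(line)
        if m and m.group(2) == name:
            continue  # the definition itself does not count as a use
        if pattern.search(line):
            return True
    return False


def strip_nat(config):
    """Return (new_config, removed_lines, orphaned_acls).

    Everything that is not a NAT statement is kept byte-for-byte, so the result
    can be diffed against the original before it goes into startup-config.
    """
    kept, removed = [], []
    for line in config.splitlines():
        if NAT_GLOBAL.match(line) or NAT_IFACE.match(line):
            removed.append(line)
        else:
            kept.append(line)

    # ACLs that only existed to select NAT-eligible traffic are now dead weight;
    # report them so they can be removed (or kept deliberately).
    referenced = set()
    for line in removed:
        m = re.search(r"\bsource list (\S+)", line)
        if m:
            referenced.add(m.group(1))
    orphaned = sorted(n for n in referenced if not _still_referenced(n, kept))
    return "\n".join(kept) + "\n", removed, orphaned
```

Run `strip_nat` on the file `wr net` produced, write the first element of the result to the TFTP directory, and compare the `removed` list against what you expected to lose before doing `erase start` / `copy tftp start`.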

some kinda jackal
Feb 25, 2003

Lowen SoDium posted:

I have one user who has a 7941 who says other people often say that he is garbled sounding and choppy. It doesn't seem to matter if he is calling inside or outside phones.

Does anyone have any idea where or what to check?

Check for slurred speech and ask him to stop drinking before work :colbert:

Lowen SoDium
Jun 5, 2003

Highen Fiber
Clapping Larry

Martytoof posted:

Check for slurred speech and ask him to stop drinking before work :colbert:

That fixed it, thanks.

some kinda jackal
Feb 25, 2003

I can't actually find a simple answer to this, maybe you guys will know.

If I buy a 3550-SMI, what exactly would I be buying from Cisco to enable use of the EMI IOS? I know the part number is CD-3550-EMI=, but is it physically some kind of chip that enables use of the EMI features or is it just a license to install the advanced software?

I'm not trying to be sneaky and :filez: about it, but I want to know if I buy an SMI L3 switch today if I'll be able to upgrade any 3550 to EMI down the road when I actually need to study those features, or do I need to buy a 3550-SMI that has specifically been built to be upgradeable to EMI, if that even makes sense. Hopefully someone gets the gist of what I'm trying to ask.

jwh
Jun 12, 2002

The switch can run either image. There is no hardware difference.

Studebaker Hawk
May 22, 2004

does anyone have experience with the clientless RDP plugin for the ASA? Does it really not have a full screen/resizable screen option? None of the literature seems to indicate it and I really cannot see how that is possible in this day and age when so many other ssl vpn devices offer that functionality (at least the juniper and sonicwall devices that I am more familiar with)

Tremblay
Oct 8, 2002
More dog whistles than a Petco

Studebaker Hawk posted:

does anyone have experience with the clientless RDP plugin for the ASA? Does it really not have a full screen/resizable screen option? None of the literature seems to indicate it and I really cannot see how that is possible in this day and age when so many other ssl vpn devices offer that functionality (at least the juniper and sonicwall devices that I am more familiar with)

Screen size is set inline with the RDP url. So to make the screen 800x600:

rdp://192.168.50.5/?geometry=800x600

Fullscreen:

rdp://192.168.50.5/?fullscreen=true (i think)

If you click on the help link from the clientless portal you can see all the options that are available.

The RDP client isn't written by Cisco. It's an open source project that we redistribute. http://properjavardp.sourceforge.net/

jwh
Jun 12, 2002

I should point out that that is different than the way Juniper does RDP on their IVE boxes, in that IVE based RDP simply calls the machines native mstsc.exe and directs it towards a local socket that is proxied through the SSL tunnel.

Although that process isn't entirely perfect either.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010

jwh posted:

I should point out that that is different than the way Juniper does RDP on their IVE boxes, in that IVE based RDP simply calls the machines native mstsc.exe and directs it towards a local socket that is proxied through the SSL tunnel.

Although that process isn't entirely perfect either.
I was about to chime in and say that the Juniper SSLVPN boxes also supported some type of Java client for remote desktop as well, but I just tested from a non-windows workstation and it just says "This terminal session is not supported on your computer." Seems like a huge oversight on what is otherwise a stellar device. There are obviously workarounds as well, but that just seems odd to me.

CrazyLittle
Sep 11, 2001

Clapping Larry
oh god why???

I've got a pix515E where pings to/from it have really horrible latency, from 7ms up to 700ms.

...but when you enable icmp debugging, everything magically works. What gives? Any ideas?

no debug posted:

64 bytes from 10.0.0.1: icmp_seq=78 ttl=254 time=2.36 ms
64 bytes from 10.0.0.1: icmp_seq=79 ttl=254 time=5.47 ms
64 bytes from 10.0.0.1: icmp_seq=87 ttl=254 time=531 ms
64 bytes from 10.0.0.1: icmp_seq=88 ttl=254 time=92.2 ms
64 bytes from 10.0.0.1: icmp_seq=89 ttl=254 time=91.4 ms
64 bytes from 10.0.0.1: icmp_seq=97 ttl=254 time=341 ms

debug icmp trace posted:

64 bytes from 10.0.0.1: icmp_seq=374 ttl=254 time=3.50 ms
64 bytes from 10.0.0.1: icmp_seq=375 ttl=254 time=3.59 ms
64 bytes from 10.0.0.1: icmp_seq=376 ttl=254 time=3.64 ms
64 bytes from 10.0.0.1: icmp_seq=377 ttl=254 time=3.52 ms
64 bytes from 10.0.0.1: icmp_seq=378 ttl=254 time=3.59 ms
64 bytes from 10.0.0.1: icmp_seq=379 ttl=254 time=3.51 ms
64 bytes from 10.0.0.1: icmp_seq=380 ttl=254 time=3.64 ms
64 bytes from 10.0.0.1: icmp_seq=381 ttl=254 time=3.61 ms
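
Those two traces say more than "700 ms sometimes". An added example, not part of CrazyLittle's post: a script that parses the ping lines exactly as posted above and derives the numbers the raw output does not spell out, in particular the replies that never came back (the `icmp_seq` jumps from 79 to 87 and from 89 to 97), so the "no debug" case is a loss problem as well as a latency problem. The two sample strings are copied from the post; the statistics are the added part.

```python
"""Pull numbers out of the two ping traces in the post.

Added example, not from the thread. The sample lines are the ones posted;
everything derived from them (loss inferred from icmp_seq gaps, jitter) is
an added check, not something the post states.
"""
import re
import statistics

PING_LINE = re.compile(r"icmp_seq=(\d+) ttl=\d+ time=([\d.]+) ms")

NO_DEBUG = """\
64 bytes from 10.0.0.1: icmp_seq=78 ttl=254 time=2.36 ms
64 bytes from 10.0.0.1: icmp_seq=79 ttl=254 time=5.47 ms
64 bytes from 10.0.0.1: icmp_seq=87 ttl=254 time=531 ms
64 bytes from 10.0.0.1: icmp_seq=88 ttl=254 time=92.2 ms
64 bytes from 10.0.0.1: icmp_seq=89 ttl=254 time=91.4 ms
64 bytes from 10.0.0.1: icmp_seq=97 ttl=254 time=341 ms
"""

WITH_DEBUG = """\
64 bytes from 10.0.0.1: icmp_seq=374 ttl=254 time=3.50 ms
64 bytes from 10.0.0.1: icmp_seq=375 ttl=254 time=3.59 ms
64 bytes from 10.0.0.1: icmp_seq=376 ttl=254 time=3.64 ms
64 bytes from 10.0.0.1: icmp_seq=377 ttl=254 time=3.52 ms
64 bytes from 10.0.0.1: icmp_seq=378 ttl=254 time=3.59 ms
64 bytes from 10.0.0.1: icmp_seq=379 ttl=254 time=3.51 ms
64 bytes from 10.0.0.1: icmp_seq=380 ttl=254 time=3.64 ms
64 bytes from 10.0.0.1: icmp_seq=381 ttl=254 time=3.61 ms
"""


def parse_ping(text):
    """Return [(icmp_seq, rtt_ms), ...] in the order the replies were printed."""
    return [(int(m.group(1)), float(m.group(2))) for m in PING_LINE.finditer(text)]


def summarize(text):
    """Latency figures plus the loss that bare ping lines only show as seq gaps."""
    replies = parse_ping(text)
    seqs = [s for s, _ in replies]
    rtts = [r for _, r in replies]
    expected = seqs[-1] - seqs[0] + 1            # probes sent in the window shown
    missing = sorted(set(range(seqs[0], seqs[-1] + 1)) - set(seqs))
    deltas = [abs(b - a) for a, b in zip(rtts, rtts[1:])]
    return {
        "replies": len(replies),
        "expected": expected,
        "missing_seq": missing,
        "loss_pct": round(100.0 * len(missing) / expected, 1),
        "min_ms": min(rtts),
        "max_ms": max(rtts),
        "median_ms": round(statistics.median(rtts), 1),
        "jitter_ms": round(statistics.mean(deltas), 2) if deltas else 0.0,
    }


def compare(before, after):
    """Side-by-side view of two captures, e.g. without and with 'debug icmp trace'."""
    b, a = summarize(before), summarize(after)
    return {key: (b[key], a[key]) for key in b}
```

On the posted data the "no debug" window shows 14 of 20 probes unanswered (70% loss) with a median RTT around 92 ms, versus zero loss and 3.5 ms with the debug on. The natural next capture is the same ping to a host on the far side of the PIX: if that one is clean while pings to the PIX itself are not, the problem is confined to traffic the firewall has to process on its own CPU rather than forward.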

Tremblay
Oct 8, 2002
More dog whistles than a Petco

jwh posted:

I should point out that that is different than the way Juniper does RDP on their IVE boxes, in that IVE based RDP simply calls the machines native mstsc.exe and directs it towards a local socket that is proxied through the SSL tunnel.

Although that process isn't entirely perfect either.

That RDP plugin is for use with WebVPN, which is a portal thingie that can be customized. There is SSL VPN via AnyConnect which behaves like IPSEC RA. I haven't played with the Juniper solution, but I'm surprised they went that route. I know the client that we are distributing works pretty drat well under Windows, MacOS and Linux as it's all Java. *shrug

Tremblay
Oct 8, 2002
More dog whistles than a Petco

CrazyLittle posted:

oh god why???

I've got a pix515E where pings to/from it have really horrible latency, from 7ms up to 700ms.

...but when you enable icmp debugging, everything magically works. What gives? Any ideas?

The problem is only with to the box traffic? You don't see the same issue if you ping your router upstream from the PIX right?

Assuming that is the case, it's a scheduler thing. To the box traffic is handled at a lower priority than to the box traffic (IPSEC excluded).

jwh
Jun 12, 2002

falz posted:

I was about to chime in and say that the Juniper SSLVPN boxes also supported some type of Java client for remote desktop as well, but I just tested from a non-windows workstation and it just says "This terminal session is not supported on your computer." Seems like a huge oversight on what is otherwise a stellar device. There are obviously workarounds as well, but that just seems odd to me.

You can apparently use a Java based RDP client, but I've never tried it. I agree with it seeming like an oversight, too.

para
Nov 30, 2006
I have an 871 I use at home as my internet router. When I enabled the IOS firewall I stopped being able to VPN from a Windows VM to the ASA we have at work.

I put my current configuration here: http://privatepaste.com/f3SBOZ5Nyd

If I permit everything in the FIREWALL_ACL access list (line 139) then I am able to access the VPN fine.

More specifically, the Windows machine is 192.168.1.200 and I am VPN'ing into work using the Cisco VPN client. I can actually VPN in and authenticate, but once I do I am not able to reach anything on the remote network. Allowing everything to pass through the inbound firewall access list allows me to access the remote network fine.

How can I fix this? But more importantly, how would you troubleshoot it so I can learn from this?

I tried bypassing the firewall and the only extra NAT translation I see is something like:

code:
esp 173.b.c.139:0      192.168.1.200:0       12.d.e.137:0       12.d.e.137:32A1F543
Google says esp is "Encapsulating Security Payload", but I don't see anything like that on the context sensitive help for ip inspect or explicitly permitting it on the FIREWALL_ACL list.

edit: A little IOS info..

code:
Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(4)T7, RELEASE SOFTWARE (fc1)
System image file is "flash:c870-advipservicesk9-mz.124-4.T7.bin"

jwh
Jun 12, 2002

FIREWALL_ACL isn't permitting ESP or ISAKMP. ESP is the IPSec bearer protocol (well, one of them). ISAKMP handles the key exchange that's required to set up the IPSec tunnel. The fact that you can authenticate is weird.

Try rewriting the FIREWALL_ACL to something like:

code:
! Replace FIREWALL_ACL wholesale. While the list is deleted and not yet
! re-entered, an interface that still references it by name passes all
! traffic (IOS treats an applied-but-undefined ACL as permit any), so paste
! the whole block at once and do it from a session that does not depend on it.
no ip access-list extended FIREWALL_ACL
ip access-list extended FIREWALL_ACL
 permit udp any eq bootps any eq bootpc
 deny icmp any any echo
 permit icmp any any
 permit tcp any any eq 2221
 permit tcp any any eq www
 permit tcp any any eq 81
 permit tcp any any eq 8081
 permit tcp any any eq 8082
 permit udp any any eq 6112
 permit udp any any eq 6111
 permit tcp any any eq 51413
 permit tcp any any eq 3389
 ! IPsec: ESP (IP protocol 50) carries the tunnel, ISAKMP (UDP 500) sets it up
 permit esp any any
 permit udp any any eq isakmp
 deny icmp any any log
 deny ip any any
As for how you would troubleshoot this further, I tend to think the Cisco client VPN logs are really good, compared to what other vendors provide. You could also construct additional entries to FIREWALL_ACL with logging enabled, as a means of getting more information out of what the 871 is throwing away.
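
To turn "does this ACL let the VPN through?" into something you can answer before touching the router, here is an added example (not jwh's or para's code) that parses the ACL jwh posted and evaluates flows against it in order, with the implicit deny IOS appends to every list. The peer and local addresses are documentation-range placeholders, not the poster's real ones, and the parser only handles the ACE forms that ACL actually uses (`any`, `host`, address plus wildcard, `eq <port>`, ICMP type keywords, `log`). It also checks UDP 4500 (NAT-T), which the posted ACL does not permit; that is fine for para's setup, where the 871 translates ESP directly, but it is the first thing to add if the client ever negotiates NAT traversal instead.

```python
"""Evaluate an IOS extended ACL against the flows an IPsec client needs.

Added example, not from the thread. First-match semantics, implicit deny at
the end. Supports only the ACE forms used in the posted FIREWALL_ACL.
"""
import ipaddress

PORT_NAMES = {"www": 80, "isakmp": 500, "non500-isakmp": 4500,
              "bootps": 67, "bootpc": 68, "domain": 53, "ntp": 123}
ICMP_TYPES = {"echo": 8, "echo-reply": 0, "unreachable": 3, "time-exceeded": 11}

# The ACL as posted (constructed port numbers are the poster's, kept as-is).
FIREWALL_ACL = """\
permit udp any eq bootps any eq bootpc
deny icmp any any echo
permit icmp any any
permit tcp any any eq 2221
permit tcp any any eq www
permit tcp any any eq 81
permit tcp any any eq 8081
permit tcp any any eq 8082
permit udp any any eq 6112
permit udp any any eq 6111
permit tcp any any eq 51413
permit tcp any any eq 3389
permit esp any any
permit udp any any eq isakmp
deny icmp any any log
deny ip any any
"""


def _port(token):
    return int(token) if token.isdigit() else PORT_NAMES[token]


def _address(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))   # inverted netmask
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ wildcard)
    return ipaddress.ip_network(f"{tokens[i]}/{netmask}", strict=False), i + 2


def parse_ace(line):
    t = line.split()
    ace = {"text": line.strip(), "action": t[0], "proto": t[1],
           "sport": None, "dport": None, "icmp_type": None}
    ace["src"], i = _address(t, 2)
    if i < len(t) and t[i] == "eq":
        ace["sport"], i = _port(t[i + 1]), i + 2
    ace["dst"], i = _address(t, i)
    if i < len(t) and t[i] == "eq":
        ace["dport"], i = _port(t[i + 1]), i + 2
    for tok in t[i:]:                       # trailing qualifiers: icmp type, log
        if tok in ICMP_TYPES:
            ace["icmp_type"] = ICMP_TYPES[tok]
    return ace


def parse_acl(text):
    return [parse_ace(l) for l in text.splitlines() if l.strip()]


def _matches(ace, flow):
    if ace["proto"] != "ip" and ace["proto"] != flow["proto"]:
        return False
    if ipaddress.ip_address(flow["src"]) not in ace["src"]:
        return False
    if ipaddress.ip_address(flow["dst"]) not in ace["dst"]:
        return False
    for key in ("sport", "dport", "icmp_type"):
        if ace[key] is not None and ace[key] != flow.get(key):
            return False
    return True


def evaluate(acl, flow):
    """Return (action, matching ACE text); IOS denies anything nothing matched."""
    for ace in acl:
        if _matches(ace, flow):
            return ace["action"], ace["text"]
    return "deny", "implicit deny"


def check_ipsec_client(acl, peer, local):
    """Verdicts for inbound flows from the VPN headend that a client session
    relies on: ESP (bearer), ISAKMP on UDP 500, and NAT-T on UDP 4500."""
    flows = {
        "esp": {"proto": "esp", "src": peer, "dst": local},
        "isakmp": {"proto": "udp", "src": peer, "dst": local, "sport": 500, "dport": 500},
        "nat-t": {"proto": "udp", "src": peer, "dst": local, "sport": 4500, "dport": 4500},
    }
    return {name: evaluate(acl, flow) for name, flow in flows.items()}
```

`check_ipsec_client(parse_acl(FIREWALL_ACL), "203.0.113.5", "198.51.100.10")` returns permit for ESP and ISAKMP and deny (by the final `deny ip any any`) for NAT-T, which is the same picture para saw: IKE completes because UDP 500 is open, then nothing flows because the ESP bearer was blocked until `permit esp any any` went in.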

para
Nov 30, 2006
Awesome, thanks jwh! 'permit esp any any' fixed it right up.

Joss Laypeg
Oct 11, 2007
A psychotic is a guy who's just found out what's going on. - WSB

jwh posted:

FIREWALL_ACL isn't permitting ESP or ISAKMP. ESP is the IPSec bearer protocol (well, one of them). ISAKMP handles the key exchange that's required to set up the IPSec tunnel. The fact that you can authenticate is weird.

I know nothing about how the Cisco client does it, but generally speaking this is actually a fairly common situation with software VPN clients. Many of them use a proprietary method for the initial authentication and policy download, because doing it with pure IPSEC doesn't make for a great user experience. You can either do the initial auth & policy download over a plain SSL TCP connection (for example) in which case the user only has to provide username/password & gateway IP, or you can do pure IPSEC & Xauth in which case the user needs a pre-configured profile with all the VPN settings, PSK etc...

So you get situations like this where the user can login just fine, but they're never actually going to be able to send/receive any traffic once they have.

Studebaker Hawk
May 22, 2004

Tremblay posted:

Screen size is set inline with the RDP url. So to make the screen 800x600:

rdp://192.168.50.5/?geometry=800x600

Fullscreen:

rdp://192.168.50.5/?fullscreen=true (i think)

If you click on the help link from the clientless portal you can see all the options that are available.

The RDP client isn't written by Cisco. It's an open source project that we redistribute. http://properjavardp.sourceforge.net/

I saw the options...I just want something dynamically resizable! It sucks to have 3 different RDP links for different resolutions.

And yes, the IVE does use mstsc.exe...it is just a lot more elegant in its implementation, as you can have it fall back to the java version. I will see what I can come up with.

edit:
LAST ASA QUESTION!

Can you segregate traffic utilizing different lines in a 2x ASA HA scenario?
edit: multiple context mode?

Studebaker Hawk fucked around with this message at 15:24 on May 7, 2009

oversteer
Jun 6, 2005

My network experience with Cisco consists of managing 3548/2950 etc switches.

I need to be able to set up a VPN tunnel so that machines on our datacentre network can access machines on our office network. At the moment we do this via pptp running on our server, which gives the server an IP address on our office network.

But next steps involve having three or four servers and I can't do pptp for each one... so would prefer to do it in hardware and if I can achieve this functionality in the switch, even better.

Would something like a PIX be usable for this?

Herv
Mar 24, 2005

Soiled Meat

oversteer posted:

My network experience with Cisco consists of managing 3548/2950 etc switches.

I need to be able to set up a VPN tunnel so that machines on our datacentre network can access machines on our office network. At the moment we do this via pptp running on our server, which gives the server an IP address on our office network.

But next steps involve having three or four servers and I can't do pptp for each one... so would prefer to do it in hardware and if I can achieve this functionality in the switch, even better.

Would something like a PIX be usable for this?

Yep, the simple answer is a PIX, ASA or IOS Firewall enabled router. One VPN tunnel capable device must function as an endpoint at each site. (e.g. PIX to IOS FW, or ASA to Checkpoint)

At first glance it looks like the 3548XL won't do it. Pretty sure a 3750 would.

PIX is end of life'd, not sure what that means for your management. I have to get rid of mine at some point in the next year or so.

jwh
Jun 12, 2002

I would simply use low end ISRs, such as 871s or 1800s with protected GRE tunnels. That works well for very low cost, and is fairly easy to manage. You could even use DMVPN, so that in the future, you could add additional branch locations to the mix without any significant reengineering.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008019d6f7.shtml

Sojourner
Jun 6, 2007

Get In
I'm driving myself insane trying to configure DHCP snooping on my 2960

I enable DHCP snooping on VLAN 10 (testing vlan) and I set the trunk port as trusted, testing port as untrusted. I've got another PC on that vlan/switch listening with wireshark. The discover packet isn't making it to the dhcp server (it doesn't get a response) nor is it making it to my other PC. Is it because my DHCP server is behind a router?

H.R. Paperstacks
May 1, 2006

This is America
My president is black
and my Lambo is blue

Sojourner posted:

I'm driving myself insane trying to configure DHCP snooping on my 2960

I enable DHCP snooping on VLAN 10 (testing vlan) and I set the trunk port as trusted, testing port as untrusted. I've got another PC on that vlan/switch listening with wireshark. The discover packet isn't making it to the dhcp server (it doesn't get a response) nor is it making it to my other PC. Is it because my DHCP server is behind a router?

Routers do not by default forward what type of packets?

A DHCP discovery is what type of packet?

(Hint: you'll want to use iphelper command to help the packet along to your DHCP server.)

H.R. Paperstacks fucked around with this message at 21:31 on May 7, 2009

oversteer
Jun 6, 2005

jwh posted:

I would simply use low end ISRs, such as 871s or 1800s with protected GRE tunnels. That works well for very low cost, and is fairly easy to manage. You could even use DMVPN, so that in the future, you could add additional branch locations to the mix without any significant reengineering.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008019d6f7.shtml

Thanks for the tip. Is it possible to set up two diverse routes with such a vpn, so that we can utilise two internet connections in our main office and still retain the vpn if one of the connections goes down?

I was hoping to get something with a gig switch and vpn-capability in one box, but I'm assuming that it'll be cheaper to get something like the 1800 and a gigabit switch rather than do it all in one?

ragzilla
Sep 9, 2005
don't ask me, i only work here

routenull0 posted:

Routers do not by default forward what type of packets?

A DHCP discovery is what type of packet?

(Hint: you'll want to use iphelper command to help the packet along to your DHCP server.)

A 2960 is what kind of device?

(Hint: not a router, not even layer3 at that)

XakEp
Dec 20, 2002
Amor est vitae essentia

ragzilla posted:

A 2960 is what kind of device?

(Hint: not a router, not even layer3 at that)

Sojourner posted:

Is it because my DHCP server is behind a router?

He's just snooping on the 2960, and indicates his DHCP is behind a router.

H.R. Paperstacks
May 1, 2006

This is America
My president is black
and my Lambo is blue

ragzilla posted:

A 2960 is what kind of device?

(Hint: not a router, not even layer3 at that)

Reading is fundamental. https://www.rif.org/

TheBoohi
Jan 26, 2005

Suffer not the witch to live
Hi all. I have a site-to-site VPN configuration that is driving me crazy. We have an ASA 5520 at our main site and I am trying to set up an IPSEC VPN tunnel to an ASA 5505 at the remote site.

Let's say the outside interface at the main site is 10.10.1.2 and the inside interface is 10.10.12.2. The whole main site has addressing that is 10.10.x.x. The remote site, including the 5505, is addressed 10.10.20.x.

The tunnel gets built just fine. I can send traffic from the remote site to 10.10.7.1 for example, the tunnel gets built and traffic gets encrypted and sent through it. It gets decrypted at the main site end, but then goes nowhere. If I send traffic from anywhere on the main site, it gets to the inside interface, 10.10.12.2, and then does nothing.

It seems like a routing problem on the main site 5520, but I have tried every combination of routes I can think of. I need a route in the 5520 for 10.10.x.x to get back to the rest of the main site, but having it there prevents all the traffic destined for the remote site from getting there.

How can I get the 10.10.x.x stuff to go back into the main campus, while having the 20.x still go through the tunnel?

Thanks for any help!

TheBoohi
Jan 26, 2005

Suffer not the witch to live
Wow, for the second time, I sort of figure things out right after posting in here.

I was able to put in individual routes for just some subnets on the main campus, and that traffic works fine. I can do that for the subnets I need, but is there some way to do as I was thinking?
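
Nobody in the thread answered this one, so here is the reasoning as an added example (not TheBoohi's configuration): the symptom is longest-prefix match doing exactly what it is told. With only a 10.10.0.0/16 route pointing inside, a packet for 10.10.20.x is routed to the inside interface, and a crypto map on an ASA only acts on traffic leaving the interface it is bound to, so the packet is never encrypted. A single more specific 10.10.20.0/24 route out the outside interface wins the lookup for the remote site while the /16 keeps carrying the rest of the campus; per-subnet routes are not needed. The next-hop addresses below are assumed (the post only gives interface addresses).

```python
"""Longest-prefix match against the routes described in the post.

Added example, not from the thread. Next hops are assumed: 10.10.1.1 on the
outside, 10.10.12.1 on the inside. The remote site is 10.10.20.0/24, which
sits inside the campus summary 10.10.0.0/16; that overlap is the root of it.
"""
import ipaddress

OUTSIDE_NEXT_HOP = "10.10.1.1"    # assumed upstream router on the outside
INSIDE_NEXT_HOP = "10.10.12.1"    # assumed campus core on the inside
REMOTE_SITE = "10.10.20.0/24"

# What the post describes: a default route plus "the whole main site" inside.
BEFORE = [
    ("0.0.0.0/0", OUTSIDE_NEXT_HOP, "outside"),
    ("10.10.0.0/16", INSIDE_NEXT_HOP, "inside"),
]
# The fix: one more-specific route for the remote site via the crypto interface.
AFTER = BEFORE + [
    (REMOTE_SITE, OUTSIDE_NEXT_HOP, "outside"),
]


def lookup(routes, dst):
    """Return (prefix, next_hop, interface) of the longest matching route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return (str(best[0]), best[1], best[2]) if best else None


def will_encrypt(routes, dst, crypto_interface="outside", remote_net=REMOTE_SITE):
    """A packet is encrypted only if it matches the crypto ACL (interesting
    traffic) AND the route lookup sends it out the interface holding the map."""
    route = lookup(routes, dst)
    interesting = ipaddress.ip_address(dst) in ipaddress.ip_network(remote_net)
    return interesting and route is not None and route[2] == crypto_interface


def explain(routes, destinations):
    """Per-destination view: which route wins and whether the tunnel is used."""
    return {d: {"route": lookup(routes, d), "encrypted": will_encrypt(routes, d)}
            for d in destinations}
```

With `BEFORE`, `explain(BEFORE, ["10.10.20.5", "10.10.7.1"])` shows both destinations routed inside and nothing encrypted; with `AFTER`, 10.10.20.5 goes out the outside interface and is encrypted while 10.10.7.1 still goes inside. On the 5520 the equivalent static route is `route outside 10.10.20.0 255.255.255.0 10.10.1.1` (with the assumed next hop); the other way to get the same entry without typing it is reverse-route injection on the crypto map. Either way, the underlying issue is that the remote site's range was carved out of the campus summary.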

Sojourner
Jun 6, 2007

Get In

routenull0 posted:

Routers do not by default forward what type of packets?

A DHCP discovery is what type of packet?

(Hint: you'll want to use iphelper command to help the packet along to your DHCP server.)

When DHCP snooping is not enabled, it can get an address. The trusted port is the gig trunk.

I actually mistyped my earlier post, it's a 2950 that's giving me a problem. The funny thing is I do have it working on a 2960 in my test environment, but the same thing being applied to the 2950 just causes no dhcp packets to be forwarded past the switchport.

My config for the 2960 and 2950 both are:

All Switch ports untrusted, rate limited to 60 pps
Trunk port trusted (no limit set)
Option 82 enabled/disabled (tried both)

Any thoughts? (sitting beside 2950 currently, console cable in hand)

H.R. Paperstacks
May 1, 2006

This is America
My president is black
and my Lambo is blue

Sojourner posted:

When DHCP snooping is not enabled, it can get an address. The trusted port is the gig trunk.

I actually mistyped my earlier post , its a 2950 that's giving me a problem. The funny thing is I do have it working on a 2960 in my test environment, but the same thing being applied to the 2950 just cause no dhcp packets to be forwarded past the switchport.

My config for the 2960 and 2950 both are:

All Switch ports untrusted, rate limited to 60 pps
Trunk port trusted (no limit set)
Option 82 enabled/disabled (tried both)

Any thoughts? (sitting beside 2950 currently, console cable in hand)

Is the DHCP server just over the trunk (but in the same vlan on another switch) and not beyond a ROUTED interface? That makes a difference.

Sojourner
Jun 6, 2007

Get In
Beyond a routed interface, behind the trunk. But so is the 2960 and that works. It is a mystery.

*edit*

Maybe if I included what I'm trying to do someone could point out other solutions. A few months ago we were attacked by a virus that made each infected PC a rogue DHCP server and it was causing some network problems, obviously. We were looking to stop that at the edge switches, and DHCP snooping seems to be the way to do it. If anyone knows of a better way, I'm open to suggestions.

Sojourner fucked around with this message at 15:10 on May 8, 2009

H.R. Paperstacks
May 1, 2006

This is America
My president is black
and my Lambo is blue

Sojourner posted:

Beyond a routed interface, behind the trunk. But so is the 2960 and that works. It is a mystery.

iphelper has to be configured on that routed interface then. That would explain why it is working without DHCP snooping enabled.

Sojourner
Jun 6, 2007

Get In

routenull0 posted:

iphelper has to be configured on that routed interface then. That would explain why it is working without DHCP snooping enabled.

A helper address is set, still nothing :(.

*edit* Problem has been solved, id1ot error. Option 82 is implicitly enabled unless otherwise disabled, and it was causing forwarded packets to go off to neverland, and never return. Thank you cisco debug processes :D

Sojourner fucked around with this message at 17:02 on May 8, 2009
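
The whole exchange, from the rogue-DHCP-server motivation through the "iphelper" hint to the option 82 resolution, modelled end to end as an added example (not Sojourner's or routenull0's configuration): it builds minimal DHCP packets, applies the snooping rules on the switch (untrusted access ports, trusted trunk, option 82 insertion on or off), then applies the relay-agent rule that made the packets "go off to neverland": an IOS relay drops a packet that arrives carrying option 82 with `giaddr` 0.0.0.0 unless `ip dhcp relay information trust-all` (or the per-interface `ip dhcp relay information trusted`) tells it to accept that. MAC addresses and the port name are made up for the example.

```python
"""DHCP snooping on the switch and the relay-agent check on the router.

Added example, not from the thread. Packets are minimal BOOTP/DHCP frames
(no Ethernet/IP/UDP headers) with just the fields the two decisions need.
MAC addresses and the port ID are constructed.
"""
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
SERVER_MESSAGES = {OFFER, ACK, NAK}        # only a server should ever send these
HEADER = "!BBBBIHH4s4s4s4s16s64s128s"      # fixed 236-byte BOOTP header

PC_MAC = bytes.fromhex("0011223344aa")      # constructed client MAC
SWITCH_MAC = bytes.fromhex("001122335500")  # constructed switch MAC (remote ID)


def build_dhcp(op, msg_type, xid, chaddr, giaddr="0.0.0.0", options=None):
    """Serialise a DHCP packet: BOOTP header, magic cookie, TLV options, END."""
    hdr = struct.pack(HEADER, op, 1, 6, 0, xid, 0, 0x8000,
                      bytes(4), bytes(4), bytes(4), socket.inet_aton(giaddr),
                      chaddr.ljust(16, b"\0"), bytes(64), bytes(128))
    opts = {53: bytes([msg_type])}             # option 53 = DHCP message type
    opts.update(options or {})
    body = b"".join(bytes([tag, len(val)]) + val for tag, val in opts.items())
    return hdr + MAGIC + body + b"\xff"


def parse_dhcp(pkt):
    """Inverse of build_dhcp; returns the fields the snooping/relay logic needs."""
    fields = struct.unpack(HEADER, pkt[:236])
    assert pkt[236:240] == MAGIC, "not a DHCP packet"
    opts, i, buf = {}, 0, pkt[240:]
    while i < len(buf) and buf[i] != 255:
        if buf[i] == 0:                        # pad option, no length byte
            i += 1
            continue
        tag, length = buf[i], buf[i + 1]
        opts[tag] = buf[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": fields[0], "xid": fields[4], "giaddr": socket.inet_ntoa(fields[10]),
            "chaddr": fields[11][:6], "msg_type": opts[53][0], "options": opts}


def snoop(pkt, port_trusted, insert_option82, port_id=b"Fa0/3"):
    """Switch-side DHCP snooping. Returns (verdict, packet_to_forward or None)."""
    p = parse_dhcp(pkt)
    if port_trusted:
        return "forward (trusted port)", pkt
    if p["msg_type"] in SERVER_MESSAGES:
        # The rogue-server case from the thread: an OFFER/ACK/NAK from an
        # access port is dropped before it can reach anyone on the VLAN.
        return "drop: server message on untrusted port", None
    if 82 in p["options"]:
        return "drop: client-supplied option 82 on untrusted port", None
    if not insert_option82:                    # 'no ip dhcp snooping information option'
        return "forward", pkt
    # Relay Agent Information: sub-option 1 = circuit ID, 2 = remote ID.
    rai = bytes([1, len(port_id)]) + port_id + bytes([2, len(SWITCH_MAC)]) + SWITCH_MAC
    opts = dict(p["options"])
    opts.pop(53)                               # build_dhcp re-adds the type
    opts[82] = rai
    rebuilt = build_dhcp(p["op"], p["msg_type"], p["xid"], p["chaddr"], p["giaddr"], opts)
    return "forward (option 82 inserted)", rebuilt


def relay(pkt, trust_all=False):
    """Router-side relay agent (ip helper-address). Default IOS behaviour:
    option 82 with giaddr 0.0.0.0 came from something that is not a relay,
    so the packet is dropped unless relay-information trust is configured."""
    p = parse_dhcp(pkt)
    if 82 in p["options"] and p["giaddr"] == "0.0.0.0" and not trust_all:
        return "drop: option 82 with giaddr 0.0.0.0 (relay information untrusted)"
    return "relay to server"
```

Walking a DISCOVER from the PC through `snoop(..., port_trusted=False, insert_option82=True)` and then `relay(...)` reproduces the failure in the thread (forwarded by the switch, silently dropped by the router); either `insert_option82=False` on the switch or `trust_all=True` on the router makes it reach the server. A forged OFFER from the same port is dropped by the switch regardless, which is the protection Sojourner was after.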

Richard Noggin
Jun 6, 2005
Redneck By Default
Argh. Nobody at Cisco seems to be able to answer this simple question. I have a customer that wants an ASA 5505. They'd like to be able to have VPN access through a software client. They don't want to spend the extra money for the SSL VPN license, but Cisco's site states

quote:

The Cisco VPN Client is included with all models of Cisco ASA 5500 Series Security Appliances (excluding ASA 5505). Customers with Cisco SMARTnet® support contracts and encryption entitlement may download the Cisco VPN Client from the Cisco Software Center at no additional cost. For customers without Cisco SMARTnet support contracts, a media CD containing the client software is available for purchase. This CD does not provide access to the most current patch releases.

What I'm trying to figure out is does 'not included' mean it doesn't come in the box, but is available for download with a SMARTnet contract, or does it mean 'not supported on the 5505'?

Tremblay
Oct 8, 2002
More dog whistles than a Petco

Richard Noggin posted:

Argh. Nobody at Cisco seems to be able to answer this simple question. I have a customer that wants an ASA 5505. They'd like to be able to have VPN access through a software client. They don't want to spend the extra money for the SSL VPN license, but Cisco's site states


What I'm trying to figure out is does 'not included' mean it doesn't come in the box, but is available for download with a SMARTnet contract, or does it mean 'not supported on the 5505'?

My read is 55x0 + SmartNET = free IPSEC client
5505 + SmartNET = no

Your reseller or SE/AM should be able to clarify that/hook you up.

Edit: I don't see any mention on the ordering guides about the IPSEC client. There should be a presales phone line on cisco.com. Give that a ring and see what they say.

Tremblay fucked around with this message at 18:58 on May 14, 2009

jbusbysack
Sep 6, 2002
i heart syd
Remote access VPN is built into all ASA models. What they mean is that you're not entitled to download the client software.

Connect the dots.

Richard Noggin
Jun 6, 2005
Redneck By Default

jbusbysack posted:

Remote access VPN is built into all ASA models. What they mean is that you're not entitled to download the client software.

Connect the dots.

But,

quote:

Customers with Cisco SMARTnet® support contracts and encryption entitlement may download the Cisco VPN Client from the Cisco Software Center at no additional cost.

We have a SMARTnet contract and we have the encryption entitlement. I just got off the phone with Cisco for the third time, and they assured me that I would be able to download and use the VPN client software.
