Partycat
Oct 25, 2004

SwolenColon posted:

They will pull a renewed dhcp lease from the old server, as long as the pool is activated. If the pool is deactivated, the phones just sit there trying to configure an IP. There no static assignments in the dhcp pools, nor on the phones. The TFTP settings are also correct on both servers. We set up another test vlan, using the same settings, and a new phone pulled an address just fine, so the server seems to be ok. The settings on both servers have been mirrored and checked by three different people. The Windows machines swapped servers just as soon as the ip helper-address settings were put on the interface vlans, but these phones just refuse to relinquish the old dhcp server setting.

I hear you, but other than toggling the release setting or hard power down on the phones, I'm not sure what else to tell you.


SwolenColon
Apr 4, 2002

Damn, I miss Vegas!
Yeah, no one seems to know of a way to make them swap over without software resetting each one (400+ phones, no thanks). Oh well, thanks for the help anyway.

FatCow
Apr 22, 2002
I MAP THE FUCK OUT OF PEOPLE
e: Read that wrong.

Well to try and add some value, don't know about those models but 7960s had an SSH or telnet interface so you may be able to script a reset of them all.

FatCow fucked around with this message at 00:34 on Sep 30, 2013

adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer

SwolenColon posted:

Yeah, no one seems to know of a way to make them swap over without software resetting each one (400+ phones, no thanks). Oh well, thanks for the help anyway.
Are you using Call Manager? Do a search for that IP range, select all, reset.

abigserve
Sep 13, 2009

this is a better avatar than what I had before
You could also cycle the power on the switchports. I had to do a similar thing with 3000+ ip phones about two weeks ago.

SwolenColon
Apr 4, 2002

Thanks for the tips. We just blew away and re-input all of the scope settings two or three times, and it magically worked.

:saddowns:

Bob Morales
Aug 18, 2006


Just wear the fucking mask, Bob

I don't care how many people I probably infected with COVID-19 while refusing to wear a mask, my comfort is far more important than the health and safety of everyone around me!

We have two 24-port managed switches (Adtran, not Cisco) which are connected together via ethernet, and then our firewall hangs off the first switch.

code:
[ Switch1 - 128.1.1.2 ] ------ [ Firewall - 128.1.1.254 ]
       |
[ Switch2 - 128.1.1.3 ]
The switches are set up to do routing (mostly for VLANs), but does it matter that the default route on switch2 is 128.1.1.2 (the IP of switch 1) and not the IP of the firewall?

Would it not take the traffic, or would it all go over the VLAN anyway?

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
The router should be the gateway unless sw1 is a layer3 switch and that's how you want routing to happen.

Bob Morales
Aug 18, 2006


falz posted:

The router should be the gateway unless sw1 is a layer3 switch and that's how you want routing to happen.
It is a layer 3 switch. The problem is that the firewall vendor claims the express-cache on the switch is causing the failover to not work with the firewall.

There are 2 firewalls, .252 and .253, but they are seen as one IP - .250. So when one goes down, the 'update' never happens on the switch so all the traffic keeps going to the down firewall node.

Dalrain
Nov 13, 2008

Experience joy,
Experience waffle,
Today.
Sounds like an ARP caching issue: the switch still associates the MAC of the original firewall with the "shared" IP, and until the firewall stepping in sends traffic to the switch, the table doesn't get updated.

Is it possible to have the standby firewall send some kind of traffic to the LAN side immediately when it takes over?

Bob Morales
Aug 18, 2006


Dalrain posted:

Sounds like an ARP caching issue: the switch still associates the MAC of the original firewall with the "shared" IP, and until the firewall stepping in sends traffic to the switch, the table doesn't get updated.

Is it possible to have the standby firewall send some kind of traffic to the LAN side immediately when it takes over?

Exactly.

The problem is we can't replicate it (it randomly happens every 3 weeks or so). I want to try flushing the cache when it happens. On the model of switch we have you can't turn express cache off, but on others you can.

What we do to 'fix' it is power down the primary firewall gateway, and it still doesn't start working until it comes back up. I figured if the link went down it would clear any cached addresses on that port.

SamDabbers
May 26, 2003



What FHRP are you running on the firewalls? RFC-compliant VRRP should use a consistent MAC for the gateway IP to avoid this ARP caching issue entirely.
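A small model of the failure Dalrain and SamDabbers are describing, added here as an illustration and not code from anyone in the thread. It simulates a switch's ARP table in front of the two Check Point nodes sharing .250: with per-node MACs the stale entry lives until it ages out unless the standby announces itself, while a VRRP-style virtual MAC never changes the binding at all. The MAC addresses and the four-hour ageing time are constructed assumptions.

```python
class ArpCache:
    """Tiny model of an ARP table: ip -> (mac, learned_at); entries age out."""

    def __init__(self, age_seconds: int):
        self.age = age_seconds
        self.entries = {}

    def learn(self, ip: str, mac: str, now: int) -> None:
        self.entries[ip] = (mac, now)

    def lookup(self, ip: str, now: int):
        entry = self.entries.get(ip)
        if entry is None or now - entry[1] >= self.age:
            return None  # miss or aged out: the switch re-ARPs and the live node answers
        return entry[0]


def seconds_blackholed(virtual_mac: bool, gratuitous_arp: bool, age: int = 14400) -> int:
    """Seconds after failover during which frames for the gateway IP still go
    to the dead primary. age = ARP entry lifetime (constructed: 4 hours)."""
    gateway = "128.1.1.250"                      # the shared IP from the thread
    primary = "00:11:22:aa:aa:01"                # constructed per-node MACs
    standby = "00:11:22:aa:aa:02"
    vrrp = "00:00:5e:00:01:01"                   # RFC-style VRRP virtual MAC, VRID 1

    cache = ArpCache(age)
    # Before the failure the switch learned the gateway from the primary.
    cache.learn(gateway, vrrp if virtual_mac else primary, now=0)

    # Primary dies at t=0; the standby takes over the IP.
    live = vrrp if virtual_mac else standby
    if gratuitous_arp and not virtual_mac:
        # Standby announces "128.1.1.250 is at <standby MAC>" on takeover.
        cache.learn(gateway, standby, now=0)
    # With a virtual MAC the IP->MAC binding never changes; the standby's own
    # frames simply move that MAC to its switch port in the MAC address table.

    for now in range(0, age + 10, 10):            # poll every 10 s until aged out
        mac = cache.lookup(gateway, now) or live  # None means re-ARP: the live node wins
        if mac == live:
            return now
    return age


if __name__ == "__main__":
    for vmac, garp in ((False, False), (False, True), (True, False)):
        print(f"virtual_mac={vmac} gratuitous_arp={garp}: "
              f"{seconds_blackholed(vmac, garp)} s of traffic sent to the dead node")
```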

Bob Morales
Aug 18, 2006


SamDabbers posted:

What FHRP are you running on the firewalls? RFC-compliant VRRP should use a consistent MAC for the gateway IP to avoid this ARP caching issue entirely.

Check Point R75.20 on a pair of couple-generation-old DL360's

madsushi
Apr 19, 2009

Baller.
#essereFerrari
Looking to set up a config mgmt/archiving solution for some Cisco gear (Nexus 5K and 7K, 4500-X, random IOS switches, maybe some ASAs while I'm at it). Any reason NOT to go with RANCID? I haven't used it before, but from what I understand, it's what everyone uses (and free).

ragzilla
Sep 9, 2005
don't ask me, i only work here


madsushi posted:

Looking to set up a config mgmt/archiving solution for some Cisco gear (Nexus 5K and 7K, 4500-X, random IOS switches, maybe some ASAs while I'm at it). Any reason NOT to go with RANCID? I haven't used it before, but from what I understand, it's what everyone uses (and free).

Use RANCID. Or maybe the rancid-git fork if you want to use git for config storage, or want colorized diffs.

ToG
Feb 17, 2007
Rory Gallagher Wannabe
This might be better asked in the Certification thread but has anyone taken the new ICND2 exam yet?

I have the CCENT from the ICND1 1.1 exam but I'm wondering if ICND2 2.0 will rely on information I 'should have learned' from ICND1 2.0. Missed my last ICND2 attempt at the older exam by around 100 marks but I'm hoping to get the Cisco Press ICND2 2.0 book and sit the exam in three weeks.

veedubfreak
Apr 2, 2005

by Smythe
This isn't really a short question because it requires a little bit of background, but I'm guessing it's something simple I'm overlooking and it's getting on my last god damned nerve.

With UCM 9.0 you can add a calling queue to hunt groups. Ok so I have a hunt group that does what it is supposed to do. But, when you call it, you just get the lovely Cisco hold music and that was apparently confusing the people calling it. So I was asked to add a message telling people they are going into queue. So I created a call handler. This call handler plays a message and is then supposed to transfer to the hunt group. Here's where the issue happens. I have a transfer rule in place but I can't get the fucker to work. It always dumps them back into the "after message action" and I can't seem to get it to do the transfer. Anyone know what I'm possibly missing?

TL;DR version: How do I make this call handler actually transfer to the hunt group?

Ah, I was finally able to figure out what was missing. Apparently you have to forward the drat call handler back to itself to make the transfer rules do their job.

veedubfreak fucked around with this message at 17:05 on Oct 1, 2013

Zuhzuhzombie!!
Apr 17, 2008
FACTS ARE A CONSPIRACY BY THE CAPITALIST OPRESSOR
Could someone inform me on how to disable %PARSER-5-CFGLOG_LOGGEDCMD messages whenever I make device changes?

H.R. Paperstacks
May 1, 2006

This is America
My president is black
and my Lambo is blue

Zuhzuhzombie!! posted:

Could someone inform me on how to disable %PARSER-5-CFGLOG_LOGGEDCMD messages whenever I make device changes?

You have this (or similar) in your config:

code:
archive
 log config
  logging enable
  notify syslog contenttype plaintext
  hidekeys
!
You can change the options underneath "archive".

EDIT: This can be a good thing for tracking changes or isolating who took down a device. It is part of our standard deployment. Storage space is cheap, syslog is just text and compresses very well if you are worried.

H.R. Paperstacks fucked around with this message at 15:42 on Oct 2, 2013

geera
May 20, 2003
I have an ASA that I've been reading SNMP data from to monitor and graph the traffic on our outside interface. The other day, I put the PC that collects the SNMP data on a new VLAN and added an access rule to the ASA's SNMP settings to allow reads from the PC's new IP.

For some reason that I can't figure out, all of the SNMP reads are timing out since making these changes. It worked fine before, I changed the IP and added a new ASA access rule to match, and now they all time out. I can ping the ASA from the PC with no problems. Does anyone have any ideas?

Edit: there are no ACLs on the new VLAN or anything like that either. It's just a boring old no-frills VLAN.

H.R. Paperstacks
May 1, 2006

geera posted:

I have an ASA that I've been reading SNMP data from to monitor and graph the traffic on our outside interface. The other day, I put the PC that collects the SNMP data on a new VLAN and added an access rule to the ASA's SNMP settings to allow reads from the PC's new IP.

For some reason that I can't figure out, all of the SNMP reads are timing out since making these changes. It worked fine before, I changed the IP and added a new ASA access rule to match, and now they all time out. I can ping the ASA from the PC with no problems. Does anyone have any ideas?

Edit: there are no ACLs on the new VLAN or anything like that either. It's just a boring old no-frills VLAN.

Does the ASA have an interface in this new VLAN? If not, does it know how to get back to the new VLAN via a route elsewhere?

captaingimpy
Aug 3, 2004

I luv me some pirate booty, and I'm not talkin' about the gold!
Fun Shoe
Are there any considerations, or horrible things that could happen, with enabling BGP dampening. One of my ISP's PE devices likes to flap and it's causing all kinds of fun (unfortunately, it's our preferred path out).

tortilla_chip
Jun 13, 2007

k-partite
http://www.ripe.net/ripe/docs/ripe-580

I'd recommend voting with your money.

geera
May 20, 2003

routenull0 posted:

Does the ASA have an interface in this new VLAN? If not, does it know how to get back to the new VLAN via a route elsewhere?
No interface, but there is a static route added for the new VLAN in the ASA. Feels like I've been wrestling with this forever and I'm sure it'll be something simple I've overlooked.

H.R. Paperstacks
May 1, 2006

geera posted:

No interface, but there is a static route added for the new VLAN in the ASA. Feels like I've been wrestling with this forever and I'm sure it'll be something simple I've overlooked.

How does this new vlan talk to the ASA that has an interface? You need a routed hop to get out of the vlan.

Contingency
Jun 2, 2007

MURDERER

geera posted:

No interface, but there is a static route added for the new VLAN in the ASA. Feels like I've been wrestling with this forever and I'm sure it'll be something simple I've overlooked.
Depending on how VLAN routing is sorted out, you may have to add 'same-security-traffic permit inter-interface' or 'same-security-traffic permit intra-interface.'

geera
May 20, 2003

routenull0 posted:

How does this new vlan talk to the ASA that has an interface? You need a routed hop to get out of the vlan.
There is a static route back to a 3560 (192.168.140.140) with an interface for that VLAN:

ASA posted:

route INSIDE 192.168.161.0 255.255.255.0 192.168.140.140 1

On the 3560:

3560 posted:

interface Vlan161
ip address 192.168.161.2 255.255.255.0
ip helper-address 192.168.200.201
standby 200 ip 192.168.161.1
end

C 192.168.161.0/24 is directly connected, Vlan161

I can ping the ASA from the PC on the new VLAN 161 that is trying to collect the SNMP data, that would indicate routing is working properly right?

Jelmylicious
Dec 6, 2007
Buy Dr. Quack's miracle juice! Now with patented H-twenty!

geera posted:

There is a static route back to a 3560 (192.168.140.140) with an interface for that VLAN:


On the 3560:


I can ping the ASA from the PC on the new VLAN 161 that is trying to collect the SNMP data, that would indicate routing is working properly right?

Just a few more things to look at:
Is an SNMP-server configured on the ASA? What does "Show run snmp-server" tell you? If you had the old IP configured with the snmp-server host command, that basically acts like an access-list.

Does the SNMP server have the correct MIBs? Have you tried connecting with an SNMP tool manually?

Also, are there no access lists on the transit VLAN of your 3560?

geera
May 20, 2003

Jelmylicious posted:

Just a few more things to look at:
Is an SNMP-server configured on the ASA? What does "Show run snmp-server" tell you? If you had the old IP configured with the snmp-server host command, that basically acts like an access-list.

Does the SNMP server have the correct MIBs? Have you tried connecting with an SNMP tool manually?

Also, are there no access lists on the transit VLAN of your 3560?
Yup, SNMP was working fine before I moved the PC to the new VLAN. I'm only using one OID to read the interface usage, not using any MIBs. When I try to connect using snmpwalk on the command line, I just get a timeout error (140.2 is the ASA):

snmpwalk posted:

10:46:00 [~]$: snmpwalk -v2c -c public 192.168.140.2 1.3.6.1.2.1.2.2.1.5.3
Timeout: No Response from 192.168.140.2

There aren't any ACLs applied anywhere on the 3560. Here's the snmp-server show output (the PC is 161.12):

ASA posted:

snmp-server group Authentication&Encryption v3 priv
snmp-server group No_Authentication_No_Encryption v3 noauth
snmp-server host INSIDE 192.168.161.12 poll community ***** version 2c
snmp-server contact IT Department
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
I'm not using SNMP v3 anywhere, but I'm using the ASDM to configure SNMP so I'm guessing it put that v3 stuff in there for some reason.
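Added example, not code from geera or anyone else in the thread: the SNMPv2c GetRequest that snmpwalk sends to the ASA, built by hand so the on-the-wire pieces are visible (version, community string, and the ifSpeed.3 OID from geera's command). An agent that rejects the community or the source host in v2c simply drops the packet, which is why the symptom is a timeout rather than an error and why the debug dotster mentions is the useful next step. The probe in `__main__` assumes the addresses from the thread and is the only part that touches the network.

```python
import socket


def tlv(tag: int, body: bytes) -> bytes:
    """BER type-length-value with short-form length (every field here is < 128 bytes)."""
    assert len(body) < 128, "short-form BER length only"
    return bytes([tag, len(body)]) + body


def ber_int(value: int) -> bytes:
    """INTEGER, minimal two's-complement encoding (used for version, request-id, errors)."""
    return tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))


def ber_oid(oid: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128 encoded."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]           # low 7 bits last, no continuation bit
        arc >>= 7
        while arc:                     # higher 7-bit groups carry the 0x80 continuation bit
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))


def snmp_get(community: str, oid: str, request_id: int = 0x1234) -> bytes:
    """SNMPv2c GetRequest for one OID (what 'snmpwalk -v2c' sends, minus the walk)."""
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x05, b""))            # { oid, NULL }
    pdu = tlv(0xA0,                                               # GetRequest-PDU
              ber_int(request_id) + ber_int(0) + ber_int(0)       # request-id, error-status, error-index
              + tlv(0x30, varbind))                                # VarBindList
    return tlv(0x30, ber_int(1)                                   # version 1 == SNMPv2c
               + tlv(0x04, community.encode()) + pdu)              # community string is sent in clear


def probe(host: str, community: str, oid: str, timeout: float = 2.0, port: int = 161):
    """Send one GetRequest over UDP/161; return the raw reply, or None on timeout."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(snmp_get(community, oid), (host, port))
        data, _ = sock.recvfrom(4096)
        return data
    except socket.timeout:
        return None   # no error PDU comes back: a wrong community or unlisted host looks exactly like this
    finally:
        sock.close()


if __name__ == "__main__":
    # Addresses and OID as posted in the thread; community is a placeholder.
    reply = probe("192.168.140.2", "public", "1.3.6.1.2.1.2.2.1.5.3")
    print("timeout" if reply is None else f"{len(reply)} bytes back: {reply.hex()}")
```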

H.R. Paperstacks
May 1, 2006

geera posted:

code:
snmp-server host INSIDE 192.168.161.12 poll community ***** version 2c

That is what needs to be changed to the new PC IP.

geera
May 20, 2003
That is the new IP address of the PC. I wish it were something that simple :eng99:

We have a network engineer scheduled to come next week to do some Cisco voip stuff for us, so I might run this by him also to see if he can spot the problem.

Count Thrashula
Jun 1, 2003

Death is nothing compared to vindication.
Buglord
What should I use in my test lab as an SNMP/traps collector? I don't have a corporate Cisco account so I can't evaluate ACS.

H.R. Paperstacks
May 1, 2006

QPZIL posted:

What should I use in my test lab as an SNMP/traps collector? I don't have a corporate Cisco account so I can't evaluate ACS.

Receive traps from a device? snmptrapd if you are running a linux system.

dotster
Aug 28, 2013

geera posted:

That is the new IP address of the PC. I wish it were something that simple :eng99:

We have a network engineer scheduled to come next week to do some Cisco voip stuff for us, so I might run this by him also to see if he can spot the problem.

If you can ping from the PC/SNMP device to the inside interface on your ASA and it is working then the network is not the issue. You could ping from the ASA to the PC to double check (make sure the PC firewall permits ICMP) if you like. You can debug SNMP on the ASA to see if you are seeing the connection from the PC and then see if you are getting any error messages.

As always be careful turning on debug on a production device, use an ACL if you are going to look at anything that may trigger on a large amount of traffic.

single-mode fiber
Dec 30, 2012

veedubfreak posted:

This isn't really a short question because it requires a little bit of background, but I'm guessing it's something simple I'm overlooking and it's getting on my last god damned nerve.

With UCM 9.0 you can add a calling queue to hunt groups. Ok so I have a hunt group that does what it is supposed to do. But, when you call it, you just get the lovely Cisco hold music and that was apparently confusing the people calling it. So I was asked to add a message telling people they are going into queue. So I created a call handler. This call handler plays a message and is then supposed to transfer to the hunt group. Here's where the issue happens. I have a transfer rule in place but I can't get the fucker to work. It always dumps them back into the "after message action" and I can't seem to get it to do the transfer. Anyone know what I'm possibly missing?

TL;DR version: How do I make this call handler actually transfer to the hunt group?

Ah, I was finally able to figure out what was missing. Apparently you have to forward the drat call handler back to itself to make the transfer rules do their job.

I'm pretty sure the whole point of including this feature is to just make you wish you bought UCCX, too.

Zuhzuhzombie!!
Apr 17, 2008
DHCP question.

Was trying to expand my DHCP pool from a /24 to a /23. However, merely accessing the DHCP pool (ip dhcp pool poolname) and then changing the network to a /23 (network 192.168.1.0 255.255.254.0) did not change the DHCP pool, but created two new entries while keeping the original as a /24. One was with the /23 network in it alone, while the other had the default gateway and options but no network statement.

I deleted all three pools and recreated one single one with a /23. It appeared at the end of the DHCP pool listing in the running config. My linux box connected directly to the network pulled a /23 IP just fine. My Windows box daisy chained through my IP phone did not, and my IP phone freaked out for a bit. I reverted my changes since we still had some people working in the office over the weekend. They did not complain of service loss.

When I changed back to the /24 I could browse fine, but I could not perform an ipconfig /renew. DHCP would time out. If I performed an ipconfig /release and then a /renew, I was able to pull an IP fine and did not get time out errors any more with just ipconfig /renew. Recreated this on several PCs in the office.

Just curious if anyone could provide some DHCP info. These were 3750 switches running a fairly up-to-date IOS.

c3750-ipservicesk9-mz.122-58.SE1.bin

CrazyLittle
Sep 11, 2001

Clapping Larry

Zuhzuhzombie!! posted:

changing the network to a /23 (network 192.168.1.0 255.255.254.0)
Just FYI 192.168.1.0/23 is not a valid network subnet address.
192.168.0.0/23 is, and 192.168.1.0 is an IP address within that subnet.

/24 networks:
192.168.0.0 /24 (192.168.0.0 - 192.168.0.255)
192.168.1.0 /24 (192.168.1.0 - 192.168.1.255)
192.168.2.0 /24 (192.168.2.0 - 192.168.2.255)

/23 networks:
192.168.0.0 /23 (192.168.0.0 - 192.168.1.255)
192.168.2.0 /23 (192.168.2.0 - 192.168.3.255)
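A checker for the point CrazyLittle is making, added here as an example rather than taken from the thread: it parses an IOS-style `network <ip> <mask>` statement, masks off the host bits, and reports whether the address given is actually the network address of that block. It goes a little beyond the post by also rejecting non-contiguous masks and covering the 192.168.4.0 - 192.168.5.255 range mentioned further down. Only the standard library is used.

```python
import ipaddress


def mask_to_prefix(mask: str) -> int:
    """Dotted-decimal mask (255.255.254.0) -> prefix length (23).
    Rejects masks whose ones are not contiguous, which IOS would also refuse."""
    bits = int(ipaddress.IPv4Address(mask))
    prefix = bin(bits).count("1")
    if ((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF) != bits:
        raise ValueError(f"non-contiguous mask {mask}")
    return prefix


def network_address(ip: str, prefix: int) -> str:
    """Zero the host bits: the network address is the only address in the
    block whose low (32 - prefix) bits are all zero."""
    addr = int(ipaddress.IPv4Address(ip))
    host_bits = 32 - prefix
    return str(ipaddress.IPv4Address((addr >> host_bits) << host_bits))


def block_range(ip: str, prefix: int) -> tuple:
    """First and last address of the block that ip/prefix falls into."""
    first = int(ipaddress.IPv4Address(network_address(ip, prefix)))
    last = first + (1 << (32 - prefix)) - 1
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(last))


def check_pool_network(ip: str, mask: str) -> tuple:
    """Validate the 'network <ip> <mask>' line of an 'ip dhcp pool'.
    Returns (ok, explanation)."""
    prefix = mask_to_prefix(mask)
    net = network_address(ip, prefix)
    first, last = block_range(ip, prefix)
    if net != ip:
        return False, (f"{ip}/{prefix} is not a network address; {ip} is a host "
                       f"inside {net}/{prefix} ({first} - {last})")
    return True, f"{ip}/{prefix} covers {first} - {last}"


if __name__ == "__main__":
    # The statement from the thread, then the range the poster actually wanted.
    for ip, mask in (("192.168.1.0", "255.255.254.0"), ("192.168.4.0", "255.255.254.0")):
        ok, why = check_pool_network(ip, mask)
        print(("OK   " if ok else "BAD  ") + why)
```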

Zuhzuhzombie!!
Apr 17, 2008
I was wanting to use 192.168.4.0 - 192.168.5.255 for the range.

Would it have needed to be along classful boundaries anyway?

BurgerQuest
Mar 17, 2009

by Jeffrey of YOSPOS
It is 'classless'.


Partycat
Oct 25, 2004

veedubfreak posted:

With UCM 9.0 you can add a calling queue to hunt groups.

There are a number of bugs that have been opened on this feature already with prompt issues and such. I'm eyeballing it because it is nicer than some of the other options available, and cheaper than UCCX, but wary.
