ate shit on live tv
Feb 15, 2004

by Azathoth

Sepist posted:

Try making a second IKE policy using all non-defaults and see if you get the same thing, that is weird. I have seen quite a few times where the only way to fix a phase 1 failure was actually reloading the ASA.

I did that too :/

I really hope it isn't resolved by reloading the ASA, because wtf is that? This isn't critical production infrastructure (yet) so rebooting isn't a big deal, but still, rebooting devices is something that I'd expect to do like 10+ years ago, not now.


Mulloy
Jan 3, 2005

I am your best friend's wife's sword student's current roommate.
Wondering if anyone has seen anything like this before: We have a SIP connection with a carrier over an IPSec tunnel. I am not sure what their exact models are, but on our end we have the IPSec tunnel hitting a Palo Alto. Extremely infrequently they will send 6 SIP Invites, of which we only see the 6th and respond with a TRYING before they cancel.

It's not necessarily Cisco specific, but I figured if anyone had seen anything like this it might be here.

Protokoll
Mar 28, 2003

Here we go Lina.
Here we go Lina.
COME ON, LINA!
What is the default IOS-XR behavior in the following scenario?

HQ <--> LER1 <--> LER2 <--> Branch

I have two label edge routers that are directly connected. The customer's HQ is connected to one LER and their branch office is connected to another LER. There is no LSR between the two LERs. If a customer sends data from their HQ to their Branch, how will penultimate hop popping affect the label structure?

My expectation would be that two labels are applied at the PE ingress interface (peered with the HQ) and the outside label is popped off as it leaves the egress interface to the other LER. I have run this by everyone I know and no one has been able to say confidently how this will work. Can anyone confirm or deny my suspicions?

Edit: My technical explanation to support my idea.

The packet enters the ingress subinterface at the PE untagged and, per default MPLS behavior, it should be tagged twice and forwarded into the MPLS network. The outer label determines the path the packet travels from the first LER to the second LER and the inner label identifies the egress VRF. Since LER1 and LER2 are iBGP peers (using loopback interfaces; important, or PHP will break the LSP), the LER1 router should reference its LFIB and pop the outer label and forward the traffic to LER2. LER2 will then reference its LFIB, pop the final label and forward the traffic according to its routing table.

What is wrong about this understanding?

Protokoll fucked around with this message at 02:08 on Dec 6, 2013

falz
Jan 29, 2005

01100110 01100001 01101100 01111010

Powercrazy posted:

I really hope it isn't resolved by reloading the ASA, because wtf is that?
This has been a solution to many ASA (and pix) related IPSec issues I've had in the past. In at least a few of those cases that was after re-IPing the outside interface which apparently confused it.

Contingency
Jun 2, 2007

MURDERER

Powercrazy posted:

Nope still nothing.

When I debug on the router I get this:
pre:
*Dec  5 21:11:33.259: ISAKMP:(0): beginning Aggressive Mode exchange
*Dec  5 21:11:33.259: ISAKMP:(0): sending packet to xxy.xy.xxy.4 my_port 500 peer_port 500 (I) AG_INIT_EXCH
*Dec  5 21:11:33.259: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Dec  5 21:11:33.263: ISAKMP (0): received packet from xxy.xy.xxy.4 dport 500 sport 500 Global (I) AG_INIT_EXCH
*Dec  5 21:11:33.263: ISAKMP:(0):Notify has no hash. Rejected.
*Dec  5 21:11:33.263: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_AM1
*Dec  5 21:11:33.263: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Dec  5 21:11:33.263: ISAKMP:(0):Old State = IKE_I_AM1  New State = IKE_I_AM1
The other end is an ASA, what hash is it talking about? I assume the ASA is sending an error message in plaintext and this router is expecting an encrypted payload. Of course on the ASA I get the helpful debug output of:


Claiming it's failing phase 1.

I haven't set up a dynamic crypto map entry before. How should the ASA's tunnel group (which contains the PSK used to derive the hash) look?

falz posted:

This has been a solution to many ASA (and pix) related IPSec issues I've had in the past. In at least a few of those cases that was after re-IPing the outside interface which apparently confused it.

There was a bug that resulted in a stuck SPI, and your only recourse was to reboot. This was fixed in later revisions of 8.2 and 8.3 though, so it shouldn't be a problem these days.
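The ISAKMP debug quoted above can be read mechanically. The following is an added example (not code from the thread or from Cisco) that parses lines of that shape, extracts the exchange mode, peer and state transitions, and reports the two things the output actually says: the state machine never left IKE_I_AM1, and the peer's notify was discarded because it carried no hash. The sample lines are constructed from the quoted output with a documentation peer address, and IKE_P1_COMPLETE is the IOS state reached when phase 1 succeeds.

```python
import re

# Constructed sample, modelled on the "debug crypto isakmp" lines quoted above
# (the peer address is a documentation address, not the poster's).
SAMPLE_DEBUG = """\
*Dec  5 21:11:33.259: ISAKMP:(0): beginning Aggressive Mode exchange
*Dec  5 21:11:33.259: ISAKMP:(0): sending packet to 192.0.2.4 my_port 500 peer_port 500 (I) AG_INIT_EXCH
*Dec  5 21:11:33.259: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Dec  5 21:11:33.263: ISAKMP (0): received packet from 192.0.2.4 dport 500 sport 500 Global (I) AG_INIT_EXCH
*Dec  5 21:11:33.263: ISAKMP:(0):Notify has no hash. Rejected.
*Dec  5 21:11:33.263: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_AM1
*Dec  5 21:11:33.263: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Dec  5 21:11:33.263: ISAKMP:(0):Old State = IKE_I_AM1  New State = IKE_I_AM1
"""

# One debug line: "*<timestamp>: ISAKMP:(<sa>):<message>" or "*<timestamp>: ISAKMP (<sa>): <message>"
LINE_RE = re.compile(r"^\*(?P<ts>\w{3}\s+\d+ [\d:.]+): ISAKMP:?\s?\((?P<sa>\d+)\):\s*(?P<msg>.*)$")
STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
PEER_RE = re.compile(r"sending packet to (\S+)")
PHASE1_DONE = "IKE_P1_COMPLETE"  # IOS state name once phase 1 has succeeded


def parse_lines(text):
    """Return (timestamp, sa_id, message) for every line that looks like ISAKMP debug output."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append((m["ts"], int(m["sa"]), m["msg"]))
    return events


def diagnose(text):
    """Summarise a phase 1 attempt: mode, peer, rejected notifies, and whether the
    state machine ever moved. Findings are phrased for the operator reading the debug."""
    result = {"mode": None, "peer": None, "rejected_notifies": 0, "transitions": [],
              "stuck_state": None, "phase1_complete": False, "findings": []}
    for _, _, msg in parse_lines(text):
        if "beginning Aggressive Mode" in msg:
            result["mode"] = "aggressive"
        elif "beginning Main Mode" in msg:
            result["mode"] = "main"
        peer = PEER_RE.search(msg)
        if peer:
            result["peer"] = peer.group(1)
        if "Notify has no hash" in msg:
            # An informational notify arrived without a HASH payload. Before phase 1
            # finishes there is no key to authenticate it with, so IOS discards it:
            # the peer's reason for rejecting the exchange is only visible on the peer.
            result["rejected_notifies"] += 1
        st = STATE_RE.search(msg)
        if st:
            result["transitions"].append((st.group(1), st.group(2)))
    tr = result["transitions"]
    result["phase1_complete"] = any(new == PHASE1_DONE for _, new in tr)
    if tr and not result["phase1_complete"] and all(old == new for old, new in tr):
        result["stuck_state"] = tr[-1][1]
        result["findings"].append(
            f"phase 1 never progressed past {tr[-1][1]} ({result['mode']} mode): the responder "
            "did not continue the exchange; compare IKE policy, exchange mode and PSK on both sides")
    if result["rejected_notifies"]:
        result["findings"].append(
            f"{result['rejected_notifies']} unauthenticated notify(s) from {result['peer']} were "
            "discarded; read the error on the peer's side, not here")
    return result


if __name__ == "__main__":
    for line in diagnose(SAMPLE_DEBUG)["findings"]:
        print(line)
```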

DeNofa
Aug 25, 2009

WILL AMOUNT TO NOTHING IN LIFE.

Powercrazy posted:

*Dec 5 21:11:33.263: ISAKMP:(0):Old State = IKE_I_AM1 New State = IKE_I_AM1


Claiming it's failing phase 1.

The IOS side is trying to do aggressive mode but the ASA doesn't have any AM configuration. Is there any reason you would want to do aggressive mode (just say no)? Otherwise just remove that config and do main mode, which is more of a standard for site to site tunnels.


On my phone so quoting is a pain, but remove that ISAKMP peer configuration altogether OR add in aggressive mode config on the ASA. Don't do the second option. MM for life.

DeNofa fucked around with this message at 14:32 on Dec 6, 2013

Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k
There is no config for AM mode on an ASA IIRC, only config to disable it

tortilla_chip
Jun 13, 2007

k-partite

Protokoll posted:

What is the default IOS-XR behavior in the following scenario?

HQ <--> LER1 <--> LER2 <--> Branch

LER2 will advertise an outer label of 3 (implicit-null) for transport to it and then the inner label will be an arbitrary value corresponding to the service.

LER1 will push the arbitrary inner label only, switch the packet to LER2, and then LER2 will pop the label.

LER1#sh mpls forwarding prefix LER2_LOOP/32

Should show an outgoing label of Pop.

tortilla_chip fucked around with this message at 15:34 on Dec 6, 2013
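A small model of what tortilla_chip describes, written as an added example (not code from the thread or from IOS-XR): LER2 advertises implicit-null (label 3, "Pop") for its loopback, so the directly connected LER1 pushes only the VPN label and LER2 receives a one-label packet. The model also carries the general case, with an LSR between the LERs, where the LSR becomes the penultimate hop and pops the transport label. Router names, the VPN label 24, the transport label 100 and the prefixes are constructed; the VRF lookup is an exact-match dictionary, not longest-prefix match.

```python
IMPLICIT_NULL = 3  # LDP implicit-null; shown as "Pop" in "show mpls forwarding prefix <loopback>/32"
VPN_LABEL = 24     # constructed: the MP-BGP VPN label LER2 allocated for the Branch prefix


def make_ler2():
    # Egress LER: owns the customer VRF; the VPN label is popped and the VRF table consulted
    return {"fec": {}, "lfib": {}, "vpn": {VPN_LABEL: "CUST"},
            "vrf": {"CUST": {"10.2.0.0/16": "Branch"}}}


# Topology from the question: LER1 is directly connected to LER2, no LSR in between.
# LER2 advertised implicit-null for its loopback, so LER1's entry for it is "Pop".
TWO_LER = {
    "LER1": {"fec": {"LER2_LOOP/32": (IMPLICIT_NULL, "LER2")}, "lfib": {}, "vpn": {}, "vrf": {}},
    "LER2": make_ler2(),
}

# Generalisation: one LSR (P1) between the LERs. LER2 still advertises implicit-null,
# so P1 is now the penultimate hop; P1 advertised label 100 upstream to LER1 (constructed).
WITH_LSR = {
    "LER1": {"fec": {"LER2_LOOP/32": (100, "P1")}, "lfib": {}, "vpn": {}, "vrf": {}},
    "P1":   {"fec": {}, "lfib": {100: (IMPLICIT_NULL, "LER2")}, "vpn": {}, "vrf": {}},
    "LER2": make_ler2(),
}


def forward(topology, ingress, egress_fec, vpn_label, dst_prefix):
    """Push labels at the ingress LER, then walk hop by hop. Returns the label stack as it
    leaves each router, plus where the egress LER delivers the packet."""
    stack = [vpn_label]                      # inner label: identifies the egress VRF
    transport, next_hop = topology[ingress]["fec"][egress_fec]
    if transport != IMPLICIT_NULL:           # PHP: implicit-null means no transport label at all
        stack.insert(0, transport)
    trace = [(ingress, list(stack))]
    node = next_hop
    for _ in range(len(topology)):           # bounded walk; each hop consumes the top label
        r = topology[node]
        top = stack[0]
        if top in r["lfib"]:                 # transit LSR: swap, or pop when downstream said implicit-null
            out, next_hop = r["lfib"][top]
            stack = stack[1:] if out == IMPLICIT_NULL else [out] + stack[1:]
            trace.append((node, list(stack)))
            node = next_hop
        elif top in r["vpn"]:                # egress LER: pop the VPN label, route in the VRF
            vrf = r["vpn"][top]
            stack = stack[1:]
            trace.append((node, list(stack)))
            return trace, r["vrf"][vrf][dst_prefix]
        else:
            raise ValueError(f"{node}: no LFIB or VPN entry for label {top}")
    raise RuntimeError("packet looped")


if __name__ == "__main__":
    for name, topo in (("two LERs", TWO_LER), ("with LSR", WITH_LSR)):
        trace, delivered = forward(topo, "LER1", "LER2_LOOP/32", VPN_LABEL, "10.2.0.0/16")
        print(name, trace, "->", delivered)
```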

Zuhzuhzombie!!
Apr 17, 2008
FACTS ARE A CONSPIRACY BY THE CAPITALIST OPRESSOR
Found a great little ASA syslog bug. If syslog reporting is using TCP and the ASA loses connection to the syslog server, it blocks most if not all traffic.

I see this reported as a "security feature". I mean, I guess shutting down the entire network is "secure" but that's not really something you want to happen in production.

ate shit on live tv
Feb 15, 2004

by Azathoth

DeNofa posted:

The IOS side is trying to do aggressive mode but the ASA doesn't have any AM configuration. Is there any reason you would want to do aggressive mode (just say no)? Otherwise just remove that config and do main mode, which is more of a standard for site to site tunnels.


On my phone so quoting is a pain, but remove that ISAKMP peer configuration altogether OR add in aggressive mode config on the ASA. Don't do the second option. MM for life.

Yea I would usually use Main Mode, but I had read that for an unknown end point of an ipsec tunnel I would need to use Aggressive Mode. And yes, afaik the ASA will happily do Aggressive Mode unless explicitly disabled. In any case I'm working with TAC now, so I can't wait for their configuration to fail and then spend another day or two on something as mundane as a site to site ipsec tunnel :allears:

I haven't even gotten to the complicated part yet...

e: Finally got that resolved. The root issue is that an explicit Aggressive Mode isn't required even though the documentation (and the ASA warning messages) imply it is. What happens is the client, in this case the router, starts in Main Mode. Because of the dynamic crypto map, the ASA then tells the router to try again in aggressive mode, aggressive mode starts, and then the tunnel comes up normally. So hurrah, it's working.

Time for the complicated part....

ate shit on live tv fucked around with this message at 18:37 on Dec 6, 2013

jwh
Jun 12, 2002

Mulloy posted:

Wondering if anyone has seen anything like this before: We have a SIP connection with a carrier over an IPSec tunnel. I am not sure what their exact models are, but on our end we have the IPSec tunnel hitting a Palo Alto. Extremely infrequently they will send 6 SIP Invites, of which we only see the 6th and respond with a TRYING before they cancel.

It's not necessarily Cisco specific, but I figured if anyone had seen anything like this it might be here.

Has the other side provided captures that show they're really sending 6 SIP invites?

You could try and packet cap on the palo tunnel interface.

Or, if there's not a lot of traffic, just look for ESP packets that would correspond to their SIP invites.

I would be trying to make sure the SIP invites are in fact making it out of their infrastructure.

less than three
Aug 9, 2007



Fallen Rib
Oh hey, a pair of 4948s. Let's set them up!



Or not.

ate shit on live tv
Feb 15, 2004

by Azathoth
Nice.

psydude
Apr 1, 2008

Has anyone ever seen a case where a network cable will only work when plugged in one way? That is to say that one specific end must be in the jack and the other must be in the machine, and if you reverse them then you'll lose connectivity. I'd never heard of this before until a few days ago when I experienced it in a widespread fashion here.

ate shit on live tv
Feb 15, 2004

by Azathoth
I'd imagine that kind of issue is caused by one machine with nonstandard metal connectors, so after the first time you plug that cable in it's bent out of shape and won't work at anything other than that one interface. Any damage will be extremely difficult to detect with just casual observation. Alternatively the socket has been plugged in for so long that the copper pins have oxidized in a specific configuration that won't make contact with any other interface.

The short answer is metal fatigue.

Count Thrashula
Jun 1, 2003

Death is nothing compared to vindication.
Buglord
Now that Cisco owns them, what's everyone's opinion on Meraki?

My boss seems to think they're going to be a really awesome solution because ~*the cloud*~, and I have to say that having cloud-based config backups is a really alluring idea.

less than three
Aug 9, 2007



Fallen Rib

QPZIL posted:

Now that Cisco owns them, what's everyone's opinion on Meraki?

My boss seems to think they're going to be a really awesome solution because ~*the cloud*~, and I have to say that having cloud-based config backups is a really alluring idea.

It's a fantastic product. If you take one of their webinars they'll send you a free AP to keep. The idea is if you get to use it hands on and see how awesome it is you'll love it, and it works.

Langolas
Feb 12, 2011

My mustache makes me sexy, not the hat

less than three posted:

It's a fantastic product. If you take one of their webinars they'll send you a free AP to keep. The idea is if you get to use it hands on and see how awesome it is you'll love it, and it works.

Do we have a link to one of these webinars? I'm definitely interested in checking out the product

Biggz
Dec 27, 2005

Langolas posted:

Do we have a link to one of these webinars?

https://meraki.cisco.com/freeap

They sent the AP amazingly quick as well, I was expecting to wait weeks for it.

I'm from the UK and I needed to provide them with my company's VAT number, and someone called me almost immediately after signing up to talk to me about the webinar. He wasn't pushy or anything, I just explained that we currently sold a competitors product and I'd like to check out the Meraki equipment, he was fine with that and signed me up to a webinar.

I've not had a chance to set it up properly but the webinar was worth watching.

ate shit on live tv
Feb 15, 2004

by Azathoth
What do people use for out of band remote access to remote sites? Right now we have another router that we are using as a terminal server with Dial-In access. Obviously this is less than ideal from a security standpoint, not to mention ease of management (have to have a modem).

jwh
Jun 12, 2002

Powercrazy posted:

What do people use for out of band remote access to remote sites? Right now we have another router that we are using as a terminal server with Dial-In access. Obviously this is less than ideal from a security standpoint, not to mention ease of management (have to have a modem).

I like the Lantronix SLC boxes

Bob Morales
Aug 18, 2006


Just wear the fucking mask, Bob

I don't care how many people I probably infected with COVID-19 while refusing to wear a mask, my comfort is far more important than the health and safety of everyone around me!

Possibly dumb question about fiber. I have this media converter on one end of a link:



And then on the other end of the link I have a full-sized switch and the fiber goes into that, the connectors look the same on this end, then I use one whole RJ45 cable to connect it to a router.

In a quest to remove some poo poo from my rack, I planned on making a VLAN and using one of the fiber ports on another switch, but it requires a cable that looks like this:



I connected the fiber to the switch, but I don't get a link light. What gives? There's a pretty standard looking (to me) fiber patch panel that both cables go to.

jwh
Jun 12, 2002

Is it multimode? Did you try flipping the tx/rx on one end?

ate shit on live tv
Feb 15, 2004

by Azathoth

jwh posted:

I like the Lantronix SLC boxes

Do those have built in internet connectivity or what? I'm looking to address the actual out-of-band access part. Assuming the wan circuits are down and I need to access the remote office.

chestnut santabag
Jul 3, 2006

Bob Morales posted:

Possibly dumb question about fiber. I have this media converter on one end of a link:



And then on the other end of the link I have a full-sized switch and the fiber goes into that, the connectors look the same on this end, then I use one whole RJ45 cable to connect it to a router.

In a quest to remove some poo poo from my rack, I planned on making a VLAN and using one of the fiber ports on another switch, but it requires a cable that looks like this:



I connected the fiber to the switch, but I don't get a link light. What gives? There's a pretty standard looking (to me) fiber patch panel that both cables go to.

That's a 100Meg media converter - if you're attempting to plug it into a gigabit SFP then the link won't come up.

jwh
Jun 12, 2002

Powercrazy posted:

Do those have built in internet connectivity or what? I'm looking to address the actual out-of-band access part. Assuming the wan circuits are down and I need to access the remote office.

You can either slap a modem onto it or use a cellular modem. Or both, I think.

They're nice boxes, and they're not that expensive.

CrazyLittle
Sep 11, 2001





Clapping Larry

chestnut santabag posted:

That's a 100Meg media converter - if you're attempting to plug it into a gigabit SFP then the link won't come up.

Yep. That's it - you probably used a 1000-base SX fiber SFP in your switch. You probably need one of these for the switch instead:

Cisco Linksys MFEFX1 mini-GBIC SFP Transceiver Module - 1 x 100Base-FX - SFP (mini-GBIC)

Bob Morales
Aug 18, 2006


Just wear the fucking mask, Bob

I don't care how many people I probably infected with COVID-19 while refusing to wear a mask, my comfort is far more important than the health and safety of everyone around me!

Thanks for the help. I have a switch that I just replaced, with a pair of 1gb fiber ports, that I can use to replace the old 100mb switch on the other end, and that should work.

chestnut santabag
Jul 3, 2006

CrazyLittle posted:

Yep. That's it - you probably used a 1000-base SX fiber SFP in your switch. You probably need one of these for the switch instead:

Cisco Linksys MFEFX1 mini-GBIC SFP Transceiver Module - 1 x 100Base-FX - SFP (mini-GBIC)



Of note is that Linksys SFPs (even the Cisco SMB branded ones) don't work in Catalyst switches without doing that one hidden command that voids all your warranties.
I don't know of any regular Cisco branded 100Meg SFPs - would these work in Gig interfaces?

Turns out there are and they do work in Gig interfaces:
http://www.cisco.com/en/US/prod/collateral/modules/ps5455/ps6578/product_data_sheet0900aecd801f931c.html

chestnut santabag fucked around with this message at 17:39 on Dec 11, 2013

dotster
Aug 28, 2013

chestnut santabag posted:

Of note is that Linksys SFPs (even the Cisco SMB branded ones) don't work in Catalyst switches without doing that one hidden command that voids all your warranties.
I don't know of any regular Cisco branded 100Meg SFPs - would these work in Gig interfaces?

Using third party optics and the hidden command to enable them does not void your warranty; it just means that when you talk to TAC they will not support that setup if they think the problem is related to the optics. If you have a Cisco optic and you swap it in and the problem persists you will get help, so it is a good idea to have enough supported optics around for this kind of situation. Warranties don't really get voided in most cases; the vendor can deny a claim based on something you did that is not supported.

H.R. Paperstacks
May 1, 2006

This is America
My president is black
and my Lambo is blue
Anyone planning on attending NANOG60 in Atlanta come February? Looking at possibly attending depending on the presentation list, which is released next week.

single-mode fiber
Dec 30, 2012

So I've got the following output of a CBWFQ QoS policy, applied in the outbound direction on an interface:

code:
Class-map: Q4 (match-any)
          6891549 packets, 4649188330 bytes
          5 minute offered rate 5000 bps, drop rate 0 bps
          Match:  precedence 0
            6891549 packets, 4649188330 bytes
            5 minute rate 5000 bps
          Match:  precedence 1
            0 packets, 0 bytes
            5 minute rate 0 bps
          Match:  dscp default (0) 1  2  3  4  5  6  7
            0 packets, 0 bytes
            5 minute rate 0 bps
          Match:  dscp cs1 (8) 9  af11 (10) 11  af12 (12) 13  af13 (14) 15
            0 packets, 0 bytes
            5 minute rate 0 bps
          Queueing
          queue limit 64000 bytes
          (queue depth/total drops/no-buffer drops) 0/30910/0
          (pkts output/bytes output) 6860639/4650812932
          bandwidth 750 kbps
            Exp-weight-constant: 9 (1/512)
            Mean queue depth: 6 bytes
            class     Transmitted       Random drop      Tail drop          Minimum        Maximum     Mark
                      pkts/bytes     pkts/bytes       pkts/bytes          thresh         thresh     prob
                                                                              bytes         bytes
            0         6148954/4570143783  11039/16127605    1791/2586366        58000         64000  1/10
            1               0/0               0/0              0/0              58000         64000  1/10
            2               0/0               0/0              0/0               5000          8000  1/10
            3               0/0               0/0              0/0               5500          8000  1/10
            4               0/0               0/0              0/0               6000          8000  1/10
            5               0/0               0/0              0/0               6500          8000  1/10
            6          711685/80669149        4/1352       18076/2267676         7000          8000  1/10
            7               0/0               0/0              0/0               7500          8000  1/10

        Class-map: class-default (match-any)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any

          queue limit 64 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 0/0
Am I going bananas over here? Where it breaks out the transmit/random/tail drop by classes 0 through 7, aren't those 0 through 7 values the IP precedence values of the packets?

single-mode fiber fucked around with this message at 23:50 on Dec 19, 2013

jwh
Jun 12, 2002

Have you seen this? This might shed some light on what's going on. http://www.cisco.com/en/US/tech/tk543/tk544/technologies_tech_note09186a0080094612.shtml

AtmaHorizon
Apr 3, 2012

single-mode fiber posted:

So I've got the following output of a CBWFQ QoS policy, applied in the outbound direction on an interface:

Am I going bananas over here? Where it breaks out the transmit/random/tail drop by classes 0 through 7, aren't those 0 through 7 values the IP precedence values of the packets?

It depends on IOS version. One will show only actually seen precedence matches and another will show the output you got.
Try changing config to "random-detect dscp-based" for even more awesome output.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010

H.R. Paperstacks posted:

Anyone planning on attending NANOG60 in Atlanta come February? Looking at possibly attending depending on the presentation list, which is released next week.
I had planned on it but another thing came up the same week. Fortunately that other thing included warm weather and beaches, so I'm not that upset. I've been meaning to go to at least one per year, but so far it's only been one total (Dallas last year).

single-mode fiber
Dec 30, 2012

I ended up biting the bullet and calling TAC. Originally the problem was that BGP to the RRs on the far end was flapping like wild whenever the site started hitting like 10% of their circuit capacity. So, I was expecting to find tail drops in the P2 queue (presumably the keepalives), since that was explicitly just for CS6 kind of stuff, not the P4 queue. But, after looking over some other sites, they're having a lot of weird QoS poo poo go on, they just haven't noticed yet (or don't care).

ruro
Apr 30, 2003

single-mode fiber posted:

I ended up biting the bullet and calling TAC. Originally the problem was that BGP to the RRs on the far end was flapping like wild whenever the site started hitting like 10% of their circuit capacity. So, I was expecting to find tail drops in the P2 queue (presumably the keepalives), since that was explicitly just for CS6 kind of stuff, not the P4 queue. But, after looking over some other sites, they're having a lot of weird QoS poo poo go on, they just haven't noticed yet (or don't care).
The min/max threshold for cs6 should definitely be higher than the min/max for default traffic in my opinion. Once the queue length is higher than 8k it's all going to get tail dropped while the default traffic can merrily queue up to 64k :(. Heck, I stick routing traffic in its own dedicated class with a pool of bandwidth all to itself usually.
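To put numbers on ruro's point, here is an added example (not code from the thread or from IOS) that takes the per-precedence thresholds from the Q4 output quoted earlier and applies the standard IOS WRED behaviour: the average queue depth is an exponentially weighted average using the exp-weight-constant shown, and the drop probability rises linearly from 0 at the minimum threshold to 1/mark-prob at the maximum, with everything above the maximum dropped. It shows that at an average depth where precedence 0 is not yet being dropped at all, precedence 6 (CS6, the routing traffic) is already fully dropped, and how slowly the average tracks a burst at 1/512.

```python
# Per-precedence WRED profile of class Q4 as it appears in the "show policy-map interface"
# output quoted earlier: (minimum threshold bytes, maximum threshold bytes, mark prob denominator).
# Only precedence 0 and 1 were configured explicitly; 2-7 are the values the router filled in.
Q4_PROFILE = {
    0: (58000, 64000, 10), 1: (58000, 64000, 10),
    2: (5000, 8000, 10),   3: (5500, 8000, 10),
    4: (6000, 8000, 10),   5: (6500, 8000, 10),
    6: (7000, 8000, 10),   7: (7500, 8000, 10),
}
Q4_QUEUE_LIMIT = 64000    # "queue limit 64000 bytes"
EXP_WEIGHT_CONSTANT = 9   # "Exp-weight-constant: 9 (1/512)"


def wred_average(old_avg, current_depth, n=EXP_WEIGHT_CONSTANT):
    """Weighted average queue depth: avg = old * (1 - 2^-n) + current * 2^-n."""
    w = 1.0 / (2 ** n)
    return old_avg * (1.0 - w) + current_depth * w


def drop_probability(avg_depth, profile):
    """0 below the minimum, 1 at or above the maximum, linear up to 1/mpd in between."""
    mn, mx, mpd = profile
    if avg_depth < mn:
        return 0.0
    if avg_depth >= mx:
        return 1.0
    return (avg_depth - mn) / (mx - mn) / mpd


def drop_outlook(avg_depth, profiles=Q4_PROFILE):
    """Classify, per precedence, what WRED does to arriving packets at this average depth."""
    out = {}
    for prec, prof in sorted(profiles.items()):
        p = drop_probability(avg_depth, prof)
        out[prec] = "queue" if p == 0 else ("random-drop" if p < 1 else "tail-drop")
    return out


def headroom_mismatch(profiles, queue_limit):
    """Precedences whose maximum threshold sits well below the queue limit: they are being
    dropped while the queue still has room that other precedences are allowed to use."""
    return {prec: queue_limit - mx for prec, (_, mx, _) in profiles.items() if mx < queue_limit}


def simulate(depth_samples, n=EXP_WEIGHT_CONSTANT):
    """Feed instantaneous queue depths through the averaging; return the final average."""
    avg = 0.0
    for d in depth_samples:
        avg = wred_average(avg, d, n)
    return avg


if __name__ == "__main__":
    for depth in (7500, 30000):
        print(depth, drop_outlook(depth))
    print("bytes of headroom above max thresh:", headroom_mismatch(Q4_PROFILE, Q4_QUEUE_LIMIT))
    # a queue held at 8000 bytes for 512 samples: the average is still nowhere near 8000
    print("average after 512 samples at 8000 bytes:", round(simulate([8000] * 512)))
```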

single-mode fiber
Dec 30, 2012

The overall setup looked like this. Curious part is that the P2 queue does get an awful lot of matches (far more transmitted packets than what showed up as class 6 transmit packets in the P4 queue), and 0 drops of any kind.

code:
class-map match-any Q2
 match  precedence 4
 match  precedence 6
 match  precedence 7
 match  dscp cs4  33  af41  35  af42  37  af43  39
 match  dscp cs6  49  50  51  52  53  54  55
 match  dscp cs7  57  58  59  60  61  62  63
class-map match-any Q3
 match  precedence 2
 match  precedence 3
 match  dscp cs2  17  af21  19  af22  21  af23  23
 match  dscp cs3  25  af31  27  af32  29  af33  31
class-map match-any Q1
 match  precedence 5
 match  dscp cs5  41  42  43  44  45  ef  47
class-map match-any Q4
 match  precedence 0
 match  precedence 1
 match  dscp default  1  2  3  4  5  6  7
 match  dscp cs1  9  af11  11  af12  13  af13  15
!
!
policy-map All_Agency_CBWFQ
 class Q1
  police 995000 conform-action transmit  exceed-action drop
  priority
  queue-limit 32000 bytes
 class Q2
  bandwidth 550
  queue-limit 32000 bytes
  random-detect
  random-detect precedence 4 28000 bytes 32000 bytes
  random-detect precedence 6 28000 bytes 32000 bytes
  random-detect precedence 7 28000 bytes 32000 bytes
 class Q3
  bandwidth 550
  queue-limit 32000 bytes
  random-detect
  random-detect precedence 2 28000 bytes 32000 bytes
  random-detect precedence 3 28000 bytes 32000 bytes
 class Q4
  bandwidth 750
  queue-limit 64000 bytes
  random-detect
  random-detect precedence 0 58000 bytes 64000 bytes
  random-detect precedence 1 58000 bytes 64000 bytes
policy-map OUT
 class class-default
  shape average 3000000
  service-policy All_Agency_CBWFQ

single-mode fiber fucked around with this message at 23:51 on Dec 19, 2013

z0rlandi viSSer
Nov 5, 2013

Powercrazy posted:

What do people use for out of band remote access to remote sites? Right now we have another router that we are using as a terminal server with Dial-In access. Obviously this is less than ideal from a security standpoint, not to mention ease of management (have to have a modem).


KS
Jun 10, 2003
Outrageous Lumpwad
I’m having a problem with ASDM I’m really hoping someone here can shed some light on. The device is a FWSM in a 6513. It’s running in transparent mode and there are 8 bridge groups in one context (doubt this matters).

I’m trying to do cleanup of a bunch of rules that are no longer used. I’m finding that as I delete them, I can’t delete the associated objects. If I use the “where used” tool, I get this:


That’s ACL as opposed to Access Rules, which is what’s visible from the GUI. Here’s an example of one that shows both:


Note that it is ACL 17, but that distribute_inside list is only 10 rules long according to ASDM:


From the CLI, these mystery ACLs show up when I show access-list, but they don’t appear in show running-config. They all appear to be rules that have existed in the past and were deleted.

I can back these rules out one by one from the CLI, but there are hundreds, and I don’t want to run into this again. Can anyone tell me what’s going on here?

e: Even if I never touch ASDM again (and I'm considering it) about 5 other people will.

KS fucked around with this message at 05:56 on Dec 13, 2013
