I have a 2960X that i have a VTC client plugged into.  I'm running a sniffer on the VTC client and I see DSCP markings leaving the device with markings on it.  On the switch itself I have a monitor session configured to mirror the VTC port and I'm sniffing traffic in that location too.  The sniffer connected to the monitor port is NOT seeing any markings for DSCP?   Any idea on what could be causing this issue?!       SITE-OPS-AS-01#show mls qos QoS is disabled QoS ip packet dscp rewrite is disabled SITE-OPS-AS-01#   ... View more

I have the following lab setup in GNS3.  R1 & R2 are VPN endpoint at my datacenters and R3 is simulating a remote site.  What i'm trying to accomplish is having one tunnel from R3 to the datacenter that leverages both R1 & R2 using HSRP and stateful failover.  The configurations I'm attaching work, however the failover time is slow (30 sec+) and also fails when normalizing the solution.  Would there be some timers I can adjust or perhaps leverage something else to speed up this process?  Or would it just be best to scrap the HSRP solution and use two tunnels and let OSPF  failover?     R1: ! hostname r1 ! ipc zone default association 1 no shutdown protocol sctp local-port 5000 local-ip 172.16.1.2 remote-port 5000 remote-ip 172.16.1.3 ! redundancy inter-device scheme standby HA-Out security ipsec TUNNEL-PROFILE-SITE ! redundancy ! crypto ikev2 proposal IKEv2-PROPOSAL encryption aes-gcm-256 prf sha384 group 20 ! crypto ikev2 policy IKEv2-POLICY match fvrf any proposal IKEv2-PROPOSAL ! crypto ikev2 keyring IKEv2-KEYRING peer TO-SITE address 172.16.2.1 pre-shared-key cisco123 ! ! crypto ikev2 profile IKEv2-PROFILE-SITE match identity remote any authentication local pre-share authentication remote pre-share keyring local IKEv2-KEYRING ! crypto ipsec transform-set MYSET esp-gcm 256 mode tunnel ! crypto ipsec profile TUNNEL-PROFILE-SITE set transform-set MYSET set ikev2-profile IKEv2-PROFILE-SITE redundancy HA-Out stateful ! interface Loopback0 ip address 10.1.1.1 255.255.255.255 ! interface Tunnel208 description <== Datacenter Connection to SITE ==> ip unnumbered Loopback0 tunnel source 172.16.1.1 tunnel mode ipsec ipv4 tunnel destination 172.16.2.1 tunnel protection ipsec profile TUNNEL-PROFILE-SITE ! interface GigabitEthernet0/0 ip address 172.16.1.2 255.255.255.240 standby 1 ip 172.16.1.1 standby 1 priority 110 standby 1 preempt standby 1 name HA-Out duplex auto speed auto media-type rj45 ! interface GigabitEthernet0/1 ip address 10.1.200.2 255.255.255.0 standby 0 name HA-In standby 1 ip 10.1.200.1 standby 1 priority 110 standby 1 preempt duplex auto speed auto media-type rj45 ! router ospf 1 passive-interface default no passive-interface Tunnel208 network 10.1.1.1 0.0.0.0 area 0 network 10.1.200.0 0.0.0.255 area 0 network 10.254.2.32 0.0.0.3 area 0 ! ip route 0.0.0.0 0.0.0.0 172.16.1.10 ! ! hostname r2 ! ipc zone default association 1 no shutdown protocol sctp local-port 5000 local-ip 172.16.1.3 remote-port 5000 remote-ip 172.16.1.2 ! redundancy inter-device scheme standby HA-Out security ipsec TUNNEL-PROFILE-SITE ! redundancy ! crypto ikev2 proposal IKEv2-PROPOSAL encryption aes-gcm-256 prf sha384 group 20 ! crypto ikev2 policy IKEv2-POLICY match fvrf any proposal IKEv2-PROPOSAL ! crypto ikev2 keyring IKEv2-KEYRING peer TO-SITE address 172.16.2.1 pre-shared-key cisco123 ! ! crypto ikev2 profile IKEv2-PROFILE-SITE match identity remote any authentication local pre-share authentication remote pre-share keyring local IKEv2-KEYRING ! crypto ipsec transform-set MYSET esp-gcm 256 mode tunnel ! crypto ipsec profile TUNNEL-PROFILE-SITE set transform-set MYSET set ikev2-profile IKEv2-PROFILE-SITE redundancy HA-Out stateful ! interface Loopback0 ip address 10.1.1.2 255.255.255.255 ! interface Tunnel208 description <== Datacenter Connection to SITE ==> ip unnumbered Loopback0 tunnel source 172.16.1.1 tunnel mode ipsec ipv4 tunnel destination 172.16.2.1 tunnel protection ipsec profile TUNNEL-PROFILE-SITE ! interface GigabitEthernet0/0 ip address 172.16.1.3 255.255.255.240 standby 1 ip 172.16.1.1 standby 1 priority 105 standby 1 name HA-Out duplex auto speed auto media-type rj45 ! interface GigabitEthernet0/1 ip address 10.1.200.3 255.255.255.0 standby 0 name HA-In standby 1 ip 10.1.200.1 standby 1 priority 105 duplex auto speed auto media-type rj45 ! router ospf 1 passive-interface default no passive-interface Tunnel208 network 10.1.1.2 0.0.0.0 area 0 network 10.1.200.0 0.0.0.255 area 0 network 10.254.2.32 0.0.0.3 area 0 ! ip route 0.0.0.0 0.0.0.0 172.16.1.10 ! ! hostname r3 ! crypto ikev2 proposal IKEv2-PROPOSAL encryption aes-gcm-256 prf sha384 group 20 ! crypto ikev2 policy IKEv2-POLICY match fvrf any proposal IKEv2-PROPOSAL ! crypto ikev2 keyring IKEv2-KEYRING peer TO-DC01 address 172.16.1.1 pre-shared-key cisco123 ! ! crypto ikev2 profile IKEv2-PROFILE-DC01 match identity remote any authentication local pre-share authentication remote pre-share keyring local IKEv2-KEYRING ! crypto ipsec transform-set MYSET esp-gcm 256 mode tunnel ! crypto ipsec profile TUNNEL-PROFILE-DC01 set transform-set MYSET set ikev2-profile IKEv2-PROFILE-DC01 ! interface Loopback0 ip address 10.10.1.1 255.255.255.255 ! interface Tunnel208 description <== Datacenter Connection ==> ip unnumbered Loopback0 tunnel source 172.16.2.1 tunnel mode ipsec ipv4 tunnel destination 172.16.1.1 tunnel protection ipsec profile TUNNEL-PROFILE-DC01 ! interface GigabitEthernet0/0 ip address 172.16.2.1 255.255.255.240 duplex auto speed auto media-type rj45 bfd template sample no cdp enable ! ! router ospf 1 passive-interface default no passive-interface Tunnel208 network 10.10.1.1 0.0.0.0 area 0 network 10.254.2.32 0.0.0.3 area 0 ! ip route 0.0.0.0 0.0.0.0 172.16.2.10 !   ... View more

I'm trying to use 'method-est' for enrollment on solution I'm working and whenever I start the process of 'crypto pki authenticate <TRUSTPOINT>' it fails.  I'm not getting any sort of response whatsoever I believe because of a TLS handshake failure I'm seeing with wireshark.  There is not much documentation for EST on cisco.com so I'm struggling to figure out what my next steps are.  I'm using a CertAgent CA from InfoSecCorp and it has EST enabled because I can request the root cert fine when I use postman and just do a GET request.   ! crypto pki trustpoint RED-CA enrollment profile RED-CA-PROFILE fqdn site-ops-ie-01.domain.com subject-name cn=site-ops-ie-01.domain.com revocation-check crl rsakeypair SITE-OPS-IE-01.key 4096 ! crypto pki profile enrollment RED-CA-PROFILE method-est authentication url https://10.1.12.29:443/.well-known/est/certagent/ca7/cacerts enrollment url https://10.1.12.29:443/.well-known/est/certagent/ca7/simpleenroll reenrollment url https://10.1.12.29:8443/.well-known/est/certagent/ca7/simplereenroll enrollment credential RED-CA source-interface Loopback0 !  Here is the debug: Feb 4 20:17:54.724: EST_CLIENT: Process timer event Feb 4 20:17:54.724: EST_CLIENT: Process queue event Feb 4 20:17:54.724: EST_CLIENT: Process starting enrollment Feb 4 20:17:54.733: EST_CLIENT: CSR created successfully MIIEkTCCAnkCAQAwLjEsMCoGCSqGSIb3DQEJAhYdQ0FDQy1PUFMtSVItMDEuQUZQ .... TRUNCATED ......... EHgyUwYrBm0cRoB+Hc1KHzSTdmARvGvrDnKpbn1NqiyTZkdA1k02Bei6QMiw51XK EPjJ+ei9znCPmbF0HwYnn5mYrE1K Feb 4 20:17:54.733: EST_CLIENT : En/Re enroll URL : https://10.1.12.29:8443/.well-known/est/certagent/ca7/simpleenroll/simpleenroll Feb 4 20:17:54.733: EST_CLIENT: Send http request Feb 4 20:17:54.734: EST_CLIENT: have http response 3 tid Feb 4 20:17:54.734: status_code : 0 Feb 4 20:17:54.734: status_string : Feb 4 20:17:54.734: content_type : Feb 4 20:17:54.734: content_encoding : Feb 4 20:17:54.734: content_length : 4294967295 Feb 4 20:17:54.734: Location : Feb 4 20:17:54.734: Server : Feb 4 20:17:54.734: EST_CLIENT: Process queue event Feb 4 20:17:54.734: EST_CLIENT: enrollment response status = 0 Feb 4 20:17:54.734: EST http send request failed Feb 4 20:17:54.734: EST_CLIENT: retrying in 30 seconds ... View more

! crypto ikev2 proposal IKEv2-PROPOSAL encryption aes-cbc-256 integrity sha512 group 15 ! crypto ikev2 policy IKEv2-POLICY match fvrf any proposal IKEv2-PROPOSAL ! crypto ikev2 keyring IKEv2-KEYRING peer TO-CENT address 172.16.33.130 identity fqdn cent-ops-ie-01.domain.com pre-shared-key cisco123 ! peer TO-HPNX address 172.16.10.130 identity fqdn hpnx-ops-ie-01.domain.com pre-shared-key cisco123 ! ! crypto ikev2 profile IKEv2-PROFILE-CENT match identity remote fqdn domain domain.com identity local fqdn cacc-ops-ie-01.domain.com authentication local pre-share authentication remote pre-share keyring local IKEv2-KEYRING ! crypto ikev2 profile IKEv2-PROFILE-HPNX match identity remote fqdn domain domain.com identity local fqdn cacc-ops-ie-01.domain.com authentication local pre-share authentication remote pre-share keyring local IKEv2-KEYRING ! crypto ipsec transform-set MYSET esp-aes 256 esp-sha512-hmac mode tunnel ! crypto ipsec profile TUNNEL-PROFILE-CENT set transform-set MYSET set ikev2-profile IKEv2-PROFILE-CENT ! crypto ipsec profile TUNNEL-PROFILE-HPNX set transform-set MYSET set ikev2-profile IKEv2-PROFILE-HPNX ! interface Tunnel108 description <== Datacenter Connection to HPNX ==> ip address 10.254.1.33 255.255.255.252 ip ospf authentication key-chain OSPF-KEY-CHAIN tunnel source GigabitEthernet0/0 tunnel mode ipsec ipv4 tunnel destination 172.16.10.130 tunnel protection ipsec profile TUNNEL-PROFILE-HPNX ! interface Tunnel109 description <== Datacenter Connection to CENT ==> ip address 10.254.1.37 255.255.255.252 ip ospf authentication key-chain OSPF-KEY-CHAIN tunnel source GigabitEthernet0/0 tunnel mode ipsec ipv4 tunnel destination 172.16.33.130 tunnel protection ipsec profile TUNNEL-PROFILE-CENT ! ... View more

I've been trying to get 2547oDMVPN with 'mpls nhrp' setup in a VIRL environment and I have gotten it work with some of the examples I've seen online, but all the examples online have had the hub as the route reflector and have used the Tunnel interface for BGP peering.  If I use my Tunnel interface as my iBGP peer source things work, but if I don't, then for some reason things stop? Here is the output of some of my show commands that I believe to be the issue, but I don't know how to fix.  In the 'show ip cef vrf CLASS detail' I see the prefix and it gets recursively resolved to my tunnel interface.  In the 'show mpls forwarding-table' it says to drop the labels?  I attached my entire VIRL topology in case that would be helpful.  Thank you in advance for any help.   show mpls forwarding-table IR-01#show mpls forwarding-table Local Outgoing Prefix Bytes Label Outgoing Next Hop Label Label or Tunnel Id Switched interface 305 202 0.0.0.0/0[V] 0 drop 307 205 10.10.1.0/24[V] 0 drop 308 No Label 10.30.1.0/24[V] 0 aggregate/CLASS 313 307 10.50.1.0/24[V] 0 drop IR-01#show ip cef vrf CLASS detail IPv4 CEF is enabled and running VRF CLASS 17 prefixes (17/0 fwd/non-fwd) Table id 0x2 Database epoch: 0 (17 entries at this epoch) 0.0.0.0/0, epoch 0, flags [rib defined all labels, default route] local label info: other/305 recursive via 10.10.0.251 label 202 recursive via 10.10.0.250/31 nexthop 1.0.2.10 Tunnel102 0.0.0.0/8, epoch 0 Special source: drop drop 0.0.0.0/32, epoch 0, flags [receive] Special source: receive receive 10.10.1.0/24, epoch 0, flags [rib defined all labels] local label info: other/307 recursive via 10.10.0.251 label 205 recursive via 10.10.0.250/31 nexthop 1.0.2.10 Tunnel102 10.30.1.0/24, epoch 0, flags [attached] local label info: other/308 attached to Null0 10.30.1.0/31, epoch 0, flags [attached, connected] attached to Loopback1 10.30.1.1/32, epoch 0, flags [receive, local, source eligible] Interface source: Loopback1 flags: local, source eligible receive for Loopback1 10.30.1.32/30, epoch 0, flags [attached, connected, cover dependents, need deagg] Covered dependent prefixes: 2 need deagg: 2 attached to GigabitEthernet0/2.20 10.30.1.32/32, epoch 0, flags [receive] Interface source: GigabitEthernet0/2.20 flags: none Dependent covered prefix type cover need deagg, cover 10.30.1.32/30 receive for GigabitEthernet0/2.20 10.30.1.33/32, epoch 0, flags [receive, local, source eligible] Interface source: GigabitEthernet0/2.20 flags: local, source eligible receive for GigabitEthernet0/2.20 10.30.1.35/32, epoch 0, flags [receive] Interface source: GigabitEthernet0/2.20 flags: none Dependent covered prefix type cover need deagg, cover 10.30.1.32/30 receive for GigabitEthernet0/2.20 10.50.1.0/24, epoch 0, flags [rib defined all labels] local label info: other/313 recursive via 10.50.0.251 label 307 recursive via 10.50.0.250/31 nexthop 1.0.2.10 Tunnel102 127.0.0.0/8, epoch 0 Special source: drop drop 224.0.0.0/4, epoch 0 Special source: drop drop 224.0.0.0/24, epoch 0, flags [receive] Special source: receive receive 240.0.0.0/4, epoch 0 Special source: drop drop 255.255.255.255/32, epoch 0, flags [receive] Special source: receive receive ... View more