I have a requirement to test a system through an ASR 100X to an RS-530 serial-connected modem in loopback.
The key components are:
Anritsu Tester (DCE) <--------> ASR <----------> Modem (Baseband in loopback)
The ASR is a single device with two connected serial interfaces, one to the tester (S0/1/0) and the other to the modem (S0/1/1). What I essentially need to do is create a transparent bridge between two interfaces on the same device.
This used to be easy on an ISR running standard IOS using 'Bridge Group #' commands; however, this command has been deprecated. I have looked into BDI but this would appear to be Ethernet only. There must be some way to achieve this.
The reason for needing this is to test end-to-end comms on a Satcom site through the router at 8Mbps (RS-530) to carry our BER tests (BERT) over extended serial cable distances up to and including 11 metres.
Any assistance is gratefully received; if any more information is required, please let me know.
I have a requirement to preserve markings end to end across a network utilising 3750X switches. I am marking the packets without a problem, but due to the rewriting function the marking is being overwritten by the COS-->DSCP maps. To simplify the scenario I have set up a test environment (see Diagram) and am using ICMP as a simple test. Both 3750s have 12.2(35)SE5.

3750-1

mls qos
mls qos rewrite ip dscp
ip access-list extended ICMP
 permit icmp any any
class-map ICMP
 match access-group name ICMP
policy-map TEST
 class ICMP
  set dscp 46
int g1/0/1
 switchport mode access
 switchport access vlan 100
 spanning-tree portfast
 mls qos vlan-based
int vlan100
 ip address x.x.x.x
 service-policy input TEST

I have used Wireshark to verify that the packets are being marked: with 'mls qos rewrite ip dscp' they are; without it, rewriting does not occur. Moving my sniffer to the 3750-2, I am monitoring the Layer 3 connection (marking preserved); however, on the Layer 2 trunk the marking has been reset to 0. If I remove 'mls qos rewrite ip dscp' from 3750-2 then I see the marking on the Layer 2 trunk, but I am then unable to remark anything generated on this switch. I believe that with 'mls qos rewrite ip dscp' enabled the L3 to L2 transition removes the IP DSCP, sets the COS to 0, and then the COS-to-DSCP mapping ensures the DSCP is set back to 0. I have tried implementing additional marking policies on 3750-2 but to no avail. What I need is assistance ensuring that a frame / packet marked in 3750-1 can keep its marking to the end system over Layer 3 and a Layer 2 trunk. The only place I want the marking to be stripped off is when the dot1q tag is removed as it goes through an access port. Any help is very much appreciated.
I am having the exact same problem utilising TACACS+ / CHAP through ACS 5.2. Using the older version 4.2 it works without issue. During troubleshooting the problem we discovered that if we change the router to use PAP and not CHAP the authentication works fine and passes information via the identity store. Changing it back to CHAP breaks the connection and we are unable to authorise a user; it complains about being in the wrong domain. I still do not have a solution, other than moving to PAP, which is obviously less secure. It is potentially an issue with CHAP and TACACS not working properly together on ACS 5.2; all documentation discusses RADIUS / CHAP. I look forward to any other information / assistance anyone has to offer.
I have upgraded to version 8.2(2) and am still experiencing the same problem. I have an account with a password expiring in 10 days. If I set 'Password Management' on the ASA to anything less than 10 days the user is allowed access; however, if I set it to 10 days or more there are no expiry warning messages and the user is denied access, and the ASA log shows the password expiring.

5|Apr 19 2010|10:28:06|713904|||||IP = 192.168.20.102, Received encrypted packet with no matching SA, dropping
3|Apr 19 2010|10:28:06|713194|||||Group = LDAP-RAS-ACCESS, Username = me, IP = 192.168.20.102, Sending IKE Delete With Reason message: No Reason Provided.
3|Apr 19 2010|10:28:06|713048|||||Group = LDAP-RAS-ACCESS, Username = me, IP = 192.168.20.102, Error processing payload: Payload ID: 14
6|Apr 19 2010|10:28:06|725007|10.20.10.14|22452|||SSL session with server inside:10.20.10.14/22452 terminated.
6|Apr 19 2010|10:28:06|113005|||||AAA user authentication Rejected : reason = Password is expiring : server = B-ACS-LDAP-SERVER : user = me
6|Apr 19 2010|10:28:06|725002|10.20.10.14|22452|||Device completed SSL handshake with server inside:10.20.10.14/22452
6|Apr 19 2010|10:28:06|725005|10.20.10.14|22452|||SSL server inside:10.20.10.14/22452 requesting our device certificate for authentication.
6|Apr 19 2010|10:28:06|725001|10.20.10.14|22452|||Starting SSL handshake with server inside:10.20.10.14/22452 for TLSv1 session.

Cheers
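The ASA log excerpt above is pipe-delimited (severity, date, time, message ID, source, source port, destination, destination port, text). The following is an added example, not code from the poster or from Cisco, that parses lines in that layout and pulls the user, server and reason out of every 113005 AAA rejection, so the "Password is expiring" denials can be picked out of a larger log. The field meanings are assumed from the layout shown; the sample lines are taken from the post.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: three lines copied from the post's ASA log, in the
# assumed layout severity|date|time|msg-id|src|sport|dst|dport|text.
SAMPLE_LOG = """\
6|Apr 19 2010|10:28:06|113005|||||AAA user authentication Rejected : reason = Password is expiring : server = B-ACS-LDAP-SERVER : user = me
3|Apr 19 2010|10:28:06|713048|||||Group = LDAP-RAS-ACCESS, Username = me, IP = 192.168.20.102, Error processing payload: Payload ID: 14
6|Apr 19 2010|10:28:06|725007|10.20.10.14|22452|||SSL session with server inside:10.20.10.14/22452 terminated.
"""


@dataclass
class AsaEvent:
    severity: int
    msg_id: str
    src: str
    text: str


def parse_line(line: str) -> Optional[AsaEvent]:
    """Split one pipe-delimited ASA log line into its fixed fields.

    Returns None for lines that do not have the nine expected fields,
    so a stray line is skipped rather than mis-parsed.
    """
    parts = line.rstrip("\n").split("|", 8)
    if len(parts) != 9 or not parts[0].isdigit():
        return None
    return AsaEvent(severity=int(parts[0]), msg_id=parts[3], src=parts[4], text=parts[8])


# "key = value" pairs separated by " : ", as the 113005 text carries them
_KV = re.compile(r"(\w+) = ([^:]+?)(?: :|$)")


def aaa_rejections(log: str) -> list[dict]:
    """Return {reason, server, user} for every AAA rejection (message ID 113005)."""
    found = []
    for line in log.splitlines():
        ev = parse_line(line)
        if ev is None or ev.msg_id != "113005":
            continue
        found.append({k: v.strip() for k, v in _KV.findall(ev.text)})
    return found
```

Feeding the full log through `aaa_rejections` shows directly whether the LDAP server reported the password as expiring for a given user, which is the condition the `password-management` threshold turns into a denial.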
VPN Client Password Expiry issue.
ASA 5510 running 8.2(1) image
Cisco VPN Client 5.0.01.0600
Windows Active Directory server 2003

I am currently having issues with the password expiry feature within remote connections authenticating with the Active Directory server. The Secure LDAP connection is configured and working, with users authenticating with Active Directory and getting the correct dynamic policy based on the AD group membership. If I set the ‘Users must change password at next login’ flag on the Active Directory user account, the remote user is prompted to enter a new password at the first login as expected. I have entered the ‘Password management’ command on the ASA profile to achieve this; however, I was also expecting to get a warning message telling the users ‘Password will expire in n days’, and this does not occur. I have set up an account that has the password due to expire in 12 days, logged into a local Windows system to ensure the message is definitely being displayed and the password is set to time out, and I have also set ‘password-management password-expire-in-days 14’ (have tried other values) on the ASA. However, the ASA log states the password has expired and aborts the connection. What do I need to do to get this warning message to the end remote user? Any assistance is gratefully received.

Cheers
Steve

aaa-server LDAP-RAS-ACCESS protocol ldap
aaa-server LDAP-RAS-ACCESS (inside) host B-ACS-LDAP-SERVER
 timeout 5
 server-port 636
 ldap-base-dn cn=Users,dc=testrig,dc=company,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *
 ldap-login-dn cn=administrator,cn=Users,dc=testrig,dc=company,dc=com
 ldap-over-ssl enable
 server-type microsoft
!
tunnel-group LDAP-RAS-ACCESS type remote-access
tunnel-group LDAP-RAS-ACCESS general-attributes
 address-pool RAS-VPN-POOL
 authentication-server-group LDAP-RAS-ACCESS
 authentication-server-group (inside) LDAP-RAS-ACCESS
 accounting-server-group ACS-RAS-ACCESS
 strip-realm
 password-management password-expire-in-days 13
 strip-group
tunnel-group LDAP-RAS-ACCESS ipsec-attributes
 pre-shared-key *
tunnel-group LDAP-RAS-ACCESS ppp-attributes
 no authentication chap
 no authentication ms-chap-v1
 authentication ms-chap-v2