Hi, We have an ACS cluster and sometimes the replication between the 2 ACS servers is gone. I would like to monitor this if it is down we would get a notification about that. Does anyone know which specific oid gives information about the database status of the Cisco ACS in cluster environment?   Thanks,   Andras ... View more

Hi,   the environment is the following:   |border-switch|--|core-switch|--|server-access-switch|--|linux-server| There is a managmenet vlan. This vlan ip range is: 172.16.1.0/24. The linux-server is in this vlan and the management interface of the border-switch is also in this vlan. Linux server is 172.16.1.15/24 and border-switch is 172.16.1.34/24. The linux-server is monitoring the border-switch with icmp and snmp. It works, but from time to time the linux-server cannot reach the border-switch icmp fails, snmp queries fail. The connection recovers only if I ping the border-switch from the core-switch! I think this should be a L2 related issue but I do not have idea where to look. Does anybody have any idea why this is happening?   Thanks,   Andras ... View more

Hello, I have built an environmnet where ASA firewalls terminte ipsec vpn connection for Avaya Hard Phones. (Avaya Hard Phones have the ability to create vpn to other party and using this secure tunnel for voice traffic.) The vpn connection is working but sometimes unexpectedly terminiates and this is what I see on ASA log files: Jan 17 13:33:31 10.36.200.61 %ASA-5-713068: Group = VpnPhone, Username = VpnPhoneUsername1, IP = 176.63.x.x, Received non-routine Notify message: Invalid Payload (1) Jan 17 13:33:39 10.36.200.61 %ASA-5-713068: Group = VpnPhone, Username = VpnPhoneUsername1, IP = 176.63.x.x, Received non-routine Notify message: Invalid Payload (1) Jan 17 13:33:47 10.36.200.61 %ASA-5-713068: Group = VpnPhone, Username = VpnPhoneUsername1, IP = 176.63.x.x, Received non-routine Notify message: Invalid Payload (1) Jan 17 13:33:53 10.36.200.61 %ASA-6-602304: IPSEC: An outbound remote access SA (SPI= 0xE9D75704) between 195.56.x.x and 176.63.x.x (user= VpnPhoneUsername1) has been deleted. Jan 17 13:33:53 10.36.200.61 %ASA-6-602304: IPSEC: An inbound remote access SA (SPI= 0x2BE03030) between 176.63.x.x and 195.56.x.x (user= VpnPhoneUsername1) has been deleted. Jan 17 13:33:55 10.36.200.61 %ASA-3-713902: Group = VpnPhone, Username = VpnPhoneUsername1, IP = 176.63.x.x, QM FSM error (P2 struct &0x73e0f658, mess id 0x7510c1a9)! Jan 17 13:33:55 10.36.200.61 %ASA-5-713259: Group = VpnPhone, Username = VpnPhoneUsername1, IP = 176.63.x.x, Session is being torn down. Reason: Lost Service Jan 17 13:33:55 10.36.200.61 %ASA-6-713273: Group = VpnPhone, Username = VpnPhoneUsername1, IP = 176.63.x.x, Deleting static route for client address: 10.136.11.25 Jan 17 13:33:55 10.36.200.61 %ASA-4-113019: Group = VpnPhone, Username = VpnPhoneUsername1, IP = 176.63.x.x, Session disconnected. Session Type: IPsecOverNatT, Duration: 2d 0h:28m:12s, Bytes xmt: 29983482, Bytes rcv: 3864271, Reason: Lost Service Jan 17 13:33:55 10.36.200.61 %ASA-6-737016: IPAA: Freeing local pool address 10.136.11.25 I do not find the cause of this error. Do you have any idea? few info about vpn settings: I am using main mode, no-pfs, xauth. PH1: 3des-sha1-esp PH2: 3des-sha1 Thanks, Andras ... View more

Hi, I am trying to create a solution what would consist the following: Avaya hard phones would vpn into the corporate network. Vpn authentication would be based on certificates. As I getting into the implementation I found out that one of the key points of the solution is to using SCEP to enroll the certificates from CA server to the avaya hardphones.  And here comes my trouble: I would like to use a cisco router as a CA server for this solution but when the phones try to enroll the certificate I got this error on the router: Sep 23 13:36:16.935: CRYPTO_CS: received a SCEP GetCACert request Sep 23 13:36:16.939: CRYPTO_CS: CA certificate sent Sep 23 13:36:19.515: CRYPTO_CS: received a SCEP request, 2263 bytes Sep 23 13:36:19.519: CRYPTO_CS: read SCEP: registered and bound service SCEP_READ_DB_2    Sep 23 13:36:19.519: CRYPTO_CS: failed to open signed data Sep 23 13:36:19.519: CRYPTO_CS: read SCEP: unregistered and unbound service SCEP_READ_DB_2    Sep 23 13:36:19.519: CRYPTO_CS: failed to read SCEP request I enabled the following debug options: PKI:   Crypto PKI Msg debugging is on   Crypto PKI Trans debugging is on   Crypto PKI Certificate Server debugging is on   Crypto PKI Validation Path debugging is on Cisco router is a cisco 2811 router with the following IOS: Cisco IOS Software, 2800 Software (C2800NM-IPBASEK9-M), Version 15.1(4)M6, RELEASE SOFTWARE (fc2) Thanks, Andras ... View more