Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Cisco Community
- :
- About Difan Zhao
Stats
Member since
08-16-2007
649
Posts
28
Helpful
4
Solutions
Certifications
01-08-2020
09:50 AM
I am trying to test the anyconnect VPN on my 4331 router. It is running the latest 16.9.4 firmware. I am following this document https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_sslvpn/configuration/xe-16-9/sec-conn-sslvpn-xe-16-9-book/sec-conn-sslvpn-ssl-vpn.html However, at the step to create the ssl profile, I found that the command is not available anyconnect(config)#crypto ssl profile ?
% Unrecognized command
anyconnect(config)#crypto ssl ?
policy Define SSL policies
proposal Define ssl Proposal Is this a licensing problem? What license do I need to run the anyconnect SSL VPN? Here is my license status Technology Package License Information:
-----------------------------------------------------------------
Technology Technology-package Technology-package
Current Type Next reboot
------------------------------------------------------------------
appxk9 appxk9 Permanent appxk9
uck9 uck9 Permanent uck9
securityk9 securityk9 Permanent securityk9
ipbase ipbasek9 Permanent ipbasek9 Thanks, Difan
... View more
Labels:
01-08-2020
08:46 AM
Hi Karstan, yes I do - Version 16.6.6 I have also tried to factory reset the router and configured the pki the first thing and I still got the same error... I will read your link. Thanks for that. Hi Karsten, I apologize for replying without reading your link... I did not know there was a bug. I thought you just asked a general question. I will upgrade to the latest and try again. Thanks!
... View more
01-07-2020
01:51 PM
I am playing with the anyconnect vpn on my spare 2921 router. When I follow the instruction to create a trustpoint and enroll a self-signed cert, I got this error: crypto pki trustpoint my-trustpoint
enrollment selfsigned
subject-name CN=anyconnect.pason.com
rsakeypair my-rsa-keys
!
(config)#crypto pki enroll my-trustpoint
% Include the router serial number in the subject name? [yes/no]: yes
% Include an IP address in the subject name? [no]: no
Generate Self Signed Router Certificate? [yes/no]: yes
% Attempt to request a certificate failed: status = FAIL As a troubleshooting step, I tried to enable the HTTP secure server, I also got this error anyconnect(config)#ip http secure-server
Failed to generate persistent self-signed certificate.
Secure server will use temporary self-signed certificate. Any idea why? Is it because I don't have a license? Thanks!
... View more
Labels:
01-06-2020
05:01 PM
Hi there, I have a requirement to build a VPN tunnel to a network on a Windows XP box. There is no option to use a newer Windows because the app only works on the Windows PC. I can't find any VPN client that would still support the XP so I researched and tried this L2TP IPSec thing. First of all, it works fine on my Windows 10 box. Here is my config aaa authentication ppp VPDN_AUTH local
!
vpdn enable
!
vpdn-group L2TP
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
!
username test password 0 test
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 14
!
crypto isakmp key cisco123 address 0.0.0.0 no-xauth
!
!
crypto ipsec transform-set L2TP-transform-XP esp-3des esp-md5-hmac
mode transport
!
crypto dynamic-map L2TP-map 10
set nat demux
set transform-set L2TP-transform-XP
set pfs group14
!
!
crypto map L2TP 10 ipsec-isakmp dynamic L2TP-map
!
interface GigabitEthernet0/0/0
ip address <public Internet IP>
negotiation auto
crypto map L2TP
!
ip route 0.0.0.0 0.0.0.0 <gw> On the Windows XP, it just says no response. On the IOS router (2921), when I compare the debug between a working Win10 with it, the difference is that right after the ISAKMP/IPSec stuff, there are L2TP activity (with the debug l2tp all) for the Win10, but nothing for the WinXP. Here is the last few lines of the debug isakmp and IPsec. I also verified that there is isakmp and ipsec SA both established. *Jan 6 23:10:52.894: ISAKMP-ERROR: (0):Failed to find peer index node to update peer_info_list
*Jan 6 23:10:52.894: ISAKMP: (1034):Received IPSec Install callback... proceeding with the negotiation
*Jan 6 23:10:52.894: ISAKMP: (1034):Successfully installed IPSEC SA (SPI:0x9BD9B713) on GigabitEthernet0/0/0
*Jan 6 23:10:52.895: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 69.58.16.68:64916 f_vrf: Internet Id: 192.168.237.188
*Jan 6 23:10:52.895: ISAKMP-PAK: (1034):sending packet to 69.58.16.68 my_port 4500 peer_port 64916 (R) QM_IDLE
*Jan 6 23:10:52.895: ISAKMP: (1034):Sending an IKE IPv4 Packet.
*Jan 6 23:10:52.895: ISAKMP: (1034):Node 1, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
*Jan 6 23:10:52.896: ISAKMP: (1034):Old State = IKE_QM_IPSEC_INSTALL_AWAIT New State = IKE_QM_R_QM2
*Jan 6 23:10:52.901: ISAKMP-PAK: (1034):received packet from 69.58.16.68 dport 4500 sport 64916 Internet (R) QM_IDLE
*Jan 6 23:10:52.901: ISAKMP: (1034):deleting node 1 error FALSE reason "QM done (await)"
*Jan 6 23:10:52.901: ISAKMP: (1034):Node 1, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
L2TP#
*Jan 6 23:10:52.901: ISAKMP: (1034):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
*Jan 6 23:10:52.901: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jan 6 23:10:52.901: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
<<< For the Win10, the L2TP messages would start >>> Any ideas where it went wrong? Thanks!
... View more
Labels:
12-30-2019
11:31 AM
Sorry for the late response... The email notification for your response was blocked by our email spam filter... I will receive the switches in the new year and try it myself. The switches were at a remote office. As per my onsite personnel, he did press it for more than 30 seconds. I will report back. Thank you.
... View more
12-30-2019
11:28 AM
Sorry for the late response... The email notification for your response was blocked by our email spam filter... I can't get in the ROMMON. The message just kept on repeating without allowing me to enter the mode
... View more
12-19-2019
08:52 PM
Hi guys, I tried to upgrade a 3850 switch from the 3.2.3 to 16.9.4 in the install mode. After the upgrade, the switch does not come up. It is cycling through these messages constantly... BOOT=flash:packages.conf
CFG_MODEL_NUM=WS-C3850-48PW-SZ
CLEI_CODE_NUMBER=IPMW700ARB
ECI_CODE_NUMBER=466864
LINUX_COREMASK=15
MAC_ADDR=E0:89:9D:25:F1:80
MANUAL_BOOT=no
MODEL_NUM=WS-C3850-48P
MODEL_REVISION_NUM=R0
MOTHERBOARD_ASSEMBLY_NUM=73-14442-10
MOTHERBOARD_REVISION_NUM=A0
MOTHERBOARD_SERIAL_NUM=FOC18452NVE
POE1_ASSEMBLY_NUM=73-14095-01
POE1_REVISION_NUM=B0
POE1_SERIAL_NUM=FOC1845403L
POE2_ASSEMBLY_NUM=73-14095-01
POE2_REVISION_NUM=B0
POE2_SERIAL_NUM=FOC18452FQD
RECOVERY_BUNDLE=sda9:cat3k_caa-recovery.bin
STKPWR_ASSEMBLY_NUM=73-11956-08
STKPWR_REVISION_NUM=B0
STKPWR_SERIAL_NUM=FOC184500TW
SYSTEM_SERIAL_NUM=FCW1845C1SB
TAN_NUM=800-37564-03
TAN_REVISION_NUMBER=A0
TERMLINES=0
USB_ASSEMBLY_NUM=73-12923-05
USB_REVISION_NUM=C0
USB_SERIAL_NUM=FOC18451JHY
VERSION_ID=V04
TEMPLATE=advanced
BSI=0
CALL_HOME_DEBUG=00000
DIAG_DEBUG=000000000000
ABNORMAL_RESET_COUNT=0
SWITCH_PRIORITY=14
RET_2_RTS=23:00:14 UTC Mon Oct 7 2019
SWITCH_NUMBER=2
RANDOM_NUM=1157071131
▒▒▒▒▒▒▒0▒▒▒▒▒▒▒▒,▒▒▒▒<many many more of these>▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒BAUD=9600
BOOT=flash:packages.conf
CFG_MODEL_NUM=WS-C3850-48PW-SZ
CLEI_CODE_NUMBER=IPMW700ARB
ECI_CODE_NUMBER=466864
LINUX_COREMASK=15
MAC_ADDR=E0:89:9D:25:F1:80
MANUAL_BOOT=no
MODEL_NUM=WS-C3850-48P
MODEL_REVISION_NUM=R0
MOTHERBOARD_ASSEMBLY_NUM=73-14442-10
MOTHERBOARD_REVISION_NUM=A0
MOTHERBOARD_SERIAL_NUM=FOC18452NVE
POE1_ASSEMBLY_NUM=73-14095-01
POE1_REVISION_NUM=B0
POE1_SERIAL_NUM=FOC1845403L
POE2_ASSEMBLY_NUM=73-14095-01
POE2_REVISION_NUM=B0
POE2_SERIAL_NUM=FOC18452FQD
RECOVERY_BUNDLE=sda9:cat3k_caa-recovery.bin
STKPWR_ASSEMBLY_NUM=73-11956-08
STKPWR_REVISION_NUM=B0
STKPWR_SERIAL_NUM=FOC184500TW
SYSTEM_SERIAL_NUM=FCW1845C1SB
TAN_NUM=800-37564-03
TAN_REVISION_NUMBER=A0
TERMLINES=0
USB_ASSEMBLY_NUM=73-12923-05
USB_REVISION_NUM=C0
USB_SERIAL_NUM=FOC18451JHY
VERSION_ID=V04
TEMPLATE=advanced
BSI=0
CALL_HOME_DEBUG=00000
DIAG_DEBUG=000000000000
ABNORMAL_RESET_COUNT=0
SWITCH_PRIORITY=14
RET_2_RTS=23:00:14 UTC Mon Oct 7 2019
SWITCH_NUMBER=2
RANDOM_NUM=1157071131 I have tried with reboot. I have tried with pressing mode button while plugging in the power and continue to hold. These message just kept on repeating. I never get the "switch:" prompt. Any idea why? Thanks!
... View more
Labels:
11-17-2019
08:38 AM
Thanks Giuseppe! However, as per this document, the fragmentation is supported on the ASR routers... https://www.cisco.com/c/en/us/products/collateral/routers/asr-1000-series-aggregation-services-routers/guide-c07-735942.html#_Toc436723625 """ Some service providers are unwilling or unable to provide larger MTU values for their WAN circuits. If that is the case, the ASR 1000 router can perform fragmentation of the OTV transported data. The Nexus 7000 switch does not have this capability. Mixed ASR 1000 and Nexus 7000 OTV networks with fragmentation enabled on the ASR 1000 are not supported. """
... View more
11-16-2019
12:54 PM
I want to implement OTV in my network with the ASR routers. But as usual, I am testing and studying it in my VIRL lab first. First of all, there is no ASR in VIRL. I am using CSR instead. I am assuming that the behavior would be the same between the ASR and CSR. Here is my config. Everything works except the fragmentation. My topology is super simple: SW1 --- Gi3 CSR01 Gi2 --- Layer 2 switch --- Gi2 CSR02 Gi3 --- SW2 CSR01 otv site bridge-domain 1
otv fragmentation join-interface GigabitEthernet2
otv site-identifier 1111.1111.1111
otv isis Overlay1
log-adjacency-changes all
otv isis Site
!
interface Overlay1
no ip address
otv join-interface GigabitEthernet2
otv adjacency-server unicast-only
service instance 3 ethernet
encapsulation dot1q 3
bridge-domain 3
!
interface GigabitEthernet3
no ip address
service instance 1 ethernet
encapsulation untagged
bridge-domain 1
!
service instance 3 ethernet
encapsulation dot1q 3
bridge-domain 3
! CSR02 otv site bridge-domain 1
otv fragmentation join-interface GigabitEthernet2
otv site-identifier 2222.2222.2222
otv isis Overlay1
otv isis Site
!
interface Overlay1
no ip address
otv join-interface GigabitEthernet2
otv use-adjacency-server 123.123.123.1 unicast-only
service instance 3 ethernet
encapsulation dot1q 3
bridge-domain 3
!
interface GigabitEthernet3
description to iosvl2-2
service instance 1 ethernet
encapsulation untagged
bridge-domain 1
!
service instance 3 ethernet
encapsulation dot1q 3
bridge-domain 3
! The SW1 and SW2 just have a trunk port connected with the CSR routers. I created a vlan3 interface (10.0.3.1 and 10.0.3.2 on the two switches, respectively) for testing. Ping with 1458 works but not 1459. iosvl2-1#ping 10.0.3.2 size 1458 re 5
Type escape sequence to abort.
Sending 5, 1458-byte ICMP Echos to 10.0.3.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/9/18 ms
iosvl2-1#ping 10.0.3.2 size 1459 re 5
Type escape sequence to abort.
Sending 5, 1459-byte ICMP Echos to 10.0.3.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5) Where did I do it wrong? Is there any debug command that can help me troubleshoot this? Thanks! Difan
... View more
- Tags:
- otv
Labels:
11-08-2019
08:29 AM
Got confirmation from the Cisco TAC engineer Untagged packets (native VLAN) forwarding for xconnect that is configured on the dot1q subinterface is not supported https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/wan_lserv/configuration/xe-16/wan-lserv-xe-16-book/wan-l2-tun-pro-v3-xe.html#GUID-023CAAE3-1F8D-41FE-91F1-8CEF0F6023A6 Kind of sad and wondering why... Now I have to think about how to do different VLANs without breaking STP...
... View more
11-07-2019
01:03 PM
I changed the vlan numbers to be the same on both ends but kept them both being the "native" vlan and the connection is still broken... Is L2TPv3 just don't like a connection with the vlan tag?
... View more
11-07-2019
09:26 AM
I am testing a setup that I have an L2TPv3 tunnel between two routers and the pseudowires are configured on the dot1q sub-interfaces. 1. It is working with both ends use the same VLAN number (which is 2 in my virl lab) 2. It is working with both ends using the different VLAN number (2 on the left side and 22 on the right side). The switch would complain about the inconsistent VLAN in the STP errors, but with bpdufilter enabled, the ping will work. 3. It is not working with the different VLAN numbers and both VLAN numbers are configured as the "Native VLAN" on each side. My topology is like sw1 Gi0/1 ---(trunk)--- Gi0/3 rt1 --- rt3 Gi0/3 ---(trunk)--- sw2 Gi0/1 Here is my config sw1: interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport mode trunk
!
interface Vlan2
ip address 2.2.2.1 255.255.255.0
! rt1: pseudowire-class psw
encapsulation l2tpv3
ip local interface Loopback0
!
interface GigabitEthernet0/3.2
encapsulation dot1Q 2 native
no cdp enable
xconnect 192.168.0.3 2 encapsulation l2tpv3 pw-class psw
end
! 192.168.0.3 is rt3's loopback IP rt3: pseudowire-class psw
encapsulation l2tpv3
ip local interface Loopback0
!
interface GigabitEthernet0/3.22
encapsulation dot1Q 22 native
no cdp enable
xconnect 192.168.0.1 2 encapsulation l2tpv3 pw-class psw ! 192.168.0.1 is the rt1's loopback sw2: interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 22
switchport mode trunk
!
interface Vlan22
ip address 2.2.2.2 255.255.255.0 The pseudowire is up on both ends rt1: iosv-1#sh xconnect interface g0/3.2 detail
Legend: XC ST=Xconnect State S1=Segment1 State S2=Segment2 State
UP=Up DN=Down AD=Admin Down IA=Inactive
SB=Standby HS=Hot Standby RV=Recovering NH=No Hardware
XC ST Segment 1 S1 Segment 2 S2
------+---------------------------------+--+---------------------------------+--
UP pri ac Gi0/3.2:2(Eth VLAN) UP l2tp 192.168.0.3:2 UP
Interworking: vlan Session ID: 3656408470
Tunnel ID: 3142981728
Protocol State: UP
Remote Circuit State: UP
pw-class: psw rt2: iosv-3#sh xconnect interface g0/3.22 detail
Legend: XC ST=Xconnect State S1=Segment1 State S2=Segment2 State
UP=Up DN=Down AD=Admin Down IA=Inactive
SB=Standby HS=Hot Standby RV=Recovering NH=No Hardware
XC ST Segment 1 S1 Segment 2 S2
------+---------------------------------+--+---------------------------------+--
UP pri ac Gi0/3.22:22(Eth VLAN) UP l2tp 192.168.0.1:2 UP
Interworking: vlan Session ID: 687488009
Tunnel ID: 1088534909
Protocol State: UP
Remote Circuit State: UP
pw-class: psw However, the ping between switch 1 and 2 between their vlan IPs are not working. The STP packets are not received on either end too... Is there a limitation with this setup? Thanks
... View more
- Tags:
- l2tpv3
- pseudowire
Labels:
10-23-2019
11:23 AM
Thanks Georg. That's what suspected too. I will try to use EEM to accomplish it. Thank you for your effort into this.
... View more
01-14-2020
Hi Balaji, here is my show ver output. I have also opened up a ticket
and they told me that it is no...
Created by
Difan Zhao
in VPN
01-08-2020
01-08-2020
I am trying to test the anyconnect VPN on my 4331 router. It is running
the latest 16.9.4 firmware. ...
Created by
Difan Zhao
in VPN
01-08-2020
01-08-2020
Thank you Karsten, the upgrade fixed the problem.
Created by
Difan Zhao
in VPN
01-08-2020
01-08-2020
Hi Karstan, yes I do - Version 16.6.6I have also tried to factory reset
the router and configured th...
01-07-2020
I am playing with the anyconnect vpn on my spare 2921 router. When I
follow the instruction to creat...
01-06-2020
Hi there,I have a requirement to build a VPN tunnel to a network on a
Windows XP box. There is no op...
01-02-2020
Is there a way to copy a file or text from an HTTPS source? When I do
"copy ?", I only see http, not...
Created by
Difan Zhao
in Switching
12-30-2019
12-30-2019
Sorry for the late response... The email notification for your response
was blocked by our email spa...
Created by
Difan Zhao
in Switching
12-30-2019
12-30-2019
Sorry for the late response... The email notification for your response
was blocked by our email spa...
Created by
Difan Zhao
in Switching
12-19-2019
12-19-2019
Hi guys,I tried to upgrade a 3850 switch from the 3.2.3 to 16.9.4 in the
install mode. After the upg...
11-17-2019
Thanks Giuseppe!However, as per this document, the fragmentation is
supported on the ASR
routers...h...
11-16-2019
I want to implement OTV in my network with the ASR routers. But as
usual, I am testing and studying ...
Created by
Difan Zhao
in Routing
11-08-2019
11-08-2019
Got confirmation from the Cisco TAC engineer Untagged packets (native
VLAN) forwarding for xconnect ...
Created by
Difan Zhao
in Routing
11-07-2019
11-07-2019
I changed the vlan numbers to be the same on both ends but kept them
both being the "native" vlan an...
Public Statistics
| Date Registered | 08-16-2007 09:43 AM |
| Date Last Visited | 01-15-2020 09:05 AM |
| Total Messages Posted | 649 |
| Total Helpful Votes Received | 28 |
Helpful Votes Given To
.jpg "VIP Mentor"){kind=icon}
Helpful Votes From
| User | Helpful Count |
|---|---|
| 5 | |
| 5 | |
| 5 | |
| 5 | |
| 5 |
