We have routers that use EEM scripts tied to tracked objects for the purposes of internet circuit failover. These routers have a primary cable connection and a cellular backup. The EEM scripts are supposed to monitor connectivity through the primary connection and if it fails for whatever reason then remove some static routes and fail over to the cellular card. When the primary connection comes back online the EEM scripts are supposed to shutdown the cellular card and reinstate the routes.
Lately we've noticed higher than normal usage on the cellular cards and when I logged into some of the routers the routes pointing to the primary connection were not in the config. This tells me that the EEM script for bringing the primary connection back isn't firing at all. I am not sure how to tell if the script ran at all or has some other issue that would prevent it from installing the routes.
Here are the EEM scripts and tracked objects:
event manager applet PRIMARY_UP
event track 6 state up maxrun 240
action 1000 if $FLAPPING eq "1" goto 1019"
action 1001 cli command "enable"
action 1002 cli command "configure terminal"
action 1003 cli command "ip route vrf CORP 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp 253"
action 1004 cli command "ip route vrf OFFICE 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp"
action 1005 cli command "ip route vrf STORE 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp"
action 1006 cli command "ip route vrf GUEST 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp"
action 1007 cli command "ip route vrf POS 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp"
action 1008 cli command "ip route vrf VENDOR 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp"
action 1009 cli command "interface Cellular0/0/0"
action 1010 cli command "shutdown"
action 1011 wait 5
action 1012 cli command "no shutdown"
action 1013 cli command "end"
action 1014 cli command "clear policy-firewall session"
action 1016 cli command "clear ip nat translation forced"
action 1017 syslog msg "NAT Translations Flushed"
action 1018 syslog priority critical msg "PRIMARY_CIRCUIT_UP"
action 1019 exit
event manager applet PRIMARY_DOWN
event track 6 state down maxrun 240
action 1000 if $FLAPPING eq "1" goto 1024"
action 1001 cli command "enable"
action 1002 cli command "configure terminal"
action 1003 cli command "interface gigabitEthernet 0/0"
action 1004 cli command "shutdown"
action 1005 cli command "exit"
action 1006 cli command "no ip route vrf CORP 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp 253"
action 1007 cli command "no ip route vrf OFFICE 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp"
action 1008 cli command "no ip route vrf STORE 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp"
action 1009 cli command "no ip route vrf GUEST 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp"
action 1010 cli command "no ip route vrf POS 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp"
action 1011 cli command "no ip route vrf VENDOR 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp"
action 1012 cli command "interface gigabitEthernet 0/0"
action 1013 cli command "no shutdown"
action 1014 cli command "end"
action 1015 cli command "clear policy-firewall session"
action 1017 policy FLAPPING_ACTIVATE
action 1018 cli command "clear ip nat translation forced"
action 1019 syslog msg "NAT Translations Flushed"
action 1020 cli command "clear ip bgp all 65000"
action 1022 syslog priority critical msg "PRIMARY_CIRCUIT_DOWN"
action 1023 policy FLAPPING_ACTIVATE
action 1024 exit
track 1 ip sla 1
delay down 60 up 60
track 2 interface Tunnel301 line-protocol
delay down 60 up 60
track 3 interface Tunnel302 line-protocol
delay down 60 up 60
track 4 list threshold percentage
track 5 ip sla 2
delay down 60 up 60
track 6 list threshold percentage
ip sla 1
dns google.com name-server 22.214.171.124
ip sla schedule 1 life forever start-time now
ip sla 2
dns microsoft.com name-server 126.96.36.199
ip sla schedule 2 life forever start-time now
I am not an EEM guru but the lines that have me concerned are the two lines with $FLAPPING that have an extra set of double-quotes at the end. I don't know if that is tripping up the interpreter or not.
Also, I don't know how to make sure these scripts actually fire or not. I suppose I could try to down one of the primary ports and see what syslog says, but I thought I would check the forums for any obvious mistakes first.
Please let me know if there is anything else I can provide to help solve this issue.
... View more
I'll answer my own question here so hopefully others see it. There are three bug reports that I found on this, CSCul24955, CSCub28748, and CSCts86208.
It doesn't look like this issue will be fixed anytime soon.
... View more
I am trying to get CPI version 3.1 working with RADIUS with RSA SecurID tokens and not having any luck with it. The problem that I am seeing is that CPI is sending two Access-Request messages for each authentication attempt from the login page of the WebGUI.
While two Access-Requests are fine for "local" users, it simply does not work with one-time passwords. Has anybody else ran into this and is there a fix for this behavior?
Thanks in advance!
... View more
Hello, We currently have a pair of Nexus 7K connected to a VSS pair of 6509 switches via a metro ethernet service. The Nexus is partitioned into two VDCs, one for the core layer and the other for distribution (the third is default with no user data). The distribution runs VPC for access aggregation and the core VDC is layer 3 only. The VSS pair of switches is a collapsed core. There are two metro ethernet circuits that we have configured as layer 3 ports (no VPC!) and we are running MPLS/VPN over these metro circuits with OSPF as the IGP. The distribution VDC and the VSS pair are PE routers with the core VDC acting as a P router. The issue is reachability between the core VDC and the VSS pair. I cannot successfully MPLS ping/traceroute between loopback interfaces unless I force-explicit-null. I can however, MPLS ping/traceroute from the distribution VDC and the VSS pair without having to force-explicit-null. I checked several times and all my interfaces are labeled. I am thinking this is a PHP issue, but I can't confirm/deny that. Production traffic is working just fine through the core VDC except for this MPLS ping/traceroute problem. I'm afraid that this will make troubleshooting more difficult for people other than myself, so I am asking for advice on how to potentially resolve this. Attached is a simple visio showing the connectivity overview. Any help on this matter is greatly appreciated. Thank you, AJ Schroeder
... View more
The router did not seem to like it when I tried to log the ACL: MyRouter(config)#ip access-list extended SDM_IP MyRouter(config-ext-nacl)# remark CCP_ACL Category=1 MyRouter(config-ext-nacl)# permit icmp any any log class-map SDM_IP : access-list with 'log' not supported, pls remove 'log' from access-list otherwise class-map SDM_IP will not work properly MyRouter(config-ext-nacl)# permit udp any any log class-map SDM_IP : access-list with 'log' not supported, pls remove 'log' from access-list otherwise class-map SDM_IP will not work properly MyRouter(config-ext-nacl)# permit tcp any any log class-map SDM_IP : access-list with 'log' not supported, pls remove 'log' from access-list otherwise class-map SDM_IP will not work properly MyRouter(config-ext-nacl)# permit ip any any log class-map SDM_IP : access-list with 'log' not supported, pls remove 'log' from access-list otherwise class-map SDM_IP will not work properly So I let it go through and it did not appear to hit the ACL either: MyRouter#sho ip access-list | b SDM_IP Extended IP access list SDM_IP 10 permit icmp any any log 20 permit udp any any log 30 permit tcp any any log 40 permit ip any any log I have since took the logging part off since it didn't seem to have an effect.
... View more
Hello group, I have an EasyVPN server setup on my personal router (1861) so that I can access my home network when I am on the road. Apparently the Cisco VPN client and Windows 7 do not play nicely together, but I finally got my computer to nail up a tunnel and send encrypted traffic towards my router. However, I am not able to reach anything on my local LAN (192.168.0.0/24) from my laptop over a VPN connection. I have tried ping, http, RDP, with no success. The internet is still browsable on the laptop because of the split tunneling. When I look at the status of the VPN connection from my laptop, I see sent/encrypted packets incrementing, but nothing received. I am using ZBFW and VTI with my VPN server. I did try disabling the ZBFW with the same results, in fact, I don't see anything in the log stating packets are dropped to/from the ezvpn zone. I have been really racking my brains trying to get this working, so hopefully someone here can spot where I went wrong. Here is a copy of my (messy) config file: version 12.4 no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime msec localtime show-timezone service timestamps log datetime msec localtime show-timezone service password-encryption service sequence-numbers ! hostname MyRouter ! boot-start-marker boot system flash flash:c1861-advipservicesk9-mz.124-24.T7.bin boot-end-marker ! ! card type command needed for slot/vwic-slot 0/2 logging message-counter syslog logging buffered 16384 no logging console ! aaa new-model ! ! aaa authentication login default local aaa authentication login ciscocp_vpn_xauth_ml_1 local aaa authorization exec default local aaa authorization network ciscocp_vpn_group_ml_1 local ! ! aaa session-id common clock timezone Chicago -6 clock summer-time CDT recurring mmi polling-interval 60 no mmi auto-configure no mmi pvc mmi snmp-timeout 180 crypto pki token default removal timeout 0 ! crypto pki trustpoint TP-self-signed-1445602082 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-1445602082 revocation-check none rsakeypair TP-self-signed-1445602082 ! ! crypto pki certificate chain TP-self-signed-1445602082 certificate self-signed 01 30820250 308201B9 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 69666963 6174652D 31343435 36303230 3832301E 170D3132 30353239 31353039 30315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 34343536 30323038 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 8100D465 136AB645 8BC3B71C ED37D188 C5379D34 11AC19A6 4E4CF964 E49FE347 B5A81DED 59B4D5DA BF604557 2A4738A4 115AF64F 97BE7172 757D3EB1 26470703 5E0A7BBD 86DF2ED0 4C828B08 C41C59BA FD7D967D 65433707 5A11A031 392138B8 74638F73 D9169F6D 91F44800 B0766582 D5A765FA 9C480B41 9B8AC8DE 254151C3 85670203 010001A3 78307630 0F060355 1D130101 FF040530 030101FF 30230603 551D1104 1C301A82 18504F4C 4B2D4757 312E616A 73636872 6F656465 722E6E65 74301F06 03551D23 04183016 80148FC0 A44BB98F 0CAC193F 68AD46BE 7B6E8BC9 1FD3301D 0603551D 0E041604 148FC0A4 4BB98F0C AC193F68 AD46BE7B 6E8BC91F D3300D06 092A8648 86F70D01 01040500 03818100 0D300973 50FDB092 6AA75D95 4DEE853D 6E19925B 0FECC24C D44ACCCC 73F30B84 665C8D76 E52409C7 6F219ECE 38B583B1 0D0562E3 8336DB68 7FD4FF0A 2C0F00C6 57BBD31B 9830A8FE 95D92CDC 9CBE3EA1 B703DA12 47676BCF 877373A1 07916A5A A7F6675B 2620EF9C 62D6C141 21AB2701 7B17E18C E9582CB5 BD6D4952 277ED6D8 quit dot11 syslog ! no ip source-route ip cef ! ! no ip dhcp use vrf connected ip dhcp excluded-address 172.16.0.254 ip dhcp excluded-address 192.168.248.251 192.168.248.254 ip dhcp excluded-address 192.168.208.254 ip dhcp excluded-address 192.168.0.251 192.168.1.254 ! ip dhcp pool Workstations import all network 192.168.0.0 255.255.255.0 default-router 192.168.0.254 domain-name example.com lease 3 ! ip dhcp pool Guest_DMZ network 172.16.0.0 255.255.255.0 default-router 172.16.0.254 dns-server 188.8.131.52 184.108.40.206 ! ip dhcp pool VoIP network 192.168.248.0 255.255.255.0 default-router 192.168.248.254 option 150 ip 192.168.248.254 ! ! no ip bootp server ip domain name example.com ip port-map user-xbl-ctrl-udp port udp 3074 description XBOX Live control protocol over UDP ip port-map user-xbl-ctrl-tcp port tcp 3074 description XBOX Live control protocol over TCP ip port-map user-xbl-auth port udp 88 description XBOX Live Authentication ip ddns update method DynDNS HTTP add http://username:firstname.lastname@example.orgemail@example.com /nic/update?system=dyndns&hostname=<h>&myip=<a> remove http://username:firstname.lastname@example.orgemail@example.com /nic/update?system=dyndns&hostname=<h>&myip=<a> interval maximum 28 0 0 0 interval minimum 28 0 0 0 ! no ipv6 cef ! multilink bundle-name authenticated ! ! ! ! parameter-map type inspect audit audit-trail on ! ! ! voice service voip allow-connections sip to sip no supplementary-service sip moved-temporarily no supplementary-service sip refer fax protocol cisco sip registrar server expires max 3600 min 3600 outbound-proxy dns:pbxes.org ! ! ! voice class codec 1 codec preference 3 g726r16 codec preference 4 g726r24 codec preference 5 g726r32 codec preference 6 g711alaw codec preference 7 g711ulaw ! ! ! ! ! ! ! ! ! ! ! ! ! ! voice-card 0 dsp services dspfarm ! ! ! object-group network VoIP-Phones 192.168.248.0 255.255.255.0 ! ! spanning-tree vlan 2 priority 24576 spanning-tree vlan 3 priority 24576 spanning-tree vlan 4 priority 24576 vtp mode transparent username XXXXXXXXXX privilege 15 password XXXXXXXXXXXXXX ! ! crypto isakmp policy 1 encr 3des authentication pre-share group 2 ! crypto isakmp client configuration group EasyVPN-Group key XXXXXXXXXXXXXX pool SDM_POOL_1 acl ACL-Split-Tunnel crypto isakmp profile ciscocp-ike-profile-1 match identity group EasyVPN-Group client authentication list ciscocp_vpn_xauth_ml_1 isakmp authorization list ciscocp_vpn_group_ml_1 client configuration address respond virtual-template 1 ! ! crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac ! crypto ipsec profile CiscoCP_Profile1 set transform-set ESP-3DES-SHA set isakmp-profile ciscocp-ike-profile-1 ! ! archive log config hidekeys ! ! vlan 2 name LAN ! vlan 3 name Guest_DMZ ! vlan 4 name VoIP ! ip tcp synwait-time 10 ip ftp username XXXXXXXXXXXXX ip ftp password XXXXXXXXXXXXXXXX ip ssh time-out 30 ip scp server enable ! class-map type inspect sip match-any Disable-Strict-SIP-cmap match request method invite match protocol-violation class-map type inspect match-any Traceroute-cmap match access-group name Traceroute class-map type inspect match-all Allow-NTP-cmap match access-group name Allow-NTP class-map type inspect match-any SDM_AH match access-group name SDM_AH class-map type inspect match-any Allow-TFTP-out-cmap match access-group name Allow-TFTP-out class-map type inspect match-all RouterManagement match access-group name RouterManagement class-map type inspect match-any SIP-Traffic-cmap match protocol sip class-map type inspect match-any CME-Traffic-cmap match protocol skinny class-map type inspect match-any Protocol-P2P-cmap match protocol edonkey signature match protocol gnutella signature match protocol kazaa2 signature match protocol fasttrack signature match protocol bittorrent signature class-map type inspect match-all SDM_IP match access-group name SDM_IP class-map type inspect match-any SDM_ESP match access-group name SDM_ESP class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC match protocol isakmp match protocol ipsec-msft match class-map SDM_AH match class-map SDM_ESP class-map type inspect match-all SDM_EASY_VPN_SERVER_PT match class-map SDM_EASY_VPN_SERVER_TRAFFIC class-map type inspect match-any Allow-DNS-cmap match access-group name Allow-DNS class-map type inspect match-all Allow-VPN-Outbound-cmap match access-group name ACL-Allow-VPN-Outbound class-map type inspect match-any Guest_DMZtoOutside-cmap match protocol dns match protocol https match protocol icmp match protocol imap match protocol pop3 match protocol http match protocol tcp match protocol udp class-map type inspect match-any ICMPecho-cmap match access-group name ICMPecho class-map type inspect match-any Protocol-IM-cmap match protocol ymsgr Yahoo-Servers match protocol msnmsgr MSN-Servers match protocol aol AOL-Servers class-map type inspect match-all RouterDataTransfer match access-group name RouterDataTransfer class-map type inspect match-all DDNS-Update-cmap match access-group name ACL-DDNS-Update class-map type inspect match-any XBOX-class match protocol user-xbl-ctrl-udp match protocol user-xbl-ctrl-tcp match protocol user-xbl-auth class-map type inspect match-all InsideToOutside-HTTP-cmap match protocol http class-map type inspect match-any ICMPreply-cmap match access-group name ICMPreply class-map type inspect match-any Allow-DHCP-cmap match access-group name Allow-DHCP class-map type inspect match-any InsideToOutside-cmap match protocol dns match protocol https match protocol ftp match protocol icmp match protocol imap match protocol pop3 match protocol tcp match protocol udp class-map type inspect match-any Allow-TFTP-in-cmap match access-group name Allow-TFTP-in ! ! policy-map type inspect InsideToRouter-pmap class type inspect ICMPecho-cmap inspect class type inspect ICMPreply-cmap pass class type inspect Allow-DHCP-cmap pass class type inspect Allow-DNS-cmap inspect class type inspect RouterManagement inspect class type inspect Allow-NTP-cmap inspect class class-default drop policy-map type inspect RouterToInside-pmap class type inspect ICMPecho-cmap inspect class type inspect Traceroute-cmap inspect class type inspect Allow-DHCP-cmap pass class type inspect RouterDataTransfer inspect class class-default drop policy-map type inspect sip Disable-Strict-SIP-pmap class type inspect sip Disable-Strict-SIP-cmap allow policy-map type inspect Guest_DMZtoOutside-pmap class type inspect Guest_DMZtoOutside-cmap inspect class class-default drop policy-map type inspect Guest_DMZtoRouter-pmap class type inspect ICMPecho-cmap inspect class type inspect ICMPreply-cmap pass class type inspect Allow-DHCP-cmap pass class class-default drop policy-map type inspect OutsideToRouter-pmap class type inspect SDM_EASY_VPN_SERVER_PT pass class type inspect ICMPecho-cmap inspect class type inspect ICMPreply-cmap pass class type inspect Allow-DHCP-cmap pass class type inspect Allow-DNS-cmap inspect class class-default drop log policy-map type inspect RouterToOutside-pmap class type inspect ICMPecho-cmap inspect class type inspect Traceroute-cmap inspect class type inspect Allow-DHCP-cmap pass class type inspect Allow-NTP-cmap inspect class type inspect SIP-Traffic-cmap inspect service-policy sip Disable-Strict-SIP-pmap class type inspect Allow-DNS-cmap inspect class type inspect DDNS-Update-cmap pass class type inspect Allow-VPN-Outbound-cmap pass class class-default drop log policy-map type inspect VoiceToRouter-pmap class type inspect Allow-DHCP-cmap pass class type inspect Allow-TFTP-in-cmap pass class type inspect CME-Traffic-cmap inspect class class-default drop log policy-map type inspect RouterToVoice-pmap class type inspect Allow-DHCP-cmap pass class type inspect Allow-TFTP-out-cmap pass class class-default drop log policy-map type inspect RouterToGuest_DMZ-pmap class type inspect ICMPecho-cmap inspect class type inspect Traceroute-cmap inspect class type inspect Allow-DHCP-cmap pass class class-default drop policy-map type inspect InsideToOutside-pmap class type inspect XBOX-class inspect class type inspect Protocol-IM-cmap inspect class type inspect Protocol-P2P-cmap inspect class type inspect InsideToOutside-cmap inspect class class-default drop policy-map type inspect OutsideToInside-pmap class type inspect XBOX-class inspect class class-default drop policy-map type inspect sdm-permit-ip class type inspect SDM_IP pass class class-default drop log ! zone security Inside zone security Outside zone security Guest_DMZ zone security Voice zone security ezvpn-zone zone-pair security InsideToOutside source Inside destination Outside service-policy type inspect InsideToOutside-pmap zone-pair security OutsideToInside source Outside destination Inside service-policy type inspect OutsideToInside-pmap zone-pair security OutsideToRouter source Outside destination self service-policy type inspect OutsideToRouter-pmap zone-pair security Guest_DMZtoOutside source Guest_DMZ destination Outside service-policy type inspect Guest_DMZtoOutside-pmap zone-pair security Guest_DMZtoRouter source Guest_DMZ destination self service-policy type inspect Guest_DMZtoRouter-pmap zone-pair security RouterToGuest_DMZ source self destination Guest_DMZ service-policy type inspect RouterToGuest_DMZ-pmap zone-pair security InsideToRouter source Inside destination self service-policy type inspect InsideToRouter-pmap zone-pair security RouterToInside source self destination Inside service-policy type inspect RouterToInside-pmap zone-pair security VoiceToRouter source Voice destination self service-policy type inspect VoiceToRouter-pmap zone-pair security RouterToVoice source self destination Voice service-policy type inspect RouterToVoice-pmap zone-pair security sdm-zp-in-ezvpn1 source Inside destination ezvpn-zone service-policy type inspect sdm-permit-ip zone-pair security sdm-zp-out-ezpn1 source Outside destination ezvpn-zone service-policy type inspect sdm-permit-ip zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination Outside service-policy type inspect sdm-permit-ip zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination Inside service-policy type inspect sdm-permit-ip zone-pair security RouterToOutside source self destination Outside service-policy type inspect RouterToOutside-pmap bridge irb ! ! ! ! interface FastEthernet0/0 description Internet ip ddns update hostname example.com ip ddns update DynDNS host example.com ip address dhcp no ip redirects no ip unreachables no ip proxy-arp ip nat outside ip virtual-reassembly zone-member security Outside duplex auto speed auto auto discovery qos ! interface FastEthernet0/1/0 switchport access vlan 2 ! interface FastEthernet0/1/1 switchport access vlan 2 ! interface FastEthernet0/1/2 switchport access vlan 2 switchport voice vlan 2590 ! interface FastEthernet0/1/3 switchport access vlan 2 switchport voice vlan 2590 ! interface FastEthernet0/1/4 switchport access vlan 2 switchport voice vlan 4 ! interface FastEthernet0/1/5 description AP2 switchport access vlan 2 ! interface FastEthernet0/1/6 switchport access vlan 2 switchport voice vlan 2590 ! interface FastEthernet0/1/7 description AP1 switchport trunk native vlan 2 switchport trunk allowed vlan 1-3,1002-1005 switchport mode trunk ! interface FastEthernet0/1/8 switchport access vlan 2 switchport voice vlan 2590 ! interface Dot11Radio0/5/0 no ip address shutdown ! ! interface Virtual-Template1 type tunnel ip unnumbered Vlan2 ip nat inside ip virtual-reassembly zone-member security ezvpn-zone tunnel mode ipsec ipv4 tunnel protection ipsec profile CiscoCP_Profile1 ! interface Vlan1 no ip address no ip redirects no ip unreachables no ip proxy-arp shutdown ! interface Vlan2 description $FW_INSIDE$ ip address 192.168.0.254 255.255.255.0 no ip redirects no ip unreachables no ip proxy-arp ip flow ingress ip flow egress ip nat inside ip virtual-reassembly zone-member security Inside ! interface Vlan3 description Guest DMZ LAN ip address 172.16.0.254 255.255.255.0 no ip redirects no ip unreachables no ip proxy-arp ip nat inside ip virtual-reassembly zone-member security Guest_DMZ ! interface Vlan4 ip address 192.168.248.254 255.255.255.0 no ip redirects no ip unreachables no ip proxy-arp ip nat inside ip virtual-reassembly zone-member security Voice ! ip local pool SDM_POOL_1 172.31.1.1 172.31.1.254 ip forward-protocol nd ip route 0.0.0.0 0.0.0.0 X.X.X.X no ip http server ip http authentication local ip http secure-server ! ! ip nat pool NAS-NAT-POOL 192.168.0.250 192.168.0.250 netmask 255.255.255.0 type rotary ip nat inside source static tcp 192.168.0.242 3074 interface FastEthernet0/0 3074 ip nat inside source static udp 192.168.0.242 3074 interface FastEthernet0/0 3074 ip nat inside source static udp 192.168.0.242 88 interface FastEthernet0/0 88 ip nat inside source route-map NAT interface FastEthernet0/0 overload ip nat inside destination list NAS-NAT pool NAS-NAT-POOL ! ip access-list extended ACL-Allow-VPN-Outbound permit udp any any eq isakmp permit udp any eq isakmp any permit udp any any eq non500-isakmp permit udp any eq non500-isakmp any ip access-list extended ACL-DDNS-Update permit tcp any any eq www permit tcp any any eq 443 ip access-list extended ACL-Split-Tunnel permit ip 192.168.0.0 0.0.0.255 any permit icmp 192.168.0.0 0.0.0.255 any permit tcp 192.168.0.0 0.0.0.255 any permit udp 192.168.0.0 0.0.0.255 any ip access-list extended NAS-NAT permit tcp any any range 6881 6889 permit udp any any eq 6881 ip access-list extended Allow-DHCP permit udp any eq bootps any eq bootpc permit udp any eq bootpc any eq bootps permit udp any any eq bootpc permit udp any any eq bootps ip access-list extended Allow-DNS permit udp any any eq domain permit udp any eq domain any permit udp any gt 1023 any eq domain ip access-list extended Allow-NTP permit udp any any eq ntp ip access-list extended Allow-TFTP-in remark CCP_ACL Category=16 permit udp object-group VoIP-Phones host 192.168.248.254 ip access-list extended Allow-TFTP-out remark CCP_ACL Category=16 permit udp host 192.168.248.254 object-group VoIP-Phones ip access-list extended ICMPecho permit icmp any any echo ip access-list extended ICMPreply permit icmp any any host-unreachable permit icmp any any port-unreachable permit icmp any any ttl-exceeded permit icmp any any packet-too-big ip access-list extended Internal-Subnets deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255 permit ip 192.168.0.0 0.0.0.255 any ip access-list extended RouterDataTransfer permit tcp host 192.168.0.254 host 192.168.0.250 eq 22 permit tcp host 192.168.0.254 host 192.168.0.250 eq www permit tcp host 192.168.0.254 host 192.168.0.250 eq 443 permit tcp host 192.168.0.254 host 192.168.0.250 eq ftp permit tcp host 192.168.0.254 host 192.168.0.250 gt 1024 ip access-list extended RouterManagement permit tcp any any eq 22 permit tcp any any eq 443 ip access-list extended SDM_AH remark CCP_ACL Category=1 permit ahp any any ip access-list extended SDM_ESP remark CCP_ACL Category=1 permit esp any any ip access-list extended SDM_IP remark CCP_ACL Category=1 permit icmp any any permit udp any any permit tcp any any permit ip any any ip access-list extended Traceroute permit udp any range 32768 65535 any range 33434 33523 ! ! ! ! ! route-map NAT permit 10 match ip address Internal-Subnets ! ! tftp-server flash:APPS-1.2.1.SBN alias APPS-1.2.1.SBN tftp-server flash:/phone/7941-7961/apps41.9-1-1TH1-16.sbn alias apps41.9-1-1TH1-16.sbn tftp-server flash:/phone/7941-7961/cnu41.9-1-1TH1-16.sbn alias cnu41.9-1-1TH1-16.sbn tftp-server flash:/phone/7941-7961/cvm41sccp.9-1-1TH1-16.sbn alias cvm41sccp.9-1-1TH1-16.sbn tftp-server flash:/phone/7941-7961/dsp41.9-1-1TH1-16.sbn alias dsp41.9-1-1TH1-16.sbn tftp-server flash:/phone/7941-7961/jar41sccp.9-1-1TH1-16.sbn alias jar41sccp.9-1-1TH1-16.sbn tftp-server flash:/phone/7941-7961/SCCP41.9-1-1SR1S.loads alias SCCP41.9-1-1SR1S.loads tftp-server flash:/phone/7941-7961/term41.default.loads alias term41.default.loads tftp-server flash:/phone/7941-7961/term61.default.loads alias term61.default.loads ! control-plane ! bridge 2 protocol ieee bridge 2 route ip bridge 3 protocol ieee bridge 3 route ip call threshold global cpu-avg low 68 high 75 call threshold global total-mem low 75 high 85 ! ! voice-port 0/0/0 ! voice-port 0/0/1 ! voice-port 0/0/2 ! voice-port 0/0/3 ! voice-port 0/1/0 ! voice-port 0/1/1 ! voice-port 0/1/2 ! voice-port 0/1/3 ! voice-port 0/4/0 auto-cut-through signal immediate input gain auto-control description Music On Hold Port ! ! mgcp fax t38 ecm ! ! ! dial-peer voice 2 voip description **Outgoing Call to SIP Trunk** destination-pattern [2-9]......... voice-class codec 1 session protocol sipv2 session target sip-server session transport udp dtmf-relay rtp-nte no vad ! dial-peer voice 1 voip description *** Incoming call to - -- Generic -- - SIP Trunk *** session protocol sipv2 session target sip-server incoming called-number .T ! dial-peer voice 3 voip destination-pattern 1[2-9]......... session protocol sipv2 session target sip-server ! ! sip-ua credentials username XXXXXXXXXXX password XXXXXXXXXX realm pbxes.org authentication username XXXXXXXXXXXXX password XXXXXXXXXXXX timers connect 100 registrar dns:pbxes.org expires 3600 sip-server dns:pbxes.org ! ! ! telephony-service max-ephones 12 max-dn 48 ip source-address 192.168.248.254 port 2000 max-redirect 5 auto assign 1 to 10 load 7961 SCCP41.9-1-1SR1S time-zone 8 time-format 24 date-format dd-mm-yy max-conferences 4 gain -6 moh music-on-hold.au transfer-system full-consult create cnf-files version-stamp Jan 01 2002 00:00:00 ! ! ephone-dn 2 number 1001 no-reg both name Joe User ! ! ephone 1 device-security-mode none mac-address 001D.A266.C871 type 7961 button 1:2 ! ! ! ephone 2 device-security-mode none mac-address 0025.8417.68CB type 7961 button 1:2 ! ! ! line con 0 exec-timeout 30 0 privilege level 15 logging synchronous no modem enable line aux 0 exec-timeout 30 0 line vty 0 4 exec-timeout 30 0 transport input ssh ! ntp source FastEthernet0/0 ntp update-calendar end
... View more
Milan, In my lab just the traceroutes weren't working properly, the remote CE router responded to pings. In our production network I have seen what you are describing as tracerouting "through" a router and having it work OK. I never thought anything about it since I was always trying to get to devices behind the routers and not necessarily the router itself. I went back and re-read the Cisco documentation on unreachable messages to make sure I have a clear understanding what I am turning on and off. I understand the security reasons for disabling 'ip unreachables' in a production environment but it really caused me some grief in the lab. Best regards, AJ Schroeder
... View more
Herve, That was exactly the issue! I removed that from all the interfaces in my lab and I am able to traceroute between CE routers without issue. The routers were behaving exactly as configured. Thank you very much for the help. AJ Schroeder
... View more
Hello group, I have setup a test lab in GNS3 that will (hopefully) make it into the production network. The goal is to eventually get an Enterprise MPLS/VPN running in the core of the production network and beyond, similar to a service provider. Anyway, in my test lab, I have a setup like this (sorry for the crude drawing): CE-A-----PE-----PE-----CE-B I am using IS-IS as the IGP, MP-BGP to establish the VPN, and both CE-facing interfaces are in the same VRF. I have established BGP peering between CE and PE nodes and I see all "customer" routes with a "sho ip bgp vpnv4 all". So far so good. Where I am running into an issue is with ICMP, namely traceroutes. I cannot traceroute between CE-A and CE-B in either direction, I get as far as the remote PE interface and then the traceroute times out. Debugs of ICMP reveal that I am getting a TTL expired message on the sending CE router so I tried "no mpls ip propogate-ttl" on the PE routers and that didn't make a difference either. I have made sure that CEF is enabled on all routers. In this particular test lab I am using all T1 interfaces as interconnects, but I wouldn't think that MTU would be an issue with ICMP. I've read that this particular configuration is possible without P routers so I take that as I have something messed up somewhere. If someone could please point me in the right direction it would be much appreciated. I have attached my configuration files. Thank you in advance, AJ Schroeder
... View more
Rob, You hit the nail on the head, I stopped the services and removed the two files you described and things are working normally again. I confirmed that our server group did their yearly updates recently and the Microsoft KB that was mentioned in the Cisco bug report was installed on the system. Thank you very much for the help and prompt response! AJ Schroeder
... View more
Hello, Not sure when this started, but I noticed the following error when trying to go to the report generator in RME: CRIN0014: Operation failed while connecting to JRM. Make sure jrm and/or CTMJrmWrapper services are running. I went and made sure all that I downloaded and applied all patches available to Common Services and RME and this did not do anything. The server is connected to ACS and I re-joined them and re-registered all my applications. The other thing I am noticing is when I go to do practically anything in RME that involved the device selector RME shows 0 devices, but in the RME home page I see all 900+ of my devices listed as "normal". This is a weird issue that just came out of nowhere. Has anyone seen behavior like this in the past? Not sure what I would need to post as far as log files, etc. but I can provide them as needed. Any help would be appreciated. Thanks, AJ Schroeder
... View more
Hello group, I have RME 4.1.1 installed and I am attempting to generate either a PSIRT or an End Of Sale/End Of Life report. I start the report from RME->Reports->Report Generator and input all the appropriate information (CCO user/pass, email, etc) and then click "Finish". I get the popup that says to get Report Jobs for the status of the report, and as fast as I can navigate to Report Jobs I see that the job failed. So I check invreports.log and this line stands out in particular: [ Fri Oct 01 13:45:38 CDT 2010 ],ERROR,[main],com.cisco.nm.rmeng.inventory.reports.job.JobExecutor,runReport,773,Authorization failure for ajschroedercom.cisco.nm.rmeng.util.NotAuthorizedUserException: ajschroeder I do have my Ciscoworks server integrated with ACS, so I reregistered my apps with ACS, and restarted ACS and Daemon Manager with no luck, I even applied the patch described in the following doc: https://supportforums.cisco.com/docs/DOC-9080 I am confident that I am missing something, but I have no idea what. I have attached my invreports.log As always, any help would greatly be appreciated, AJ Schroeder
... View more
Here is the error that I get when trying to remove devices from the dcrcli command (this is with the local admin account): Exception in thread "main" com.cisco.nm.dcr.DCRException: Authorization Failed at com.cisco.nm.dcr.LocalDCR.getMatchingDevices(Unknown Source) at com.cisco.nm.dcr.DCRProxy.getMatchingDevices_DIRECT(Unknown Source) at com.cisco.nm.dcr.DCRProxy.getMatchingDevices(Unknown Source) at com.cisco.nm.dcr.DCRcli.performDel(Unknown Source) at com.cisco.nm.dcr.DCRcli.start(Unknown Source) at com.cisco.nm.dcr.DCRcli.main(Unknown Source) I also tried with the system identity account and got rejected as well: Error in Delete Device: User is not authorized to perform the task on device. Hope this helps, AJ Schroeder
... View more
Hello group, Just joined our new Ciscoworks server to our ACS server per the documentation and everything went fine except for the device import from LMS to ACS. Anyway, I have gone through and added a bunch of our devices to ACS manually and now they show up in CS, RME, etc. However, there is now a disproportionate amount of devices that are not in ACS versus devices in ACS. My question is simply, can I remove those devices that are listed as "Not configured in ACS"? I tried to use the dcrcli command from the LMS server, but I get an error resembling a permission denied. Is a purge of devices possible? Many thanks in advance, AJ Schroeder
... View more