
Sunday, December 20, 2009

Weekly Update - Top 5 Tech Support questions on Cisco Systems' products


The most actively discussed Tech Support questions on the web for Cisco Systems' products (Week of Dec 14th 2009)
  1. CM-PUB (10.11.1.110) failed; Errors adding a subscriber to a CM 5.x cluster
  2. Unknown Device Type in Call Manager
  3. Unable to change AD of D EX route
  4. End hosts missing on LMS 3.2
  5. CME 7.1 FXS Conferencing Problem

CM-PUB (10.11.1.110) failed; Errors adding a subscriber to a CM 5.x cluster


We are adding a subscriber to a CM cluster in 5.13. We get the following error/screen
  1. Configuration validation with CM-PUB (10.11.1.110) failed
  2. Could not send/receive UDP packets to publisher on port 8500

Diagnostic Steps
  1. Verify that the versions of CallManager are identical on the Publisher and the new Subscriber, that there is network connectivity between them, and that the name of the Subscriber was added in the Publisher Administration (this is the first step when you go to install the server).
  2. Reboot the publisher and click to pass the error again.
  3. Make sure you create the SUB in the PUB config before installing it.
  4. If you receive errors indicating that DNS doesn't have records for the CCM servers, there could be problems with the DNS config. To work around this issue, install the pub and sub in an isolated VLAN.
  5. Alternatively, move the Publisher and the new Subscriber to a VLAN with no access to the DNS server, and in the installation procedure skip the DNS validation when it says that you cannot reach that server.
  6. You can also try the other option of removing the DNS config on all servers before installing the new subscriber.
  7. Please click here for more details on how to configure DNS server through CLI
  8. If both servers are in the same network and you are using an IPsec tunnel, apply the following command to the WAN interface: crypto ipsec df-bit clear
Citation - This blog post does not reflect original content from the author. Rather it summarizes content that are relevant to the topic from different sources in the web. The sources might include any online discussion boards, forums, websites and others.

Unknown Device Type in Call Manager


Our Campus Manager is not properly identifying one of our switches. The device is a Catalyst 3548 running 12.0(5.2). Management station to device reports it is reachable for both telnet and snmp read and write. The Supported Device Table indicates that this sysObjectID is supported. We are running everything at the latest patch levels. Specifically, our CM is Version 5.2.1 and our CM Device Package is 6.0. Yet, the device remains "unknown".

Diagnostic Steps
  1. The most common cause of unknown devices is the SNMP community string not being set correctly. Verify that it shows up correctly under Common Services > Devices and Credential Management > Device Management: expand All Devices, search for the problematic device, and update the credentials and the SNMP RO and RW community strings.
  2. Then re-run data collection and launch topology services.
If the above steps do not work, get the following information.
  1. Enable debug from data collection under Campus Manager ---> Administration ---> Debugging Options --> Data Collection and select the "topo module".
  2. Also enable Debug under Campus Manager ---> Administration --> Debugging Options --> Topology and change Debug level to "trace".
  3. Start a new data collection.
  4. Launch Topology Map again.
  5. Upload the ani.log file from CSCOpx/log/ani.log
  6. From the Java Console, copy and paste the outputs to a text file.

Unable to change AD of D EX route


We have DDC-WAN-R1 and Core switch. We have a few static routes on Core switch which we have redistributed into EIGRP. DDC-WAN-R1 and Core switch are on EIGRP too. Our target is to modify local EX EIGRP distance on DDC-WAN-R1 which is getting D EX 172.28.20.0/24 from Core.


But our distance on DDC-WAN-R1 is still showing 170. We do not want to change AD of all external EIGRP. We would like to change only for 172.28.20.0.

Unfortunately, you cannot change the AD of an external EIGRP route for a specific network/subnet, unlike an internal route. The only way to change the AD of external EIGRP routes is the distance eigrp command.

EIGRP has its own distance command: distance eigrp internal-distance external-distance

Please click here for further details.


Friday, December 18, 2009

WPA and WPA2 on the same SSID


Can we have wpa and wpa2 on the same SSID available for both kind of users?

While you can enable both it is preferred to select only 1 of them, but if you choose to have both enabled then we recommend that you configure them as follows:
  1. WPA - TKIP Only
  2. WPA2 - AES Only


End hosts missing on LMS 3.2


The End hosts are missing on LMS 3.2. We recently upgraded LMS 2.6 to 3.2 and we have close to 38,000 end hosts. The old CW reflected the correct number of end hosts however the new one is only reporting 28,000 end hosts. When we did down, there are no end hosts collected. There are at least close to 250 switches. All these switches are managed by CM. When we run UT from CM or Device center we got a response "no end host".

Debugging steps
  1. Make sure you're running Campus Manager 5.2.1. If you haven’t upgraded your Campus Manager, please upgrade it immediately. There are a number of UT issues in CM 5.x, and 5.2.1 contains almost all of the recent fixes (Dec'09)
  2. Troubleshooting involves enabling "user tracking" debugging for the User Tracking Server acquisition process. After running a new acquisition, the ut.log contains the details. You would then go through that log looking for errors relating to the missing switches.
  3. Campus > Admin > Debugging Options > User Tracking Server.
  4. Check that the switches show up as green with proper icons on the Campus topology map. The switches must have been data collected before UT will find end hosts on them.
  5. Additionally, collect the output of show run, show ver, show mac, and show int status from one of these switches to debug further.
  6. Lastly, try getting more details from the NMSROOT/campus/etc/cwsi/portData.xml and vlanData.xml files.

Wednesday, December 16, 2009

CME 7.1 FXS Conferencing Problem


We have a Polycom conference phone connected to a FXS port on a 2851 running CME7.1. We have configured the port to be controlled by SCCP via the stcapp command. The phone can make and receive internal and external calls without any issues, but I run into problems when trying to conference 3 parties.
Conferencing doesn't work when an external number is dialed and then another external or internal is dialed. This results in a transfer between the two parties dialed and the originating extension drops out.
On the first call which was successful at 09:03:10.384 there is a SoftKeyEventMessage displayed and two lines down it is detected as a conference softkey.
On the second call which was unsuccessful at 09:05:46.749 there is a SoftKeyEventMessage displayed and two lines down it is detected as a transfer softkey.

Diagnostic Steps
  1. Try to execute a hook flash a second time instead of the conference button.
  2. Check the values under Telephony-Services. If it is configured as "transfer-pattern .T blind", change this to "transfer-pattern .T"; this should solve the problem.


How to configure two Cisco switches (3560) for redundancy? HSRP or VRRP?


We have two 3560 switches at one of our location and we would like to make them redundant. What is the best way to achieve redundancy. What are the pros and cons between Stack and HSRP?

You cannot stack 3560 switches; they do not support Cisco's StackWise technology, which the 3750s support. You can use HSRP or VRRP. They are the preferred method for router redundancy.

Configuration steps to maintain redundancy on the 3560 switches
  1. Use EtherChannels between the switches, bundling more than one gigabit port (to increase capacity and redundancy).
  2. Configure an L2 trunk on the EtherChannel between the switches, to span the VLANs between the 3560 switches.
  3. Configure Layer 3 SVIs for the VLANs on both switches, and configure HSRP/VRRP between the L3 SVIs. For example: VLAN 100 on switch 1 - 192.168.1.1, VLAN 100 on switch 2 - 192.168.1.2, HSRP VIP - 192.168.1.3. Configure preempt etc. on HSRP.
  4. Configure the edge switches (if any) with L2 trunks to these 3560 switches.
  5. Configure the default gateways for the VLANs (say VLAN 100 from the example above) to be the HSRP VIP between the switches (192.168.1.3).
  6. Standardize your configurations on the switches, and use best-practice Layer 2/Layer 3 parameters for best results. For example, you can enable BPDU guard, PortFast, root guard, RSTP etc. on these switches for reliable use of resources.

Please note that HSRP is good, but will only use one switch at a time unless you set-up 2 groups. HSRP is typically used for fail over set-up. Setting up ether channels is a great practice since this will bind the two together.
Please click here for more details to configure HSRP
Please click here for more details to configure VRRP


Friday, December 11, 2009

How to map a FXO trunk line (PSTN) on a DN.


We would like to map a certain FXO trunk line to our extension so any incoming/outgoing call would be to/from our IP Phone. Now we can do something about the incoming calls, redirecting them to our extension using the 'connection plar' but when it comes to outgoing calls, we cannot do this (or don't know) unless we give that voice port a different destination pattern and creating new route pattern for it. If there is any way that this can be achieved with my current H.323 setup or do we have to migrate to something else like MGCP?

Option 1 – Configuring using CSS and PT
You can't have an empty route pattern so:
Create a translation pattern that is empty (that IS permitted), and use the "Called Party Transform Mask" to change the number to 888
Create an 888 route pattern and point it at the gateway - pass all three digits out
On the gateway create a dial-peer with a destination-pattern of 888 - you don't need the digit-strip command since it is on by default.
The gateway should seize the FXO and you should hear dial-tone from the CO.

Option 2 the Gateway
Please click here for details.


CMSUB-ISL-IPT Error Cisco CallManager. Phones registered to different subscriber cannot communicate


We have 4 CUCM in PUB-SUB scenario. PUB and 3 SUBs with cucm 6.0

Everything was working fine but from last few days we are facing an issue. Phones registered with Subscriber A can communicate with phones on Subscriber B and C both. Phones registered to Subscriber B can communicate with subscriber A but not Subscriber C. Phones registered to Subscriber C cannot communicate with subscriber B but they can communicate with subscriber A. There are times when subscriber C phones can communicate with Subscriber B phones but it's very rare. I have verified DB replication status and it's 2. I have tried to insert phones from subscriber C Admin page and it works. There are no latency or packet drops issues between Subscriber to Subscriber and Publisher to subscriber.

Error message in application logs
CMSUB-ISL-IPT Error Cisco CallManager : 26: Dec 10 18:04:19.6 UTC : %CCM_CALLMANAGER-CALLMANAGER-3-SDLLinkOOS: SDL link to remote application out of service. Local node ID:12 Local Application ID.:100 Remote IP address of remote application:10.100.200.12 RemoteNodeID:1 Remote application ID.:100 Unique Link ID.:12:100:1:100 Cluster ID:StandAloneCluster Node ID:CMSUB-ISL-IPT

Debugging options

  1. To rule out any SDL issues, perform a cluster reboot to resync the SDL
  2. If replication is fine look at SDL layers to find out the issue
  3. Look for version mismatches or errors in the app log
  4. There might be a DB replication issue within the cluster. Basically, while the SDL link to that node is out of service - the replication for the entire cluster is considered bad. With the Linux appliance, a reboot typically works but depending on how long the issue has been going on and the trigger for problem, it may not. Look at the utils dbreplication commands. There are some that you run on each server first, see what happens, and then if that doesn't work then you can initiate a repair operation from the publisher server. This is all done via CLI. Note that the repair operation may (and likely will) take quite a while to complete. Once you start it, let it run and wait for it to complete. Then use RTMT to verify DB replication. You can also use command line operation on each server or the Unified Reporting.
  5. Run tests to verify that you don't have an issue at the network level, either logical or physical. For some reason, the Pub might think it can't communicate at the SDL layer with this particular subscriber.
  6. You may also have a bad NIC or failed teaming configuration - there are lots of possibilities
  7. Verify and confirm that there is nothing wrong with the NIC, packet loss over the network, QoS, etc. Other factors could be if this is a subscriber that was recently added to the cluster or if there was a recent upgrade on the nodes that may be causing an issue.

Thursday, December 10, 2009

How to generate Interface Utilisation Report from HUM (LMS 3.2)


We would like to create a report from HUM (LMS3.2) that graphs the TX and RX utilization (and errors if possible) of an interface on my Cisco 6509 switch. Is there a way to do this? How can we generate a report covering a longer period, instead of a set period of time (last 24hrs)?

Steps Involved
  1. Create a poller for your device which monitors all the interfaces you need. You would use the built-in Interface Utilization and Interface Errors templates. Once the poller is running, you can view the poller report under HUM > Reports > Report Management, or you can view the specific Quick Report for interface utilization or errors. You can schedule either of these reports.
  2. You can generate reports covering a longer period by copying a quick report to a new quick report, or by defining a custom report. Then you can specify the date range the report should cover.
  3. Also this can be scheduled. When you copy the Quick Report, the middle pane of the report definition window allows you to schedule it. By default, it runs immediately, but you can schedule it to run daily, weekly, or monthly as well.
  4. Always check to make sure your 3750 is properly configured for SNMP so that the ifTable and ifXTable are readable.



CSDiscovery does not work


Issues with the CSDiscovery process in Common Services 3.3 running on Windows Server 2003. Somehow the process ignores what we have configured as discovery settings.
All that we have configured can be seen stored in the CSDiscovery-config.xml file. But discovery starts and stops immediately and does not discover a single device. Also the information on the summary page does not correspond to the one in the CSDiscovery-config.xml file.

Debugging options

  1. Discovery maintains multiple copies of this file. The file under NMSROOT/conf/csdiscovery is the one used for ad hoc discoveries.
  2. When you schedule a Discovery job, the current settings are copied to the job. However, when you modify the Discovery settings later on, the job config is not changed. Therefore, adjust the Discovery settings to your liking in the GUI, then delete all currently scheduled Discovery jobs. Then start a new Discovery, and see if it does what you want.
  3. The screens might reflect some old LMS 3.1 information. Try doing the following:
     * Shut down Daemon Manager
     * Delete all files and directories under NMSROOT/MDC/tomcat/work/Standalone/localhost
     * Restart Daemon Manager
  4. To rule out any browser-cache related issues, try viewing the discovery settings from a new client.



Wednesday, December 9, 2009

The user receives the " %VPN_HW-1-PACKET_ERROR:slot: 0 errors " error message

Our users get this error message when VPN service module is used on a Cisco router with IOS version 12.4

Resolution

Verify the cause of the problem by disabling the cef switching by issuing these commands:
(conf)# no ip cef
(conf-if)# no ip route-cache
(conf-if)# no ip mroute-cache

For a workaround, change these settings:
the tcp adjust-mss value on the interfaces
the crypto ipsec df-bit setting

This is a notification message seen on the console of the decrypting peer that tells the user that IPSec packets have been received out of order.

These are the reasons for this message:
  1. Fragmentation. Fragmented crypto packets are process switched. This forces the fast-switched packets to be sent to the VPN card ahead of the process-switched packets. If enough fast-switched packets are processed ahead of the process-switched packets, the ESP or AH sequence number for the process-switched packet will get stale, and when the packet arrives at the VPN card, its sequence number is outside of the replay window. This causes either the AH or ESP sequence number errors, depending on which encapsulation you are using.
  2. Stale cache entries. This instance can also occur when a fast-switch cache entry gets stale, and the first packet with a cache miss gets process switched.
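
The reordering described above, modelled as an added example (not from the original post or from Cisco): a receiver-side anti-replay sliding window in the style of RFC 4303, fed with packets whose fragmented members are overtaken by later fast-switched packets. The 64-packet window, the function names and the sample sequence numbers are assumptions made for the illustration.

```python
"""Added example: IPsec anti-replay window versus slow-path reordering."""
from collections import Counter

WINDOW = 64  # assumed replay window size for this example


class AntiReplayWindow:
    """Receiver-side sliding window over ESP/AH sequence numbers."""

    def __init__(self, size=WINDOW):
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (highest - i) was seen

    def check(self, seq):
        """Return 'accepted', 'replay', 'stale' or 'invalid'; update the window."""
        if seq < 1:
            return "invalid"
        if seq > self.highest:                      # window slides forward
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return "accepted"
        offset = self.highest - seq
        if offset >= self.size:                     # left of the window: too old
            return "stale"
        if self.bitmap & (1 << offset):             # already seen: a true replay
            return "replay"
        self.bitmap |= 1 << offset                  # late, but still in the window
        return "accepted"


def arrival_order(total, fragmented, overtaken_by):
    """Order in which the decrypting peer's crypto engine sees packets 1..total.

    Sequence numbers in `fragmented` take the process-switched path and are
    overtaken by `overtaken_by` later fast-switched packets (constructed model).
    """
    def key(seq):
        return seq + overtaken_by + 0.5 if seq in fragmented else seq
    return sorted(range(1, total + 1), key=key)


def verdicts(total, fragmented, overtaken_by, window=WINDOW):
    """Count the window's verdicts for one simulated packet stream."""
    win = AntiReplayWindow(window)
    return Counter(win.check(s) for s in arrival_order(total, fragmented, overtaken_by))


if __name__ == "__main__":
    fragmented = {10, 200, 201}   # constructed sample: three fragmented packets
    for lag in (8, 63, 64, 120):
        print(f"overtaken by {lag:3d} packets -> {dict(verdicts(400, fragmented, lag))}")
```

A fragmented packet overtaken by fewer packets than the window size is still accepted; once the lag reaches the window size it is rejected as stale even though it was never seen before, which is the sequence number error the decrypting peer logs.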


Tuesday, December 8, 2009

OSPF not working on new link


Currently we have ospf running on our network between R1,R2+R3(linear - See diag), ospf is configured on each router to use loop address(/32) as its router-id. We introduced a link between R1+R3, and ospf is not working - we see R1 + R3 sending hellos via the new link, but not receiving any reply over this new link(ping connectivity is working fine) - our guess is that the routes for the loop addresses that ospf is using as router-id, are currently learnt via ospf via R2, and this is causing ospf on the new link to fail? We have confirmed that ospf is definitely enabled on the new interfaces, and have disabled passive interface on them.

Debugging options
  1. If you issue 'show ip ospf interface', you should see the network OSPF type - if it set to NON-BROADCAST, you must configure a neighbor statement under the OSPF process or change the OSPF network to 'broadcast' or 'point-to-point'.
  2. If you have MD5 enabled, try disabling MD5 and see if OSPF comes up; if it does, make sure the same MD5 password is entered on both devices.
  3. MTU mismatch can affect adjacencies.
  4. You can try the 'ip ospf mtu-ignore' command or make sure the MTU matches on the neighbors.
  5. Both of your routers may think they are the DR and you are using a /30 address as IP address for both sides. Confirm and check if anything is blocking the OSPF multicast address. You can try to change it to unicast. int xxxx ; ip ospf network non-broadcast ; router ospf xx ; neighbor x.x.x.x
  6. Try by setting priority in one interface. This will make one Router as DR , another with lowest priority as BDR. interface XXXX ; ip ospf priority X (range value 0-255)
  7. Try to configure both the interface as OSPF Point to Point. interface XXXX ; ip ospf network point-to-point

How do you automatically shut down FastEthernet port when flooding occurs?


We have a cisco 3550 24 port switch. We would like to configure our fast Ethernet such that when flooding occurs through any of the Fast Ethernet port then a port automatically shuts down. Subsequently then the port is re-started after few minutes automatically. We have to set re-start timing on the port or disable the port so it does not affect the other Fast Ethernet ports.

Options
  1. storm-control can help, but it drops traffic exceeding a threshold; it doesn't put the port in shutdown.
  2. You can also think of using another related feature called block flooding that allows you to drop multicast and unknown unicast.
Both features work inbound on received traffic. The commands to set broadcast storm-control at 1% on a FastEthernet port on a Cisco 3550 switch are listed below.

int fas0/x

storm-control broadcast level 1

Click here to read more details on “Blocking flooded traffic on an Interface”


Catalyst Express 500 - How to modify advanced settings


What is the path to modify advanced settings through the browser e.g. http://switchname/en/privilege/15/ etc. We would like to modify more settings that are not displayed in the main GUI.

Options

There are two ways to accomplish this -
  1. "http://IP_address/exec/cli" this will give you the cli interface of the switch
  2. If you want a GUI then download CNA on the computer that will give you more options to configure the switch. Please click here to download it.

Monday, December 7, 2009

Cisco 7206 in boot mode


We installed (NPE-G2) card on 7206VXR when we rebooted we lost the config. Our router displays router(boot)#

The "router(boot)#" prompt means that the router has a corrupt Cisco IOS image or has lost it. Please make sure that you have the correct IOS on the PCMCIA for the processor, for example:

  1. c7200p-xxxx-xxxx.bin (where p is for NPE-G2)
  2. c7200-xxxx-xxxxx.bin this is for a NPE-G1 processor card


Thursday, December 3, 2009

CUCM 7.1(3) TFTP Auth Fail. 7941G stuck in firmware upgrade loop.


We have a brand new 7941G phone that we attempted to change from SCCP to SIP for testing. We placed the contents of the firmware zip file into a tftp directory and pointed DHCP option 66 to that tftp server and started the upgrade process. The phone grabbed the term41.default.loads file several times over several reboots but now it appears to be stuck in a loop. It no longer tries to pull any files from the tftp server, it just sits with the upgrading screen and then occasionally reboots itself.

Debugging Steps
  1. Please confirm the Firmware rev loaded on the TFTP server. You cannot go straight to 8.5.3. You will need to have 8.5.2, 8.5.2 SR1 and 8.5.3 all on the TFTP server, with the loads file from 8.5.2 having overwritten the others on the TFTP server.
  2. Does the phone display the Cisco splash screen with a circle with a dot in it at the bottom left-hand side, and after a short while show Auth Fail? If so, the phone is unable to find a suitable firmware version.
  3. Download the 8.5.2 and 8.5.2SR1 firmware and put them on your TFTP server (copying 8.5.2 last, so the correct term41.default.loads file is present).
  4. Remove the voice VLAN, then configure the access VLAN with the voice VLAN number, so that the same voice VLAN number is used as the access VLAN.
  5. IP addressing assigned by DHCP should have been the same.
  6. Once the firmware loads correctly, the access vlan and voice vlan can be configured to the original settings.
  7. The phone should then be able to upgrade to 8.5.2, then 8.5.2SR1 and finally to 8.5.3.


6509 VSS failover issues


We have configured a 6509 VSS to test our failover scenarios. There is a primary and a secondary switch for backup purposes. To simulate the testing, first we shut down the primary switch and we noticed that all the traffic is going through the secondary switch. Then we restarted the primary switch. But now we observe that the secondary switch is restarting all the ports. It takes 50 sec to come back resulting in a down time. Any pointers to what the issue could be? We use BFD for dual active detection.

Debugging steps
  1. Delete priority and preemption, save your config and test again
  2. Remove priority and preemption
  3. Make sure to SAVE the config
  4. Now reboot again and test
In a scenario where you do not have priority and preemption, if you reboot both switches at the same time, switch-1 will always be the primary and switch-2 is the back up where you don't have access to make any config changes.


Buffering in line card 6748 vs 6148A. Criteria for the right design.


What are the specific differences in the buffering on these 2 cards? Specifically, the 6748 card has a lower per-port tx (1.2 or 1.3Mb) buffer than the 6148A card (5.2 Mb). We would like to know how this affects the 6148 card and why it is better to use the 6748 in a high bandwidth environment (assuming we take out the DFC). The 6148A is a classic line card and as such would use the classic bus whereas the 6748 card would use the 2 x 20Gb connection to the fabric, but doesn't the per port buffering become critical if there is a large amount of traffic rate?

The data contention will occur on the backplane, not on egress. On egress, you will be connected to a device that will perform line rate data, thus buffering will have minimum use. That's one reason why you see these values being so low. Depending on your requirements, if you have a Sup720, a 6748 would be sufficient. But if you only have a Sup32 then the 6148 line card becomes mandatory.

In the Catalyst 6500 architecture, access into the switch fabric itself is almost never the bottleneck. Rather, on the transmit side, one or several ports are the likely destination for a majority of the packets entering the switch. As such, the receive-side port buffers on the Ethernet modules are relatively small compared to the transmit-side port buffers.

Click here to learn more about the Buffers, Queues & Thresholds on Catalyst 6500 Ethernet Modules

The 6148 does not have a connection to the switch fabric, it connects to the Supervisor via the bus (32Gbps shared connection). The 67xx modules have access to the switch fabric.

Buffers add latency into the data flow. You don't want latency in a switched network so large buffers in a line card can be counterproductive. While large buffers in the classic line card can be a marketing ploy for competitive reasons, classic line cards are often targeted for workstation connections. You don't want large buffers & latency while connecting to servers and inter switch links - you want the packet to have the same latency and speed entering and exiting a switch hardware. To mitigate the lack of buffers, it is often recommended to configure flow-control.


Wednesday, December 2, 2009

VPN user authenticated but cannot ping inside interface


We currently have a pair of PIX 515e's that are being replaced. We have the ASA here in the office and we are trying to get as much configuration done as possible before we move it into production. At the office we are behind a cable modem and the IP of that device is set as the default route in our ASA when we do our testing.

When it's time to test we connect the cable modem to the outside interface and our laptop to the inside interface and begin testing.

We authenticate and connect with the VPN client and we can ping our laptop that we have connected directly to the inside interface on the ASA but we are unable to ping the inside interface. The log shows a build-up and tear-down of the ICMP requests but we still get no response on the VPN client side. It seems like the traffic isn't making it back out to the VPN tunnel.

Configure "management-access inside"; you can then access/ping the inside interface over a VPN tunnel.

Without this command you can only access the inside interface from the inside.

Apart from ping this will also enable you to telnet to the inside interface over the tunnel, and use ASDM.
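The setting above in the context of the per-protocol statements that go with it, as an added example (not taken from the original discussion). The 192.168.50.0/24 VPN client pool is a constructed value; substitute the pool actually assigned to your VPN clients.

```cisco
! Added example. 192.168.50.0/24 is a constructed VPN client address pool.
! Only one interface can be named by management-access at a time.
management-access inside
!
! Telnet, SSH and ASDM (HTTPS) are each still gated by their own
! source/interface statement; management-access only allows those
! sessions to arrive through the tunnel on a non-ingress interface.
!
! As described on the page (Telnet over the tunnel):
telnet 192.168.50.0 255.255.255.0 inside
!
! SSH and ASDM scoped to the same pool:
ssh 192.168.50.0 255.255.255.0 inside
http server enable
http 192.168.50.0 255.255.255.0 inside
!
! Verify what is configured:
show running-config management-access
show running-config telnet
show running-config ssh
show running-config http
```

Scoping each statement to the VPN pool keeps the inside interface from answering management sessions sourced from any other tunnelled network.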


How to remove a Line from Cisco 6500


Here is our configuration

spanning-tree mode rapid-pvst
spanning-tree extend system-id
no spanning-tree vlan 200,210,220,230,240,250,300,310,320,330,340
spanning-tree vlan 1-2,100,110,120,130,140,150 priority 24576
spanning-tree vlan 200,210,220,230,240,250,300,310,320,330,340 priority 28672
diagnostic bootup level minimal

We don't want to have the second spanning-tree vlan line to show up at all. We did the "no" command but it just added another line of code.

Try this in config mode:

no spanning-tree vlan 200,210,220,230,240,250,300,310,320,330,340 priority 28672

spanning-tree vlan 200,210,220,230,240,250,300,310,320,330,340

This should resolve it.


Friday, November 27, 2009

Issues setting up Cisco 2811 as a terminal server


We have trouble setting up a Cisco 2811 as a terminal server using HWIC16A card and an octal cable. For some of the lines it works, and for some of the lines it does not. Every line has been set up the same.

The “show line” command results in the following error message –
Line(s) not in async mode -or- with no hardware support: 20-513

The first 10 lines are able to connect, but we are not able to connect to the 11th line. The following is the error message:
Router3#telnet 10.10.10.109 2012
Trying 10.10.10.109, 2012 ...
% Connection refused by remote host

Debugging options

1. Make sure that all the ports on the HWIC-16A card use the proper flow control, and also make sure that the devices connected to the octal cable are using the same method of flow control as well.
2. In the configuration of the HWIC lines, use the no exec command. The reason is that if any message is sent from the attached devices to the HWIC card (such as a logging message) while there is no session running on that port, the router with the HWIC card will start an EXEC session for that port, thereby disabling the option to reverse telnet to that port.


Wednesday, November 25, 2009

Cat 6500 boot problem - Rommon NVRAM area is corrupted


This issue is with a Catalyst 6500 that contains two WS-SUP720 supervisors. When we try to boot the supervisors up, they show these messages:
FW[Mod 06]: sso_set_reg: ERR sso 2: reg 0x05 value 0x08 rc 0x80
FW[Mod 06]: sso_set_reg_direct: ERR sso 2: reg 0x47 value 0xA0 rc 0x80
FW[Mod 06]: sso_set_reg: ERR sso 2: reg 0x04 value 0x01 rc 0x80
FW[Mod 06]: sso_set_reg: ERR sso 2: reg 0x05 value 0x08 rc 0x80
*** System received a Software forced crash ***
signal= 0x17, code= 0x24, context= 0x44ae0504
PC = 0x41d73e94, SP = 0x4309e108, RA = 0x4106fad8
Cause Reg = 0x00003820, Status Reg = 0x34008002

I tried to boot with another IOS image from the flash memory but it didn't solve the problem.

The output of the context command is:
rommon 4 > context
context: kernel context is not valid

Debugging options
  1. Please confirm and check that there is a bootldr file present with the "set" command
  2. Try to force the Sup to load with the "boot" command
  3. If the IOS image file is corrupt it will fail to boot. Try to ftp a new image down from rommon
  4. If the bootldr is lost then it needs to be replaced with a new image file via xmodem.

Click here to access the document that describes how you can recover from corrupt/lost IOS image (stuck in rommon) or how to recover if you have a corrupt/lost bootldr image file.
