
Friday, November 27, 2009

Issues setting up Cisco 2811 as a terminal server


We have trouble setting up a Cisco 2811 as a terminal server using an HWIC-16A card and an octal cable. For some of the lines it works, and for some of the lines it does not. Every line has been set up the same.

The “show line” command results in the following error message:
Line(s) not in async mode -or- with no hardware support: 20-513

The first 10 lines are able to connect, but the 11th line is not. The following is the error message:
Router3#telnet 10.10.10.109 2012
Trying 10.10.10.109, 2012 ...
% Connection refused by remote host

Debugging options

1. Make sure that all the ports on the HWIC-16A card use the proper flow control, and that the devices connected to the octal cable use the same flow-control method.
2. Configure the no exec command on the HWIC lines. If an attached device sends anything to the HWIC card (such as a logging message) while no session is running on that port, the router starts an EXEC session on that port, which blocks reverse telnet to it.

Citation - This blog post does not reflect original content from the author. Rather it summarizes content that are relevant to the topic from different sources in the web. The sources might include any online discussion boards, forums, websites and others.

Wednesday, November 25, 2009

Cat 6500 boot problem - Rommon NVRAM area is corrupted


This issue is with a Catalyst 6500 that contains two WS-SUP720 supervisors. When we try to boot the supervisors, they show these messages:
FW[Mod 06]: sso_set_reg: ERR sso 2: reg 0x05 value 0x08 rc 0x80
FW[Mod 06]: sso_set_reg_direct: ERR sso 2: reg 0x47 value 0xA0 rc 0x80
FW[Mod 06]: sso_set_reg: ERR sso 2: reg 0x04 value 0x01 rc 0x80
FW[Mod 06]: sso_set_reg: ERR sso 2: reg 0x05 value 0x08 rc 0x80
*** System received a Software forced crash ***
signal= 0x17, code= 0x24, context= 0x44ae0504
PC = 0x41d73e94, SP = 0x4309e108, RA = 0x4106fad8
Cause Reg = 0x00003820, Status Reg = 0x34008002

I tried to boot another IOS image from the flash memory, but it didn’t solve the problem.

The output of the context command is:
rommon 4 > context
context: kernel context is not valid

Debugging options
  1. Confirm that a bootldr file is present using the "set" command.
  2. Try to force the Sup to load with the "boot" command.
  3. If the IOS image file is corrupt, it will fail to boot. Try to FTP a new image down from rommon.
  4. If the bootldr is lost, it needs to be replaced with a new image file via xmodem.

Click here to access the document that describes how you can recover from corrupt/lost IOS image (stuck in rommon) or how to recover if you have a corrupt/lost bootldr image file.


Cisco 6500 DFC Mismatch Minor error


The Ten Gig module does not come up when we install it in the 6500 chassis. When we execute “show module” we get a status of “PwrDown”. The following message is also displayed.

C6KENV-SP-2-DFCMISMATCHMINOR: Module 7 DFC installed is incompatible with system operating mode. Power denied.

Debugging options
  1. If the PFC mode is 3C and you try to insert a module with DFC type 3B, you will get this error.
  2. Reboot the 6500 switch to solve this problem, but be aware that there may be performance degradation as a result. Also, click here to read details about the compatibility issues between PFC, DFC and CFC cards.

Tuesday, November 24, 2009

How to setup Hunt Group to work for a specific time.


Example - A group of extensions have call forward busy / no answer on their UDP profiles set to the hunt pilot. This works 24 hours a day. How can we configure the hunt group to stop working after 6pm, so that any calls for an extension go straight to voicemail?

This can be achieved with time-of-day routing, using a time schedule and time periods.

Steps for configuration
  1. Put the existing hunt pilot in a time-schedule partition. This partition should define the time period during which you want it active.
  2. Create another DN with the same hunt pilot number but a different partition.
  3. Set Call Forward All to voice mail on this DN.
  4. Make sure that the time-schedule partition comes first in the CSS assigned to your IP phones.

CUE will not sync time with CME


We currently have a UC520 system on which the CUE time is incorrect by 5 hours. We have set the time with both Configuration Assistant (the most current version) and from the command line. Last night we also attempted to set the NTP server while logged into CUE and got the message that follows:

UC500-CUE(config)> ntp server 192.168.10.1
WARNING!!! Could not reach 192.168.10.1 using NTP

Debugging options
  1. Try to ping 192.168.10.1 from the CUE module.
  2. Check your timezone in CUE.
  3. Check for the "ntp master" command in CME.
Check to make sure there are no routing issues from your CME to the Internet; if there are, your CME will not be able to contact an outside time source. You can set routes on your router/firewall to fix this. You need to be able to ping 192.168.10.1 from CUE. Verify and use the following config in your CME:
  • ntp master
  • ntp update-calendar
  • ntp server 66.96.30.35
As for the CUE config, make sure you have the following in place:
  • no ntp server 10.1.10.1
  • no ntp server 192.168.10.1
  • ntp server 192.168.10.1 prefer
After this is in place, restart CUE and your time will sync with the CME time.


Monday, November 23, 2009

How to configure the router to NAT the traffic destined for the VPN tunnel and still access the Internet using the dynamic NAT on FastEthernet0/1?


We have a server with an IP address of 192.168.1.9 that needs to access a remote subnet of 192.168.50.0/24, across the Internet. However, before the server can access the remote subnet, the server's IP address needs to be NAT'ed to 10.1.0.1 because the remote VPN gateway (which is not under our control) provides access to other clients that have the same subnet addressing that we do on our LAN.

We have a Cisco 2801 (running c2801-advsecurityk9-mz.124-15.T9.bin) configured to do the NAT. This is the only gateway on our network.

When the server (192.168.1.9) attempts to ping devices on the 192.168.50.0/24 subnet, the VPN tunnel is successfully established. However, after that, the server is no longer able to access the Internet because the NAT translation for 192.168.1.9 has changed from the external IP of the router (FastEthernet0/1) to 10.1.0.1.

Instead of using a NAT pool, translate only the VPN-bound traffic with a route-map-conditioned static NAT and let everything else use the dynamic overload on FastEthernet0/1:
192.168.1.9 -- 10.1.0.1 >> 192.168.50.x
access-list 102 permit ip host 192.168.1.9 192.168.50.0 0.0.0.255
route-map RM-STATIC-NAT permit 10
 match ip address 102
ip nat inside source static 192.168.1.9 10.1.0.1 route-map RM-STATIC-NAT extendable
access-list 101 deny ip host 192.168.1.9 192.168.50.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 101 interface FastEthernet0/1 overload
Note that the VPN (crypto) access-list must then use 10.1.0.1 as the source address.
Whenever you change NAT rules, clear the existing NAT translations for the address or subnet the rule covers, so that the router builds fresh translations that take all configured ip nat rules into account.
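As an added illustration (not code from the post or from IOS), the following Python models how the two rule sets above are evaluated for a packet, and contrasts it with the unconditional static NAT that caused the original problem. The outside address of FastEthernet0/1 is not given in the post, so 203.0.113.1 is a placeholder.

```python
import ipaddress

# Placeholder for the router's outside address (not stated in the post).
OUTSIDE_IP = "203.0.113.1"
SERVER = "192.168.1.9"
VPN_NAT_ADDRESS = "10.1.0.1"


def _wild_match(addr, base, wild):
    """IOS wildcard-mask test: address bits where the wildcard has a 0 must match."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_permits(acl, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, s_addr, s_wild, d_addr, d_wild in acl:
        if _wild_match(src, s_addr, s_wild) and _wild_match(dst, d_addr, d_wild):
            return action == "permit"
    return False


ANY = ("0.0.0.0", "255.255.255.255")
HOST_SERVER = (SERVER, "0.0.0.0")
REMOTE_SUBNET = ("192.168.50.0", "0.0.0.255")
LAN = ("192.168.1.0", "0.0.0.255")

# access-list 102 permit ip host 192.168.1.9 192.168.50.0 0.0.0.255   (route-map match)
ACL_102 = [("permit", *HOST_SERVER, *REMOTE_SUBNET)]
# access-list 101 deny ip host 192.168.1.9 192.168.50.0 0.0.0.255
# access-list 101 permit ip 192.168.1.0 0.0.0.255 any                  (overload on Fa0/1)
ACL_101 = [("deny", *HOST_SERVER, *REMOTE_SUBNET), ("permit", *LAN, *ANY)]


def translate(src, dst):
    """Source address after NAT with the route-map-conditioned static entry."""
    # The static entry is consulted first, but the route-map restricts it to VPN-bound traffic.
    if src == SERVER and acl_permits(ACL_102, src, dst):
        return VPN_NAT_ADDRESS
    # Everything else from the LAN is overloaded onto the outside interface.
    if acl_permits(ACL_101, src, dst):
        return OUTSIDE_IP
    return None  # not an inside host as far as NAT is concerned


def translate_unconditional(src, dst):
    """Behaviour described before the fix: a plain static NAT for the server rewrites
    all of its traffic to 10.1.0.1, so its Internet access breaks."""
    if src == SERVER:
        return VPN_NAT_ADDRESS
    if acl_permits(ACL_101, src, dst):
        return OUTSIDE_IP
    return None
```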


Cisco BGP inherits the metric value from IGP into the MED attribute


We have an eBGP peering with my client. I send only specific routes to the eBGP peer by using the network command in BGP. We receive those prefixes through OSPF in our route table. We don’t redistribute those routes into BGP, but use the network command to advertise them in BGP.

Whenever these prefixes are sent out to our eBGP peer, it takes the IGP metric value and attaches it as the MED value. This is affecting the route selection of our client, who is in an MPLS cloud. How can this be rectified?

If a route injected into BGP (using either the 'network' or the 'redistribute' command) comes from an IGP, the MED is derived from the IGP metric, and the route is advertised to the eBGP neighbor with that MED.
Set an explicit metric on all routes sent to the neighbor. This can be done with an outbound route-map:
route-map set_metric permit 10
 ! matching criteria for route filtering here if needed
 set metric <value>
router bgp yourASN
 neighbor <ebgp-neighbor-ip-address> route-map set_metric out

Click here for more documentation on the process.

Another option is to inject routes into BGP using the 'aggregate-address' command, in which case the MED is not set.


Friday, November 20, 2009

Top 5 Tech Support questions on Cisco Systems' products


The most actively discussed Tech Support questions on the web for Cisco Systems' products (Nov 20th 2009)
  1. Ciscoworks LMS 3.2 Windows Device Center Missing Information
  2. Cannot Launch Easy VPN Server Wizard from SDM
  3. RICS0001:Internal Error in Cisco Call Manager
  4. DFM notifications in Cisco 2811 router issues
  5. The Cisco 1721 router is not saving configuration

Ciscoworks LMS 3.2 Windows Device Center Missing Information


The device center is missing informational links that used to be there. Is there any way to restore a default setting or add them back? For example, under Summary, there is no Last Archived Configuration or Last Inventoried information. Under Management Tasks, only one thing is listed. There used to be sync archive, reports and several other informational links. This happened to all devices, but the information is still available by going to other applications. This change occurred when we upgraded RME to version 4.3.1.

The PIDM database still has the devices linked to RME 4.3, but the version of RME is now 4.3.1. The fix requires an SQL query to be run against the cmf database. If you need additional help to perform this function, contact Cisco TAC and they can walk you through the steps. The other workaround is to delete all the devices from DCR and rediscover them.


DFM notifications in Cisco 2811 router issues


We are working on making adjustments to email notifications. We are getting backup activate notifications from a c2811 router with an ISDN T1 connection every time a phone call is established. We had to completely remove the device from DFM monitoring to prevent email floods; our preference is to monitor this device for other activity and disable these false alerts. How can we accomplish this?

This can be accomplished by disabling this event for a specific group of interfaces. To do this
  1. Go to DFM > Configuration > Polling and Thresholds > Managing Thresholds.
  2. Select DFM > System Defined Groups > Interface Groups > Backup.
  3. Click View, then click View Interfaces.
  4. You should see your 2811 interfaces here. If so, exit this window, then click the Edit button.
  5. Check the box to disable all thresholds for this group.
  6. Save your changes, then go to Apply Changes under Polling and Thresholds, and you should be set.

The Cisco 1721 router is not saving configuration after I switch off


The most common reason for a router not saving its config is that its config register has been set to ignore the startup config (typically a setting of 0x2142). The best way to check the setting is through the show version. If the config register is set to 0x2142, then use the config command config-register 0x2102 to fix it.


Thursday, November 19, 2009

What happens to traffic/spanning-tree when a link in an etherchannel fails?


If a single physical interface that is a member of the EtherChannel fails, traffic is redirected to the remaining physical link(s) and the EtherChannel stays active. Removing a physical link from an EtherChannel bundle changes the bandwidth of the entire bundle and therefore the link cost of the port-channel interface. If the port-channel interface was the root port, the root path cost of the switch increases. As a result, spanning tree on that switch or on other switches may select a different root port, depending on the topology of the network.


Wednesday, November 18, 2009

Steps to recover the password on the Cisco router 1700 series without losing its configuration


1. Attach a terminal or PC with terminal emulation to the console port of the router. Use these terminal settings: 9600 baud rate, No parity, 8 data bits, 1 stop bit, No flow control

2. If you can access the router, type show version at the prompt, and record the configuration register setting. See Example of Password Recovery Procedure in order to view the output of a show version command. Note: The configuration register is usually set to 0x2102 or 0x102.

3. Use the power switch in order to turn off the router, and then turn the router back on. Important Notes: In order to simulate this step on a Cisco 6400, pull out and then plug in the Node Route Processor (NRP) or Node Switch Processor (NSP) card. In order to simulate this step on a Cisco 6x00 with NI-2, pull out and then plug in the NI-2 card.

4. Press Break on the terminal keyboard within 60 seconds of power up in order to put the router into ROMMON. If the break sequence does not work, refer to Standard Break Key Sequence Combinations During Password Recovery for other key combinations.

5. Type confreg 0x2142 at the rommon 1> prompt in order to boot from Flash. This step bypasses the startup configuration where the passwords are stored.

6. Type reset at the rommon 2> prompt. The router reboots, but ignores the saved configuration.

7. Type no after each setup question, or press Ctrl-C in order to skip the initial setup procedure.

8. Type enable at the Router> prompt. You are in enable mode and should see the Router# prompt.

9. Type configure memory or copy startup-config running-config in order to copy the nonvolatile RAM (NVRAM) into memory. Important: Do not type copy running-config startup-config or write. These commands erase your startup configuration.

10. Type show running-config. The show running-config command shows the configuration of the router. In this configuration, the shutdown command appears under all interfaces, which indicates all interfaces are currently shut down. In addition, the passwords (enable password, enable secret, vty, console passwords) are in either an encrypted or unencrypted format. You can reuse unencrypted passwords. You must change encrypted passwords to a new password.

11. Type configure terminal. The hostname(config)# prompt appears.

12. Type enable secret in order to change the enable secret password. For example: hostname(config)#enable secret cisco

13. Issue the no shutdown command on every interface that you use. If you issue a show ip interface brief command in privilege EXEC mode, every interface that you want to use should display up up. For example: Router#show ip interface brief

14. Type config-register configuration_register_setting, where configuration_register_setting is either the value you recorded in step 2 or 0x2102. For example: hostname(config)#config-register 0x2102

15. Press Ctrl-z or type end in order to leave configuration mode. The hostname# prompt appears.

16. Type write memory or copy running-config startup-config in order to commit the changes.
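The configuration register values in the 1721 post above and in steps 2, 5 and 14 of this procedure differ only in bit 6 (0x40), the "ignore NVRAM" bit. As an added example (not from the post or from Cisco), this Python decodes a register value, derives the recovery and restored values, and audits a show version line so a router accidentally left at 0x2142 (booting without its saved passwords and config) is flagged. The bit layout is assumed from Cisco's documented register format; the sample lines are constructed.

```python
import re

# Bits of the 16-bit configuration register used here (assumed from Cisco's documented layout).
BOOT_FIELD_MASK = 0x000F   # bits 0-3: 0 = stay in ROMMON, 1 = boot helper image, 2-F = boot system / flash
IGNORE_NVRAM = 0x0040      # bit 6: ignore startup-config in NVRAM (what "confreg 0x2142" sets)
BREAK_DISABLED = 0x0100    # bit 8: ignore the Break key once IOS is running

# Matches the show version line, with the optional "(will be ... at next reload)" suffix.
VERSION_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?"
)


def parse_config_register(show_version_line):
    """Return (current, next) register values; next equals current when no change is pending."""
    m = VERSION_RE.search(show_version_line)
    if not m:
        raise ValueError("no configuration register found in line")
    current = int(m.group(1), 16)
    pending = int(m.group(2), 16) if m.group(2) else current
    return current, pending


def decode_config_register(value):
    """Describe the boot behaviour encoded in a register value."""
    boot = value & BOOT_FIELD_MASK
    if boot == 0:
        boot_desc = "stay in ROMMON"
    elif boot == 1:
        boot_desc = "boot helper image from ROM"
    else:
        boot_desc = "boot per 'boot system' commands, else first image in flash"
    return {
        "boot": boot_desc,
        "ignores_startup_config": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
    }


def recovery_register(value):
    """Value entered at ROMMON in step 5: the recorded register with bit 6 set (0x2102 -> 0x2142)."""
    return value | IGNORE_NVRAM


def restored_register(value):
    """Value for step 14: bit 6 cleared so the router loads startup-config again (0x2142 -> 0x2102)."""
    return value & ~IGNORE_NVRAM & 0xFFFF


def startup_config_will_load(show_version_line):
    """Audit check: False means the next boot ignores NVRAM, i.e. the saved config and
    its passwords will not be applied (the symptom in the 1721 post)."""
    _current, pending = parse_config_register(show_version_line)
    return (pending & IGNORE_NVRAM) == 0


# Constructed sample lines (not device output from the page).
SAMPLE_RECOVERED = "Configuration register is 0x2142"
SAMPLE_PENDING_FIX = "Configuration register is 0x2142 (will be 0x2102 at next reload)"
```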

Click here for detailed documentation from Cisco



Tuesday, November 17, 2009

Cannot Launch Easy VPN Server Wizard from SDM


We have an 837 and also an 877 set up in two different locations and seem to have the same issue with both...the issue is that I cannot launch the wizard even though the button is available... I press the button and nothing happens.

Make sure both IOS images support Easy VPN.
Also -- make sure Java is properly installed on your system and that you aren't popup-blocking the configuration window for EasyVPN.
Latest SDM requires your client to support:
Firefox 1.0.6 and later versions
Internet Explorer 5.5 and later versions
Netscape 7.1 and 7.2
Cisco SDM 2.4.1 requires Sun Java Runtime Environment (JRE). The following versions are supported:
JRE 1.5_09
JRE1.4.2_08
JRE 1.5.0_06
JRE 1.5.0_07

If you have already installed Java, try uninstalling Java 6 Update 15 and 7. The only Java that should remain is Java 5 Update 16. The wizard should then launch properly in SDM.


Commands to determine the amount of TCP users that are hitting the firewall.


The show xlate detail command displays the following information:
{ICMP|TCP|UDP} PAT from interface:real-address/real-port to interface [acl-name]:mapped-address/mapped-port flags translation-flags
NAT from interface:real-address/real-port to interface [acl-name]:mapped-address/mapped-port flags translation-flags

The show conn command displays all active connections:
show conn [count] | [detail] | [protocol tcp | udp | protocol] [{foreign | local} ip [-ip2]] [netmask mask]] [{lport | fport} port1 [-port2]]
show conn state [up] [,conn_inbound][,ctiqbe][,data_in][,data_out][,dump][,finin] [,finout][,h225][,h323][,http_get][,mgcp][,nojava][,rpc][,sip][,skinny][,smtp_data]
[,smtp_banner] [,sqlnet_fixup_data][,smtp_incomplete]
This lists all TCP connections through the firewall but does not give a count; you can paste the output into Excel to count them.

show local-host | include TCP flow count
This shows the distinct TCP connection count for each host; adding the counts together gives the aggregate.
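Rather than adding the per-host counts up in Excel, the full show local-host output can be parsed. The following Python is an added example, not code from the post or from Cisco; it works on the unfiltered output (the include filter drops the host lines) and the sample output is constructed to approximate the PIX/ASA format.

```python
import re

# Constructed sample approximating "show local-host" output (not captured from a device).
SAMPLE_LOCAL_HOST = """\
local host: <192.168.1.10>,
    TCP flow count/limit = 3/unlimited
    TCP embryonic count to host = 0
    UDP flow count/limit = 1/unlimited
local host: <192.168.1.11>,
    TCP flow count/limit = 12/unlimited
    TCP embryonic count to host = 2
    UDP flow count/limit = 0/unlimited
local host: <192.168.1.12>,
    TCP flow count/limit = 0/unlimited
    TCP embryonic count to host = 0
    UDP flow count/limit = 4/unlimited
"""

HOST_RE = re.compile(r"local host:\s*<([\d.]+)>")
TCP_RE = re.compile(r"TCP flow count/limit\s*=\s*(\d+)/(\S+)")


def tcp_flow_counts(show_output):
    """Map each local host to its current TCP flow count.
    Hosts with zero flows are kept so idle hosts remain visible in the result."""
    counts = {}
    current = None
    for line in show_output.splitlines():
        host = HOST_RE.match(line)
        if host:
            current = host.group(1)
            counts.setdefault(current, 0)
            continue
        tcp = TCP_RE.search(line)
        if tcp and current is not None:
            counts[current] = int(tcp.group(1))
    return counts


def total_tcp_flows(show_output):
    """Aggregate TCP connection count across all local hosts (the figure the post is after)."""
    return sum(tcp_flow_counts(show_output).values())


def hosts_over(show_output, threshold):
    """Hosts with more than `threshold` TCP flows, busiest first: a quick way to see whether
    one host accounts for most of the load through the firewall."""
    over = [(h, c) for h, c in tcp_flow_counts(show_output).items() if c > threshold]
    return sorted(over, key=lambda hc: (-hc[1], hc[0]))
```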

Click here to find details of all Cisco PIX Firewall Commands


"RICS0001:Internal Error,unable to process the collected data from the device." Unable to have their inventory collected in Cisco Call Manager.


Errors - Inventory: CISCO-ENTITY-ASSET-MIB attributes not supported by the device
Errors - SQL Anywhere Error -193 primary key for table "software Element" is not unique.

Debugging ideas
  1. Make sure that the CCMs support the ccmPhoneTable and the CISCO-CCM-MIB. The phones should also show up as end hosts in UT, so the switches to which they connect must also be managed by Campus Manager.
  2. Make sure that you have upgraded to the latest version of the Campus software. CCM 5.x+ support wasn't added until 5.1.3.
  3. Try walking the ccmPhoneTable using the SNMP Walk tool in Device Center. Make sure this returns valid data.
  4. Make sure that the SNMP service is enabled on both CCMs.


Connecting console port of other switches and routers to one 2950 switch


How can we connect the ethernet port of the 2950 switch to the console port of the other switches/routers? What is the best physical /logical configuration way to administer them; all at once using telnet ip/hostnames from a central switch?

First, connect one of the Ethernet ports on each of your switches and routers to the 2950 to create an out-of-band management network. Then put all the devices, including the 2950, in the same subnet and manage them from there. This allows the admin to open one session per device, which makes configuration and troubleshooting very easy.

Note that out-of-band management is a separate link into your network for management traffic only. Typically this would be a dedicated management channel (e.g. DSL) to a terminal server that has a console connection to each network device. Conversely, in-band management uses the same link as your data, so if there is any problem on the data link you have lost management as well.

Click here for the document that introduces cisco terminal server router bundle.


Monday, November 16, 2009

Basic Radius configuration and Debugging for Cisco 3750

What is the basic bare-bones RADIUS configuration for a 3750? Assume that the RADIUS server is listening on ports 1812-1813; just enough to have a client authenticate. Also, what is needed for the vty line config?

Basic configuration

aaa new-model
aaa authentication login default local group radius
radius-server host x.x.x.x auth-port 1812 acct-port 1813
You can also run debug radius authentication to help identify any issues.


VTY lines

There is no need for anything on the vty lines. You can set

login authentication default
under your line config, but it is not always needed.

Key

There is no need to set up a key, but you can set one as a best practice:
radius-server key 0 thisismykey
Other useful commands are as follows:

ip radius source-interface <interface>
radius-server timeout 10

Debugging

If you are connected to the device via telnet and have turned on RADIUS authentication debugging, type terminal monitor in privileged EXEC mode:

hostname#terminal monitor

This redirects the debug (log) messages to your vty session. Once you have done this, start another session and try to authenticate. Do not use the username letmein: you have chosen local authentication first and RADIUS second, and letmein is defined in the local database. Instead, try a username that is not defined locally but is configured on your RADIUS server, and watch the output on the screen for a clue as to why it is failing.


Friday, November 13, 2009

Remote Access VPN to ASA 5510 not passing traffic

We have a Cisco client remote accessing into a 5510. Authentication works fine, the secured routes info shows correctly in my client, and the client reports that traffic is being encrypted, but I can't access any of the resources over the tunnel. The output of a #sh crypto ipsec sa peer x.x.x.x command shows traffic is not being passed. Our l2l configuration works fine.

You are trying to pass some traffic to some internal networks that are not in your nat exemption acls (no-nat-inside, no-nat-dmz). Make sure in those no-nat acls you permit from the "inside" to the VPN client pool.

Other common causes:
-your internal routers may not have a route towards the ASA for the VPN client pool
-access-lists applied to the interfaces (show run access-group) may not permit the traffic from the "inside" network to the VPN clients
-Configure split-dns under the group-policy for your internal domain names

Cisco by default does not allow nat-t over udp. Adding the ipsec-udp enable under your group policy fixed my issue.


What is the maximum number of class-maps that can be configured on Cisco 7200?


In Cisco IOS versions earlier than 12.2 you could define a maximum of only 256 classes, and you could define up to 256 classes within each policy if the same classes are reused for different policies. If you have two policies, the total number of classes from both policies should not exceed 256. If a policy includes Class-Based Weighted Fair Queueing (CBWFQ) (meaning it contains a bandwidth [or priority] statement within any of the classes), the total number of classes supported is 64.

In Cisco IOS versions 12.2(12), 12.2(12)T, and 12.2(12)S, this limitation of 256 global class-maps was changed, and it is now possible to configure up to 1024 global class-maps and to use 256 class-maps inside the same policy-map.


Cisco Routers. Concepts of forwarding metric in OSPF E1 and E2. When should you use these metric types? Why is OSPF better than RIP?


Basic design considerations between E1 and E2
An E1 route includes every hop within the path and is an accurate measure. An E2 route (the default external type) presents the metric calculated only up to the point of redistribution, so if the route traverses additional links inside the OSPF domain the metric does not grow. Think of E2 as a metric strictly from the ASBR towards the destination.

OSPF prefers routes in the following order, so Type 1 is chosen over Type 2 even when the metrics match:

1. Intra-area routes.
2. Inter-area routes.
3. External Type-1 routes.
4. External Type-2 routes.

O E1 routes are recommended when multiple ASBRs exist and you want to be sure that the best path to the exit point is used.
O E1 routes are always preferred over O E2 routes regardless of seed metric.
O E1 routes are seen as more complete information because the seed metric is added to the path cost to reach the ASBR.

In scenarios with only one exit point, such as Internet access, consider using O E2. The key to getting the design right is understanding the number of ASBRs and the number of exit points in your network. O E1 routes give you more control but might result in a sub-optimal design when inter-area routing is involved.
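To make the E1/E2 difference concrete, the following Python is an added example (not from the post or from any router implementation) of the route selection described above: it ranks candidates by route type, computes the E1 cost as seed metric plus internal cost to the ASBR, keeps the E2 cost at the seed metric, and breaks E2 ties on the forward metric. The two-ASBR scenario and its costs are constructed.

```python
# Preference order of OSPF route types, from the list above (lower rank wins).
TYPE_RANK = {"intra": 0, "inter": 1, "E1": 2, "E2": 3}


def route_cost(route, cost_to_asbr):
    """Cost the computing router assigns to a candidate route.
    E1: seed metric plus the internal cost to reach the advertising ASBR.
    E2: seed metric only; the internal cost is kept aside as the forward metric.
    Intra/inter-area routes already carry their full cost."""
    if route["type"] == "E1":
        return route["seed"] + cost_to_asbr[route["asbr"]]
    if route["type"] == "E2":
        return route["seed"]
    return route["cost"]


def best_route(candidates, cost_to_asbr):
    """Pick the route OSPF installs: type rank first, then cost, then (E2 only) forward metric."""
    def preference(route):
        forward = cost_to_asbr[route["asbr"]] if route["type"] == "E2" else 0
        return (TYPE_RANK[route["type"]], route_cost(route, cost_to_asbr), forward)
    return min(candidates, key=preference)


# Constructed scenario: ASBRs A and B both redistribute the same prefix; this router
# is 10 away from A and 50 away from B inside the OSPF domain.
COST_TO_ASBR = {"A": 10, "B": 50}


def compare_types(seed_a, seed_b):
    """Which ASBR is chosen when both inject the prefix as E1, and when both inject it as E2."""
    as_e1 = [{"type": "E1", "seed": seed_a, "asbr": "A"},
             {"type": "E1", "seed": seed_b, "asbr": "B"}]
    as_e2 = [{"type": "E2", "seed": seed_a, "asbr": "A"},
             {"type": "E2", "seed": seed_b, "asbr": "B"}]
    return best_route(as_e1, COST_TO_ASBR)["asbr"], best_route(as_e2, COST_TO_ASBR)["asbr"]
```

With seeds 30 (A) and 5 (B), E1 still picks the nearby ASBR A (40 versus 55) while E2 sends traffic to the distant ASBR B because only the seed metric counts.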

Advantages of OSPF over RIP
  • With OSPF, there is no limitation on the hop count.
  • The intelligent use of VLSM is very useful in IP address allocation.
  • OSPF uses IP multicast to send link-state updates. This ensures less processing on routers that are not listening to OSPF packets. Also, updates are only sent in case routing changes occur instead of periodically. This ensures a better use of bandwidth.
  • OSPF has better convergence than RIP. This is because routing changes are propagated instantaneously and not periodically.
  • OSPF allows for better load balancing.
  • OSPF allows for a logical definition of networks where routers can be divided into areas. This limits the explosion of link state updates over the whole network. This also provides a mechanism for aggregating routes and cutting down on the unnecessary propagation of subnet information.
  • OSPF allows for routing authentication by using different methods of password authentication.
  • OSPF allows for the transfer and tagging of external routes injected into an Autonomous System. This keeps track of external routes injected by exterior protocols such as BGP.

Wednesday, November 11, 2009

Welcome to QSolved

Hello everyone. This is our first blog. We plan to bring to you a collection of articles on Technical Support for Hardware and Software products.
 