
Saturday, July 31, 2010

What are the solutions for the Cisco 7942G Registration rejected:Security Error?

We have 150 phones; only 11 of them registered correctly and the rest give me the above error: Registration rejected: Security Error.

The phone load is currently SCCP42.8-5-2SR1S.

Tips:

We faced the same problem as well.

The CUCM, CAPF and CTL services were running, and we turned them off. After deleting the phones, when I tried to re-register them they started to give me this error: "Registration Rejected: Security Error". We also switched the TFTP from the Publisher to a subscriber server.

Solution: We manually added each phone to the system since there were only a few phones. You can use BAT to add the phones if you have too many phones with the same problem.

Citation - This blog post does not reflect original content from the author. Rather it summarizes content that are relevant to the topic from different sources in the web. The sources might include any online discussion boards, forums, websites and others.

Hiding the softkey CFA on 89xx and 99xx Cisco phones

We can't apply a specific softkey template on the 89xx and 99xx phones. We want to hide the softkey "CFA", which is present by default on the phones (for example, managers must not use this softkey, to avoid issues with their call filtering system: line forwarded to the assistant...). Do we have a choice if we don't want to use these default softkeys (remove the "CFA" softkey, for example)?

Regarding the 89XX and 99XX softkey settings, these can be controlled in the following locations:

* Device > Phone > Common Phone Profile
* Device > Device Settings > Common Phone Profile > Feature Control Policy
* Device > Device Settings > Feature Control Policy

Through the Common Phone profile assigned to a phone you can control what softkeys are displayed.


What are the Cisco Phone Features to work with 9951 phone?

We have a 9951 phone on the CM 7.1.(3a) su1 and even video calls, but noticed that there is not a place in UCM to apply a softkey template and several features are missing such as DND, Park, Meetme, SNR. Are we missing something in the form of a patch? How can we get the Cisco Phone Designer to work with these phones?

Tips:

Feature Buttons and Softkeys. Please click here for the detailed table.

Table 7-4 provides information about some of the features that are available on softkeys, some that are available on dedicated feature buttons, and some that you need to configure as programmable feature buttons. An "X" in the table indicates that the feature is supported for the corresponding button type or softkey. Of the two button types and softkeys, only programmable feature buttons require configuration in Cisco Unified IP Phone administration.

Note: The Cisco Unified IP Phone 8961, 9951, and 9971 do not use softkey templates in Cisco Unified Communications Manager administration.

Please click here for additional information: Cisco Unified IP Phone 8961, 9951, and 9971 Administration Guide for Cisco Unified Communications Manager 7.1


Friday, July 30, 2010

How can we configure the Route patterns in Call manager without RGL?

We would like to set that all calls to a specific destination, were commuted to a Gateway A, and if all lines are busy, these calls are switched by Gateway B.

We have the following configuration :

Actual RP:

Route Pattern* : 9199.XXXXXX Partition: Outgoing Call Gateway or Route List: 10.201.30.250

New Configuration (In mind....)

Route Pattern* : 919953.XXXX Partition: Outgoing Call Gateway or Route List: Gateway A
Route Pattern* : 919953.XXXX Partition: Outgoing Call Gateway or Route List: Gateway B
IP Address Gateway A: 10.201.30.250
IP Address Gateway B: 172.17.20.10

We had thought to create a Route Group List with the two Routers (GW 10.201.30.250 and 172.17.20.10), but the actual configuration of the Route Patterns in the Call Manager, is using the Gateways in the configuration of Route Pattern (in the configuration RGL are not set).

How can we configure these requirements without RGL?

With this configuration:

Route Pattern* : 919953.XXXX Partition: Outgoing Call Gateway or Route List: Gateway A
Route Pattern* : 919953.XXXX Partition: Outgoing Call Gateway or Route List: Gateway B
If the lines in the Gateway A are busy the call is switched to the Gateway B? Or this is achieved only by setting RGL?

Cisco Call Manager version: 4.2

Tips:

Q/ New Configuration (In mind....)

Route Pattern* : 919953.XXXX Partition: Outgoing Call Gateway or Route List: Gateway A
Route Pattern* : 919953.XXXX Partition: Outgoing Call Gateway or Route List: Gateway B
A/ You can not have two identical route patterns on the same partition.

Q/ We had thought to create a Route Group List with the two Routers (GW 10.201.30.250 and 172.17.20.10), but the actual configuration of the Route Patterns in the Call Manager, is using the Gateways in the configuration of Router Pattern (in the configuration RGL are not set).

A/ If you want redundancy in Call Manager, then you need a route group and a route list. If you cannot add your routers to a route group, it is because they're already associated with route pattern(s). First, dissociate them from all route patterns, then create the route group and finally the route list. Now you can associate your route pattern(s) to the new route list. The final configuration should look similar to:

Route Group Name: My_Route_Group
Current members: 10.201.30.250, 172.17.20.10

Route List: My_Route_List
Selected Groups: My_Route_Group

Route Pattern: 9199.XXXXXX Partition: Outgoing Call Gateway or Route List: My_Route_List
Route Pattern: whatever Partition: Outgoing Call Gateway or Route List: My_Route_List

Q/ If the lines in the Gateway A are busy the call is switched to the Gateway B? Or this is achieved only by setting RGL?

A/ If your gateways are H.323, there's a way to achieve redundancy without involving Call Manager. This is done with redundant dial peers. I do not recommend it because that will not achieve the highest possible redundancy for your calls. For example, if gateway A is down, calls would never be routed to router B. However, if you configure a route list then Call Manager will be able to route your calls to gateway B without problem.


How can we upgrade the call manager 4.0(2a) to CUCM 8.0?

We have a Call manager 4.0(2a) and want to upgrade to CUCM 8.0. Is there a path for this?

You need to go to 4.1(3) or 4.2(3) as the first hop, then to a 6.X or 7.X, and then finally to 8.X.
Supported Cisco Unified Communications Manager Upgrades. Please click here for the document. A direct upgrade is not advised. Reach our licensing team at licensing@cisco.com and they can help you migrate the licenses; they'll let you know what info they need.

You need to know the MAC address of the licensing server (usually the PUB), so don't reach them until you know it, as the license is bound to it. Please click here for Data Migration Assistant User Guide Release 6.0(1)

DMA assists you with the first step in migrating Cisco Unified Communications Manager data from versions 4.1(x) and 4.2(x) to Cisco Unified Communications Manager 6.0(1) by backing up this data in a format that Cisco Unified Communications Manager 6.0(1) can read.

You always need to be on the latest release of whatever train you're on. In the early days DMA lacked validation for this and you could get a DMA file from a 4.1(2) or a 4.2(1) CCM. Later this was enforced so you couldn't run DMA on any of those versions. Usually the versions that are related feature-wise are the upgrade path you can use. That is, 6.1(5)/7.1(5) are closer to 8.5(1) feature-wise than previous 6.X or 7.X releases, so it's easier to upgrade.

But notice that they are the latest releases for their trains.


Wednesday, July 28, 2010

moh-usb-audio quality has diminished in CUCM 7.1

A PC connected to a Griffin iMic worked very well with my previous CCM 4.2 cluster; the PC played back mp3 songs at high quality. Now I have upgraded the cluster to CUCM 7.1 and am forced to use moh-usb-audio, and the quality has diminished. There is a definite background hiss, even when the iPod / PC is not plugged in, and the song itself has poor sound quality.

We have tried with different mp3 / wav formats and I have played around with the settings within the services > Cisco IP Voice Media Streaming App, such as:

1. MOH Fixed Audio Quality level

2. Codec

3. volume levels

The reason for not using the internal CCM MOH service was because of the poor quality the songs had after they were converted to g711.

Do we have to use the "Cisco" MOH-USB-AUDIO device or are there alternatives, has anyone got the Griffin working on CUCM 7?

Tips:

You won't get the Griffin iMic working with any linux-based CUCM simply because the OS and IP Voice Media Streaming App won't recognize the device.

To the original poster: in my experience, hissing is typically caused by a high input gain from the audio source. I'd also look at potential grounding issues on the server itself (or the rack it's mounted in). Since the CUCM has no way to adjust the volume of MOH audio files, it can only be adjusted at the source or from an intermediate device.

If you really can't get the USB audio device working to your satisfaction, then one alternative would be using a router's FXO or E&M port for multicast MOH. For more details click here.



SIP Trunk (XO Communications) on CME 7.x

We have an existing 2921 CME/CUE version 7.x which currently has a PRI to the PSTN. We are trying to switch over to a SIP trunk provided by XO Communications. Right now our DID numbers only match the last two digits of my ephone-dn number. For example, my DID would be something like 330-555-8510 and my ephone-dn would be 1210; we are using a num-exp for each DID number as a translation. So for the example we have the following: num-exp 3305558510 1210. Our CME router is not the main data router for the site's data network, but it is the default gateway for the phones. I have about 30 SCCP phones, and we have a few analog stations that I'm connecting to via pots dial-peers. Our plan is to plug the SIP trunk, which is being delivered on a separate /30 WAN segment by the carrier, into one of the unused ethernet ports on the CME and set a route to the carrier's SIP network which will use that interface. For example, we have a default route pointing to the site's main gateway, and we have a more specific route for the carrier's SIP network pointing to the interface where our SIP trunk terminates.

We have added all of my VOIP dial-peers and shut down my pots dial-peers that were pointing to the PRI. When we do this and try to make a test call from one of my SCCP phones, we get an intercept message from the carrier stating that the device we are using is not registered. If we add a secondary number to the ephone-dn as the full e.164 is our number, we can make a call out, and we can make a call back in (on my test number). However, when we make a call out, the caller ID shows up as unknown (this may be just because there is no association in the carrier's database with my test number...we have not ported my existing numbers over yet).

We would like to know what we need to do so that we don't have to put a secondary dn on all of my ephone-dn's. Is there any sort of translation (say, with a sip-profile maybe) that we can do so that when my endpoints attempt to register, the SIP header gets re-written from 1210@10.10.10.10 to 3305558510@10.10.10.10 going out, and gets inversely translated coming back in? If we do this with a sip-profile, can somebody share with me an example of how this is configured? There seem to be LOTS of SIP headers that can be re-written with a sip-profile and I need some advice on what to do.

Also, is there anything additional we need to do for my analog station devices? Currently we just have a station-id configured on the port, and a pots dial-peer sending the destination pattern to the port the fax machine is plugged into.

Tips:

You might try translation-profiles. It works for PSTN / H.323 voip calls and it should work for SIP calls too. Here's an example of how you might set it up:

! Inbound: DID 33055585xx -> extension 12xx
voice translation-rule 1
 rule 1 /^33055585\(..\)/ /12\1/
!
! Outbound: extension 12xx -> DID 33055585xx
voice translation-rule 2
 rule 1 /^12\(..\)/ /33055585\1/
!
voice translation-profile SIP_Inbound
 translate called 1
!
voice translation-profile SIP_Outbound
 translate calling 2
!
! Apply both profiles to the SIP trunk dial-peer
dial-peer voice 1000 voip
 translation-profile incoming SIP_Inbound
 translation-profile outgoing SIP_Outbound

Updated a typo on the first translation-rule.

The translation-profiles do not modify the SIP headers directly, but they do modify the call information within CME which will affect how CME processes the call. When you apply a translation-profile to a dial-peer, that translation affects the information processed by the dial-peer. I believe the reason you are getting the unregistered error is your SIP provider won't let you place calls unless the calling number is a number that they have configured to your SIP trunk.

Your devices are registering with CME, not your service provider. Translations can sometimes be a little intimidating, but they are worth the effort and leave your solution much more scalable. The major distinction is that everything on the SIP trunk is done on a call-by-call basis, and your provider doesn't know anything about the state of the devices registered to CME.

We did find a good example on CCO, you might want to review this document

In this example they are using the dialplan-pattern command under the telephony-service configuration which automatically creates the expanded dial peers for each of the ephone-dn's. That just leaves your non-DID extensions and dial-peers that you have to build translations for.



Why loopback network 127.0.0.0?

Why do we need a whole network for loopback 127.0.0.0?

  • 127.0.0.1 is the standard IP address used for a loopback network connection. This means that if you try to connect to 127.0.0.1, you are immediately looped back to your own machine. 127.0.0.1 is also referred to as “localhost”, meaning ‘this computer’.
  • Making a connection with a 127.0.0.1 loopback address is the same as making a connection with any remote computer on the network, but avoiding the local network interface hardware. It is widely used by application developers and system administrators with the intention of testing software/applications.
  • From RFC3330 - Special-Use IPv4 addresses -

  • 127.0.0.0/8 - This block is assigned for use as the Internet host
    loopback address. A datagram sent by a higher level protocol to an
    address anywhere within this block should loop back inside the host.
    This is ordinarily implemented using only 127.0.0.1/32 for loopback,
    but no addresses within this block should ever appear on any network
    anywhere [RFC1700, page 5].

  • In other words the whole of the 127.0.0.0/8 network is reserved for looping back to the host but it is general practice to only use 127.0.0.1.


ASA5505 Routing Issue

We have recently added a layer2 leaf to my network, configuring ASAs at each of my two locations. The remote site config is working fine but we are having major issues with my ASA5505. We use a tracked route to treat data going from my primary site to the remote site but the link keeps dropping.

Please see below some of our config.

interface Vlan1
nameif inside
security-level 100
ip address 192.168.16.10 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 83.147.148.134 255.255.255.252
!
interface Vlan3
nameif digiwebl2
security-level 90
ip address 192.168.160.10 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
switchport access vlan 3
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!

access-list L2_access_in extended permit icmp 192.168.160.0 255.255.255.0 192.168.160.0 255.255.255.0
access-list L2_access_in extended permit ip 192.168.20.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list L2_access_in extended permit icmp 192.168.20.0 255.255.255.0 192.168.16.0 255.255.255.0

access-group outside_access_in in interface outside
access-group L2_access_in in interface digiwebl2
route digiwebl2 192.168.20.0 255.255.255.0 192.168.160.254 255 track 1
route inside 172.31.60.0 255.255.255.0 192.168.16.254 1
route outside 0.0.0.0 0.0.0.0 83.147.148.133 1
route outside 192.168.20.0 255.255.255.0 83.147.148.133 254

If we plug into ether0/4 I cannot ping back to the 192.168.16.10 interface, which leads me to think that there is a bug somewhere on the appliance. We have just had the device upgraded to version 7.2(5).

Tips:

If you plug into Eth0/4 then you will be on Vlan 3 which is the 192.168.160.x subnet. While on this subnet, you will only be able to ping the interface facing you, the Vlan3 interface at 192.168.160.10. This is by design and summarized here:



Note: For security purposes the security appliance does not support far-end interface ping, that is pinging the IP address of the outside interface from the inside network.

Once the ping issue from the interface back to the Firewall interface was resolved there was still little or no utilization of the layer2 pipe. The reason for this was that all users were working from previously learned paths, which in this case was the VPN connection. This was identified through "sh conn address 192.168.16.57" (our IP address). "sh conn" showed that all other users were using VPN also.

We issued a "clear conn all" and this dropped the ASA connection momentarily but it enforced the tracked route entry in the firewall and now over 90% of my traffic is using the Layer2.



Error #733100 - drop rate-1 exceeded

Getting the following 733100 events, and all are Scanning

ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 400; Current average rate is 56 per second, max configured rate is 200; Cumulative total count is 33887
ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 8 per second, max configured rate is 320; Current average rate is 13 per second, max configured rate is 160; Cumulative total count is 47709

Why am I getting events from less than the manually configured rates?

Here is the configuration changes output by show run

no threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
no threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8
threat-detection rate scanning-threat rate-interval 600 average-rate 200 burst-rate 400
threat-detection rate scanning-threat rate-interval 3600 average-rate 160 burst-rate 320
no threat-detection rate syn-attack rate-interval 600 average-rate 100 burst-rate 200
no threat-detection rate syn-attack rate-interval 3600 average-rate 80 burst-rate 160
threat-detection rate syn-attack rate-interval 600 average-rate 25 burst-rate 50
threat-detection rate syn-attack rate-interval 3600 average-rate 20 burst-rate 40

The configuration guide says: "You can configure up to three commands with different rate intervals."

Does this mean there are three different types of command, or can we only manually adjust three out of the various basic threat detection settings?

Tips:

The document says that we can have 3 versions of the command

For example:-

threat-detection rate scanning-threat rate-interval 600 average-rate 200 burst-rate 400
threat-detection rate scanning-threat rate-interval 3600 average-rate 160 burst-rate 320
threat-detection rate scanning-threat rate-interval 800 average-rate 200 burst-rate 400

You will receive a log for which limit you reached in the log for every time you exceed the limit ("[ Scanning] drop rate-1 exceeded", or "[ Scanning] drop rate-2 exceeded").

You have configured 2 limits. If you are also running basic threat detection, the basic limits are also matched and the logs will also reflect those.

From this document on preventing Network attacks from Cisco

"If you already configured this command as part of the basic threat detection configuration (see the "Configuring Basic Threat Detection" section), then those settings are shared with the scanning threat detection feature; you cannot configure separate rates for each feature."

If you are running 8.0.4, then this is defect "CSCsv42964: scanning-threat does not pick up the correct rate threshold in syslog".

It is a syslog generation bug, so there is no workaround. You can disable the scanning threat. The syn-attack is a different event.
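
An added example (not from the original thread or from Cisco): a parser for the two 733100 messages and the scanning-threat lines of the `show run` output quoted above. It checks whether each logged rate really exceeds the maximum printed beside it, and also compares it with the removed (`no ...`) settings; the function names and verdict labels are this example's own.

```python
import re

# The two syslog lines and the scanning-threat lines of the show run output
# quoted in the post above.
SAMPLE_LOG = """\
ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 400; Current average rate is 56 per second, max configured rate is 200; Cumulative total count is 33887
ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 8 per second, max configured rate is 320; Current average rate is 13 per second, max configured rate is 160; Cumulative total count is 47709
"""
SAMPLE_CONFIG = """\
no threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
no threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8
threat-detection rate scanning-threat rate-interval 600 average-rate 200 burst-rate 400
threat-detection rate scanning-threat rate-interval 3600 average-rate 160 burst-rate 320
"""

MSG_RE = re.compile(
    r"ASA-4-733100: \[\s*(?P<object>[^\]]+?)\s*\] drop rate-(?P<rate_id>\d+) exceeded\. "
    r"Current burst rate is (?P<burst>\d+) per second, "
    r"max configured rate is (?P<burst_max>\d+); "
    r"Current average rate is (?P<avg>\d+) per second, "
    r"max configured rate is (?P<avg_max>\d+); "
    r"Cumulative total count is (?P<total>\d+)"
)
CFG_RE = re.compile(
    r"^(?P<no>no )?threat-detection rate scanning-threat "
    r"rate-interval (?P<interval>\d+) average-rate (?P<avg>\d+) burst-rate (?P<burst>\d+)$"
)


def parse_733100(line):
    """Return the fields of one 733100 message as a dict, or None."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    return {k: int(v) if v.isdigit() else v for k, v in m.groupdict().items()}


def parse_config(text):
    """Split scanning-threat lines into active and removed ('no ...') settings.

    Each dict maps rate-interval -> (average-rate, burst-rate).
    """
    active, removed = {}, {}
    for line in text.splitlines():
        m = CFG_RE.match(line.strip())
        if m is None:
            continue
        target = removed if m["no"] else active
        target[int(m["interval"])] = (int(m["avg"]), int(m["burst"]))
    return active, removed


def analyse(log_text, config_text):
    """Compare every 733100 event with the maxima it prints and with the config."""
    active, removed = parse_config(config_text)
    findings = []
    for line in log_text.splitlines():
        rec = parse_733100(line)
        if rec is None:
            continue
        logged_max = (rec["avg_max"], rec["burst_max"])
        # Tie the event to a configured interval by the maxima it prints.
        interval = next((i for i, v in active.items() if v == logged_max), None)
        over_logged = rec["avg"] > rec["avg_max"] or rec["burst"] > rec["burst_max"]
        old = removed.get(interval)
        over_removed = old is not None and (rec["avg"] > old[0] or rec["burst"] > old[1])
        findings.append({
            "rate_id": rec["rate_id"],
            "interval": interval,
            "exceeds_logged_max": over_logged,
            "exceeds_removed_setting": over_removed,
            "verdict": "consistent" if over_logged else "rates-below-logged-max",
        })
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG, SAMPLE_CONFIG):
        print(finding)
```

Both events come out as `rates-below-logged-max`: the message prints the new maxima, yet the current average rates are only above the removed 5 and 4 per second values.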


Problems in connecting VPN client on ipad to ASA- How do we monitor the ASA log?

We are trying to get the ipad to VPN to our Cisco ASA5520. We have all of the settings correct on both ends (We are able to vpn to the ASA using a Cisco871 as the remote client). For some reason the VPN client on the ipad isn't even getting to the ASA. How can we monitor the ASA logs to see if the connection is even being attempted and possibly find the failure?

Tips:

Try:

debug crypto isakmp
debug crypto ipsec
sh vpn-sessiondb remote (to see if the client is connected)

We configured an iPad as a remote VPN client. The user was able to connect to the 5520, but for some reason we had to use IP addresses for access and couldn't use internal DNS names.


Tuesday, July 27, 2010

Multi-VRF on the CE. How can we set up the server??

We are running BGP between the service provider PE and the CE. We have a customer which has 2 different VRFs. They wish to purchase a server at the CE end which should be able to talk to both the VRFs. We can only think of setting up the server with 2 different NIC port, each connected to 1 VRF and doing static routes. This is not scalable so is there any other setup that can be done on either the PE or the CE end? The CE on our end is a 3750G.

Tips:

You don't have to have 2 NICs. You need to leak the VRFs together, so that resource (server) is shared between the 2 VRFs.

For example, on the CE router, if you have vrf-a and vrf-b, you can configure vrf-c and add the server to vrf-c. Then you need to do export and import from vrf-a and vrf-b into vrf-c and also from vrf-c to vrf-a and vrf-b.

Below is an example:

In this example vrf data and voice are imported into the dmz. dmz is the shared vrf and that is where you add the server vlan/subnet.

ip vrf data
rd 3:3
route-target export 3:3
route-target import 3:3
route-target import 5:5

ip vrf dmz
rd 5:5
route-target export 5:5
route-target import 5:5
route-target import 2:2
route-target import 3:3

ip vrf voice
rd 2:2
route-target export 2:2
route-target import 2:2
route-target import 5:5
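
An added example, not part of the original answer: a small model of the route-target configuration above that works out which VRFs learn each other's routes and reports any pair outside an allowed list, so the shared dmz does not silently join data and voice. It assumes the usual behaviour that routes imported into a VRF are not re-exported; the function names and the misconfigured variant are hypothetical.

```python
import re
from itertools import combinations

# The configuration from the answer above, indented as IOS shows it.
VRF_CONFIG = """\
ip vrf data
 rd 3:3
 route-target export 3:3
 route-target import 3:3
 route-target import 5:5
ip vrf dmz
 rd 5:5
 route-target export 5:5
 route-target import 5:5
 route-target import 2:2
 route-target import 3:3
ip vrf voice
 rd 2:2
 route-target export 2:2
 route-target import 2:2
 route-target import 5:5
"""

# Constructed variant: one extra import on "data" that the design did not intend.
MISCONFIGURED = VRF_CONFIG + "ip vrf data\n route-target import 2:2\n"


def parse_vrfs(text):
    """Return {vrf: {"import": set of RTs, "export": set of RTs}}."""
    vrfs, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"ip vrf (\S+)$", line)
        if m:
            current = vrfs.setdefault(m.group(1), {"import": set(), "export": set()})
            continue
        m = re.match(r"route-target (import|export|both) (\S+)$", line)
        if m and current is not None:
            kinds = ("import", "export") if m.group(1) == "both" else (m.group(1),)
            for kind in kinds:
                current[kind].add(m.group(2))
    return vrfs


def visible_routes(vrfs):
    """For each VRF, the VRFs whose exported routes it imports.

    Assumption: no transitive leaking, i.e. an imported route keeps the
    route targets of the VRF it came from and is not exported again.
    """
    return {
        name: {other for other, o in vrfs.items() if o["export"] & v["import"]}
        for name, v in vrfs.items()
    }


def leaks(vrfs, allowed_pairs):
    """List (a, b) where VRF a learns VRF b's routes outside the allowed pairs."""
    visible = visible_routes(vrfs)
    allowed = {frozenset(pair) for pair in allowed_pairs}
    found = []
    for a, b in combinations(sorted(vrfs), 2):
        if frozenset((a, b)) in allowed:
            continue
        if b in visible[a]:
            found.append((a, b))
        if a in visible[b]:
            found.append((b, a))
    return found


ALLOWED = [("data", "dmz"), ("voice", "dmz")]

if __name__ == "__main__":
    print(visible_routes(parse_vrfs(VRF_CONFIG)))
    print("leaks as posted:     ", leaks(parse_vrfs(VRF_CONFIG), ALLOWED))
    print("leaks, misconfigured:", leaks(parse_vrfs(MISCONFIGURED), ALLOWED))
```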


How can we fix the missing AbbrDial Softkey on 7912 phones?

The AbbrDial softkey is not showing up on the 7912. We checked everything from the softkey template to the firmware and cannot find anything. Speed dials work just fine (1 - 4). But the problem started to occur after we upgraded call manager from 4.X to 7.X.

Tips:

This bug may apply if you are using SIP based phones with the new 7.1 off-hook abbreviated dialing feature. Please click here for the details and summary.
A firmware upgrade will fix this issue.


Saturday, July 24, 2010

ASA capture utility / IP spoof- How do we identify the offending host?

We have received couple of notifications from ASA regarding IP spoof attempts:

:Jul 21 14:06:56 EDT: %ASA-session-2-106016: Deny IPspoof from (127.0.0.1) to 64.x.x.x on interface inside

We wanted to get some more info to eliminate any infected clients on our internal network. Did some research in the Cisco forum and configured an access list to capture suspicious traffic:

ciscoasa(config)#access-list incap permit ip host 127.0.0.1 any
ciscoasa(config)#access-list incap permit ip any host 127.0.0.1
ciscoasa(config)#capture incap access-list incap interface inside

Here's the result of the "show capture incap":

6 packets captured

1: 12:13:25.984049 127.0.0.1.37948 > 65.x.x.x.80: S 662274405:662274405(0) win 5840
2: 12:13:28.975047 127.0.0.1.37948 > 65.x.x.x.80: S 662274405:662274405(0) win 5840
3: 12:16:45.147239 127.0.0.1.38511 > 65.x.x.x.80: S 850947795:850947795(0) win 5840
4: 12:16:48.137764 127.0.0.1.38511 > 65.x.x.x.80: S 850947795:850947795(0) win 5840
5: 14:06:53.636197 127.0.0.1.53661 > 64.x.x.x.80: S 984711035:984711035(0) win 5840
6: 14:06:56.629789 127.0.0.1.53661 > 64.x.x.x.80: S 984711035:984711035(0) win 5840
6 packets shown.

How can we identify the offending host on our inside network? Also, the x-ed public IPs point to one of the local businesses and it seems that it's their totally unsecured IIS server. Should we contact the IT department?

Tips:

  • Try looking at the MAC address of the offender and tracing it back through your switch to find out what machine it is coming from. Depending on your environment though (for example, if the host is a wireless client), this might not be too helpful. If the attacker can spoof their IP address, they could also be spoofing their MAC address.
  • If the capture is still in the ASA's memory, take a look at 'show capture detail' and the MAC address on the packets will be shown.
  • Either download the PCAP file of the capture, that would give you the full information, and you can view it with ethereal or wireshark. OR/ alternatively you can also do "show capture incap detail" and it will give you the mac address information as well.
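
An added example, not part of the original posts: it parses `show capture` lines in the format shown above, groups retransmitted SYNs into connection attempts, and flags sources inside 127.0.0.0/8, the block that per the RFC 3330 text quoted earlier should never appear on a network. The x-ed destinations are replaced with documentation addresses, the last sample line is constructed for contrast, and the function names are this example's own.

```python
import ipaddress
import re

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# Capture lines in the format of the post. Destinations are constructed
# documentation addresses standing in for the x-ed ones; line 7 is constructed.
SAMPLE_CAPTURE = """\
7 packets captured

   1: 12:13:25.984049 127.0.0.1.37948 > 203.0.113.10.80: S 662274405:662274405(0) win 5840
   2: 12:13:28.975047 127.0.0.1.37948 > 203.0.113.10.80: S 662274405:662274405(0) win 5840
   3: 12:16:45.147239 127.0.0.1.38511 > 203.0.113.10.80: S 850947795:850947795(0) win 5840
   4: 12:16:48.137764 127.0.0.1.38511 > 203.0.113.10.80: S 850947795:850947795(0) win 5840
   5: 14:06:53.636197 127.0.0.1.53661 > 198.51.100.20.80: S 984711035:984711035(0) win 5840
   6: 14:06:56.629789 127.0.0.1.53661 > 198.51.100.20.80: S 984711035:984711035(0) win 5840
   7: 14:07:01.000100 192.168.1.20.40100 > 198.51.100.20.80: S 1111:1111(0) win 5840
7 packets shown.
"""

LINE_RE = re.compile(
    r"^\s*\d+:\s+(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}\.\d+)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+(?P<flags>\S+)\s+(?P<seq>\d+):"
)


def syn_attempts(capture_text):
    """Group SYN packets by (src, sport, dst, dport, seq).

    A repeated SYN with the same sequence number is a retransmission of the
    same connection attempt, not a new one.
    """
    grouped = {}
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if m is None or m["flags"] != "S":
            continue  # header/footer lines and non-SYN packets
        seconds = int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"])
        key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), int(m["seq"]))
        grouped.setdefault(key, []).append(seconds)

    attempts = []
    for (src, sport, dst, dport, _seq), times in grouped.items():
        attempts.append({
            "src": src,
            "sport": sport,
            "dst": dst,
            "dport": dport,
            "packets": len(times),
            # Seconds between first and last copy; None if never retransmitted.
            "retransmit_gap": round(times[-1] - times[0], 3) if len(times) > 1 else None,
            "loopback_source": ipaddress.ip_address(src) in LOOPBACK,
        })
    return attempts


def loopback_sources(attempts):
    """Source addresses that fall inside 127.0.0.0/8."""
    return {a["src"] for a in attempts if a["loopback_source"]}


if __name__ == "__main__":
    for attempt in syn_attempts(SAMPLE_CAPTURE):
        print(attempt)
```

On the capture from the post this gives three attempts from 127.0.0.1, each SYN repeated once about three seconds later with the same sequence number, which is a retransmission of an unanswered SYN.
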

ASA 5520 Active/Standby Memory Upgrade 8.2 to 8.3

We're about to undertake the 8.2 to 8.3 upgrade. We understand that the failover config will not work if the pair has different memory. What is the plan for inserting the new memory; can we do it in a way that minimizes the downtime?

Tips:

Yes we can upgrade from 8.2 to 8.3 with zero downtime while performing the memory upgrade. We support this and we test for it.

Just install the image on one unit and set the boot variable, and then power it off. Install the memory on it, and then power it back on. It will boot up and convert the config and then do the failover config sync. Once complete, this unit will be running 8.3 as a standby. Next, make it Active and then perform the same functions on the peer.

Note that we do support mis-matched memory for short durations during the upgrade process so that you can perform zero downtime upgrades.


%PM_SCP-SP-2-LCP_FW_ERR_INFORM. What does this error mean?

Is there a solution for the message on a WS-X6748-GE-TX module

=> WS-C6509-E /// with redundant WS-SUP720-3B (s72033-ipservicesk9_wan-mz.122-18.SXF7.bin)

This message has caused the system to Power Down the module.

It is the first time the message has been met. We have not yet tried to insert the module in another slot, but would like to know if it makes you think of a hardware issue on the module, or a communication problem with the sup?

------------------------------------------------------------------------------

%PM_SCP-SP-2-LCP_FW_ERR_INFORM: Module 3 is experiencing the following error: Interrupt counters cumulative, (10s critical/noncritical): ROINT[0]: totalcalls=1670, p2aecc1=157, p2necc1=677, ecc2=1168, ffifopb2ar=324, ffifopb2n=826, argospktin=1, pb2arinterm=405, (746/232). ROINT[2]: totalcalls=1, aricjacrc=1. JAINT[0]: total=83, drri0=83, (9/0).

%PM_SCP-SP-1-LCP_FW_ERR_POWERDOWN: Module 3 will be powered down due to firmware error: RO[0] (746 critical int in the last 10s).

%C6KPWR-SP-4-DISABLED: power to module in slot 3 set off (excessive interrupt)

------------------------------------------------------------------------------

Tips:

%PM_SCP-6-LCP_FW_ERR_INFORM (x1): Module [dec] is experiencing the following error: [chars]
Explanation: This message indicates that the firmware of the module detected an error condition. The module is informing the supervisor engine about the error condition. [dec] is the module number, and [chars] is the error. This could be a transient issue.

Recommended Action:
  1. Try resetting the module (soft-reset) using the command hw-module reset.
  2. If the error message is still displayed, power down the switch. Do the hard reset by pulling the module and reseating it. Power on the switch and monitor the error message.
  3. If the error persists, try reseating the module in another free slot. If the error is still displayed after the move, then there is no fault with the chassis but the module might be faulty.
  4. Issue the command show test {module_number} before and after physically reseating the module to make sure module is not faulty. Make sure you have configured set test diaglevel complete command (a reset is required to enable this diagnostic mode).
  5. If the error still persists with the module, you may have to replace the module.

%C6KPWR-SP-4-DISABLED: power to module in slot [dec] set [chars]

Explanation: This message indicates that the module in the indicated slot was powered off for the indicated reason. [dec] is the slot number, and [chars] indicates the power status. In most cases this message appears at switch boot up/reload or at line card insertion and can be ignored.
Recommended Action: Ensure that this message appeared during normal operation of the switch. If so, try:
  1. Reset and firmly fix up the module in the chassis.
  2. Raise the diagnostic level to complete using the set diagnostic boot up level command.
  3. Reset the line card and see the command show diagnostic module for the test results on module. This will confirm hardware sanity of the line card.
  4. Monitor the switch operation. The recovery procedure depends on the reason indicated

%C6KPWR-4-DISABLED (x1): power to module in slot [dec] set [chars]

Explanation: The module in the indicated slot was powered off for the reason stated in the error message.

Recommended Action: Recovery depends on the indicated reason. Using the information provided in the error message, troubleshoot and resolve the power problem. If necessary, replace defective components.

Please click here for more information; the message is described in the 12.2SX error message guide.

Friday, July 23, 2010

How can we add a new Cisco Unified IP Phone 9951 in CUCM 7.0.2?

We have a cluster of Cisco Unified Communications Manager version 7.0.2.20000-5 (Publisher and Subscriber). We also have a Cisco Unified IP Phone 9951 and would like to add it to the CUCM. How can we add this new Cisco Unified IP Phone 9951 in CUCM?

Tips:

  1. 9951 is not available as a phone model on CUCM 7.0.2.
  2. You will need 7.1(3a)su1 at a minimum. Cisco Unified IP Phone 8900 and 9900 Series.
  3. Before using the Cisco Unified IP Phone with Cisco Unified Communications Manager, you must install the latest firmware on all Cisco Unified Communications Manager servers in the cluster.
  4. Note: You can install Cisco Unified Communications Manager 7.1(3) or 7.1(3a). After you install one of these releases, you must install Cisco Unified Communications Manager 7.1(3a)su1.
  5. Please click here for the Release Notes for Cisco Unified Communications Manager Release 7.1(3a)

Tuesday, July 20, 2010

Problem in starting the VPN Client on Vista business.

We tried to install different versions of the VPN client on Vista Business (IBM x61) multiple times, but most of the time we have a problem starting the VPN client: error 56.

Recreating the service solves this problem. The VPN Client worked fine after running this script.

createservice.bat

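@echo off
rem Run from an elevated command prompt.
echo *********************************
echo Installing Cisco VPN Service
echo *********************************

rem Remove the existing service registration.
sc stop cvpnd
sc delete cvpnd
rem Re-create it. The escaped inner quotes keep the service path quoted in the
rem registry; the path contains spaces and must not be stored unquoted.
sc create cvpnd binPath= "\"%PROGRAMFILES%\Cisco Systems\VPN Client\cvpnd.exe\"" start= auto DisplayName= "Cisco VPN Service" depend= DNE
sc start cvpnd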

Or try using the Shrew Soft VPN client from shrew.net. It also works perfectly with Vista / Win7 64-bit edition.

Monday, July 19, 2010

DB REPLICATION ERROR in CUCM 7.1.3

We are having an issue with dbreplication on CUCM 7.1.3. The system is an upgrade from version 4.X to 7.1.3 and has 1 pub and 3 sub servers. We have installed 1 pub and 2 subs so far and are having a dbreplication problem. We went through utils dbreplication stop and utils dbreplication reset all and are still having the same problem. On both sub servers Replicate_State shows 4.

Publisher
admin:show perf query class "Number of Replicates Created and State of Replication"
==>query class :

- Perf class (Number of Replicates Created and State of Replication) has instances and values:
ReplicateCount -> Number of Replicates Created = 427
ReplicateCount -> Replicate_State = 2

Subscriber
admin:show perf query class "Number of Replicates Created and State of Replication"
==>query class :

- Perf class (Number of Replicates Created and State of Replication) has instances and values:
ReplicateCount -> Number of Replicates Created = 0
ReplicateCount -> Replicate_State = 4

Tips:

Before resetting replication, check a few fundamental things. Execute the following commands and look for inconsistencies between nodes and with your expectations.

1. On each cluster node, check the network:

show network cluster

2. On each cluster node, validate the network

utils diagnose module validate_network

3. On each cluster node validate ntp

utils ntp status

  • Since you did a migration, did you change the host name and/or IP address of the cluster servers on install? If so, you have to ensure that the server objects defined in CUCM match the IP/hostname for the subscriber nodes. Use the following command on the publisher node:
  • run sql select name,nodeid from processnode
  • Does the output look correct? You can also check the CCMAdmin web interface (System > Servers). Also, look at the IP addresses and names from the first three commands.
  • Fix any issues you find as a result of the above discovery. Once you have resolved the issues, you can use "utils dbreplication reset all" from the publisher node.
  • Delete the sub server that is not used for backup purposes from the System > Server page, restart the server, and run the utils dbreplication reset all command; everything should start to work fine.

Issues on Router 2801 - %Error show flash: (No device available)

2801Voice_Gateway_MI#show flash:

%Error show flash: (No device available)

2801Voice_Gateway_MI#show version

Cisco IOS Software, 2801 Software (C2801-SPSERVICESK9-M), Version 12.4(6)T7, RELEASE SOFTWARE (fc5)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2007 by Cisco Systems, Inc.

Compiled Thu 29-Mar-07 05:41 by khuie

ROM: System Bootstrap, Version 12.3(8r)T8, RELEASE SOFTWARE (fc1)

2801Voice_Gateway_MI uptime is 46 weeks, 1 hour, 18 minutes

System returned to ROM by power-on

System restarted at 09:38:26 CEST Mon Aug 24 2009

System image file is "flash:c2801-spservicesk9-mz.124-6.T7.bin"

Cisco 2801 (revision 4.1) with 235520K/26624K bytes of memory.

Processor board ID FCZ091622WG

2 FastEthernet interfaces

4 ISDN Basic Rate interfaces

1 DSP, 8 Voice resources

DRAM configuration is 64 bits wide with parity disabled.

191K bytes of NVRAM.

Configuration register is 0x2102

2801Voice_Gateway_MI#show flash:

%Error show flash: (No device available).

What is the reason for the appearance of this error?

From the show version output, it seems like the flash card is not recognized by the hardware. Most likely it is a bad flash card issue, or it could be a bad slot on the router as well. If you have a spare flash card (known to be good), please try it on the router. If that is also not recognized, I would suspect the router itself. You might have to get the router replaced.


Sunday, July 18, 2010

Details about C6509-E with the modules VS-S720-10G-C,WS-X6708-10G-3C, and WS-X6548-GE-45AF.

We are building a C6509-E chassis that will have dual sups with the following modules:

VS-S720-10G-C

Does this already come with the MSFC3/PFC3C?

WS-X6548-GE-45AF

Does this already come with the WS-F6K-AF card?

What is the difference between this and the WS-X6148A-GE-45AF line card?

WS-X6708-10G-3C

Does this already come with the WS-F6700-DFC3C card?

VS-S720-10G-3C

Yes it does. BTW it is VS-S720-10G-3C.

WS-X6708-10G-3C

Yes, it does.

WS-X6548-GE-45AF

Yes it does

When you order using Cisco configuration tool you will see some items that have value of $0 and those are the cards that already come with the sup or module.

For example, the part number below comes with the SUP-720-VS and has a $0 value:

Cisco VS-F6K-MSFC3 Catalyst 6500 Multilayer Switch Feature Card (MSFC) III

Regarding the difference between WS-X6548-GE-45AF and WS-X6148A-GE-45AF, one of the most important differences is the forwarding architecture:

- WS-X6148A-GE-45AF is a classic line card that uses the 32Gb shared bus
- WS-X6548-GE-45AF is a CEF256 line card

More differences are the maximum Jumbo frame they support and their port buffer size:

- WS-X6148A-GE-45AF: Jumbo size up to 9216 bytes and 5.5MB of port buffer size per port.
- WS-X6548-GE-45AF: Jumbo size up to 1518 bytes and 1.4MB of port buffer size per 8 ports.


Top 5 Tech Support questions on Cisco System's products - 7/11/10 Weekly Update

The most actively discussed Tech Support questions on the web for Cisco System's products (Week of July 11th 2010)
  1. Where can we find SCCP Version in CUCM 7.0?
  2. How to implement Cisco ASA and replace Checkpoint
  3. Problems with FWSM 3.2(2)
  4. Problem in upgrading 7921 to 1.3.4sr1 on UCM 7.1.5
  5. Where can we find the Cisco 7206VXR G2 number of routing table entry?


Friday, July 16, 2010

ACL Nating issue

We have a 2811 router with 2 external "outside" interfaces, Fa0/1 and Fa0/2/0. The problem is that when it comes to NAT of inside source addresses, NATing only works for addresses listed in the first access list of the first NAT statement. Below are the config snippets and the routing table.

interface FastEthernet0/1
ip address 172.24.170.39 255.255.255.128
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/2/0
ip address 10.1.1.198 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
access-list 30 permit 172.16.4.0 0.0.3.255
access-list 30 permit 172.16.8.0 0.0.3.255
access-list 30 permit 172.16.20.0 0.0.3.255
access-list 30 permit 192.168.100.0 0.0.0.255
access-list 31 permit 172.16.20.0 0.0.3.255 log
ip nat inside source list 30 interface FastEthernet0/1 overload
ip nat inside source list 31 interface FastEthernet0/2/0 overload

172.17.0.0/30 is subnetted, 1 subnets
C 172.17.254.4 is directly connected, FastEthernet0/0
172.16.0.0/16 is variably subnetted, 6 subnets, 2 masks
S 172.16.20.0/22 [1/0] via 172.17.254.6
S 172.16.16.0/22 [1/0] via 172.17.254.6
S 172.16.12.0/22 [1/0] via 172.17.254.6
S 172.16.8.0/22 [1/0] via 172.17.254.6
S 172.16.10.14/32 [1/0] via 172.24.170.1
S 172.16.4.0/22 [1/0] via 172.17.254.6
172.24.0.0/16 is variably subnetted, 2 subnets, 2 masks
S 172.24.42.132/32 [1/0] via 172.24.170.1
C 172.24.170.0/25 is directly connected, FastEthernet0/1
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
S 10.8.0.0/16 [1/0] via 172.24.170.1
C 10.1.1.0/24 is directly connected, FastEthernet0/2/0
S 192.168.100.0/24 [1/0] via 172.17.254.6

For example, a client with IP 172.16.20.25 pings 10.8.27.71 -> NAT takes place with the new source IP of Fa0/1, which is 172.24.170.39, as shown in the debug below:
NAT*: s=172.16.20.25->172.24.170.39, d=10.8.27.71 [11077]
Now the same client pings 10.1.1.254, but the router is still NATing with the new source IP of Fa0/1:
NAT*: s=172.16.20.25->172.24.170.39, d=10.1.1.254 [11175]
Why is it not using the routing table and NATing to Fa0/2/0?

ACLs are checked from top to bottom. When you ping the 10.1.x.x network, ACL 30 still gets matched, and since this ACL is associated with the first NAT statement, NAT takes place as per the first NAT statement.
The router has no way of knowing when to use the second NAT statement, because the traffic is already matched by ACL 30 and there are two outside NAT interfaces, unless you match on a specific source and destination, i.e. using an extended ACL.
It is suggested that you use extended ACLs like the ones below:
access-list 101 permit ip 172.16.4.0 0.0.3.255 10.8.0.0 0.0.255.255
access-list 101 permit ip 172.16.8.0 0.0.3.255 10.8.0.0 0.0.255.255
access-list 101 permit ip 172.16.20.0 0.0.3.255 10.8.0.0 0.0.255.255
access-list 101 permit ip 192.168.100.0 0.0.0.255 10.8.0.0 0.0.255.255
access-list 102 permit ip 172.16.20.0 0.0.3.255 10.1.1.0 0.0.0.255 log
ip nat inside source list 101 interface FastEthernet0/1 overload
ip nat inside source list 102 interface FastEthernet0/2/0 overload
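
The first-match behaviour described in this answer can be checked offline. The following is an added example, not code from the original post or from Cisco: a simplified Python model that assumes NAT statements are tried in configuration order and the first permitting ACL wins, as the answer states. The function names are hypothetical; the ACL entries and addresses are the ones quoted in the post.

```python
import ipaddress


def wc_match(addr, base, wildcard):
    """IOS wildcard match: bits set in the wildcard mask are ignored."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    return (a & care) == (b & care)


# Standard ACLs from the question: each entry is (source, wildcard).
ACL_30 = [
    ("172.16.4.0", "0.0.3.255"),
    ("172.16.8.0", "0.0.3.255"),
    ("172.16.20.0", "0.0.3.255"),
    ("192.168.100.0", "0.0.0.255"),
]
ACL_31 = [("172.16.20.0", "0.0.3.255")]

# Extended ACLs from the answer: (source, wildcard, destination, wildcard).
ACL_101 = [(s, w, "10.8.0.0", "0.0.255.255") for s, w in ACL_30]
ACL_102 = [("172.16.20.0", "0.0.3.255", "10.1.1.0", "0.0.0.255")]

# NAT statements in configuration order: (ACL, outside interface).
ORIGINAL = [(ACL_30, "FastEthernet0/1"), (ACL_31, "FastEthernet0/2/0")]
SUGGESTED = [(ACL_101, "FastEthernet0/1"), (ACL_102, "FastEthernet0/2/0")]


def acl_permits(acl, src, dst):
    """True if any entry permits the packet; otherwise the implicit deny applies."""
    for entry in acl:
        if len(entry) == 2:            # standard ACL: source only
            if wc_match(src, *entry):
                return True
        else:                          # extended ACL: source and destination
            s, sw, d, dw = entry
            if wc_match(src, s, sw) and wc_match(dst, d, dw):
                return True
    return False


def select_nat(rules, src, dst):
    """Return the interface of the first NAT statement whose ACL matches."""
    for acl, iface in rules:
        if acl_permits(acl, src, dst):
            return iface
    return None                        # no statement matched: not translated


def report():
    """Selected NAT interface per flow, for both rule sets."""
    flows = [
        ("172.16.20.25", "10.8.27.71"),     # ping from the question
        ("172.16.20.25", "10.1.1.254"),     # ping that used the wrong interface
        ("172.16.20.25", "172.24.42.132"),  # host route via Fa0/1 in the table
    ]
    return [(s, d, select_nat(ORIGINAL, s, d), select_nat(SUGGESTED, s, d))
            for s, d in flows]


if __name__ == "__main__":
    for src, dst, before, after in report():
        print(f"{src} -> {dst}: original={before} suggested={after}")
```

The third flow shows a side effect of matching on destination: 172.24.42.132 is routed out FastEthernet0/1 in the posted routing table but lies outside 10.8.0.0/16, so with the suggested ACLs it is no longer translated unless an entry is added for it.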


What are the steps for the configuration of Auto Attendant TCL?

We have a Call Manager 7.1 and a Cisco 2851-V/K9 working as an MGCP gateway of CM with an E1 trunk. We want to use a TCL script on the MGCP gateway as Auto-Attendant and have the file its-CISCO.2.0.1.0.tcl. What are the steps for the configuration?

It probably won't work with an MGCP gateway. Please click here for the documentation to use after you convert the gateway to H.323 or SIP.
No need to configure CME. However, you may want SRST in CME mode.

Thursday, July 15, 2010

Where can we find SCCP Version in CUCM 7.0?


  1. The version is 17. Please click here for documentation on Network support for UCM7.x and SCCPv17.
  2. The version of SCCP is not determined by the CUCM, it's actually determined by whatever Firmware is loaded on the phone. If you want to find out what version of SCCP a phone is running, the best way I found was to create a test CME lab. Once the phone is registered with CME, then do a 'show ephone' command and it will display the SCCP version that phone's firmware is communicating with. The output looks like this:
ephone-1 Mac:XXXX.XXXX.XXXX TCP socket:[1] activeLine:0 REGISTERED in SCCP ver 17 and Server in ver 5
mediaActive:0 offhook:0 ringing:0 reset:0 reset_sent:0 paging 0 debug:0
IP:X.X.X.X 23648 7911 keepalive 132 max_line 2 dual-line
button 1: dn 1 number 2001 CH1 IDLE CH2 IDLE
Note: This command also works when phones are in SRST fallback mode, and you will see the version of SCCP as well.

As of CUCM 7.1(3), the latest firmware for most phones is 8.5(3) which does run SCCP version 17. But if you download the latest firmware for some phones, they are running SCCP version 19!

Wednesday, July 14, 2010

Where can we find the Cisco 7206VXR G2 number of routing table entry?

Where do we find the maximum number of routing table entries Cisco 7206VXR G2 can handle, if possible, please also provide the reference.

The NPE-G2 comes with default RAM of 1GB, which is well adequate to hold full internet routes. In our network, NPE-G2s are running with 3.5 lakhs of internet routes and still have around 460MB of processor memory free. BGP routes alone hold 41MB of memory ("show ip bgp sum" gives you the memory held by BGP). If you are opting to receive a full internet feed, then select an IOS which has the BGP Next-Hop Tracking feature, which significantly reduces the load on the CPU due to the BGP scanner.

Tuesday, July 13, 2010

Problem in upgrading 7921 to 1.3.4sr1 on UCM 7.1.5

We tried upgrading the 7921 phones from 1.3.3 to 1.3.4sr1. The UCM server has version 7.1.5.
  1. USB --> 99% and it just stops (stopped other nic's of the pc).
  2. Wifi --> same
  3. TFTP UCM --> tried the SGN file (stopped the tftp service), changed the device defaults.
  4. We uploaded the file in the root. Phone gives a error. The error says "Can't download image"
  5. We also tried the unpack the .TAR file and uploaded the .load file to UCM. Changed the device default settings. But the same error remains.
Upgrade to 1.3.3 worked fine. Tried several 7921 phones.

Debugging option

The .COP.SGN file should be installed through the OS Administration Install/Upgrade software mechanism. These statements sound as if you are manually uploading files to the TFTP server which will not work. Please click here for Cisco's and make sure that you do the publisher first so Informix gets updated.

Problems with FWSM 3.2(2)

We have an FWSM with s/w 3.2(2). While we were creating the access list, an error message appeared:

"ERROR: Unable to add, access-list config limit reached"

This FWSM is in single mode, not multiple. We can't find the "resource acl-partition" command although it is found in the guide. Is this command applied only for multiple context? If yes, what are the methods that can be used to solve this problem in a single FW?

You can do "show resource usage".

Or "sh access-list | i element".

You are probably close to the 3.2 ACL limit (75K). Yes - the 'resource acl-partition' is supported only in multi-context mode. When you look at the Command Reference Guide, you will see that there is a dot only under the 'System' context in the Multiple Context mode. This implies that the command is only available via the System context:

Please click here for more details on Resource acl partition.

If you are seeing this issue on a single-context FWSM, your only means of recourse is to reduce the number of ACL entries that you have. This may be best accomplished by combining host access-list entries into subnet entries. Any approach that you can use to make your access-lists "less specific" will oftentimes reduce the amount of resources that the ACL takes up.
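
One way to combine host entries into subnet entries without permitting anything new, as an added example that is not part of the original answer or any Cisco tool. It assumes ACEs written in the FWSM form `access-list NAME extended ACTION PROTO SOURCE ...` with subnet-mask notation, merges only adjacent entries that differ in source alone (so first-match order is preserved), and uses constructed sample lines with documentation addresses; the function names are hypothetical.

```python
import ipaddress
import re
from itertools import groupby

# Source is either "host A.B.C.D" or "A.B.C.D MASK"; the rest of the ACE
# (destination, ports) is captured verbatim in the last group.
ACE_RE = re.compile(
    r"^access-list (\S+) extended (permit|deny) (\S+) "
    r"(?:host (\d\S*)|(\d\S*) (\d\S*)) (.+)$")

# Constructed sample configuration, not taken from the post.
SAMPLE = """\
access-list OUTSIDE_IN extended permit tcp host 192.0.2.8 host 10.0.0.5 eq 443
access-list OUTSIDE_IN extended permit tcp host 192.0.2.9 host 10.0.0.5 eq 443
access-list OUTSIDE_IN extended permit tcp host 192.0.2.10 host 10.0.0.5 eq 443
access-list OUTSIDE_IN extended permit tcp host 192.0.2.11 host 10.0.0.5 eq 443
access-list OUTSIDE_IN extended permit tcp host 192.0.2.13 host 10.0.0.5 eq 443
access-list OUTSIDE_IN extended permit tcp host 198.51.100.4 host 10.0.0.9 eq 22
access-list OUTSIDE_IN extended permit tcp host 198.51.100.5 host 10.0.0.9 eq 22
access-list OUTSIDE_IN extended deny ip any any
""".splitlines()


def parse(line):
    """Return (key, source network) for an ACE with an IPv4 source, else None."""
    m = ACE_RE.match(line.strip())
    if not m:
        return None
    name, action, proto, host, net, mask, rest = m.groups()
    try:
        source = ipaddress.IPv4Network(host if host else f"{net}/{mask}")
    except ValueError:          # named host, bad mask, host bits set: leave as is
        return None
    return (name, action, proto, rest), source


def consolidate(lines):
    """Merge runs of adjacent ACEs that differ only in their source address."""
    out = []
    keyed = [(parse(line), line.strip()) for line in lines]
    for key, run in groupby(keyed, key=lambda p: p[0][0] if p[0] else None):
        run = list(run)
        if key is None:         # not mergeable: pass through unchanged
            out.extend(line for _, line in run)
            continue
        name, action, proto, rest = key
        # collapse_addresses only joins complete, aligned blocks, so the
        # merged entries cover exactly the same sources as before.
        for net in ipaddress.collapse_addresses(src for (_, src), _ in run):
            if net.prefixlen == 32:
                src = f"host {net.network_address}"
            else:
                src = f"{net.network_address} {net.netmask}"
            out.append(f"access-list {name} extended {action} {proto} {src} {rest}")
    return out


def covered(lines):
    """Every (ACE key, source address) pair the parsed entries match on."""
    result = set()
    for line in lines:
        parsed = parse(line)
        if parsed:
            key, source = parsed
            result.update((key, ip) for ip in source)
    return result


if __name__ == "__main__":
    merged = consolidate(SAMPLE)
    print("\n".join(merged))
    print(f"{len(SAMPLE)} entries -> {len(merged)}; "
          f"same coverage: {covered(SAMPLE) == covered(merged)}")
```

Comparing `covered()` before and after is the check to keep when going further toward "less specific" entries by hand, since any difference there is access that the original list did not grant.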

How to configure SPAN on 6500 Series?

How do we configure SPAN on the 6500 series for a SNORT IDS? It has multiple VLANs, and all of those VLANs are layer 2.

The following configuration will work for local SPAN and will send all traffic to the configured destination port, Gi9/10:
monitor session 1 source Vlan 1-100 , 350
monitor session 1 destination interface G9/10

Check out the following link for span configuration on 6500 series switches.

Monday, July 12, 2010

What are the Cisco VPN-capable devices that can use SHA-2?

Are there any documents for Cisco VPN-capable devices that can use SHA-2 as an ISAKMP hashing algorithm?
  1. Please refer to the SA 500 Series Security Appliances Administration Guide, ~ page 159. You can click here to access the Guide.
  2. The Release Notes for Cisco ASR 1000 Series Aggregation Services Routers for Cisco IOS XE Release 2 is another good source. You can click here to access the same.

How to implement Cisco ASA and replace Checkpoint

We are looking at the ASA 5510 to replace a Checkpoint Nokia IP260 cluster using VRRP.
  1. Does the ASA support automatic failover if one of the nodes in a cluster fails?
  2. We currently have ISP redundancy with Checkpoint. Does the ASA support that, and is failover dynamic or a manual process?

  1. Yes. The units monitor themselves, whichever is healthier takes care of the traffic, and they can fail over between each other automatically.
  2. Yes, the ASA supports ISP redundancy, and it is called route tracking. Please click here for further details.

Thursday, July 8, 2010

Details of Cisco ASA 5520. Does it support VPN?

How can we know that the Cisco ASA 5520 will support VPN? Is there any additional module to be inserted?

Yes, it supports VPNs. Please see the table for more information on your model. You do not need any VPN modules; it is all integrated. You can also see the enabled/disabled firewall features in the output of show version from the firewall command line.

Please click here for more details and comparisons on the models
Please click here for details on VPN config examples RA or L2l etc.
Please click here to see a video introduction of the product. This will be very helpful to get you started with overall information of the firewall.

How can we configure ASA 5505 from remote site using ASDM?

We would like to administer the ASA 5505 from another site, which is linked via a site-to-site IPsec LAN. How do we enable this feature?

You can administer an ASA remotely by using the public IP (via the Internet), or via the tunnel by reaching the private IP. You can reach the private IP by enabling the command:

management-access inside

Then you can access the ASA by its private IP via CLI or GUI.
