
Wednesday, November 30, 2011

3750G IOS upgrade issue

We upgraded our IOS to the current version from the Cisco download site. Now when we log into the switch with the GUI from IE we only get the Express Setup page. We applied the settings and rebooted the switch, and it still comes back to Express Setup.
System image file is "flash:/c3750-ipservicesk9-mz.122-55.SE4/c3750-ipservicesk9-mz.122-55.SE4.bin"

You might be running 12.2(50) or later; for those releases you need CNA 5.0. Please click here to download it.


Citation - This blog post does not reflect original content from the author. Rather it summarizes content that are relevant to the topic from different sources in the web. The sources might include any online discussion boards, forums, websites and others.

Tuesday, November 29, 2011

Archive Command on Catalyst 3750 - Time-Period not working

We implemented the following config on our Catalyst 3750 with IOS version 12.2(50)SE3, but our configs are not being backed up every day like they are supposed to be:

archive
path tftp://10.6.0.90/$h-config-$t
write-memory
time-period 1400

As soon as we do the write command or the archive config command, a copy of our config is sent to our TFTP server. But nothing is written to our TFTP server every day, as the time-period command in our config indicates it should be.


Can you try
!
config t
!
archive
path tftp://10.6.0.90/$h-config-$t
time-period 1440
end
!
!
wr mem
!

To verify:

show archive
show run



Saturday, November 19, 2011

How do you configure Cisco ASA multiple context mode

We are looking for some clarification regarding running a Cisco ASA in transparent mode with multiple contexts. Our current network design is the following: a collapsed Core/Aggregation layer running Cisco 3750s. The 2 Cisco 3750s are using SVIs with HSRP for default gateways per customer, with a total of 8 customers. Each customer is segregated into separate VLANs with Cisco 2960 switches used in the Access layer. Each customer has 2 Cisco 2960 switches with redundant uplinks to the Core/Aggregation layer. Customers are spanning-tree load-balanced between the core/aggregation switches. What we now need to do is add two transparent firewalls into the mix in either an active/active or active/standby setup. We need the firewalls to support all 8 customers, therefore we are guessing they need to run in multiple context mode. Having read into this, we are somewhat confused as to how to integrate them into the above setup as a bump in the wire, so to speak.

You would need to create 8 transparent contexts (one per customer) and assign 2 VLANs in the same subnet to each customer. For example:
VLAN 1 and 11 for customer 1
VLAN 2 and 20 for customer 2
VLAN 3 and 30 for customer 3
and so on.

Please click here for config examples to setup Multiple modes, transparent firewall with Outside access.



Tuesday, November 15, 2011

Cisco 7609 RSP720-3CXL-GE "mls cef maximum-routes"

We receive syslog warnings that we are reaching the threshold for the maximum supported MPLS routes in the CEF table; some information is below.
What is the impact/risk if the threshold is exceeded?
What is the service impact when increasing the settings?
What do we do with the redundant Sup720?
Is there some good documentation on this? In particular for the RSP720-3CXL-GE (I found some old material on CatOS and Sup32).
ASDGTS1CRT01#sh mls cef maximum-routes
FIB TCAM maximum routes :
=======================
Current :-
-------
IPv4 - 450k
MPLS - 384k
IPv6 + IP Multicast - 88k (default)
ASDGTS1CRT01#sh mls cef sum
Total routes: 750214
IPv4 unicast routes: 375897
IPv4 Multicast routes: 3
MPLS routes: 374036
IPv6 unicast routes: 0
IPv6 multicast routes: 0
EoM routes: 278

Actually the RSP720-3CXL can hold up to 1M IPv4 + MPLS routes. Your current values are 450k + 384k = 834k, so you have some room to increase that:
- Theoretically this maximum number of routes can be adjusted with the following commands:
mls cef maximum-routes ip 500
mls cef maximum-routes mpls 500
reload
(500 or any number that can support all the routes.)
- Please be aware that if we change the maximum number of IPv4 + MPLS routes to 1M, there will be little resource left for IPv6 and multicast:
IPv4 - 500k
MPLS - 500k
IPv6 + IP Multicast - 8k (default)
- Also, changing that can exhaust all available memory in the TCAM. In some cases that can lead to CEF switching itself off to resume normal operation of the router, which in turn leads to packets being process switched. So fine tuning should be done carefully.


- If the total is below the processor limit, then CEF just stops storing routes above the limit to the TCAM, and those can be software switched, increasing CPU load. If it is close to the physical limit, then memory can be exhausted and in some corner cases CEF can be switched off automatically to resume normal operation of the router.

- You need to reload to apply the changes; also, reaching the maximum limits can sometimes lead to CEF problems due to lack of memory.

- The redundant Sup does not participate in control plane decisions; it just syncs its state with the active one. Nothing more.

A whole-chassis reload is needed, as this has to be populated to the TCAM.
If you just reload the standby, it would still get in sync with the active and take the current TCAM values from it, so your changes would not be applied. Thus a maintenance window should be organized for that. But I would also start checking the routes to see whether any can be removed. You don't have much room for a TCAM increase, so you might soon get it filled as well, and then you will reach the HW limit. So this is possibly a good moment to start revising those now.
Though that really depends on your network.
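The answer above does the capacity arithmetic by hand. The following is an added example (not part of the original thread) that turns it into a repeatable check: it parses the two show-command outputs quoted in the question and reports per-region TCAM utilization, flags regions over a warning threshold, and tests whether a proposed new IPv4/MPLS split fits under the 1M ceiling the answer states for the RSP720-3CXL. The 90% warning threshold is an assumption for this example, not a platform default.

```python
import re

# Constructed sample output, copied from the figures quoted in the question above.
MAX_ROUTES_OUTPUT = """\
FIB TCAM maximum routes :
=======================
Current :-
-------
IPv4 - 450k
MPLS - 384k
IPv6 + IP Multicast - 88k (default)
"""

SUMMARY_OUTPUT = """\
Total routes: 750214
IPv4 unicast routes: 375897
IPv4 Multicast routes: 3
MPLS routes: 374036
IPv6 unicast routes: 0
IPv6 multicast routes: 0
EoM routes: 278
"""

PLATFORM_LIMIT_K = 1000  # IPv4 + MPLS ceiling quoted in the answer (1M on RSP720-3CXL)
WARN_PCT = 90.0          # assumed warning threshold for this example, not a Cisco default


def parse_maximum_routes(text):
    """Map each TCAM region of 'show mls cef maximum-routes' to its limit in routes."""
    limits = {}
    for m in re.finditer(r"^(\S.*?) - (\d+)k", text, re.MULTILINE):
        limits[m.group(1).strip()] = int(m.group(2)) * 1000
    return limits


def parse_summary(text):
    """Pull the IPv4 unicast and MPLS counts out of 'show mls cef summary'."""
    used = {}
    used["IPv4"] = int(re.search(r"IPv4 unicast routes:\s*(\d+)", text).group(1))
    used["MPLS"] = int(re.search(r"MPLS routes:\s*(\d+)", text).group(1))
    return used


def utilization(limits, used):
    """Percent of each configured TCAM region in use, plus a warning flag."""
    report = {}
    for region, count in used.items():
        pct = 100.0 * count / limits[region]
        report[region] = {"used": count, "limit": limits[region],
                          "pct": round(pct, 1), "warn": pct >= WARN_PCT}
    return report


def allocation_fits(ipv4_k, mpls_k, platform_k=PLATFORM_LIMIT_K):
    """Does a proposed 'mls cef maximum-routes' split fit under the platform ceiling?"""
    return ipv4_k + mpls_k <= platform_k


if __name__ == "__main__":
    rep = utilization(parse_maximum_routes(MAX_ROUTES_OUTPUT), parse_summary(SUMMARY_OUTPUT))
    for region, r in rep.items():
        print(f"{region}: {r['used']}/{r['limit']} ({r['pct']}%)", "WARN" if r["warn"] else "ok")
    print("500k/500k fits under 1M:", allocation_fits(500, 500))
```

On the question's figures the MPLS region is already above 97% while IPv4 sits near 84%, which is why the warnings fire on MPLS first.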



Monday, November 14, 2011

Spanning- tree priority with VPC

We are deploying a pair of Nexus 3064 switches in a vPC, and they will handle all of the Layer 3 routing and switching for a small data center. Do we need to set their spanning tree priority the same if they will be configured as a vPC? Example: primary - 4096, secondary - 4096.

Having the same bridge priority is not a requirement to maintain vPC consistency. Even if you had the highest bridge priority in the secondary, your vPC primary would forward BPDUs in the vPC domain. Quoted from "Cisco NX-OS Virtual PortChannel: Fundamental Design Concepts...": "vPC by default ensures that only the primary switch forwards BPDUs on vPCs. This modification is strictly limited to vPC member ports. As a result, the BPDUs that may be received by the secondary vPC peer on a vPC port are forwarded to the primary vPC peer through the peer link for processing. Note: Non-vPC ports operate like regular spanning-tree ports. The special behavior of the primary vPC member applies uniquely to ports that are part of a vPC."

Please click here for the Design Guide for Cisco NX-OS
Please click here for spanning tree design guidelines

Having the same (highest) priority would also be no problem because in the non-vPC context (i.e. classic spanning tree topology) there would be a tie-breaker (lowest MAC) to elect the root.



Thursday, November 10, 2011

VPN 2 ISP's Main Office - 1 ISP BranchOffice Gateway Problem

We currently have an Exchange server located at our head office, IP address 192.168.0.10, with a Cisco firewall/modem at gateway address 192.168.0.254 connecting to the Internet, picking up Exchange mail and providing web browsing for the PCs attached to the head office.
We recently installed an additional Cisco VPN router at address 192.168.0.253 (head office) with its own ISP connection to allow the remote office to connect to our server and hopefully access Exchange mail, accounting software etc.

A VPN Tunnel has been setup between Head office and the remote office; the tunnel stays connected and works fine. We can ping or connect to any computer at the remote office from the head office.

The problem is that we can't ping or connect to any computers at the head office from the remote site that don't have the Cisco VPN router's IP address (192.168.0.253) as their gateway.

The IP range at the remote office is 192.168.12.1-254; the gateway address is 192.168.12.1.

We can ping any computer at the head office from the remote office if the gateway address on the PC at the head office is changed to 192.168.0.253.
Is there any way to translate IP addresses to allow access to servers/printers at the head office from the remote office?
Remote office IP range
192.168.12.1 - 192.168.12.254
DNS server (Windows 2008 Standard Server) 192.168.12.20
Gateway IP 192.168.1.1

Head office IP range
192.168.0.1 - 192.168.0.254
DNS server (Windows 2003 Standard Server) 192.168.0.254
Gateway IP 192.168.0.10

Other servers we need to access at the head office from the remote office
192.168.0.10 Exchange/Active Directory server
192.168.0.20 Aristocrat database server
192.168.0.4 Document server

Routers - Cisco 8-port VPN routers, model no. RV082

Looks like you have a routing issue at the head office.

Basically, you have two different routers but only one default route; since you don't have an entry for the network at the remote end, the traffic is sent to the default gateway, which doesn't know where to send the traffic, so it drops it.

You can do one of two things.

1) Connect the two routers to the same layer 2 domain (which it seems you may have already), and put a static route into the device at 192.168.0.254 basically saying "anything for network 192.168.12.0/24, send via 192.168.0.253". Not sure of the exact format for this because I've not worked with these apparent Linksys devices before, but on an IOS router you would do something like

ip route 192.168.12.0 255.255.255.0 192.168.0.253

on the device at 192.168.0.254.

2) Put a static route for the 192.168.12.0/24 network into every device/PC/server on the 192.168.0.0 network. On a Windows machine it goes something like this:

route add -p 192.168.12.0 mask 255.255.255.0 192.168.0.253

Option 1 is easier and has the benefit of only needing to be done on one device, but may lead to issues with redirects or traffic load levels on your main router.
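To make the answer's reasoning concrete, here is an added example (not from the original thread) that models the three head-office forwarding tables with a longest-prefix-match lookup and follows a reply packet hop by hop. It uses the question's addresses; the "INTERNET" and "TUNNEL" labels and the exact table contents are assumptions about the devices, not configuration read from them.

```python
import ipaddress

# Addresses from the question above.
FW = "192.168.0.254"           # firewall/modem, default gateway of the head-office hosts
VPN = "192.168.0.253"          # VPN router that terminates the tunnel to the remote office
REMOTE_HOST = "192.168.12.20"  # a remote-office host (its DNS server in the question)

# Assumed routing tables as (prefix, next_hop). "TUNNEL" hands the packet to the VPN;
# "INTERNET" hands it to an ISP, where a private 192.168.x destination is never delivered.
HOST_DEFAULT = [("192.168.0.0/24", "CONNECTED"), ("0.0.0.0/0", FW)]
VPN_TABLE = [("192.168.0.0/24", "CONNECTED"), ("192.168.12.0/24", "TUNNEL"),
             ("0.0.0.0/0", "INTERNET")]
FW_BEFORE = [("192.168.0.0/24", "CONNECTED"), ("0.0.0.0/0", "INTERNET")]
# Option 1: 'ip route 192.168.12.0 255.255.255.0 192.168.0.253' on the .254 device
FW_AFTER = FW_BEFORE + [("192.168.12.0/24", VPN)]
# Option 2: 'route add -p 192.168.12.0 mask 255.255.255.0 192.168.0.253' on each host
HOST_OPTION2 = HOST_DEFAULT + [("192.168.12.0/24", VPN)]


def lookup(table, dst):
    """Longest-prefix match: the most specific prefix containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best_net, best_nh = None, None
    for prefix, nh in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_nh = net, nh
    return best_nh


def trace_reply(host_table, fw_table, dst=REMOTE_HOST):
    """Follow a head-office host's reply until it reaches the tunnel or leaves the LAN."""
    tables = {FW: fw_table, VPN: VPN_TABLE}
    path, nh = [], lookup(host_table, dst)
    while nh in tables:      # next hop is a router on the head-office LAN: keep forwarding
        path.append(nh)
        nh = lookup(tables[nh], dst)
    path.append(nh)          # terminal outcome: TUNNEL, INTERNET or CONNECTED
    return path


def reaches_remote(path):
    """True only when the reply actually enters the site-to-site tunnel."""
    return path[-1] == "TUNNEL"


if __name__ == "__main__":
    print("no fix  :", trace_reply(HOST_DEFAULT, FW_BEFORE))  # ['192.168.0.254', 'INTERNET']
    print("option 1:", trace_reply(HOST_DEFAULT, FW_AFTER))   # ['192.168.0.254', '192.168.0.253', 'TUNNEL']
    print("option 2:", trace_reply(HOST_OPTION2, FW_BEFORE))  # ['192.168.0.253', 'TUNNEL']
```

The unfixed case shows why the remote site sees no replies even though the tunnel is up: the return traffic never reaches the VPN router.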



RV220W Critical error

We were trying to adjust some parameters in the administrative interface on the RV220W when we got the message 'A critical error encountered while loading web page'. At this point the admin web page was 'locked', and we had to close the page and log back in again. We were trying to adjust the remote logging parameters when this happened. We checked the logs, but there was no information about this problem.

A critical error is encountered when attempting to configure settings for remote logging to a syslog server.

This is a known bug in the product and the issue has been fixed. Please contact Cisco Support Center if you need this fix immediately.

Workaround:
Enable email logging on the Administration > Logging > Remote Logging Configuration page.

Note: you do not need a real email server in the LAN to apply the workaround.



Monday, November 7, 2011

Top 5 Tech Support questions on Cisco Systems' products - Weekly Update Nov 1st

The most actively discussed tech support questions on the web for Cisco Systems' products (week of Nov 1st 2011)
  1. 2950T IOS Update Failure
  2. Cat6500 w/Sup-720 sup-bootdisk error
  3. Traceroute output !A * !A
  4. DMVPN Tunnel Stuck in Exstart/BDR
  5. CAT 4500 error 4900M - %C4K_SWITCHINGENGINEMAN-4-VFEICINTERRUPTICCERR:

2950T IOS Update Failure

We are trying to update a switch we bought to the latest IOS using the Cisco Network Assistant, but it is failing because it says we don't have the space.

In the CLI we get,

Switch#dir all-filesystems
Directory of flash:/
2 -rwx 109 Mar 01 1993 00:01:47 +00:00 info
3 -rwx 270 Jan 01 1970 00:01:37 +00:00 env_vars
7 -rwx 3081999 Mar 01 1993 00:03:23 +00:00 c2950-i6q4l2-mz.121-22.EA1.bin
8 drwx 2688 Mar 01 1993 00:05:25 +00:00 html
90 -rwx 109 Mar 01 1993 00:05:26 +00:00 info.ver
7741440 bytes total (1233920 bytes free)
Directory of nvram:/
30 -rw- 0 startup-config
31 ---- 0 private-config
32768 bytes total (32716 bytes free)
Directory of system:/
2 dr-x 0 memory
1 -rw- 1133 running-config
No space information available

How do we clear all this out to make room for the new IOS? We are trying to install c2950-i6k2l2q4-mz.121-22.EA14.bin.

Use the CLI directly to upgrade your IOS. Not sure why the Cisco Network Assistant is refusing to upgrade your IOS. Yes, it would need to delete the current image and store the new one, but that is how the upgrade is supposed to happen.

Try the following steps:
  • Place the new image on a network server in a folder that is accessible via HTTP, FTP or TFTP from the switch. Let's assume it is HTTP (recommended).
  • Verify that the switch can ping the server.
  • Use the delete flash:c2950-i6q4l2-mz.121-22.EA1.bin command to delete the existing IOS image from the flash on your switch.
  • Use the copy http://X.X.X.X/some_path/c2950-i6k2l2q4-mz.121-22.EA14.bin flash: command to copy the new IOS image from the HTTP server X.X.X.X (replace with the appropriate IP address and path) to your flash.
  • After the transfer is complete, enter global configuration mode and enter the command boot system flash:/c2950-i6k2l2q4-mz.121-22.EA14.bin to configure the switch to immediately boot the new image.
  • Exit configuration mode, save your configuration, and reload your switch.



Cat6500 w/Sup-720 sup-bootdisk error


We are trying to upgrade the IOS on a 6500 Sup-720 and we are getting an error.

Loading s72033-advipservicesk9_wan-mz.122-33.SXI3.bin from 10.9.0.81 (via Vlan2): !
%Error writing sup-bootdisk:/s72033-advipservicesk9_wan-mz.122-33.SXI3.bin (Bad service code)

We can't seem to find anything about this particular error.

This means the IOS is unable to read the sup-bootdisk and its contents. Maybe the filesystem has become corrupted.

Please try formatting/erasing the sup-bootdisk.
- The command may be something like "format sup-bootdisk" or "erase sup-bootdisk".
MAKE SURE YOU DON'T REBOOT THE SUP ENGINE AFTER FORMATTING OR ERASING THE SUP-BOOTDISK. Have an IOS image on another disk and point your boot system command to the IOS on that disk, because if during reboot the Sup is not able to read an IOS image from sup-bootdisk, it will drop to ROMMON mode.



Friday, November 4, 2011

Traceroute output !A * !A

We are getting this output doing a traceroute:

Router# trace 172.20.5.51

1 10.1.15.42 0 msec 0 msec 4 msec
2 172.20.10.26 !A * !A

Everything is fine.
The IP 172.20.5.51 is a loopback of the same device that has the 172.20.10.26 on a physical interface (so the packet is getting to the destination fine, connectivity is fine).

But we haven't found the meaning of the !A * !A output.

The !A indicates an "Administratively Prohibited" reply was received from the remote node; the * indicates the probe timed out.

Perhaps the node at 172.20.10.26 has an access list on the interface which denies ICMP replies in some form or another.

Please click here for a document that lists the Cisco traceroute reply codes.



Thursday, November 3, 2011

DMVPN Tunnel Stuck in Exstart/BDR


We have a network consisting of 13 routers all of which connect via DMVPN. Two of the routers are hubs, one with an OSPF priority of 255 and the other 253. All spoke routers form an adjacency (FULL/DR) with the router with a priority of 255. All routers trying to form an adjacency with the other hub stay stuck in the EXSTART/BDR state and eventually transition to DOWN/DROTHER due to "too many retransmissions."

We have tried using ip ospf mtu-ignore on both the hub and spoke routers. We have run debug ip ospf adj on both hub and spoke and don't see any error signifying an MTU mismatch. We have also tried increasing the retransmit-interval on the spoke. We have verified that the hello, dead, wait, and retransmit timers are the same.

Here are possible reasons why you get stuck in the EXSTART phase:
  1. MTU problem, meaning the routers can only ping packets up to a certain length.
  2. An access list is blocking the unicast packets.
  3. NAT is running on the router and is translating the unicast packets.
  4. Both routers have the same router ID (misconfiguration).
  5. You can try adding "tunnel path-mtu-discovery" on all of your interfaces.
  6. It could be that your NHRP maps and/or your NHS configs are a bit off. Double check them, making sure they are correct.
  7. Also, you can do a debug ip ospf events on both routers and see who is not sending the hellos.



Wednesday, November 2, 2011

CAT 4500 error 4900M - %C4K_SWITCHINGENGINEMAN-4-VFEICINTERRUPTICCERR:


We recently upgraded a number of these model switches to cat4500e-ipbasek9-mz.122-54.SG1.bin, about 12 weeks ago. Of the 6 that we upgraded, one has had the following triggered on it.

Nov 1 13:54:54.049 ACDT: %C4K_SWITCHINGENGINEMAN-4-VFEICINTERRUPTICCERR: VFE IC iccErr interrupt. valid: 1 errStatus: 0x2000000 replyBusParity: 0xBD replyBusLog.rep: 0x8000000 0x180000C7400 log.rep: 0xF8082600000000 0x0 0x0 0x101035A extLog.rep: 0xFF00000000 0x0 0x0 0x0 tcamIfRxErrStatus.rep: 0x2000000 IC CAM stsReg.rep: 0x0 0
Nov 1 14:04:56.113 ACDT: %C4K_SWITCHINGENGINEMAN-4-VFEICINTERRUPTICCERR: VFE IC iccErr interrupt. valid: 1 errStatus: 0x2000000 replyBusParity: 0xBD replyBusLog.rep: 0x8000000 0x180000C7400 log.rep: 0xF8082600000000 0x0 0x0 0x101035A extLog.rep: 0xFF00000000 0x0 0x0 0x0 tcamIfRxErrStatus.rep: 0x2000000 IC CAM stsReg.rep: 0x0 0
Nov 1 14:14:58.173 ACDT: %C4K_SWITCHINGENGINEMAN-4-VFEICINTERRUPTICCERR: VFE IC iccErr interrupt. valid: 1 errStatus: 0x2000000 replyBusParity: 0xBD replyBusLog.rep: 0x8000000 0x180000C7400 log.rep: 0xF8082600000000 0x0 0x0 0x101035A extLog.rep: 0xFF00000000 0x0 0x0 0x0 tcamIfRxErrStatus.rep: 0x2000000 IC CAM stsReg.rep: 0x0 0
Nov 1 14:25:00.237 ACDT: %C4K_SWITCHINGENGINEMAN-4-VFEICINTERRUPTICCERR: VFE IC iccErr interrupt. valid: 1 errStatus: 0x2000000 replyBusParity: 0xBD replyBusLog.rep: 0x8000000 0x180000C7400 log.rep: 0xF8082600000000 0x0 0x0 0x101035A extLog.rep: 0xFF00000000 0x0 0x0 0x0 tcamIfRxErrStatus.rep: 0x2000000 IC CAM stsReg.rep: 0x0 0
Nov 1 14:35:02.305 ACDT: %C4K_SWITCHINGENGINEMAN-4-VFEICINTERRUPTICCERR: VFE IC iccErr interrupt. valid: 1 errStatus: 0x2000000 replyBusParity: 0xBD replyBusLog.rep: 0x8000000 0x180000C7400 log.rep: 0xF8082600000000 0x0 0x0 0x101035A extLog.rep: 0xFF00000000 0x0 0x0 0x0 tcamIfRxErrStatus.rep: 0x2000000 IC CAM stsReg.rep: 0x0 0
Nov 1 14:45:04.373 ACDT: %C4K_SWITCHINGENGINEMAN-4-VFEICINTERRUPTICCERR: VFE IC iccErr interrupt. valid: 1 errStatus: 0x2000000 replyBusParity: 0xBD replyBusLog.rep: 0x8000000 0x180000C7400 log.rep: 0xF8082600000000 0x0 0x0 0x101035A extLog.rep: 0xFF00000000 0x0 0x0 0x0 tcamIfRxErrStatus.rep: 0x2000000 IC CAM stsReg.rep: 0x0 0
Nov 1 14:55:06.417 ACDT: %C4K_SWITCHINGENGINEMAN-4-VFEICINTERRUPTICCERR: VFE IC iccErr interrupt. valid: 1 errStatus: 0x2000000 replyBusParity: 0xBD replyBusLog.rep: 0x8000000 0x180000C7400 log.rep: 0xF8082600000000 0x0 0x0 0x101035A extLog.rep: 0xFF00000000 0x0 0x0 0x0 tcamIfRxErrStatus.rep: 0x2000000 IC CAM stsReg.rep: 0x0 0

What concerns me is that there was nothing in the logs preceding this alarm. Documentation says that it's an informative message and no action is required, but why would it keep repeating on a 10 minute cycle since it was first triggered?

What you have seen are correctable parity errors. To learn more about parity errors please click here for the CCO documentation. Please click here for documentation on troubleshooting line cards.

In general that is usually transient if seen once, or a HW problem in the case of multiple occurrences. So if that is still scrolling, please consider replacement of the Supervisor (RMA). The scrolling message is confusing and possibly should be addressed in SW. However, the root cause for it is a HW parity error. A reload should stop this error; on re-occurrence, replace it.

In regards to the scrolling message, it can be both; DE actually needs to look into the code. So if that parity error stays there as not correctable and the switch does its regular routine and finds it again and again, that gives the continuous logs. I guess nothing can be changed in the way it handles that.
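The distinction the answer draws, a one-off parity error versus one that recurs on a fixed cycle, is easy to automate on a syslog collector. The following is an added example (not from the original thread) that parses IOS-style syslog lines, groups them by message mnemonic and labels each mnemonic as transient, repeated or periodic. The sample log is constructed: the timestamps and mnemonic are those quoted in the question, the message tails are shortened, and a one-off %SYS-5-CONFIG_I line is added as a control; the 30-second jitter tolerance and the minimum of three hits are assumptions.

```python
import re
from datetime import datetime
from statistics import median

# Constructed sample log (timestamps and mnemonic from the question above, tails shortened).
SAMPLE_LOG = """\
Nov 1 13:54:54.049 ACDT: %C4K_SWITCHINGENGINEMAN-4-VFEICINTERRUPTICCERR: VFE IC iccErr interrupt. valid: 1 errStatus: 0x2000000
Nov 1 14:00:12.000 ACDT: %SYS-5-CONFIG_I: Configured from console by console
Nov 1 14:04:56.113 ACDT: %C4K_SWITCHINGENGINEMAN-4-VFEICINTERRUPTICCERR: VFE IC iccErr interrupt. valid: 1 errStatus: 0x2000000
Nov 1 14:14:58.173 ACDT: %C4K_SWITCHINGENGINEMAN-4-VFEICINTERRUPTICCERR: VFE IC iccErr interrupt. valid: 1 errStatus: 0x2000000
Nov 1 14:25:00.237 ACDT: %C4K_SWITCHINGENGINEMAN-4-VFEICINTERRUPTICCERR: VFE IC iccErr interrupt. valid: 1 errStatus: 0x2000000
"""

# "Mon D HH:MM:SS.mmm TZ: %FACILITY-SEV-MNEMONIC: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d)\.\d+ \w+: "
    r"(?P<mnemonic>%[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<msg>.*)$")


def parse_log(text, year=2011):
    """Return (timestamp, mnemonic, message) for each line in IOS syslog format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # IOS timestamps carry no year, so one is supplied by the caller
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["mnemonic"], m["msg"]))
    return events


def classify(events, min_repeats=3, jitter_s=30):
    """
    Per mnemonic: ('transient', None) for a single hit, ('repeated', None) for several at
    irregular spacing, ('periodic', minutes) when at least min_repeats hits recur at a
    near-constant interval, the pattern the answer treats as a hardware fault.
    """
    by_mnemonic = {}
    for ts, mnemonic, _ in events:
        by_mnemonic.setdefault(mnemonic, []).append(ts)
    result = {}
    for mnemonic, stamps in by_mnemonic.items():
        stamps.sort()
        if len(stamps) < 2:
            result[mnemonic] = ("transient", None)
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = median(gaps)
        regular = all(abs(g - period) <= jitter_s for g in gaps)
        if len(stamps) >= min_repeats and regular:
            result[mnemonic] = ("periodic", round(period / 60))
        else:
            result[mnemonic] = ("repeated", None)
    return result


if __name__ == "__main__":
    for mnemonic, verdict in classify(parse_log(SAMPLE_LOG)).items():
        print(mnemonic, verdict)
```

Run against a real collector, a "periodic" verdict for a parity mnemonic is the trigger for the RMA decision the answer recommends, while "transient" needs no action.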


 