ragzilla
Sep 9, 2005
don't ask me, i only work here


ChimpyMonkey posted:

Dear Cisco,

Please make a working bug toolkit, with accurate data for current IOS releases.

Thank you,
The Internet

Anyone actually seen the "new" bug toolkit work? I keep trying but all I ever get is this error: "Error occurred while fetching bug summary from database. Please try later."

I've used it to find (and even monitor!) bug IDs that TAC claim are affecting us, but trying to find anything yourself is usually a losing proposition unless it's sev1/sev2.

ChimpyMonkey
Sep 11, 2001

Well, of course we're going to throw poo at him!

Girdle Wax posted:

I've used it to find (and even monitor!) bug IDs that TAC claim are affecting us, but trying to find anything yourself is usually a losing proposition unless it's sev1/sev2.

Oh I know all about hidden bugs etc. I'm referring to the "new" bug toolkit simply not working 90% of the time. I guess they've had some feedback indicating this already, seeing as the page now has this:

"System Message: We are aware of intermittent tool instability, failed database connections, and blank results when attempting to view bug details and are working hard to resolve these issues. If you experience these issues, please try again later. We sincerely apologize for the inconvenience."

It's a real pain in the butt, the old bug toolkit doesn't list the IOS revision I am running, and the new one doesn't work most of the time. Makes it kind of difficult to see if the issue I am having is a known bug or a new one.

ate shit on live tv
Feb 15, 2004

by Azathoth

Powercrazy posted:

I'd question why you were doing that (why pass through those switches at all?).

But otherwise if you did some kind of transparent pass-through of those switches and went directly to the Core switch you could get link-aggregation. Of course the disadvantage is that you can't directly talk to any of the devices connected to either of those pass-through switches. It would require you to configure the ports you were connected to on the switches into a transparent link. I'm not sure of the actual term.

I just figured out that you can't do that with ethernet switches. So ignore that advice.

You can with frame relay though :v:

Panthrax
Jul 12, 2001
I'm gonna hit you until candy comes out.
Does anyone know how the expiration of the old CCNA tests is going to work? Like, if I take and pass the Intro test before it expires, but fail/don't take the ICND test until after the old test expires, does the previous test still count, and you can just take the new ICND 2 test and still get your CCNA? Someone told me you could split the tests, old and new, and still be ok, but I don't know how sure he was.

jbusbysack
Sep 6, 2002
i heart syd
Any opinions on ASA codebase 8.x versus 7.2.X? Lately the 7.2.X has been going nuts, but I'm not sure if the 8.X is stable enough for production usage.

Prent
Sep 18, 2003

The.

Panthrax posted:

Does anyone know how the expiration of the old CCNA tests is going to work? Like, if I take and pass the Intro test before it expires, but fail/don't take the ICND test until after the old test expires, does the previous test still count, and you can just take the new ICND 2 test and still get your CCNA? Someone told me you could split the tests, old and new, and still be ok, but I don't know how sure he was.

Just take the CCNA in 1 test! :)

dwarftosser
Sep 3, 2002

PLEASE LET ME SUCK YOUR COCK, BRETT!

jbusbysack posted:

Any opinions on ASA codebase 8.x versus 7.2.X? Lately the 7.2.X has been going nuts, but I'm not sure if the 8.X is stable enough for production usage.

We've been running 8.x for a little over a month, it's been stable for us. I like the 6.x ASDM a lot better, so I think it's worth the upgrade for that alone.

jwh
Jun 12, 2002

jwh posted:

I feel like I'm beating a dead horse here, but Cisco came back to me finally and told me that, more or less, "IPSec client VPN termination against IOS is an afterthought," and that the recommended platform for client VPN termination is an ASA.

...

AT&T does large-scale virtualized VPN termination; what the hell are they using?

Just figured I'd come back and mention that after a conference call with Cisco last week, I've been told that AT&T does in fact use SPA's for their virtualized remote-access stuff, as someone had suggested.

Also, I was told that remote-access VPN on an IOS based platform isn't really a bad idea, provided you (a) know what you're doing, (b) need the router functionality not presently available in the ASA code, or (c) need fantastically huge pps (a la VPN SPA).

Needless to say, I feel a little better. At least I don't feel like I'm teetering on the edge of the cliff.

inignot
Sep 1, 2003

WWBCD?
Has anyone here ever successfully used the Certificate Authority feature of IOS for DMVPN authentication? ISAKMP wildcards are a no go in this environment. TAC has been giving me a blank stare for weeks, and my SE's don't know anyone that's used it either.

StabbinHobo
Oct 18, 2002

by Jeffrey of YOSPOS
Figured I'd try a slight change of venue:

Wanted: Network Engineer, Jersey City

Aaaaaaarrrrrggggg
Oct 4, 2004

ha, ha, ha, og me ekam
I looked through the thread and didn't find an exact answer to my question, but I could've missed it in the 17 pages, so if I did, sorry!

I'm trying to connect to my home network via vpn. I've tried two ways - Windows 2003 Remote Access Server with the Windows VPN client, and using my Cisco router (SOHO 91, 12.3(2)XC) as the endpoint with the Cisco VPN client (4.7).

First, the Windows route. The ACLs and NAT I'm using are here:

code:
ip nat inside source static tcp 192.168.7.13 3389 interface Ethernet1 3389
ip nat inside source static tcp 192.168.7.13 1723 interface Ethernet1 1723

ip access-list extended inlist
 permit udp any eq bootps any eq bootpc
 permit tcp any any eq 1723 log
 permit tcp any any eq 3389
 evaluate tmplist
 deny   tcp any any log
ip access-list extended outlist
 deny   tcp any any range 135 139 log
 deny   tcp any any eq 445 log
 permit ip any any reflect tmplist

192.168.7.13 is the RRAS server. Now, I'm able to make this connection internally, so I know the RRAS server's working fine. The problems appear when I try from the outside. The client connects, attempts to authenticate, and then fails with what appears to be a timeout. I'm almost certain I'm missing an ACL in there, but I have no idea what or where.

The second means - the Cisco route - works internally if I use the same above commands, and the following interface commands:

code:
interface Ethernet0
 ip address 192.168.7.1 255.255.255.0
 ip nat inside
 no cdp enable
 hold-queue 32 in
!
interface Ethernet1
 ip address dhcp client-id Ethernet1
 ip access-group inlist in
 ip access-group outlist out
 ip nat outside
 ip inspect myfw out
 duplex auto
 no cdp enable
 crypto map dynmap

It works internally by moving the crypto line on Eth1 (internet) to Eth0 (internal). I also remove the ACL for 1723 and the NAT for 1723. Problem is, from the outside, I can't even make a connection. Again, I'm sure I'm missing something obvious, but I don't know what.

Sorry for the long post - I can provide more of the config if it helps. I'd honestly be happy with any means, I just want to figure out where I'm going wrong after being so close. Any help would be appreciated!

Edit: Ok - I got the Windows way working - I apparently needed a second NIC on the server. If anyone wouldn't mind explaining what I'm doing wrong on the Cisco side, I'd appreciate it, though. I can include any config pieces that I'm missing - just tell me what you need.

Aaaaaaarrrrrggggg fucked around with this message at 18:01 on Oct 16, 2007

casseopei
Jun 21, 2006
I'm having an issue with a cisco router running a CBAC firewall concerning passive ftp and I just know I'm doing some simple thing wrong, so I was hoping someone could help me out.

Inbound on an extended IP access list:
10 permit tcp any any eq ftp
20 permit tcp any any eq ftp-data
30 permit tcp any any eq www
40 deny ip any any log

Output on an extended IP access list: (this is just what autosecure popped in there)
10 deny tcp any any eq telnet log
20 deny tcp any any eq www log
30 deny tcp any any eq 22 log
40 permit ip any any log

Active FTP works, HTTP connections work, but when I try a passive ftp connection it logs in happily but then times out when it tries to actually send anything. As soon as I remove the contents of the Inbound access list it starts working again.

Anyone happen to see what I'm doing wrong?

bort
Mar 13, 2003

casseopei posted:

Inbound on an extended IP access list:
10 permit tcp any any eq ftp
20 permit tcp any any eq ftp-data

Anyone happen to see what I'm doing wrong?

Try
10 permit tcp any any eq ftp established
20 permit tcp any any eq ftp-data established

Passive mode uses "ephemeral" ports and the access list is doing its job and blocking them...

casseopei
Jun 21, 2006

bort posted:

Try
10 permit tcp any any eq ftp established
20 permit tcp any any eq ftp-data established

Passive mode uses "ephemeral" ports and the access list is doing its job and blocking them...

Thanks very much for the information, unfortunately it still doesn't work. I altered the above by replacing 10 and 20 with your entries and when that didn't work tried a second time by adding my old entries as 15 and 25.

Tremblay
Oct 8, 2002
More dog whistles than a Petco
Can you post this fw policy:

ip inspect myfw

Aaaaaaarrrrrggggg
Oct 4, 2004

ha, ha, ha, og me ekam

Tremblay posted:

Can you post this fw policy:

ip inspect myfw

I assume you mean me - here's the list:

code:
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600

Tremblay
Oct 8, 2002
More dog whistles than a Petco
Doh. Sorry, I'm retarded, I meant the guy having FTP issues.

For your issue try pulling the ip nat outside off your internet facing interface and see if it works.

casseopei
Jun 21, 2006

Tremblay posted:

Can you post this fw policy:

ip inspect myfw

I hope this is what you want: if not, just let me know, and thank you!

Session audit trail is enabled
Session alert is enabled
one-minute (sampling period) thresholds are [400:500] connections
max-incomplete sessions thresholds are [400:500]
max-incomplete tcp connections per host is 50. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 14400 sec -- udp idle-time is 1800 sec
dns-timeout is 7 sec

Inspection Rule Configuration
cuseeme alert is on audit-trail is on timeout 3600
ftp alert is on audit-trail is on timeout 3600
http alert is on audit-trail is on timeout 3600
rcmd alert is on audit-trail is on timeout 3600
realaudio alert is on audit-trail is on timeout 3600
smtp max-data 20000000 alert is on audit-trail is on timeout 3600
tftp alert is on audit-trail is on timeout 30
udp alert is on audit-trail is on timeout 15
tcp alert is on audit-trail is on timeout 3600

EDIT:

The actual config file says:

ip inspect audit-trail
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600

casseopei fucked around with this message at 14:34 on Oct 17, 2007

bort
Mar 13, 2003

casseopei posted:

Thanks very much for the information, unfortunately it still doesn't work. I altered the above by replacing 10 and 20 with your entries and when that didn't work tried a second time by adding my old entries as 15 and 25.

Hurf, that makes sense. You'll need some statement that explicitly allows the port negotiation. E.g.:
code:
access-list 102 permit tcp any any eq ftp
access-list 102 permit tcp any any gt 1024

That second line is stupid/dangerous, though. You probably want to lock it down to a host, e.g.
code:
access-list 102 permit tcp any host 192.168.1.100 eq ftp
access-list 102 permit tcp any host 192.168.1.100 gt 1024

This is an example of how PASV is set up. The negotiation in step 2/3 is what's not happening.

casseopei
Jun 21, 2006

bort posted:

Hurf, that makes sense. You'll need some statement that explicitly allows the port negotiation. E.g.:
code:
access-list 102 permit tcp any any eq ftp
access-list 102 permit tcp any any gt 1024

That second line is stupid/dangerous, though. You probably want to lock it down to a host, e.g.
code:
access-list 102 permit tcp any host 192.168.1.100 eq ftp
access-list 102 permit tcp any host 192.168.1.100 gt 1024

This is an example of how PASV is set up. The negotiation in step 2/3 is what's not happening.

Awesome! Thanks. From what I had read I kind of figured that was what was wrong, and I tried permit tcp any any gt 1023 established and it wouldn't work, but I just had to take established out of there. Rock on.

As an additional question, if (for example, whatever, it applies to everything)

permit tcp any any eq www

works, but

permit tcp any host 192.168.1.237 [that's the computer it's going to] eq www

doesn't work, what would you guess the issue is? In this example, I'm using

ip nat inside source static tcp 192.168.1.237 80 interface FastEthernet0/0 80

to get traffic to the computer.. am I doing something horribly wrong or just missing something?

Thank you again.

bort
Mar 13, 2003

I'd guess that your NAT rule restricting it to port 80 stops the return traffic from an HTTP request, which comes on a high port. Sort of the same problem as your passive mode issue. I'm having a difficult time visualizing your network setup, so I can't write a rule for you.

dwarftosser
Sep 3, 2002

PLEASE LET ME SUCK YOUR COCK, BRETT!

casseopei posted:

Awesome! Thanks. From what I had read I kind of figured that was what was wrong, and I tried permit tcp any any gt 1023 established and it wouldn't work, but I just had to take established out of there. Rock on.

As an additional question, if (for example, whatever, it applies to everything)

permit tcp any any eq www

works, but

permit tcp any host 192.168.1.237 [that's the computer it's going to] eq www

doesn't work, what would you guess the issue is? In this example, I'm using

ip nat inside source static tcp 192.168.1.237 80 interface FastEthernet0/0 80

to get traffic to the computer.. am I doing something horribly wrong or just missing something?

Thank you again.

Your ACL needs to be for your outside address, not your inside.

ie, permit tcp any host <outside ip> eq www

Your NAT statement is already redirecting all your port 80 traffic to your internal address, so in your example there really is no functional or security difference between using the permit tcp any host or permit tcp any any command.
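The two firewall points made above (bort's explanation of the PASV port negotiation and the reply just here about matching the outside address) modelled in Python, as an added example that is not from the thread. The `Rule`/`Packet` model, the addresses, the PASV port and the ACL names are all constructed for illustration.

```python
# Added example, not from the thread: a small model of IOS extended-ACL
# matching on an outside interface. It shows (1) why the inbound lists in the
# FTP posts drop passive-mode data connections even with "established", and
# (2) why an inbound ACL must name the outside (pre-NAT) address, not the
# static-NAT inside host. All addresses and ports here are constructed.
from dataclasses import dataclass

OUTSIDE_IP = "203.0.113.10"    # constructed: router outside address
INSIDE_HOST = "192.168.1.100"  # constructed: server behind static NAT
CLIENT_IP = "198.51.100.7"     # constructed: client on the internet


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    ack: bool = False  # ACK/RST bit set; False on the opening SYN


@dataclass(frozen=True)
class Rule:
    action: str              # "permit" or "deny"
    dst: str = "any"         # "any" or a host address
    op: str = ""             # "", "eq" or "gt"
    port: int = 0
    established: bool = False

    def matches(self, p):
        if self.dst != "any" and self.dst != p.dst:
            return False
        if self.op == "eq" and p.dport != self.port:
            return False
        if self.op == "gt" and p.dport <= self.port:
            return False
        # "established" matches only segments with ACK or RST set, so it
        # never permits the first SYN of a connection opened from outside.
        return p.ack or not self.established


def evaluate(acl, p):
    """First matching rule wins; an IOS ACL ends in an implicit deny."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"


def inbound(acl, p):
    """Outside-interface inbound order: the ACL sees the pre-NAT packet, then
    static NAT rewrites the destination. Returns None if the ACL dropped it."""
    if evaluate(acl, p) != "permit":
        return None
    return Packet(p.src, INSIDE_HOST, p.dport, p.ack) if p.dst == OUTSIDE_IP else p


# PASV: the server announced a high port on the control channel and the
# client opens a brand-new connection to it from outside (SYN, no ACK).
PASV_DATA_SYN = Packet(CLIENT_IP, OUTSIDE_IP, 50000)

ACLS = {
    # original inbound list from the thread
    "ftp_only": [Rule("permit", op="eq", port=21), Rule("permit", op="eq", port=20)],
    # first suggestion: same two lines with "established"
    "ftp_established": [Rule("permit", op="eq", port=21, established=True),
                        Rule("permit", op="eq", port=20, established=True)],
    # follow-up attempt: high ports, but still "established"
    "gt1023_established": [Rule("permit", op="eq", port=21),
                           Rule("permit", op="gt", port=1023, established=True)],
    # what finally worked, locked to the NAT'd host's outside address
    "pasv_to_host": [Rule("permit", dst=OUTSIDE_IP, op="eq", port=21),
                     Rule("permit", dst=OUTSIDE_IP, op="gt", port=1024)],
}


def pasv_verdicts():
    """Verdict of each ACL on the client's SYN to the negotiated PASV port."""
    return {name: evaluate(acl, PASV_DATA_SYN) for name, acl in ACLS.items()}


def www_verdicts():
    """Inbound HTTP to the NAT address: a rule naming the inside host never
    matches, because the ACL is evaluated before the static translation."""
    syn = Packet(CLIENT_IP, OUTSIDE_IP, 80)
    by_inside = [Rule("permit", dst=INSIDE_HOST, op="eq", port=80)]
    by_outside = [Rule("permit", dst=OUTSIDE_IP, op="eq", port=80)]
    return {"host_inside": evaluate(by_inside, syn),
            "host_outside": evaluate(by_outside, syn),
            "translated_dst": inbound(by_outside, syn).dst}
```

Only the last ACL permits the PASV data SYN; the three "established" variants all fall through to the implicit deny because the client's first segment carries no ACK.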

Richard Noggin
Jun 6, 2005
Redneck By Default
Note - I am not knowledgeable in Cisco at all, but I need to start learning fast!

Has anyone set up redundant/backup WAN connections using an ASA 5505 or a PIX? According to this config example, it's certainly possible, but this statement bothers me:

Cisco posted:

This configuration provides a relatively inexpensive way to ensure that outbound Internet access remains available to users behind the security appliance. As described in this document, this setup may not be suitable for inbound access to resources behind the security appliance. Advanced networking skills are required to achieve seamless inbound connections. These skills are not covered in this document.

I need to be able to have inbound access during a failover scenario. I don't know what they mean by "advanced networking skills", but in my mind, having the appropriate DNS entries, ACLs, and static NAT maps bound to the backup interface would provide what I'm looking for. Can anyone confirm/deny?

dwarftosser
Sep 3, 2002

PLEASE LET ME SUCK YOUR COCK, BRETT!

Richard Noggin posted:

I need to be able to have inbound access during a failover scenario. I don't know what they mean by "advanced networking skills", but in my mind, having the appropriate DNS entries, ACLs, and static NAT maps bound to the backup interface would provide what I'm looking for. Can anyone confirm/deny?

Well, that depends. What they mean is that when your first connection goes down you need some way to notify the outside world that they need to take a different route to get into your network. To do this seamlessly, you need to have your own ASN and have BGP properly configured.

jwh
Jun 12, 2002

Help me out here guys, I'm having a bit of a problem.

I spent the weekend bringing up a second 6509 in one of our datacenters, and redoing all of our access switches. All of the access switches now have trunks to both core switches (clearly this is a fascinating new idea that is going to change the way the industry thinks about switching).

Everything's gone great, generally, except for one older 4510R running an older IOS image (12.2(18)EW).

Whenever rapid spanning-tree is enabled on the 4510, it works fine for a while, and then suddenly whole vlans will stop forwarding for between five and thirty seconds. Then everything goes back to normal, and there's no indication of what might have happened. Spanning-tree debugging doesn't indicate a root bridge change, and I've disconnected all redundant trunks to this switch, but the problem persists.

Since it's Monday morning now, and this is an end-user facing switch, I had to disable spanning tree entirely to stop the problem, but that isn't tenable in the long run.

I've already opened a Sev3 with the tac, but I'm just wondering if anybody has any thoughts, or has run into anything weird like this. I'm not very layer-2 savvy, so it's entirely possible I'm just doing something stupid.

ragzilla
Sep 9, 2005
don't ask me, i only work here


dwarftosser posted:

Well, that depends. What they mean is that when your first connection goes down you need some way to notify the outside world that they need to take a different route to get into your network. To do this seamlessly, you need to have your own ASN and have BGP properly configured.

Or a global load balancing appliance sitting out in a datacenter somewhere, but that's just swapping 1 SPoF for another.

inignot
Sep 1, 2003

WWBCD?

jwh posted:

Everything's gone great, generally, except for one older 4510R running an older IOS image (12.2(18)EW).

Whenever rapid spanning-tree is enabled on the 4510, it works fine for a while, and then suddenly whole vlans will stop forwarding for between five and thirty seconds. Then everything goes back to normal, and there's no indication of what might have happened. Spanning-tree debugging doesn't indicate a root bridge change, and I've disconnected all redundant trunks to this switch, but the problem persists.

-spanning-tree problem persists when topology reduced to no loops to block
-nothing in logs
-debug shows nothing

Sounds like some obscure code issue. I dunno, try upgrading the code and see what happens. Other than that, try running the same debugs on whatever the 4510 is uplinked to.

Richard Noggin
Jun 6, 2005
Redneck By Default

dwarftosser posted:

Well, that depends. What they mean is that when your first connection goes down you need some way to notify the outside world that they need to take a different route to get into your network. To do this seamlessly, you need to have your own ASN and have BGP properly configured.

Assume we just wanted mail - a lower priority MX record pointing to the backup interface would suffice then?

dwarftosser
Sep 3, 2002

PLEASE LET ME SUCK YOUR COCK, BRETT!

Richard Noggin posted:

Assume we just wanted mail - a lower priority MX record pointing to the backup interface would suffice then?

Sure will.

CrazyLittle
Sep 11, 2001

Clapping Larry
Is it possible to break out individual serial T1s (for MLPPP, bonded T1) from an ATM-IMA card? I've got this card in one of our 7206VXR routers, and want to run an MLPPP connection for lab/testing purposes, and I can't seem to find any configuration notes on Google. We were originally using this card for an 8x T1 IMA interface, but have since upgraded that connection to a DS3. Now that this card is vacant I want to putz around with configuring it a little.

IMA WAN DS1 Port adapter, 8 ports
PA-IMA-T1

EoRaptor
Sep 13, 2003

by Fluffdaddy

Richard Noggin posted:

Assume we just wanted mail - a lower priority MX record pointing to the backup interface would suffice then?

Quick non-cisco interjection. Some systems will send to the lower priority MX record no matter what, so it has to be up and accepting data even if the primary is up. This is probably the case, but if you are paying for a standby connection from a datacenter, this isn't always the case (that, or the standby has crazy data rates that will bite you in the rear end)

inignot
Sep 1, 2003

WWBCD?

CrazyLittle posted:

Is it possible to break out individual serial T1s (for MLPPP, bonded t1) from a ATM-IMA card?

Eh? MLPPP and ATM-IMA are two totally different types of link bonding. I really doubt you're going to get anywhere with this. Actually, without a spare ATM switch I don't think you're going to be able to do anything with the IMA card.

CrazyLittle
Sep 11, 2001


Clapping Larry

inignot posted:

Eh? MLPPP and ATM-IMA are two totally different types of link bonding. I really doubt you're going to get anywhere with this. Actually, without a spare ATM switch I don't think you're going to be able to do anything with the IMA card.

That's why I'm asking. MLPPP is a software implementation on top of whatever interfaces you put into the bundle, right? So if I could break out individual Serial T1's instead of using the IMA bundle, couldn't I do MLPPP? Basically I have that IMA card with 8 ports in my lab, and I've got a 2611 with two WIC-T1s in it. I was wondering what it would take to connect the two together.

nex
Jul 23, 2001

øæå¨æøåø
Grimey Drawer
Just got some new toys at work:

Oh look, boxes! I wonder what's in them...


Some ONS 15454E


And 4 of these. Hm, I wonder if they can handle my linux-iso torrent! Think I can put DD-WRT on them?

nex fucked around with this message at 23:02 on Oct 23, 2007

inignot
Sep 1, 2003

WWBCD?

CrazyLittle posted:

That's why I'm asking. MLPPP is a software implementation on top of whatever interfaces you put into the bundle, right? So if I could break out individual Serial T1's instead of using the IMA bundle, couldn't I do MLPPP? Basically I have that IMA card with 8 ports in my lab, and I've got a 2611 with two WIC-T1s in it. I was wondering what it would take to connect the two together.

Ok, here's the short way to test this. Try to use "encap ppp" on one of your IMA interfaces.

CrazyLittle
Sep 11, 2001


Clapping Larry

inignot posted:

Ok, here's the short way to test this. Try to use "encap ppp" on one of your IMA interfaces.

Well yeah, that doesn't work since it's still an ATM/IMA interface. I was wondering if there was some way to configure one of the ports as a serial T1 like you can with the VWIC-2MFT-T1 cards. At this point I might just dig around and see if I can find a spare ethernet PA card & ethernet WIC to test with. Thanks though.

jwh
Jun 12, 2002

inignot posted:

Sounds like some obscure code issue. I dunno, try upgrading the code and see what happens. Other than that, try running the same debugs on whatever the 4510 is uplinked to.

Yeah, it's looking like a code issue - at least, that's my read on it. We didn't have time to try and upgrade the code before I had to get on the airplane, unfortunately. Oh well, they can run with a single trunk for a while.

Richard Noggin
Jun 6, 2005
Redneck By Default

EoRaptor posted:

Quick non-cisco interjection. Some systems will send to the lower priority MX record no matter what, so it has to be up and accepting data even if the primary is up. This is probably the case, but if you are paying for a standby connection from a datacenter, this isn't always the case (that, or the standby has crazy data rates that will bite you in the rear end)

There will be three MX entries, and look something like this:

10 primaryWAN
20 secondaryWAN
30 offsiteBackup

My understanding is that the configuration I posted above will leave both interfaces up to outside traffic, but inside traffic is routed through the primary interface as long as it's up. It's going to be used in a small business to provide a T1 backup to the cable modem, after Comcast left them without internet service for 3+ weeks.

Richard Noggin fucked around with this message at 16:21 on Oct 24, 2007

Boner Buffet
Feb 16, 2006
Is there an adapter to convert the serial console cable to USB? I just got my Thinkpad at work and didn't realize it doesn't have a serial port. It's not critical, but it would be nice to have.

CrazyLittle
Sep 11, 2001


Clapping Larry

InferiorWang posted:

Is there an adapter to convert the serial console cable to USB? I just got my Thinkpad at work and didn't realize it doesn't have a serial port. It's not critical, but it would be nice to have.

take your pick:
http://www.newegg.com/Product/ProductList.aspx?Submit=ENE&DEPA=0&Description=usb+serial&x=31&y=39

Personally I use the Keyspan one, but that's because I use a macbook pro, and it was the only compatible one on the market at the time I bought it.
