Syano
Jul 13, 2005
This is only minorly related to Cisco but eh... here it goes. I have a sister company I help out with a 2 node stack of Dell 5548 PowerConnects. They are having some strange issues where their network speed will drop considerably. Like going from hundreds of MB/s to KB/s. I have been fiddling with it for a bit but I am not too familiar with Dell units. I cannot seem to find much rhyme nor reason why it is doing this. They were having the problem this morning and on a whim, I unplugged all the gear and immediately replugged it in to different ports on the same switch. The network speed instantly returned. Strangest thing. I am ultimately going to replace the units but I am just super curious as to why it is doing this. Are these just trash switches? Is there something else I should be looking at?

BurgerQuest
Mar 17, 2009

by Jeffrey of YOSPOS
Duplex mismatch? Autonegotiation can be weird, try setting the ports and interfaces manually to full-duplex (and speed whatever). I don't know Dell switches from a bar of soap but if you can, check for collisions on the interface statistics.

BurgerQuest fucked around with this message at 16:55 on Jun 15, 2012

CrazyLittle
Sep 11, 2001

Clapping Larry
Almost sounds like a broadcast storm to me. I'd recommend checking the cpu and throughput counters on the switch's console during normal use compared to when the problem occurs.
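
The two hypotheses above (duplex mismatch, broadcast storm) both leave fingerprints in the per-port counters. The script below is an added example, not code from the thread or from Dell/Cisco: it parses a constructed, IOS-style `show interfaces` dump (the PowerConnect layout differs, so the regexes and the thresholds are assumptions) and flags ports with late collisions or CRC errors on a half-duplex port, and ports whose inbound traffic is mostly broadcast at a high packet rate.

```python
import re

# Constructed sample output (not captured from a real switch). Port 1 shows the
# classic duplex-mismatch pattern, port 2 is flooded with broadcasts, port 3 is healthy.
SAMPLE = """\
GigabitEthernet1/0/1 is up, line protocol is up
  Half-duplex, 100Mb/s, media type is 10/100/1000BaseTX
  5 minute input rate 94000 bits/sec, 120 packets/sec
     123456 packets input, 45000 broadcasts
     812 input errors, 790 CRC, 0 frame
     210 collisions, 198 late collision
GigabitEthernet1/0/2 is up, line protocol is up
  Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
  5 minute input rate 81000000 bits/sec, 94000 packets/sec
     9000000 packets input, 8100000 broadcasts
     0 input errors, 0 CRC, 0 frame
     0 collisions, 0 late collision
GigabitEthernet1/0/3 is up, line protocol is up
  Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
  5 minute input rate 2000000 bits/sec, 800 packets/sec
     500000 packets input, 3000 broadcasts
     0 input errors, 0 CRC, 0 frame
     0 collisions, 0 late collision
"""

IFACE_RE = re.compile(r"^(\S+) is (up|down)", re.M)


def parse_interfaces(text):
    """Split 'show interfaces' output into a dict of per-interface counters."""
    result = {}
    positions = [(m.start(), m.group(1)) for m in IFACE_RE.finditer(text)]
    positions.append((len(text), None))  # sentinel so the last block has an end
    for (start, name), (end, _) in zip(positions, positions[1:]):
        block = text[start:end]

        def num(pattern):
            m = re.search(pattern, block)
            return int(m.group(1)) if m else 0

        result[name] = {
            "duplex": "half" if "Half-duplex" in block else "full",
            "pkts_in": num(r"(\d+) packets input"),
            "broadcasts": num(r"(\d+) broadcasts"),
            "crc": num(r"(\d+) CRC"),
            "late_collisions": num(r"(\d+) late collision"),
            "pps": num(r"(\d+) packets/sec"),
        }
    return result


def diagnose(counters, bcast_ratio=0.5, bcast_pps=10000):
    """Return a list of (interface, finding) tuples.

    Late collisions only happen when one side thinks the link is half duplex
    while the other transmits at will, so any late collisions (or CRC errors
    on a half-duplex port) point at a mismatch. A port whose inbound traffic
    is mostly broadcast at a high packet rate looks like a storm. Both
    thresholds are assumptions chosen for this example.
    """
    findings = []
    for name, c in counters.items():
        if c["late_collisions"] > 0 or (c["duplex"] == "half" and c["crc"] > 0):
            findings.append((name, "duplex mismatch suspected: late collisions=%d crc=%d duplex=%s"
                             % (c["late_collisions"], c["crc"], c["duplex"])))
        ratio = c["broadcasts"] / c["pkts_in"] if c["pkts_in"] else 0.0
        if ratio >= bcast_ratio and c["pps"] >= bcast_pps:
            findings.append((name, "broadcast storm suspected: %.0f%% broadcast at %d pps"
                             % (ratio * 100, c["pps"])))
    return findings


if __name__ == "__main__":
    for iface, finding in diagnose(parse_interfaces(SAMPLE)):
        print(iface, "-", finding)
```

Run it twice, once during normal operation and once while the slowdown is happening, and diff the findings; counters that only climb during the bad period are the ones worth chasing.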

Mierdaan
Sep 14, 2004

Pillbug
We're having a rash recently of people unable to establish a VPN connection to our ASA 5505. We typically use ShrewSoft's client, which just times out when trying to connect. The official Cisco client says it's connected, and the connection shows up in the ASDM, but you can't ping any hosts inside the network.

The strange thing is, a big group of people are completely unaffected; it seems to only be newer machines that we've configured recently, even though we're using the same versions of VPN clients and the same VPN connection profiles we've been using for years. Our VPN configuration in the ASA hasn't changed since we migrated to it off a PIX 515E a few years ago.

debug crypto ipsec gets this error, I'm pretty sure it's when someone affected tries to connect but I'm not 100% on that yet:

code:
IPSEC(crypto_map_check)-1: Error: No crypto map matched.
I haven't had much time to look at it yet, but I'm going to try to reproduce it on a laptop and a 3G modem next week in the office; anyone have any pointers or things I can look for? I think I have to look at an ASA issue approximately once every 18 months, so I'm rusty on this poo poo.

Sudden Infant Def Syndrome
Oct 2, 2004

My workplace just got a new Cisco 1800 series router to replace our old almost-home-based (Cisco RV042) hardware, and I'm struggling with a problem with it.

Both my boss and I are programmers, and we make up the IT department. Neither of us has any experience with this level of router, so we paid the company we bought it from to set it up for us.

The issue that we are facing is that several times a day, our connection seems to go down - but it's not. Traffic stops except that you can still ping locations; even locations on the VPN. Rebooting the router fixes this temporarily. It doesn't seem to happen on any sort of schedule at all. We are using DSL, and we have an add-on card with an additional WAN port, so that we can load-balance two connections to help our upload. :canada: I don't believe that this is affecting it, as currently the extra WAN is set up as a failover, because the tech from the company couldn't get load balancing working.

As far as working with the router, I've used CCP and could modify the VPN settings. My job is IT for a small but rapidly growing grocery store chain with currently 5 locations, at three of which we can't get a static IP from the ISP without paying super-huge-megabux. This is as far into the depth of the router that I dare venture.

If there's any ideas, that would be super helpful. I could probably learn how to connect to the router and program it directly, but right now my experience is with CCP.

Edit:
I've had their tech guy look at it, but he hasn't seen anything wrong in the logs or the stats while it's happening.
He was able to connect to the router during one of these events remotely, which again makes me want to rule out problems with the ISP.

Sudden Infant Def Syndrome fucked around with this message at 21:54 on Jun 15, 2012

jwh
Jun 12, 2002

Symptomatically, what do you mean when you say things seem to stop, but they don't? I understand that you can still ping, so what doesn't work when this condition occurs?

Sudden Infant Def Syndrome
Oct 2, 2004

Nothing else. No web traffic, no shared files.

Edit: I think web traffic works a bit. DNS seems to resolve.

Tremblay
Oct 8, 2002
More dog whistles than a Petco

inignot posted:

Belated congratulations and condolences.

Have fun :)

GOOCHY
Sep 17, 2003

In an interstellar burst I'm back to save the universe!
Can any of you guys recommend a good network design best practices/fundamentals book?

abigserve
Sep 13, 2009

this is a better avatar than what I had before

Mierdaan posted:

We're having a rash recently of people unable to establish a VPN connection to our ASA 5505. We typically use ShrewSoft's client, which just times out when trying to connect. The official Cisco client says it's connected, and the connection shows up in the ASDM, but you can't ping any hosts inside the network.

The strange thing is, a big group of people are completely unaffected; it seems to only be newer machines that we've configured recently, even though we're using the same versions of VPN clients and the same VPN connection profiles we've been using for years. Our VPN configuration in the ASA hasn't changed since we migrated to it off a PIX 515E a few years ago.

debug crypto ipsec gets this error, I'm pretty sure it's when someone affected tries to connect but I'm not 100% on that yet:

code:
IPSEC(crypto_map_check)-1: Error: No crypto map matched.
I haven't had much time to look at it yet, but I'm going to try to reproduce it on a laptop and a 3G modem next week in the office; anyone have any pointers or things I can look for? I think I have to look at an ASA issue approximately once every 18 months, so I'm rusty on this poo poo.

Reload the ASA. I had a very, very similar problem, only thing was it was ezvpn to an 1800 series instead of a client machine. Show crypto ipsec sa showed the tunnel was up, remote side tunnel was up, traffic was being decrypted by the ASA but was never being encrypted and was spitting out a similar error.

One "wr" and "reload" later, no other config changes, ba-bam boom!

Worth a try if you can do it.

Mierdaan
Sep 14, 2004

Pillbug

abigserve posted:

Reload the ASA.

Thanks for the suggestion. I tried it over the weekend but it didn't fix our issue.

I just spent an hour on the phone with Cisco and they pinned it on a DNE problem. I uninstalled both VPN clients, ran winfix, rebooted, ran dneupdate, reinstalled the Cisco client and all is right with the world again.

I still can't get the ShrewSoft client to negotiate from an affected machine (though it works fine for some users) but that's a fight for another day I guess.

some kinda jackal
Feb 25, 2003

e: nevermind, I'm even dumber than I thought.

some kinda jackal fucked around with this message at 17:18 on Jun 18, 2012

Eletriarnation
Apr 6, 2005

People don't appreciate the substance of things...
objects in space.


Oven Wrangler

ragzilla posted:

I haven't had to dig into password recovery on XR platforms (CRS/ASR/GSRXR), I imagine it's a little more in depth.

It's similar to an IOS router; just use rommon commands to boot with an empty config. They have a quick guide here: https://supportforums.cisco.com/docs/DOC-15870

Eletriarnation fucked around with this message at 17:27 on Jun 18, 2012

ToG
Feb 17, 2007
Rory Gallagher Wannabe
Does anyone know the specs for the screws that come with the rackmount kit for a 2950? I'm missing one and it's a nuisance. It's about 10mm long and countersunk.

Langolas
Feb 12, 2011

My mustache makes me sexy, not the hat

All sorts of fun questions popping up, Has anyone played around with Cisco FabricPath at all and do you think its worth it at all?

FatCow
Apr 22, 2002
I MAP THE FUCK OUT OF PEOPLE

ToG posted:

Does anyone know the specs for the screws that come with the rackmount kit for a 2950? I'm missing one and it's a nuisance. It's about 10mm long and countersunk.

Bring it to a hardware store or a Lowes, they should have a panel where you can figure out the thread size and pitch.

some kinda jackal
Feb 25, 2003

I think racks typically just take 10-32 screws. I don't know if you can find countersunk or recessed screws at Lowes but really just any screw will do to hold it in.

Tremblay
Oct 8, 2002
More dog whistles than a Petco

Martytoof posted:

I think racks typically just take 10-32 screws. I don't know if you can find countersunk or recessed screws at Lowes but really just any screw will do to hold it in.

I'm presuming by the counter sunk part that he's missing a screw that secures the rack mount ears to the router chassis.

some kinda jackal
Feb 25, 2003

Oh my god I have made like a thousand wrongposts in the last 24 hours, I should get off the internet for a while :q:

(good catch)

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
They probably won't have those screws at a hardware store. I have plenty of dead 2600, XL switches, etc that have them. PM me your address and I'll tape one to a postcard and mail one to you or something.

CrazyLittle
Sep 11, 2001

Clapping Larry
Make sure you differentiate between Catalyst 2950 screws and 2600 router screws since they're different from what I recall.

jwh
Jun 12, 2002

I've heard it mentioned that there were significant changes to the ASA code made around 8.3- could someone elaborate on that?

I'm afraid I haven't been on an ASA since 7.x, and while I remember it as being an improvement to 6, I'm not sure what's markedly different in 8.3 and beyond (aside from the network object textual changes).

Nitr0
Aug 17, 2005

IT'S FREE REAL ESTATE
http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html

ate shit on live tv
Feb 15, 2004

by Azathoth

jwh posted:

I've heard it mentioned that there were significant changes to the ASA code made around 8.3- could someone elaborate on that?

I'm afraid I haven't been on an ASA since 7.x, and while I remember it as being an improvement to 6, I'm not sure what's markedly different in 8.3 and beyond (aside from the network object textual changes).

In addition to the ACL differences (huge), they also support EIGRP and other niceties now. No CDP/LLDP though.

ragzilla
Sep 9, 2005
don't ask me, i only work here


jwh posted:

I've heard it mentioned that there were significant changes to the ASA code made around 8.3- could someone elaborate on that?

I'm afraid I haven't been on an ASA since 7.x, and while I remember it as being an improvement to 6, I'm not sure what's markedly different in 8.3 and beyond (aside from the network object textual changes).
back to the future- ACLs use inside IPs again
Network object NAT makes NAT less terrible
Policy NAT replaces with pre/post NAT rules- a lot more flexible. You can pre-NAT to override 1:1 when needed.

adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer
gently caress cisco and their stupid license macs that magically change in CUCM.

ToG
Feb 17, 2007
Rory Gallagher Wannabe

falz posted:

They probably won't have those screws at a hardware store. I have plenty of dead 2600, XL switches, etc that have them. PM me your address and I'll tape one to a postcard and mail one to you or something.

Yeah, they don't; seems a funny size. Thanks for the offer though. I've managed to source one through a friend who necro'd them from dead switches.

CrazyLittle posted:

Make sure you differentiate between Catalyst 2950 screws and 2600 router screws since they're different from what I recall.

A lot of them are slightly different, as I found out. It's a nuisance.

jwh
Jun 12, 2002

ragzilla posted:

back to the future- ACLs use inside IPs again
Network object NAT makes NAT less terrible
Policy NAT replaces with pre/post NAT rules- a lot more flexible. You can pre-NAT to override 1:1 when needed.

Hmm weird.

I actually liked writing access control that was considered "pre NAT," but maybe I was in the minority.

ragzilla
Sep 9, 2005
don't ask me, i only work here


jwh posted:

Hmm weird.

I actually liked writing access control that was considered "pre NAT," but maybe I was in the minority.
If you do 1:1 NAT using objects you can write the ACLs using the objects. Quite useful if you stick to ASDM as it'll show internal and external on hover.
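
The ACL change ragzilla and jwh are discussing is the one that bites on upgrade: a rule on the outside interface that used to name the mapped (public) address matches nothing once the ASA untranslates before the ACL check. The model below is an added example, not ASA code or Cisco's migration tool; the addresses, the tuple layout of the ACL and the two-step evaluation are simplifying assumptions, and it shows why an un-migrated rule silently stops permitting traffic after 8.3.

```python
# Constructed static 1:1 NAT entry (documentation ranges): real inside address -> mapped outside address.
STATIC_NAT = {"10.1.1.10": "203.0.113.10"}
MAPPED_TO_REAL = {mapped: real for real, mapped in STATIC_NAT.items()}

# The same "allow HTTPS to the web server" rule on the outside interface, written
# against the mapped address (the pre-8.3 convention) and against the real address
# (what 8.3 and later expect). Tuples are (action, protocol, destination, port).
ACL_MAPPED_STYLE = [("permit", "tcp", "203.0.113.10", 443)]
ACL_REAL_STYLE = [("permit", "tcp", "10.1.1.10", 443)]


def acl_permits(acl, proto, dst_ip, dst_port):
    """First-match ACL evaluation with the implicit deny at the end."""
    for action, p, dst, port in acl:
        if p == proto and dst in ("any", dst_ip) and port in ("any", dst_port):
            return action == "permit"
    return False


def _version_tuple(version):
    return tuple(int(part) for part in version.split("."))


def inbound_allowed(acl, version, proto, mapped_dst, dst_port):
    """Evaluate an outside->inside packet addressed to mapped_dst.

    Simplified model (an assumption for this example): before 8.3 the interface
    ACL sees the packet's mapped destination; from 8.3 on the packet is
    untranslated first and the ACL is matched against the real address.
    """
    if _version_tuple(version) < (8, 3):
        return acl_permits(acl, proto, mapped_dst, dst_port)
    real_dst = MAPPED_TO_REAL.get(mapped_dst, mapped_dst)
    return acl_permits(acl, proto, real_dst, dst_port)


def migrate_acl(acl):
    """Rewrite mapped destination addresses to real ones, the fix an 8.3 upgrade needs."""
    return [(a, p, MAPPED_TO_REAL.get(d, d), port) for a, p, d, port in acl]


if __name__ == "__main__":
    for ver in ("8.2", "8.3"):
        print(ver, "mapped-style ACL permits HTTPS:",
              inbound_allowed(ACL_MAPPED_STYLE, ver, "tcp", "203.0.113.10", 443))
    print("8.3 migrated ACL permits HTTPS:",
          inbound_allowed(migrate_acl(ACL_MAPPED_STYLE), "8.3", "tcp", "203.0.113.10", 443))
```

The failure direction is the forgiving one (traffic that used to be permitted is dropped), but a `permit ... any` written around a mapped-address deny can just as easily open something up, which is why the upgrade guide linked above deserves a careful read before the reload.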

captaingimpy
Aug 3, 2004

I luv me some pirate booty, and I'm not talkin' about the gold!
Fun Shoe
For the ASA upgrade, it is a pain if you use NAT control, have many NATs, or you don't have a test environment.

The document for upgrading has gotten better by calling out some of the gotchas, but it should still have huge sirens around each of the callouts on that document. Also, make sure that you sacrifice at least two chickens and a banana to the ASA gods as you write your upgrade plan. Do the same before you begin the upgrade, but add your weekend to the sacrifice.

Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k
We didn't disable nat control on a few ASA's before upgrading...the horror.

jwh
Jun 12, 2002

are interface security levels now largely cosmetic?

Kenfoldsfive
Jan 1, 2003

The un-bitey-ness of a chicken's head and the "I don't want to cook that"-ness of a dog's body
Does anybody have any experience with Cisco APs in Rogue Detector mode? I'd like to have one per site, but it seems stupid to blow an entire AP on nothing but wired network sniffing. So ideally, I'd like something as cheap as possible that can still do rogue detection. I'm thinking something like the Aironet 1000.

I'm checking on this with my Cisco SE, but I'm guessing they'll try to sell me something new - I'm really fine with anything. So my question is, what's the cheapest thing I could get that would do rogue sniffing?

Langolas
Feb 12, 2011

My mustache makes me sexy, not the hat

Kenfoldsfive posted:

Does anybody have any experience with Cisco APs in Rogue Detector mode? I'd like to have one per site, but it seems stupid to blow an entire AP on nothing but wired network sniffing. So ideally, I'd like something as cheap as possible that can still do rogue detection. I'm thinking something like the Aironet 1000.

I'm checking on this with my Cisco SE, but I'm guessing they'll try to sell me something new - I'm really fine with anything. So my question is, what's the cheapest thing I could get that would do rogue sniffing?

I should be using one in a pure rogue detection mode but all of my AP's will detect Rogue AP's anyways. There may be benefits of actually having an ap dedicated to it but I get by and satisfy PCI requirements without one.

Kenfoldsfive
Jan 1, 2003

The un-bitey-ness of a chicken's head and the "I don't want to cook that"-ness of a dog's body

Langolas posted:

I should be using one in a pure rogue detection mode but all of my AP's will detect Rogue AP's anyways. There may be benefits of actually having an ap dedicated to it but I get by and satisfy PCI requirements without one.

My understanding of it is APs in normal mode will detect rogues with no access protection (wep/wpa/etc), connect to them, and then try to ping the WLC to determine if it's a wired rogue. An AP in rogue detector mode will turn its radios off and sniff ARP traffic on the LAN, which it correlates with detected AP MACs - if a MAC appears on both a rogue AP and in an ARP request, you've got a rogue on the LAN.

ior
Nov 21, 2003

What's a fuckass?

Kenfoldsfive posted:

Does anybody have any experience with Cisco APs in Rogue Detector mode? I'd like to have one per site, but it seems stupid to blow an entire AP on nothing but wired network sniffing. So ideally, I'd like something as cheap as possible that can still do rogue detection. I'm thinking something like the Aironet 1000.

I'm checking on this with my Cisco SE, but I'm guessing they'll try to sell me something new - I'm really fine with anything. So my question is, what's the cheapest thing I could get that would do rogue sniffing?

I'd try to buy something cheap (but relatively new) offsetting the chance they cut support for the device in newer software. Have a look at the 1040. Definitely stay away from the 1131.

jwh
Jun 12, 2002

I never had a bad time with the 1131s. They run extremely hot though. I'm surprised they haven't burned more buildings down.

Anyhoo, rogue detection with Cisco wireless kit is full of exciting caveats, the totality of which will make you question whether rogue detection is even worth your time.

At best, you get to leave it "on" and tell your auditors it's "on". Good luck if any of the SSIDs have any encryption, though, since you won't be able to associate to them and conduct the ping test back to the WLC. Oh, and dedicated rogue monitor radios don't help either if somebody plugs a Linksys into your network. You'll never see the client ARP frames on both sides, so you won't trigger the rogue alert.

Mierdaan
Sep 14, 2004

Pillbug
Looks like we're moving to a new ISP,

quote:

1.4 Traffic Management.
ISP's network traffic-policing policies restrict traffic flows to the subscribed CIR for each service class. If the customer transmitted bandwidth rate for any CoS exceeds the subscription rate (CIR) and burst size (CBS), ISP will discard the non-conformant packets.

Is this a common thing to do? Can we do egress rate limiting like this with an ASA 5505?

jwh
Jun 12, 2002

You should be able to google for 'asa rate limit' and adapt something from there.

It's done in a kinda weird way (to my mind).

There are still so many vestigial remnants of global configuration in ASA that really ought to be under interfaces directly, if you ask me.
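
The clause Mierdaan quoted describes a single-rate policer: a token bucket that refills at the CIR and holds at most CBS bytes, with anything that does not fit discarded rather than queued. The script below is an added example, not the ISP's or the ASA's implementation (on the ASA the equivalent knob is `police output <bps> <burst-bytes>` in a policy-map class, which is what the "asa rate limit" search turns up); the 1 Mbps CIR, 15000-byte CBS and packet timings are constructed for the example. It shows how a burst that fits inside CBS sails through while the tail of a longer burst is dropped, which is exactly the traffic you want shaped on your side before it reaches the ISP's policer.

```python
def police(packets, cir_bps, cbs_bytes):
    """Single-rate, single-bucket policer.

    packets: iterable of (timestamp_seconds, size_bytes) in time order.
    Returns a list of (timestamp, size, "conform" | "exceed"). Tokens refill
    at CIR (bits/sec, converted to bytes/sec) up to a ceiling of CBS bytes;
    a packet conforms only if the bucket holds at least its size. The ISP
    discards the exceeding packets, so they never reach the far end.
    """
    rate = cir_bps / 8.0
    tokens = float(cbs_bytes)
    last = None
    verdicts = []
    for ts, size in packets:
        if last is not None:
            tokens = min(float(cbs_bytes), tokens + (ts - last) * rate)
        last = ts
        if size <= tokens:
            tokens -= size
            verdicts.append((ts, size, "conform"))
        else:
            verdicts.append((ts, size, "exceed"))
    return verdicts


def dropped_bytes(verdicts):
    """Total bytes the policer would discard."""
    return sum(size for _, size, v in verdicts if v == "exceed")


# Constructed burst: twelve 1500-byte frames 1 ms apart, then one more after a 90 ms gap.
BURST = [(i / 1000, 1500) for i in range(12)] + [(0.1, 1500)]
CIR_BPS = 1_000_000   # 1 Mbps subscription
CBS_BYTES = 15_000    # burst allowance

if __name__ == "__main__":
    for ts, size, verdict in police(BURST, CIR_BPS, CBS_BYTES):
        print("%.3fs %5d bytes %s" % (ts, size, verdict))
    print("dropped:", dropped_bytes(police(BURST, CIR_BPS, CBS_BYTES)), "bytes")
```

At 1 Mbps the bucket refills only 125 bytes per millisecond, so the first ten frames drain the 15000-byte allowance, the next two are discarded, and by the time the thirteenth arrives the bucket has refilled enough to let it through. Shaping (queueing) on your own edge turns those drops into delay; policing upstream turns them into TCP retransmits.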

ior
Nov 21, 2003

What's a fuckass?

jwh posted:

I never had a bad time with the 1131s. They run extremely hot though. I'm surprised they haven't burned more buildings down.

Indeed they are great APs. But they are getting very old and support will likely be cut way before the 1040s.

jwh posted:

Good luck if any of the SSIDs have any encryption, though, since you won't be able to associate to them and conduct the ping test back to the WLC.
Then the WLC will monitor the airspace for clients using the rogue AP - record their mac address and check your LAN for those.

jwh posted:

Oh, and dedicated rogue monitor radios don't help either if somebody plugs a Linksys into your network. You'll never see the client ARP frames on both sides, so you won't trigger the rogue alert.
Correct, if using both NAT/PAT and WPA-PSK or some other form of encryption/authentication then I can't think of a way to detect it. Best way would probably be getting location services up and running to triangulate it and check manually.
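
The correlation Kenfoldsfive described, and the blind spot jwh and ior agree on, fit in a few lines. This is an added example, not WLC or rogue-detector code: the over-the-air observations (rogue BSSIDs and the client MACs seen associating to them) and the ARP frames sniffed on the wired LAN are constructed, and the "on-wire" rule is the one the thread states, a rogue counts as wired when its BSSID or one of its clients turns up in wired ARP. The NAT router case shows why the rule cannot fire: its wired port uses a different MAC from its BSSID and its clients never appear on the LAN.

```python
# Constructed over-the-air observations reported to the WLC: rogue BSSID -> client MACs.
AIR_ROGUES = {
    "00:11:22:33:44:50": {"a4:5e:60:01:02:03", "a4:5e:60:04:05:06"},  # open AP bridging its clients
    "00:11:22:33:44:80": {"d8:3a:dd:aa:bb:cc"},                       # WPA-PSK NAT router
}

# Constructed ARP frames captured by a rogue-detector AP on the wired LAN: (sender MAC, sender IP).
WIRED_ARP = [
    ("a4:5e:60:01:02:03", "10.0.5.41"),   # bridged wireless client shows up on the wire
    ("00:11:22:33:44:50", "10.0.5.9"),    # the bridging AP's own MAC
    ("00:11:22:33:44:7f", "10.0.5.77"),   # NAT router WAN port: not its BSSID, clients hidden behind it
    ("3c:97:0e:10:20:30", "10.0.5.12"),   # ordinary wired host
]


def classify_rogues(air_rogues, wired_arp):
    """Correlate rogue BSSIDs and their clients with MACs seen in wired ARP.

    Returns {bssid: (verdict, matched_macs)} where verdict is "on-wire" when
    the BSSID or any client MAC was seen in ARP on the LAN, else "unknown"
    (the rogue may be a neighbour's AP, or a NAT device hiding everything).
    """
    wired_macs = {mac.lower() for mac, _ in wired_arp}
    verdicts = {}
    for bssid, clients in air_rogues.items():
        candidates = {bssid.lower()} | {c.lower() for c in clients}
        hits = sorted(candidates & wired_macs)
        verdicts[bssid] = ("on-wire", hits) if hits else ("unknown", [])
    return verdicts


def unexplained_wired_macs(air_rogues, wired_arp, known_macs):
    """Wired senders that are neither known hosts nor matched to a rogue.

    This is the manual follow-up ior suggests: a MAC on the wire that nobody
    can account for is the best lead on a NAT router that the correlation
    above cannot see. known_macs is an inventory the caller supplies.
    """
    air_macs = {m.lower() for bssid, clients in air_rogues.items() for m in {bssid} | clients}
    return sorted({mac.lower() for mac, _ in wired_arp} - air_macs - {m.lower() for m in known_macs})


if __name__ == "__main__":
    for bssid, (verdict, hits) in classify_rogues(AIR_ROGUES, WIRED_ARP).items():
        print(bssid, verdict, hits)
    print("unexplained on wire:", unexplained_wired_macs(AIR_ROGUES, WIRED_ARP, {"3c:97:0e:10:20:30"}))
```

The unexplained-MAC list is only as good as the inventory you feed it, which in practice means pulling the switch MAC tables or 802.1X session table rather than keeping a spreadsheet; port security or 802.1X on the access ports is what actually stops the Linksys, rogue detection just tells you it is there.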
