|
The master is elected based on a few things, put a higher priority on one with "switch X priority Y". 1 - 15, higher wins. "show switch" to verify. Depending on the fault the whole thing can poo poo. Unit faults will dump only one and the rest stay running. Monitor syslog for messages, make sure you have no loops or CPU burners. I also recommend default and reload a known good config - I have stacks that have blown up after renumbering or replacing units that just go into a crash loop.
|
#
?
May 1, 2015 22:39
|
|
|
|
| # ? Apr 24, 2024 14:20 |
|
|
I have the priorities set and they appear to be ignored completely (its supposed to choose the highest priority when electing a master). Unfortunately the syslog entries aren't complete, apparently the crash interrupts the ability to deliver syslog messages. I'm going to increase the local buffer so that we at least have 1 set of proper logs about the event. Show version gives an "address error" as the cause of the last reset. From some searching it looks like this could be a hardware/memory issue. I guess I'm not sure which tree to bark up here. Are the crashes happening and triggering a master re-election...then it uses the first switch up rule to assign the master role? Or is a master re-election triggering the crash? Unfortunately the logs being incomplete is really loving us here. This has been happening for a week or so and it's driving me nuts trying to figure out where to go. I wish we had money for a cisco support contract  Here's some screenshots:   The censored parts on the second image are just the name of the switch stack. Including the "System previously crashed with the following message: (SWITCH NAME)" which doesn't make any sense.
|
|
#
?
May 1, 2015 23:14
|
|
|
Moey posted:I have about a dozen of these. Only thing that pisses me off is the PoE model only will power 6 ports. It's only got a 100W PoE budget IIRC (12 @ 8W or 6 @ 15W then)
|
|
#
?
May 3, 2015 04:18
|
|
|
Spudalicious posted:So I've got two 3750E's in a simple stack, and we're having a problem where we get a crash, then a stack re-election and the stack master changes. I'm not sure if the stack master election is a symptom or a trigger for the crash at this point. Is there a crashinfo log being created? Read these links on how to see if there is one, and how to check it out: http://www.cisco.com/c/en/us/td/doc....html#wp1299349 http://www.cisco.com/c/en/us/support/docs/routers/12000-series-routers/15094-crashinfo.html Also you're running a 6 year old version of IOS. I know you said you don't have support, but have you got any other switches with a later version that can you lift the image from and stick it on your stack? There are an awful lot of bugs which could be exactly what you're experiencing (there were lots more, I just copied the first few relevant looking ones): https://tools.cisco.com/bugsearch/bug/CSCse44475 https://tools.cisco.com/bugsearch/bug/CSCse65252 https://tools.cisco.com/bugsearch/bug/CSCsx57195 https://tools.cisco.com/bugsearch/bug/CSCtr49434 Ahdinko fucked around with this message at 11:02 on May 4, 2015 |
|
#
?
May 4, 2015 10:51
|
|
|
nzspambot posted:It's only got a 100W PoE budget IIRC (12 @ 8W or 6 @ 15W then) They are completely fanless though. The whole thing is a heatsink, with the poe version having an additional heatsink on the back.
|
|
#
?
May 4, 2015 16:41
|
|
|
Crossposting from Enterprise WiFi- Has anyone used Junipers EX4200/4550 or EX4300/4600 switches? I'm re-doing our HQ and expanding onto another floor. There's two MPO fiber runs between the floors, 192 ports per floor that need 1GBE, POE, and mixed 10GBE. Combine this with 10 racks needing 1GBE and 10GB-SFP+. My other main office is a full Cisco shop, Nexus 7000/4506-E- but the current design lacks redundancy and has a dedicated basement DC that everything home runs to. We're planning on expanding out to a local DC and personally I would like to run Juniper MX's as my outside routers. I would like to explore the Cisco equivalent of the Juniper gear listed above if anyone has a recommendation.
|
|
#
?
May 4, 2015 19:44
|
|
|
the spyder posted:Crossposting from Enterprise WiFi- I am running a few sites with a virtual chassis consisting of 2x4550 and 2x4200 at their core. These are handling routing for their respective sites, as well as core/distribution switching.
|
|
#
?
May 5, 2015 13:31
|
|
|
Customer has two sites - an HQ with one ISP, and a DC with another. They're getting a dedicated metro e link run between the two and want the option to send traffic from the HQ to the DC and through the DC's ISP in the event that the HQ ISP goes down. I'm thinking the best way to do handle this is with EIGRP running on each firewall with two static default routes configured at the HQ and data center. Redistribute both static routes into EIGRP, keeping the AD of the default route at the HQ lower than the AD of the default route at the data center. Then, advertise the DC default route to the HQ firewall while not advertising the HQ default route to the DC. This way, the DC won't use the HQ in the event of an outage there. Does this sound viable?
|
|
#
?
May 6, 2015 15:20
|
|
|
psydude posted:Customer has two sites - an HQ with one ISP, and a DC with another. They're getting a dedicated metro e link run between the two and want the option to send traffic from the HQ to the DC and through the DC's ISP in the event that the HQ ISP goes down. Distribute default into the network at both locations like normal and just increase the path cost of the metroE link obscenely high.
|
|
#
?
May 6, 2015 15:31
|
|
|
I think I found an error in my data centre text book, but I want to run it by you guys to be sure. This is NX-OS specific Is it just me, or is the second "any" after the destination host address an error? pre:Write an ACL to deny unencrypted web traffic FROM any source TO host 10.10.1.110 Nexus7k(config-acl)# deny tcp any host 10.10.1.110 any eq 80
|
|
#
?
May 7, 2015 01:05
|
|
|
Ashley Madison posted:I think I found an error in my data centre text book, but I want to run it by you guys to be sure. This is NX-OS specific Yeah, that looks like an error to me. If it's from the Lammle guide, I think it's a known issue.
|
|
#
?
May 7, 2015 01:21
|
|
|
madsushi posted:Yeah, that looks like an error to me. If it's from the Lammle guide, I think it's a known issue. it is! I tried to find some official errata, but no dice. Thanks a lot!
|
|
#
?
May 7, 2015 01:57
|
|
|
cheese-cube posted:Anyone here familiar with Cisco Security Manager 4.7? I've been tasked with configuring it to use a SSL certificate issued by our internal-CA instead of the default self-signed one (Required to get AlgoSec to talk to it or something) and I'm having a hard time digging up good documentation. I've found some details in the built-in help but it's obtuse as hell and full of gaps (e.g. it says how to generate a CSR but it doesn't actually say where it puts it). I know what I'm doing when it comes to PKI however Cisco have managed to make it as difficult as possible. Just wanted to bring this back up incase anyone is having similar problems, turns out if you are using a Windows CA to sign the certificate then you are hosed, the certificate will verify and upload fine however Apache will fail to start and throw an exception in mod_ssl. Cisco TAC didn't believe me until I replicated the fault during a WebEx and they later confirmed the fault in their lab when using a Windows CA. We're still waiting on a fix from Cisco but honestly the CiscoWorks platform is rubbish and should be avoided. Any issue you have with it has to go to Cisco's internal development team and you won't hear much back.
|
|
#
?
May 12, 2015 19:51
|
|
|
Speaking of CSM: What is everyone using for FW policy management and how many rules do you look after? We have about 50k rules and I'm currently developing something in-house to do it - historically we have used flat files. Tufin looks pretty cool but it also looks pretty bloated with all the change management stuff.
|
|
#
?
May 13, 2015 04:47
|
|
|
cheese-cube posted:Just wanted to bring this back up incase anyone is having similar problems, turns out if you are using a Windows CA to sign the certificate then you are hosed, the certificate will verify and upload fine however Apache will fail to start and throw an exception in mod_ssl. Cisco TAC didn't believe me until I replicated the fault during a WebEx and they later confirmed the fault in their lab when using a Windows CA. We're still waiting on a fix from Cisco but honestly the CiscoWorks platform is rubbish and should be avoided. Any issue you have with it has to go to Cisco's internal development team and you won't hear much back. Cisco software has always been poo poo but for some stupid reason companies keep buying it. Ciscoworks/CSM/WLC all trash. Even IOS is pretty bad, but at least that can be somewhat forgiven because of the historical baggage. Kind of surprised they didn't move more toward a JunOS/bash cli thing. ate shit on live tv fucked around with this message at 05:57 on May 14, 2015 |
|
#
?
May 14, 2015 05:54
|
|
|
+1 for WLC/NCS/PIM being utterly obnoxious and obtuse.
|
|
#
?
May 14, 2015 13:33
|
|
|
We've deployed four ASA 5506-X's so far, and have run into problems activating the included FirePOWER Control licenses on each of them. An error is displayed saying that it's already been claimed, yet it generates a license file that's 0 bytes in length. We've had to contact TAC/licensing on every single one so far to get them to issue another PAK/license. What a PITA.
|
|
#
?
May 14, 2015 15:17
|
|
|
Honestly sounds like your vendor screwed up when they ordered them originally.
ate shit on live tv fucked around with this message at 18:15 on May 14, 2015 |
|
#
?
May 14, 2015 18:12
|
|
|
Powercrazy posted:Honestly sounds like your vendor screwed up when they ordered them originally. The PAKs for the control license are included in the box with the firewall. edit: TAC just confirmed that this is a known issue. Richard Noggin fucked around with this message at 20:06 on May 14, 2015 |
|
#
?
May 14, 2015 19:00
|
|
|
abigserve posted:Speaking of CSM: What is everyone using for FW policy management and how many rules do you look after? As a TAC engineer who supports CSM, please stop using CSM.
|
|
#
?
May 14, 2015 19:26
|
|
|
cheese-cube posted:Just wanted to bring this back up incase anyone is having similar problems, turns out if you are using a Windows CA to sign the certificate then you are hosed, the certificate will verify and upload fine however Apache will fail to start and throw an exception in mod_ssl. Cisco TAC didn't believe me until I replicated the fault during a WebEx and they later confirmed the fault in their lab when using a Windows CA. We're still waiting on a fix from Cisco but honestly the CiscoWorks platform is rubbish and should be avoided. Any issue you have with it has to go to Cisco's internal development team and you won't hear much back. Ok so we finally identified the root cause and managed to get it working. When you upload the certificate using the lovely "SSLUtil.pl" script it combines any root/intermediate CA certificates you give it into a single X.509 certificate file which it then drops in the "<CSM_INSTALL_DIR>\MDC\Apache\conf\ssl" directory along with the signed certificate. Turns out that the script was mangling the combined root/intermediate certificate chain file that it generates by inserting a bunch of random spaces. Manually editing the file to remove the spaces fixed it up and allowed Apache to start without throwing an error. gj cisco Partycat posted:+1 for WLC/NCS/PIM being utterly obnoxious and obtuse. Seconding NSC being obtuse as hell. I actually logged-on to our NSC install today for the first time as I was on a UCS Administration course and wanted to see how port-profiles are configured on our 1000Vs. I swear it took me a solid 10 minutes of clicking around to find the drat things. IMO NSC beats WLC for being obtuse by a wide margin. Pile Of Garbage fucked around with this message at 11:25 on May 15, 2015 |
|
#
?
May 15, 2015 11:16
|
|
|
Is it wrong that I quite like WLC? The menus in ISE and Prime never make any sense to me though
|
|
#
?
May 15, 2015 12:27
|
|
|
Before I make an effort post, has anyone here used CSoIP/TDM Pseudowires before? Looking into possibly using it to replace some long haul TDM circuits we have today.
|
|
#
?
May 15, 2015 13:29
|
|
|
General networking question: I need to a do a sniff/port mirror for a capture that could take a really long time (like more than a day) while we try to capture a very specific bad VoIP call. Can anyone recommend the best way to go about doing that?
|
|
#
?
May 15, 2015 18:45
|
|
|
Ashley Madison posted:General networking question: I need to a do a sniff/port mirror for a capture that could take a really long time (like more than a day) while we try to capture a very specific bad VoIP call. Can anyone recommend the best way to go about doing that? If you have a *nix-ish system that you can get the traffic to somehow (span/mirror on the switch, or if it's passing through a router/firewall appliance that runs *nix underneath) the "dumpcap" program from the tcpdump suite is my favorite way to do it. You can set it to capture files in a rolling buffer or split files by time/packets/bytes to make it easier to go back through the data. If it's remote there's a way to tunnel tcpdump over SSH using FIFOs so you can store the capture locally even from a device on the other side of the planet. I do this all the time when troubleshooting my hosted customers and can go in to more detail if needed.
|
|
#
?
May 15, 2015 18:55
|
|
|
wolrah posted:If you have a *nix-ish system that you can get the traffic to somehow (span/mirror on the switch, or if it's passing through a router/firewall appliance that runs *nix underneath) the "dumpcap" program from the tcpdump suite is my favorite way to do it. You can set it to capture files in a rolling buffer or split files by time/packets/bytes to make it easier to go back through the data. The traffic we're trying to capture is from the network port of a voice border controller that's in the same LAN, just in a different VLAN. It has port mirror capabilities built in, so I just have to switch it on and connect it. It's where to dump the capture that I have to figure out. I don't have access to a *nix-ish system unfortunately. The best I can think of just just dropping a PC and letting it sit and eat. I don't know if Wireshark has the ability to rotate a long-running capture?
|
|
#
?
May 15, 2015 19:59
|
|
|
Wireshark can rotate log files by time or by file size. I would also set up a capture filter so you're only recording VOIP traffic instead of filling up the file with unrelated traffic.
|
|
#
?
May 15, 2015 20:08
|
|
|
Filter as granular as you can. A full day of capturing is a HUGE unwieldy amount of data even split up into multiple file.
|
|
#
?
May 15, 2015 20:17
|
|
|
Eh, a full day of capturing one phone worth of voice traffic is about 1.4GB if that phone was in use literally 100% of the time without silence suppression. In the real world where most phones don't get used more than an hour or two in a day my largest single customer with nearly 500 extensions does around 10GB/day. It's not too bad if you're not capturing to a potato. I would not recommend just firing up Wireshark and hoping for the best though, in my experience it gets slow and crashy when dealing with more than a gigabyte or two. You don't want to have the problem happen and it turns out Wireshark ate poo poo hours earlier. dumpcap is bundled and will be right there next to wireshark.exe on a Windows system, so if you don't have a *nix box I'd still recommend using dumpcap to actually do the capture and just use Wireshark to view the results. This should get you started: code:Replace 4.2.2.2 with the IP address of the VoIP server or device to monitor, or just put any tcpdump-style filter string in the quotes and it'll sit there quietly capturing away until you kill it with Control-C. If you want shorter captures change the duration, it's set to one hour in my example, and of course you can change the output filename to something more descriptive.
|
|
#
?
May 15, 2015 21:46
|
|
|
Filthy Lucre posted:Wireshark can rotate log files by time or by file size. I would also set up a capture filter so you're only recording VOIP traffic instead of filling up the file with unrelated traffic. 1) Use a Capture Filter (NOT a display filter) to only get the bits you want. 2) If you only need the headers, you can limit the capture size to like 150 bytes and drop the rest (this is done in the capture options) so you just get the header info for each packet (which is usually enough, unless you need the whole payload). 3) Set Wireshark to rotate between like 10x 1GB files (again, capture options, multiple files, ring buffer with 10 files, next file every 1 gigabyte).
|
|
#
?
May 15, 2015 21:47
|
|
|
That is a lot of really useful information! Thanks everyone  I'm going to give it a test run next week and see how it goes.e: wolrah posted:Eh, a full day of capturing one phone worth of voice traffic is about 1.4GB if that phone was in use literally 100% of the time without silence suppression. In the real world where most phones don't get used more than an hour or two in a day my largest single customer with nearly 500 extensions does around 10GB/day. It's not too bad if you're not capturing to a potato. Unfortunately it's a very intermittent echo problem that only occurs between an internal phone and an external PSTN caller. I have to capture almost everything instead of a single phone and hope that they report to me when the problem pops up
|
|
#
?
May 16, 2015 02:03
|
|
|
Ashley Madison posted:That is a lot of really useful information! Thanks everyone I had this pop up once and it was an issue with the 4-to-2-to-4 wire conversion on the carrier side. It would only pop up when they would call / get calls from that particular carrier (it was long-distance Sprint iirc). Basically there is some echo detection stuff built in that was getting borked. Unfortunately I can't remember if the carrier fixed it or if there was some arcane setting (this was ShoreTel) that we set to fix it.
|
|
#
?
May 16, 2015 02:08
|
|
|
madsushi posted:I had this pop up once and it was an issue with the 4-to-2-to-4 wire conversion on the carrier side. It would only pop up when they would call / get calls from that particular carrier (it was long-distance Sprint iirc). Basically there is some echo detection stuff built in that was getting borked. Unfortunately I can't remember if the carrier fixed it or if there was some arcane setting (this was ShoreTel) that we set to fix it. That's very interesting. When it happened was the echo heard on both ends? In our scenario the internal VoIP user can hear their own voice echo back at them, but the external caller doesn't hear anything unusual. Running a debug syslog and traffic sniff came directly from Sonus, the vendor for our border controller.
|
|
#
?
May 16, 2015 03:07
|
|
|
Echo is an analog problem. Replace the user's phone. If it's a 5200 you can get a media trace from the SBC. No idea on the 1k/2ks since they aren't a 'real' Sonus device.
|
|
#
?
May 16, 2015 04:55
|
|
|
FatCow posted:Echo is an analog problem. Replace the user's phone. it's a 2k 
|
|
#
?
May 16, 2015 20:48
|
|
|
FatCow posted:Before I make an effort post, has anyone here used CSoIP/TDM Pseudowires before? I've done a fair amount on 7200s and MWR2941s without any major issues. I also did an evaluation on the ASR901 and ME3600CX at FCS. Hopefully the code has gotten better, but as I recall the timing preservation across the PW was horrible.
|
|
#
?
May 18, 2015 17:41
|
|
|
So strat 1 timing is pretty much required on both ends? Having it on one side is no problem, the other side is going to bump the cost up a good bit. How long were your circuits? I'm looking at doing regional to cross country DS3s.
|
|
#
?
May 19, 2015 04:27
|
|
|
Having timing sources on both sides wouldn't have helped, the issue was with the QoS buffers on the ASR901/ME3600 introducing a large amount of jitter. Running a T-BERD test across the emulated T1 would show a lot of errored frames due to timing.This was all intra-LATA backhaul to a MSC/MTSO, but the carrier need solid timing for their NodeB boxes.
|
|
#
?
May 19, 2015 14:08
|
|
|
wolrah posted:If it's remote there's a way to tunnel tcpdump over SSH using FIFOs so you can store the capture locally even from a device on the other side of the planet. I do this all the time when troubleshooting my hosted customers and can go in to more detail if needed. Ooh, this sounds sexy. I wouldn't mind getting my hands on this info. If you don't want to put it here, you can email my username @ gmail. Thanks!
|
|
#
?
May 19, 2015 15:29
|
|
|
|
| # ? Apr 24, 2024 14:20 |
|
|
Panthrax posted:Ooh, this sounds sexy. I wouldn't mind getting my hands on this info. If you don't want to put it here, you can email my username @ gmail. Thanks! It's all good, it's pretty simple between two *nix boxes. There's probably a way to do this on Windows but I haven't bothered to figure it out since I can just X forward Wireshark from my server when I want to do a remote GUI capture on my Windows box. On your capture machine you need to open two terminals. The first step is to create the FIFO we'll use. code:Then we use SSH command line forwarding to launch tcpdump directly on the remote machine: code:The "-i" parameter specifies the interface to capture from, in this case eth0. "-s 0" tells it to not truncate any packets. The downsides of doing this are that the remote upload bandwidth must be sufficient for what you're capturing, and it only flushes the buffer after a certain number of bytes (IIRC 65536) so if what you're monitoring is small and rare you might need to run this for a while before the remote host actually sends you anything. If you know the packets you're looking for will never exceed a certain size or don't care about anything but the headers you can cut this back. "-w -" tells it to output raw pcap format to stdout which is what our remote end will be looking for. Normally tcpdump output is somewhat human readable, but you're not looking for a human to read it. "port 5060" is just an example capture filter. If you're capturing low-traffic stuff but still want it to be close to real-time you can work around the issue with "-s 0" above by adding some other kind of traffic to the capture filter (I usually use "or icmp" and then start pinging the host to generate that traffic) and just filter the garbage out locally. "> /tmp/pcap" redirects stdout from the SSH session to the FIFO At this point the SSH session should be stalled before it would even ask for a password because there's nothing listening on the FIFO. If you see it going ahead you probably did something wrong and it's writing to a file instead. This isn't necessarily bad of course if you want a file instead, but in this case we're trying to get it to a local application in real-time. Now switch over to your other terminal and launch your capture application of choice. I'm going to use Wireshark as the example, but it works with most other applications that deal with libpcap. code:"-i /tmp/pcap" tells it to capture from the FIFO as if it was an interface. At this point your terminal with the SSH session will now be prompting for a password if applicable or will do the key authentication and when that's complete you should see tcpdump say it's capturing on the requested interface. Wireshark will then start capturing from the incoming stream. You may need to vary it up depending on the specific configuration of the remote device. OpenWRT for example does not seem to set PATH properly when trying to execute a command directly from the SSH command line so in that case you need to use the absolute path to the tcpdump executable. BSD devices like pfSense don't use a standard interface naming scheme so you'll have to figure out the correct one on your own. Anything with a roughly *nix-ish environment works on either end, the only real requirement is that the remote side has tcpdump or something equivalent that can send PCAP format data to stdout. I've been doing this for years with Linux and BSD powered router/firewall devices as the remote end and Mac or Linux machines as the local end.
|
|
#
?
May 19, 2015 17:37
|
|