Channel: IEOC - INE's Online Community

r&s mpls ttl-propagate - show labels in trace


Hi 

I have a functioning MPLS lab using the "sim" from Cisco no one should be using ;)

Basically it's a star of P routers using the ospf mpls ldp autoconfig area 0 command - it's functioning.

 PE config is following (nothing special actually)

router bgp 100
 bgp router-id 80.1.1.1
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 80.2.2.2 remote-as 100
 neighbor 80.2.2.2 update-source Loopback0
 !
 address-family ipv4
  neighbor 80.2.2.2 activate
  neighbor 80.2.2.2 send-community
 exit-address-family
 !
 address-family vpnv4
  neighbor 80.2.2.2 activate
  neighbor 80.2.2.2 send-community extended
  neighbor 80.2.2.2 next-hop-self
 exit-address-family
 !
 address-family ipv4 vrf CUST1
  redistribute connected
  redistribute ospf 1010
  neighbor 192.168.1.111 remote-as 10
  neighbor 192.168.1.111 activate
  neighbor 192.168.1.111 next-hop-self
 exit-address-family

 

 

there are CE routers connected to the PE's and using BGP for PE-CE 

doing the traceroute CE-CE loopbacks

CPE2#traceroute 192.168.100.1 source lo0
Type escape sequence to abort.
Tracing the route to 192.168.100.1
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.99.2 0 msec 0 msec 1 msec
  2  *  *  * 
  3  *  *  * 
  4  *  *  * 
  5 192.168.1.111 [AS 100] 1 msec *  1 msec

 

Is there anything special I have to do to get the routers to show the MPLS path / routers?

The IP network in the MPLS P routers is not being redistributed into BGP in any way.

 

- Benni

 

 

 

 


CCIE Security Bootcamp Workbook


Dears,

I'm trying to load the CCIE Security Bootcamp Workbook Technology Tasks on the Racks.

But all I can load is the Technology solutions?

 

Is my workbook missing something that can’t be loaded onto the racks?

Thank you :)

IKEv2 S2S VPN between ASA and Router


Dears,
I am configuring an IKEv2 site-to-site VPN between an ASA and a router. Sometimes the tunnel comes up and sometimes it does not. I am choosing random encryption/integrity protocols and setting the prf on the ASA the same as the integrity algorithm.

Are there any limitations on some algorithms?

Here is an example of a non-working config. Plz advise if I missed anything:
Tunnel IPs:
ASA: 192.168.1.11
Router: 192.168.2.1

interesting traffic:
ASA: 192.168.11.0/24
R1: 150.1.1.0/24

ASA config:
access-list 101 extended permit ip 192.168.11.0 255.255.255.0 150.1.1.0 255.255.255.0
crypto ipsec ikev2 ipsec-proposal ikeprop
 protocol esp encryption aes
 protocol esp integrity sha-1
crypto map mymap 10 match address 101
crypto map mymap 10 set peer 192.168.2.1
crypto map mymap 10 set ikev2 ipsec-proposal ikeprop
crypto map mymap interface outside
crypto ikev2 policy 10
 encryption aes
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
tunnel-group 192.168.2.1 type ipsec-l2l
tunnel-group 192.168.2.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key cisco
 ikev2 local-authentication pre-shared-key cisco

Router config:
access-list 101 permit ip 150.1.1.0 0.0.0.255 192.168.11.0 0.0.0.255
crypto ikev2 proposal ikeprop
 encryption aes-cbc-128
 integrity sha1
 group 5
crypto ikev2 keyring ASA
 peer 192.168.1.11
  address 192.168.1.11
  pre-shared-key local cisco
  pre-shared-key remote cisco
 !
crypto ikev2 profile ikeprof
 match identity remote address 192.168.1.11 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local ASA
crypto ipsec transform-set myset esp-aes esp-sha-hmac
 mode tunnel
crypto map mymap 10 ipsec-isakmp
 set peer 192.168.1.11
 set transform-set myset
 set ikev2-profile ikeprof
 match address 101
int g0/0
 crypto map mymap

N1Kv - ERSPAN Task


Dear All,

As per the ERSPAN in N1K Lab task, the traffic to/from Win2k8-www-3 needs to be sent to a remote server connected to N5K. In the solution, the "show int status" shows Win2k8-www-3 is connected to veth13 but the ERSPAN session is configured with "source interface veth12". And the configuration on N5K shows the source ip as the ESXi host 10.0.115.12 but Win2k8-www-3 resides on the ESXi host 10.0.115.11. I am confused whether this configuration is a typo or whether I am missing something theoretically.

Could someone please help me understand this?

Question about BGP Configuration LAB- Establishing iBGP Peerings


Obviously this is a no-brainer to establish iBGP peering ... but the question I have regards why the INE solution selects certain ip addresses over others.  A router will have multiple paths to another router ... and yet there does not seem to be any consistency as to why it chooses one interface over another.

Does it really matter which interface I select to establish the peering?  Just want to make sure I am not missing something here.

Case in point ... R6 peers with R3 through R7.  I was thinking lower RTO.  Yet R7 peers with R1 through R6 .. higher RTO.  I only mention RTO because the EIGRP metrics are equal .. so I don't know what the tie-breaker is.

R6#show ip eigrp neigh
EIGRP-IPv4 Neighbors for AS(100)
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
2   155.1.67.7               Fa0/0.67          12 00:28:59    2   200  0  6
1   155.1.146.4             Fa0/0.146         11 00:29:03    1   200  0  11
0   155.1.146.1             Fa0/0.146         11 00:29:07  816  4896  0  17

 

R7#show ip eigrp neigh
EIGRP-IPv4 Neighbors for AS(100)
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
1   155.1.37.3              Fa0/0.37          13 00:26:48    3   200  0  19
0   155.1.67.6              Fa0/0.67          11 00:26:50 1596  5000  0  12

Distant IBGP peering when multiple interface available


On the first BGP lab iBGP peerings are formed. Since all Rs have multiple interfaces and IGP reachability to all is present, I was expecting that any interface would be OK for the peering, but this is not the case. Is there a rule that I should follow to be certain that a specific interface will be OK for iBGP peering? Does it have anything to do with the fact that some are virtual tunnel interfaces?

Thank you

How many rack rental hours are required to complete CCNA 200-120 workbooks


Hello all , 

 

I am planning on renting the racks and practicing for my CCNA 200-120 exam , if anyone has an average idea from past experience on how many rental hours may I require to complete all the lab tasks, considering I have no previous experience on any network equipment. 

Thanks

 

pim snooping ?


what is pim snooping for ? I did search cisco config guides and main books for term, nothing.

there is such command ip pim snooping (link to ref) but it does not tell u much; in fact tells nothing.

 


IOS-XR as PE running Multicast VPN - Loopback VRF not responding to Mping


Hi.

 

I am simulating LAB4 of workbook.

IOS-XR as PE.

I tried to join one of its loopbacks and a physical interface (both VRF enabled) to a multicast group.

I noticed the physical interface responds to multicast ping, but loopbacks do not.

Is this a default behavior of IOS-XR?

Or am I missing something?

If the PE-to-CE link is responding and the local loopback is not, I can't see any problem with multicast configurations.

anyone, please advise.

 

thanks

 

 

Multicast Tunneling


Hi,

This task is driving me crazy. I have configured the routers as shown in the solution; the neighbour from the R9 side looks okay and up, but from the R5 side it's down. BTW I am using IOU on GNS3. Any idea, or is this an IOU issue?

How to Register Alcatel 40X8 IP Phones on Cisco 2901 CME


Please see my configuration
 
ip dhcp pool voice
network 192.168.10.0 255.255.255.0
next-server 192.168.10.1
domain-name cisco.com
dns-server 192.168.10.1
default-router 192.168.10.1
option 150 ip 192.168.10.1
option 66 ip 192.168.10.1
!
!
no ip domain lookup
ip domain name cisco.com
ip dhcp-server query lease retries 5
ip dhcp-server 192.168.10.1
ip cef
multilink bundle-name authenticated
!
!
voice service voip
qsig decode
allow-connections h323 to h323
allow-connections sip to sip
no supplementary-service h450.2
no supplementary-service h450.3
h323
sip
  bind control source-interface GigabitEthernet0/0
  bind media source-interface GigabitEthernet0/0
  registrar server expires max 600 min 60
  no call service stop
!
voice register global
mode cme
source-address 192.168.10.1 port 5060
max-dn 200
max-pool 42
authenticate realm 192.168.10.1
timezone 21
time-format 24
date-format D/M/Y
file text
create profile sync 0008342444941519
!
voice register dn  1
number 6001
allow watch
name local IP1
mwi
!
voice register pool  1
id mac 0080.9F94.2A08
number 1 dn 1
presence call-list
dtmf-relay rtp-nte
username 6200 password 6200
codec g711ulaw
no vad
!
!
tftp-server flash:dat4028
tftp-server flash:dat4028G
tftp-server flash:noe4028
tftp-server flash:noe4028G
tftp-server flash:sipconfig
tftp-server flash:sipconfig.txt
tftp-server flash:sipconfig-00809f7c5fb9.txt
tftp-server flash:sipconfig-00809f942a08.txt
tftp-server flash:bin4028
tftp-server flash:bin4028G
tftp-server flash:noe40x8
tftp-server flash:noe40x8G
tftp-server flash:bin40x8G
tftp-server flash:dat40x8G
tftp-server flash:datsip4028G
tftp-server flash:nosip4028G
tftp-server flash:noesip4028G
tftp-server flash:binsip4028G
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0.1
encapsulation dot1Q 100
ip address 192.168.10.1 255.255.255.0
!
dial-peer voice 2107 pots
destination-pattern 2...
incoming called-number ....
clid restrict
supplementary-service qsig call-forward
direct-inward-dial
forward-digits all
!
dial-peer voice 1 voip
preference 1
destination-pattern 6...
session protocol sipv2
session target ipv4:196.168.10.1
dtmf-relay sip-notify
codec g711ulaw
no vad
!
sip-ua
authentication username 6200 password 7 1544595C54 realm 192.168.10.1
no remote-party-id
retry invite 2
retry register 10
timers connect 100
mwi-server ipv4:192.168.10.1 expires 86400 port 5060 transport tcp
registrar dns:cisco.com expires 3600
sip-server dns:192.168.10.1
host-registrar
!
!
!
gatekeeper
no shutdown
!
telephony-service
max-ephones 42
max-dn 200
ip source-address 192.168.10.1 port 5060
auto assign 1 to 200
cnf-file location flash:
max-conferences 8 gain -6
call-forward pattern .T
web admin system name admin password admin
dn-webedit
time-webedit
transfer-system full-consult
transfer-pattern .... blind
create cnf-files version-stamp 7960 Apr 16 2015 06:52:18
!
!
ephone-dn  1  dual-line
number 6001
name Local IP1
huntstop channel
!

DMVPN issue


I'm having an issue with a couple of branch routers not playing ball with dmvpn. My hubs are Cisco 4k series routers and working for 90% of the other sites. With other 4k series routers as spokes the config works fine. But trying to get a 1900 or 1800 series spoke router working is a nightmare, the crypto and dmvpn config won't come up properly. Below is an example of the branch config WHEN THE TUNNEL WORKS (firstly I will show you the config that actually works on either the 1800 or 1900 series spoke router).

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key xxxxxxx address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
crypto ipsec transform-set DMVPN_TSet esp-aes esp-sha-hmac
crypto ipsec profile DMVPN
 set security-association lifetime seconds 120
 set transform-set DMVPN_TSet
interface Tunnel0
 description Tunnel to dmvpnhub1
 bandwidth 8192
 ip address 172.31.220.5 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication xxxxxxx
 ip nhrp map multicast 204.75.81.65
 ip nhrp map 172.31.220.1 204.75.81.65
 ip nhrp network-id 1
 ip nhrp holdtime 600
 ip nhrp nhs 172.31.220.1
 ip tcp adjust-mss 1360
 qos pre-classify
 keepalive 10 3
 tunnel source Dialer1
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile DMVPN shared

ip route 204.75.81.65 255.255.255.255 Dialer1

 

Now, when I apply the following config to make the dmvpn use a front door vrf, the tunnel breaks and won't come up.

 

ip vrf dmvpnvrf
 rd 1:1

crypto keyring dmvpnkeyring vrf dmvpnvrf
  pre-shared-key address 0.0.0.0 0.0.0.0 key xxxxxx

ip route vrf dmvpnvrf 0.0.0.0 0.0.0.0 di1

int di1
 ip vrf forwarding dmvpnvrf
 ip address negotiated
int tun0
 tunnel vrf dmvpnvrf
int tun1
 tunnel vrf dmvpnvrf

 

If I shut all interfaces down, clear the crypto and dmvpn sessions, then bring it all up, I get some debugs showing the crypto goes to QM_IDLE (indicating it works), and then goes down again. I will provide these debugs below. Please note that there are some NAT-T messages in the debug, but my router ain't using NAT so I don't know why I'm getting NAT-T in the debugs.

06650r2#

06650r2#

06650r2#

Apr 16 07:07:44.633 GMT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

Apr 16 07:07:44.633 GMT: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1

Apr 16 07:07:44.633 GMT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

Apr 16 07:07:44.633 GMT: ISAKMP:(0): sending packet to 204.75.81.65 my_port 500 peer_port 500 (I) MM_NO_STATE

Apr 16 07:07:44.633 GMT: ISAKMP:(0):Sending an IKE IPv4 Packet.

06650r2#

Apr 16 07:07:46.689 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...

Apr 16 07:07:46.689 GMT: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1

Apr 16 07:07:46.689 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP

Apr 16 07:07:46.689 GMT: ISAKMP:(0): sending packet to 195.143.92.34 my_port 500 peer_port 500 (R) MM_SA_SETUP

Apr 16 07:07:46.689 GMT: ISAKMP:(0):Sending an IKE IPv4 Packet.

Apr 16 07:07:48.076 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...

Apr 16 07:07:48.076 GMT: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1

Apr 16 07:07:48.076 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP

Apr 16 07:07:48.076 GMT: ISAKMP:(0): sending packet to 195.81.160.82 my_port 500 peer_port 500 (R) MM_SA_SETUP

Apr 16 07:07:48.076 GMT: ISAKMP:(0):Sending an IKE IPv4 Packet.

Apr 16 07:07:48.112 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...

Apr 16 07:07:48.112 GMT: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1

Apr 16 07:07:48.112 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP

Apr 16 07:07:48.112 GMT: ISAKMP:(0): sending packet to 213.39.51.226 my_port 500 peer_port 500 (R) MM_SA_SETUP

Apr 16 07:07:48.112 GMT: ISAKMP:(0):Sending an IKE IPv4 Packet.

Apr 16 07:07:48.120 GMT: ISAKMP (0): received packet from 213.39.51.226 dport 500 sport 500 dmvpnvrf (N) NEW SA

Apr 16 07:07:48.120 GMT: ISAKMP: Created a peer struct for 213.39.51.226, peer port 500

Apr 16 07:07:48.120 GMT: ISAKMP: New peer created peer = 0x662FC558 peer_handle = 0x80000019

Apr 16 07:07:48.120 GMT: ISAKMP: Locking peer struct 0x662FC558, refcount 1 for crypto_isakmp_process_block

Apr 16 07:07:48.120 GMT: ISAKMP: local port 500, remote port 500

Apr 16 07:07:48.120 GMT: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 668F896C

Apr 16 07:07:48.120 GMT: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

Apr 16 07:07:48.120 GMT: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1 

 

Apr 16 07:07:48.120 GMT: ISAKMP:(0): processing SA payload. message ID = 0

Apr 16 07:07:48.124 GMT: ISAKMP:(0): processing vendor id payload

Apr 16 07:07:48.124 GMT: ISAKMP:(0): vendor ID seems Unit

06650r2#y/DPD but major 69 mismatch

Apr 16 07:07:48.124 GMT: ISAKMP (0): vendor ID is NAT-T RFC 3947

Apr 16 07:07:48.124 GMT: ISAKMP:(0): processing vendor id payload

Apr 16 07:07:48.124 GMT: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch

Apr 16 07:07:48.124 GMT: ISAKMP (0): vendor ID is NAT-T v7

Apr 16 07:07:48.124 GMT: ISAKMP:(0): processing vendor id payload

Apr 16 07:07:48.124 GMT: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch

Apr 16 07:07:48.124 GMT: ISAKMP:(0): vendor ID is NAT-T v3

Apr 16 07:07:48.124 GMT: ISAKMP:(0): processing vendor id payload

Apr 16 07:07:48.124 GMT: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch

Apr 16 07:07:48.124 GMT: ISAKMP:(0): vendor ID is NAT-T v2

Apr 16 07:07:48.124 GMT: ISAKMP:(0):found peer pre-shared key matching 213.39.51.226

Apr 16 07:07:48.124 GMT: ISAKMP:(0): local preshared key found

Apr 16 07:07:48.124 GMT: ISAKMP : Scanning profiles for xauth ...

Apr 16 07:07:48.124 GMT: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy

Apr 16 07:07:48.124 GMT: ISAKMP:      encryption AES-CBC

Apr 16 07:07:48.124 GMT: ISAKMP:      keylength of 256

Apr 16 07:07:48.124 GMT: ISAKMP:      hash SHA

Apr 16 07:07:48.124 GMT: ISAKMP:      default group 2

Apr 16 07:07:48.124 GMT: ISAKMP:      auth pre-share

Apr 16 07:07:48.124 GMT: ISAKMP:      life type in seconds

Apr 16 07:07:48.124 GMT: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 

Apr 16 07:07:48.124 GMT: ISAKMP:(0):atts are acceptable. Next payload is 0

Apr 16 07:07:48.124 GMT: ISAKMP:(0):Acceptable atts:actual life: 0

Apr 16 07:07:48.124 GMT: ISAKMP:(0):Acceptable atts:life: 0

Apr 16 07:07:48.124 GMT: ISAKMP:(0):Fill atts in sa vpi_length:4

Apr 16 07:07:48.124 GMT: ISAKMP:(0):Fill atts in sa life_in_seconds:86400

Apr 16 07:07:48.124 GMT: ISAKMP:(0):Returning Actual lifetime: 86400

Apr 16 07:07:48.124 GMT: ISAKMP:(0)::Started lifetime timer: 86400.

 

Apr 16 07:07:48.128 GMT: ISAKMP:(0): processing vendor id payload

Apr 16 07:07:48.128 GMT: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

Apr 16 07:07:48.128 GMT: ISAKMP (0): vendor ID is NAT-T RFC 3947

Apr 16 07:07:48.128 GMT: ISAKMP:(0): processing vendor id payload

Apr 16 07:07:48.128 GMT: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch

Apr 16 07:07:48.128 GMT: ISAKMP (0): vendor ID is NAT-T v7

Apr 16 07:07:48.128 GMT: ISAKMP:(0): processing vendor id payload

Apr 16 07:07:48.128 GMT: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch

Apr 16 07:07:48.128 GMT: ISAKMP:(0): vendor ID is NAT-T v3

Apr 16 07:07:48.128 GMT: ISAKMP:(0): processing vendor id payload

Apr 16 07:07:48.128 GMT: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch

Apr 16 07:07:48.128 GMT: ISAKMP:(0): vendor ID is NAT-T v2

Apr 16 07:07:48.128 GMT: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

Apr 16 07:07:48.128 GMT: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1 

 

Apr 16 07:07:48.128 GMT: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID

Apr 16 07:07:48.128 GMT: ISAKMP:(0): sending packet to 213.39.51.226 my_port 500 peer_port 500 (R) MM_SA_SETUP

Apr 16 07:07:48.128 GMT: ISAKMP:(0):Sending an IKE IPv4 Packet.

Apr 16 07:07:48.128 GMT: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

Apr 16 07:07:48.132 GMT: ISAKMP:(0):Old State =

06650r2# IKE_R_MM1  New State = IKE_R_MM2 

 

06650r2#

Apr 16 07:07:50.736 GMT: ISAKMP (0): received packet from 213.39.109.98 dport 500 sport 500 dmvpnvrf (R) MM_SA_SETUP

Apr 16 07:07:50.736 GMT: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.

Apr 16 07:07:50.736 GMT: ISAKMP:(0): retransmitting due to retransmit phase 1

Apr 16 07:07:51.236 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...

Apr 16 07:07:51.236 GMT: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1

Apr 16 07:07:51.236 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP

Apr 16 07:07:51.236 GMT: ISAKMP:(0): sending packet to 213.39.109.98 my_port 500 peer_port 500 (R) MM_SA_SETUP

06650r2#

Apr 16 07:07:51.236 GMT: ISAKMP:(0):Sending an IKE IPv4 Packet.

06650r2#

Apr 16 07:07:54.632 GMT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

Apr 16 07:07:54.632 GMT: ISAKMP:(0):peer does not do paranoid keepalives.

 

Apr 16 07:07:54.632 GMT: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 204.75.81.65)

Apr 16 07:07:54.632 GMT: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 204.75.81.65) 

Apr 16 07:07:54.632 GMT: ISAKMP: Unlocking peer struct 0x668EE114 for isadb_mark_sa_deleted(), count 0

Apr 16 07:07:54.632 GMT: ISAKMP: Deleting peer node by peer_reap for 204.75.81.65: 668EE114

Apr 16 07:07:54.632 GMT: ISAKMP:(0):deleting node 1202920501 error FALSE reason "IKE deleted"

Apr 16 07:07:54.632 GMT: ISAKMP:(0):deleting node -2119501275 error FALSE reason "IKE deleted"

Apr 16 07:07:54.632 GMT: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

Apr 16 07:07:54.632 GMT: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA 

 

Apr 16 07:07:54.936 GMT: ISAKMP:(0): SA request profile is (NULL)

Apr 16 07:07:54.936 GMT: ISAKMP: Created a peer struct for 204.75.81.65, peer port 500

Apr 16 07:07:54.936 GMT: ISAKMP: New peer created peer = 0x668EE114 peer_handle = 0x8000001E

Apr 16 07:07:54.936 GMT: ISAKMP: Locking peer struct 0x668EE114, refcount 1 for isakmp_initiator

Apr 16 07:07:54.936 GMT: ISAKMP: local port 500, remote port 500

Apr 16 07:07:54.936 GMT: ISAKMP: set new node 0 to QM_IDLE      

Apr 16 07:07:54.936 GMT: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 665F5600

Apr 16 07:07:54.936 GMT: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.

Apr 16 07:07:54.936 GMT: ISAKMP:(0):found peer pre-shared key matching 204.75.81.65

Apr 16 07:07:54.936 GMT: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID

Apr 16 07:07:54.940 GMT: ISAKMP:(0): constructed NAT-T vendor-07 ID

06650r2#

Apr 16 07:07:54.940 GMT: ISAKMP:(0): constructed NAT-T vendor-03 ID

Apr 16 07:07:54.940 GMT: ISAKMP:(0): constructed NAT-T vendor-02 ID

Apr 16 07:07:54.940 GMT: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

Apr 16 07:07:54.940 GMT: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1 

 

Apr 16 07:07:54.940 GMT: ISAKMP:(0): beginning Main Mode exchange

Apr 16 07:07:54.940 GMT: ISAKMP:(0): sending packet to 204.75.81.65 my_port 500 peer_port 500 (I) MM_NO_STATE

Apr 16 07:07:54.940 GMT: ISAKMP:(0):Sending an IKE IPv4 Packet.

06650r2#

Apr 16 07:07:56.688 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...

Apr 16 07:07:56.688 GMT: ISAKMP:(0):peer does not do paranoid keepalives.

 

Apr 16 07:07:56.688 GMT: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 195.143.92.34)

Apr 16 07:07:56.688 GMT: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 195.143.92.34) 

Apr 16 07:07:56.688 GMT: ISAKMP: Unlocking peer struct 0x661043E0 for isadb_mark_sa_deleted(), count 0

Apr 16 07:07:56.688 GMT: ISAKMP: Deleting peer node by peer_reap for 195.143.92.34: 661043E0

Apr 16 07:07:56.688 GMT: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

06650r2#

Apr 16 07:07:56.688 GMT: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_DEST_SA 

 

Apr 16 07:07:58.076 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...

Apr 16 07:07:58.076 GMT: ISAKMP:(0):peer does not do paranoid keepalives.

 

Apr 16 07:07:58.076 GMT: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 195.81.160.82)

Apr 16 07:07:58.076 GMT: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 195.81.160.82) 

Apr 16 07:07:58.076 GMT: ISAKMP: Unlocking peer struct 0x66577DF0 for isadb_mark_sa_deleted(), count 0

Apr 16 07:07:58.076 GMT: ISAKMP: Deleting peer node by peer_reap for 195.81.160.82: 66577DF0

Apr 16 07:07:58.076 GMT: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

Apr 16 07:07:58.076 GMT: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_DEST_SA 

 

Apr 16 07:07:58.112 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...

Apr 16 07:07:58.112 GMT: ISAKMP:(0):peer does not do paranoid keepalives.

 

Apr 16 07:07:58.112 GMT: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 213.39.51.226)

Apr 16 07:07:58.112 GMT: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 213.39.51.226) 

Apr 16 07:07:58.112 GMT: ISAKMP: Unlocking peer struct 0x6661AD08 for isadb_mark_sa_deleted(), count 0

06650r2#

Apr 16 07:07:58.112 GMT: ISAKMP: Deleting peer node by peer_reap for 213.39.51.226: 6661AD08

Apr 16 07:07:58.112 GMT: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

Apr 16 07:07:58.112 GMT: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_DEST_SA 

 

Apr 16 07:07:58.120 GMT: ISAKMP (0): received packet from 213.39.51.226 dport 500 sport 500 dmvpnvrf (R) MM_SA_SETUP

Apr 16 07:07:58.120 GMT: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.

Apr 16 07:07:58.120 GMT: ISAKMP:(0): retransmitting due to retransmit phase 1

Apr 16 07:07:58.620 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...

06650r2#

Apr 16 07:07:58.620 GMT: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

Apr 16 07:07:58.620 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP

Apr 16 07:07:58.620 GMT: ISAKMP:(0): sending packet to 213.39.51.226 my_port 500 peer_port 500 (R) MM_SA_SETUP

Apr 16 07:07:58.620 GMT: ISAKMP:(0):Sending an IKE IPv4 Packet.

06650r2#

Apr 16 07:08:00.736 GMT: ISAKMP (0): received packet from 213.39.109.98 dport 500 sport 500 dmvpnvrf (R) MM_SA_SETUP

Apr 16 07:08:00.736 GMT: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.

Apr 16 07:08:00.740 GMT: ISAKMP:(0): retransmitting due to retransmit phase 1

Apr 16 07:08:01.240 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...

Apr 16 07:08:01.240 GMT: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1

Apr 16 07:08:01.240 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP

Apr 16 07:08:01.240 GMT: ISAKMP:(0): sending packet to 213.39.109.98 my_port 500 peer_port 500 (R) MM_SA_SETUP

06650r2#

Apr 16 07:08:01.240 GMT: ISAKMP:(0):Sending an IKE IPv4 Packet.

06650r2#

Apr 16 07:08:04.939 GMT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

Apr 16 07:08:04.939 GMT: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

Apr 16 07:08:04.939 GMT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

Apr 16 07:08:04.939 GMT: ISAKMP:(0): sending packet to 204.75.81.65 my_port 500 peer_port 500 (I) MM_NO_STATE

Apr 16 07:08:04.939 GMT: ISAKMP:(0):Sending an IKE IPv4 Packet.

06650r2#

Apr 16 07:08:08.075 GMT: ISAKMP (0): received packet from 195.81.160.82 dport 500 sport 500 dmvpnvrf (N) NEW SA

Apr 16 07:08:08.075 GMT: ISAKMP: Created a peer struct for 195.81.160.82, peer port 500

Apr 16 07:08:08.075 GMT: ISAKMP: New peer created peer = 0x661043E0 peer_handle = 0x80000013

Apr 16 07:08:08.075 GMT: ISAKMP: Locking peer struct 0x661043E0, refcount 1 for crypto_isakmp_process_block

Apr 16 07:08:08.075 GMT: ISAKMP: local port 500, remote port 500

Apr 16 07:08:08.075 GMT: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 6501348C

Apr 16 07:08:08.075 GMT: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

Apr 16 07:08:08.075 GMT: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1 

 

Apr 16 07:08:08.079 GMT: ISAKMP:(0): processing SA payload. message ID = 0

Apr 16 07:08:08.079 GMT: ISAKMP:(0): processing vendor id payload

Apr 16 07:08:08.079 GMT: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

Apr 16 07:08:08.079 GMT: ISAKMP (0): vendor ID is NAT-T RFC 3947

Apr 16 07:08:08.079 GMT: ISAKMP:(0): processing vendor id payload

Apr 16 07:08:08.079 GMT: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch

Apr 16 07:08:08.079 GMT: ISAKMP (0): vendor ID is NAT-T v7

Apr 16 07:08:08.079 GMT: ISAKMP:(0): processing vendor id payload

Apr 16 07:08:08.079 GMT: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch

Apr 16 07:08:08.079 GMT: ISAKMP:(0): vendor ID is NAT-T v3

Apr 16 07:08:08.079 GMT: ISAKMP:(0): processing vendor id payload

Apr 16 07:08:08.079 GMT: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch

Apr 16 07:08:08.079 GMT: ISAKMP:(0): vendor ID is NAT-T v2

Apr 16 07:08:08.079 GMT: ISAKMP:(0):found peer pre-shared key matching 195.81.160.82

Apr 16 07:08:08.079 GMT: ISAKMP:(0): local preshared key found

Apr 16 07:08:08.079 GMT: ISAKMP : Scanning profiles for xauth ...

Apr 16 07:08:08.079 GMT: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy

Apr 16 07:08:08.079 GMT: ISAKMP:      encryption AES-CBC

Apr 16 07:08:08.079 GMT: ISAKMP:      keylength of 256

Apr 16 07:08:08.079 GMT: ISAKMP:      hash SHA

Apr 16 07:08:08.079 GMT: ISAKMP:      default group 2

Apr 16 07:08:08.079 GMT: ISAKMP:      auth pre-share

Apr 16 07:08:08.079 GMT: ISAKMP:      life type in seconds

Apr 16 07:08:08.079 GMT: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 

Apr 16 07:08:08.079 GMT: ISAKMP:(0):atts are acceptable. Next payload is 0

Apr 16 07:08:08.079 GMT: ISAKMP:(0):Acceptable atts:actual life: 0

Apr 16 07:08:08.079 GMT: ISAKMP:(0):Acceptable atts:life: 0

Apr 16 07:08:08.079 GMT: ISAKMP:(0):Fill atts in sa vpi_length:4

Apr 16 07:08:08.079 GMT: ISAKMP:(0):Fill atts in sa life_in_seconds:86400

Apr 16 07:08:08.079 GMT: ISAKMP:(0):Returning Actual li

06650r2#fetime: 86400

Apr 16 07:08:08.083 GMT: ISAKMP:(0)::Started lifetime timer: 86400.

 

Apr 16 07:08:08.083 GMT: ISAKMP:(0): processing vendor id payload

Apr 16 07:08:08.083 GMT: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

Apr 16 07:08:08.083 GMT: ISAKMP (0): vendor ID is NAT-T RFC 3947

Apr 16 07:08:08.083 GMT: ISAKMP:(0): processing vendor id payload

Apr 16 07:08:08.083 GMT: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch

Apr 16 07:08:08.083 GMT: ISAKMP (0): vendor ID is NAT-T v7

Apr 16 07:08:08.083 GMT: ISAKMP:(0): processing vendor id payload

Apr 16 07:08:08.083 GMT: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch

Apr 16 07:08:08.083 GMT: ISAKMP:(0): vendor ID is NAT-T v3

Apr 16 07:08:08.083 GMT: ISAKMP:(0): processing vendor id payload

Apr 16 07:08:08.083 GMT: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch

Apr 16 07:08:08.083 GMT: ISAKMP:(0): vendor ID is NAT-T v2

Apr 16 07:08:08.083 GMT: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

Apr 16 07:08:08.083 GMT: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1 

 

Apr 16 07:08:08.083 GMT: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID

Apr 16 07:08:08.083 GMT: ISAKMP:(0): sending packet to 195.81.160.82 my_port 500 peer_port 500 (R) MM_SA_SETUP

Apr 16 07:08:08.083 GMT: ISAKMP:(0):Sending an IKE IPv4 Packet.

Apr 16 07:08:08.087 GMT: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

Apr 16 07:08:08.087 GMT: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2 

 

Apr 16 07:08:08.123 GMT: ISAKMP (0): received packet from 213.39.51.226 dport 500 sport 500 dmvpnvrf (R) MM_SA_SETUP

Apr 16 07:08:08.123 GMT: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.

Apr 16 07:08:08.123 GMT: ISAKMP:(0): retransmitting due to retransmit phase 1

06650r2#

Apr 16 07:08:08.623 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...

Apr 16 07:08:08.623 GMT: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1

Apr 16 07:08:08.623 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP

Apr 16 07:08:08.623 GMT: ISAKMP:(0): sending packet to 213.39.51.226 my_port 500 peer_port 500 (R) MM_SA_SETUP

Apr 16 07:08:08.623 GMT: ISAKMP:(0):Sending an IKE IPv4 Packet.

06650r2#

Apr 16 07:08:10.739 GMT: ISAKMP (0): received packet from 213.39.109.98 dport 500 sport 500 dmvpnvrf (R) MM_SA_SETUP

Apr 16 07:08:10.739 GMT: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.

Apr 16 07:08:10.739 GMT: ISAKMP:(0): retransmitting due to retransmit phase 1

Apr 16 07:08:11.239 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...

Apr 16 07:08:11.239 GMT: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1

Apr 16 07:08:11.239 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP

Apr 16 07:08:11.239 GMT: ISAKMP:(0): sending packet to 213.39.109.98 my_port 500 peer_port 500 (R) MM_SA_SETUP

06650r2#

Apr 16 07:08:11.239 GMT: ISAKMP:(0):Sending an IKE IPv4 Packet.

 

No IP MTU Command Needed With VTI?


Can someone explain why the IP MTU command is not needed with IPSec VTI but is with GRE?
In the INE ATC Brian references two reasons:
1. With VTI, the DF bit can be copied to the ESP header.
2. With VTI, the router can see the transform sets and calculate the available MTU for data since it knows what encryption algorithms are used.

Number 2 does not make sense to me. Why would the router not see the encryption algorithms used in the transform set with GRE?

Thanks
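The arithmetic behind reason 2, as an added example that is not part of the original post or of the INE material: once the transform is known, the ESP tunnel-mode overhead is fixed, so the largest inner packet that fits a given path MTU can be computed. Assumptions: IPv4, no NAT-T, a 1500-byte path, IV/ICV/alignment sizes taken from the ESP RFCs, and a GRE tunnel left at the 1476-byte default IP MTU; all function and table names are hypothetical.

```python
# Added example: ESP tunnel-mode overhead arithmetic (IPv4, no NAT-T).
OUTER_IPV4 = 20    # new IP header added by ESP tunnel mode
ESP_HEADER = 8     # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)
GRE_OVERHEAD = 24  # GRE delivery IPv4 header (20) + basic GRE header (4)

# cipher -> (IV bytes, alignment of the encrypted part in bytes)
CIPHERS = {"3des-cbc": (8, 8), "aes-cbc": (16, 16), "aes-gcm": (8, 4)}
# integrity -> ICV bytes (AES-GCM carries its own 16-byte ICV)
ICVS = {"hmac-sha1-96": 12, "hmac-sha256-128": 16, "gcm-16": 16}


def max_inner_packet(link_mtu, cipher, icv):
    """Largest inner IP packet whose ESP form still fits in link_mtu."""
    iv, align = CIPHERS[cipher]
    room = link_mtu - OUTER_IPV4 - ESP_HEADER - iv - ICVS[icv]
    room -= room % align           # encrypted part must be block-aligned
    return room - ESP_TRAILER      # trailer bytes are inside the encrypted part


def esp_packet_size(inner_len, cipher, icv):
    """On-the-wire size of an inner packet after ESP tunnel-mode encapsulation."""
    iv, align = CIPHERS[cipher]
    encrypted = inner_len + ESP_TRAILER
    encrypted += -encrypted % align  # padding up to the next block boundary
    return OUTER_IPV4 + ESP_HEADER + iv + encrypted + ICVS[icv]


def gre_over_ipsec_ip_mtu(link_mtu, cipher, icv):
    """Payload size that avoids post-encryption fragmentation with GRE inside ESP."""
    return max_inner_packet(link_mtu, cipher, icv) - GRE_OVERHEAD


if __name__ == "__main__":
    for cipher, icv in [("aes-cbc", "hmac-sha1-96"),
                        ("aes-cbc", "hmac-sha256-128"),
                        ("3des-cbc", "hmac-sha1-96"),
                        ("aes-gcm", "gcm-16")]:
        print(f"{cipher:9} {icv:16} "
              f"VTI payload <= {max_inner_packet(1500, cipher, icv)}  "
              f"GRE payload <= {gre_over_ipsec_ip_mtu(1500, cipher, icv)}")
    # A full-size packet on a GRE tunnel left at IP MTU 1476 becomes 1500 bytes
    # after GRE and exceeds the path MTU once ESP is added.
    print(esp_packet_size(1476 + GRE_OVERHEAD, "aes-cbc", "hmac-sha1-96"))
```
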

WLC Local Web Authentication


Hello,

I was doing the WLC Local Web Authentication lab this morning. After entering the commands exactly, in order to get familiar with the environment, I was faced with the fact that the redirect for logon did not occur. The policy manager state for the connected client showed WEBAUTH_REQD, but I was only getting "page could not be displayed" errors. Is DNS supposed to be working before the authentication? Because it did not for me on the wifi client PC. But even then, I expected to be redirected, but it did not occur. I followed and checked the steps as described in the lab task twice, but I could not find something I might have forgotten.

Any suggestions?

I had a similar experience with the PEAP (EAP-MSCHAPv2) FlexConnect Mode lab. All the steps had been done and the wifi client was authenticated, but it did not receive an IP address from DHCP. It looked like I missed some configuration step for DHCP, but I could not figure that out either.

Jacko

DC Lab Scheduled Brussels

Hi, 

 

I have my DC lab scheduled in Brussels on the 25th of September 2015. I just found out that INE have a boot camp in London 9th - 20th of November.

What I would really like to do is the DC bootcamp with INE and schedule the exam for the beginning of December. For this I have a couple of problems:

I can't see any dates available in December. Is this because it's fully booked, or can the exam not be scheduled that far in advance?

Thanks in advance.  


IP VRF Forwarding vs tunnel vrf


Hello Everyone

Not sure if this question was asked already but do you know the main difference between IP VRF Forwarding and tunnel vrf and when to use the options?

Also, do you know if these topics are covered in the training video?

 

ipsec s2s vpn question


Hello there.

Actually, I asked this question on another forum, but haven't yet received an answer, so I'm asking it here, even though it's really not a CCIE-level question.

I've got a couple of questions concerning ipsec s2s vpn. Hope someone will help me, because I can't get answers to my dumb questions.

Q1:
I'm just labbing a simple topology in gns3 and playing around trying to understand ipsec s2s vpn.
And I got confused with this:

when defining ISAKMP policy you can specify a lifetime

crypto isakmp policy 10
 lifetime ?
  <60-86400>  lifetime in seconds


Even if you define this only on one side, the lowest value will be taken, and IKE phase 1 will last only 60 seconds, for example.
The main question is: when the 60 seconds are gone, the IKE phase 2 tunnel (ipsec) feels ok, it doesn't get purged, it passes traffic through, everything is ok.

So... my confusion is: I thought that phase 2 cannot exist without an underlying alive and up phase 1. Am I wrong?



Q2:
The default ipsec SA lifetime is 1 hour.
After 1 hour both sides will purge the ipsec SA and try to establish a new one with a brand new key for the symmetric-key enc algorithm.
Am I right?


I've got Q3, but I should get an answer to one of these to correctly state my Q3.

Thanks a lot, sorry for my English.

How Long Should the Foundation labs take you


Hi Guys

 

What kind of time frame are we expected to do the labs in?

Should we be doing them in 4hrs or so?

 

My LAB CRASHED DURING MY CCIE EXAM


Hi guys, I took my exam on 24th Oct 2014, and during my exam there was a power outage and all the PCs got rebooted, along with those of all the other candidates. The proctor struggled for 2 hours to bring the lab back online, but my lab portal was not opening, and again he struggled to get my lab portal to open. He succeeded in bringing my lab portal back, but all my results were messed up and the router sessions were also messed up: opening R7 made R8 open. I called the proctor to check, and after spending 10 more minutes he told me sorry, he can't do anything, this is a hardware failure, and I could no longer sit in the lab and could leave the exam room, and if I didn't get a satisfactory result I could open a case with Cisco. Although I had completed my whole lab and had saved each of my topics, they sent me a failed result. Now I have opened my case with Cisco, and let's see what they will do with me. Can anyone give me suggestions?

Quick MPLS TE "show mpls forwarding" question


Ok, so here's a silly question, but one I'm going to ask anyhow.  When setting up a TE tunnel, my understanding is that the LDP based LSP is replaced by the TE LSP as a normal part of the operations.  On the head end, however, once the tunnel is up and in use (using autoroute announce), the MPLS forwarding table looks like this:

 

2008  [T]  No Label   66.66.66.66/32   0             Tu1        point2point
2009  [T]  Pop Label  6.6.6.6/32       0             Tu1        point2point

 

6.6.6.6 is the dest loopback, while 66.66.66.66 is a loopback used just to inject a route into the topology.  My question is why is 6.6.6.6 "pop label" while 66.66.66.66 is "no label"?  It seems like the label is probably being popped so that the TE labels can be used, so that's not all that surprising, but IIRC "no label" basically means that it's going out a non-mpls interface.  Show mpls int includes tunnel 1.  So, while I'm sure it's total minutia, this has been gnawing at me for a week or two now.
