Channel: IEOC - INE's Online Community

IGMP Snooping Question


While doing the catalyst snooping labs I noticed that if you do not enable PIM on the port of the switch that is simulating a multicast device, the other switches that are functioning as L2 switches will not list any of the IGMP groups joined by the multicast switch in the show ip igmp snooping group command output.

 

If you enable PIM on the multicast switch, the L2 switch sees the PIM message, marks the port as a mrouter port, and then shows the IGMP groups joined by the multicast switch in the show ip igmp snooping output.

 

If IGMP snooping listens to IGMP reports then how come it must also hear a PIM message to mark the port as a mrouter port which will then allow it to snoop the multicast group?

 

Normal multicast clients will not be running PIM, thus their ports will not be marked as mrouter ports, so it does not make sense that a port has to be an mrouter port for IGMP snooping to work.

Any help would be appreciated, thank you.

How Long Should the Foundation labs take you


Hi Guys

 

What kind of time frame are we expected to do the labs in?

Should we be doing them in 4hrs or so?

 

VTP section


Hello all,

I don't understand why it doesn't work! It's an easy part... However, when I apply:

SW1:
vtp domain CCIE                       
vtp mode server                       
!
vlan 21,22,121,122,124,221,222,239

SW2:
vtp mode client

SW3:
vtp mode client

SW4:
vtp mode client

SW2, SW3 and SW4 don't synchronize with SW1. Domain name is CCIE_VTP instead of CCIE and vlans are not created for the clients.

Do you have any idea, please? Thank you :)

L2VPN / VPLS Troubleshooting


Hi Gents,

 

Any way we can more efficiently troubleshoot L2 VPN / VPLS services for service instability / packet loss?

 

Regards,

CYS.

RIPv2 Conditional Default Routing


Hello There!

The task is solved with access lists as well as with prefix lists.

Can anyone explain to me why a Track object as the basis for a route-map is not also sufficient?

Thanks and regards!

 

Oli

 

Track Object:

---

R4#sh track 1
Track 1
  IP route 150.1.9.9 255.255.255.255 reachability
  Reachability is Up (RIP)
    1 change, last change 00:02:06
  First-hop interface is Tunnel0
  Tracked by:
    Route Map 0
R4#

---

Route-map

---

R4#sh route-map test
route-map test, permit, sequence 10
  Match clauses:
    track-object 1
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
R4

---

Full Scale Troubleshooting Lab 1


Hello,

I just started with Full Scale Troubleshooting Lab 1 and just found out how difficult it can be, especially finishing it in under two hours.

I just wanted to ask anyone for tips: are there ways to identify the issue if it is related to control-plane policing and EEM? The Troubleshooting Lab 1 used a lot of this and it took me a while to identify it; actually I found it by reading the full config, which is very time consuming.

So I was wondering if there are debug commands for this? Or do you just make it part of the routine in your troubleshooting?

 

 

Thanks,

Jason

DMVPN issue


I'm having an issue with a couple of branch routers not playing ball with dmvpn. My hubs are Cisco 4k series routers and working for 90% of the other sites. With other 4k series routers as spokes the config works fine. But trying to get a 1900 or 1800 series spoke router working is a nightmare, the crypto and dmvpn config won't come up properly. Below is an example of the branch config WHEN THE TUNNEL WORKS (firstly I will show you the config that actually works on either the 1800 or 1900 series spoke router).

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key xxxxxxx address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
crypto ipsec transform-set DMVPN_TSet esp-aes esp-sha-hmac
crypto ipsec profile DMVPN
 set security-association lifetime seconds 120
 set transform-set DMVPN_TSet
interface Tunnel0
 description Tunnel to dmvpnhub1
 bandwidth 8192
 ip address 172.31.220.5 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication xxxxxxx
 ip nhrp map multicast 204.75.81.65
 ip nhrp map 172.31.220.1 204.75.81.65
 ip nhrp network-id 1
 ip nhrp holdtime 600
 ip nhrp nhs 172.31.220.1
 ip tcp adjust-mss 1360
 qos pre-classify
 keepalive 10 3
 tunnel source Dialer1
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile DMVPN shared

ip route 204.75.81.65 255.255.255.255 Dialer1

 

Now, when I apply the following config to make the dmvpn use a front door vrf, the tunnel breaks and won't come up.

 

ip vrf dmvpnvrf
 rd 1:1

crypto keyring dmvpnkeyring vrf dmvpnvrf
  pre-shared-key address 0.0.0.0 0.0.0.0 key xxxxxx

ip route vrf dmvpnvrf 0.0.0.0 0.0.0.0 di1

int di1
ip vrf forwarding dmvpnvrf
ip address negotiated
int tun0
tunnel vrf dmvpnvrf
int tun1
tunnel vrf dmvpnvrf

 

If I shut all interfaces down, clear the crypto and dmvpn sessions, then bring it all up, I get some debugs showing the crypto goes to QM_IDLE (indicating it works), and then goes down again. I will provide these debugs below. Please note that there are some NAT-T messages in the debug, but my router ain't using NAT so I don't know why I'm getting NAT-T in the debugs.

06650r2#

06650r2#

06650r2#

Apr 16 07:07:44.633 GMT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

Apr 16 07:07:44.633 GMT: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1

Apr 16 07:07:44.633 GMT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

Apr 16 07:07:44.633 GMT: ISAKMP:(0): sending packet to 204.75.81.65 my_port 500 peer_port 500 (I) MM_NO_STATE

Apr 16 07:07:44.633 GMT: ISAKMP:(0):Sending an IKE IPv4 Packet.

06650r2#

Apr 16 07:07:46.689 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...

Apr 16 07:07:46.689 GMT: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1

Apr 16 07:07:46.689 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP

Apr 16 07:07:46.689 GMT: ISAKMP:(0): sending packet to 195.143.92.34 my_port 500 peer_port 500 (R) MM_SA_SETUP

Apr 16 07:07:46.689 GMT: ISAKMP:(0):Sending an IKE IPv4 Packet.

Apr 16 07:07:48.076 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...

Apr 16 07:07:48.076 GMT: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1

Apr 16 07:07:48.076 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP

Apr 16 07:07:48.076 GMT: ISAKMP:(0): sending packet to 195.81.160.82 my_port 500 peer_port 500 (R) MM_SA_SETUP

Apr 16 07:07:48.076 GMT: ISAKMP:(0):Sending an IKE IPv4 Packet.

Apr 16 07:07:48.112 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...

Apr 16 07:07:48.112 GMT: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1

Apr 16 07:07:48.112 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP

Apr 16 07:07:48.112 GMT: ISAKMP:(0): sending packet to 213.39.51.226 my_port 500 peer_port 500 (R) MM_SA_SETUP

Apr 16 07:07:48.112 GMT: ISAKMP:(0):Sending an IKE IPv4 Packet.

Apr 16 07:07:48.120 GMT: ISAKMP (0): received packet from 213.39.51.226 dport 500 sport 500 dmvpnvrf (N) NEW SA

Apr 16 07:07:48.120 GMT: ISAKMP: Created a peer struct for 213.39.51.226, peer port 500

Apr 16 07:07:48.120 GMT: ISAKMP: New peer created peer = 0x662FC558 peer_handle = 0x80000019

Apr 16 07:07:48.120 GMT: ISAKMP: Locking peer struct 0x662FC558, refcount 1 for crypto_isakmp_process_block

Apr 16 07:07:48.120 GMT: ISAKMP: local port 500, remote port 500

Apr 16 07:07:48.120 GMT: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 668F896C

Apr 16 07:07:48.120 GMT: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

Apr 16 07:07:48.120 GMT: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1 

 

Apr 16 07:07:48.120 GMT: ISAKMP:(0): processing SA payload. message ID = 0

Apr 16 07:07:48.124 GMT: ISAKMP:(0): processing vendor id payload

Apr 16 07:07:48.124 GMT: ISAKMP:(0): vendor ID seems Unit

06650r2#y/DPD but major 69 mismatch

Apr 16 07:07:48.124 GMT: ISAKMP (0): vendor ID is NAT-T RFC 3947

Apr 16 07:07:48.124 GMT: ISAKMP:(0): processing vendor id payload

Apr 16 07:07:48.124 GMT: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch

Apr 16 07:07:48.124 GMT: ISAKMP (0): vendor ID is NAT-T v7

Apr 16 07:07:48.124 GMT: ISAKMP:(0): processing vendor id payload

Apr 16 07:07:48.124 GMT: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch

Apr 16 07:07:48.124 GMT: ISAKMP:(0): vendor ID is NAT-T v3

Apr 16 07:07:48.124 GMT: ISAKMP:(0): processing vendor id payload

Apr 16 07:07:48.124 GMT: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch

Apr 16 07:07:48.124 GMT: ISAKMP:(0): vendor ID is NAT-T v2

Apr 16 07:07:48.124 GMT: ISAKMP:(0):found peer pre-shared key matching 213.39.51.226

Apr 16 07:07:48.124 GMT: ISAKMP:(0): local preshared key found

Apr 16 07:07:48.124 GMT: ISAKMP : Scanning profiles for xauth ...

Apr 16 07:07:48.124 GMT: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy

Apr 16 07:07:48.124 GMT: ISAKMP:      encryption AES-CBC

Apr 16 07:07:48.124 GMT: ISAKMP:      keylength of 256

Apr 16 07:07:48.124 GMT: ISAKMP:      hash SHA

Apr 16 07:07:48.124 GMT: ISAKMP:      default group 2

Apr 16 07:07:48.124 GMT: ISAKMP:      auth pre-share

Apr 16 07:07:48.124 GMT: ISAKMP:      life type in seconds

Apr 16 07:07:48.124 GMT: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 

Apr 16 07:07:48.124 GMT: ISAKMP:(0):atts are acceptable. Next payload is 0

Apr 16 07:07:48.124 GMT: ISAKMP:(0):Acceptable atts:actual life: 0

Apr 16 07:07:48.124 GMT: ISAKMP:(0):Acceptable atts:life: 0

Apr 16 07:07:48.124 GMT: ISAKMP:(0):Fill atts in sa vpi_length:4

Apr 16 07:07:48.124 GMT: ISAKMP:(0):Fill atts in sa life_in_seconds:86400

Apr 16 07:07:48.124 GMT: ISAKMP:(0):Returning Actual lifetime: 86400

Apr 16 07:07:48.124 GMT: ISAKMP:(0)::Started lifetime timer: 86400.

 

Apr 16 07:07:48.128 GMT: ISAKMP:(0): processing vendor id payload

Apr 16 07:07:48.128 GMT: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

Apr 16 07:07:48.128 GMT: ISAKMP (0): vendor ID is NAT-T RFC 3947

Apr 16 07:07:48.128 GMT: ISAKMP:(0): processing vendor id payload

Apr 16 07:07:48.128 GMT: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch

Apr 16 07:07:48.128 GMT: ISAKMP (0): vendor ID is NAT-T v7

Apr 16 07:07:48.128 GMT: ISAKMP:(0): processing vendor id payload

Apr 16 07:07:48.128 GMT: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch

Apr 16 07:07:48.128 GMT: ISAKMP:(0): vendor ID is NAT-T v3

Apr 16 07:07:48.128 GMT: ISAKMP:(0): processing vendor id payload

Apr 16 07:07:48.128 GMT: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch

Apr 16 07:07:48.128 GMT: ISAKMP:(0): vendor ID is NAT-T v2

Apr 16 07:07:48.128 GMT: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

Apr 16 07:07:48.128 GMT: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1 

 

Apr 16 07:07:48.128 GMT: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID

Apr 16 07:07:48.128 GMT: ISAKMP:(0): sending packet to 213.39.51.226 my_port 500 peer_port 500 (R) MM_SA_SETUP

Apr 16 07:07:48.128 GMT: ISAKMP:(0):Sending an IKE IPv4 Packet.

Apr 16 07:07:48.128 GMT: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

Apr 16 07:07:48.132 GMT: ISAKMP:(0):Old State =

06650r2# IKE_R_MM1  New State = IKE_R_MM2 

 

06650r2#

Apr 16 07:07:50.736 GMT: ISAKMP (0): received packet from 213.39.109.98 dport 500 sport 500 dmvpnvrf (R) MM_SA_SETUP

Apr 16 07:07:50.736 GMT: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.

Apr 16 07:07:50.736 GMT: ISAKMP:(0): retransmitting due to retransmit phase 1

Apr 16 07:07:51.236 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...

Apr 16 07:07:51.236 GMT: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1

Apr 16 07:07:51.236 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP

Apr 16 07:07:51.236 GMT: ISAKMP:(0): sending packet to 213.39.109.98 my_port 500 peer_port 500 (R) MM_SA_SETUP

06650r2#

Apr 16 07:07:51.236 GMT: ISAKMP:(0):Sending an IKE IPv4 Packet.

06650r2#

Apr 16 07:07:54.632 GMT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

Apr 16 07:07:54.632 GMT: ISAKMP:(0):peer does not do paranoid keepalives.

 

Apr 16 07:07:54.632 GMT: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 204.75.81.65)

Apr 16 07:07:54.632 GMT: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 204.75.81.65) 

Apr 16 07:07:54.632 GMT: ISAKMP: Unlocking peer struct 0x668EE114 for isadb_mark_sa_deleted(), count 0

Apr 16 07:07:54.632 GMT: ISAKMP: Deleting peer node by peer_reap for 204.75.81.65: 668EE114

Apr 16 07:07:54.632 GMT: ISAKMP:(0):deleting node 1202920501 error FALSE reason "IKE deleted"

Apr 16 07:07:54.632 GMT: ISAKMP:(0):deleting node -2119501275 error FALSE reason "IKE deleted"

Apr 16 07:07:54.632 GMT: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

Apr 16 07:07:54.632 GMT: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA 

 

Apr 16 07:07:54.936 GMT: ISAKMP:(0): SA request profile is (NULL)

Apr 16 07:07:54.936 GMT: ISAKMP: Created a peer struct for 204.75.81.65, peer port 500

Apr 16 07:07:54.936 GMT: ISAKMP: New peer created peer = 0x668EE114 peer_handle = 0x8000001E

Apr 16 07:07:54.936 GMT: ISAKMP: Locking peer struct 0x668EE114, refcount 1 for isakmp_initiator

Apr 16 07:07:54.936 GMT: ISAKMP: local port 500, remote port 500

Apr 16 07:07:54.936 GMT: ISAKMP: set new node 0 to QM_IDLE      

Apr 16 07:07:54.936 GMT: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 665F5600

Apr 16 07:07:54.936 GMT: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.

Apr 16 07:07:54.936 GMT: ISAKMP:(0):found peer pre-shared key matching 204.75.81.65

Apr 16 07:07:54.936 GMT: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID

Apr 16 07:07:54.940 GMT: ISAKMP:(0): constructed NAT-T vendor-07 ID

06650r2#

Apr 16 07:07:54.940 GMT: ISAKMP:(0): constructed NAT-T vendor-03 ID

Apr 16 07:07:54.940 GMT: ISAKMP:(0): constructed NAT-T vendor-02 ID

Apr 16 07:07:54.940 GMT: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

Apr 16 07:07:54.940 GMT: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1 

 

Apr 16 07:07:54.940 GMT: ISAKMP:(0): beginning Main Mode exchange

Apr 16 07:07:54.940 GMT: ISAKMP:(0): sending packet to 204.75.81.65 my_port 500 peer_port 500 (I) MM_NO_STATE

Apr 16 07:07:54.940 GMT: ISAKMP:(0):Sending an IKE IPv4 Packet.

06650r2#

Apr 16 07:07:56.688 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...

Apr 16 07:07:56.688 GMT: ISAKMP:(0):peer does not do paranoid keepalives.

 

Apr 16 07:07:56.688 GMT: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 195.143.92.34)

Apr 16 07:07:56.688 GMT: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 195.143.92.34) 

Apr 16 07:07:56.688 GMT: ISAKMP: Unlocking peer struct 0x661043E0 for isadb_mark_sa_deleted(), count 0

Apr 16 07:07:56.688 GMT: ISAKMP: Deleting peer node by peer_reap for 195.143.92.34: 661043E0

Apr 16 07:07:56.688 GMT: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

06650r2#

Apr 16 07:07:56.688 GMT: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_DEST_SA 

 

Apr 16 07:07:58.076 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...

Apr 16 07:07:58.076 GMT: ISAKMP:(0):peer does not do paranoid keepalives.

 

Apr 16 07:07:58.076 GMT: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 195.81.160.82)

Apr 16 07:07:58.076 GMT: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 195.81.160.82) 

Apr 16 07:07:58.076 GMT: ISAKMP: Unlocking peer struct 0x66577DF0 for isadb_mark_sa_deleted(), count 0

Apr 16 07:07:58.076 GMT: ISAKMP: Deleting peer node by peer_reap for 195.81.160.82: 66577DF0

Apr 16 07:07:58.076 GMT: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

Apr 16 07:07:58.076 GMT: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_DEST_SA 

 

Apr 16 07:07:58.112 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...

Apr 16 07:07:58.112 GMT: ISAKMP:(0):peer does not do paranoid keepalives.

 

Apr 16 07:07:58.112 GMT: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 213.39.51.226)

Apr 16 07:07:58.112 GMT: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 213.39.51.226) 

Apr 16 07:07:58.112 GMT: ISAKMP: Unlocking peer struct 0x6661AD08 for isadb_mark_sa_deleted(), count 0

06650r2#

Apr 16 07:07:58.112 GMT: ISAKMP: Deleting peer node by peer_reap for 213.39.51.226: 6661AD08

Apr 16 07:07:58.112 GMT: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

Apr 16 07:07:58.112 GMT: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_DEST_SA 

 

Apr 16 07:07:58.120 GMT: ISAKMP (0): received packet from 213.39.51.226 dport 500 sport 500 dmvpnvrf (R) MM_SA_SETUP

Apr 16 07:07:58.120 GMT: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.

Apr 16 07:07:58.120 GMT: ISAKMP:(0): retransmitting due to retransmit phase 1

Apr 16 07:07:58.620 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...

06650r2#

Apr 16 07:07:58.620 GMT: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

Apr 16 07:07:58.620 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP

Apr 16 07:07:58.620 GMT: ISAKMP:(0): sending packet to 213.39.51.226 my_port 500 peer_port 500 (R) MM_SA_SETUP

Apr 16 07:07:58.620 GMT: ISAKMP:(0):Sending an IKE IPv4 Packet.

06650r2#

Apr 16 07:08:00.736 GMT: ISAKMP (0): received packet from 213.39.109.98 dport 500 sport 500 dmvpnvrf (R) MM_SA_SETUP

Apr 16 07:08:00.736 GMT: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.

Apr 16 07:08:00.740 GMT: ISAKMP:(0): retransmitting due to retransmit phase 1

Apr 16 07:08:01.240 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...

Apr 16 07:08:01.240 GMT: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1

Apr 16 07:08:01.240 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP

Apr 16 07:08:01.240 GMT: ISAKMP:(0): sending packet to 213.39.109.98 my_port 500 peer_port 500 (R) MM_SA_SETUP

06650r2#

Apr 16 07:08:01.240 GMT: ISAKMP:(0):Sending an IKE IPv4 Packet.

06650r2#

Apr 16 07:08:04.939 GMT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

Apr 16 07:08:04.939 GMT: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

Apr 16 07:08:04.939 GMT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

Apr 16 07:08:04.939 GMT: ISAKMP:(0): sending packet to 204.75.81.65 my_port 500 peer_port 500 (I) MM_NO_STATE

Apr 16 07:08:04.939 GMT: ISAKMP:(0):Sending an IKE IPv4 Packet.

06650r2#

Apr 16 07:08:08.075 GMT: ISAKMP (0): received packet from 195.81.160.82 dport 500 sport 500 dmvpnvrf (N) NEW SA

Apr 16 07:08:08.075 GMT: ISAKMP: Created a peer struct for 195.81.160.82, peer port 500

Apr 16 07:08:08.075 GMT: ISAKMP: New peer created peer = 0x661043E0 peer_handle = 0x80000013

Apr 16 07:08:08.075 GMT: ISAKMP: Locking peer struct 0x661043E0, refcount 1 for crypto_isakmp_process_block

Apr 16 07:08:08.075 GMT: ISAKMP: local port 500, remote port 500

Apr 16 07:08:08.075 GMT: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 6501348C

Apr 16 07:08:08.075 GMT: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

Apr 16 07:08:08.075 GMT: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1 

 

Apr 16 07:08:08.079 GMT: ISAKMP:(0): processing SA payload. message ID = 0

Apr 16 07:08:08.079 GMT: ISAKMP:(0): processing vendor id payload

Apr 16 07:08:08.079 GMT: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

Apr 16 07:08:08.079 GMT: ISAKMP (0): vendor ID is NAT-T RFC 3947

Apr 16 07:08:08.079 GMT: ISAKMP:(0): processing vendor id payload

Apr 16 07:08:08.079 GMT: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch

Apr 16 07:08:08.079 GMT: ISAKMP (0): vendor ID is NAT-T v7

Apr 16 07:08:08.079 GMT: ISAKMP:(0): processing vendor id payload

Apr 16 07:08:08.079 GMT: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch

Apr 16 07:08:08.079 GMT: ISAKMP:(0): vendor ID is NAT-T v3

Apr 16 07:08:08.079 GMT: ISAKMP:(0): processing vendor id payload

Apr 16 07:08:08.079 GMT: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch

Apr 16 07:08:08.079 GMT: ISAKMP:(0): vendor ID is NAT-T v2

Apr 16 07:08:08.079 GMT: ISAKMP:(0):found peer pre-shared key matching 195.81.160.82

Apr 16 07:08:08.079 GMT: ISAKMP:(0): local preshared key found

Apr 16 07:08:08.079 GMT: ISAKMP : Scanning profiles for xauth ...

Apr 16 07:08:08.079 GMT: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy

Apr 16 07:08:08.079 GMT: ISAKMP:      encryption AES-CBC

Apr 16 07:08:08.079 GMT: ISAKMP:      keylength of 256

Apr 16 07:08:08.079 GMT: ISAKMP:      hash SHA

Apr 16 07:08:08.079 GMT: ISAKMP:      default group 2

Apr 16 07:08:08.079 GMT: ISAKMP:      auth pre-share

Apr 16 07:08:08.079 GMT: ISAKMP:      life type in seconds

Apr 16 07:08:08.079 GMT: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 

Apr 16 07:08:08.079 GMT: ISAKMP:(0):atts are acceptable. Next payload is 0

Apr 16 07:08:08.079 GMT: ISAKMP:(0):Acceptable atts:actual life: 0

Apr 16 07:08:08.079 GMT: ISAKMP:(0):Acceptable atts:life: 0

Apr 16 07:08:08.079 GMT: ISAKMP:(0):Fill atts in sa vpi_length:4

Apr 16 07:08:08.079 GMT: ISAKMP:(0):Fill atts in sa life_in_seconds:86400

Apr 16 07:08:08.079 GMT: ISAKMP:(0):Returning Actual li

06650r2#fetime: 86400

Apr 16 07:08:08.083 GMT: ISAKMP:(0)::Started lifetime timer: 86400.

 

Apr 16 07:08:08.083 GMT: ISAKMP:(0): processing vendor id payload

Apr 16 07:08:08.083 GMT: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

Apr 16 07:08:08.083 GMT: ISAKMP (0): vendor ID is NAT-T RFC 3947

Apr 16 07:08:08.083 GMT: ISAKMP:(0): processing vendor id payload

Apr 16 07:08:08.083 GMT: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch

Apr 16 07:08:08.083 GMT: ISAKMP (0): vendor ID is NAT-T v7

Apr 16 07:08:08.083 GMT: ISAKMP:(0): processing vendor id payload

Apr 16 07:08:08.083 GMT: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch

Apr 16 07:08:08.083 GMT: ISAKMP:(0): vendor ID is NAT-T v3

Apr 16 07:08:08.083 GMT: ISAKMP:(0): processing vendor id payload

Apr 16 07:08:08.083 GMT: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch

Apr 16 07:08:08.083 GMT: ISAKMP:(0): vendor ID is NAT-T v2

Apr 16 07:08:08.083 GMT: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

Apr 16 07:08:08.083 GMT: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1 

 

Apr 16 07:08:08.083 GMT: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID

Apr 16 07:08:08.083 GMT: ISAKMP:(0): sending packet to 195.81.160.82 my_port 500 peer_port 500 (R) MM_SA_SETUP

Apr 16 07:08:08.083 GMT: ISAKMP:(0):Sending an IKE IPv4 Packet.

Apr 16 07:08:08.087 GMT: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

Apr 16 07:08:08.087 GMT: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2 

 

Apr 16 07:08:08.123 GMT: ISAKMP (0): received packet from 213.39.51.226 dport 500 sport 500 dmvpnvrf (R) MM_SA_SETUP

Apr 16 07:08:08.123 GMT: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.

Apr 16 07:08:08.123 GMT: ISAKMP:(0): retransmitting due to retransmit phase 1

06650r2#

Apr 16 07:08:08.623 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...

Apr 16 07:08:08.623 GMT: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1

Apr 16 07:08:08.623 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP

Apr 16 07:08:08.623 GMT: ISAKMP:(0): sending packet to 213.39.51.226 my_port 500 peer_port 500 (R) MM_SA_SETUP

Apr 16 07:08:08.623 GMT: ISAKMP:(0):Sending an IKE IPv4 Packet.

06650r2#

Apr 16 07:08:10.739 GMT: ISAKMP (0): received packet from 213.39.109.98 dport 500 sport 500 dmvpnvrf (R) MM_SA_SETUP

Apr 16 07:08:10.739 GMT: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.

Apr 16 07:08:10.739 GMT: ISAKMP:(0): retransmitting due to retransmit phase 1

Apr 16 07:08:11.239 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...

Apr 16 07:08:11.239 GMT: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1

Apr 16 07:08:11.239 GMT: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP

Apr 16 07:08:11.239 GMT: ISAKMP:(0): sending packet to 213.39.109.98 my_port 500 peer_port 500 (R) MM_SA_SETUP

06650r2#

Apr 16 07:08:11.239 GMT: ISAKMP:(0):Sending an IKE IPv4 Packet.
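
Added example, not part of the original post: the debug above interleaves several peers, so this Python parser groups ISAKMP debug lines by peer and reports packets sent and received, the VRF the packet arrived in, the last phase 1 state and any SA deletion reason. The function names are this example's own, the embedded sample is a few lines copied from the debug above, and attributing each "duplicate" line to the peer of the preceding "received packet" line is an assumption.

```python
import re

# A few lines copied from the debug output in the post above.
SAMPLE_DEBUG = """\
Apr 16 07:07:44.633 GMT: ISAKMP:(0): sending packet to 204.75.81.65 my_port 500 peer_port 500 (I) MM_NO_STATE
Apr 16 07:07:48.120 GMT: ISAKMP (0): received packet from 213.39.51.226 dport 500 sport 500 dmvpnvrf (N) NEW SA
Apr 16 07:07:48.128 GMT: ISAKMP:(0): sending packet to 213.39.51.226 my_port 500 peer_port 500 (R) MM_SA_SETUP
Apr 16 07:07:54.632 GMT: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 204.75.81.65)
Apr 16 07:07:54.632 GMT: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 204.75.81.65)
Apr 16 07:07:54.940 GMT: ISAKMP:(0): sending packet to 204.75.81.65 my_port 500 peer_port 500 (I) MM_NO_STATE
Apr 16 07:07:58.120 GMT: ISAKMP (0): received packet from 213.39.51.226 dport 500 sport 500 dmvpnvrf (R) MM_SA_SETUP
Apr 16 07:07:58.120 GMT: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
Apr 16 07:07:58.620 GMT: ISAKMP:(0): sending packet to 213.39.51.226 my_port 500 peer_port 500 (R) MM_SA_SETUP
"""

# Timestamp prefix shared by every ISAKMP debug line.
TS = r'^(?P<ts>\w{3} +\d+ [\d:.]+) \w+: ISAKMP'
SENT = re.compile(TS + r'.*sending packet to (?P<peer>[\d.]+) my_port \d+ '
                  r'peer_port \d+ \((?P<role>[IRN])\) (?P<state>\S+)')
# The VRF name (e.g. dmvpnvrf) sits between the ports and the role marker.
RECV = re.compile(TS + r'.*received packet from (?P<peer>[\d.]+) dport \d+ '
                  r'sport \d+ (?:(?P<vrf>\S+) )?\((?P<role>[IRN])\) (?P<state>.+)$')
DEAD = re.compile(TS + r'.*deleting SA reason "(?P<reason>[^"]+)" state '
                  r'\((?P<role>[IRN])\) (?P<state>\S+) \(peer (?P<peer>[\d.]+)\)')
DUP = re.compile(TS + r'.*phase 1 packet is a duplicate of a previous packet')


def summarize(debug_text):
    """Return {peer_ip: counters} in order of first appearance."""
    peers = {}
    seen_deletes = set()   # the router logs each deletion twice
    last_rx_peer = None    # assumption: a "duplicate" line refers to this peer

    def entry(ip):
        return peers.setdefault(ip, {"sent": 0, "received": 0, "duplicates": 0,
                                     "vrf": None, "last_state": None,
                                     "deleted": []})

    for raw in debug_text.splitlines():
        line = raw.strip()  # lines broken up by the CLI prompt simply do not match
        m = SENT.match(line)
        if m:
            e = entry(m["peer"])
            e["sent"] += 1
            e["last_state"] = "(%s) %s" % (m["role"], m["state"])
            continue
        m = RECV.match(line)
        if m:
            e = entry(m["peer"])
            e["received"] += 1
            e["vrf"] = m["vrf"] or e["vrf"]
            e["last_state"] = "(%s) %s" % (m["role"], m["state"])
            last_rx_peer = m["peer"]
            continue
        m = DEAD.match(line)
        if m:
            key = (m["ts"], m["peer"], m["reason"])
            if key not in seen_deletes:
                seen_deletes.add(key)
                entry(m["peer"])["deleted"].append(m["reason"])
            continue
        if DUP.match(line) and last_rx_peer:
            entry(last_rx_peer)["duplicates"] += 1
    return peers


def triage(peers):
    """One observation per peer, stating only what the log lines show."""
    findings = {}
    for ip, e in peers.items():
        if e["sent"] and not e["received"]:
            findings[ip] = "no reply received to our packets"
        elif e["duplicates"]:
            findings[ip] = "peer retransmits the same phase 1 packet"
        else:
            findings[ip] = "two-way exchange seen"
    return findings


if __name__ == "__main__":
    summary = summarize(SAMPLE_DEBUG)
    for ip, note in triage(summary).items():
        print(ip, summary[ip], note)
```
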

 

VLAN multicast traffic over Unicast OTV tunnel.


 

Can we allow vlan multicast traffic over Unicast OTV tunnel?

if yes, kindly suggest the way/commands.


INE Workbook Provided Initial Configurations Not Working


Good evening,

 

   I am using the INE provided initial router configurations from the workbook and I am having problems using configure replace with the IPv6 files.

 

When I use the configure replace command with the IPv6 files I receive an error stating that the file specified is not a valid configuration file. If I use another file, say basic.bgp.routing/R1.txt, the router executes the configuration replace command without issue.

 

I have seen issues in the past where typos would cause the issue and when fixed the error would go away however I have found no typos. When I diff a working config with one of the configurations that is not working, other than the major contents of the configuration, nothing is different.

 

If I copy and paste the files that are not working via configure replace into the terminal window, they enter in without any error.

While this is a work around, it slows my labbing down a lot as I am tftping the files from a tftp server each time I change task. However I cannot do this with the IPv6 files due to the invalid file error.

 

Anyone have any ideas  of what else I can look at to see if there is a problem?

 

Thank you

RIPv2 Reliable Conditional Default Routing


Greetings,

I'm working on this lab and having trouble wrapping my head around the concept. Why the static route to a bogus network?

 

I must be missing something but can't get it.

 

Any suggestions for study materials on this?

 

Thank you in advance!


Debbie

Study Group - Raleigh/Cary/Apex Area - North Carolina


I'm looking to form a study group in the Raleigh/Cary/Apex area, in NC. I'm looking for people who are about 6 months from taking their lab test. I recently took my test (fail) and will be refocusing my efforts on my lab strategy and troubleshooting practice.

 

 

Feel free to contact me at adriansizemore@hotmail.com

 

 

 

Task 1.5 - 802.1q Native VLAN


Hi Guys,

Little question here this is not technical related but I think this is important from Exam point of view.

In 1.5 they specifically ask to set SW1, we know that changing the native vlan on 1 switch will generate error on other but they never mention to do anything on other switches.

I think I did not get the question right. Because in the solution they changed it on every switch.

So, what I concluded by this is that we have to make sure we also do the configuration related to the task on other devices whether it is mentioned or not.

I will appreciate the feedback.

Regards

Mahir

Full Scale Lab 3 - Is it possible in 5h??

 
Hi,
 
I completed the full scale lab 3 yesterday. But it took me 11 hours to complete. (Failed)
 
I did have one or two problems to find the solution, but almost everything was "smooth". I did not check the solution yet, so I may have had many mistakes.
 
But, my point here is time. Can it be done in only 5 hours? It is too big, with many requests and restrictions. Take the multicast task, for example. Multicast is straightforward to config, right? But the task requests also 2 GRE tunnels with redundancy plus mcast BGP with 4 neighbors plus some traffic engineering. And it didn't stop there. There is also a problem with a redistribution loop introduced (intentionally?) some tasks earlier plus ... the time is gone.
 
Have you done FS Lab 3 in 5 hours or less? Is this lab longer than the real lab?
 
 
Paulo 
 
 

ccie materials


Dear,

I am CCNP rns. I want to get my CCIE, and I would like to ask about the books to begin with to get the written exam first.

I have Routing TCP/IP Volume 1 (2nd edition)

Routing TCP/IP Volume 11.

Is that enough for the written exam?

Thanks

OTV and FHRPs


Hello Team,

 

Usually when we speak about OTV and FHRPs, we think about filtering the messages with VLAN ACLs, ARP Inspection ACLs and OTV ACLs.

 

But the question I have may sound strange: why do we need to do this filtering?

 

The OTV documents say that OTV already does some kind of FHRP localization. For example, this document says:

 

http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Data_Center/DCI/whitepaper/DCI3_OTV_Intro/DCI_1.html#wp1186074

 

"The last capability introduced by OTV is to filter First Hop Redundancy Protocol (FHRP—HSRP, VRRP, and so on) messages across the logical overlay. This is required to allow for the existence of the same default gateway in different locations and optimize the outbound traffic flows (server to client direction)."

 

In fact, when we configure HSRP/VRRP between sites extended by OTV, the FHRP peers never finish the process of seeing each other. Each peer says Active/Master for its site.

 

The only error message that can be seen is this one:

 

ARP-3-DUP_VADDR_SRC_IP

 

This is due to the GARP sent by each peer and tunneled by OTV. This doesn’t seem to affect the FHRP state.

 

So, why do we need to do the filtering? Just to optimize things? Drop the packets before they hit the OTV process? And avoid the ARP error messages?

 

 

Thanks.

 

Regards,

 

Antonio Soares, CCIE #18473 (RS/SP)
amsoares@netcabo.pt

http://www.ccie18473.net

 


CCNP VIRL files?


Hi,

 

has anyone managed to create Cisco VIRL files for the CCNP switch and route labs? I'm having issues with not being able to match the same/correct interfaces.

 

regards,

Frazer

OSPF Transit flag Bug (15.3T)?


 

V5 Lab Topology

 

In order for R3 to get to the 155.1.58.0 network, it has to use R5 as the next hop.

If you install a virtual-link from R3 to R2, and raise the cost from R3 to R5, R3 will use area 5 as transit to get to the 155.1.58.0 network.

Before VL in Area 5:

R3#sh ip route 155.1.58.0
Routing entry for 155.1.58.0/24
  Known via "ospf 1", distance 110, metric 1010, type inter area
  Last update from 155.1.0.5 on Tunnel0, 00:55:17 ago
  Routing Descriptor Blocks:
  * 155.1.0.5, from 150.1.5.5, 00:55:17 ago, via Tunnel0
      Route metric is 1010, traffic share count is 1

After VL in Area 5:

 

R3(config-router)#do sh run | i router ospf|neighbor
router ospf 1
 neighbor 155.1.0.5 cost 65000

Routing entry for 155.1.58.0/24
  Known via "ospf 1", distance 110, metric 1011, type inter area
  Last update from 155.1.23.2 on Ethernet0/1.23, 00:02:10 ago
  Routing Descriptor Blocks:
  * 155.1.23.2, from 150.1.5.5, 00:02:10 ago, via Ethernet0/1.23
      Route metric is 1011, traffic share count is 1

 

The transit rule states that a non-backbone area CAN be used as transit, IF the path through it, to the destination, is lower than the path through Area 0; IF the transit capability flag is set to TRUE. This rule also applies to inter, over intra-area routes.

NOW, if I keep the VL in Area 5, but turn off transit capability (and reload all ospf processes), the expected behavior is that R3 will prefer the backbone since the "transit capability flag" is off; this simply did not happen for IOS code 15.3T.

 

 

 

R2(config-router)#do sh run | i router ospf|virtual|capability
router ospf 1
 no capability transit
 area 5 virtual-link 150.1.3.3

R3(config-router)#do sh run | i router ospf|virtual|capability
router ospf 1
 no capability transit
 area 5 virtual-link 150.1.2.2

R3(config-router)#do sh ip route 155.1.58.0
Routing entry for 155.1.58.0/24
  Known via "ospf 1", distance 110, metric 1011, type inter area
  Last update from 155.1.23.2 on Ethernet0/1.23, 00:19:39 ago
  Routing Descriptor Blocks:
  * 155.1.23.2, from 150.1.5.5, 00:19:39 ago, via Ethernet0/1.23
      Route metric is 1011, traffic share count is 1

 

 

Am I missing something here with this?

Getting the Exam before it Expires


Hi,

 

I am new to INE and it feels good. I am taking the 640-461 exam at the last date possible (the test center in my city has no availability in Aug).

 

I am compiling a list of questions for later to benefit from your experience.

 

Cheers,

Ali

6.2 (VRF Provisioning) and 3560 capabilities


I was trying to use the new format for configuring VRFs and noticed on the 3560 if I try to enable the ipv6 address-family, I get the following error:

SW2(config-vrf)#address-family ipv6
 IPv6 VRF not supported for this platform or this template

I tried adjusting the sdm template from dual-ipv4-and-ipv6 default to dual-ipv4-and-ipv6 routing (it kind of makes sense), but no luck. Feature navigator suggests my current versions might support the feature (although it's hard to know for certain exactly what they call the feature from the list).

Does anyone have this functionality, and if so what version of the IOS do you have?  I'm running ipservices 12.2-58.SE2.

It may not actually matter however; I haven't looked if not having ipv6 running in the vrf will cause any issues later.

 

SSL VPN hostscan


Hi everyone,

Is there a way to have hostscan enabled only for anyconnect client? The endpoint assessment via web browser is annoying. I always have problems with Java.

 

Regards
