HSRP between Cisco 4321 and Cisco 887VA

Hi all

I am looking to install the following and I was wondering if anyone could answer a few questions I have.

Installation program:

  • At a subsidiary, our ISP gives us a 20/100 leased line and an ADSL circuit to use for failover.
  • We plan to connect the leased line to a Cisco 4321 or a Cisco 2921/2951 G2
  • We intend to connect the ADSL circuit to the Cisco 887VA G2
  • We will have an HA pair of ASA 5506-X firewalls connected to the routers (either via a dedicated L2 switch or a VLAN on an L3 switch).
  • The LAN is sitting behind the firewall.

We want to run BGP on both routers (the one that connects to the leased line and the one on the ADSL line) and configure them as an HSRP/VRRP pair, so that if the leased line fails, LAN users can still access the internet and connect to the main office through an S2S VPN which terminates on the firewall. BGP will be used to announce our public subnet to the ISP.

Questions

  1. Can a 4321 and a 887VA form an HSRP/VRRP pair as they are running IOS XE and IOS?
  2. How much RAM and Flash is recommended on each router for BGP?

Thanks in advance for your time.

Ranil

Hello

Can a 4321 and a 887VA form an HSRP/VRRP pair as they are running IOS XE and IOS?

This isn't a problem; it will work between the two routers.

  1. How much RAM and Flash is recommended on each router for BGP?

    Flash is only an issue with regard to the size of the image; both routers should have enough space to support the default image size.

    The 800s cannot support a full BGP table; they cannot handle it in CPU or RAM, and the 4321, even with 8 GB of RAM, can struggle a bit with a full table. Do you plan on reducing what is learned from your ISP in terms of prefixes? Route maps and prefix filtering?

    The leased line is 100 down and 20 up; the 4321 handles an aggregate of 50 - 100 Mbps, so you may need to get the 100 Mbps performance-on-demand option for it.

http://www.Cisco.com/c/dam/en/us/products/collateral/routers/4000-series...
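
The design discussed in this thread, as an added configuration sketch (not configuration from either poster): one HSRP group shared by the IOS XE and IOS routers, inbound BGP filtering so that neither router has to hold a full table, and outbound filtering so that only the site's own prefix is announced. All addresses, AS numbers, interface names and key strings are placeholder assumptions taken from documentation ranges, and the public subnet is assumed to be the segment shared by the routers and the ASA pair.

```cisco
! ===== Router A: Cisco 4321 (IOS XE), leased line, intended HSRP active =====
! Track the leased-line uplink so the HSRP priority drops when it goes down.
track 10 interface GigabitEthernet0/0/0 line-protocol
!
interface GigabitEthernet0/0/1
 description Shared segment towards ASA pair and 887VA (assumed)
 ip address 192.0.2.2 255.255.255.0
 ! HSRP version, group number, virtual IP and key must match on both routers;
 ! HSRPv1 and HSRPv2 do not interoperate, IOS and IOS XE do.
 standby version 2
 standby 1 ip 192.0.2.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 authentication md5 key-string <HSRP-KEY>
 standby 1 track 10 decrement 20
!
! Accept only a default route from the ISP instead of the full table.
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
! Announce only our own public subnet, never learned routes.
ip prefix-list OUR-PUBLIC seq 5 permit 192.0.2.0/24
!
router bgp 64512
 neighbor 198.51.100.1 remote-as 64496
 neighbor 198.51.100.1 password <BGP-KEY>
 neighbor 198.51.100.1 prefix-list DEFAULT-ONLY in
 neighbor 198.51.100.1 prefix-list OUR-PUBLIC out
 ! Safety net: tear the session down if the inbound filter is ever removed.
 neighbor 198.51.100.1 maximum-prefix 10
 network 192.0.2.0 mask 255.255.255.0
!
! ===== Router B: Cisco 887VA (IOS), ADSL, intended HSRP standby =====
interface Vlan10
 description Shared segment towards ASA pair and 4321 (assumed)
 ip address 192.0.2.3 255.255.255.0
 standby version 2
 standby 1 ip 192.0.2.1
 ! Default priority 100: takes over once Router A drops to 90 (110 - 20).
 standby 1 preempt
 standby 1 authentication md5 key-string <HSRP-KEY>
!
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
ip prefix-list OUR-PUBLIC seq 5 permit 192.0.2.0/24
!
! Prepend on the backup path so inbound traffic prefers the leased line.
! The implicit deny at the end of the route-map blocks every other prefix.
route-map BACKUP-OUT permit 10
 match ip address prefix-list OUR-PUBLIC
 set as-path prepend 64512 64512
!
router bgp 64512
 neighbor 203.0.113.1 remote-as 64496
 neighbor 203.0.113.1 password <BGP-KEY>
 neighbor 203.0.113.1 prefix-list DEFAULT-ONLY in
 neighbor 203.0.113.1 route-map BACKUP-OUT out
 neighbor 203.0.113.1 maximum-prefix 10
 network 192.0.2.0 mask 255.255.255.0
```

The ASA pair would use the HSRP virtual address (192.0.2.1 here) as its next hop, so a failover between the routers is invisible to the firewall.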

Tags: Cisco Network

Similar Questions

  • Restricting calls between a subzone and specific extensions on Cisco VCS

    Hello, I use Cisco VCS 8.5.3, and my goal is to restrict calls between a subzone and specific extensions.
    I tried the following solutions:

    1. Uploading an XML policy
    2. Using the call policy web interface in order to limit calls

    XML file:

    But when I apply the XML file, or try using a simple web rule (for example: source 11111, destination 12222, action reject), I'm still able to place a call from 11111 to 12222.

    What can be the cause of the problem and what else can I try to be able to prohibit calls between a particular subzone and extensions?

    Attached is an example of a CPL script that should work.  Using this CPL script, I was able to block calls from a set subzone to a destination alias located in the default subzone and was still able to call any other endpoint in the default subzone without problem.  Note that you must enter the name of the subzone as you have configured it on the VCS, including spaces if they exist.

    The script is based on the CPL example "limiting access to a local gateway" in the X8.5 VCS Administrator's Guide on pg 413; other CPL reference documentation and examples can be seen starting on pg 410.

  • LAN-to-LAN tunnel between VPN 3000 and Cisco 1721

    Hello

    I have a current LAN-to-LAN tunnel configuration between VPN 3000 (3.6) and Cisco 1721 (12.2 (11) T).

    When I use Encryption = DES-56 and Authentication = ESP/MD5/HMAC-128 for the IPSec Security Association, everything works fine.

    However, I would like to turn off encryption for a while to get the speed improvements, so I changed

    Encryption = esp-null (on the 1721) and to "null" on the VPN 3000.

    Now the tunnel is set up but I can pass only ICMP traffic. When I pass UDP/TCP traffic, the message below appears on the Cisco 1721

    % C1700_EM-1-ERROR: error in packet-rx: pad size error, id 75, hen offset 0

    Has anyone seen this behavior?

    Has anyone set up an IPSec tunnel with only ESP authentication and NO encryption between a VPN 3000 and a Cisco 1721?

    Thanx------Naman

    Naman,

    Did you disable the VPN accelerator? "no crypto engine accelerator". Pretty sure that you can't do null with a VPN module.

    Kurtis Durrett

  • difference between cisco NAC agent and cisco Clean Access Agent

    Hi all

    If anyone has an idea of the difference between the Cisco NAC Agent and the Cisco Clean Access Agent, please let us know.

    Thank you

    In 4.6, the agent was revised and is now called the NAC Agent.  Previous versions were called the Clean Access Agent.  So roughly, the 4.5 and 4.1.3.2 agents are Clean Access Agents, and the 4.6.x and 4.7.x agents are called NAC Agents.

    Some of the changes are moving a lot of the agent configuration into an XML file, a redesign of the GUI, adding a service portion (so that the stub agent is no longer necessary) and better agent logging.

  • PPTP VPN between clients Windows and Cisco 2921 router

    Hi all!

    I have a problem with PPTP VPN between Windows clients and a Cisco 2921 router with RADIUS (IAS) authorization. When I try to connect to the Cisco 2921 from Windows 7 using MS-CHAP v2 I get error 778: it was not possible to verify the identity of the server. If I use PAP, authentication is OK. On Windows XP, the same situation.

    Cisco config:

    version 15.0
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname gw.izmv
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 51200 warnings
    !
    aaa new-model
    !
    aaa authentication ppp default local group radius
    !
    aaa session-id common
    !
    clock timezone +002 2
    !
    no ipv6 cef
    ip source-route
    ip cef
    !
    !
    multilink bundle-name authenticated
    !
    async-bootp dns-server 192.168.192.XX
    vpdn enable
    !
    vpdn-group 1
     ! Default PPTP VPDN group
     accept-dialin
      protocol pptp
      virtual-template 1
     pptp tunnel echo 10
     l2tp tunnel timeout no-session 15
     ip pmtu
     ip mtu adjust
    !
    redundancy
    !
    interface Loopback0
     ip address 192.168.207.1 255.255.255.0
    !
    !
    interface GigabitEthernet0/0
     description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
     ip address 192.168.192.XXX 255.255.255.0
     ip address 192.168.192.XX 255.255.255.0 secondary
     ip nat inside
     ip virtual-reassembly
     duplex auto
     speed auto
    !
    !
    interface GigabitEthernet0/1
     no ip address
     shutdown
     duplex auto
     speed auto
    !
    !
    interface GigabitEthernet0/2
     description - Inet-
     no ip address
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
     pppoe enable group global
     pppoe-client dial-pool-number 1
     no cdp enable
    !
    !
    interface Virtual-Template1
     ip unnumbered Loopback0
     ip mtu 1492
     ip virtual-reassembly
     autodetect encapsulation ppp
     peer default ip address pool PPP
     ppp encrypt mppe auto required
     ppp authentication ms-chap-v2
    !
    !
    interface Dialer1
     ip address negotiated
     ip nat outside
     ip virtual-reassembly
     encapsulation ppp
     dialer pool 1
     dialer-group 1
     ppp authentication pap callin
     ppp pap sent-username DSLUSERNAME password DSLPASSWORD
     no cdp enable
    !
    !
    ip local pool PPP 192.168.207.200 192.168.207.250
    ip forward-protocol nd
    !
    !
    ip nat inside source list NAT_ACL interface Dialer1 overload
    ip nat inside source static tcp 192.168.192.XX 25 82.XXX.XXX.XXX 25 extendable
    ip nat inside source static tcp 192.168.192.XX 1352 82.XXX.XXX.XXX 1352 extendable
    ip route 0.0.0.0 0.0.0.0 Dialer1
    !
    ip access-list extended NAT_ACL
     deny ip 192.168.192.0 0.0.0.255 192.168.YYY.0 0.0.0.255
     deny ip 192.168.192.0 0.0.0.255 192.168.YYY.0 0.0.0.255
     deny ip 192.168.192.0 0.0.0.255 192.168.YYY.0 0.0.0.255
     deny ip 192.168.192.0 0.0.0.255 192.168.YYY.0 0.0.0.255
     permit tcp 192.168.192.0 0.0.0.255 any eq www
     permit tcp 192.168.192.0 0.0.0.255 any eq 443
     permit tcp 192.168.192.0 0.0.0.255 any eq 1352
     permit tcp host 192.168.192.XX any eq smtp
     permit tcp 192.168.192.0 0.0.0.255 any eq 22
     permit tcp host 192.168.192.XX any eq domain
     permit tcp host 192.168.192.XX any eq domain
     permit tcp host 192.168.192.XX any eq domain
     permit udp host 192.168.192.XX any eq domain
     permit udp host 192.168.192.XX any eq domain
     permit udp host 192.168.192.XX any eq domain
    !
    radius-server host 192.168.192.XX auth-port 1645 acct-port 1646
    radius-server key IASKEY
    !
    control-plane
    !
    !
    !
    line con 0
    line aux 0
    line vty 0 4
    line vty 5 15
    !
    scheduler allocate 20000 1000
    end

    The debug output follows:

    14:47:51.755 on 21 oct: PPP: Alloc context [294C7BC4]

    14:47:51.755 on 21 oct: ppp98 PPP: Phase is

    14:47:51.755 on 21 oct: ppp98 PPP: using AAA Id Unique = 8 b

    14:47:51.755 on 21 oct: ppp98 PPP: permission NOT required

    14:47:51.755 on 21 oct: ppp98 PPP: via vpn, set the direction of the call

    14:47:51.755 on 21 oct: ppp98 PPP: treatment of connection as a callin

    14:47:51.755 on 21 oct: ppp98 PPP: Session Session handle [62] id [98]

    14:47:51.755 on 21 oct: ppp98 TPIF: State of the event [OPEN] [initial check]

    14:47:51.755 on 21 oct: ppp98 PPP LCP: switch to passive mode, State [stopped]

    14:47:53.759 on 21 oct: ppp98 PPP LCP: exit passive mode, State [departure]

    14:47:53.759 on 21 oct: LCP ppp98: O CONFREQ [departure] id 1 len 19

    14:47:53.759 on 21 oct: ppp98 TPIF: MRU 1464 (0x010405B8)

    14:47:53.759 on 21 oct: ppp98 TPIF: AuthProto MS-CHAP-V2 (0x0305C22381)

    14:47:53.759 on 21 oct: ppp98 TPIF: MagicNumber 0xF018D237 (0x0506F018D237)

    14:47:53.759 on 21 oct: ppp98 TPIF: event [UP] State [departure at REQsent]

    14:47:54.351 on 21 oct: ppp98 TPIF: I CONFREQ [REQsent] id 0 len 18

    14:47:54.351 on 21 oct: ppp98 TPIF: MRU 1400 (0 x 01040578)

    14:47:54.351 on 21 oct: ppp98 TPIF: MagicNumber 0x2F7C5F7E (0x05062F7C5F7E)

    14:47:54.351 on 21 oct: ppp98 TPIF: PFC (0 x 0702)

    14:47:54.351 on 21 oct: ppp98 TPIF: RAC (0 x 0802)

    14:47:54.351 on 21 oct: LCP ppp98: O CONFNAK [REQsent] id 0 len 8

    14:47:54.351 on 21 oct: ppp98 TPIF: MRU 1464 (0x010405B8)

    14:47:54.351 on 21 oct: ppp98 TPIF: State of the event [receive ConfReq-] [REQsent to REQsent]

    14:47:54.751 on 21 oct: ppp98 TPIF: I CONFACK [REQsent] id 1 len 19

    14:47:54.751 on 21 oct: ppp98 TPIF: MRU 1464 (0x010405B8)

    14:47:54.751 on 21 oct: ppp98 TPIF: AuthProto MS-CHAP-V2 (0x0305C22381)

    14:47:54.751 on 21 oct: ppp98 TPIF: MagicNumber 0xF018D237 (0x0506F018D237)

    14:47:54.751 on 21 oct: ppp98 TPIF: State of the event [receive ConfAck] [REQsent to ACKrcvd]

    14:47:54.915 on 21 oct: ppp98 TPIF: I CONFREQ [ACKrcvd] id 1 len 18

    14:47:54.915 on 21 oct: ppp98 TPIF: MRU 1400 (0 x 01040578)

    14:47:54.915 on 21 oct: ppp98 TPIF: MagicNumber 0x2F7C5F7E (0x05062F7C5F7E)

    14:47:54.915 on 21 oct: ppp98 TPIF: PFC (0 x 0702)

    14:47:54.915 on 21 oct: ppp98 TPIF: RAC (0 x 0802)

    14:47:54.915 on 21 oct: LCP ppp98: O CONFNAK [ACKrcvd] id 1 len 8

    14:47:54.915 on 21 oct: ppp98 TPIF: MRU 1464 (0x010405B8)

    14:47:54.915 on 21 oct: ppp98 TPIF: State of the event [receive ConfReq-] [ACKrcvd to ACKrcvd]

    14:47:55.275 on 21 oct: ppp98 TPIF: I CONFREQ [ACKrcvd] id 2 len 18

    14:47:55.275 on 21 oct: ppp98 TPIF: MRU 1464 (0x010405B8)

    14:47:55.275 on 21 oct: ppp98 TPIF: MagicNumber 0x2F7C5F7E (0x05062F7C5F7E)

    14:47:55.275 on 21 oct: ppp98 TPIF: PFC (0 x 0702)

    14:47:55.275 on 21 oct: ppp98 TPIF: RAC (0 x 0802)

    14:47:55.275 on 21 oct: LCP ppp98: O CONFACK [ACKrcvd] id 2 len 18

    14:47:55.275 on 21 oct: ppp98 TPIF: MRU 1464 (0x010405B8)

    14:47:55.275 on 21 oct: ppp98 TPIF: MagicNumber 0x2F7C5F7E (0x05062F7C5F7E)

    14:47:55.275 on 21 oct: ppp98 TPIF: PFC (0 x 0702)

    14:47:55.275 on 21 oct: ppp98 TPIF: RAC (0 x 0802)

    14:47:55.275 on 21 oct: ppp98 TPIF: State of the event [receive ConfReq +] [ACKrcvd to open]

    14:47:55.295 on 21 oct: ppp98 PPP: Phase is AUTHENTICATING,

    14:47:55.295 on 21 oct: ppp98 MS-CHAP-V2: O CHALLENGE id 1 len 28 of 'gw.izmv '.

    14:47:55.295 on 21 oct: ppp98 TPIF: State is open

    14:47:55.583 on 21 oct: ppp98 MS-CHAP-V2: I ANSWER id 1 len 71 of "domain\username".

    14:47:55.583 on 21 oct: ppp98 PPP: Phase TRANSFER, tempting with impatience

    14:47:55.583 on 21 oct: ppp98 PPP: Phase is AUTHENTICATING, unauthenticated user

    14:47:55.587 on 21 oct: ppp98 PPP: request sent MSCHAP_V2 LOGIN

    14:47:55.591 on 21 oct: ppp98 PPP: received LOGIN response PASS

    14:47:55.591 on 21 oct: ppp98 PPP AUTHOR: author data NOT available

    14:47:55.591 on 21 oct: ppp98 PPP: Phase TRANSFER, tempting with impatience

    14:47:55.595 on 21 oct: Vi3 PPP: Phase is AUTHENTICATING, authenticated user

    14:47:55.595 on 21 oct: Vi3: given msg No. MS_CHAP_V2

    14:47:55.595 on 21 oct: Vi3 MS-CHAP-V2: SUCCESS O id 1 len 46 msg is "tG @ #QDD @(@B@ (@[email protected]/ ** / @I @:[email protected]/ ** / @@@ EJFDE)).

    14:47:55.595 on 21 oct: Vi3 PPP: Phase is in PLACE

    14:47:55.595 on 21 oct: Vi3 CPIW: protocol configured, start state cf. [original]

    14:47:55.595 on 21 oct: Vi3 CPIW: State of the event [OPEN] [Initial report on startup]

    14:47:55.595 on 21 oct: Vi3 CPIW: O CONFREQ [departure] id 1 len 10

    14:47:55.595 on 21 oct: Vi3 CPIW: address of 192.168.207.1 (0x0306C0A8CF01)

    14:47:55.595 on 21 oct: Vi3 CPIW: event [UP] State [begins to REQsent]

    14:47:55.595 on 21 oct: Vi3 CCP: protocol configured, start state cf. [original]

    14:47:55.595 on 21 oct: Vi3 CCP: State of the event [OPEN] [Initial report on startup]

    14:47:55.595 on 21 oct: Vi3 CCP: O CONFREQ [departure] id 1 len 10

    14:47:55.595 on 21 oct: Vi3 CCP: MS - PPC supported bits 0 x 01000060 (0 x 120601000060)

    14:47:55.595 on 21 oct: Vi3 CCP: event [UP] State [begins to REQsent]

    14:47:55.599 on 21 oct: % LINK-3-UPDOWN: Interface virtual-access.3, changed State to

    14:47:55.603 on 21 oct: % LINEPROTO-5-UPDOWN: Line protocol on Interface virtual-access.3, changed State to

    14:47:56.027 on 21 oct: Vi3 LCP: I have TERMREQ [open] id 3 len 16

    14:47:56.027 on 21 oct: Vi3 LCP: (0x2F7C5F7E003CCD740000030A)

    14:47:56.027 on 21 oct: Vi3 CPIW: event [BOTTOM] State [REQsent on startup]

    14:47:56.027 on 21 oct: Vi3 CPIW: State of event [CLOSE] [begins with initial]

    14:47:56.027 on 21 oct: Vi3 CCP: event [BOTTOM] State [REQsent on startup]

    14:47:56.027 on 21 oct: Vi3 PPP DISC: MPPE required not negotiated

    14:47:56.027 on 21 oct: Vi3 PPP: sending Acct event [low] id [8B]

    14:47:56.027 on 21 oct: Vi3 CCP: State of event [CLOSE] [start with initial]

    14:47:56.027 on 21 oct: Vi3 LCP: O TERMACK [open] id 3 len 4

    14:47:56.027 on 21 oct: Vi3 LCP: event [receive TermReq] State [Open to stop]

    14:47:56.027 on 21 oct: Vi3 PPP: Phase ENDS

    14:47:56.027 on 21 oct: Vi3 LCP: event [CLOSE] [off status of closing]

    14:47:56.675 on 21 oct: Vi3 PPP: block vaccess to be released [0x10]

    14:47:56.675 on 21 oct: Vi3 LCP: event [CLOSE] State [closing closing]

    14:47:56.679 on 21 oct: Vi3 LCP: event [BOTTOM] State [closing on Initial]

    14:47:56.679 on 21 oct: Vi3 PPP: compensation AAA Id Unique = 8 b

    14:47:56.679 on 21 oct: Vi3 PPP: unlocked by [0x10] always locked by 0 x [0]

    14:47:56.679 on 21 oct: Vi3 PPP: free previously blocked vaccess

    14:47:56.679 on 21 oct: Vi3 PPP: Phase is BROKEN

    14:47:56.679 on 21 oct: % LINK-3-UPDOWN: Interface virtual-access.3, changed State to down

    14:47:56.683 on 21 oct: % LINEPROTO-5-UPDOWN: Line protocol on Interface virtual-access.3, state change downstairs

    I'll be very grateful for any useful suggestions

    We had the same problem using MS-CHAP-V2 and a 3945 router running IOS 15.2. When we added the same username/password combination locally it worked fine, but that was of course not the solution. We solved this problem by adding the following line to the config file:

    aaa authorization network default if-authenticated

    This is because Windows 2000 clients require the use of an aaa authorization statement in the router config. Maybe it was the default (and therefore not shown) in previous IOS releases.

    Success!

    Wil Schenkeveld

  • VPN site-to-site between Cisco 2801 Sonicwall TZ 215

    Hi all

    I'm scratching my head on this one.

    I'm trying to set up a VPN tunnel between a Cisco 2801 (my end) and a Sonicwall TZ215 (remote end).  We seem to be getting through Phase 1 just fine, but it keeps tanking on Phase 2.  There is no conflict between the local and remote LANs, so I would rather avoid NAT and just be able to reach the remote server by its private address.

    I have a border router (Cisco 2801) terminating the VPN and a Cisco PIX below that.  Traffic is marked in my PIX to route over our fiber rather than the default route whenever it needs to go over a VPN, and it is certainly taking the right path.  On my PIX I have this in my NAT0, although I did all the tests from the Cisco 2801, hoping to just get the tunnel up first without overcomplicating things.

    I have 2 other VPNs running on this device, one using 3DES and one using AES; I just copied the config from a very similar functioning VPN (changing the IP address and policy number). When using 3DES it seems to pass Phase 1 just fine and fails at Phase 2.  When using AES, it fails at Phase 1.

    Here is a snapshot of the config I am using on the 2801:

    ****

    interface FastEthernet0/1
     ip address (public IP address of the router) 255.255.255.224
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
     crypto map outside_map

    crypto isakmp policy 40
     encr 3des
     hash md5
     authentication pre-share
     group 2

    crypto isakmp key # address AAA.BBB.CCC.DDD (remote end point, the Sonicwall)

    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set hryak ah-sha-hmac esp-aes 256
    crypto ipsec transform-set ESP-AES256-MD5 esp-aes 256 esp-md5-hmac

    crypto map outside_map 40 ipsec-isakmp
     set peer AAA.BBB.CCC.DDD (remote public ip address)
     set transform-set ESP-3DES-MD5
     match address 140

    access-list 140 permit ip host (our global NAT) BBB.CCC.DDD.EEE 0.0.0.255 (remote side private network /24)
    access-list 140 permit tcp host (our global NAT) BBB.CCC.DDD.EEE 0.0.0.255 (remote side private network /24)

    What I see in my syslog is:

    2016-04-20 13:39:01 Local7.Debug 10.239.20.1 50: *Apr 20 20:02:48.056: IPSEC(ipsec_process_proposal): proxy identities not supported
    2016-04-20 13:39:01 Local7.Debug 10.239.20.1 51: *Apr 20 20:02:48.056: ISAKMP:(4706): IPSec policy invalidated proposal with error 32
    2016-04-20 13:39:01 Local7.Debug 10.239.20.1 52: *Apr 20 20:02:48.056: ISAKMP:(4706): phase 2 SA policy not acceptable! (local [ROUTER_PUBLIC_IP] remote [REMOTE_PUBLIC_IP])
    2016-04-20 13:39:01 Local7.Debug 10.239.20.1 53: *Apr 20 20:02:48.060: ISAKMP:(4706): deleting node -660087920 error TRUE reason "QM rejected"
    2016-04-20 13:39:16 Local7.Debug 10.239.20.1 54: *Apr 20 20:03:02.816: map_db_find_best did not find matching map
    2016-04-20 13:39:16 Local7.Debug 10.239.20.1 55: *Apr 20 20:03:02.816: IPSEC(ipsec_process_proposal): proxy identities not supported
    2016-04-20 13:39:16 Local7.Debug 10.239.20.1 56: *Apr 20 20:03:02.816: ISAKMP:(4706): IPSec policy invalidated proposal with error 32
    2016-04-20 13:39:16 Local7.Debug 10.239.20.1 57: *Apr 20 20:03:02.816: ISAKMP:(4706): phase 2 SA policy not acceptable! (local [ROUTER_PUBLIC_IP] remote [REMOTE_PUBLIC_IP])
    2016-04-20 13:39:16 Local7.Debug 10.239.20.1 58: *Apr 20 20:03:02.820: ISAKMP:(4706): deleting node -765628656 error TRUE reason "QM rejected"

    Any suggestions where I can look or some next steps?

    Thank you very much!

    Hello

    According to the logs, the issue seems to be with the crypto ACL (interesting traffic):

    2016-04-20 13:39:01 Local7.Debug 10.239.20.1 50: *Apr 20 20:02:48.056: IPSEC(ipsec_process_proposal): proxy identities not supported

    I see that you use permit tcp in the crypto ACL (acl 140) and you also use ip on the first line, so I don't see the relevance of the tcp entry.

    Could you check the ACL permitted on the SonicWall peer?

    Kind regards

    Aditya

    Please rate helpful posts.

  • LAN to Lan tunnel between ASA 5505 and 3030.

    I am unable to build a site-to-site VPN tunnel between an ASA 5505 and our Cisco 3030.  I have tried every possible combination except the one that works.  I am able to ping each peer from the other site.  Does anyone have a working config for a LAN-to-LAN tunnel between a 5505 and a 3030?  Thank you

    Hello

    Please see this link for a sample config:

    http://www.Cisco.com/c/en/us/support/docs/security/VPN-3000-series-conce...

    Kind regards

    Aditya

    Please rate helpful posts.

  • Example of configuration, VPIM between the unity and Unity express

    I need to configure VPIM networking between Unity w/Exchange and a 3rd-party voice messaging system and want to familiarize myself with the functionality. So I am researching the analogous setup between Unity and Unity Express. I can understand it between Unity and Exchange, but do not know how it works between Exchange and Unity Express, especially the domain requirement.

    Can I get a sample configuration for configuring VPIM networking between Unity w/Exchange and Unity Express?

    Thanks in advance,

    VPIM networking can be used for networking between Unity and Unity Express, just as it can be used for networking with a third-party system; however, each has its own implementation. Unity Express does not connect to Exchange. I suggest you re-read the chapter "Using VPIM for Networking with Cisco Unity Express or other Cisco Unity Systems" at http://www.cisco.com/en/US/products/sw/voicesw/ps2237/products_feature_guide_chapter09186a0080449a39.html and the Cisco Unity Express Networking guide at http://www.cisco.com/en/US/partner/products/sw/voicesw/ps5520/prod_configuration_basics09186a008035bbdb.html.

    A third-party system would have concepts comparable to the implementation of unity VPIM, but would not exactly be the same - see the documentation of that system for details.

  • Setting port channel between UCS - FI and MDS 9124 (Mode F)

    Dear team,

    We tried to create a port channel between the UCS FI and the MDS 9124,

    but the port channel does not come up in F mode on the MDS 9124.

    The FI is in FC End Host mode

    We have enabled FC uplink trunking on the FI

    We have enabled NPIV on the MDS

    We have enabled trunking on the MDS

    FI and MDS are in the default VSAN

    To check, we changed the FI to FC switching mode and the port channel became active, but in E mode

    When we enabled FC uplink trunking on the FI in FC switching mode, the port channel became active in TE mode

    but in both cases above, show flogi database shows the WWPN of the SAN alone and not any from the FI.

    How to achieve this?

    We have read that there is no need to change to FC switching mode, and to keep FC End Host mode

    So how do we port-channel with F mode between the MDS and the FI (mode shown as NProxy)?

    Does it have anything to do with the MDS NX-OS version? (https://supportforums.cisco.com/thread/2179129)

    If yes, how do we handle the license, as the port license came with the device and we don't have any PAK or license file, as it came licensed?

    Also, we saw 2 files available for download (m9100-s2ek9-kickstart-mz.5.2.8.bin and m9100-s2ek9-mz.5.2.8.bin); which to use?

    Thanks and greetings

    Jose

    Hi Jo Bo.

    What version of software is your MDS running?

    On your UCS do connect nxos and show ficelleStringString ficelleT inteface and find the mac address.

    It is possible that you could be hitting the bug below. If this is the case, you may need to update the firmware on your MDS.

    Add MAC OUI '002a6a', '8c604f', '00defb' for 5k/UCS-FI

    http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCty04686

    Symptom:

    Nexus switch cannot connect to any other Nexus or other Cisco switch in NPV mode with an F port channel. The issue can be seen in older 5.1 versions such as 5.1.3.N1.1a but not in the later 5.1.3.N2.1c release. The issue is also found in 5.2(1)N1(1) and 6.0(2)N1(1) and later versions.

    Conditions:

    Nexus configured for SAN port channels, or Nexus in NPIV mode connected to UCS via a regular F port channel where UCS is in NPV mode. NPV edge switch: OUI of the UCS FI or other Cisco-manufactured switch. Port WWN: xx:xx:00:2a:6a:xx:xx:xx or xx:xx:8c:60:4f:xx:xx:xx

    Workaround:

    Turn off trunking mode on the Nexus 5k TF port. The issue does not happen with a standard F port; remove the SAN port channel config.

    Further problem description:

    To verify the issue, collect show flogi internal event-history errors. Each time the port is attempted, the OLS, AMENDMENTS, PBA counters will increment. This can be determined via the following output: show port internal info all, show port internal event-history errors

  • Setting up a VPN between a WRVS4400N and ASA device

    I'm a newbie when it comes to Cisco devices and I have a problem setting up a VPN between a local office and a headquarters some distance away.

    Here, at our local office, we have a Cisco WRVS4400N Small Business device.

    At headquarters, they have a Cisco ASA device.

    We must set up a point-to-point VPN and I have no idea how to proceed with these devices.

    To compound things, the resource I have at the other end is an unknown entity who also does not seem to have a lot of experience with this.

    Is there any type of step by step guide for such a configuration?

    If not, can someone please help with this?

    Hello William,

    I would call the Support Center at 1866-606-1866 for assistance on the WRVS side of the tunnel; then all the ASA side has to do is match the settings. If the ASA side needs support, we can transfer over to TAC.

    Cisco Small Business Support Center

    Randy Manthey

    CCNA, CCNA - security

  • Can an 1841 route between a GRE tunnel and an IPSEC tunnel?

    Hello everyone!

    See the image below.

    Main office (10.0.1.0/24 LAN) and branch (10.0.2.0/24 LAN) are connected through the GRE tunnel.

    The third office (10.0.3.0/24) is attached to the second branch via IPSEC.

    Is there the way to establish the connection between the third and the main office through cisco 1841?

    Is it possible to perform routing, perhaps with NAT?

    In fact we need connection with a single server in the main office.

    Thank you

    Hello

    It is possible to build this configuration.

    the IPSEC connection between 10.0.3.x and 10.0.2.x should also encapsulate the traffic to main office.

    Steps to follow:

    Main office: route traffic to 10.0.3.x over the GRE tunnel.

    Second office: add the 10.0.3.x - 10.0.1.x traffic selection to the IPSEC ACL with the third office.

    Third office: add the 10.0.3.x - 10.0.1.x traffic selection to the IPSEC ACL with the second office.

    Please rate if this helped.

    Kind regards

    Daniel

  • authentication between the ACS and AD

    Hello

    I would like to know what kind of authentication mechanism ACS 5.1 uses to talk to Active Directory. Does it simply use MSCHAP, MSCHAPv2 or PAP? By default, it uses PAP to talk between the Cisco IOS and the ACS on 5.1.

    If you look at the default admin tab and click on allowed protocols, it mentions PAP.

    Should I use a secure means of transport between the ACS and AD? If so, can anyone tell me the authentication mechanism?

    Thank you

    Any administrative session like telnet, ssh and console always uses PAP as the authentication method.

    PAP communication can be captured and read in clear text in this case. However, since we have TACACS in use, it always encrypts the whole packet with the shared secret defined on the IOS and ACS/TACACS, so if you capture traffic between the radius and the device you won't be able to decipher it without the key.

    In case you have RADIUS, then use SSH (PuTTY) so that it can help you with secure communication.

    ACS and AD support PAP, CHAP, MSCHAPv1 and MSCHAPv2.

    However, administration does not work with any authentication method other than PAP.

    HTH

    Regds,

    Jousset

    Do rate helpful posts ~

  • Help with a VPN tunnel between ASA 5510 and Juniper SSG20

    Hello

    We have a customer wanting to configure a site-to-site VPN tunnel between a newly purchased ASA 5510 located in his branch office and his Juniper SSG20, located in the main office. We contacted HP and they sent us a Cisco professional to do the job.

    After 2 days, from 16:00 to 22:00, of trial and error and countless hours of research online and numerous calls, we are still unable to get traffic from the branch network to enter the tunnel.

    Main branch
                      1.1.1.2                          1.1.1.1
                       -----                         -----------
    192.168.8.0/24    | ASA |-----------------------| Juniper |    192.168.1.0/24
                       -----                         -----------
                   192.168.8.254                    192.168.1.254

    According to Cisco professionals, the tunnel is now in place but no traffic through. We are unable to ping anything on the network on the other side (192.168.1.0/24). We receive timeout ping all the time. The Cisco professional told us it's a routing or NAT problem and he's working on a solution!

    Through research, I came across a post on Experts-Exchange (here) [the 1st comment on the original post] which states "... that both sides of the VPN must have a different class of LAN for the VPN to work..." Would that be our problem?

    It has become a critical issue, to the point that we had to replace the Cisco ASA with a temporary Juniper SSG5 on another subnet (192.168.7.0/24) to get the tunnel up and passing traffic until the ASA VPN issue is resolved, and I don't need to say that the client is killing us!

    Help is very appreciated.

    Thank you

    1. Yes, a ping packet from the interface of the ASA is considered interesting traffic to the LAN of the Juniper.

    On the ASA, you need to source the traffic from the ASA's private interface, because the interesting traffic as determined by the crypto ACL MYLIST is traffic between 192.168.8.0/24 and 192.168.1.0/24.

    You will also need to add the following configuration to be able to ping from the private interface of the ASA:

    management-access private

    To initiate the ping from the ASA private interface:

    ping private 192.168.1.254

    2. The default time before the next rekey is normally 28800 seconds, and if there is no interesting traffic flowing between the 2 subnets, it will tear the VPN tunnel down. As soon as there is interesting traffic, the VPN tunnel will be built again automatically. However, if there is traffic before the rekey, the new tunnel will be established, and the VPN tunnel will remain up and continue to encrypt and decrypt traffic.

    Currently, your configuration has been defined with an SA lifetime of 3600 seconds OR 4608000 kilobytes of traffic before the next rekey (it will be either 3600 seconds or 4608000 kilobytes, whichever expires first). You can certainly change it to the default of 28800 seconds without configuring kilobytes. The SA lifetime is negotiated between the ASA and the Juniper, and whichever is the lowest value will be used.

    Hope that helps.
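Added example (not part of the original replies): a simplified Python model of the two points in the answer above, namely which ping sources match crypto ACL MYLIST and how the SA lifetime plays out. The outside address 203.0.113.10 and the Juniper lifetime values are constructed for illustration; the subnets and the ASA's 3600 seconds / 4608000 kilobytes come from the thread.

```python
import ipaddress

# Crypto ACL MYLIST as described in the thread: LAN-to-LAN traffic only.
MYLIST = [(ipaddress.ip_network("192.168.8.0/24"),
           ipaddress.ip_network("192.168.1.0/24"))]

# ASA values are from the thread; the Juniper values are constructed.
ASA = {"seconds": 3600, "kilobytes": 4608000}
JUNIPER = {"seconds": 28800, "kilobytes": 4608000}


def is_interesting(src, dst, acl=MYLIST):
    """True if a packet src -> dst matches the crypto ACL and is encrypted."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in local and d in remote for local, remote in acl)


def negotiated_lifetime(local, remote):
    """Simplified model: for each lifetime type the lower proposal is used."""
    return {k: min(local[k], remote[k]) for k in ("seconds", "kilobytes")}


def rekey_trigger(lifetime, kbytes_per_sec):
    """Which limit expires first at a steady rate, and after how many seconds."""
    by_time = lifetime["seconds"]
    if kbytes_per_sec <= 0:
        return ("seconds", by_time)
    by_volume = lifetime["kilobytes"] / kbytes_per_sec
    if by_volume < by_time:
        return ("kilobytes", by_volume)
    return ("seconds", by_time)


if __name__ == "__main__":
    # Ping sourced from the private interface matches MYLIST.
    print(is_interesting("192.168.8.254", "192.168.1.254"))
    # Ping sourced from a (constructed) outside address does not.
    print(is_interesting("203.0.113.10", "192.168.1.254"))
    sa = negotiated_lifetime(ASA, JUNIPER)
    print(sa, rekey_trigger(sa, 500), rekey_trigger(sa, 2000))
```
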

  • What is the difference between codec primary and secondary codec in cts-3000?

    Hello

    I'm a novice on telepresence. This community is only a place to resolve issues for me.

    What is the difference between codec primary and secondary codec in cts-3000?

    I know the function of the primary codec, but I don't know exactly the function of the secondary codec.

    Help me please.

    Hello

    On a CTS 3000 system, you have 1 primary codec and 2 secondary codecs. The secondary codecs are responsible for the left and right camera and display connections. They communicate with the main codec via an Ethernet cable.

    Here is a guide to the installation of a CTS-3000 so that you can see the routing of cables.

    http://www.Cisco.com/c/en/us/TD/docs/Telepresence/cts_3000/guide/3000_assembly_guide/CH08_Routing_Power_and_Signal_Cables.html

    In addition, if you are interested in learning more about telepresence, as of last year Cisco introduced the CCNA Video certification track. Maybe it's something you are interested in.

    https://learningnetwork.Cisco.com/community/certifications/ccna_video

    PEI

  • switching between Mac OS and Win 7 VM (full screen)

    I just got a Mac a week ago to begin to understand/test whether it will be a viable option for our company. I also bought VMware Fusion to run Windows 7 on. I was searching/trying all night to figure out if and how to switch between Mac OS X and Windows 7, more particularly when Windows 7 is in full-screen mode.

    We had a Cisco consultant in our office a while back and he used the same configuration, but I swear I saw him toggling back and forth between the OSes in full-screen mode. It would be some keys on the keyboard and the Windows 7 screen would slide up on the screen over Mac OS. I asked him what he was using and he said Fusion.

    Is this possible to do?

    I think I installed Fusion light instead of the full version; would that be the cause? I would like the full version installed, but I didn't install the AV that accompanies it.

    Another way to switch is to use the Mac Command + Tab (change of application) to change between Mac applications and get out of the VM in full screen.  I always use Spaces, with VMware "locked" to one of the spaces.  When I switch as described above, it generally takes me to another space which has all the Mac applications.
