Licensing of 1001 ASR

Hello, try as I might I can't find a document that says:

'How to enable encryption on a 1001 ASR' or 'enable advanced ip features' on the 1001 ASR.

Can anyone help please. My Kit list.

Cisco ASR1001 system, Crypto, 4 GE built-in, double P/S

Cisco ASR1001 4 GB of DRAM

Advanced Services Cisco ASR 1000 IP license

ASR 1001-Cisco IOS XE - UNIVERSAL ENCRYPTION

License of IPSEC for ASR1000 series

Upgrade from 2.5 Gbps to 5Gbps license for ASR 1001

What is the process to activate the 2.5 Gbps to 5 Gbps feature or encryption?

Thank you

Chris

Chris,

All Cisco ASR 1000 feature licenses are honor-based; in other words, they are not enforced through a Product Activation Key (PAK), except for the "technology package licenses" and the performance upgrade license (2.5 to 5 Gbps) on Cisco ASR 1001 models.

(http://www.cisco.com/en/US/prod/collateral/routers/ps9343/product_bulletin_c07-448862.html)

Q. what are the key new features with the Cisco ASR 1001 compared to other ASR 1000 Series routers chassis?

A. The Cisco ASR 1001 series introduced the concept of the integrated daughter card (IDC), which is a non-field-upgradable element on the ASR 1001 chassis that provides I/O capabilities. At the time of first customer ship (FCS), the Cisco ASR 1001 is available in 3 different versions: the ASR 1001 base chassis (part number ASR1001), the ASR1001-2XOC3POS with an integrated daughter card with 2 OC3 POS ports, and the ASR1001-4XT3 with an integrated daughter card with 4 T3 ports. The second phase of the ASR 1001 launched 3 new chassis: the ASR1001-HDD with a built-in 160 GB hard drive; the ASR1001-4X1GE with an integrated daughter card providing 4 1GE ports; and the ASR1001-8XCHT1E1 with an integrated daughter card providing 8 channelized T1/E1 ports. In addition, the Cisco ASR 1001 is the first chassis of the Cisco ASR 1000 series to implement software activation, which is the same software activation concept seen on other Cisco offerings, for example on the Cisco ISR G2 Series routers. 2 different types of licenses are enforced at FCS via software activation. First, the feature sets offered through IP Base (K9 and non-K9), Advanced IP Services (K9 and non-K9) and Advanced Enterprise Services (K9 and non-K9). Second, the upgrade of the default performance from 2.5 Gbps to 5 Gbps is possible via a software-activated performance upgrade license (the part number to use when ordering any of the three ASR1001 chassis for the 5 Gbps performance upgrade is FSL-ASR1001-5G). Other features, such as firewall and encryption, are expected to be activated on the ASR 1001 in future software.

How to activate a license once you have a PAK (Product Activation Key):

1. Go to www.cisco.com/go/license

2. Enter the PAK you received on the form and submit it.

3. Activate the license on the ASR1000.

FAQ on https://tools.cisco.com/SWIFT/Licensing/jsp/Cisco%20Licensing%20FAQ%20-%20June%202011.pdf

For the software activation commands, see:

http://www.Cisco.com/en/us/docs/iOS/CSA/configuration/guide/csa_commands.html

HTH.

Cheers, Gustavo


Similar Questions

  • UNI-DIRECTIONAL on 1001 ASR feature

    Hello

    I have an ASR 1001 router currently running the latest 3.9.2S code.

    The Uni-directional feature was introduced in 3.9S.

    However...

    With the IPBase license, the Uni-directional command does not appear in configuration mode.

    But when I activate the AdvancedIPServices trial license and restart, the UNI-DIRECTIONAL command now appears in configuration mode.

    I don't see it documented anywhere in the command reference/release notes for IOS XE etc. that you need to have the Advanced IP Services feature set licensed to use the UNI-DIRECTIONAL feature on the ASR 1001. Does anyone know if this is correct, or is it an error or a bug?

    See you soon

    Hello

    This can be seen in the Feature Navigator. If you select 3.9S and IP Base you won't see the unidirectional link detection section (you can filter by feature name using a match string like UniDir). If you select the Advanced Services feature set, you will find it in the list.

    Niko

  • Nuance ASR OUT_OF_SERVICE subsystem

    Hello

    We have a CM 4.1.3 and IPCC 3.5.3

    With the IPCC, we also have TTS and ASR licenses (3 TTS and 3 ASR).

    I have the problem that the service of the ASR is OUT_OF_SERVICE. TTS works very well.

    When I restart the system or do a restart of the engine, I can see both services during initialization.

    After a while the TTS is IN_SERVICE and works fine, but the ASR, after 2-3 minutes of initializing, goes OUT_OF_SERVICE.

    These are the messages:

    352: Jan 26 17:28:53.628 EET %MIVR-SS_ENT_SRV-1-SS_OUT_OF_SERVICE:Enterprise Server Subsystem in out of service:
    353: Jan 26 17:29:20.394 EET %MIVR-SS_NUAN_ASR-7-UNK:"nlm" with vpid '3802' on '10.10.50.2' is not running.
    354: Jan 26 17:29:20.394 EET %MIVR-SS_NUAN_ASR-7-UNK:Not all processes on AppServer '10.10.50.2' are running
    355: Jan 26 17:30:20.396 EET %MIVR-SS_NUAN_ASR-7-UNK:"recserver" with vpid '3804' on '10.10.50.2' is not running.
    356: Jan 26 17:30:20.396 EET %MIVR-SS_NUAN_ASR-7-UNK:Not all processes on Speechserver '10.10.50.2' are running
    357: Jan 26 17:30:20.396 EET %MIVR-SS_NUAN_ASR-7-SUBSYSTEM_NUAN_ASR_WN_STATUS_CHANGED_OOS:WatcherNetwork status has changed: WN_OUT_OF_SERVICE: Integer Msg = 1
    358: Jan 26 17:30:20.396 EET %MIVR-SS_NUAN_ASR-3-SS_OUT_OF_SERVICE:Nuance ASR subsystem is OUT_OF_SERVICE:
    359: Jan 26 17:30:20.396 EET %MIVR-SS_NUAN_ASR-1-ModuleRunTimeFailure:Real-time failure Nuance ASR: Module = Nuance ASR subsystem, Cause of failure = 1, failure Module = SS_NUAN_ASR

    Strange thing is that TTS works.

    CM, IPCC and Nuance TTS/ASR are installed together.

    Does anyone have any idea why this happens?

    JH

    If this is a new installation on 3.5(2) or 3.5(3), you may be running into bug CSCsc96390. There is a hard-coded license file which expires on 12/31/2005. Nuance ASR will initialize and then go out of service; however, TTS will remain in service.

    You can quickly verify this by setting the date of your IPCCx server to a date prior to 12/31/2005. If Nuance ASR goes into service, then you will need get the fix from the Cisco TAC to correct this problem.

  • Problem with IKEv2 routes w using PSK and RADIUS

    Hello

    I have a 7 881 + (15.2(4)M2) connected to a 1001 ASR (03.07.01.S) via the Internet. The goal is to set up DVTI on the ASR, use FlexVPN on the CPE and inject IKEv2 crypto routes into the VRF on the PE for the protected subnets on the SCE when using pre-shared key for authentication and RADIUS to return the attributes.

    I can get the tunnel working fine, but I can't get the crypto routes.

    My configs:

    7 881 + CPE:

    crypto ikev2 keyring Keychain-CPE
     peer ASR
      address
      pre-shared-key abcd
    !
    crypto ikev2 profile IKEV2-PROFILE-CPE
     match identity remote address  255.255.255.255
     identity local fqdn cpe.ipsec.net
     authentication remote pre-share
     authentication local pre-share
     keyring local Keychain-CPE
     dpd 30 2 periodic
    !
    crypto ipsec transform-set TFS-AES256-SHA-HMAC esp-aes 256 esp-sha-hmac
     mode tunnel
    !
    crypto ipsec profile default
     set transform-set TFS-AES256-SHA-HMAC
     set ikev2-profile IKEV2-PROFILE-CPE
    !
    crypto ikev2 client flexvpn FLEX
     peer 1
     client inside Loopback0
     client connect Tunnel0
    !
    interface Loopback0
     ip address  255.255.255.255
    !
    interface Tunnel0
     ip address negotiated
     tunnel source Dialer2
     tunnel mode ipsec ipv4
     tunnel destination dynamic
     tunnel protection ipsec profile default

    ASR PE:

    aaa authorization network IPSEC-AUTHOR group AAA-GROUP-IPSEC-RADIUS
    !
    crypto ikev2 dpd 60 2 periodic
    !
    crypto ikev2 profile IKEV2-PROFILE-ASR
     match fvrf FVRF
     match identity remote fqdn domain ipsec.net
     authentication remote pre-share
     authentication local pre-share
     keyring aaa IPSEC-AUTHOR
     aaa authorization user psk list IPSEC-AUTHOR
     virtual-template 1
    !
    crypto ipsec transform-set TFS-AES256-SHA-HMAC esp-aes 256 esp-sha-hmac
     mode tunnel
    !
    crypto ipsec profile default
     set transform-set TFS-AES256-SHA-HMAC
     set ikev2-profile RADU
     responder-only
    !
    interface Virtual-Template1 type tunnel
     no ip address
     tunnel source GigabitEthernet0/0/3
     tunnel mode ipsec ipv4
     tunnel vrf FVRF
     tunnel protection ipsec profile default

    RADIUS user definition:

    cpe.ipsec.net
     Tunnel-Password = abcd,
     Framed-IP-Address = 172.16.0.254,
     Framed-IP-Netmask = 255.255.255.254,
     Cisco-avpair = "ip:interface-config=vrf forwarding test",
     Cisco-avpair = "ip:interface-config=ip address 172.16.0.255 255.255.255.254",
     Cisco-avpair = "ipsec:route-set=interface",
     Cisco-avpair = "ipsec:route-set prefix=32",
     Cisco-avpair = "ipsec:route-accept=any"

    The tunnel interface comes up on the CPE, and the virtual-access interface comes up on the ASR. I could use BGP to exchange routing information between the PE and the CPE, but I want to use IKE.

    I think the problem is that I don't know how to invoke an IKEv2 authorization policy on PBS (in which I could set an access list for the ). But on the CPE, I have the following limitations:

    I want to use PSK for authentication, but no RADIUS server is available. So the only other option for PSK authentication is a locally defined keyring, as there is no way to use a locally defined user name (local authentication) with a keyring.

    So how can I trigger an IKEv2 authorization policy under the IKEv2 profile?

    CPE(config-ikev2-profile)#aaa authorization user psk list ?
      WORD  AAA list name

    If I set a local aaa authorization list, then all authentication fails:

    aaa authorization network default local
    crypto ikev2 profile IKEV2-PROFILE-CPE
     aaa authorization user psk list default

    *Dec 20 15:52:27.042 UTC: %IKEV2-3-NEG_ABORT: Negotiation aborted due to ERROR: Auth exchange failed

    And there is no way to trigger the authorization policy if I do not set the command above, is there? I tried to modify the default authorization policy with an access list, but it is not taken into account.

    If I use a crypto map with an access list and IKEv2, I can get crypto routes on the ASR. But I want to use FlexVPN on the CPE.

    Is there a way to do this?

    Also, the IOS configuration guides are not too useful.

    Thank you

    Radu

    .Dec 21 09:12:42.299 UTC: IKEv2:IKEv2 local AAA author request for '87.84.214.31'
    .Dec 21 09:12:42.299 UTC: IKEv2:IKEv2 local AAA - policy '87.84.214.31' does not exist.
    .Dec 21 09:12:42.299 UTC: authorization IKEv2:IKEv2 162 error

    Not sure what your config looks like, but here it says that it cannot find

    crypto ikev2 authorization policy 87.84.214.31

    <...>

    Is it configured?

  • Cisco asr 1001 compatible fiber modules

    Hello

    We recently purchased a cisco asr 1001 router and I have a number of interface units. I want to fill these with fiber modules.

    Can you tell me which fiber modules are compatible, please? Are regular SFPs OK to use, or is there a special series of SFPs to use for the ASR?

    Thank you very much

    Paul

    Paul,

    You are right that GLC-T & GLC-SX-MM are not supported with the ASR1000 platform.

    The following link confirms that:

    http://www.Cisco.com/en/us/docs/interfaces_modules/transceiver_modules/compatibility/matrix/OL_6981.html#wp131775

    The SFPs below are supported with the ASR1000 platform:

    SFP-GE-T

    SFP-GE-S
    SFP-GE-L
    SFP-GE-Z
    CWDM SFP
    DWDM SFP

    GLC-BX-D
    GLC-BX-U

    I handled a similar case yesterday where GLC-T wouldn't work with ASR1k, and I confirmed that it would not be supported in the future either.

    HTH,

    Amit

  • DMVPN spoke of issues after migration double ISR2 3925 hub to ASR-1001 X

    Hello world

    After migrating our DMVPN hub solution from dual ISR2 3925 to ASR-1001 X (running asr1001x-universalk9.03.12.03.S.154-2.S3-std.SPA.bin) we started to have some problems with spoke tunnels flapping (going up and down) and sometimes never coming up.

    Running 'show dmvpn' on the spoke shows it is stuck in state PNDH to our hub. To solve the problem, we run 'shut' and then 'no shut' on the spoke's tunnel interface, which actually brings DMVPN up. Running "clear crypto session " on the spoke often solves the problem as well. So it seems that the issue has something to do with IPSEC.

    When the problem occurs, with debug crypto ipsec, crypto isakmp, crypto engine and crypto socket enabled, the following can be seen on the hub:

     Jun 25 10:01:41 SUMMERT: ISAKMP:(46580):Sending NOTIFY DPD/R_U_THERE protocol 1 spi 140130067548488, message ID = 629121681
     Jun 25 10:01:41 SUMMERT: ISAKMP:(46580): seq. no 0x64B2238C
     Jun 25 10:01:41 SUMMERT: ISAKMP:(46580): sending packet to  my_port 500 peer_port 500 (I) QM_IDLE
     Jun 25 10:01:41 SUMMERT: ISAKMP:(46580):Sending an IKE IPv4 Packet.
     Jun 25 10:01:41 SUMMERT: ISAKMP:(46580):purging node 629121681
     Jun 25 10:01:41 SUMMERT: ISAKMP:(46580):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_IM_ALIVE
     Jun 25 10:01:41 SUMMERT: ISAKMP:(46580):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
     Jun 25 10:01:41 SUMMERT: ISAKMP (46580): received packet from  dport 500 sport 500 ISP1-DMVPN (I) QM_IDLE
     Jun 25 10:01:41 SUMMERT: ISAKMP: set new node 3442686097 to QM_IDLE
     Jun 25 10:01:41 SUMMERT: ISAKMP:(46580): processing HASH payload. message ID = 3442686097
     Jun 25 10:01:41 SUMMERT: ISAKMP:(46580): processing NOTIFY DPD/R_U_THERE_ACK protocol 1 spi 0, message ID = 3442686097, sa = 0x7F72986867D0
     Jun 25 10:01:41 SUMMERT: ISAKMP:(46580): DPD/R_U_THERE_ACK received from peer , sequence 0x64B2238C
     Jun 25 10:01:41 SUMMERT: ISAKMP:(46580):deleting node 3442686097 error FALSE reason "Informational (in) state 1"
     Jun 25 10:01:41 SUMMERT: ISAKMP:(46580):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
     Jun 25 10:01:41 SUMMERT: ISAKMP:(46580):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
     Jun 25 10:01:42 SUMMERT: IPSEC: delete incomplete sa: 0x7F729923A438
     Jun 25 10:01:42 SUMMERT: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
     Jun 25 10:01:42 SUMMERT: ISAKMP:(46580):purging node 1111296046
     Jun 25 10:01:44 SUMMERT: ISAKMP (46580): received packet from  dport 500 sport 500 ISP1-DMVPN (I) QM_IDLE
     Jun 25 10:01:44 SUMMERT: ISAKMP: set new node 928225319 to QM_IDLE
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580): processing HASH payload. message ID = 928225319
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580): processing SA payload. message ID = 928225319
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Checking IPSec proposal 1
     Jun 25 10:01:44 SUMMERT: ISAKMP: transform 1, ESP_AES
     Jun 25 10:01:44 SUMMERT: ISAKMP: attributes in transform:
     Jun 25 10:01:44 SUMMERT: ISAKMP: encaps is 2 (Transport)
     Jun 25 10:01:44 SUMMERT: ISAKMP: SA life type in seconds
     Jun 25 10:01:44 SUMMERT: ISAKMP: SA life duration (basic) of 3600
     Jun 25 10:01:44 SUMMERT: ISAKMP: SA life type in kilobytes
     Jun 25 10:01:44 SUMMERT: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
     Jun 25 10:01:44 SUMMERT: ISAKMP: authenticator is HMAC-SHA
     Jun 25 10:01:44 SUMMERT: ISAKMP: key length is 256
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):atts are acceptable.
     Jun 25 10:01:44 SUMMERT: CRYPTO_SS(TUNNEL SEC): Active open, socket info: local  /255.255.255.255/0, remote  /255.255.255.255/0, prot 47, ifc Tu3300
     Jun 25 10:01:44 SUMMERT: IPSEC(recalculate_mtu): reset sadb_root 7F7292E64990 mtu to 1500
     Jun 25 10:01:44 SUMMERT: CRYPTO_SS(TUNNEL SEC): Sending Socket Ready message
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580): processing NONCE payload. message ID = 928225319
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580): processing ID payload. message ID = 928225319
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580): processing ID payload. message ID = 928225319
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):QM Responder gets spi
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Node 928225319, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Node 928225319, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_IPSEC_INSTALL_AWAIT
     Jun 25 10:01:44 SUMMERT: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 
     Jun 25 10:01:44 SUMMERT: IPSEC(crypto_ipsec_update_ident_tunnel_decap_oce): updating profile-shared Tunnel3300 ident 7F7298B2BF80 with lookup_oce 7F7296BF5440
     Jun 25 10:01:44 SUMMERT: IPSEC(create_sa): sa created, (sa) sa_dest= , sa_proto= 50, sa_spi= 0x14F40C56(351538262), sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 27873 sa_lifetime(k/sec)= (4608000/3600), (identity) local= :0, remote= :0, local_proxy= /255.255.255.255/47/0, remote_proxy= /255.255.255.255/47/0
     Jun 25 10:01:44 SUMMERT: IPSEC(create_sa): sa created, (sa) sa_dest= , sa_proto= 50, sa_spi= 0x3B4731D7(994521559), sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 27874 sa_lifetime(k/sec)= (4608000/3600), (identity) local= :0, remote= :0, local_proxy= /255.255.255.255/47/0, remote_proxy= /255.255.255.255/47/0
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Received IPSec Install callback... proceeding with the negotiation
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Successfully installed IPSEC SA (SPI:0x14F40C56) on Tunnel3300
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580): sending packet to  my_port 500 peer_port 500 (I) QM_IDLE
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Sending an IKE IPv4 Packet.
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Node 928225319, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Old State = IKE_QM_IPSEC_INSTALL_AWAIT New State = IKE_QM_R_QM2
     Jun 25 10:01:44 SUMMERT: ISAKMP (46580): received packet from  dport 500 sport 500 ISP1-DMVPN (I) QM_IDLE
     Jun 25 10:01:44 SUMMERT: ISAKMP: set new node 1979798297 to QM_IDLE
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580): processing HASH payload. message ID = 1979798297
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 351538262, message ID = 1979798297, sa = 0x7F72986867D0
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580): deleting spi 351538262 message ID = 928225319
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):deleting node 928225319 error TRUE reason "Delete Larval"
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):peer does not do paranoid keepalives.
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Enqueued KEY_MGR_DELETE_SAS for IPSEC SA (SPI:0x3B4731D7)
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):deleting node 1979798297 error FALSE reason "Informational (in) state 1"
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
     Jun 25 10:01:44 SUMMERT: IPSEC: delete incomplete sa: 0x7F729923A340
     Jun 25 10:01:44 SUMMERT: IPSEC(key_engine_delete_sas): delete SA with spi 0x3B4731D7 proto 50 for 
     Jun 25 10:01:44 SUMMERT: IPSEC(update_current_outbound_sa): updated peer  current outbound sa to SPI 0
     Jun 25 10:01:44 SUMMERT: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
     Jun 25 10:01:44 SUMMERT: CRYPTO_SS(TUNNEL SEC): Sending request for CRYPTO SS CLOSE SOCKET

     #sh pl ha qf ac fe ipsec data drop
     ------------------------------------------------------------------------
     Drop Type  Name                                     Packets
     ------------------------------------------------------------------------
             3  IN_US_V4_PKT_FOUND_IPSEC_NOT_ENABLED      127672
            19  IN_OCT_ANTI_REPLAY_FAIL                    13346
            20  IN_UNEXP_OCT_EXCEPTION                      4224
            33  OUT_V4_PKT_HIT_IKE_START_SP                 1930
            62  IN_OCT_MAC_EXCEPTION                           9

     #sh plat hard qfp act stat drop | e _0_
     -------------------------------------------------------------------------
     Global Drop Stats                         Packets                  Octets
     -------------------------------------------------------------------------
     Disabled                                        1                      82
     IpFragErr                                  170536               246635169
     IpTtlExceeded                                4072                  343853
     IpsecIkeIndicate                             1930                  269694
     IpsecInput                                 145256                30071488
     Ipv4Acl                                   2251965               215240194
     Ipv4Martian                                  6248                  692010
     Ipv4NoAdj                                   43188                 7627131
     Ipv4NoRoute                                   278                   27913
     Ipv4Unclassified                                6                     378
     MplsNoRoute                                   790                   69130
     MplsUnclassified                                1                      60
     ReassTimeout                                   63                   10156
     ServiceWireHdrErr                            2684                  585112

    In addition, after running 'logging dmvpn rate-limit 20' on the hub:

     %DMVPN-3-DMVPN_NHRP_ERROR: Tunnel292: NHRP Encap Error for Resolution Request , Reason: protocol generic error (7) on (Tunnel:  NBMA: )

    On the spoke, the following can be seen in the debugs as well:

     *Jun 25 09:17:26.884: ISAKMP:(1032): sitting IDLE. Starting QM immediately (QM_IDLE )
     *Jun 25 09:17:26.884: ISAKMP:(1032):beginning Quick Mode exchange, M-ID of 1599359281
     *Jun 25 09:17:26.884: ISAKMP:(1032):QM Initiator gets spi
     *Jun 25 09:17:26.884: ISAKMP:(1032): sending packet to  my_port 500 peer_port 500 (R) QM_IDLE
     *Jun 25 09:17:26.884: ISAKMP:(1032):Sending an IKE IPv4 Packet.
     *Jun 25 09:17:26.884: ISAKMP:(1032):Node 1599359281, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
     *Jun 25 09:17:26.884: ISAKMP:(1032):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
     *Jun 25 09:17:26.940: ISAKMP (1032): received packet from  dport 500 sport 500 Global (R) QM_IDLE
     *Jun 25 09:17:26.940: ISAKMP:(1032): processing HASH payload. message ID = 1599359281
     *Jun 25 09:17:26.940: ISAKMP:(1032): processing SA payload. message ID = 1599359281
     *Jun 25 09:17:26.940: ISAKMP:(1032):Checking IPSec proposal 1
     *Jun 25 09:17:26.940: ISAKMP: transform 1, ESP_AES
     *Jun 25 09:17:26.940: ISAKMP: attributes in transform:
     *Jun 25 09:17:26.940: ISAKMP: encaps is 2 (Transport)
     *Jun 25 09:17:26.940: ISAKMP: SA life type in seconds
     *Jun 25 09:17:26.940: ISAKMP: SA life duration (basic) of 3600
     *Jun 25 09:17:26.940: ISAKMP: SA life type in kilobytes
     *Jun 25 09:17:26.940: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
     *Jun 25 09:17:26.940: ISAKMP: authenticator is HMAC-SHA
     *Jun 25 09:17:26.940: ISAKMP: key length is 256
     *Jun 25 09:17:26.940: ISAKMP:(1032):atts are acceptable.
     *Jun 25 09:17:26.940: IPSEC(ipsec_process_proposal): proxy identities not supported
     *Jun 25 09:17:26.940: ISAKMP:(1032): IPSec policy invalidated proposal with error 32
     *Jun 25 09:17:26.940: ISAKMP:(1032): phase 2 SA policy not acceptable! (local  remote )
     *Jun 25 09:17:26.940: ISAKMP: set new node -1745931191 to QM_IDLE
     *Jun 25 09:17:26.940: ISAKMP:(1032):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 834718720, message ID = 2549036105
     *Jun 25 09:17:26.940: ISAKMP:(1032): sending packet to  my_port 500 peer_port 500 (R) QM_IDLE
     *Jun 25 09:17:26.940: ISAKMP:(1032):Sending an IKE IPv4 Packet.
     *Jun 25 09:17:26.940: ISAKMP:(1032):purging node -1745931191
     *Jun 25 09:17:26.940: ISAKMP:(1032):deleting node 1599359281 error TRUE reason "QM rejected"
     *Jun 25 09:17:26.940: ISAKMP:(1032):Node 1599359281, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
     *Jun 25 09:17:26.940: ISAKMP:(1032):Old State = IKE_QM_I_QM1 New State = IKE_QM_I_QM1
     *Jun 25 09:17:34.068: ISAKMP (1032): received packet from  dport 500 sport 500 Global (R) QM_IDLE
     *Jun 25 09:17:34.068: ISAKMP: set new node 1021264821 to QM_IDLE
     *Jun 25 09:17:34.072: ISAKMP:(1032): processing HASH payload. message ID = 1021264821
     *Jun 25 09:17:34.072: ISAKMP:(1032): processing NOTIFY DPD/R_U_THERE protocol 1 spi 0, message ID = 1021264821, sa = 0x32741028
     *Jun 25 09:17:34.072: ISAKMP:(1032):deleting node 1021264821 error FALSE reason "Informational (in) state 1"
     *Jun 25 09:17:34.072: ISAKMP:(1032):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
     *Jun 25 09:17:34.072: ISAKMP:(1032):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
     *Jun 25 09:17:34.072: ISAKMP:(1032):DPD/R_U_THERE received from peer , sequence 0x64B2279D
     *Jun 25 09:17:34.072: ISAKMP: set new node 716440334 to QM_IDLE
     *Jun 25 09:17:34.072: ISAKMP:(1032):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1 spi 834719464, message ID = 716440334
     *Jun 25 09:17:34.072: ISAKMP:(1032): seq. no 0x64B2279D
     *Jun 25 09:17:34.072: ISAKMP:(1032): sending packet to  my_port 500 peer_port 500 (R) QM_IDLE
     *Jun 25 09:17:34.072: ISAKMP:(1032):Sending an IKE IPv4 Packet.
     *Jun 25 09:17:34.072: ISAKMP:(1032):purging node 716440334
     *Jun 25 09:17:34.072: ISAKMP:(1032):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
     *Jun 25 09:17:34.072: ISAKMP:(1032):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
     *Jun 25 09:17:35.356: ISAKMP:(1032):purging node 206299144

    Obviously something seems to be wrong, with Phase 2 not coming up. But why does it come up after clearing the crypto session, or after shutting and re-enabling the tunnel interface on the spoke?

    Very weird. Also, looking at the hub debug messages, it seems that crypto is associated with the wrong tunnel interface, Tu3300, when it should be Tu2010. Normal or bug?

    The configuration of the hub looks like this:

     crypto keyring ISP1-DMVPN vrf ISP1-DMVPN
      pre-shared-key address 0.0.0.0 0.0.0.0 key
     crypto isakmp policy 10
      encr aes
      authentication pre-share
     crypto isakmp keepalive 10 3 periodic
     crypto isakmp nat keepalive 10
     crypto isakmp profile ISP1-DMVPN
      keyring ISP1-DMVPN
      match identity address 0.0.0.0 ISP1-DMVPN
      keepalive 10 retry 3
     crypto ipsec transform-set AES256-MD5 esp-aes 256 esp-md5-hmac
      mode tunnel
     crypto ipsec transform-set AES256-SHA-TRANSPORT esp-aes 256 esp-sha-hmac
      mode transport
     crypto ipsec profile ISP1-DMVPN
      set transform-set AES256-SHA AES256-SHA-TRANSPORT
      set isakmp-profile ISP1-DMVPN
     vrf definition ISP1-DMVPN
      description DMVPN-Outside-ISP1
      rd 65527:10
      !
      address-family ipv4
      exit-address-family
      !
     !
     interface TenGigabitEthernet0/0/0
      no ip address
     !
     interface TenGigabitEthernet0/0/0.71
      description VPN;ISP1-DMVPN;Outside;VLAN71
      encapsulation dot1Q 71
      vrf forwarding ISP1-DMVPN
      ip address  255.255.255.128
      no ip proxy-arp
      ip access-group acl_ISP1-DMVPN_IN in
     !
     ip route vrf ISP1-DMVPN 0.0.0.0 0.0.0.0  name ISP1;Default
     ip access-list extended acl_ISP1-DMVPN_IN
      permit icmp any any
      permit esp any host
      permit gre any host
      permit udp any host  eq isakmp
      permit udp any host  eq non500-isakmp
      deny ip any any
     vrf definition 2010
      description CUSTA - Customer A
      rd 65527:2010
      route-target export 65527:2010
      route-target import 65527:2010
      !
      address-family ipv4
      exit-address-family
      !
     !
     interface Tunnel2010
      description CUSTA;DMVPN;Failover-secondary
      vrf forwarding 2010
      ip address 10.97.0.34 255.255.255.240
      no ip redirects
      ip mtu 1380
      ip nhrp map multicast dynamic
      ip nhrp network-id 2010
      ip nhrp holdtime 120
      ip nhrp server-only
      ip nhrp max-send 1000 every 10
      ip tcp adjust-mss 1340
      tunnel source TenGigabitEthernet0/0/0.71
      tunnel mode gre multipoint
      tunnel key 2010
      tunnel vrf ISP1-DMVPN
      tunnel protection ipsec profile ISP1-DMVPN shared
     router bgp 65527
      !
      address-family ipv4 vrf 2010
       redistribute connected metric 10
       redistribute static metric 15
       neighbor 10.97.0.39 remote-as 65028
       neighbor 10.97.0.39 description spokerouter;Tunnel1
       neighbor 10.97.0.39 update-source Tunnel2010
       neighbor 10.97.0.39 activate
       neighbor 10.97.0.39 soft-reconfiguration inbound
       neighbor 10.97.0.39 prefix-list EXPORT-IVPN-VRF2010 out
       neighbor 10.97.0.39 route-map AllVRF-LocalPref-80 in
       neighbor 10.97.0.39 maximum-prefix 5000 80
       default-information originate
      exit-address-family

    Spoke configuration:

     crypto keyring DMVPN01
      pre-shared-key address 0.0.0.0 0.0.0.0 key
     crypto isakmp policy 10
      encr aes
      authentication pre-share
     crypto isakmp invalid-spi-recovery
     crypto isakmp profile DMVPN01
      keyring DMVPN01
      match identity address 0.0.0.0
      keepalive 10 retry 3
     crypto ipsec transform-set AES256-SHA esp-aes 256 esp-sha-hmac
      mode tunnel
     crypto ipsec transform-set AES256-SHA-TRANSPORT esp-aes 256 esp-sha-hmac
      mode transport
     crypto ipsec profile DMVPN01
      set transform-set AES256-SHA-TRANSPORT
      set isakmp-profile DMVPN01
     vrf definition inside
      rd 65028:1
      route-target export 65028:1
      route-target import 65028:1
      !
      address-family ipv4
      exit-address-family
     !
     interface Tunnel1
      description DMVPN to HUB
      vrf forwarding inside
      ip address 10.97.0.39 255.255.255.240
      no ip redirects
      ip mtu 1380
      ip nhrp map 10.97.0.33
      ip nhrp map multicast
      ip nhrp map 10.97.0.34
      ip nhrp map multicast
      ip nhrp network-id 1
      ip nhrp holdtime 120
      ip nhrp nhs 10.97.0.33
      ip nhrp nhs 10.97.0.34
      ip nhrp registration no-unique
      ip nhrp registration timeout 60
      ip tcp adjust-mss 1340
      tunnel source GigabitEthernet0/0
      tunnel mode gre multipoint
      tunnel key 2010
      tunnel protection ipsec profile DMVPN01 shared
     router bgp 65028
      !
      address-family ipv4 vrf inside
       bgp router-id 172.28.5.137
       network 10.97.20.128 mask 255.255.255.128
       network 10.97.21.0 mask 255.255.255.0
       network 10.97.22.0 mask 255.255.255.0
       network 10.97.23.0 mask 255.255.255.0
       network 172.28.5.137 mask 255.255.255.255
       neighbor 10.97.0.33 remote-as 65527
       neighbor 10.97.0.33 description HUB1;Tunnel2010
       neighbor 10.97.0.33 update-source Tunnel1
       neighbor 10.97.0.33 timers 10 30
       neighbor 10.97.0.33 activate
       neighbor 10.97.0.33 send-community both
       neighbor 10.97.0.33 soft-reconfiguration inbound
       neighbor 10.97.0.33 prefix-list IROUTE-EXPORT out
       neighbor 10.97.0.33 maximum-prefix 5000 80
       neighbor 10.97.0.34 remote-as 65527
       neighbor 10.97.0.34 description HUB2;tunnel2010
       neighbor 10.97.0.34 update-source Tunnel1
       neighbor 10.97.0.34 timers 10 30
       neighbor 10.97.0.34 activate
       neighbor 10.97.0.34 send-community both
       neighbor 10.97.0.34 soft-reconfiguration inbound
       neighbor 10.97.0.34 prefix-list IROUTE-EXPORT out
       neighbor 10.97.0.34 route-map AllVRF-LocalPref-80 in
       neighbor 10.97.0.34 maximum-prefix 5000 80
      exit-address-family

    If more information is needed, please say so.

    Any help or advice would be greatly appreciated!

    Thank you!

    It is possible that you are hitting this (failure of phase 2 negotiation):

    https://Tools.Cisco.com/bugsearch/bug/CSCup72039/?reffering_site=dumpcr

    [Too little detail to say with certainty.]

    M.
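
A static cross-check of the IPsec profiles in the hub and spoke configurations posted above, as an added example that is not part of the original thread: the hub profile as posted references a transform set named AES256-SHA, while the only transform sets defined on the hub are AES256-MD5 and AES256-SHA-TRANSPORT. The function names and the legacy-transform list are assumptions of this example, and the sample input is constructed from the crypto lines posted above; it checks configuration consistency only and does not establish the cause of the failure discussed in the thread.

```python
# Transforms treated as legacy for new IPsec deployments (policy list assumed for this example).
LEGACY_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac"}

# Constructed sample: the IPsec lines of the hub and spoke configurations from the
# thread, laid out one command per line.
HUB_CONFIG = """\
crypto ipsec transform-set AES256-MD5 esp-aes 256 esp-md5-hmac
 mode tunnel
crypto ipsec transform-set AES256-SHA-TRANSPORT esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile ISP1-DMVPN
 set transform-set AES256-SHA AES256-SHA-TRANSPORT
 set isakmp-profile ISP1-DMVPN
"""

SPOKE_CONFIG = """\
crypto ipsec transform-set AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec transform-set AES256-SHA-TRANSPORT esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN01
 set transform-set AES256-SHA-TRANSPORT
 set isakmp-profile DMVPN01
"""


def parse_blocks(config):
    """Group an IOS config into (top-level command, [indented sub-commands])."""
    blocks = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(line)
        else:
            blocks.append((line, []))
    return blocks


def parse_ipsec(config):
    """Return (transform_sets, profiles) defined in the config."""
    tsets, profiles = {}, {}
    for header, children in parse_blocks(config):
        words = header.split()
        if words[:3] == ["crypto", "ipsec", "transform-set"] and len(words) > 4:
            mode = "tunnel"  # IOS default when no explicit "mode" line is present
            for child in children:
                parts = child.split()
                if parts[0] == "mode" and len(parts) > 1:
                    mode = parts[1]
            tsets[words[3]] = (tuple(words[4:]), mode)
        elif words[:3] == ["crypto", "ipsec", "profile"] and len(words) > 3:
            refs = []
            for child in children:
                parts = child.split()
                if parts[:2] == ["set", "transform-set"]:
                    refs.extend(parts[2:])
            profiles[words[3]] = refs
    return tsets, profiles


def audit(config):
    """List dangling references, legacy transforms and unused transform sets."""
    tsets, profiles = parse_ipsec(config)
    findings = []
    for profile, refs in profiles.items():
        for name in refs:
            if name not in tsets:
                findings.append(("undefined-transform-set", profile, name))
    referenced = {name for refs in profiles.values() for name in refs}
    for name, (transforms, _mode) in tsets.items():
        for transform in transforms:
            if transform in LEGACY_TRANSFORMS:
                findings.append(("legacy-transform", name, transform))
        if name not in referenced:
            findings.append(("unused-transform-set", name, None))
    return findings


def common_proposals(config_a, profile_a, config_b, profile_b):
    """Phase 2 proposals (transforms + mode) that both profiles can actually offer."""
    def offers(config, profile):
        tsets, profiles = parse_ipsec(config)
        return {tsets[name] for name in profiles.get(profile, []) if name in tsets}
    return offers(config_a, profile_a) & offers(config_b, profile_b)


if __name__ == "__main__":
    for finding in audit(HUB_CONFIG):
        print("hub:", finding)
    for finding in audit(SPOKE_CONFIG):
        print("spoke:", finding)
    print("common:", common_proposals(HUB_CONFIG, "ISP1-DMVPN", SPOKE_CONFIG, "DMVPN01"))
```
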

  • ASR vs router ISR for encrypted traffic

    I'm looking for a router that can handle up to 1 Gbps of encrypted traffic through a GRE over IPSec connection.  We currently use a 2951-SEC/K9, which tops out at 80 MB/s @ 70% CPU.  I've been looking at the 3945 ISR but wonder if an ASR 1001-X would be a better choice for this project.  Does anyone have views on ISR vs ASR routers?  Does the 3945 have the same encrypted bandwidth cap that the 2951 has?

    Hello

    I can't provide you with measurements or the like at the moment.
    But I did intensive tests in the past with ISR and ASR with crypto.

    From my experience, I can tell you that the ASR is the much better choice when it comes to crypto, QoS, etc. The ASRs have pretty good crypto chips on board, and you just need to enable them (SEC/K9).

    I did not use the ASR 1001-X but the ASR 1006, and only with the first ESP shipped, and I could easily encrypt 1 Gbps. The ASR 1001-X has a much more powerful ESP with up to 20 Gbps throughput, and up to 8 Gbps of crypto (license activated). You should certainly not run into problems with this unit.

    It is also much more future-proof since you can license more performance. So if you can afford an ASR, I'd certainly go for it.

    Kind regards
    Markus

  • "bgp as path bestpath ignores" in 1006 ASR

    Hi all

    I want to configure BGP to ignore the AS path in best path selection on the ASR 1006 router. But in BGP configuration mode, there isn't an as-path option available. It's showing as an unrecognized command.

    RTR1(config-router)#bgp bestpath ?
      compare-routerid  Compare router-id for identical EBGP paths
      cost-community    cost community
      igp-metric        igp metric
      med               MED attribute
      prefix-validate   Prefix origin validation

    RTR1(config-router)#

    IOS version details are:

    RTR1#sh ver
    Cisco IOS Software, IOS-XE Software (X86_64_LINUX_IOSD-ADVENTERPRISEK9-M), Version 15.2(4)S, RELEASE SOFTWARE (fc4)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2012 by Cisco Systems, Inc.
    Compiled Mon 23-Jul-12 20:02 by mcpre

    IOS XE Version: 03.07.00.S

    Cisco IOS-XE software, Copyright (c) 2005-2012 by cisco Systems, Inc.
    All rights reserved.  Certain components of Cisco IOS-XE software are
    licensed under the GNU General Public License ("GPL") Version 2.0.  The
    software code licensed under GPL Version 2.0 is free software that comes
    with ABSOLUTELY NO WARRANTY.  You can redistribute and/or modify such
    GPL code under the terms of GPL Version 2.0.  For more details, see the
    documentation or "License Notice" file accompanying the IOS-XE software,
    or the applicable URL provided on the flyer accompanying the IOS-XE
    software.

    ROM: IOS-XE ROMMON

    RTR1 uptime is 31 weeks, 17 hours, 51 minutes
    Uptime for this control processor is 31 weeks, 17 hours, 53 minutes
    System returned to ROM by reload
    System restarted at 23:29:29 IST Sat Apr 6 2013
    System image file is "bootflash:/asr1000rp2-adventerprisek9.03.07.00.S.152-4.S.bin"
    Last reload reason: PowerOn

    Any help would be appreciated.

    Thanks to all in advance

    Irfan,

    The command may be hidden, but it may still be accepted if you type it in its entirety. See here, this is a 2691 running IOS 12.4(15)T13:

    R1(config)#router bgp 1
    R1(config-router)#bgp bestpath ?
      compare-routerid  Compare router-id for identical EBGP paths
      cost-community    cost community
      med               MED attribute

    R1(config-router)#bgp bestpath as-path ?
    % Unrecognized command
    R1(config-router)#bgp bestpath as-path ignore ?
    % Unrecognized command
    R1(config-router)#bgp bestpath as-path ignore
    R1(config-router)#do show run | sec router bgp
    router bgp 1
     no synchronization
     bgp log-neighbor-changes
     bgp bestpath as-path ignore
     no auto-summary

    Best regards

    Peter
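Because context help does not list the command, as the exchange above shows, the running configuration is the place to check whether it has been set on a router. The following Python sketch is an added example, not part of the original posts; the sample configurations are constructed and the function names are hypothetical.

```python
import re

# Constructed samples modelled on the "show run | sec router bgp" output above.
CONFIG_WITH_KNOB = """\
hostname R1
!
router bgp 1
 no synchronization
 bgp log-neighbor-changes
 bgp bestpath as-path ignore
 no auto-summary
!
line vty 0 4
 login
"""
CONFIG_WITHOUT_KNOB = CONFIG_WITH_KNOB.replace(" bgp bestpath as-path ignore\n", "")


def bgp_sections(config):
    """Return {"router bgp <asn>": [sub-commands]}, like '| sec router bgp'."""
    sections, current = {}, None
    for line in config.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("!"):
            continue                      # blank lines and '!' separators
        if not line.startswith(" "):      # a top-level command opens or closes a section
            current = stripped if re.fullmatch(r"router bgp \S+", stripped) else None
            if current:
                sections[current] = []
        elif current:
            sections[current].append(stripped)
    return sections


def find_as_path_overrides(config):
    """List (section, command) for each 'bgp bestpath as-path ...' line present."""
    return [(name, cmd)
            for name, cmds in bgp_sections(config).items()
            for cmd in cmds
            if re.match(r"bgp bestpath as-path\b", cmd)]


if __name__ == "__main__":
    for label, cfg in (("with", CONFIG_WITH_KNOB), ("without", CONFIG_WITHOUT_KNOB)):
        print(label, find_as_path_overrides(cfg))
```

Run against saved configurations, this flags any BGP process where AS-path length has been taken out of best-path selection, which a review based on `?` output alone would miss.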

  • Update of IOS on ASR 1002 X

    How to upgrade IOS on ASR 1002 X?

    FROM or set the boot variable and reload. It is standalone only, with no redundant peer available.

    Current version: asr1002x-universalk9.03.07.03.S.152-4.S3.SPA.bin

    Target version: asr1002x-universalk9.03.07.05.S.152-4.S5.SPA.bin

    License Level: adventerprise
    License Type: Permanent
    Next reload license Level: adventerprise

    show redundancy
    Redundant System Information :
    ------------------------------
    Available system uptime = 1 year, 14 weeks, 4 days, 12 hours, 59 minutes
    Switchovers system experienced = 0
    Standby failures = 0
    Last switchover reason = none

    Hardware Mode = Simplex
    Configured Redundancy Mode = Non-redundant
    Operating Redundancy Mode = Non-redundant
    Maintenance Mode = Disabled
    Communications = Down      Reason: Failure

    Current Processor Information :
    -------------------------------
    Active Location = slot 6
    Current Software state = ACTIVE
    Uptime in current state = 1 year, 14 weeks, 4 days, 12 hours, 59 minutes
    Image Version = Cisco IOS Software, IOS-XE Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.2(4)S3, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2013 by Cisco Systems, Inc.
    Updated Saturday, April 19, 13 13:40 by mcpre
    BOOT =
    Configuration register = 0x2102

    Peer (slot: 7) information is not available because it is in 'DISABLED' state

    Kind regards

    Ramanantsoa Somiyani

    If it is standalone, simply change the boot variable. It does not need licensing, it will always time out as there is no redundancy.

  • License expired Message Server

    After starting the MAC OS Server 5.2 Websites service and creating a new website (actually a mirror of an existing site with a very simple server implementation), I open Safari, try the URL and get the message:

    Please ask your server administrator to install the license.

    If you are the administrator, please connect to the administration.

    The Web site service is set to point to the static IP address of my Mac - Pro running MAC OS Server. All files are in place. If I use https://aaa-macpro.local/default , I see the default Web site.

    But if I try arroyohome.com, which is the URL of my website and is set to point to the static address of the Mac Pro running MAC OS Server, I get this server license expired message. I do not use certificates at this stage.

    The problem is resolved. I uninstalled MAC OS Server and started from scratch. After making sure that I was the only person in my network and also by ensuring that the server created a DNS entry for my server, I made the tutorial on websites (Lesson 1) and tested that the default Web sites are created correctly and that everything started working.

    BTW, the server license expiration message was / is incorrect. Browsers were all complaining about certificates and refusing to accept the ones I created. The "500 Server license expired" error is a catch-all message. The site that I am hosting is not encrypted, but MAC OS Server encrypts the default website on port 80, which may have caused a lot of problems when I was deploying my site. In lesson 2

    Step 7. Check the redirection to the secure site

    I disabled this function for my deployed site...

  • Alternative software that replaces the Quicktime 7 Pro registration License Options

    With the news that QuickTime 7 Pro registration keys are no longer on sale, what program can I use that makes the audio/video changes and has the other features that QuickTime 7 Pro had? $30 is a good price for these simple options.

    There is no license for QuickTime Player X Pro because it includes virtually all features for free.

    Is there a specific function that you cannot perform in QT X?

  • Is any smart card reader (US driving license and US insurance card) available for iOS devices?

    I want to develop an iOS iPad kiosk application for patients, where a patient can check in by swiping their driver's license or insurance card through a card reader. Please suggest whether such (reader) hardware is available that can be integrated with an iOS app.

    I know there is a barcode scanner because I've seen it used in the elections a couple of years ago.

    And there are magnetic tape (square) scanners that people use with their iPads.

    You may simply wish to Google and see what happens. Your question is somewhat a matter of niche, so may not find many answers here.

  • Can the license (digital rights) of a Windows 10 virtual machine be transferred to Bootcamp?

    I have Windows 10 in a virtual machine on my Mac. I upgraded to Windows 10 from Windows 7 in the virtual machine. So my Windows 10 license is a (so-called) digital right and is connected to my Microsoft account. I am eligible to activate Windows on the same hardware again. Now my question is: can I use the same digital rights to install and activate Windows on Bootcamp on the same Mac? Does anyone have an idea of what counts as the same hardware for Windows 10?

    Ask Microsoft about their licensing policies and how their licenses work.

  • License number

    I want to make sure you have the non-free license for Firefox, it means we'll get high performance.

    If someone wants you to pay for Firefox, stay away!

  • Can I get a license for my track finished for use of Film/TV?

    Hi, I would like someone from Apple please answer this question for me, I think I asked before when it bought the software but cannot find the transcript.

    If I create a song/track in Logic Pro X mainly using sound libraries provided as part of the program, can I license my finished track out for TV/film use without any legal comeback from Apple?

    Thank you

    Yes, you are ready to go!  You just can't take a drum loop and resell it as a drum loop - it must be in something other than assets distributed by apple. You can take this drum loop, use it in a movie or a song and it is free of rights.

    You can't buy a brick and sell like a brick - but you can buy a brick, use it in a home and sell the House.

    (How's this for a silly analogy)

    Logic Pro X and MainStage 3:

    Using free content included in

    Commercial works

    Learn more about the ways in which you are allowed to use the free content provided with Logic Pro X and MainStage 3.

    The State of license agreements for software Logic Pro X and MainStage 3:

    The Apple software may contain sample content including but not limited to the work, audio files, audio loops, built-in sound files, graphics, images, impulse responses, photographs, samples, sound games, sound settings, video files or similar assets ("sample content"). This sample content is owned by Apple and/or its licensors and is protected by applicable intellectual property and other laws, including but not limited to copyright. Except as otherwise provided, sample all the content included in the Apple software can be used on a basic free to create your own soundtracks for your film projects, video, audio and. You may broadcast and/or distribute your own tapes created using the contents of the sample; However, individual active content sample not commercially or otherwise distributable on a standalone basis, nor may they be repackaged in whole or in part as audio samples, clipart, music, sound effects, sound files, sound libraries, animation stock or similar assets.
