Redundancy of RADIUS in IOS config
Hello
I need to implement servers Radius (ISE PSN) failover/redundancy on switches Cisco 4 radius servers. We have no dedicated load balancers in use. As far as I understand there are two options in IOS:
1. use "radius server retry reorganize method" in IOS
2 using the load balancing feature integrated IOS ' method load-balance-server radius less outstanding.
The question is what is the advisable to use it in case of ISE? What are the advantages and disadvantages?
Thank you!
As long as you have all of your ISE servers configured in the n and they are all synced, you should be good to go. I made many deployments of ISE and never had to use one of the commands you listed.
That being said, if the "radius server balance the load method allows less pending" If you want to try to share the load between the servers of the ISE.
I hope this helps!
Thank you for evaluating useful messages!
Tags: Cisco Security
Similar Questions
-
Redundant replication AIP SSM - 20 Config?
I have two ASA in a redundant configuration. Each of them has a PURPOSE SSM-20 in. If I make changes to the SSM-20 'live' is there a way to write the config more than the ASA which is in standby mode?
SSM-20 before need to have its own unique IP address or can she share address of the SSM "primary"?
NO.. configs are not replicated for SSM... CSCsb61072 has been filed for this
SSM-20 secondary cannot share primary IP address or vice versa
-
Redundancy for transparent firewall IOS
One way to implement redundancy in IOS (12.3.7.T) transparent firewall?
If this isn't the case, is that it works with PIX 7.0 with failover?
Thank you
No and no. No mechanism for failover in FW IOS and two code bases are independent of each other so that they work together as a failover pair. You will need two PIX to failover.
I hope this helps.
Scott
-
Cisco IOS - failed login Admin
Hello
I configured Cisco IOS to authenticate via a server RADIUS (Cisco's ISE). By mistakely I put all authentication via RADIUS only.
Now, I can not connect via RADIUS but unable to connect through credetials local Admin of Cisco IOS and for this reason I am not able to access the privileged commands.
Is there a way back so this connection by admin (SMAP) would be possible and not on the SHELF?
I do not have access to 'configure', 'enable the RADIUS user commands '.
That worked before? BTW, what code IOS are you running?
What error you see on the IOS command line interface when ISE is DOWN and you're trying to connect with the local user account?
Do you have local authentication as a method of failover? You have paper before IOS config you locked?
You can check that the ISE live authentication records if the user is authenticated by the radius server. Can you use the RADIUS credentials, go to LSE > operations > authentication > records messages.
Did you write the changes? If this is not the case, the last resort would be to RELOAD.
~ BR
Jatin kone* Does the rate of useful messages *.
-
L2TP/IPSEC: IOS <>- Android
Hello
is there a working solution L2TP/IPSEC VPN between Cisco IOS and Android 2.1?
I'm trying to get my mobile online, but the connection is complete after 10 sek.
Any tips?
Harald
My IOS config:
VPDN enable
!
VPDN-group l2tpvpn
! Default L2TP VPDN group
accept-dialin
L2tp Protocol
virtual-model 1
no authentication of l2tp tunnel
!username privilege 15 secret password user
door-key crypto l2tpvpn
pre-shared key address 0.0.0.0 0.0.0.0 test key
!
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
life 3600test key crypto isakmp 0.0.0.0 address 0.0.0.0
Crypto ipsec transform-set esp-3des esp-sha-hmac L2TP-TS
!
Dynvpn crypto dynamic-map 1
Set nat demux
game of transformation-L2TP-TSmap CRYPTOMAP 20-isakmp ipsec crypto dynamic dynvpn
interface virtual-Template1
IP unnumbered Ethernet0
the peer default VPN ip address pool
KeepAlive 5
PPP authentication ms-chap-v2interface BVI1
IP address 212.xxx.xxx.xxx 255.255.255.0
NAT outside IP
IP virtual-reassembly
by default auto-configured IPv6 address
enable IPv6
card crypto CRYPTOMAP
!
local pool IP VPN 172.17.0.1 172.17.0.10Some debugs:
IOS #.
Jul 2 16:00:01.800 it IS: ISAKMP:(0:13:HW:2): IPSec policy invalidated proposal
Jul 2 16:00:01.800 it IS: ISAKMP:(0:13:HW:2): IPSec policy invalidated proposal
Jul 2 16:00:01.800 it IS: ISAKMP:(0:13:HW:2): IPSec policy invalidated proposal
Jul 2 16:00:01.804 it IS: ISAKMP:(0:13:HW:2): IPSec policy invalidated proposal
Jul 2 16:00:01.804 it IS: ISAKMP:(0:13:HW:2): IPSec policy invalidated proposal
Jul 2 16:00:01.808 it IS: ISAKMP:(0:13:HW:2): IPSec policy invalidated proposal
Jul 2 16:00:01.808 it IS: ISAKMP:(0:13:HW:2): politics of ITS phase 2 is not acceptable! (local 212.xxx.xxx.xxx remote 80.xxx.xxx.xxx)
Jul 2 16:00:01.816 it IS: ISAKMP: (0:13:HW:2): node-1463956874 error suppression REAL reason "QM rejected."
Jul 2 16:00:01.816 it IS: ISAKMP (0:268435469): unknown entry IKE_MESG_FROM_PEER, IKE_QM_EXCH: node-1463956874: State = IKE_QM_R EADY
Jul 2 16:00:01.820 it IS: % CRYPTO-6-IKMP_MODE_FAILURE: fast processing mode failed with the peer to 80.xxx.xxx.xxxIOS #.
Jul 2 16:00:32.695 it IS: L2X: Parse AVP flag 0, len 8, 0 x 8000 (M)
16:00:32.695 2 Jul CEST: L2X: Parse SCCRQ
Jul 2 16:00:32.695 it IS: L2X: Parse AVP 2 flag, len 8, 0 x 8000 (M)
16:00:32.699 2 Jul CEST: L2X: Protocol Version 1
Jul 2 16:00:32.699 it IS: L2X: Parse AVP 7, len 15, flag 0 x 8000 (M)
Jul 2 16:00:32.699 it IS: L2X: anonymous host name
Jul 2 16:00:32.699 it IS: L2X: Parse AVP 3, len 10, flag 0 x 8000 (M)
16:00:32.699 2 Jul CEST: L2X: framing course 0 x 3
Jul 2 16:00:32.703 it IS: L2X: Parse AVP 9 flag, len 8, 0 x 8000 (M)
16:00:32.703 2 Jul CEST: L2X: Tunnel ID 3545 assigned
Jul 2 16:00:32.703 it IS: L2X: Parse AVP 10 flag, len 8, 0 x 8000 (M)
16:00:32.703 2 Jul CEST: L2X: Rx 1 window size
Jul 2 16:00:32.703 it IS: L2X: no missing AVPs in SCCRQ
Jul 2 16:00:32.703 it IS: L2X: I SCCRQ, flg TLS, worm 2, len 69, NL 0 ns 0, nr 0
contiguous Pak, size 69
C8 02 00 45 00 00 00 00 00 00 00 00 80 08 00 00
00 00 00 01 80 08 00 00 00 02 01 00 80 00 00 0F
00-07-61 6TH 6TH 6F 6F 79 6 75 73 80 0 A 00 00 00
03 00 00 00 03 80 08 00 00 00 09 0D 80 08 00 D9
00 00 0 A 00 01
Jul 2 16:00:32.707 it IS: L2TP: I LNP SCCRQ anonymous 3545
Jul 2 16:00:32.711 it IS: LNP 55994 L2TP: authorization of Tunnel began to host anonymous
Jul 2 16:00:32.711 it IS: LNP 55994 L2TP: new tunnel created for remote anonymous, address 80.xxx.xxx.xxx
Jul 2 16:00:32.715 it IS: L2X: response to author Tunnel L2X info not found
Jul 2 16:00:32.715 it IS: LNP 55994 L2TP: O SCCRP anonymous 3545 tnlid
Jul 2 16:00:32.715 it IS: LNP 55994 L2TP: AVP Parse 0, len 8, flag 0 x 8000 (M)
16:00:32.715 2 Jul CEST: LNP 55994 L2TP: Parse SCCRP
Jul 2 16:00:32.719 it IS: LNP 55994 L2TP: Parse AVP 2, len 8, flag 0 x 8000 (M)
16:00:32.719 2 Jul CEST: LNP 55994 L2TP: Protocol Version 1
Jul 2 16:00:32.719 it IS: L2TP 55994 LNP: Parse AVP 6 flag, len 8, 0 x 0
16:00:32.719 2 Jul CEST: LNP 55994 L2TP: Firmware Ver 0 x 1120
Jul 2 16:00:32.719 it IS: LNP 55994 L2TP: Parse AVP 7, len 9, flag 0 x 8000 (M)
16:00:32.719 2 Jul CEST: LNP 55994 L2TP: Hostname IOS
Jul 2 16:00:32.723 it IS: L2TP 55994 LNP: flag of Parse AVP 8, len 25, 0 x 0
16:00:32.723 2 Jul CEST: LNP 55994 L2TP: name provider Cisco Systems, Inc.
Jul 2 16:00:32.727 it IS: LNP 55994 L2TP: Parse AVP 10, len 8, flag 0 x 8000 (M)
16:00:32.727 2 Jul CEST: LNP 55994 L2TP: Rx 300 window size
Jul 2 16:00:32.727 it IS: LNP 55994 L2TP: Parse AVP 9, len 8, flag 0 x 8000 (M)
16:00:32.727 2 Jul CEST: LNP 55994 L2TP: assigned Tunnel ID 55994
Jul 2 16:00:32.727 it IS: LNP 55994 L2TP: Parse AVP 3, len 10, flag 0 x 8000 (M)
16:00:32.727 2 Jul CEST: LNP 55994 L2TP: framing course 0 x 0
Jul 2 16:00:32.731 it IS: LNP 55994 L2TP: Parse AVP 4, len 10, flag 0 x 8000 (M)
16:00:32.731 2 Jul CEST: LNP 55994 L2TP: bearer Cap 0 x 0
Jul 2 16:00:32.731 it IS: LNP 55994 L2TP: O SCCRP, flg TLS, worm 2, len 106, LNP 3545, ns 0 nr 1
C8 02 00 6A 00 00 00 00 00 01 80 08 00 00 D9 0D
00 00 00 02 80 08 00 00 00 02 01 00 00 08 00 00
00 06 11 20 80 09 00 00 00 07 49 53 00 19 00 4F
00 00 08 43 69 73 63 6F 20 53 79 73 74 65 6 D 73
2 20 49 6 2 63 80...
Jul 2 16:00:32.735 it IS: LNP 55994 L2TP: setting channel delay retransmission positioned in 1 seconds
Jul 2 16:00:32.735 it IS: LNP 55994 L2TP: Tunnel of status change from idle to wait-ctl-reply
Jul 2 16:00:32.887 it IS: LNP 55994 L2TP: AVP Parse 0, len 8, flag 0 x 8000 (M)
16:00:32.887 2 Jul CEST: LNP 55994 L2TP: Parse SCCCN
Jul 2 16:00:32.887 it IS: LNP 55994 L2TP: no missing AVPs in SCCCN
Jul 2 16:00:32.887 it IS: LNP 55994 L2TP: I SCCCN, flg TLS, worm 2, len 20, LNP 55994 ns 1, n ° 1
contiguous Pak, size 20
C8 02 00 14 DA 00 00 00 01 00 01 80 08 00 00 BA
00 00 00 03
Jul 2 16:00:32.891 it IS: LNP 55994 L2TP: O ZPL ctrl ack, flg TLS, worm 2, len 12, LNP 3545, ns 1, n ° 2
C8 02 00 00 00 00 01 00 02 D9 0D 0C
Jul 2 16:00:32.891 it IS: LNP 55994 L2TP: I LNP SCCCN anonymous 3545
Jul 2 16:00:32.895 it IS: LNP 55994 L2TP: Tunnel of change of State of wait-ctl-reply to set up
Jul 2 16:00:32.895 it IS: LNP 55994 L2TP: SM established State
Jul 2 16:00:33.091 it IS: LNP 55994 L2TP: AVP Parse 0, len 8, flag 0 x 8000 (M)
16:00:33.091 2 Jul CEST: LNP 55994 L2TP: Parse ICRQ
Jul 2 16:00:33.091 it IS: LNP 55994 L2TP: Parse AVP 14, len 8, flag 0 x 8000 (M)
16:00:33.091 2 Jul CEST: LNP 55994 L2TP: assigned Call ID 43765
Jul 2 16:00:33.091 it IS: LNP 55994 L2TP: Parse AVP 15, len 10, flag 0 x 8000 (M)
16:00:33.091 2 Jul CEST: LNP 55994 L2TP: serial number 1986235932
Jul 2 16:00:33.091 it IS: LNP 55994 L2TP: no missing AVPs in ICRQ
Jul 2 16:00:33.095 it IS: LNP 55994 L2TP: I ICRQ, flg TLS, worm 2, len 38, LNP 55994 ns 2, n ° 1
contiguous Pak, size 38
C8 02 00 26 DA 00 00 00 02 00 01 80 08 00 00 BA
00 00 00 0 A 80 08 00 00 00 0E AA 80 0 A 00 00 F5
0F 00 76 63 8F 1 C
Jul 2 16:00:33.095 it IS: LNP 55994 L2TP: I LNP ICRQ anonymous 3545
Jul 2 16:00:33.099 it IS: nl/Sn 55994/18 L2TP: change of State of Session idle for wait-connect
Jul 2 16:00:33.099 it IS: L2TP 55994/18 LNP/Sn: accepted ICRQ, new session created
Jul 2 16:00:33.099 THATS: uid:25 LNP/Sn 55994/18 L2TP: O ICRP to anonymous 3545/43765
Jul 2 16:00:33.099 THATS: uid:25 LNP/Sn 55994/18 L2TP: AVP Parse 0, len 8, flag 0 x 8000 (M)
Jul 2 16:00:33.103 THATS: uid:25 LNP/Sn 55994/18 L2TP: Parse IPRC
Jul 2 16:00:33.103 THATS: uid:25 LNP/Sn 55994/18 L2TP: Parse AVP 14, len 8, flag 0 x 8000 (M)
Jul 2 16:00:33.103 THATS: uid:25 LNP/Sn 55994/18 L2TP: call ID assigned 18
Jul 2 16:00:33.103 THATS: uid:25 LNP/Sn 55994/18 L2TP: O IPRC, flg TLS, len 28, LNP 3545, lsid 18, rsid 43765, worm 2, ns 1, no. 3
C8 02 00 1 C F5 00 01 00 03 80 08 00 00 AA D9 0D
00 00 00 0 B 80 08 00 00 00 0E 00 12
Jul 2 16:00:33.107 it IS: LNP 55994 L2TP: setting channel delay retransmission positioned in 1 seconds
Jul 2 16:00:33.259 THATS: uid:25 LNP/Sn 55994/18 L2TP: AVP Parse 0, len 8, flag 0 x 8000 (M)
Jul 2 16:00:33.259 THATS: uid:25 LNP/Sn 55994/18 L2TP: Parse ICCN
Jul 2 16:00:33.259 THATS: uid:25 LNP/Sn 55994/18 L2TP: Parse AVP 24, len 10, flag 0 x 8000 (M)
Jul 2 16:00:33.259 THATS: uid:25 LNP/Sn 55994/18 L2TP: connect speed 100000000
Jul 2 16:00:33.259 THATS: uid:25 LNP/Sn 55994/18 L2TP: Parse AVP 19, len 10, flag 0 x 8000 (M)
Jul 2 16:00:33.259 THATS: uid:25 LNP/Sn 55994/18 L2TP: framing Type 3
Jul 2 16:00:33.263 THATS: uid:25 LNP/Sn 55994/18 L2TP: no missing AVPs to ICCN
Jul 2 16:00:33.263 THATS: uid:25 LNP/Sn 55994/18 L2TP: I ICCN, flg TLS, worm 2, len 40, LNP 55994, 18, rsid 43765 lsid, ns 3, n ° 2
contiguous Pak, size 40
C8 02 00 28 DA 00 12 00 03 00 02 80 08 00 00 BA
00 00 00 0 C 80 0 A 00 00 00 18 05 F5 E1 00 0 A 80
00 00 00 13 00 00 00 03
Jul 2 16:00:33.263 THATS: uid:25 LNP/Sn 55994/18 L2TP: O ZPL ctrl ack, flg TLS, worm 2, len 12, LNP 3545, 18, rsid 43765 lsid, ns 2, nr 4
C8 02 00 00 00 00 02 00 04 D9 0D 0C
Jul 2 16:00:33.267 THATS: uid:25 LNP/Sn 55994/18 L2TP: I have anonymous LNP 3545 ICCN, cl 43765
Jul 2 16:00:33.267 THATS: uid:25 LNP/Sn 55994/18 L2TP: change of State of waiting Session - connect to wait-for-service-selection-iccn
Jul 2 16:00:33.275 THATS: uid:25 LNP/Sn 55994/18 L2TP: O SLI to anonymous 3545/43765
Jul 2 16:00:33.275 THATS: uid:25 LNP/Sn 55994/18 L2TP: sending send 0xFFFFFFFF ACCM and receive ACCM 0xFFFFFFFF
Jul 2 16:00:33.275 it IS: LNP 55994 L2TP: AVP Parse 0, len 8, flag 0 x 8000 (M)
16:00:33.275 2 Jul CEST: LNP 55994 L2TP: Parse SLI
Jul 2 16:00:33.275 it IS: LNP 55994 L2TP: Parse AVP 35, len 16, flag 0 x 8000 (M)
Jul 2 16:00:33.279 it IS: LNP 55994 L2TP: O SLI, flg TLS, worm 2, len 36, LNP 3545, ns 2 nr 4
C8 02 00 24 AA D9 00 02 00 04 80 08 00 00 0D F5
00 00 00 10 80 10 00 00 00 23 00 00 FF FF FF FF
FF FF FF FF
Jul 2 16:00:33.279 it IS: LNP 55994 L2TP: setting channel delay retransmission positioned in 1 seconds
Jul 2 16:00:33.283 THATS: ppp25 PPP: send a Message [dynamic Bind response]
Jul 2 16:00:33.283 THATS: ppp25 PPP: via vpn, set the direction of the call
Jul 2 16:00:33.283 THATS: ppp25 PPP: treatment of connection as a callin
Jul 2 16:00:33.283 THATS: ppp25 PPP: id of Session Session handle [A300003D] [25]
Jul 2 16:00:33.283 THATS: ppp25 PPP: Phase is ESTABLISHING, Passive open
Jul 2 EST 16:00:33.283: ppp25 TPIF: State is listening
Jul 2 EST 16:00:33.475: ppp25 TPIF: I CONFREQ [listen] id 1 len 24
Jul 2 EST 16:00:33.475: ppp25 TPIF: MRU 1400 (0 x 01040578)
Jul 2 EST 16:00:33.479: ppp25 TPIF: ACCM 0x00000000 (0 x 020600000000)
Jul 2 EST 16:00:33.479: ppp25 TPIF: MagicNumber 0x81EDA0D1 (0x050681EDA0D1)
Jul 2 EST 16:00:33.479: ppp25 TPIF: PFC (0 x 0702)
Jul 2 EST 16:00:33.479: ppp25 TPIF: RAC (0 x 0802)
Jul 2 16:00:33.479 THATS: ppp25 PPP: required authorization
Jul 2 EST 16:00:33.479: ppp25 TPIF: O CONFREQ [listen] id 1 len 25
Jul 2 EST 16:00:33.483: ppp25 TPIF: ACCM 0x000A0000 (0x0206000A0000)
Jul 2 EST 16:00:33.483: ppp25 TPIF: AuthProto MS-CHAP-V2 (0x0305C22381)
Jul 2 EST 16:00:33.483: ppp25 TPIF: MagicNumber 0x1D3AB2DD (0x05061D3AB2DD)
Jul 2 EST 16:00:33.483: ppp25 TPIF: PFC (0 x 0702)
Jul 2 EST 16:00:33.483: ppp25 TPIF: RAC (0 x 0802)
Jul 2 EST 16:00:33.483: ppp25 TPIF: O CONFNAK [listen] id 1 len 8
Jul 2 EST 16:00:33.487: ppp25 TPIF: MRU 1500 (0x010405DC)
Jul 2 EST 16:00:33.635: ppp25 TPIF: I CONFACK [REQsent] id 1 len 25
Jul 2 EST 16:00:33.635: ppp25 TPIF: ACCM 0x000A0000 (0x0206000A0000)
Jul 2 EST 16:00:33.639: ppp25 TPIF: AuthProto MS-CHAP-V2 (0x0305C22381)
Jul 2 EST 16:00:33.639: ppp25 TPIF: MagicNumber 0x1D3AB2DD (0x05061D3AB2DD)
Jul 2 EST 16:00:33.639: ppp25 TPIF: PFC (0 x 0702)
Jul 2 EST 16:00:33.639: ppp25 TPIF: RAC (0 x 0802)
Jul 2 EST 16:00:33.647: ppp25 TPIF: I CONFREQ [ACKrcvd] id 2 len 20
Jul 2 EST 16:00:33.647: ppp25 TPIF: ACCM 0x00000000 (0 x 020600000000)
Jul 2 EST 16:00:33.647: ppp25 TPIF: MagicNumber 0x81EDA0D1 (0x050681EDA0D1)
Jul 2 EST 16:00:33.647: ppp25 TPIF: PFC (0 x 0702)
Jul 2 EST 16:00:33.647: ppp25 TPIF: RAC (0 x 0802)
Jul 2 EST 16:00:33.651: ppp25 TPIF: O CONFACK [ACKrcvd] id 2 len 20
Jul 2 EST 16:00:33.651: ppp25 TPIF: ACCM 0x00000000 (0 x 020600000000)
Jul 2 EST 16:00:33.651: ppp25 TPIF: MagicNumber 0x81EDA0D1 (0x050681EDA0D1)
Jul 2 EST 16:00:33.651: ppp25 TPIF: PFC (0 x 0702)
Jul 2 EST 16:00:33.651: ppp25 TPIF: RAC (0 x 0802)
Jul 2 EST 16:00:33.651: ppp25 TPIF: State is open
Jul 2 16:00:33.655 THATS: uid:25 LNP/Sn 55994/18 L2TP: O SLI to anonymous 3545/43765
Jul 2 16:00:33.655 THATS: uid:25 LNP/Sn 55994/18 L2TP: sending sending ACCM 0x00000000 and receive ACCM 0x000A0000
Jul 2 16:00:33.655 THATS: ppp25 PPP: Phase is AUTHENTICATING,
Jul 2 16:00:33.659 THATS: ppp25 MS-CHAP-V2: O CHALLENGE id 1 len 24 'IOS '.
Jul 2 16:00:33.847 THATS: ppp25 MS-CHAP-V2: I ANSWER id 1 len 59 of 'user '.
Jul 2 16:00:33.847 THATS: ppp25 PPP: Phase TRANSFER, tempting with impatience
Jul 2 16:00:33.851 THATS: ppp25 PPP: Phase is AUTHENTICATING, unauthenticated user
Jul 2 16:00:33.851 THATS: ppp25 PPP: request sent MSCHAP_V2 LOGIN
Jul 2 16:00:33.891 THATS: ppp25 PPP: received LOGIN response PASS
Jul 2 16:00:33.891 THATS: ppp25 PPP: Phase TRANSFER, tempting with impatience
Jul 2 16:00:33.891 THATS: ppp25 PPP: send a Message [Local connection]
Jul 2 16:00:33.899 THATS: Vi3.1 LNP/Sn 55994/18 L2TP: virtual interface created for the unknown, bandwidth 100000 Kbps
Jul 2 16:00:33.899 THATS: ppp25 PPP: link [Virtual - Access3.1]
2 Jul EST 16:00:33.903: Vi3.1 PPP: Send Message [static response Bind]
Jul 2 16:00:33.903 THATS: Vi3.1 LNP/Sn 55994/18 L2TP: change of State of Session waiting-for-service-selection-iccn Workbench
Jul 2 16:00:33.903 THATS: Vi3.1 LNP/Sn 55994/18 L2TP: VPDN session upwards
Jul 2 16:00:33.907 THATS: Vi3.1 PPP: Phase is AUTHENTICATING, authenticated user
2 Jul EST 16:00:33.911: Vi3.1 PPP: LCP AUTHOR asked
2 Jul EST 16:00:33.911: Vi3.1 PPP: sent CPIW AUTHOR request
2 Jul EST 16:00:33.911: Vi3.1 TPIF: received AAA AUTHOR response PASS
2 Jul EST 16:00:33.915: Vi3.1 IPCP: received AAA AUTHOR response PASS
Jul 2 16:00:33.915 THATS: Vi3.1 MS-CHAP-V2: SUCCESS O id 1 len 46 msg is "S = D216E8EA91BF8126B5CF3D0CAA7AFF2B580216AA".
Jul 2 16:00:33.919 THATS: Vi3.1 PPP: Phase is in PLACE
Jul 2 16:00:33.919 THATS: Vi3.1 CPIW: O CONFREQ [Closed] id 1 len 10
2 Jul EST 16:00:33.919: Vi3.1 CPIW: address 192.168.0.254 (0x0306AC1000FE)
Jul 2 16:00:33.919 THATS: Vi3.1 PPP: process pending ncp packets
Jul 2 16:00:34.067 THATS: Vi3.1 CCP: I CONFREQ [not negotiated] id 1 len 15
2 Jul EST 16:00:34.067: Vi3.1 CCP: deflate 0 x 7800 (0x1A047800)
2 Jul EST 16:00:34.067: Vi3.1 CCP: MVRMA 0 x 7800 (0 x 18047800)
2 Jul EST 16:00:34.067: Vi3.1 CCP: BSDLZW 47 (0x15032F)
Jul 2 EST 16:00:34.071: Vi3.1 TPIF: Protocol of 21 O PROTREJ [open] id len 2 CCP
2 Jul EST 16:00:34.071: Vi3.1 TPIF: (0x80FD0101000F1A047800180478001503)
2 Jul EST 16:00:34.071: Vi3.1 TPIF: (0x2F)
Jul 2 16:00:34.071 THATS: Vi3.1 CPIW: I CONFREQ [REQsent] id 1 len 28
Jul 2 16:00:34.071 THATS: Vi3.1 CPIW: CompressType VJ 15 slots CompressSlotID (0x0206002D0F01)
2 Jul EST 16:00:34.075: Vi3.1 CPIW: address 0.0.0.0 (0 x 030600000000)
2 Jul EST 16:00:34.075: Vi3.1 IPCP: PrimaryDNS 0.0.0.0 (0 x 810600000000)
2 Jul EST 16:00:34.075: Vi3.1 CPIW: SecondaryDNS 0.0.0.0 (0 x 830600000000)
2 Jul EST 16:00:34.075: Vi3.1 AAA/AUTHOR/CPIW: start. We want his address 0.0.0.0 0.0.0.0
2 Jul EST 16:00:34.075: Vi3.1 AAA/AUTHOR/CPIW: fact. We want his address 0.0.0.0 0.0.0.0
Jul 2 16:00:34.079 THATS: Vi3.1 CPIW: pool returned 172.17.0.1
Jul 2 16:00:34.079 THATS: Vi3.1 CPIW: O CONFREJ [REQsent] id 1 len 10
Jul 2 16:00:34.079 THATS: Vi3.1 CPIW: CompressType VJ 15 slots CompressSlotID (0x0206002D0F01)
Jul 2 16:00:34.079 THATS: Vi3.1 CPIW: I CONFACK [REQsent] id 1 len 10
2 Jul EST 16:00:34.079: Vi3.1 CPIW: address 172.16.0.254 (0x0306AC1000FE)
Jul 2 16:00:34.283 THATS: Vi3.1 CPIW: I CONFREQ [ACKrcvd] id 2 len 22
2 Jul EST 16:00:34.283: Vi3.1 CPIW: address 0.0.0.0 (0 x 030600000000)
2 Jul EST 16:00:34.287: Vi3.1 IPCP: PrimaryDNS 0.0.0.0 (0 x 810600000000)
2 Jul EST 16:00:34.287: Vi3.1 CPIW: SecondaryDNS 0.0.0.0 (0 x 830600000000)
Jul 2 16:00:34.287 THATS: Vi3.1 CPIW: O CONFNAK [ACKrcvd] id 2 len 22
2 Jul EST 16:00:34.287: Vi3.1 CPIW: address of 172.17.0.1 (0x0306AC110001)
2 Jul EST 16:00:34.287: Vi3.1 IPCP: PrimaryDNS 1.1.1.1 (0x8106D918C242)
2 Jul EST 16:00:34.287: Vi3.1 CPIW: SecondaryDNS 2.2.2.2 (0x83065262438E)
Jul 2 16:00:34.291 it IS: LNP 55994 L2TP: 3 added to resendQ, updated nr 4 and sent through peer review
Jul 2 16:00:34.295 it IS: LNP 55994 L2TP: O SLI, flg TLS, worm 2, len 36, LNP 3545, ns 3 nr 4
C8 02 00 24 0D AA 00 03 00 04 80 08 00 00 F5 D9
00 00 00 10 80 10 00 00 00 23 00 00 00 00 00 00
0 A 00 00 00
Jul 2 16:00:34.447 THATS: Vi3.1 CPIW: I CONFREQ [ACKrcvd] id 3 len 22
2 Jul EST 16:00:34.447: Vi3.1 CPIW: address of 172.17.0.1 (0x0306AC110001)
2 Jul EST 16:00:34.447: Vi3.1 IPCP: PrimaryDNS 1.1.1.1 (0x8106D918C242)
2 Jul EST 16:00:34.451: Vi3.1 CPIW: SecondaryDNS 2.2.2.2 (0x83065262438E)
Jul 2 16:00:34.451 THATS: Vi3.1 CPIW: O CONFACK [ACKrcvd] id 3 len 22
2 Jul EST 16:00:34.451: Vi3.1 CPIW: address of 172.17.0.1 (0x0306AC110001)
2 Jul EST 16:00:34.451: Vi3.1 IPCP: PrimaryDNS 1.1.1.1 (0x8106D918C242)
2 Jul EST 16:00:34.451: Vi3.1 CPIW: SecondaryDNS 2.2.2.2 (0x83065262438E)
Jul 2 16:00:34.451 THATS: Vi3.1 CPIW: State is open
Jul 2 16:00:34.459 THATS: Vi3.1 CPIW: install road to 172.17.0.1
Jul 2 16:00:35.303 it IS: LNP 55994 L2TP: setting channel delay retransmission positioned in 1 secondsIOS #ping 172.17.0.1
Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 172.17.0.1, wait time is 2 seconds:
!!!!!
Success rate is 100 per cent (5/5), round-trip min/avg/max = 156/160/172 ms
IOS #.Jul 2 EST 16:00:45.547: Vi3.1 TPIF: I TERMREQ [open] id 3 len 16 (0 x 557365722072657175657374)
Jul 2 EST 16:00:45.547: Vi3.1 TPIF: O TERMACK [open] id 3 len 4
Jul 2 16:00:45.547 THATS: Vi3.1 PPP: sending Acct event [low] id [F0D]
Jul 2 16:00:45.547 THATS: Vi3.1 PPP: Phase ENDS
Jul 2 16:00:45.955 it IS: LNP 55994 L2TP: AVP Parse 0, len 8, flag 0 x 8000 (M)
16:00:45.955 2 Jul CEST: LNP 55994 L2TP: Parse StopCCN
Jul 2 16:00:45.955 it IS: LNP 55994 L2TP: Parse AVP 9, len 8, flag 0 x 8000 (M)
16:00:45.959 2 Jul CEST: LNP 55994 L2TP: Tunnel ID 3545 assigned
Jul 2 16:00:45.959 it IS: LNP 55994 L2TP: Parse AVP 1, len 8, flag 0 x 8000 (M)
Jul 2 16:00:45.959 it IS: L2X: lead (6): 6: applicant is either stopped
Jul 2 16:00:45.959 it IS: code (0) error: no error
Jul 2 16:00:45.959 it IS: LNP 55994 L2TP: no missing AVPs in StopCCN
Jul 2 16:00:45.959 it IS: LNP 55994 L2TP: I StopCCN, flg TLS, worm 2, len 36, LNP 55994 ns 4, no. 4
contiguous Pak, size 36
C8 02 00 24 DA 00 00 00 04 00 04 80 08 00 00 BA
00 00 00 04 80 08 00 00 00 09 0D 80 08 00 00 D9
00 01 00 06
Jul 2 16:00:45.963 it IS: LNP 55994 L2TP: O ZPL ctrl ack, flg TLS, worm 2, len 12, LNP 3545, ns 4, no. 5
C8 02 00 00 00 00 04 00 05 D9 0D 0C
Jul 2 16:00:45.967 it IS: LNP 55994 L2TP: I LNP StopCCN anonymous 3545
Jul 2 16:00:45.967 it IS: LNP 55994 L2TP: changing the status of the Tunnel created for withdrawal
Jul 2 16:00:45.967 it IS: LNP 55994 L2TP: tunnel of Shutdown
Jul 2 16:00:45.967 THATS: Vi3.1 LNP/Sn 55994/18 L2TP: disconnect (L2X) IETF: 9/Ascend nas-error: 65/VPDN Tunnel down / installation fails
Jul 2 16:00:45.967 THATS: Vi3.1 LNP/Sn 55994/18 L2TP: destruction of session
Jul 2 16:00:45.967 THATS: Vi3.1 LNP/Sn 55994/18 L2TP: change of State of Session bench in slow motion
Jul 2 16:00:45.971 THATS: Vi3.1 LNP/Sn 55994/18 L2TP: judgment of accounting sent
Jul 2 16:00:45.971 THATS: Vi3.1 LNP/Sn 55994/18 L2TP: session without commitment of the IDB
Jul 2 16:00:45.971 THATS: Vi3.1 VPDN: interface reset
Jul 2 16:00:45.975 THATS: Vi3.1 PPP: block vaccess to be released [0 x 19]
Jul 2 16:00:45.975 it IS: LNP 55994 L2TP: Tunnel State closing down all by destroying the session
Jul 2 16:00:45.975 it IS: LNP 55994 L2TP: changing the State of closing down to the idle-Tunnel
Jul 2 16:00:46.179 THATS: Vi3.1 PPP: link broken down notification
Jul 2 EST 16:00:46.179: Vi3.1 TPIF: State is closed
Jul 2 16:00:46.179 THATS: Vi3.1 PPP: Phase is BROKEN
Jul 2 16:00:46.179 THATS: Vi3.1 CPIW: State is closed
2 Jul EST 16:00:46.183: Vi3.1 PPP: unlocked by 0 x [1] always locked by 0 x [18]
2 Jul EST 16:00:46.183: Vi3.1 PPP: unlocked by [0x10] always locked by [0 x 8]
2 Jul EST 16:00:46.183: Vi3.1 PPP: Send Message [logout]
2 Jul EST 16:00:46.183: Vi3.1 PPP: unlocked by [0x8] always locked by 0 x [0]
Jul 2 16:00:46.183 THATS: Vi3.1 PPP: free previously blocked vaccess
Jul 2 16:00:46.187 THATS: Vi3.1 CPIW: Remove the road to 172.17.0.1Harold,
I need of debugs more to be sure, but it seems that the quick mode ipsec fails (phase 2). Try changing your transformation set to use "transport mode", because I believe that required for l2tp/ipsec.
If it does not, it should be him debugs full for "debug crypto isakmp" and "debug crypto ipsec".
-Jason
-
Permission of AAA with ACS Shell-games
Hi all
I use a router cisco 871 running that version 12.4 (11) T advanced IP Services.
I have difficulty getting permission to AAA to work properly with ACS.
I am able to configure ACS fine users and assign them shell and private level 7.
I then install a set of Shell Auth and enter the issuance of orders and configure.
When I log in as a user, I get an exec with a level of 7 priv no problem, but I never seem to be able to
to access global configuration mode by typing in conf (or set up) terminal or t.
If I type con? It is the only command connect, configure is never an option...
The only way I can get this to work is by entering the command:
privilege exec level 7 Configure terminal
I thought the whole purpose of the ACS Shell Set to provide this information to the router?
It's frustrating
The ACS server is set up with the Shell Set named Level_7 order authorization
It is attributed to the relevant groups and I have the 'Unmatched orders' option selected in the 'license '.
The "unmatched Args allowed" is also selected.
See an extract of my IOS config below:
AAA new-model
!
!
AAA group Ganymede Server + ACS
Server 10.90.0.11
!
AAA authentication login default group local ACS
AAA authorization exec default group ACS
AAA authorization commands 7 by default local ACS group
!
Cisco radius-server host 10.90.0.11 keys
!
!
privilege exec level 7 Configure terminal
privilege exec level 7 set up
privilege exec level 7 show running-config
privileges exec level 7 show
!
Hope you can help me with this one...
PS I tried with orders of privilege on the router and remove the router and just keep getting the same results!
Hello
So now,
You're actually using two different options and trying to couple then together. What I would say is you either use authorization Command Shell function or play with level privileges. Not mixed together both.
Above scenario might work, if you move orders to focus on level 6 and give the 7 user privilege level. He couldn't be sure. Try it and share the results.
That's what I suggest that orders back to a normal level.
Provided below are the steps to set up the shell command authorization:
-------------------------------------------
Follow these steps on the router:
-------------------------------------------
! - is the desired username
! - is the password
! create - us a local user name and password
! - in case we are not able to get authenticated via
! - our Ganymede server +. To provide a backdoor.
password username 15 privilege
! - To apply the aaa on the router model
AAA new-model
! - Following command is to specify our ACS
! - location of the server, where is the
! - ip address of the ACS server. And
! - is the key which must be the same during the FAC and the router.
radius-server host key
! - To get the authentication of users through ACS, when they try to log - in
! - If our router is unable to join the ACS, we will use
! - our local user name & the password that we created above. This
! - we prevent locking.
AAA authentication login default group Ganymede + local
AAA authorization exec default group Ganymede + local
AAA authorization config-commands
AAA authorization commands 0 default group Ganymede + local
AAA authorization commands 1 default group Ganymede + local
AAA authorization commands 15 default group Ganymede + local
! - Sequence of commands are for posting to the activity of the user.
! - When the user connects to the device.
AAA accounting exec default start-stop Ganymede group.
AAA accounting system default start-stop Ganymede group.
orders accounting AAA 0 arrhythmic default group Ganymede +.
orders accounting AAA 1 by default start-stop Ganymede group.
orders accounting AAA 15 by default start-stop Ganymede group.
--------------------
ACS configuration
--------------------
[1] Goto 'Profile components shared' a-> 'Shell command authorization sets'-> 'Add '.
Provide any name at all.
provide sufficient description (if necessary)
(a) for full administrative access set.
In the unmatched controls, select 'allow '.
(b) for all access limited.
In the unmatched controls, select "decline."
And in the field above 'Add a command' box, type in the box below and the main command "permit unmatched Args" Order under allow.
For example: If we want the user to only have access to the following commads:
opening of session
Logout
output
Enable
Disable
Show
Then, the configuration should be:
-----------------------------------------------
-Allowed unparalleled Args.
-----------------------------------------------
connection permit
permit disconnection
exit permits
Select the permit
disable the permit
license terminal configuration
ethernet interface license
permits 0
to see the running-config
------------------------------------------------
in example above, user will be allowed to run only from commands. If the user tries to run the interface ethernet 1', the user will get "failed command authorization.
[2] press 'submit '.
[3] Goto Group on which we want to apply these command authorization set. Select 'change settings '.
(more...)
-
Direct Login mode with CAT OS using Ganymede +.
Hello
I use RADIUS for authentication on IOS, and switches CAT OS. When I connect the IOS ones, coming directly to the activation of the mode.
When I connect to the switch CAT OS with the same user, I get only in exec mode. So, I have to enter the mode activate manually with the "Ganymede user password" as "enable password.
My wish is to connect directly to the activation of the mode with switches CAT!
Thanks in advance...
IOS config:
-----------
AAA new-model
RADIUS-server key xxxx
RADIUS-server host a.b.c.d
AAA of default login authentication group Ganymede + activate
AAA authorization exec default group Ganymede + authenticated if
AAA authorization commands 15 default group Ganymede + authenticated if
AAA accounting exec default start-stop Ganymede group.
orders accounting AAA 15 by default start-stop Ganymede group.
line vty 0 4
by default the authentication of connection
Config from cat BONE:
--------------
define a.b.c.d primary RADIUS server
Ganymede Set tent 5
Disable directedrequest Set Ganymede
Set Ganymede key xxxxxx
the value of timeout Ganymede 5
set authentication login Ganymede turn off the console
set authentication login Ganymede activate telnet primary
set authentication enable Ganymede turn off the console
set authentication enable Ganymede activate telnet primary
set the local connection authentication enable console
set the local connection authentication enable telnet
console game of authentication enable local enable
set the local enable authentication enable telnet
@rtogonon
It is a command of IOS!
Michael
-
GANYMEDE + configured on the router and the router is in ACS. I can ping from the ACS, but the router cannot establish a connection to authenticate users.
AAA server Ganymede group + hq_acs-1
Server 10.20.17.2
Ganymede IP source-interface GigabitEthernet0/0
!
AAA authentication login default group Ganymede + local
AAA authorization config-commands
AAA authorization exec default group Ganymede + local
AAA authorization commands by default group Ganymede + local 10
AAA authorization commands 15 default group Ganymede + local
nested AAA accounting
AAA accounting newinfo periodic update 60
AAA accounting auth-proxy default start-stop Ganymede group.
AAA accounting exec default start-stop Ganymede group.
orders accounting AAA 15 by default start-stop Ganymede group.
AAA accounting network default start-stop Ganymede group.
Default connection accounting AAA power Ganymede group.
AAA accounting system default start-stop Ganymede group.
AAA accounting resource by default start-stop Ganymede group.
BigTree_3945 #sh ip int br
Interface IP-Address OK? Method State Protocol
GigabitEthernet0/0 10.4.3.1 YES NVRAM low low
GigabitEthernet0/1 10.12.10.26 YES NVRAM up up
Serial0/2/0 unassigned YES NVRAM low low
Serial0/2/0.602 10.12.15.10 YES NVRAM low low
11:08:13.673 Apr 13: MORE: Queuing AAA request authentication 79 for the treatment
11:08:13.673 Apr 13: MORE: treatment demand beginning 79 authentication id
11:08:13.675 Apr 13: MORE: authentication start package created for 79 (cisscdb)
11:08:13.675 Apr 13: MORE: using the 10.20.17.2 Server
11:08:13.675 Apr 13: HIGHER (0000004F) / 1BDD9C34/NB_WAIT/0: started 5 sec timeout
11:08:18.676 Apr 13: HIGHER (0000004F) / 0/NB_WAIT/1BDD9C34: expired
11:08:18.676 Apr 13: HIGHER (0000004F) / 1BDD9C34/NB_WAIT/0: expired, cleaning
11:08:18.676 Apr 13: HIGHER (0000004F) / 0/1BDD9C34: the package of treatment response
11:08:25.834 Apr 13: MORE: Queuing AAA request authentication 79 for the treatment
11:08:25.834 Apr 13: MORE: treatment demand beginning 79 authentication id
11:08:25.834 Apr 13: MORE: authentication start package created for 79 (cisscdb)
11:08:25.834 Apr 13: MORE: using the 10.20.17.2 Server
11:08:25.834 Apr 13: HIGHER (0000004F) / 1BDD9C34/NB_WAIT/0: started 5 sec timeout
11:08:30.836 Apr 13: HIGHER (0000004F) / 0/NB_WAIT/1BDD9C34: expired
11:08:30.836 Apr 13: HIGHER (0000004F) / 1BDD9C34/NB_WAIT/0: expired, cleaning
11:08:30.836 Apr 13: HIGHER (0000004F) / 0/1BDD9C34: the package of treatment response
11:08:43.689 Apr 13: TAC: using default Ganymede groups ' Ganymede"list."
11:08:43.689 Apr 13: TAC +: opening TCP/IP 10.20.17.2/49 Timeout = 5
11:08:51.057 Apr 13: MORE: Queuing AAA request authentication 79 for the treatment
11:08:51.057 Apr 13: MORE: treatment demand beginning 79 authentication id
11:08:51.057 Apr 13: MORE: authentication start package created for 79 (cisscdb)
11:08:51.057 Apr 13: MORE: using the 10.20.17.2 Server
11:08:51.057 Apr 13: HIGHER (0000004F) / 1BDD9C34/NB_WAIT/0: started 5 sec timeout
11:08:54.692 Apr 13: TAC +: TCP/IP open to 10.20.17.2/49 failed - connection has expired; remote host does not
11:08:54.692 Apr 13: MORE: Queuing AAA accounting request treatment 76
11:08:54.692 Apr 13: MORE: treatment of the accounting application id 76
11:08:54.692 Apr 13: MORE: sending AV task_id = 332
11:08:54.692 Apr 13: MORE: sending AV timezone = EDT
11:08:54.692 Apr 13: MORE: AV = shell shipping service
11:08:54.692 Apr 13: MORE: sending AV start_time = 1334329734
11:08:54.692 Apr 13: MORE: sending AV priv-lvl = 15
11:08:54.692 Apr 13: MORE: sending AV cmd = show logging
11:08:54.692 Apr 13: MORE: request for accounts created for 76 (n20j03t)
11:08:54.692 Apr 13: MORE: using the 10.20.17.2 Server
11:08:54.692 Apr 13: HIGHER (0000004C) / NB_WAIT/1/20FD90EC: started 5 sec timeout
11:08:56.058 Apr 13: HIGHER (0000004F) / 0/NB_WAIT/1BDD9C34: expired
11:08:56.058 Apr 13: HIGHER (0000004F) / 1BDD9C34/NB_WAIT/0: expired, cleaning
11:08:56.058 Apr 13: HIGHER (0000004F) / 0/1BDD9C34: the package of treatment response
11:08:59.693 Apr 13: HIGHER (0000004C) / NB_WAIT/1/20FD90EC: expired
11:08:59.693 Apr 13: HIGHER (0000004C) / NB_WAIT/1/20FD90EC: expired, cleaning
11:08:59.693 Apr 13: 1/HIGHER (0000004C) / 20FD90EC: the package of treatment response
BigTree_3945 #.
The AAA Client IP address
10.4.3. * 10.12.15.10
Key
Group of network devices
Test
NJT
AccessLink
(Not assigned)
Authenticate using
GANYMEDE + (Cisco IOS)
RADIUS (Cisco Aironet)
RADIUS (Cisco BBSM)
RADIUS (Cisco IOS/PIX)
RADIUS (Cisco VPN 3000)
RADIUS (Cisco VPN 5000)
RADIUS (IETF)
RADIUS (Mount)
RADIUS (Juniper)
RADIUS (Nortel)
RADIUS (Sepi)
Connect GANYMEDE + single AAA Client (stop recording in accounting in case of failure).
The 10.12.10. range * is listed under the HQ site.
Your help is greatly appreciated.
You said that you can ping the router ACS, have you tried the GigabitEthernet 0/0 interface packages (that is those THAT GANYMEDE + will attempt to use, given the configuration you have posted) supply?
What is the network path between the router and look like ACS (IE, a firewall, NAT, etc.)?
Can you connect to port 49 to the IP address of the router GBA, GigabitEthernet 0/0 of supply packages?
Using VRF?
Which version of IOS?
-
dot1x system-auth-control on 62xx and all port/traffic goes down?
Hello
with three VLANS, and now presenting only certain ports that I do the dot1x:
RD (config) #dot1x # system - auth - control enable
RD (config) #aaa authentication dot1x default # spot within a RADIUS to RADIUS
RD (config) #interface ethernet 1/g1 # bind it to a port
RD #dot1x (config-if-1/g1) auto # config dot1x port-control
I assumed dot1x must be forced/enabled on port/int per basis and before it's done there's no dot1x, but it seems that - dot1x system-auth-control - does not wait for anything and everything stops instantly.
Is this desired behavior?
And if yes then how introduced little by little dot1x, looking fixedly with an ethernet port that are configured as here:
1/g1
Flow control: enabled
Port: g1/1
Belonging to a VLAN: access mode Mode
Operating parameters:
PVID: 1
Capture filtering: enabled
Acceptable frame type: no label
Default priority: 0
GVRP status: Disabled
Protected: disabled
-Other - or ITU (q)
Port 1/g1 is a member of:
Rule of VLAN name evacuation Type
---- --------------------------------- ----------- --------
1 by default not marked by default
Static configuration:
PVID: 1
Capture filtering: enabled
Acceptable frame type: no label
Port 1/g1 is configured statically:
Output name rule of VLAN
---- --------------------------------- -----------
Prohibition of VLAN:
Name of VLAN
---- ---------------------------------
A lot! Thank you
L.
OK, you can implement other dot1x controls without having them no effect on the switch until the "dot1x system-auth-control' is given.
I will certainly take a look at your other post.
-
MLAG CORE + OF THE BATTERY TO ACCESS TO THE
Hi all
We replace our Powerconnect with N2048 switches to the access layer and N4032 (2) at the base. I have never used stacking in the past and has been hope manage members as one. Could it not also their delay to the kernel for redundancy and to stack switches access? The core could be stacked as well, but I read MLAG is faster for failover.
Should I have a problem with this config?
Thanks for any advice.
Charles
Stacked switches act as a logical switch, which means you can use any port on a switch in the stack as a LAG member. The N-series manages group up to 8 ports. With a stack you will usually spread the LAG on multiple switches. This creates a scenario where you have spend a little redundancy and link redundancy.
Example of config should look like this:
Console (config) # interface gigabitethernet 0/1/1
Console # channel-group 1 active mode
output console #.
Console (config) # interface gigabitethernet 0/2/1
Console # channel-group 1 active mode
output console #.
Console (config) # interface port-channel 1
console switchport mode trunk #.
-
RestAPI and automated deployment Support
Hello
We are currently migrating a CSR 1000v to AWS customer but have problems to automate the deployment. I've found a few contradictory documents who first asserted that the RestAPI was not available on the CSR1000v FRIEND but felt that he was in fact checking FRIEND once it has been initialized and running. I wasn't however able to use the restapi without first logging in and create a user since CSR is started and initially using a key and user ec2. I expect to help answering the following questions:
- A user can be specified before initiating CSR 1000v for the first time, so that the RestAPI are accessible to first start without connection manually create this ssh user and if so, how?
-J' saw that there were documents with an example on how reach HA using the EEM to make a change of route. One of the documents said he was using a machine virtual linux helper to run these route changes, the other document made it seem as if the EEM applet actually did change of route schedule without access to a virtual machine for assistance. Are there tools available on CSR in TCL form or any other aws which would allow CSR to send messages SNS to aws api or other API call natively without the use of a virtual machine in linux support?
-CSR 1000v for openstack document shows the ability to offer some changes to running configuration before the first start using the
FVO - env.xml and or iosxe_config.txt. If all properties can be specified to be applied to the running-config to startup the instance of CSR and how it specifies these properties?
Thanks for any help in this matter. We found the CSR to satisfy our needs, just to adapt to CSR in our deployment strategies.
Some very good questions and answers should certainly be added to our future guides and documents. In the meantime, I'll try to help out with as much detail here as I can... It is in fact a way to pre-configure the CSR on AWS when first starting. AWS includes a feature called "UserData", which is a text field that can be supplied in an instance during the deployment. Machines virtual Linux can use this blob of text to allow a user to execute a script during the first boot, or in the case of CSR, allow us to use it to inject the IOS CLI commands when you first start. The UserData field can be specified using the AWS, provision of tools, including the portal, API, CLI, CloudFormation, etc. The only real trick to this, is adding at the beginning of each line CLI with a numeric index. Here is an example of a block of text, you could provide as UserData for the boot of CSR with a name of user and password configured pre:
iOS-config-0001 = username privilege 15 password test123 test123
If you need to add other commands, you can just increase the number of "ios-config-xxxx" at the beginning of each line. AWS has a size of 16 KB for the string UserData, so be aware of this limitation.
You could also go further and use CloudFormation to provision the CSR as well as any additional infrastructure, and the UserData field can be supplies in this scenario as well. I've attached a file to this message, which contains an example of a CloudFormation model. You'll notice it includes the same piece of UserData to start the name of user and password for access to the API, and it also opens the default API port in the AWS security group.
OK to the next question...
For high availability functionality, we need is no longer the use of a helper VM. The script that initiates the call to API AWS has been integrated in the CSR itself, so the EEM can call directly. The following link will guide you in the correct steps for EEM using without the assistance of VM:
http://www.Cisco.com/c/en/us/TD/docs/solutions/Hybrid_Cloud/Intercloud/CSR/AWS/CSRAWS/CSRAWS_4.html
I hope this helps get you started with a few new options of commissioning. :)
-
ISA500 site by site ipsec VPN with Cisco IGR
Hello
I tried a VPN site by site work with Openswan and Cisco 2821 router configuration an Ipsec tunnel to site by site with Cisco 2821 and ISA550.
But without success.
my config for openswan, just FYI, maybe not importand for this problem
installation of config
protostack = netkey
nat_traversal = yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%4:!$RIGHT_SUBNET
nhelpers = 0
Conn rz1
IKEv2 = no
type = tunnel
left = % all
leftsubnet=192.168.5.0/24
right =.
rightsourceip = 192.168.1.2
rightsubnet=192.168.1.0/24
Keylife 28800 = s
ikelifetime 28800 = s
keyingtries = 3
AUTH = esp
ESP = aes128-sha1
KeyExchange = ike
authby secret =
start = auto
IKE = aes128-sha1; modp1536
dpdaction = redΘmarrer
dpddelay = 30
dpdtimeout = 60
PFS = No.
aggrmode = no
Config Cisco 2821 for dynamic dialin:
crypto ISAKMP policy 1
BA aes
sha hash
preshared authentication
Group 5
lifetime 28800
!
card crypto CMAP_1 1-isakmp dynamic ipsec DYNMAP_1
!
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
!
Crypto ipsec transform-set ESP-AES-SHA1 esp - aes esp-sha-hmac
crypto dynamic-map DYNMAP_1 1
game of transformation-ESP-AES-SHA1
match address 102
!
ISAKMP crypto key
address 0.0.0.0 0.0.0.0 ISAKMP crypto keepalive 30 periodicals
!
life crypto ipsec security association seconds 28800
!
interface GigabitEthernet0/0.4002
card crypto CMAP_1
!
I tried ISA550 a config with the same constelations, but without suggesting.
Anyone has the same problem?
And had anyone has a tip for me, or has someone expirense with a site-by-site with ISA550 and Cisco 2821 ipsec tunnel?
I can successfully establish a tunnel between openswan linux server and the isa550.
Patrick,
as you can see on newspapers, the software behind ISA is also OpenSWAN
I have a facility with a 892 SRI running which should be the same as your 29erxx.
Use your IOS Config dynmap, penny, you are on the average nomad. If you don't have any RW customer you shoul go on IOS "No.-xauth" after the isakmp encryption key.
Here is my setup, with roardwarrior AND 2, site 2 site.
session of crypto consignment
logging crypto ezvpn
!
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
lifetime 28800
!
crypto ISAKMP policy 2
BA 3des
md5 hash
preshared authentication
Group 2
lifetime 28800
!
crypto ISAKMP policy 3
BA 3des
preshared authentication
Group 2
!
crypto ISAKMP policy 4
BA 3des
md5 hash
preshared authentication
Group 2
!
crypto ISAKMP policy 5
BA 3des
preshared authentication
Group 2
life 7200
ISAKMP crypto address XXXX XXXXX No.-xauth key
XXXX XXXX No.-xauth address isakmp encryption key
!
ISAKMP crypto client configuration group by default
key XXXX
DNS XXXX
default pool
ACL easyvpn_client_routes
PFS
!
!
Crypto ipsec transform-set esp-3des esp-sha-hmac FEAT
!
dynamic-map crypto VPN 20
game of transformation-FEAT
market arriere-route
!
!
card crypto client VPN authentication list by default
card crypto VPN isakmp authorization list by default
crypto map VPN client configuration address respond
10 VPN ipsec-isakmp crypto map
Description of VPN - 1
defined peer XXX
game of transformation-FEAT
match the address internal_networks_ipsec
11 VPN ipsec-isakmp crypto map
VPN-2 description
defined peer XXX
game of transformation-FEAT
PFS group2 Set
match the address internal_networks_ipsec2
card crypto 20-isakmp dynamic VPN ipsec VPN
!
!
Michael
Please note all useful posts
-
I'm trying to connect to my router Cisco VPN Client 4.8 of Pentecost Cisco1811 Pentecost rsa - sig (certificate). On the Cisco VPN Client I resive username request I spend. When I insert them on the 1811 I resive this message on the console
% CRYPTO-6-VPN_TUNNEL_STATUS: Group: does not exist
My ios config is:
AAA new-model
!
!
local VPNUSER AAA authentication login
local AAA VPNUSER authorization network
!
AAA - the id of the joint session
!
resources policy
!
!
!
IP cef
No dhcp use connected vrf ip
DHCP excluded-address IP 192.168.10.1
!
SDM-IP dhcp pool pool
import all
network 192.168.10.0 255.255.255.0
default router 192.168.10.1
Rental 2 0
!
!
no ip domain search
"yourdomain.com" of the IP domain name
!
! Crypto pki token by default user pins *.
Crypto pki token removal timeout 30 default
!
Crypto pki trustpoint TP-self-signed-2095781077
enrollment selfsigned
name of the object cn = IOS - Self - signed - certificate - 2095781077
revocation checking no
rsakeypair TP-self-signed-2095781077
!
Crypto pki trustpoint CA_Server
Terminal registration
Serial number no
full domain name no
IP address no
password
name of the object O = 5100, OU = customs, CN = ROUTER1
revocation checking no
rsakeypair SDM-RSAKey-1180596453000
!
!
TP-self-signed-2095781077 crypto pki certificate chain
string CA_Server crypto pki certificates
!
crypto ISAKMP policy 10
BA 3des
Group 2
ISAKMP crypto identity dn
!
ISAKMP crypto client configuration group guest_group
DNS 10.1.1.3
pool vpnpool
!
!
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
!
Crypto-map dynamic dynmap 10
game of transformation-ESP-3DES-MD5
!
!
list of authentication of card crypto client vpn_map VPNUSER
card crypto vpn_map VPNUSER isakmp authorization list
client configuration address card crypto vpn_map throw
client configuration address card crypto vpn_map answer
vpn_map 10 card crypto ipsec-isakmp dynamic dynmap
!
What can I do
What is the OU on the certificate you have for the customer?
What is guest_group or something else?
Thank you
Gilbert
-
Hello world.
We plan to connect two locations via VPN with Internet access (each with their different ISP). Each branch has a router 3745 with a T5 IOS Version 12.2 (8). Does anyone know if it is possible to configure these routers to provide this solution?
If so, does anyone know any document/text in Cisco' site that can guide us on how to set it up?
Thanks in advance,
Marcelle.
do a show version to see what exact IOS version you are running, as well as the flash and RAM totals. It's certainly enough router to run a compatible version of IOS IPSec, but it might be possible that these units should not be enough ram and or flash for such IOS images.
is an IOS IOS config tunnel
-
PIX 6.2 to 7.1 conversion
Hi all, well I am new to the PIX world so if anyone can help, here goes.
Y at - it a tool that converts a PIX 6.x ios configs to 7.1. I'm leaving a PIX 506 a 525.
If you use lines, you can convert them to ACL using the OCC tool available here:
http://www.Cisco.com/cgi-bin/tablebuild.pl/PIX
other that that, there is no tool for what you need. most of the commmands will be the same. It will be easier if you first upgrade the 506 to 6.3 (5) well.
Maybe you are looking for
-
Respected HP engineers sweet good morning Sir My PC hardware is HP EliteDesk 800 G1 TWR PC intel core i7 4770, 8 gb x 2 ram intel 64-bit hd 4600 .windows 8 enterprise. HP 2311 L01 2.21 LED monitor BIOS, video version 9.18.10.3204 widespread driver ve
-
How can I connect my iphone to my iPad 2 Air 5s?
How to connect my iPhone 5 s for my my iPad 2 Air, download my contacts?
-
How can I measure time my Boolean indicator light lights up. Joined the VI Thank you
-
What I need to install in another pc without LabView and wants use executable Vi
Hi, everyone, please, help me I want to use another VI without LabVIEW PC executable, what I have to do to run the VI.exe? Thank you
-
When you use icon editor, all of a sudden the font size grew so great that I can't type what whatsoever in the container box. Is it possible to reduce the font size to a desirable level?