Site to Site VPN between ISR4331(Data Center) and 25 branches with RV042 and dynamic public IP address
Hi, we just got router ISR4331. We will use this router to our datacenter as pummel hub. Not to mention that it will be the static IP address. Our goal is to connect 30 small offices to the Datacenter by VPN site-to-site. All of our offices a RV042 router and DSL connection, so dynamic public IP. How to accomplish this task. Before the VPN connection is stable and the need not to configure tunnels frequently.
Thank you
GM
Hello
Please check the config below:
HUBS:
crypto ISAKMP policy 1
BA 3des
!
BA 3des
!
Tags: Cisco Security
Similar Questions
-
Site to Site VPN between Cisco ASA 5505 and Sonicwall TZ170
I'm trying to implement a VPN site-to site between our data center and office. The data center has a Cisco ASA 5505 and the Office has a Sonicwall TZ170. I managed to configure the two so that the vpn connects. Each of the firewall I ping the IP Address of the internet firewall on the other side and a desktop computer I can ping the IP Address of the firewall internal datacenter but I can't carry traffic between private subnets datacenter and desktop. Can anyone help?
The config below has had IPs/passwords has changed.
External Datacenter: 1.1.1.4
External office: 1.1.1.1
Internal data center: 10.5.0.1/24
Internal office: 10.10.0.1/24
: Saved
:
ASA Version 8.2 (1)
!
hostname datacenterfirewall
mydomain.tld domain name
activate thepassword encrypted
passwdencrypted
names of
name 10.10.0.0 OfficeNetwork
10.5.0.0 DatacenterNetwork name
!
interface Vlan1
nameif inside
security-level 100
10.5.0.1 IP address 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
1.1.1.4 IP address 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passive FTP mode
clock timezone IS - 5
clock to summer time EDT recurring
DNS server-group DefaultDNS
buydomains.com domain name
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
inside_access_in list extended access permit icmp any one
inside_access_in list extended access permitted tcp a whole
inside_access_in list extended access udp allowed a whole
inside_access_in of access allowed any ip an extended list
outside_access_in list extended access permit icmp any one
outside_access_in list extended access udp allowed any any eq isakmp
IP DatacenterNetwork 255.255.255.0 OfficeNetwork 255.255.255.0 allow Access-list extended pixtosw
pixtosw list extended access allow icmp DatacenterNetwork 255.255.255.0 OfficeNetwork 255.255.255.0
IP OfficeNetwork 255.255.255.0 DatacenterNetwork 255.255.255.0 allow Access-list extended pixtosw
pixtosw list extended access allow icmp OfficeNetwork 255.255.255.0 DatacenterNetwork 255.255.255.0
outside_cryptomap_66.1 list of allowed ip extended access all OfficeNetwork 255.255.255.0
outside_cryptomap_66.1 ip OfficeNetwork 255.255.255.0 allowed extended access list all
outside_cryptomap_66.1 list extended access permit icmp any OfficeNetwork 255.255.255.0
outside_cryptomap_66.1 list extended access allowed icmp OfficeNetwork 255.255.255.0 everything
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
IP verify reverse path to the outside interface
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 623.bin
don't allow no asdm history
ARP timeout 14400
NAT-control
Global 1 interface (outside)
NAT (inside) 1 0.0.0.0 0.0.0.0
inside_access_in access to the interface inside group
Access-group outside_access_in in interface outside
Route inside 0.0.0.0 0.0.0.0 1.1.1.1 1
Route OfficeNetwork 255.255.255.0 outside 1.1.1.1 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
Enable http server
http 10.5.0.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set esp-aes-256 walthamoffice, esp-sha-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Crypto dynamic-map ciscopix 1 corresponds to the address outside_cryptomap_66.1
Crypto dynamic-map ciscopix 1 transform-set walthamoffice
Crypto dynamic-map ciscopix 1 the value reverse-road
map dynmaptosw 66-isakmp ipsec crypto dynamic ciscopix
dynmaptosw interface card crypto outside
crypto isakmp identity address
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 13
preshared authentication
aes-256 encryption
sha hash
Group 2
lifetime 28800
crypto ISAKMP policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
No encryption isakmp nat-traversal
Telnet 10.5.0.0 255.255.255.0 inside
Telnet timeout 5
SSH 10.5.0.0 255.255.255.0 inside
SSH timeout 5
Console timeout 0
management-access inside
dhcpd address 10.5.0.2 - 10.5.0.254 inside
dhcpd allow inside
!a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
NTP server 66.250.45.2 source outdoors
NTP server 72.18.205.157 source outdoors
NTP server 208.53.158.34 source outdoors
WebVPN
attributes of Group Policy DfltGrpPolicy
VPN-idle-timeout no
username admin passwordencrypted
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *.
!
!
!
type of policy-card inspect dns preset_dns_map
parameters
message-length maximum 512
!
context of prompt hostname
Cryptochecksum:7f319172e5de9c0e550804a263f8e49e
: endMattew, obvious lack of education is the rule exempt from nat for your tunnel, your access list pixtosw is similar on this example, I assume that you have gone through this link, if it does not see the configs on both sides.
Add the statement of rule sheep in asa and try again.
NAT (inside) 0-list of access pixtosw
Concerning
-
Troubleshooting IPSec Site to Site VPN between ASA and 1841
Hi all
in the past I've implemented several VPN connections between the devices of the SAA. So I thought a site link between an ASA site and 1841 would be easier... But it seems I was mistaken.
I configured a VPN Site to Site, as it has been described in the Document ID: SDM 110198: IPsec Site to Site VPN between ASA/PIX and an example of IOS Router Configuration (I have not used SDM but CCP).
I have run the wizards on the ASA with ASDM and the current IOS version 15.1 1841, with CCP.
It seems to Phase 1 and 2 are coming although my ASA in ADSM reports (monitoring > VPN > VPN statistics > Sessions) a tunnel established with some of the Tx traffic but 0 Rx traffic),
On the ASA:
Output of the command: "sh crypto ipsec its peer 217.xx.yy.zz.
address of the peers: 217.86.154.120
Crypto map tag: VPN-OUTSIDE, seq num: 2, local addr: 62.aa.bb.ccaccess extensive list ip 192.168.37.0 outside_2_cryptomap_1 allow 255.255.255.0 172.20.2.0 255.255.255.0
local ident (addr, mask, prot, port): (LAN-A/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (LAN-G/255.255.255.0/0/0)
current_peer: 217.xx.yy.zz#pkts program: 400, #pkts encrypt: 400, #pkts digest: 400
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 400, comp #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#send errors: 0, #recv errors: 0local crypto endpt. : 62.aa.bb.cc, remote Start crypto. : 217.xx.yy.zz
Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
current outbound SPI: 39135054
current inbound SPI: B2E9E500SAS of the esp on arrival:
SPI: 0xB2E9E500 (3001672960)
transform: esp-3des esp-sha-hmac no compression
running parameters = {L2L, Tunnel, PFS 2 group}
slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
calendar of his: service life remaining (KB/s) key: (4374000/1598)
Size IV: 8 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001
outgoing esp sas:
SPI: 0 x 39135054 (957567060)
transform: esp-3des esp-sha-hmac no compression
running parameters = {L2L, Tunnel, PFS 2 group}
slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
calendar of his: service life remaining (KB/s) key: (4373976/1598)
Size IV: 8 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001Output of the command: "sh crypto isakmp his."
HIS active: 4
Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
Total SA IKE: 4IKE Peer: 217.xx.yy.zz
Type: L2L role: initiator
Generate a new key: no State: MM_ACTIVEOn the 1841
1841 crypto isakmp #sh its
IPv4 Crypto ISAKMP Security Association
DST CBC conn-State id
217.86.154.120 62.153.156.163 QM_IDLE 1002 ACTIVE1841 crypto ipsec #sh its
Interface: Dialer1
Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120protégé of the vrf: (none)
local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
current_peer 62.153.156.163 port 500
LICENCE, flags is {origin_is_acl},
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 0, #recv 0 errorslocal crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
current outbound SPI: 0xB2E9E500 (3001672960)
PFS (Y/N): Y, Diffie-Hellman group: group2SAS of the esp on arrival:
SPI: 0 x 39135054 (957567060)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4505068/1306)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVEthe arrival ah sas:
SAS of the CFP on arrival:
outgoing esp sas:
SPI: 0xB2E9E500 (3001672960)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4505118/1306)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVEoutgoing ah sas:
outgoing CFP sas:
Interface: virtual Network1
Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120protégé of the vrf: (none)
local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
current_peer 62.153.156.163 port 500
LICENCE, flags is {origin_is_acl},
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 0, #recv 0 errorslocal crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
current outbound SPI: 0xB2E9E500 (3001672960)
PFS (Y/N): Y, Diffie-Hellman group: group2SAS of the esp on arrival:
SPI: 0 x 39135054 (957567060)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4505068/1306)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVEthe arrival ah sas:
SAS of the CFP on arrival:
outgoing esp sas:
SPI: 0xB2E9E500 (3001672960)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4505118/1306)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVEoutgoing ah sas:
outgoing CFP sas:
It seems that the routing on the 1841 is working properly as I can tear down the tunnel and relaunch in scathing a host on the network of 1841, but not vice versa.
Trounleshoot VPN of the 1841 report shows a message like "the following sources are forwarded through the interface card crypto. (172.20.2.0 1) go to "Configure-> routing" and correct the routing table.
I have not found an error on the 1841 config so if one of the guys reading this thread has an idea I appreciate highly suspicion!
It's the running of the 1841 configuration
!
version 15.1
horodateurs service debug datetime msec
Log service timestamps datetime msec
encryption password service
!
host name 1841
!
boot-start-marker
start the system flash c1841-adventerprisek9 - mz.151 - 1.T.bin
boot-end-marker
!
logging buffered 51200 notifications
!
AAA new-model
!
!
AAA authentication login default local
!
AAA - the id of the joint session
!
iomem 20 memory size
clock timezone PCTime 1
PCTime of summer time clock day March 30, 2003 02:00 October 26, 2003 03:00
dot11 syslog
IP source-route
!
No dhcp use connected vrf ip
!
IP cef
no ip bootp Server
IP domain name test
name of the IP-server 194.25.2.129
name of the IP-server 194.25.2.130
name of the IP-server 194.25.2.131
name of the IP-server 194.25.2.132
name of the IP-server 194.25.2.133
No ipv6 cef
!
Authenticated MultiLink bundle-name Panel
!
!
object-group network phone
VoIP phone description
Home 172.20.2.50
Home 172.20.2.51
!
redundancy
!
!
controller LAN 0/0/0
atm mode
Annex symmetrical shdsl DSL-mode B
!
!
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
isakmp encryption key * address 62.aa.bb.cc
!
!
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
!
map SDM_CMAP_1 1 ipsec-isakmp crypto
Description Tunnel to62.aa.bb.cc
the value of 62.aa.bb.cc peer
game of transformation-ESP-3DES-SHA
PFS group2 Set
match address 100
!
!
!
interface FastEthernet0/0
DMZ description $ FW_OUTSIDE$
10.10.10.254 IP address 255.255.255.0
IP nat inside
IP virtual-reassembly
automatic duplex
automatic speed
!
interface FastEthernet0/1
Description $ETH - LAN$ $FW_INSIDE$
IP 172.20.2.254 255.255.255.0
IP access-group 100 to
IP nat inside
IP virtual-reassembly
IP tcp adjust-mss 1412
automatic duplex
automatic speed
!
ATM0/0/0 interface
no ip address
No atm ilmi-keepalive
!
point-to-point interface ATM0/0/0.1
PVC 1/32
PPPoE-client dial-pool-number 1
!
!
interface Dialer1
Description $FW_OUTSIDE$
the negotiated IP address
IP mtu 1452
NAT outside IP
IP virtual-reassembly
encapsulation ppp
Dialer pool 1
Dialer-Group 2
PPP authentication chap callin pap
PPP chap hostname xxxxxxx
PPP chap password 7 xxxxxxx8
PPP pap sent-name of user password xxxxxxx xxxxxxx 7
map SDM_CMAP_1 crypto
!
IP forward-Protocol ND
IP http server
local IP http authentication
IP http secure server
!
!
The dns server IP
IP nat inside source static tcp 10.10.10.1 808 interface Dialer1 80
IP nat inside source static tcp 10.10.10.1 25 25 Dialer1 interface
IP nat inside source overload map route SDM_RMAP_1 interface Dialer1
IP nat inside source overload map route SDM_RMAP_2 interface Dialer1
IP route 0.0.0.0 0.0.0.0 Dialer1 permanent
!
logging trap notifications
Note category of access list 1 = 2 CCP_ACL
access-list 1 permit 172.20.2.0 0.0.0.255
Note access-list category 2 CCP_ACL = 2
access-list 2 allow 10.10.10.0 0.0.0.255
Note access-list 100 category CCP_ACL = 4
Note access-list 100 IPSec rule
access-list 100 permit ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
Note CCP_ACL the access list 101 = 2 category
Note access-list 101 IPSec rule
access-list 101 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 101 permit ip 172.20.2.0 0.0.0.255 any
Note access-list 102 CCP_ACL category = 2
Note access-list 102 IPSec rule
access-list 102 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
!!
allowed SDM_RMAP_1 1 route map
corresponds to the IP 101
!
allowed SDM_RMAP_2 1 route map
corresponds to the IP 102
!
!
control plan
!
!
Line con 0
line to 0
line vty 0 4
length 0
transport input telnet ssh
!
Scheduler allocate 20000 1000
NTP-Calendar Update
NTP 172.20.2.250 Server prefer
endAs I mentioned previously: suspicion is much appreciated!
Best regards
Joerg
Joerg,
ASA receives not all VPN packages because IOS does not send anything.
Try to send packets to the 1841 LAN to LAN of the ASA and see is the "sh cry ips its" on the 1841 increments the encrypted packets (there not)
The problem seems so on the side of the router.
I think that is a routing problem, but you only have one default gateway (no other channels on the router).
The ACL 100 is set to encrypt the traffic between the two subnets.
It seems that the ACL 101 is also bypassing NAT for VPN traffic.
Follow these steps:
Try running traffic of LAN router inside IP (source of ping 192.168.37.x 172.20.2.254) and see if the packages are not through the translation and obtaining encrypted.
I would also like to delete 100 ACL from the inside interface on the router because it is used for the VPN. You can create an another ACL to apply to the interface.
Federico.
-
Hi all
I have a data center with two lines of ISP redundancy and two ASA 5520 for redundancy VPN to my branches. Each of my branches has 1 ASA 5505 with a base license and 1 ISP circuit. Currently all my VPN tunnels are built for data center main circuit ISP only, so if one goes down, I'm toast. I need to fix this. Problem is, I don't know how I can control failover on 5505 with 1 single line branch. Please see my picture for an example of how he looks at it right now.
So the problem is that the data center LAN my branch has to go to is identical regardless of which circuit of data center is in the. And I know the ASA rules say only 1 VPN tunnel can be active at a time if flow are the same. So in this case, I know you usually do:
card crypto outside_map 1 set 12.x.xxx.20 50.xxx.xx.190 counterpart
and then configure route followed to control when cut down the primary counterpart and turn back up by peers. But where I have only 1 ISP on the side of the branch, I'll only have 1 default route: route outside 0.0.0.0 0.0.0.0 3.3.3.2 1, will be used that the active end counterpart is the primary or the secondary data center. Also, since I did not have a second track, I can't configure followed on the main road with an SLA that defines the trigger conditions, because there is nothing to ensure the follow-up of the routing.
How is - a would handle a situation like this? Are there other features that can be taken off the roads? I really need to be able to define "num-package 5 ' in ALS so my sites are not beat all day, but once again, without something to follow, I can't really set up a meaningful SLAS. Any help is appreciated.
Thanks for the additional explanation. It helps to clarify your environment. EIGRP running on the Remote would be a nice option, but I'm not sure that it is supported on the SAA. I ran EIGRP to remote peers using IOS routers (using the two ACCORD with IPsec and VTI tunnels tunnels) and it was very effective. But on the SAA, I believe that we must seek an alternative.
It seems to me that using reverse road Injection as part of your VPN site-to-site should work. With IPP the ASA inserts a static route to remote resources when the VPN tunnel is negotiated and traffic can flow. If you redistribute the static in EIGRP EIGRP then must learn the ways of any ASA a currently active tunnel. And who should provide the dynamic rollover you need.
HTH
Rick
-
can we do vMotion between two data center
Dear team,
Can we do vMotion between two data center (esxi5, x)
Can we do SVMotion between two data center (esxi5, x)
Note: it is not a physical data center, it is a virtual data center
can we do vMotion between clusters (esxi5.x)
can we do SVMotion between clusters (esxi5.x)
concerning
Mr. VMware
Can we do vMotion between two data center (esxi5, x)
NO, you can't.
Can we do SVMotion between two data center (esxi5, x)
Yes, as long as data warehouses are shared.
can we do vMotion between clusters (esxi5.x)
Yes, as they perform the same CPU families.
can we do SVMotion between clusters (esxi5.x)
Yes, as long as data warehouses are shared.
-
Hi all
I'm new to powercli and try to create a script to list all clusters in a data center and all hosts in a cluster and calculate min, max and avg cpu usage and ram by the host and cluster. So far, I have tried the below but I can't publish the results of my script.
$Function = @)
ForEach ($DataCenter Get-Data Center)
{
ForEach ($cluster in ($DataCenter |)) Get - Cluster)) - need help to post the information here and confirm if this is correct or not.
{
ForEach ($hosts in ($cluster |)) Get - VMHost))
{
ForEach ($vms to ($hosts |)) Get - VM)) - do not know if I called you here functions properly
{
$allvms = @)
$allhosts = @)
$hosts = get-VMHost
$vms = get - Vm{foreach ($vms in $hosts)
$hoststat = "" | Select the host name, MemMax, MemAvg, MemMin, CPUMax, CPUAvg, CPUMin
$hoststat. Host name = $vmHost.name
$statcpu = get-Stat-entity ($vmHost) - start (get-date). AddDays(-30)-Finish (Get-Date) - MaxSamples 10000 - stat cpu.usage.average
$statmem = get-Stat-entity ($vmHost) - start (get-date). AddDays(-30)-Finish (Get-Date) - MaxSamples 10000 - stat mem.usage.average$cpu = $statcpu | Measure-object-property value - average - Maximum - Minimum
$mem = $statmem | Measure-object-property value - average - Maximum - Minimum
$hoststat. CPUMax = $cpu. Maximum
$hoststat. CPUAvg = $cpu. Average
$hoststat. CPUMin = $cpu. Minimum
$hoststat. MemMax = $mem. Maximum
$hoststat. MemAvg = $mem. Average
$hoststat. MemMin = $mem. Minimum
$allhosts += $hoststat
}
}
}
}
}$Function | Select the host name, MemMax, MemAvg, MemMin, CPUMax, CPUAvg, CPUMin | Export-Csv "c:\Function.csv" - noTypeInformation
Any help on this is much appreciated.
[Ordered] casting was introduced in v3 PowerShell.
For PowerShell v2, you can use
$vms = get - VM
$stat = 'cpu.usage.average ','mem.usage.average '.
$start = (get-Date). AddDays(-31)
$report = get-Stat-entity $vms - start $start - Stat $stat - ErrorAction SilentlyContinue |
Group-object - property {$_.} @entity.name} | %{
$cpu = $_. Group | where {$_.} MetricId - eq "cpu.usage.average"} | Measure-object-property value - average - Maximum - Minimum
$mem = $_. Group | where {$_.} MetricId - eq "mem.usage.average"} | Measure-object-property value - average - Maximum - Minimum
New-object PSObject-property @ {}
Datacenter = Get-Datacenter - VM $_. Group [0]. Entity | Select the name of ExpandProperty-
Cluster Cluster Get - VM = $_. Group [0]. Entity | Select the name of ExpandProperty-
VMHost = $_. Group [0]. Entity.Host.Name
Name = $_. Group [0]. @entity.name
CpuMin = $cpu. Minimum
CpuAvg = $cpu. Average
CpuMax = $cpu. Maximum
MemMin = $mem. Minimum
MemAvg = $mem. Average
MemMax = $mem. Maximum
}
}
$report | Sort-Object-property Datacenter, Cluster, VMHost name |
Export Csv report.csv - NoTypeInformation - UseCulture
-
Problem link DB between active Data Guard and reports application database
My version of the 11.2.0.2.0 and OS database is Oracle Solaris 10 9/10.
I am facing a problem in my custody of data Active data base for purposes of tax. Active Data guard information is as below.
SQL > select name, database_role, open_mode from v$ database;
NAME DATABASE_ROLE OPEN_MODE
--------- ---------------- --------------------
ORCL PHYSICS READ SHALL ONLY APPLY
Detail of the problem is less than
------------------------------
I have created a db link (name: DATADB_LINK) between active data guard and report of application of data base for purposes of tax.
SQL > create database DATADB_LINK link to connect to HR identified by HR using 'DRFUNPD ';
Database link created.
But when I run a query using db link to my database of enforcement report I got this error below.
ORA-01555: snapshot too old: rollback segment number 10 with the name ' _SYSSMU10_4261549777$ ' too small
ORA-02063: preceding the line of DATADB_LINK
Then I see logfile named database alart Active Data Guard and get below error
ORA-01555 caused by the following SQL statement (SQL ID: 11yj3pucjguc8, time of request = 1 sec, SNA: 0x0000.07c708c3): SELECT "A2". "' BUSINESS_TRANSACTION_REFERENCE ', 'A2 '. "' BUSINESS_TRANSACTION_CODE ', MAX (CASE 'A1'. "TRANS_DATA_KEY"WHEN "feature' AND 'A1'." " END OF TRANS_DATA_VALUE"), MAX (CASE 'A1'. "TRANS_DATA_KEY" WHEN 'otherFeature' THEN 'A1' '. "" END OF TRANS_DATA_VALUE")
But the interesting point if I run the query report directly in the Active Data Guard database, I got never error.
So it's a problem of link DB between active Data Guard and other databases?Fazlul Kabir Mahfuz wrote:
My version of the 11.2.0.2.0 and OS database is Oracle Solaris 10 9/10.
I am facing a problem in my custody of data Active data base for purposes of tax. Active Data guard information is as below.SQL > select name, database_role, open_mode from v$ database;
NAME DATABASE_ROLE OPEN_MODE
--------- ---------------- --------------------
ORCL PHYSICS READ SHALL ONLY APPLYDetail of the problem is less than
------------------------------
I have created a db link (name: DATADB_LINK) between active data guard and report of application of data base for purposes of tax.
SQL > create database DATADB_LINK link to connect to HR identified by HR using 'DRFUNPD ';
Database link created.But when I run a query using db link to my database of enforcement report I got this error below.
ORA-01555: snapshot too old: rollback segment number 10 with the name ' _SYSSMU10_4261549777$ ' too small
ORA-02063: preceding the line of DATADB_LINKThen I see logfile named database alart Active Data Guard and get below error
ORA-01555 caused by the following SQL statement (SQL ID: 11yj3pucjguc8, time of request = 1 sec, SNA: 0x0000.07c708c3): SELECT "A2". "' BUSINESS_TRANSACTION_REFERENCE ', 'A2 '. "' BUSINESS_TRANSACTION_CODE ', MAX (CASE 'A1'. "TRANS_DATA_KEY"WHEN "feature' AND 'A1'." " END OF TRANS_DATA_VALUE"), MAX (CASE 'A1'. "TRANS_DATA_KEY" WHEN 'otherFeature' THEN 'A1' '. "" END OF TRANS_DATA_VALUE")
But the interesting point if I run the query report directly in the Active Data Guard database, I got never error.
So it's a problem of link DB between active Data Guard and other databases?
Check this statement that applies to your environment
* ORA-01555 on Active Data Guard Standby Database [1273808.1 ID] *.
also
http://asktom.Oracle.com/pls/asktom/f?p=100:11:0:P11_QUESTION_ID:8908307196113
-
Moving Cluster to new data center and move ASM Lun
Hello
My question is for an upcoming project. We want to grow our three existing node on our other data Center cluster. Servers will be moved and would re - ip, but Oracle, CRS and ASM houses remain intact.
We have our ASM on EMC Clariion disks. The idea is to use EMC Replication Manager to replicate the LUNS on EMC Clarion in the other data center and to present them to the cluster.
My question is if it looks like a valid plan, or I think to simplistic?
Will keep it even replicated LUN the ASM disk identity and data in order to be recognized and available in start?
In addition, in order to minimize downtime, we want to move a single node of the cluster first, then others do appear later.
Thanks for your opinions.Linux-RAC-Admin wrote:
My question is for an upcoming project. We want to grow our three existing node on our other data Center cluster. Servers will be moved and would re - ip, but Oracle, CRS and ASM houses remain intact.We have our ASM on EMC Clariion disks. The idea is to use EMC Replication Manager to replicate the LUNS on EMC Clarion in the other data center and to present them to the cluster.
My question is if it looks like a valid plan, or I think to simplistic?
Will keep it even replicated LUN the ASM disk identity and data in order to be recognized and available in start?
Hello
To replicate ASMDISK success, all databases in the Diskgroup must be down or in backup mode.
Replication starts with the online database (IE database in backup mode hot) needs attention, because all data/redo/controlfile files will be copied in use (i.e. corrupt), be necessary will perform database recovery.I think that you already have this doc, but I write anyway.
http://www.EMC.com/collateral/hardware/white-papers/h2104-EMC-CLARiiON-DB-Stor-Sol-Oracle-10G-Oracle-11g-CLARiiON-Stor-repltn-WP.PDF
>In addition, in order to minimize downtime, we want to move a single node of the cluster first, then others do appear later.
The plan seems good.
Build a step by step mapping all changes and good luck.Kind regards
Levi Pereira -
2 one-Site VPN between HQ, Site A and Site B
Dear brothers,
Really I need your kindly help on Site 2 Site VPN.
We have a HQ and 2 Sites (Site A Site & B), and we think to set up VPN Site-2-Site between them now.
HQ--> 3845 router (will be the hub)--> a given vlan 11 & vlan voice 21
Site A--> router 2901 (will be the Spoke1)--> a given vlan 12 & vlan voice 22
Site B--> router 1941 (will be the Spoke2)--> a given vlan 13 & vlan voice 23
So my questions are:
1 - when the VPN going up, are only the HQ VLAN data & voice will be able to reach the Site & A B data & Voice VLAN and Vice versa?
2 - when the VPN is going up, are that the Site has data & Voice VLAN will be able to reach the Site B Data & Voice VLAN and Vice versa?
Thank you
Hello
I think this example explains what you need:http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation...
Kind regards
Averroès.
-
Site to Site VPN between PIX and Linksys RV042
I am trying to create a tunnel between a 506th PIX and a Linksys RV042 vpn . I configured the Phase 1 and Phase 2 as well as the transformation defined and interested traffic and connected to the external interface, but it will not create the tunnel. Configurations are as follows:
506th PIX running IOS 6.3
part of pre authentication ISAKMP policy 40
ISAKMP policy 40 cryptographic 3des
ISAKMP policy 40 sha hash
40 2 ISAKMP policy group
ISAKMP duration strategy of life 40 86400
ISAKMP key * address 96.10.xxx.xxx netmask 255.255.255.255
access-list 101 permit ip 192.168.21.0 255.255.255.0 192.168.1.0 255.255.255.0crypto map Columbia_to_Office 10 ipsec-isakmp
crypto Columbia_to_Office 10 card matches the address 101
card crypto Columbia_to_Office 10 set peer 96.10.xxx.xxx
10 Columbia_to_Office transform-set ESP-3DES-SHA crypto card game
Columbia_to_Office interface card crypto outsideLinksys RV042
Configuration of local groups
IP only
IP address: 96.10.xxx.xxx
Type of local Security group: subnet
IP address: 192.168.1.0
Subnet mask: 255.255.255.0Configuration of the remote control groups
IP only
IP address: 66.192.xxx.xxx
Security remote control unit Type: subnet
IP address: 192.168.21.0
Subnet mask: 255.255.255.0IPSec configuration
Input mode: IKE with preshared key
Group Diffie-Hellman phase 1: group2
Phase 1 encryption: 3DES
Authentication of the phase 1: SHA1
Life of ITS phase 1: 86400
Phase2 encryption: 3DES
Phase2 authentication: SHA1
Phase2 life expectancy: 3600 seconds
Pre-shared key *.I'm a novice on the VPN. Thanks in advance for your expertise.
Yes, version PIX 6.3 does not support HS running nat or sh run crypto.
Please please post the complete config if you don't mind.
Please also try to send traffic between subnets 2 and get the output of:
See the isa scream his
See the ipsec scream his
-
FabricPath or OTV between two data center using Direct fiber cable
Hello
I have two data center both of them has the same equipment N7k, N5k and N2k, and we want the dataCenter being active/active, I'm really confused to use OTV or FabricPath characteristic, if someone can help me with my scenario and explain to me what is the best solution and advantage and disadvantage between OTV and PabrcPath.
Many thanks in advance
Hi Steven,
No problem, I'll go through your points as completely as possible. I advise you to read more about these protocols, maybe if you have access to INE or similar, see their videos on this. I would also like to say again that I have not seen all documentation Cisco indicating that FabricPath to be used as a DCI.
With regard to the way fabric you ask what follows...
1. only can use it between two datacenters of you have more we can't, please correct me?
No, you can use the path of fabric with more than two data centers, but even with OTV, you can use it with more than two data centers.
2. HSRP localization can not be implemented as OTV. However You can have two differnet Gateways at the Data Center 1 and 2 using two different HSRP groups. If server is moved dynamically from, (i didn't understand this point can you please explain with example?
OK, so this is a GREAT topic. Location of HSRP CAN be implemented with OTV, but cannot be implemented with fabric path. First hop redundancy protocols can be localized and is supported by Cisco with OTV, this basically allows the same default gateway to reside in two of your data centers providing the ACTIVE/ACTIVE configuration. So no matter where your VM is, they did not change their default, even if gateway your servers to move to the other datacenter.
If we didn't have this, we would have only an active member of HSRP divided between DC and things would be extremely troublesome in regard to traffic flows. A virtual machine in DC2 VLAN needs to talk to host in VLAN B. But the default gateway is completely in DC1. So frame is sent to the ICD in DC1, then the gateway by default, routes packets VLAN B. This VLAN B lies in fact in DC2, so now it has to go all the way back to DC2. You get my point...? :)
With localization happen only local to the domain controller. If all servers / VMS in the domain controller can speak locally to its "own" default gateway.
3. unknown unicast flooding (can you give me an example?)
Unknown unicast traffic is unicast packets/images with unknown destination mac address. By default, switches are flooding this type of traffic to all ports in the VLAN. With path of fabric that would take place during your DCI, but with OTV, it is all taken care locally, so massive savings on bandwidth here and it is much more effective.
4. ARP optimization between Data Center (can you give an example regarding ARP optimization?)
There is another function of OTV, which makes it far superior on the way of tissue. Essentially, we are reducing the volume of traffic passing through the transport infrastructure (i.e. ICD)
When ARP, host in DC1 to host that responds in DC2, we use links and there is travel time of package that might be minimal, but is not the most optimal. OTV AED - or edge device spy ARP response and subsequently knows that this mapping exists from there. ARP takes place after the first Protocol, the EDA almost proxy ARP to DC1 so the ARP request locally does not have to travel to DC2.
5. Typically two flows (Odd VLANs by OTV-VDC-1 and even vlans by OTV-VDC-2) carry the entire layer 2 traffic flow between the two Data Centes. Hence the load balancing the links is not efficient. ( (can you explain compare with FabricPath if you have example?)
IMHO, it's bad and good. Balance the workload of the OTV if you have more than an AED on site. VLAN strange appointment via an AED, even numbered VLAN go through the other. Depending on traffic on VLANs, this could become unbalanced. Fabric used by all its links to mac addresses 'route' to the respective SID - ID switch she needs to do. So perhaps a better uniformity of split here.
6. VLAN scalability for OTV is lower than FabricPath as of this content writing. (can you explain what this mean i didn't understand it)
I completely disagree with this comment. I too do not understand.
7. Resiliency of FabricPath network is better than OTV in some failure scenarios.(can me an example ?)
I also disagree with that. Resilience of path of fabric could be same as OTV or perhaps better. However, my personal experience is that OTV fine tuning with things like BFD failover is much faster!
Fabric is good because the control of aircraft ISIS and its operation is admirable, but could say the same for the OTV.
Lets say one of the DCI links had to die, the transmission of the tissue path would continue through the other links, then perhaps for low latency, high frequency, environments that would be beneficial. OTV will change the EDA and re - learn mac, announced by other AEDS, addresses, but as I said, the time could be extremely minimal and tuning. This isn't a big deal, unless you need under second time convergence!
I hope that I have answered your questions, I recommend use for your DCI OTV, use the path of fabric for your inside of local switching in your DC. This has been implemented repeatedly and the links I sent you the models validated Cisco also point out.
Remember - fabric has been built to be a step towards TRILL, and replacement of protocols spanning-tree, OTV was built especially for the dci. They are both built and examples of specific design. It makes no sense to get these confused or mixed up, unless there is a real and pressing the case.
Joel conclusion is right, use the right tools for the job. If the use case is good for the FP then OK, if not, OTV.
Rcmnd - reading http://www.packetmischief.ca/2013/04/23/DCI-series-overlay-transport-vir...
These are just my thoughts.
Bilal (CCIE #45032)
-
Connection between Windows media center and Xbox is lost when you try to watch movies
I start watching movies via the windows media center and after a few minutes it turns off and it says that the connection between my pc and the xbox has been lost, I have previously watched movies like this with no problems and have not changed the settings of any sort help it would be appreciated
Hi samperry,
What is you receive the exact error message?
Method 1: You can follow the steps mentioned in the article below
What happens if the connection to the Windows Media Center computer is lost?Method 2: You can see the steps outlined in the article below, which deals with a similar question
Error: Session Terminated (when connecting a console Xbox 360 to a computer running Windows Media Center)
http://support.Microsoft.com/kb/911123 -
. For example, I need to calculate the difference between a date column, 'Table_Name '. "' Column_Name ' and (Current_Date-1). I tried different ways to do this. But nothing seems to work.
Try the below formula.
Replace "Time". "" Date "with your column.
TIMESTAMPDIFF (SQL_TSI_DAY, "Time". "Date", TIMESTAMPADD (SQL_TSI_DAY-1, CURRENT_DATE))
Thank you!
-
Orchestrator 5.1 REPORT-all the virtual machines in the data center and create a CSV file
Hello
What I basically want to do is create a report CSV of all virtual machines in the data center with various information (VMname, domain name FULL, IPaddress, status, data warehouses, tools etc...). The export list in the client feature is insufficient (especially for any KPI report).
Problem: (workflow is still under construction so real email send does not not and need to clean the code)
I am stuck at the part of the creation of a table that can be parsed correctly in the CSV file. 2 ways I've tried will produce a report of single object or combine all of the table into a single string (where I am now). I think the main problem I have is that I have to create a 2D within my service to push toward the final table that is written to the CSV format. Basically, I do not understand how to push my variables in a loop of a table.
Any help or assistance?
Thank you
B
BOOM!
Added some comments, removed the hardcoded in the csv temp file, deleted path the hardcoded port 25 for SMTP - mail settings should come from the configuration of the MAIL plug-in. And fixed / confirmed that the workflow now includes the attachment for e-mail and ends with success!
-
Site to Site VPN between 5510 and 5505
Am trying to get a VPN site-to site and the race between a branch office and our main office. I have the settings in place, but I'm trying to determine if it's my settings or the provider DSL, Verizon.
They have a 5505 with a static IP is connected by cable modem. Their 5505 I can ping external IP of my 5510 without problem. All the settings are correct on both sides; they reflect the same settings and yet static VPN is not launched.
Is there some sort of CLI command I must issue to bring it?
Also, I was wondering if maybe my 2821 prevents all VPN traffic because it doesn't have to be re - NAT'ed to the 192.168.250.0/23 and 192.168.252.0/24 subnets.
Simply to traffic of their 192.168.40.0 in our 192.168.250.0/23 VOIP subnet subnet.
Join a basic outline. I can provide the configs for almost everything
Hello
you have two instances of sequence card crypto with parameters similar (except transform set). Get rid of the rest of sequences card crypto:
On the ASA Satellite:
no card crypto outside_map 2 match address outside_cryptomap
no card crypto outside_map 2 set pfs
no card crypto outside_map 2 peers set smivpn.sorensonmedia.com
no card crypto outside_map 2 the transform-set ESP-3DES-MD5 value
No crypto outside_map 2 set security-association life card seconds 28800
No kilobytes of life card crypto outside_map 2 set security-association 4608000
no card crypto outside_map 2 the value reverse-road
About the ASA company:
No crypto outside_map 1 game card address outside_1_cryptomap_1
no card crypto outside_map 1 set pfs
no card crypto outside_map 1 set cda.asa5505 counterpart
no card crypto outside_map 1 the value transform-set ESP-3DES-SHA
no card crypto outside_map 1 lifetime of security association set seconds 28800
No kilobytes of life card crypto outside_map 1 set security-association 4608000
no card crypto outside_map 1 the value reverse-road
Then check and capture debugs.
HTH
Sangaré
Maybe you are looking for
-
Netflix constantly buffering?
OK so I have the blu - ray Sony BDP-s580 player. Since I bought it a year ago I couldn't netflix almost 100% of the time of the vapor. When start a steam netflix shows my connection speed to 0.9mpbs, and throughout the video, she'll de.6 to 1.0. I ha
-
J053ea HP Envy 17 - using the touchpad and keyboard simultaneously
I just bought the laptop of HP Envy 17 in Windows 8. One problem I have is when running games such as Call of Duty, I need to be able to use the touchpad with the keyboard to control the game properly. It seems that, once I have a key that is presse
-
What windows installation updated kb2419632, on my Windows XP SP3 machine. The update works fine, but after that I restarted, my projects VB6 using DAE fail to connect to the database, reports a Type mismatch. I deleted the update and everything is
-
Pavilion TouchSmart PC 20-f323, how to boot from a DVD?
My client has a 20-f323 HP Pavilion TouchSmart PC with Windows 8 on it and wants to downgrade and install Windows 7 Pro instead. However, my first question is, how to start my Windows 7 Pro DVD on the TouchSmart PC? I can not even find a boot menu o
-
Pavillion dv7 4177nr: VGA output problem and catalyst control start link
I don't know if the problems are related or if I made things worse. It started with an error message on uo start saying that there is a problem with Catalyst Control fail to start. He always allowed did not work me to function normally until, in fr