Site to Site VPN between ISR4331(Data Center) and 25 branches with RV042 and dynamic public IP address

Similar Questions

• Site to Site VPN between Cisco ASA 5505 and Sonicwall TZ170

  I'm trying to implement a VPN site-to site between our data center and office.  The data center has a Cisco ASA 5505 and the Office has a Sonicwall TZ170.  I managed to configure the two so that the vpn connects.  Each of the firewall I ping the IP Address of the internet firewall on the other side and a desktop computer I can ping the IP Address of the firewall internal datacenter but I can't carry traffic between private subnets datacenter and desktop.  Can anyone help?

  The config below has had IPs/passwords has changed.

  External Datacenter: 1.1.1.4

  External office: 1.1.1.1

  Internal data center: 10.5.0.1/24

  Internal office: 10.10.0.1/24

  : Saved
  :
  ASA Version 8.2 (1)
  !
  hostname datacenterfirewall
  mydomain.tld domain name
  activate the password encrypted
  passwd encrypted
  names of
  name 10.10.0.0 OfficeNetwork
  10.5.0.0 DatacenterNetwork name
  !
  interface Vlan1
  nameif inside
  security-level 100
  10.5.0.1 IP address 255.255.255.0
  !
  interface Vlan2
  nameif outside
  security-level 0
  1.1.1.4 IP address 255.255.255.0
  !
  interface Ethernet0/0
  switchport access vlan 2
  !
  interface Ethernet0/1
  !
  interface Ethernet0/2
  !
  interface Ethernet0/3
  !
  interface Ethernet0/4
  !
  interface Ethernet0/5
  !
  interface Ethernet0/6
  !
  interface Ethernet0/7
  !
  passive FTP mode
  clock timezone IS - 5
  clock to summer time EDT recurring
  DNS server-group DefaultDNS
  buydomains.com domain name
  permit same-security-traffic inter-interface
  permit same-security-traffic intra-interface
  inside_access_in list extended access permit icmp any one
  inside_access_in list extended access permitted tcp a whole
  inside_access_in list extended access udp allowed a whole
  inside_access_in of access allowed any ip an extended list
  outside_access_in list extended access permit icmp any one
  outside_access_in list extended access udp allowed any any eq isakmp
  IP DatacenterNetwork 255.255.255.0 OfficeNetwork 255.255.255.0 allow Access-list extended pixtosw
  pixtosw list extended access allow icmp DatacenterNetwork 255.255.255.0 OfficeNetwork 255.255.255.0
  IP OfficeNetwork 255.255.255.0 DatacenterNetwork 255.255.255.0 allow Access-list extended pixtosw
  pixtosw list extended access allow icmp OfficeNetwork 255.255.255.0 DatacenterNetwork 255.255.255.0
  outside_cryptomap_66.1 list of allowed ip extended access all OfficeNetwork 255.255.255.0
  outside_cryptomap_66.1 ip OfficeNetwork 255.255.255.0 allowed extended access list all
  outside_cryptomap_66.1 list extended access permit icmp any OfficeNetwork 255.255.255.0
  outside_cryptomap_66.1 list extended access allowed icmp OfficeNetwork 255.255.255.0 everything
  pager lines 24
  Enable logging
  asdm of logging of information
  Within 1500 MTU
  Outside 1500 MTU
  IP verify reverse path to the outside interface
  ICMP unreachable rate-limit 1 burst-size 1
  ASDM image disk0: / asdm - 623.bin
  don't allow no asdm history
  ARP timeout 14400
  NAT-control
  Global 1 interface (outside)
  NAT (inside) 1 0.0.0.0 0.0.0.0
  inside_access_in access to the interface inside group
  Access-group outside_access_in in interface outside
  Route inside 0.0.0.0 0.0.0.0 1.1.1.1 1
  Route OfficeNetwork 255.255.255.0 outside 1.1.1.1 1
  Timeout xlate 03:00
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-registration DfltAccessPolicy
  Enable http server
  http 10.5.0.0 255.255.255.0 inside
  No snmp server location
  No snmp Server contact
  Server enable SNMP traps snmp authentication linkup, linkdown cold start
  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
  Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
  Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
  Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
  Crypto ipsec transform-set esp-aes-256 walthamoffice, esp-sha-hmac
  life crypto ipsec security association seconds 28800
  Crypto ipsec kilobytes of life - safety 4608000 association
  Crypto dynamic-map ciscopix 1 corresponds to the address outside_cryptomap_66.1
  Crypto dynamic-map ciscopix 1 transform-set walthamoffice
  Crypto dynamic-map ciscopix 1 the value reverse-road
  map dynmaptosw 66-isakmp ipsec crypto dynamic ciscopix
  dynmaptosw interface card crypto outside
  crypto isakmp identity address
  crypto ISAKMP allow outside
  crypto ISAKMP policy 10
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400
  crypto ISAKMP policy 13
  preshared authentication
  aes-256 encryption
  sha hash
  Group 2
  lifetime 28800
  crypto ISAKMP policy 30
  preshared authentication
  aes-256 encryption
  sha hash
  Group 2
  life 86400
  No encryption isakmp nat-traversal
  Telnet 10.5.0.0 255.255.255.0 inside
  Telnet timeout 5
  SSH 10.5.0.0 255.255.255.0 inside
  SSH timeout 5
  Console timeout 0
  management-access inside
  dhcpd address 10.5.0.2 - 10.5.0.254 inside
  dhcpd allow inside
  !

  a basic threat threat detection
  Statistics-list of access threat detection
  no statistical threat detection tcp-interception
  NTP server 66.250.45.2 source outdoors
  NTP server 72.18.205.157 source outdoors
  NTP server 208.53.158.34 source outdoors
  WebVPN
  attributes of Group Policy DfltGrpPolicy
  VPN-idle-timeout no
  username admin password encrypted
  tunnel-group 1.1.1.1 type ipsec-l2l
  tunnel-group 1.1.1.1 ipsec-attributes
  pre-shared-key *.
  !
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  message-length maximum 512
  !
  context of prompt hostname
  Cryptochecksum:7f319172e5de9c0e550804a263f8e49e
  : end

  Mattew, obvious lack of education is the rule exempt from nat for your tunnel, your access list pixtosw is similar on this example, I assume that you have gone through this link, if it does not see the configs on both sides.

  Add the statement of rule sheep in asa and try again.

  NAT (inside) 0-list of access pixtosw

  http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a008052c9d4.shtml

  Concerning

• Troubleshooting IPSec Site to Site VPN between ASA and 1841

  Hi all

  in the past I've implemented several VPN connections between the devices of the SAA. So I thought a site link between an ASA site and 1841 would be easier... But it seems I was mistaken.

  I configured a VPN Site to Site, as it has been described in the Document ID: SDM 110198: IPsec Site to Site VPN between ASA/PIX and an example of IOS Router Configuration (I have not used SDM but CCP).

  I have run the wizards on the ASA with ASDM and the current IOS version 15.1 1841, with CCP.

  It seems to Phase 1 and 2 are coming although my ASA in ADSM reports (monitoring > VPN > VPN statistics > Sessions) a tunnel established with some of the Tx traffic but 0 Rx traffic),

  On the ASA:

  Output of the command: "sh crypto ipsec its peer 217.xx.yy.zz.

  address of the peers: 217.86.154.120
  Crypto map tag: VPN-OUTSIDE, seq num: 2, local addr: 62.aa.bb.cc

  access extensive list ip 192.168.37.0 outside_2_cryptomap_1 allow 255.255.255.0 172.20.2.0 255.255.255.0
  local ident (addr, mask, prot, port): (LAN-A/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (LAN-G/255.255.255.0/0/0)
  current_peer: 217.xx.yy.zz

  #pkts program: 400, #pkts encrypt: 400, #pkts digest: 400
  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 400, comp #pkts failed: 0, #pkts Dang failed: 0
  success #frag before: 0, failures before #frag: 0, #fragments created: 0
  Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
  #send errors: 0, #recv errors: 0

  local crypto endpt. : 62.aa.bb.cc, remote Start crypto. : 217.xx.yy.zz

  Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
  current outbound SPI: 39135054
  current inbound SPI: B2E9E500

  SAS of the esp on arrival:
  SPI: 0xB2E9E500 (3001672960)
  transform: esp-3des esp-sha-hmac no compression
  running parameters = {L2L, Tunnel, PFS 2 group}
  slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
  calendar of his: service life remaining (KB/s) key: (4374000/1598)
  Size IV: 8 bytes
  support for replay detection: Y
  Anti-replay bitmap:
  0x00000000 0x00000001
  outgoing esp sas:
  SPI: 0 x 39135054 (957567060)
  transform: esp-3des esp-sha-hmac no compression
  running parameters = {L2L, Tunnel, PFS 2 group}
  slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
  calendar of his: service life remaining (KB/s) key: (4373976/1598)
  Size IV: 8 bytes
  support for replay detection: Y
  Anti-replay bitmap:
  0x00000000 0x00000001

  Output of the command: "sh crypto isakmp his."

  HIS active: 4
  Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
  Total SA IKE: 4

  IKE Peer: 217.xx.yy.zz
  Type: L2L role: initiator
  Generate a new key: no State: MM_ACTIVE

  On the 1841

  1841 crypto isakmp #sh its
  IPv4 Crypto ISAKMP Security Association
  DST CBC conn-State id
  217.86.154.120 62.153.156.163 QM_IDLE 1002 ACTIVE

  1841 crypto ipsec #sh its

  Interface: Dialer1
  Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120

  protégé of the vrf: (none)
  local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
  current_peer 62.153.156.163 port 500
  LICENCE, flags is {origin_is_acl},
  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
  #pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  Errors #send 0, #recv 0 errors

  local crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
  Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
  current outbound SPI: 0xB2E9E500 (3001672960)
  PFS (Y/N): Y, Diffie-Hellman group: group2

  SAS of the esp on arrival:
  SPI: 0 x 39135054 (957567060)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
  calendar of his: service life remaining (k/s) key: (4505068/1306)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:
  SPI: 0xB2E9E500 (3001672960)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
  calendar of his: service life remaining (k/s) key: (4505118/1306)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  outgoing ah sas:

  outgoing CFP sas:

  Interface: virtual Network1
  Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120

  protégé of the vrf: (none)
  local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
  current_peer 62.153.156.163 port 500
  LICENCE, flags is {origin_is_acl},
  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
  #pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  Errors #send 0, #recv 0 errors

  local crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
  Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
  current outbound SPI: 0xB2E9E500 (3001672960)
  PFS (Y/N): Y, Diffie-Hellman group: group2

  SAS of the esp on arrival:
  SPI: 0 x 39135054 (957567060)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
  calendar of his: service life remaining (k/s) key: (4505068/1306)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:
  SPI: 0xB2E9E500 (3001672960)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
  calendar of his: service life remaining (k/s) key: (4505118/1306)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  outgoing ah sas:

  outgoing CFP sas:

  It seems that the routing on the 1841 is working properly as I can tear down the tunnel and relaunch in scathing a host on the network of 1841, but not vice versa.

  Trounleshoot VPN of the 1841 report shows a message like "the following sources are forwarded through the interface card crypto.      (172.20.2.0 1) go to "Configure-> routing" and correct the routing table.

  I have not found an error on the 1841 config so if one of the guys reading this thread has an idea I appreciate highly suspicion!

  It's the running of the 1841 configuration

  !
  version 15.1
  horodateurs service debug datetime msec
  Log service timestamps datetime msec
  encryption password service
  !
  host name 1841
  !
  boot-start-marker
  start the system flash c1841-adventerprisek9 - mz.151 - 1.T.bin
  boot-end-marker
  !
  logging buffered 51200 notifications
  !
  AAA new-model
  !
  !
  AAA authentication login default local
  !
  AAA - the id of the joint session
  !
  iomem 20 memory size
  clock timezone PCTime 1
  PCTime of summer time clock day March 30, 2003 02:00 October 26, 2003 03:00
  dot11 syslog
  IP source-route
  !
  No dhcp use connected vrf ip
  !
  IP cef
  no ip bootp Server
  IP domain name test
  name of the IP-server 194.25.2.129
  name of the IP-server 194.25.2.130
  name of the IP-server 194.25.2.131
  name of the IP-server 194.25.2.132
  name of the IP-server 194.25.2.133
  No ipv6 cef
  !
  Authenticated MultiLink bundle-name Panel
  !
  !
  object-group network phone
  VoIP phone description
  Home 172.20.2.50
  Home 172.20.2.51
  !
  redundancy
  !
  !
  controller LAN 0/0/0
  atm mode
  Annex symmetrical shdsl DSL-mode B
  !
  !
  crypto ISAKMP policy 1
  BA 3des
  preshared authentication
  Group 2
  isakmp encryption key * address 62.aa.bb.cc
  !
  !
  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
  !
  map SDM_CMAP_1 1 ipsec-isakmp crypto
  Description Tunnel to62.aa.bb.cc
  the value of 62.aa.bb.cc peer
  game of transformation-ESP-3DES-SHA
  PFS group2 Set
  match address 100
  !
  !
  !
  interface FastEthernet0/0
  DMZ description $ FW_OUTSIDE$
  10.10.10.254 IP address 255.255.255.0
  IP nat inside
  IP virtual-reassembly
  automatic duplex
  automatic speed
  !
  interface FastEthernet0/1
  Description $ETH - LAN$ $FW_INSIDE$
  IP 172.20.2.254 255.255.255.0
  IP access-group 100 to
  IP nat inside
  IP virtual-reassembly
  IP tcp adjust-mss 1412
  automatic duplex
  automatic speed
  !
  ATM0/0/0 interface
  no ip address
  No atm ilmi-keepalive
  !
  point-to-point interface ATM0/0/0.1
  PVC 1/32
  PPPoE-client dial-pool-number 1
  !
  !
  interface Dialer1
  Description $FW_OUTSIDE$
  the negotiated IP address
  IP mtu 1452
  NAT outside IP
  IP virtual-reassembly
  encapsulation ppp
  Dialer pool 1
  Dialer-Group 2
  PPP authentication chap callin pap
  PPP chap hostname xxxxxxx
  PPP chap password 7 xxxxxxx8
  PPP pap sent-name of user password xxxxxxx xxxxxxx 7
  map SDM_CMAP_1 crypto
  !
  IP forward-Protocol ND
  IP http server
  local IP http authentication
  IP http secure server
  !
  !
  The dns server IP
  IP nat inside source static tcp 10.10.10.1 808 interface Dialer1 80
  IP nat inside source static tcp 10.10.10.1 25 25 Dialer1 interface
  IP nat inside source overload map route SDM_RMAP_1 interface Dialer1
  IP nat inside source overload map route SDM_RMAP_2 interface Dialer1
  IP route 0.0.0.0 0.0.0.0 Dialer1 permanent
  !
  logging trap notifications
  Note category of access list 1 = 2 CCP_ACL
  access-list 1 permit 172.20.2.0 0.0.0.255
  Note access-list category 2 CCP_ACL = 2
  access-list 2 allow 10.10.10.0 0.0.0.255
  Note access-list 100 category CCP_ACL = 4
  Note access-list 100 IPSec rule
  access-list 100 permit ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
  Note CCP_ACL the access list 101 = 2 category
  Note access-list 101 IPSec rule
  access-list 101 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
  access-list 101 permit ip 172.20.2.0 0.0.0.255 any
  Note access-list 102 CCP_ACL category = 2
  Note access-list 102 IPSec rule
  access-list 102 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
  access-list 102 permit ip 10.10.10.0 0.0.0.255 any
  !

  !
  allowed SDM_RMAP_1 1 route map
  corresponds to the IP 101
  !
  allowed SDM_RMAP_2 1 route map
  corresponds to the IP 102
  !
  !
  control plan
  !
  !
  Line con 0
  line to 0
  line vty 0 4
  length 0
  transport input telnet ssh
  !
  Scheduler allocate 20000 1000
  NTP-Calendar Update
  NTP 172.20.2.250 Server prefer
  end

  As I mentioned previously: suspicion is much appreciated!

  Best regards

  Joerg

  Joerg,

  ASA receives not all VPN packages because IOS does not send anything.

  Try to send packets to the 1841 LAN to LAN of the ASA and see is the "sh cry ips its" on the 1841 increments the encrypted packets (there not)

  The problem seems so on the side of the router.

  I think that is a routing problem, but you only have one default gateway (no other channels on the router).

  The ACL 100 is set to encrypt the traffic between the two subnets.

  It seems that the ACL 101 is also bypassing NAT for VPN traffic.

  Follow these steps:

  Try running traffic of LAN router inside IP (source of ping 192.168.37.x 172.20.2.254) and see if the packages are not through the translation and obtaining encrypted.

  I would also like to delete 100 ACL from the inside interface on the router because it is used for the VPN. You can create an another ACL to apply to the interface.

  Federico.

• Branch 5505, 1 circuit ISP, Dual - peer VPN Configuration for Data Center & Track Options

  Hi all

  I have a data center with two lines of ISP redundancy and two ASA 5520 for redundancy VPN to my branches.  Each of my branches has 1 ASA 5505 with a base license and 1 ISP circuit. Currently all my VPN tunnels are built for data center main circuit ISP only, so if one goes down, I'm toast.  I need to fix this. Problem is, I don't know how I can control failover on 5505 with 1 single line branch.  Please see my picture for an example of how he looks at it right now.

  So the problem is that the data center LAN my branch has to go to is identical regardless of which circuit of data center is in the. And I know the ASA rules say only 1 VPN tunnel can be active at a time if flow are the same.  So in this case, I know you usually do:

  card crypto outside_map 1 set 12.x.xxx.20 50.xxx.xx.190 counterpart

  and then configure route followed to control when cut down the primary counterpart and turn back up by peers. But where I have only 1 ISP on the side of the branch, I'll only have 1 default route: route outside 0.0.0.0 0.0.0.0 3.3.3.2 1, will be used that the active end counterpart is the primary or the secondary data center. Also, since I did not have a second track, I can't configure followed on the main road with an SLA that defines the trigger conditions, because there is nothing to ensure the follow-up of the routing.

  How is - a would handle a situation like this? Are there other features that can be taken off the roads?  I really need to be able to define "num-package 5 ' in ALS so my sites are not beat all day, but once again, without something to follow, I can't really set up a meaningful SLAS.  Any help is appreciated.

  Thanks for the additional explanation. It helps to clarify your environment. EIGRP running on the Remote would be a nice option, but I'm not sure that it is supported on the SAA. I ran EIGRP to remote peers using IOS routers (using the two ACCORD with IPsec and VTI tunnels tunnels) and it was very effective. But on the SAA, I believe that we must seek an alternative.

  It seems to me that using reverse road Injection as part of your VPN site-to-site should work. With IPP the ASA inserts a static route to remote resources when the VPN tunnel is negotiated and traffic can flow. If you redistribute the static in EIGRP EIGRP then must learn the ways of any ASA a currently active tunnel. And who should provide the dynamic rollover you need.

  HTH

  Rick

• can we do vMotion between two data center

  Dear team,

  Can we do vMotion between two data center (esxi5, x)

  Can we do SVMotion between two data center (esxi5, x)

  Note: it is not a physical data center, it is a virtual data center

  can we do vMotion between clusters (esxi5.x)

  can we do SVMotion between clusters (esxi5.x)

  concerning

  Mr. VMware

  Can we do vMotion between two data center (esxi5, x)

  NO, you can't.

  Can we do SVMotion between two data center (esxi5, x)

  Yes, as long as data warehouses are shared.

  can we do vMotion between clusters (esxi5.x)

  Yes, as they perform the same CPU families.

  can we do SVMotion between clusters (esxi5.x)

  Yes, as long as data warehouses are shared.

• PowerCLI Script required to identify all clusters in a data center and all hosts within each cluster and calculate it using cpu and ram, avg, min, and max.

  Hi all

  I'm new to powercli and try to create a script to list all clusters in a data center and all hosts in a cluster and calculate min, max and avg cpu usage and ram by the host and cluster. So far, I have tried the below but I can't publish the results of my script.

  $Function = @)
  ForEach ($DataCenter Get-Data Center)
  {
  ForEach ($cluster in ($DataCenter |)) Get - Cluster)) - need help to post the information here and confirm if this is correct or not.
  {
  ForEach ($hosts in ($cluster |)) Get - VMHost))
  {
  ForEach ($vms to ($hosts |)) Get - VM)) - do not know if I called you here functions properly
  {
  $allvms = @)
  $allhosts = @)
  $hosts = get-VMHost
  $vms = get - Vm

  {foreach ($vms in $hosts)
  $hoststat = "" | Select the host name, MemMax, MemAvg, MemMin, CPUMax, CPUAvg, CPUMin
  $hoststat. Host name = $vmHost.name
  
  $statcpu = get-Stat-entity ($vmHost) - start (get-date). AddDays(-30)-Finish (Get-Date) - MaxSamples 10000 - stat cpu.usage.average
  $statmem = get-Stat-entity ($vmHost) - start (get-date). AddDays(-30)-Finish (Get-Date) - MaxSamples 10000 - stat mem.usage.average

  $cpu = $statcpu | Measure-object-property value - average - Maximum - Minimum
  $mem = $statmem | Measure-object-property value - average - Maximum - Minimum
  
  $hoststat. CPUMax = $cpu. Maximum
  $hoststat. CPUAvg = $cpu. Average
  $hoststat. CPUMin = $cpu. Minimum
  $hoststat. MemMax = $mem. Maximum
  $hoststat. MemAvg = $mem. Average
  $hoststat. MemMin = $mem. Minimum
  $allhosts += $hoststat
  }
  }
  }
  }
  }

  $Function | Select the host name, MemMax, MemAvg, MemMin, CPUMax, CPUAvg, CPUMin | Export-Csv "c:\Function.csv" - noTypeInformation

  Any help on this is much appreciated.

  [Ordered] casting was introduced in v3 PowerShell.

  For PowerShell v2, you can use

  $vms = get - VM

  $stat = 'cpu.usage.average ','mem.usage.average '.

  $start = (get-Date). AddDays(-31)

  $report = get-Stat-entity $vms - start $start - Stat $stat - ErrorAction SilentlyContinue |

  Group-object - property {$_.} @entity.name} | %{

  $cpu = $_. Group | where {$_.} MetricId - eq "cpu.usage.average"} | Measure-object-property value - average - Maximum - Minimum

  $mem = $_. Group | where {$_.} MetricId - eq "mem.usage.average"} | Measure-object-property value - average - Maximum - Minimum

  New-object PSObject-property @ {}

  Datacenter = Get-Datacenter - VM $_. Group [0]. Entity | Select the name of ExpandProperty-

  Cluster Cluster Get - VM = $_. Group [0]. Entity | Select the name of ExpandProperty-

  VMHost = $_. Group [0]. Entity.Host.Name

  Name = $_. Group [0]. @entity.name

  CpuMin = $cpu. Minimum

  CpuAvg = $cpu. Average

  CpuMax = $cpu. Maximum

  MemMin = $mem. Minimum

  MemAvg = $mem. Average

  MemMax = $mem. Maximum

  }

  }

  $report | Sort-Object-property Datacenter, Cluster, VMHost name |

  Export Csv report.csv - NoTypeInformation - UseCulture

• Problem link DB between active Data Guard and reports application database

  My version of the 11.2.0.2.0 and OS database is Oracle Solaris 10 9/10.
  I am facing a problem in my custody of data Active data base for purposes of tax. Active Data guard information is as below.
  
  SQL > select name, database_role, open_mode from v$ database;
  
  NAME DATABASE_ROLE OPEN_MODE
  --------- ---------------- --------------------
  ORCL PHYSICS READ SHALL ONLY APPLY
  
  Detail of the problem is less than
  ------------------------------
  I have created a db link (name: DATADB_LINK) between active data guard and report of application of data base for purposes of tax.
  SQL > create database DATADB_LINK link to connect to HR identified by HR using 'DRFUNPD ';
  Database link created.
  
  But when I run a query using db link to my database of enforcement report I got this error below.
  
  ORA-01555: snapshot too old: rollback segment number 10 with the name ' _SYSSMU10_4261549777$ ' too small
  ORA-02063: preceding the line of DATADB_LINK
  
  Then I see logfile named database alart Active Data Guard and get below error
  
  ORA-01555 caused by the following SQL statement (SQL ID: 11yj3pucjguc8, time of request = 1 sec, SNA: 0x0000.07c708c3): SELECT "A2". "' BUSINESS_TRANSACTION_REFERENCE ', 'A2 '. "' BUSINESS_TRANSACTION_CODE ', MAX (CASE 'A1'. "TRANS_DATA_KEY"WHEN "feature' AND 'A1'." " END OF TRANS_DATA_VALUE"), MAX (CASE 'A1'. "TRANS_DATA_KEY" WHEN 'otherFeature' THEN 'A1' '. "" END OF TRANS_DATA_VALUE")
  
  But the interesting point if I run the query report directly in the Active Data Guard database, I got never error.
  
  So it's a problem of link DB between active Data Guard and other databases?

  Fazlul Kabir Mahfuz wrote:
  My version of the 11.2.0.2.0 and OS database is Oracle Solaris 10 9/10.
  I am facing a problem in my custody of data Active data base for purposes of tax. Active Data guard information is as below.

  SQL > select name, database_role, open_mode from v$ database;

  NAME DATABASE_ROLE OPEN_MODE
  --------- ---------------- --------------------
  ORCL PHYSICS READ SHALL ONLY APPLY

  Detail of the problem is less than
  ------------------------------
  I have created a db link (name: DATADB_LINK) between active data guard and report of application of data base for purposes of tax.
  SQL > create database DATADB_LINK link to connect to HR identified by HR using 'DRFUNPD ';
  Database link created.

  But when I run a query using db link to my database of enforcement report I got this error below.

  ORA-01555: snapshot too old: rollback segment number 10 with the name ' _SYSSMU10_4261549777$ ' too small
  ORA-02063: preceding the line of DATADB_LINK

  Then I see logfile named database alart Active Data Guard and get below error

  ORA-01555 caused by the following SQL statement (SQL ID: 11yj3pucjguc8, time of request = 1 sec, SNA: 0x0000.07c708c3): SELECT "A2". "' BUSINESS_TRANSACTION_REFERENCE ', 'A2 '. "' BUSINESS_TRANSACTION_CODE ', MAX (CASE 'A1'. "TRANS_DATA_KEY"WHEN "feature' AND 'A1'." " END OF TRANS_DATA_VALUE"), MAX (CASE 'A1'. "TRANS_DATA_KEY" WHEN 'otherFeature' THEN 'A1' '. "" END OF TRANS_DATA_VALUE")

  But the interesting point if I run the query report directly in the Active Data Guard database, I got never error.

  So it's a problem of link DB between active Data Guard and other databases?

  Check this statement that applies to your environment

  * ORA-01555 on Active Data Guard Standby Database [1273808.1 ID] *.

  also

  http://asktom.Oracle.com/pls/asktom/f?p=100:11:0:P11_QUESTION_ID:8908307196113

• Moving Cluster to new data center and move ASM Lun

  Hello
  
  My question is for an upcoming project. We want to grow our three existing node on our other data Center cluster. Servers will be moved and would re - ip, but Oracle, CRS and ASM houses remain intact.
  
  We have our ASM on EMC Clariion disks. The idea is to use EMC Replication Manager to replicate the LUNS on EMC Clarion in the other data center and to present them to the cluster.
  
  My question is if it looks like a valid plan, or I think to simplistic?
  
  Will keep it even replicated LUN the ASM disk identity and data in order to be recognized and available in start?
  
  In addition, in order to minimize downtime, we want to move a single node of the cluster first, then others do appear later.
  
  Thanks for your opinions.

  Linux-RAC-Admin wrote:
  My question is for an upcoming project. We want to grow our three existing node on our other data Center cluster. Servers will be moved and would re - ip, but Oracle, CRS and ASM houses remain intact.

  We have our ASM on EMC Clariion disks. The idea is to use EMC Replication Manager to replicate the LUNS on EMC Clarion in the other data center and to present them to the cluster.

  My question is if it looks like a valid plan, or I think to simplistic?

  Will keep it even replicated LUN the ASM disk identity and data in order to be recognized and available in start?

  Hello

  To replicate ASMDISK success, all databases in the Diskgroup must be down or in backup mode.
  Replication starts with the online database (IE database in backup mode hot) needs attention, because all data/redo/controlfile files will be copied in use (i.e. corrupt), be necessary will perform database recovery.

  I think that you already have this doc, but I write anyway.
  http://www.EMC.com/collateral/hardware/white-papers/h2104-EMC-CLARiiON-DB-Stor-Sol-Oracle-10G-Oracle-11g-CLARiiON-Stor-repltn-WP.PDF
  >

  In addition, in order to minimize downtime, we want to move a single node of the cluster first, then others do appear later.

  The plan seems good.
  Build a step by step mapping all changes and good luck.

  Kind regards
  Levi Pereira

• 2 one-Site VPN between HQ, Site A and Site B

  Dear brothers,

  Really I need your kindly help on Site 2 Site VPN.

  We have a HQ and 2 Sites (Site A Site & B), and we think to set up VPN Site-2-Site between them now.

  HQ--> 3845 router (will be the hub)--> a given vlan 11 & vlan voice 21

  Site A--> router 2901 (will be the Spoke1)--> a given vlan 12 & vlan voice 22

  Site B--> router 1941 (will be the Spoke2)--> a given vlan 13 & vlan voice 23

  So my questions are:

  1 - when the VPN going up, are only the HQ VLAN data & voice will be able to reach the Site & A B data & Voice VLAN and Vice versa?

  2 - when the VPN is going up, are that the Site has data & Voice VLAN will be able to reach the Site B Data & Voice VLAN and Vice versa?

  Thank you

  Hello

  I think this example explains what you need:http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation...

  Kind regards

  Averroès.

• Site to Site VPN between PIX and Linksys RV042

  I am trying to create a tunnel between a 506th PIX and a Linksys RV042 vpn .  I configured the Phase 1 and Phase 2 as well as the transformation defined and interested traffic and connected to the external interface, but it will not create the tunnel.  Configurations are as follows:

  506th PIX running IOS 6.3

  part of pre authentication ISAKMP policy 40
  ISAKMP policy 40 cryptographic 3des
  ISAKMP policy 40 sha hash
  40 2 ISAKMP policy group
  ISAKMP duration strategy of life 40 86400
  ISAKMP key * address 96.10.xxx.xxx netmask 255.255.255.255
  access-list 101 permit ip 192.168.21.0 255.255.255.0 192.168.1.0 255.255.255.0crypto map Columbia_to_Office 10 ipsec-isakmp
  crypto Columbia_to_Office 10 card matches the address 101
  card crypto Columbia_to_Office 10 set peer 96.10.xxx.xxx
  10 Columbia_to_Office transform-set ESP-3DES-SHA crypto card game
  Columbia_to_Office interface card crypto outside

  Linksys RV042

  Configuration of local groups
  IP only
       IP address: 96.10.xxx.xxx
  Type of local Security group: subnet
  IP address: 192.168.1.0
  Subnet mask: 255.255.255.0

  Configuration of the remote control groups
  IP only
  IP address: 66.192.xxx.xxx
  Security remote control unit Type: subnet
  IP address: 192.168.21.0
  Subnet mask: 255.255.255.0

  IPSec configuration
  Input mode: IKE with preshared key
  Group Diffie-Hellman phase 1: group2
  Phase 1 encryption: 3DES
  Authentication of the phase 1: SHA1
  Life of ITS phase 1: 86400
     
  Phase2 encryption: 3DES
  Phase2 authentication: SHA1
  Phase2 life expectancy: 3600 seconds
  Pre-shared key *.

  I'm a novice on the VPN. Thanks in advance for your expertise.

  Yes, version PIX 6.3 does not support HS running nat or sh run crypto.

  Please please post the complete config if you don't mind.

  Please also try to send traffic between subnets 2 and get the output of:

  See the isa scream his

  See the ipsec scream his

• FabricPath or OTV between two data center using Direct fiber cable

  Hello

  I have two data center both of them has the same equipment N7k, N5k and N2k, and we want the dataCenter being active/active, I'm really confused to use OTV or FabricPath characteristic, if someone can help me with my scenario and explain to me what is the best solution and advantage and disadvantage between OTV and PabrcPath.

  Many thanks in advance

  Hi Steven,

  No problem, I'll go through your points as completely as possible. I advise you to read more about these protocols, maybe if you have access to INE or similar, see their videos on this. I would also like to say again that I have not seen all documentation Cisco indicating that FabricPath to be used as a DCI.

  With regard to the way fabric you ask what follows...

   1. only can use it between two datacenters of you have more we can't, please correct me?

  No, you can use the path of fabric with more than two data centers, but even with OTV, you can use it with more than two data centers.

   2. HSRP localization can not be implemented as OTV. However You can have two differnet Gateways at the Data Center 1 and 2 using two different HSRP groups. If server is moved dynamically from, (i didn't understand this point can you please explain with example?

  OK, so this is a GREAT topic. Location of HSRP CAN be implemented with OTV, but cannot be implemented with fabric path. First hop redundancy protocols can be localized and is supported by Cisco with OTV, this basically allows the same default gateway to reside in two of your data centers providing the ACTIVE/ACTIVE configuration. So no matter where your VM is, they did not change their default, even if gateway your servers to move to the other datacenter.

  If we didn't have this, we would have only an active member of HSRP divided between DC and things would be extremely troublesome in regard to traffic flows. A virtual machine in DC2 VLAN needs to talk to host in VLAN B. But the default gateway is completely in DC1. So frame is sent to the ICD in DC1, then the gateway by default, routes packets VLAN B. This VLAN B lies in fact in DC2, so now it has to go all the way back to DC2. You get my point...? :)

  With localization happen only local to the domain controller. If all servers / VMS in the domain controller can speak locally to its "own" default gateway.

   3. unknown unicast flooding (can you give me an example?)

  Unknown unicast traffic is unicast packets/images with unknown destination mac address. By default, switches are flooding this type of traffic to all ports in the VLAN. With path of fabric that would take place during your DCI, but with OTV, it is all taken care locally, so massive savings on bandwidth here and it is much more effective.

   4. ARP optimization between Data Center (can you give an example regarding ARP optimization?)

  There is another function of OTV, which makes it far superior on the way of tissue. Essentially, we are reducing the volume of traffic passing through the transport infrastructure (i.e. ICD)

  When ARP, host in DC1 to host that responds in DC2, we use links and there is travel time of package that might be minimal, but is not the most optimal. OTV AED - or edge device spy ARP response and subsequently knows that this mapping exists from there. ARP takes place after the first Protocol, the EDA almost proxy ARP to DC1 so the ARP request locally does not have to travel to DC2.

   5. Typically two flows (Odd VLANs by OTV-VDC-1 and even vlans by OTV-VDC-2) carry the entire layer 2 traffic flow between the two Data Centes. Hence the load balancing the links is not efficient. ( (can you explain compare with FabricPath if you have example?)

  IMHO, it's bad and good. Balance the workload of the OTV if you have more than an AED on site. VLAN strange appointment via an AED, even numbered VLAN go through the other. Depending on traffic on VLANs, this could become unbalanced. Fabric used by all its links to mac addresses 'route' to the respective SID - ID switch she needs to do. So perhaps a better uniformity of split here.

   6. VLAN scalability for OTV is lower than FabricPath as of this content writing. (can you explain what this mean i didn't understand it)

  I completely disagree with this comment. I too do not understand.

   7. Resiliency of FabricPath network is better than OTV in some failure scenarios.(can me an example ?)

  I also disagree with that. Resilience of path of fabric could be same as OTV or perhaps better. However, my personal experience is that OTV fine tuning with things like BFD failover is much faster!

  Fabric is good because the control of aircraft ISIS and its operation is admirable, but could say the same for the OTV.

  Lets say one of the DCI links had to die, the transmission of the tissue path would continue through the other links, then perhaps for low latency, high frequency, environments that would be beneficial. OTV will change the EDA and re - learn mac, announced by other AEDS, addresses, but as I said, the time could be extremely minimal and tuning. This isn't a big deal, unless you need under second time convergence!

  I hope that I have answered your questions, I recommend use for your DCI OTV, use the path of fabric for your inside of local switching in your DC. This has been implemented repeatedly and the links I sent you the models validated Cisco also point out.

  Remember - fabric has been built to be a step towards TRILL, and replacement of protocols spanning-tree, OTV was built especially for the dci. They are both built and examples of specific design. It makes no sense to get these confused or mixed up, unless there is a real and pressing the case.

  Joel conclusion is right, use the right tools for the job. If the use case is good for the FP then OK, if not, OTV.

  Rcmnd - reading http://www.packetmischief.ca/2013/04/23/DCI-series-overlay-transport-vir...

  These are just my thoughts.

  Bilal (CCIE #45032)

• Connection between Windows media center and Xbox is lost when you try to watch movies

  I start watching movies via the windows media center and after a few minutes it turns off and it says that the connection between my pc and the xbox has been lost, I have previously watched movies like this with no problems and have not changed the settings of any sort help it would be appreciated

  Hi samperry,

  What is you receive the exact error message?

  Method 1: You can follow the steps mentioned in the article below
  What happens if the connection to the Windows Media Center computer is lost?

  Method 2:  You can see the steps outlined in the article below, which deals with a similar question

  Error: Session Terminated (when connecting a console Xbox 360 to a computer running Windows Media Center)
  http://support.Microsoft.com/kb/911123

• How to calculate the difference between a Date column and the Date yesterday in the analysis (in the formula in the column)

  . For example, I need to calculate the difference between a date column, 'Table_Name '. "' Column_Name ' and (Current_Date-1). I tried different ways to do this. But nothing seems to work.

  Try the below formula.

  Replace "Time". "" Date "with your column.

  TIMESTAMPDIFF (SQL_TSI_DAY, "Time". "Date", TIMESTAMPADD (SQL_TSI_DAY-1, CURRENT_DATE))

  Thank you!

• Orchestrator 5.1 REPORT-all the virtual machines in the data center and create a CSV file

  Hello

  What I basically want to do is create a report CSV of all virtual machines in the data center with various information (VMname, domain name FULL, IPaddress, status, data warehouses, tools etc...).  The export list in the client feature is insufficient (especially for any KPI report).

  Problem: (workflow is still under construction so real email send does not not and need to clean the code)

  I am stuck at the part of the creation of a table that can be parsed correctly in the CSV file.  2 ways I've tried will produce a report of single object or combine all of the table into a single string (where I am now).  I think the main problem I have is that I have to create a 2D within my service to push toward the final table that is written to the CSV format.  Basically, I do not understand how to push my variables in a loop of a table.

  Any help or assistance?

  Thank you

  B

  BOOM!

  Added some comments, removed the hardcoded in the csv temp file, deleted path the hardcoded port 25 for SMTP - mail settings should come from the configuration of the MAIL plug-in. And fixed / confirmed that the workflow now includes the attachment for e-mail and ends with success!

• Site to Site VPN between 5510 and 5505

  Am trying to get a VPN site-to site and the race between a branch office and our main office. I have the settings in place, but I'm trying to determine if it's my settings or the provider DSL, Verizon.

  They have a 5505 with a static IP is connected by cable modem. Their 5505 I can ping external IP of my 5510 without problem. All the settings are correct on both sides; they reflect the same settings and yet static VPN is not launched.

  Is there some sort of CLI command I must issue to bring it?

  Also, I was wondering if maybe my 2821 prevents all VPN traffic because it doesn't have to be re - NAT'ed to the 192.168.250.0/23 and 192.168.252.0/24 subnets.

  Simply to traffic of their 192.168.40.0 in our 192.168.250.0/23 VOIP subnet subnet.

  Join a basic outline. I can provide the configs for almost everything

  Hello

  you have two instances of sequence card crypto with parameters similar (except transform set). Get rid of the rest of sequences card crypto:

  On the ASA Satellite:

  no card crypto outside_map 2 match address outside_cryptomap

  no card crypto outside_map 2 set pfs

  no card crypto outside_map 2 peers set smivpn.sorensonmedia.com

  no card crypto outside_map 2 the transform-set ESP-3DES-MD5 value

  No crypto outside_map 2 set security-association life card seconds 28800

  No kilobytes of life card crypto outside_map 2 set security-association 4608000

  no card crypto outside_map 2 the value reverse-road

  About the ASA company:

  No crypto outside_map 1 game card address outside_1_cryptomap_1

  no card crypto outside_map 1 set pfs

  no card crypto outside_map 1 set cda.asa5505 counterpart

  no card crypto outside_map 1 the value transform-set ESP-3DES-SHA

  no card crypto outside_map 1 lifetime of security association set seconds 28800

  No kilobytes of life card crypto outside_map 1 set security-association 4608000

  no card crypto outside_map 1 the value reverse-road

  Then check and capture debugs.

  HTH

  Sangaré