In case I configure duplicate IP addresses to the same VLAN(two interfaces in VLAN 1100 have IP address 192.168.2.2) I see following ARP messages rapidly(those six messages were received in less than 2ms time-frame)
View 2 RepliesI upgraded a pair of ASA 5520s from ASA 8.3 to ASA 8.4(4) this week and now my DMZ hosts cannot reliably communicate with eachother. I have a DMZ network of 10.20.20.16/28 configured. 10.20.20.17 is the ASA/Gateway and 10.20.20.19 is one host and 10.20.20.20 is another host. These two hosts had no problem communicating with eachother before the upgrade. Now, they usually cannot communicate with eachother. Occasionally they can communicate, but only for a few minutes. What is strange is I never had any access lists for these hosts to talk with eachother before the upgrade (because their traffic to eachother should have never reached the firewall) but now I needed to create an access list on the DMZ interface allowing these two hosts to talk. ICMP works fine, but only if the ACL is in place. TCP rarely works.
View 2 Replies View RelatedI am researching on the behaviors of routers when MTU is increased beyond the MTU set in the routers. Also, when I use jumbo frames instead of normal MTU, how does it affect the network. So, what I plan to do is
LAN_A -- > blackbox --> WAN --------> WAN --> blackbox --> LAN_B
All the traffic coming from LAN_A will be of size 1500 Bytes or less. The blackbox in the center will add an overhead of 4 bytes, recalculate the CRC and transmit the packet on the WAN side. I wanted to know that:
1- if my LAN router and WAN router, both are set at 1500 MTU, then will WAN router drop the packet if it receives a packet greater than 1500B ?
2- If i keep my LAN side to 1500 MTU and I switch my WAN router to Jumbo frames, how will this configuration affect the complete network ? Will it work or not ?
3- I want to add the overhead on every packet coming in from LAN side, so, what options do I have to achieve this goal ?
PS. All types of traffic can come from LAN side.
In the last 8 month I have been upgrated at least 6 Cisco ASA 5505 from 8.2(1) to 8.4(3) without problems, I did a minor changes and all related to rules due a problem with the migration.
View 1 Replies View RelatedWe have a lab network set up with a 7609 router as the central core. Scenario: Laptop with a SIP client. In the lab is a session border controller that will route signaling and media to a SIP gateway with a call agent (172.23.112.201) and a media "handler" (172.23.113.6). The call processing device will forward packets to an RF network (108.x.x.x) where an NCS cable modem sits.Call signaling works perfectly fine. However, RTP traffic from the laptop to the NCS phone is getting routed incorrectly. RTP traffic from the phone to the laptop works fine. [code]
Packet captures show the laptop to phone RTP packets are being routed back towards the corporate router. These time out with ICMP TTL exceeded packets. There are static routes for 172.23.113.0/27 to the optical interfaces that go to the SIP gateway. Interestingly, I can ping an IP on the SIP gateway (not used for media, but is pingable) in that static range (172.23.113.1) just fine from the 7609 (i.e. it's not getting routed to the corporate router). Unfortunately, the IP for the media endpoint on the SIP gateway is not pingable. Config for the 7609 is attached.
I have a weird situation with some switches.
Switch .55 can ssh into Switch .57 but cannot ssh into Switch .56.
Switch 56 can ssh into Switch 55 and ssh into Switch 57
Switch 57 can ssh into Switch 55 and ssh into Switch 56
The software on .56 is:
C3560 Software (C3560-IPBASEK9-M), Version 12.2(55)SE3, RELEASE SOFTWARE (fc1)
I noticed on .56, when I do a show ip ssh I get: SSH Enabled - version 1.5. It doesn't say version 1.99 like the others even when I configure version 2. Is this a bug I am running into?
We have instructed our user community to start their VPN sessions by connecting to our ASA 5520 with a browser to download (if necessary) and initiate the Anyconnect essentials VPN client. Everything was working fine until a few days ago.
We have had several people report the same problem. They connect with the browser, enter their login information and are greeted with our "authorized use only" message by the ASA. Then, instead of downloading (if necessary) and starting the VPN client software, the web page just goes back to the login prompt without displaying any error message. The client software is never downloaded or started.
We've been able to work around this by installing the client software manually (where necessary) and starting the VPN client from the start menu. However, this isn't our preferred solution because this method won't have them automatically picking up updated versions of the VPN client.
We have seen this behavior before when there was a pending Java update that had not been applied. However, that doesn't seem to be the case this time. Clients have recently updated to IE9, but I have personnally been running the Anyconnect client and launching through IE9 for months.
I'm trying to implement some best practices for ASA running on Software Release 8.2 and had a question about the default security-level behavior. Let's say I have 3 interfaces...
-inside (security-level 100)
-dmz (security-level 50)
-outside (security-level 0)
I have an ACL on the inside interface allowing http access to anywhere. Because of the ACL, the implicit higher to lower security level access is nullified. Correct?
I do NOT have any ACL on the dmz interface applied. So, would the servers in the dmz be allowed outbound access to the Internet due to the default higher to lower security level behavior?
Document at url... is quite interesting,One of these goes about the behavior of a switch (2960-S and 3750G) when QoS is not enabled vs the one when QoS is simply enabled with "mls qos".What additional commands, beside "mls qos", would be needed so as to simulate as accurately as possible the switch's behavior when QoS is not enabled?
View 3 Replies View RelatedI have a small business and i have all my computers connected via D-Link Des-1016D, a 16 port fast ethernet desktop switch. Yesterday all stop working the router lights were off, the computers couldn't be reached. so went to a store and bought a new one, but now i find someone that said to me that this could be a simply thing to repair and that i could do it myself. But it's some how impossible for me to just open the case.
View 1 Replies View RelatedI was doing a moving job for relatives and had to set their network back up. In a state of fatigue I plugged a higher voltage cord into the router by mistake. Now, even with the right cord, the power lights won't come on. It still gets hot , so I know electricity is getting inside. I believe I shorted the Zener diode or blew a capacitor and would like to repair. Problem is, the case is smarter than I am, can't see a way to open it. It's a D-Link Model: DIR-615.
View 2 Replies View RelatedIn setup for old RV042 (V1), when updating / adding Mac addresses, the table is always sorted by IP addresses. But in the new oneRV042 (V3) I have, even with latest firmware 4.2.1.02 the list is random, thereby increasing the chance of user entering DUPLICATE IP addr with diff Mac addr. That will result in conflict.If the firmware sorts the DHCP entries by ip addresses, user would be able to catch duplicate ip errors even if the system does not flag the errors. All Cisco smart engineers can you all get the dhcp entries SORT by ip addresses.
View 2 Replies View RelatedI configure multiple static RPs and one of the ACLs denies a source will it move on to the next entry that covers it in another acl? [code] i.e. 1.1.1.1 will be used as the RP for 224 to 238 and 2.2.2.2 will be used as the RP for 239.Will that work correctly, i.e. if a source is trying to register with the router and its for the group 239.1.1.1, will it be denied against the first RP and then permitted against the second RP?
View 2 Replies View RelatedI had bued a WRP400-G2 device today and found 3 problems here (after upgrade firmware to latest). But biggest problem is that I can't open a bug case in TAC becouse I bued device from retailer and have only one year warranty. Is it possible to contact technical support of Cisco by email or Web site? It will be a problem to contact cisco support by call.
View 4 Replies View RelatedWe have 5 wap54g and before few days I got below mention issue.
This is the issue with the MAC-address of the Linksys Access points. After resetting the APs to the Factory default mode, all the APs MACaddress has changed to one particular MAC id I.e. 00-90-4C-91-00-01.whether I was using mac security function earlier.And let me know how to raise a case in cisco small business .
In case customers buy IP transit(there is a BGP session between ISP and customer), they often ask for default route and for example prefixes from local internet-exchanges. What is the advantage to have default route + certain smaller(for example /17, /18 and /24) prefixes?
View 4 Replies View RelatedI understand that on ACSv5 you can use either "show udi" or "show inventory" to find out the S/N of your ACS appliance....i.e. the S/N that you will use to open a TAC case....however, this particular install is a VM install and when I type either of those commands, under S/N the only thing I see is this: Serial: Cisco-VM-SN.how can I actually locate the S/N of ACS ona VM install to open a case with TAC?
View 1 Replies View Relatedwe have a new ACS 5.2 server, and are having a problem with the case sensitivity of ACS. Basically, what is happening is that some users are capitalizing the first letter of their AD username, and it's causing ACS to deny their access due to the case of their username. For example:
Username yyy0h22 grants admin access to a device. However, Username Yyy0h22 denies access to a device.
Is there a way to make it so that no matter uppercase or lowercase, we are giving this person access? Without having to make a different rule for each permutation?
I've just been testing QOS on 3560 with version 15.0(1) and it seems the the default qos trust behavior on access ports has changed. By default the trust state of a port is not to trust anything, however rather than rewriting the DSCP value of the incoming packets and settign it to 0 the switch now seems to leave the DSCP value unchanged.
SW04-C3560(config)# do sh mls qos int g0/2
GigabitEthernet0/2
trust state: not trusted
trust mode: not trusted
trust enabled flag: ena
[Code]......
I have a 4507R that will be using track and sla for failover/failback on two WAN circuits going out of my switch. Is there a way to configure an email notification, or some other sort of notification to let me know which route is being used, especially when the failover kicks over to by backup route.
View 2 Replies View RelatedCan't get my router to reognize my usb3.0 ssi 1359ru raid kabinett.
View 1 Replies View RelatedI want to configure a Cisco Wireless Lan Controller (4400 and 5500 series) with to data ports for failover? I think the primary and secondary ethernet connections should be configured as trunks. I cannot find anything on CCO about this or on the internet per se. I know how to configure for failover with APs but cannot find anything on how to configure the controller in case an the ethernet port goes down.
View 7 Replies View RelatedI am going to be putting an SG200-08 (8 port switch) inside a 2U rack mount chassis. To enhance cooling I thought I would remove the outer case. Are there, or would there be any issues with using the switch with the cover removed?
View 2 Replies View RelatedWe have one core switch and we are planning to add a 6509. Both are none VSS.All the access switches are Catalyst 3560 series.
We plan to have all 3560s to have a link to each of the core. Without VSS, it is not possible to etherchannel to both core switches correct?What protocol should I configure to prevent in case one core fails? HSRP, VRRP, GLBP?
Do I need to run spanning tree protocol? if so which one?What is the best way to connect from each Catalyst 3560 for load balancing and redundancy? One to each core?
I purchased a WRT160N router last Friday. After setting it up, everything seemed to work fine, but after a couple of hours, the router stopped responding to any requests. The LEDs stayed on as if nothing had happened, but the router was dropping everything coming from both the WAN and a wired LAN interface. Since than, I had to restart it 3 times during the last 3 days.The firmware is 1.53.0, which seems to be the latest firmware for the European market - even when I try to get a newer firmware, this site only offers the US version 1.02.2.Should I update the firmware to the US version 1.02.2 ? Is there any difference between the 1.53.0 and the 1.02.2 version ? Is there a way to restore the original firmware in case the update fails ? I haven't found any link to 1.53.0 version..Also, does this firmware updating affect my warranty ?
View 9 Replies View RelatedI'm seeing a TON of traffic in my ASA logs (via ASDM) indicating the following:"Duplicate TCP SYN from inside: (valid internal address of one of our laptops)/50164 to inside: (address on our other subnet, still trying to trace it)/9100 with different initial sequence number"This looks like an attack to me, likely someone's downloaded something they shouldn't have and got an infected laptop. Why it's trying to "call home" to something inside our network is what puzzles me, though.Is there any VALID reason I would see these sort of messages in my log?
View 3 Replies View RelatedEveryday a few of the computer will error with "A duplicate name exists on the network:" A quick Google search shows the same answer EVERYWHERE on the internet. So I changed the names of a few of the computers too something I knew was unique. Still though the problem persists/ it afters the two XP bases computers the most, but my main workstations (windows 7 sp1) has had this error a few times, although it appears to have left for a while. I have a feenas server but Active directory is not turned on.My router is a e4200. I was using DHCP server on there (and would very much still like to) although I have turning it off, rebooted both the router and the computers but to no avail.
View 19 Replies View RelatedI'm running web server on Linux Redhat when i run
# /etc/init.d/tomcat status
I got a number of lines:
warning, got duplicate tcp line
warning, got duplicate tcp line
warning, got duplicate tcp line
warning, got duplicate tcp line
Tomcat running in normal mode Also , I can see that Tomcat unstability makes some strange behaviour in the system overall.
I have tried changing adapter settings, did the ipconfig /release, renew and still no luck.
View 1 Replies View RelatedCisco 2500 series access servers show line usage with the "show line" command:
View 2 Replies View RelatedWe have LMS 4.2 installed and added devices;Now if for example a device is not reachable we get two messages with same failure ;only the component name is different
- one event with "dns" in component name
- one with "dns(ip)" in component name
dns == hostname
Using windows xp. how do i find and delete network name?
View 1 Replies View RelatedI am installing a advance ip service licnese on cisco 861 router but it gives the following error message
Router#license install flash:FCZ143294BM_20110221232946625.licInstalling licenses from "flash:FCZ143294BM_20110221232946625.lic"Installing...Feature:advsecurity...Failed:% Error: Duplicate licenseInstalling...Feature:advipservices...Failed:% Error: Duplicate license0/2 licenses were successfully installed2/2 licenses were existing licenses0/2 licenses were failed to install
Router#
Also show ver shows the following
License Information for 'c860-data' License Level: advsecurity Type: Permanent Next reboot license Level: advsecurity