I have two cisco 2821 routers (12.4(3a)) doing IPSec and I would like to graph (using SNMP) some counters which are shown using "show crypto engine accel stat", however, I have not been able to find which MIB resp. OID I need to acces.
View 9 RepliesIn my test lab , I have a CISCO 1841 with a AIM-VPN/BPII-PLUS board , everything was working fine , until I would like to see the difference with and without the accelerator.Sins the moment that the IOS told me that he will change to SW accelerator instead of HW accelerator , I can not make it work anymore.I have a copy of the full working configuration before I did this , I have put it back on my router but still NO VPN. [code]
View 2 Replies View RelatedI have applied named access-list in output direction on 1GE interface on GSR12400 (IOS XR 3.4),but there is no matches. Counters doesn't increase although access-list blocks or permits certain packets (access-list works as it should).
View 2 Replies View RelatedFor 10 days, I have had massive upload volumes (2 - 7 GB) per day on my home network, not sure why. I am not downloading streaming video or any videos. We have several computers on our network, and I am not sure which one is diong all of this uploading. So, I installed AnalogX Netstat version 2.15 to monitor the stats on my computer, and it shows all totals for incoming and outgoing are "0kb", which I know isn't true.Why isn't it measuring my transmission? I am running Windows 7.
It shows local machine IP x.x.x.x, device All TCP/IP devices, and "remote" worked - I was able to ping url..successfully. But no stats are being measured at all. Not even CPU usage.
I've enabled RDP on a laptop, but I can't connect to it. Pinging the laptop works. nmap shows ports open, but not RDP. netstat on the laptop shows nothing listening on 3389. I've also tried rebooting. [code]
View 1 Replies View RelatedFor a config on a 2821 router with IOS 15.1?I've setup an internal web server and am able to acccess it from outside our network but not from inside (on a separate internal LAN - 192.168.10.0). When on the internal LAN - DNS points to the Public IP for the web server - so we'd need to route through the Public IP to access the web server.
What is the best way to allow access to the web server XX.XX.XX.231 from 192.168.10.0 network?
Related Config Lines to Allow Access to Web Server
NAT
ip nat inside source static tcp 192.168.1.230 80 XX.XX.XX.231 80 extendable
ip nat inside source static tcp 192.168.1.230 443 XX.XX.XX.231 443 extendable
ACL
ip access-list extended WAN
permit tcp any host XX.XX.XX.231 eq 443
permit tcp any host XX.XX.XX.231 eq www
[code]....
The router is 2821 and is setup to perform static NAT from one internal ip address mapping to one external ip address for each of our servers (inside the LAN): [code] Servers all have internal ip addresses and each of them represented to the outside world by their public ip address with above command on the router. Here is the problem.When I'm in a server (for example 192.168.0.210) and try to access other servers by their public ip addresses (i..e. *.*.*.211) the connection fails. However, When i try to access the same server by it's private IP address (i.e. 192.168.0.211) it works!
My issue is i don't want to modify windows host file for a manual mapping (for example mail.mydomian.com goes to 192.168.0.211 rather than *.*.*.211) because we host many domains and just doesn't make sense to do it one by one.So we must be able to access our servers by their public IP addresses in order for us our applications works correctly.
We have 6 brnaches configured with NAC Module in Cisco 2821 ISR router. The WAN link being used to connect all the branch to the HQ CAM is via WIMEX wireless Broadband. The bandwidth is 2MB.OOBVG is the mode used. All branches were working well last 1 year. Last month it is suddently disconnected from the CAM.I opened the TAC. Cisco history of TAC experience, We have total 6 TAC enginners tried one by one still the problem not resolved. The following are the findings
1. Timing is accurate between CAS-CAM
2. Shared secret key correct
3. SSL temp certificate ok also image being used it 4.6.1.
4.Tcpdump from both CAM and shows some initial packet drops of 10 sec with the below CAM log
I believe that NAC is not a matured products and the problem like this even by Cisco TAC can not solve.
We have recently deployed several Ciso 887VAW (IOS 15.1(4)M4) to customer premises and I have come to realise counters show extremely high (not at all accurate) output rate and packets on all of them. [code]
View 2 Replies View RelatedMy customer recently deployed WLCs and WCS in their environment. However, recently they experienced slow performance. To futher finding out the root cause, I generated the 802.11 counters report from the WCS and noticed the following parameters is shown. Tx/Rx Fragment Count/Sec and FCS Error Count/Sec
1. Can I make the assumptions that the overall transfer of packet rate in that interval is the Total of Tx/Rx Fragment Count/Sec and FCS Error Count/Sec?
2. If the output rate of Tx/Rx Fragment Count/Sec and FCS Error Count/Sec are the same, does it mean that 50% of the packet are corrupted and this high FCA Error Count/Sec will cause performance degradation to the wireless througphput?
3. What is the baseline of the FCS Error Count/Sec that is acceptable? As for the case with wired, 1% error rate is acceptable. Will wireless have the same baseline?
Short of rebooting, is there a way to clear this counter on an ASA 5505?
sh int
Traffic Statistics for "inside":
39514338 packets input, 3103793436 bytes
13578097 packets output, 15566854561 bytes
[Code] ....
I notice strange input rates on the interfaces of a 881 router:
show int fa4
..
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec
..
30 second input rate 85000 bits/sec, 11 packets/sec
30 second output rate 16000 bits/sec, 9 packets/sec
221434 packets input, 287889736 bytes
..
..
142286 packets output, 15683576 bytes, 0 underrun
How can 11 packets/sec be 85000 bits/sec -- average packet size of 8KB?. The total packets input (221434 packets versus 287+ MB) also shows this kind of a 10KB+ average packet size. There is ahardly any traffic through the router when the above snapshot was taken so 11 packets/sec sounds right, but not the 85Kbits/sec.
The router is running c880data-universalk9-mz.151-4.M4.bin and config is simple with a single Vlan (inside NAT) with a public IPs on fa4 and a couple of IPs for dynamic NAT. Everything works fine except for these interface counters that look worng.
I have ACS 5.1, I have created a user with privilege 15. I need to allow a single command by command set. I have configured command set. in command set setting i have unchecked "Permit any command that is not in the table below"
and added command as below.
Grant Command Argument
Permit clear counters
its allowing me to run clear counters, good is its not allowing to show run and configuration t commands. And problem is i can run reload command also even show interface commands.I just want to allow clear counters command only.
I am having ACS 5.2. I have to configure a user which would have privilege 7 access and addition to this, a user can run "clear counters" command.how to configure cammand set for "clear counters"?Can i run clear counters by privilege 7?
View 2 Replies View RelatedUsing an ACE 4710 we have a user setup with the Network-Monitor role which allows the user to view config, interface status, etc. We would also like to allow this user to clear the interface error counters as well, but nothing else.
View 2 Replies View RelatedI have a WLC 2106 with 3 APs. Everything works and users can connect, but the throughput seem to be lower than it should (it is around 8Mbps and should be around 30-50Mbps). And all speed and duplex has been accounted for.
I am trying to understand the stats that I see for the 802.11 MAC counters I under the Wireless APs.on the controller.
That screenshot is attached. I see high numbers for the following areas:
- Tx Failed Count
- RTS Failure Count
- FCS Error Count
what these mean and what could cause this? Maybe these are normal and not a concern.
we have a 878 router and we want to mark traffics when entering on its lan interface.its lan interface is a layer 2 interface and we have created vlan interface and assosiated lan interface to that vlan.on vlan interface itself there is no service-policy command so we have to put serive-policy command on interace fast 0 itself which is layer 2 port.when we assign service-policy to fast 0 it doesnt work and it does not mark any traffic also class default counters doesnt increase to indicate any traffic is passing even it is not getting marked. ios version is advipservices.124.9T. How to mark traffic on this port. ii dont know why service-policy command is supported on layer 2 interface when it doesnt work at all.
View 3 Replies View RelatedWe're running a simple policy map on a 3750 stack (IOS version 12.2(53)SE2), but the route-map counters do not show any matches:
NYKIRDRCX01#sh route-map
route-map remote-route, permit, sequence 51
Match clauses:
ip address (access-lists): remoteACL
Set clauses:
ip next-hop 192.168.101.5
Policy routing matches: 0 packets, 0 bytes
However, I've confirmed via our netflow monitor that the traffic we're trying to send to the appropriate next hop is, indeed, getting there correctly.
I've seen issues in the past with a 3750 not reporting counters correctly.
i am new to MPLS on cisco routers. For our interoperability testing i need MPLS tunnel counters output ( data sent out and data received.). i am not able to find this information in cisco user guide. As per standard it is defined in MIB table mplsTunnelPerfTable of stdte.mib.
View 7 Replies View RelatedI am attempting to monitor bandwidth utilization of the WAN port for the RV180 via SNMP and I am getting strange results. If a 256MB file is transferred from a remote server (without compression), the ifInOctets counter doesn't increment by anything resembling 256MB:
$ snmpget -v2c -c public 192.168.1.1 IF-MIB::ifInOctets.5 IF-MIB::ifOutOctets.5
IF-MIB::ifInOctets.5 = Counter32: 365402138
IF-MIB::ifOutOctets.5 = Counter32: 32610053
[Code].....
I'm reasonably certain that the .5 interface is the WAN port based on the value of ipAdEntIfIndex.X.X.X.X, but even if that were not the case, none of the other interfaces increment by a value close to the amount of data transfered. SNMP monitoring of a WAP121 on the same subnet returns expected results. I can only assume that SNMP on the RV180 is completely broken.
The router has the latest firmware available (1.0.1.9). There is only one network connection and the RV180 is the default gateway for all internal hosts.
This is a continuation of my last post in which I need to apply ACLs to the physical ports within Etherchannels. The switch is a Catalyst 2970 running IOS 12.2. These Etherchannels are configured as trunks with 2 VLANS allowed on each trunk.I have applied an inbound ACL on the physical ports that filters based on layer 3 and layer 4 traffic. The issue that I am seeing is that the counters for the ACL are not increasing even though the ACL is clearly doing its job. At the end of the ACL I have an entry of "permit ip any any". Removing this from the list causes connectivity problems to the server on this port. Adding it back and everything is back to normal. However the counters don't increase. At first I thought maybe this wasn't supported on this switch but then I noticed the counter had increased to "2 matches" later in the day. What is the normal behavior is for this switch and does it support logging on an ACL entry as well.
View 2 Replies View RelatedI can't remember clearing the log with a clear counters. Router is a CISCO 3925-CHASSIS (revision 1.1) with C3900-SPE100/K9..System image file is "flash: c3900-universalk9-mz.SPA.150-1.M4.bin"..I did a : clear counters, enter. got this standard message >> Clear "show interface" counters on all interfaces [confirm], enter and it CLEARED the LOG BUFFER as well !!!! never seen that before. Its a newly turned up router, repurposed from another part of our network.
View 1 Replies View RelatedIve got a 494810ge switch, and this parameters are important for me:
sh int gi 1/4 counters detail
Port InBytes InUcastPkts InMcastPkts InBcastPkts
Gi1/4 252819467437788 173264735013 10827 760
Port OutBytes OutUcastPkts OutMcastPkts OutBcastPkts
Gi1/4 36657317030233 280590958051 5248439 5443194
Port InPkts 64 OutPkts 64 InPkts 65-127 OutPkts 65-127
Gi1/4 558420918 205564441592 2627477631 60865368994
[code]....
Some parameters i can get by snmp (InBytes,InUcastPkts,InMcastPkts, and so on from out), but how can i take other parameters? I would like to do it by snmp but i did not find proper oids. Now I making a sheme like this: eem every 90 seconds takes this info and writes it down to file into nvram and then send it by scp to server, where file is processed by monitoring system script. It is not very good, cause cisco system cpu sometimes spikes of this and i dont know a resourse of nvram, how much times can i write to it?
I've got an SG300-10 connected back to back (trunked) with a Cisco 3560X switch, across a fibre link and am seeing some big inconsistencies in terms of unicast data transferred across the ports between them.
During a night time window of 4am - 6am I run backups which involves a large copy of files, that almost saturates a GigE link - we can see from the 3560X end that the link is running at a bit over 800MBit/sec of throughput, sustained. The duration of this transfer is consistent with the size of the files being transferred (ie just over an hour, and is what I'd expect for a data transfer of about that amount). Back-of-the-envelope calculations indicate that the 3560X is measuring this data throughput correctly.
However on the SG300 end of the link, which is also being polled by the same application (Cacti), I'm observing spikey counts of only around 20MBit/sec during that window. These counters are very obviously incorrect - there's a huge amount more data moving across the port than that. The incorrect calculations are showing on both the trunk port out of the SG300 (uplink) as well as the interface where the NAS is connected in (which is an access port).
Cacti is polling the OID: .1.3.6.1.2.1.2.2.1.16.57 which translates to IF-MIB::ifOutOctets.57 = Counter32.I'm running version 1.3.0.62 but this problem is not new to this release - previous releases and 1.2 based releases also had this problem.
It looks like multicast traffic may be being counted correctly (that's only a suspicion though), however what I am certain of is that there is a very large discrepancy with the unicast traffic counts.Is this OID the correct one to be using for this switch?
how I can check the qos counters and stats for interfaces on my cat 6509 ?
View 1 Replies View Relatedwhich models of HP ProCurve or Dell PowerConnect support 64-bit IF-MIB counters, or for that matter any other manufacturer (Zyxel?) (snmpv2 or v3, OID .1.3.6.1.2.1.31.1.1.1.6)I believe pretty much any Cisco Catalyst above a 2950 do, however don't believe any of the SG series do. I realize I could pick up a 2960G for $1500-2k and be good to go, but I forsee a larger switch purchase in the future, but still could use a switch in the meantime that was able to allow accurate monitoring of closet uplink bandwidth?
View 1 Replies View Relatedhow can I clear the counters of the policy-map statistics in an 7600 and the 1841 router?
View 6 Replies View RelatedIn my Cisco ASA 5510 in release 8.2, I have an extrage behavior in the output of "show service-police" command. The issue is that I create a class-map to limit trafic in one of ASA interfaces and I applied in a service policy. This is the configuration:
access-list ACL-Limitada extended permit ip host srv-proxy any
access-list ACL-Limitada extended permit ip any host srv-proxy
access-list ACL-Limitada extended permit tcp 192.168.10.0 255.255.255.0 any eq ftp-data
access-list ACL-Limitada extended permit tcp 192.168.10.0 255.255.255.0 any eq ftp
access-list ACL-Limitada extended permit tcp any 192.168.10.0 255.255.255.0 eq ftp-data
access-list ACL-Limitada extended permit tcp any 192.168.10.0 255.255.255.0 eq ftp
[code]...
vlan interface and physical interface (that is serving for this vlan ) have different input/output counters, there is only one physical interface in this vlan .
sh int vlan 64
30 second input rate 9000 bits/sec, 9 packets/sec
30 second output rate 0 bits/sec, 0 packets/sec
[Code]....
I have this situation, I need to establish an IP sec communication to another site but I need to identify all my packets sent, as a different networks as my local one. for example: my local network is 10.5.0.0/24 and I need to sent packets as 10.6.0.0/24. I suppose that I need to do Nat with this IPs. But in this router Nat is already applied to outbound traffic to Internet. How can I apply this NAT to crypto map only?
My router is a Cisco 877 with 12.4 IOS an this is the relevant configuration, crypto map vpn it´s used to sent traffic to second site.
crypto isakmp policy 2 encr 3des authentication pre-share group 2crypto isakmp key xxxxxxxxx address XX.XX.XX.XX
crypto ipsec transform-set vpn esp-3des esp-sha-hmac
crypto map vpn 1 ipsec-isakmp set peer XX.XX.XX.XX
[ code]....
I'm trying to get several VPN tunnels up. It seems that only 1 map can be assigned to the WAN interface (fa4). Is this true or is there an 'extended' map like ACLs?
View 1 Replies View RelatedI have to connect one of our it labors with some ec2 instances in amazon vpc. I downloaded a configuration file from amazon which starts with the command
crypto isakmp policy 200
My router tells me that he does not know crypto isakmp.
I searched on the internet and found that i have to install a specific license, but unfortunately i cannot find which license i have to install.
The show license command show following licenses
AdvIpServices active
AdvSecurity active
advsecurity_npe, ios-ips-update, waas_Express no state displayed
ssl_vpn active but eula not accepted
I found that i can accept the eula license with license boot module c880-data technology-package SSL_VPN command
But this command is also not available on my device. getting the crypto isakmp command working?
I have a 2650XM 16mb flash, 64 mb ram. 12.2(12a). now I want to buy 12.4(25d) with crypto. How much is it? And where can I buy it ?
View 10 Replies View Related