Cisco :: 4404 - Debug WLC ACL Denied Statement
Jul 11, 2012
how to debug an ACL I've created on a 4404 WLC, specifically I want to monitor what packets are being denied by the ACL as something that should be working isn't
I've created an explicit deny statement at the end of the ACL and verified that the counter increases each time I try the problem software update.
What I can't work out is how to get the WLC to tell me what packets are being denied by the explicit deny statement, all I can find are 'show acl' commands which just give me the counts.
The equivalent on a router would be debug ip packet acl and adding the log keyword onto an ACE. I suppose I could configure a SPAN session on the WLC uplink to the switch but that seems overkill?
View 2 Replies
ADVERTISEMENT
Feb 6, 2013
I'm trying to sort out someone else's 800 series router config IOS 12.2 that was just added onto for years and never cleaned up. There are about 10 route map statements near the end. As far as I can tell, only two are being used. Doesn't a route map statment have to be called(referenced) in another statement in order to actually be used such as either under an interface or in a nat statement?
View 2 Replies
View Related
Jun 5, 2013
I am trying to create a very basic template in compliance manager that checks for interfaces that aren't members of specific VLANs. VLAN 10 being one of them. I want to match interfaces assigned to VLAN 20. According to the documentation I have read, the following range statement should work because 10 falls between 3 and 19:
Submode: interface [#.*Ethernet.*#]
- switchport access vlan [#[3-19]#]
With the preceeding statement, however, interfaces assigned to both VLAN 10 and VLAN 20 are matching the rule. With this specific rule (not a range), only interfaces w/VLAN 20 are processed by the template, which is expected. We actually have numerous VLANs that we want to exclude/include. I only mentioned VLANs 10 and 20 for brevity.
View 1 Replies
View Related
Jul 24, 2012
The host IP 84.204.x.x unable to announce through BGP
BGP configuration on Cisco 1841:
!
interface FastEthernet0.1201
encapsulation dot1Q 1201
ip address 172.18.11.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
code]....
View 4 Replies
View Related
May 13, 2013
I am having a problem w/ my PIX501 w/ "Cisco PIX Firewall Version 6.3(4)", upon issuing the command i get this WARNING, is this normal? because it works perfectly fine in version 7.2(2)..
THE ERROR:
PIX1(config)# nat (outside) 1 222.127.244.52 255.255.255.252
WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.
REFERENCE:
PIX1# sh nameif
nameif ethernet0 outside security0
nameif ethernet1 inside security100
View 2 Replies
View Related
Mar 22, 2012
i have 3 access-list configured IN | Out on my Border router (MARTIAN) ,i have to look which one block some of the traffic passing through ,for that matter i have enabled the below commands on my ISR 2900: with nothing output.
View 3 Replies
View Related
Oct 3, 2012
My tunnel had been running fine for a couple of months. Now, not so much.Here is some debug.
View 6 Replies
View Related
Mar 18, 2012
I have been using "debug ip packet" on a Cisco 2921 running IOS 15.1(4)M1. The problem I have is that, although I am using an ACL to limit the output, I am seeing some output that is distracting from what I am trying to see. Specifically, I am seeing the following:
Mar 19 20:22:36.135: IP: s=192.168.20.253, d=224.0.0.2, pak 30DB6D4C consumed in input feature , packet consumed, MCI Check(80), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
[ code]...
These would appear to be HSRP messages. But I don't understand why they are appearing when I configure "debug ip packet 101". The ACL is pretty simple:
access-list 101 permit icmp host 96.87.145.1 host 192.168.20.1
access-list 101 permit icmp host 192.168.20.1 host 96.87.145.1
So I thought the implicit "deny ip any any" would block these messages. I even tried to block them specifically using an extra line:
access-list 101 deny udp host 192.168.20.253 host 224.0.0.2 eq 1985
But still they show up!
View 3 Replies
View Related
Jun 26, 2012
Is there a way to debug syslog messages? Something like "debug ip syslog"?
View 11 Replies
View Related
Apr 17, 2012
Using 'debug ip packet acl# det on a 2911. On an older Cisco router you could set up an ACL
access-list 150 permit tcp any any eq 1023 and then run debug ip packet 151 det and this would give a good debug output for any traffic matching a TCP port of 1023.Now when I try this on a 29xx ( Version 15.1(4)M3 ) I get the screen filling with a lot of multicats HSRP communications.
I have tried rewriting the acl to have other deny statements after the permit to limit the source or destination hosts and/or the ports but the HSRP data is still there.
like this
access-list 150 permit tcp any any eq 1023
access-list 150 deny udp any any eq 1985(code)
View 1 Replies
View Related
May 23, 2011
Iam fairly new to Cisco IOS and am having trouble getting an IPSEC tunnel to come up between 2 cisco 881-s. I have entered both debug crypto isakmp and debug crypto verbose but when I try to ping an internal IP at the other location through my VLAN1 interface no debugging info comes up.
Also my ACL-s for the crypto maps show no activity. I have tried many things so my configuration files are starting to get really messy.
[code]...
View 1 Replies
View Related
Mar 5, 2012
I'm attempting to debug an ipsec tunnel on an ASA 5510 (8.4(3)) and when I turn on `debug crypto ipsec` and then execute `logging monitor` I get an constant stream of TCP debugging events, is it possible to only view ipsec messages?
View 2 Replies
View Related
Mar 2, 2011
Debug is not showing up on the console. I have configured logging console. My older switches, if an interface goes down or is brought up, it shows up on the console, but not on the new 4507s.
WS-C4507R-E
cat4500e-ipbase-mz.122-53.SG2.bin
TG-4507#sh loggingSyslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
No Active Message Discriminator.
No Inactive Message Discriminator.
[code]....
View 3 Replies
View Related
Apr 5, 2012
I'm troubleshooting one way audio with our anyconnect phones.I think it is a routing issue.typically I wouldnt run debug ip packet detail on a production router, however I just found out that you can use acl's to specify the traffic to be debugged.
R1(config)#access-list 199 permit tcp host 10.1.1.1 host 172.16.1.1
R1(config)#access-list 199 permit tcp host 172.16.1.1 host 10.1.1.1
R1(config)#end
R1#debug ip packet 199 detail
IP packet debugging is on (detailed) for access list 199
The use of debug commands requires the allocation of system resources like memory and processing power and in extreme situations can cause a heavily-loaded system to stall. Use debug commands with care. Use an ACL in order to selectively define the traffic that needs to be examined to reduce the impact of the debug command. Such a configuration does not filter any packets.
View 6 Replies
View Related
May 8, 2013
Any way of narrowing down a degub for a peer address only? For example, I currently run 'debug crypto isakmp 127' which captures everything, but can I run the same dVPN debug for peer address 1.1.1.1?I know you can run 'sh crypto ipsec sa peer 1.1.1.1'.We're using an ASA5520 (8.4.2).
View 2 Replies
View Related
Jan 30, 2013
I am quite new to wireless side and had a small Q regarding watching debug output while i am ssh to the WLC? I tried the other day and did not see any messages, now this could be for the reason that nothing triggered or perhaps it needs something like terminal monitor?? i couldnt find any such command. my WLC is 5508 running 7.3 version.
View 2 Replies
View Related
Sep 22, 2011
Where can I find information on using debug on the SGE2010P switches? The information in the admin and reference guides is extermely limited.
View 1 Replies
View Related
Mar 1, 2005
I have a 2600 with a PRI card, when I try to do an isdn test call int s1/0:23 ######### the debug constantly comes back with "Cause i = 0x83E020 - Mandatory information element missing" Vendor states he doesn't see the SDN 'flag' coming through. I have both the isdn nsf-service, and the dialer map configured to use a class with the outgoing sdn command.
View 10 Replies
View Related
Jan 10, 2012
I use a C892 router with the IOS c890-universalk9-mz.152-1.T.bin. I just ran the command "debug ip packet 151 detail" and then the router stopped to work because it was overloaded. The ACL151 I used is as follow:
Extended IP access list 151
10 permit ip host 10.1.1.1 host 91.1.1.1
In the syslog then I got hundred of messages from IPSec:
Jan 11 09:43:35.677: IP: s=10.80.10.254, d=10.64.19.99, pak 8A7453CC consumed in output feature , packet consumed, IPSec: to crypto engine(70), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
[code]....
For me it seems just like that this ACL is not applied and that I have a debug then for the whole traffic.
View 2 Replies
View Related
Feb 19, 2012
I have ASA5540 with asa712-k8.bin.
There is a plenty of tunnels ended and it works.But i have one tunnel, which doesn't work.I tried turn on "debug crypto isakmp" and it show this: RECV PACKET from 10.200.79.161 ISAKMP Header. [code]
So there is problem with IPSEC and with no matching SA, but i don't know which one.Then i try to turn on "debug crypto ipsec 255" but it displays nothing. [code]
View 1 Replies
View Related
Feb 13, 2012
I have a Cisco 857 which seems to be dropping connection on its public interface.I would like to see the logs of the ppp or something which may identify the problem of why the device has lots its connection.
I know what you can setup logs for a specific IP, but it is possible to setup logs for debug messages?Also what other logs would identify the problem?
View 3 Replies
View Related
Feb 22, 2011
What would cause debug output to not show on a remote session via telnet connection where you've enabled terminal monitor?
The reason I ask is I was working with a client and we were debugging WCCP. I ran the debug ip wccp packets and events commands, then entered terminal monitor. After this, we saw nothing. We should have at least seen particular WCCP-related packets because we saw the necessary cluster view was established which can't be done without the exchange of these packets.
Can having syslog (logging) configured cause the issue? Did I use the command incorrectly?
View 11 Replies
View Related
Feb 24, 2012
I've created a BVI2 where I bridged dot11 0.2 and vlan2 in order to have wired and wireless clients in the same vlan.Some wired client are not reachable from the lan. Wireless clients have no pbl in reaching each other.Monitoring a MAC address that is supposed to be behind the FA2 I have noticed that it moves to vlan2 when in fact it should be behind the FA2.Of course when "show mac-address-table" says it is behind Fa2 the ping to that MAC address works whereas when the TCAM reports it is behind vlan2 it doesn't. Once the MAC address is behind the vlan2 if I clear the mac-address-table and that mac-address is still put behinf Fa2 then the pings works again, sometime I have to perform twice the clear command before the MAC address goes back to the right location.I'd like to understand why the router moves that MAC address from Fa2 to vlan2 and that's the reason for my question in the subject.I don't have any problems for port Fa0 and Fa1."Show int fa2" doesn't show any problem/errors or the likes.BTW even if I force that MAC address to be statically behind FA2 the ping works fine but then stops and if I do "show mac-add" the static entry for it is still there... so looks like there us something that overrides that static entry. If clear everything and I have the mac-address be behind Fa2 then everything starts to work again. I used Fa3 instead of Fa2 and I get the same results.
IOS: c870-advipservicesk9-mz.151-3.T1.bin
View 5 Replies
View Related
Jan 7, 2013
what logging buffered 51200 debug do?i saw it on cisco 881 sec k9
View 1 Replies
View Related
Apr 28, 2012
i have WLC5508 and many 1142 AP . client have authenticated by ACS .but sometimes client's PC has occurred this pheonomenon. and has reconnectioned.
View 11 Replies
View Related
Jul 19, 2012
I have strange problem with 1800 router , I can't see any debug messaging , the ping from PC to this router is Ok , but no icmp debug appears , even I enable "debug ip icmp " the version of router is : C181X Software (C181X-ADVENTERPRISEK9-M), Version 12.4(6)T6
View 2 Replies
View Related
Oct 19, 2011
We are experiencing intermittent issues with the IPS on our ASA5585 vs 8.4(2). Probably something with the dataplane. So I want to keep debug cplane 255 activated and logged with log debug-trace setting to syslog server. But when session times out the debug command is cleared so the output stops. Since it is a intermittent issue I want to keep debug activated...Totally different behaviour then with routers which keeps it activated. how to keep debug activated on a ASA.
View 1 Replies
View Related
Sep 3, 2012
I have a message that appears when i run a debug on my switch :
Core1#pak 5884A9C consumed in input feature , packet consumed, MCI Check(63), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
View 1 Replies
View Related
Jul 4, 2012
I faced with strange behavior of Cisco 2901.I strat ospf process on router, do some ospf manipulations and than turn off ospf with
R1(config)#no router ospf 1
But after that when I start to change my config: shut/no shut interfaces I see OSPF debug messages
R1(config-fr-dlci)#interface Serial0/0/0.5 point-to-point
R1(config-subif)#sh
R1(config-subif)#
Jul 5 12:33:13.004: OSPF EVENT Se0/0/0.5: Route adjust
R1(config-subif)#
R1(config-subif)#
R1#sh
Jul 5 12:34:15.076: %SYS-5-CONFIG_I: Configured from console by consoleip pro
R1#sh ip protocols
*** IP Routing is NSF aware ***
How it can be? Thereis no OPSF process on R1.
View 6 Replies
View Related
Jul 29, 2012
I am currently configuring a Cisco 881 router and am having some vpn connection issues:I can connect with one user (me) and all other connection attempts form other users are denied. When I disconnect, other users can connect - the scenario is that only one user can connect at any given time.
Here is my config:
Building configuration...
Current configuration : 11423 bytes
!
! Last configuration change at 13:11:23 PCTime Fri Jul 27 2012 by zephyr1
! NVRAM config last updated at 13:25:30 PCTime Fri Jul 27 2012 by zephyr1
!
version 15.0
[code]....
View 1 Replies
View Related
Dec 11, 2011
I configured my ACS 5.1 correctly, but I get an "Access is denied to NCS" at the web login page. In the ACS i see a successful authentication.
View 14 Replies
View Related
Jan 1, 2012
I consider the NAT mechanism to be quite straight forward, but although the firewall ACLs allow the traffic, it is being denied. The ASDM log and packet-tracer indicate the problem being an ACL.
# the internal resource
object network mabe-mbp
host 10.0.0.36
!
# these are ALL of the rules on the outside/inside interfaces
access-list outside_access_in extended permit tcp host 1.2.3.90 any eq 12380 log disabled
access-list outside_access_out extended permit ip any any log
access-list inside_access_in extended permit ip any any log
access-list inside_access_out extended permit ip any any log (code)
View 2 Replies
View Related
Jan 3, 2012
I have a cisco 870 router which I'm trying to connect to my ISP all the interfaces are in a up, up state. But I'm unable to ping any IP address on the internet. When I do a debug ppp I can see that the username and password are correct with the dialer 1 interface as there is no errors and I can see success. But when I shutdown the atm0 interface and then do a no shutdown I see a message called authentication failed.How does the atm0 interface work with the dialer,Also I spoke to the ISP and they can't see any connection being made but the debug shows success. I also get a default gateway via the ISP but it is the incorrect default gateway as I can't ping the internet and the ISP confirms that the default gateway is incorrect.
View 33 Replies
View Related
