Cisco Switching/Routing :: Local Authentication Failing On 2911?
May 2, 2012
I have a new 2911 that I am trying to bring up, but local authentication is failing. I know I have typed the username and password correctly, but no go. When I try to HTTP in, it is failing as well. I even created a "Cisco, Cisco" account. I have a console connection and even that is failing.
I have a 2911 router inside our network with both DHCP and DNS enabled. Everything works fine, except that since we have used this router we are not able to go to the network neighbourhood in Windows and look up machines by name (or typing \diskstation, for example). Connecting by IP works fine, but not by local machine names.
Should I trunk the port to the AP or not? I have a WLC 5508 in the head office and have an AP in the remote office. I do not want traffic in the remote office to traverse the WAN back to the WLC. I want the users at the remote office to use the local subnet at the remote site.
Should I then trunk the AP port on the switch to the AP, as I have multiple SSIDs with different subnets?
I am not sure why, but when I try to connect with my IPSEC VPN client, authentications are failing. The LDAP test passes on the ASA, but when I try to log in, the VPN client gives me an authentication failure even though debugs show authentication was successful. User 'test1' should be able to authenticate based on group membership. User 'test2' shouldn't be able to. I already removed the attribute-map to see if that was the problem, but I am still failing authentication.
I have an issue with the SF-300 switch model, which I am deploying in LapSafe trolleys. The approach is to wake the laptops from the guest VLAN (20) with WOL, have them authenticate with 802.1x, and use DVA to put the ports in VLAN 14 so updates can be pushed to them overnight.
I have configured 802.1x, guest VLAN and DVA, which works initially: all hosts wake from WOL, the laptops successfully authenticate and are assigned to the VLAN (14). This remains stable for a time, then the hosts fail reauthentication. I have also noticed that when a host is disconnected from a port and patched into another port, the initial port remains in the authenticated state and the new port authenticates the client, but the hostnames are missing on the 'authenticated hosts' page of the GUI and DVA fails. The ports display a port-failure message for a time, then move to failed reauthentication.
The only way I can get it to work again is to reboot the box. From the logs I can see the MACs of laptops being rejected, and I can also see attribute 26 being ignored. See log below. I am unsure as to why hosts are initially authenticated but reauthentication fails; is it not the same process?
I have 11 of these switches and have configured 6, which all display the same behaviour. These switches are not Cisco; I do not understand why they have badged them. The protocols/standards are implemented differently. If you included 'general ports' as an answer in a Cisco exam you would fail. There are also other issues I have noticed with these boxes. I am not impressed!
I'm somewhat new to ACS and am trying to complete a migration from 4 to 5.3. Currently, I've got ACS joined to my (2003) domain, and it shows status connected (although the test connect fails). I have AAA working without issue for TACACS, but all RADIUS authentication is currently failing. Logs show the message below: "24401 could not establish connection with acs active directory agent". I'm not seeing anything telling in the logs on the domain controllers.
Previously posted as C2900 - inward NAT partial success...
Running C2900-UNIVERSALK8-M, Version 15.0(1)M3 RELEASE SOFTWARE (fc2)
I have several sets of inward NAT defined (51001-51007, 52001-52007, 53001-53007), all to various internal addresses. When I attempted to add another set, the new ones do not work and get a "timeout" error.
When I tried port 51008, it gets a timeout. When I changed 51008 to 51010, the 51010 now gets a timeout, and 51008 now gets "connection refused" (which I expect). The original sets all work; the new ones (added at the end of the lists) do not. When I am on any of the internal machines, the target (192.168.1.21) works fine. When I am "in the router", I can connect via the ssh command, so I know that the router can talk to 192.168.1.21 on port 22 as expected.
We are attempting to PXE boot from clients obtaining their DHCP lease information from DHCP pools configured on our 4506. The PXE server, and the client are configured in separate VLANs. We have configured option 66 to point to the PXE server IP address, and the bootfile option to point to the PXE boot configuration filename. On the client side SVI, we also have configured the ip helper-address command to point to the PXE server (which also acts as another DHCP server for redundancy).
The PXE boot continuously fails stating it is unable to find the configuration file. If we remove the DHCP pool from the 4506, and allow the client to receive their DHCP lease info from the secondary server (Windows 2k8 - same server as PXE server), they PXE boot with no issues.
We have no problem obtaining DHCP info, just completion of the PXE process.
We have an issue where switches are failing weekly in a switch closet. In the past month we have gone through several 3750G switches and a couple of 4510s. The power supplies have eventually made a popping noise and had to be replaced. On the 4510s we've tried two chassis and gone through several power supplies. The switches have been behind UPS systems, so they should be receiving conditioned power. Could load from the PoE devices really be causing this? I wouldn't think it's power, since they are behind a UPS.
I've just noticed an error I've never seen before in our switch logs. We have a stack of 6 Cat3750G-48TS-E switches. The first two in the stack have been up for just over a year and I've only just noticed this error. Thus far, I haven't noticed any symptoms - I just stumbled upon this error while checking for something else.
As far as I can tell, this has only popped up once and it was 2 days ago. Unfortunately, due to an incorrect firewall rule, our syslogs were not getting to our syslog server so I don't have any historical logs to check against, but it hasn't happened since.
The error I've seen is as follows:
Jun 5 17:04:03.288: * ManagementInterfaceInitialized exception in port-asic 0 (N16FujitsuSwitch.com.au-2) Jun 5 17:04:03.288: ***********************************************************
We have just under 500 switches in production (various models, but for this discussion we'll stick with 3750s). All are currently running the tar IOS (web based). We want to upgrade the IOS from c3750-ipbasek9-tar.122-55.SE1.tar to .122-55.SE5, but some of our switches do not have enough flash to upgrade successfully. We use CiscoWorks to distribute our software upgrades. I know you can lower the flash requirements on the IOS in CiscoWorks, which I have done (changed from 16Mb down to 12Mb), and the upgrade still fails.
1) How far can I lower the flash installation requirements in Ciscoworks and what are the ramifications?
2) If we decide to change from the tar IOS version to the bin IOS version because we don't even use the web based features anyway, is there an easy way to do this? (CiscoWorks will not upgrade an image from tar to bin)
I have a number of 3560CG-8PC-S switches. My intention for them is to act as a kind of gateway L3 switch, one for each satellite site. My thinking was simply to have an L3 device at the gateway to each of those sites so that any inter-VLAN traffic within each site can stay within the site rather than having to traverse the relatively slow radio links to get back to the 3750X stack in the core. They are also, however, going to be directly serving client devices.
My issue is that, for some reason, when connecting a new device (laptop etc.) to one of the access ports on the 3560s, the port behaves as if it's being blocked. No DHCP addresses go through, the indicator remains orange, and the clients have no connectivity. However, if I wipe the config, I get a VLAN 1 IP address for my client with no problems at all. And to make matters more confusing, only two out of my four 3560s are doing this. The other two have exactly the same config, but work perfectly. To that end, I'm loading the config below. I've followed that by the show running-config output and show ip interface brief outputs.
I am trying to run TDR tests on a 3750G (ver 12.2). The switch ports have 3502 series access points attached to them. Whenever I run the test, the results all show "Not Completed". I understand that this means the test failed, but this happens with any port I try.
Uhg. I deployed a 3560G a week ago and it was crashing... so I replaced it Sep 7 around 16:00 and now this one is crashing. Different logs.
Version 12.2(55)EX3 Sep 6 18:06:08: %PLATFORM-1-CRASHED: Debug Exception (Could be NULL pointer dereference) Exception (0x2000)! Sep 6 21:05:18: %PLATFORM-1-CRASHED: Data TLB Miss Exception (0x1100)! Sep 7 04:12:43: %PLATFORM-1-CRASHED: Debug Exception (Could be NULL pointer dereference) Exception (0x2000)! Sep 7 05:35:09: %PLATFORM-1-CRASHED: Debug Exception (Could be NULL pointer dereference) Exception (0x2000)! Sep 7 08:21:37: %PLATFORM-1-CRASHED: Data TLB Miss Exception (0x1100)! Sep 7 11:13:18: %PLATFORM-1-CRASHED: Data TLB Miss Exception (0x1100)!
Replacement Version 12.2(55)EX2 Sep 7 16:34:48: %PLATFORM-1-CRASHED: Debug Exception (Could be NULL pointer dereference) Exception (0x2000)! Sep 8 03:39:38: %PLATFORM-1-CRASHED: Data TLB Miss Exception (0x1100)! Sep 8 18:26:06: %PLATFORM-1-CRASHED: Data TLB Miss Exception (0x1100)! Sep 9 18:14:38: %PLATFORM-1-CRASHED: Debug Exception (Could be NULL pointer dereference) Exception (0x2000)!
More detailed syslogs are in the attached 'crash-logs.txt' file.
The device is running OSPF (it is in an NSSA). I have several other devices configured almost the same, running the same IOS in my network, and they are working fine. This makes the third out-of-box 3560C Cisco that has failed on me within a few days.
I am using a Cisco 2911 and the IOS version is 15.1. My problem is that after some days (e.g. 15-20 days), the routing table suddenly stops updating, and then I have to enter the default route again to bring it up. I am using Track 1 to track the default route here. After the primary link goes down, the track also goes down, but after the primary link comes back up, the track does not come up. So, I have to add the default route again to bring it up.
After installation of demo versions of 2900-SEC-TEMP & 2911-2921-SSLVPN-TEMP and rebooting the 2911 router, I do not have access to SSL commands. Show license indicates that the 2900-SEC-TEMP & 2911-2921-SSL-TEMP licenses are active but NOT IN USE.
I have a 2911 router. One interface is configured external (WAN) and two interfaces are configured on separate internal private subnets. What is the configuration to allow all traffic in both directions between the two internal subnets?
I have installed a Cisco 2911 router and the Cisco USB console drivers on my PC, Win 7 64 bit. However, when I use PuTTY and open the COM port assigned, it just goes blank. I am using the USB port on my laptop to connect and using the Cisco USB console cable provided.
I've got two routers, Cisco 2911's with 15.1(4)M1 on one and 15.0(1)M5 on another.
I'm trying to set up ip sla for vrrp tracking but the commands seem gimped? I don't even have an option for ip sla <operation number>. All I've got is ip sla responder/server/key-chain.
We are in the planning phase for a network upgrade. We have two C2960 switches connected via one (L2) EtherChannel (4x1 Gbit/s), which works very well. In the next phase we would like to upgrade our router to a 2911 series, which has 3 Gb interfaces, and indeed we would like to create an EtherChannel as well. Our plan is to use 2 of the 2911's interfaces to connect to the first 2960 switch and the one left to the other 2960. I think we will achieve some redundancy with this config.
I connected DSL directly to a 2900 series router, but as the DSL public IP is not static (dynamic), it's difficult to access the router when out of the home. Is there any other means to access the router without a static IP?
I have 2 2911 routers that will be connected via fiber with an ethernet Gig handoff to each router. Each router will then be connected to local networks on a second ethernet interface on the router. I have always connected routers via serial connections so this is new to me. Outside of the usual ethernet interface addressing configuration, is there anything else that would need to be configured on the 2 routers?
We have bought a 2911 router recently and have to set up a VoIP line separately for the network. We have two broadband service providers:
1. How can I use 1 line as active and the other line as a failover (when 1 line is down, the other line should automatically bear the traffic)? A clear config will be useful. NATting using match address objects (roughly).
Broadband service provider 1: 97.89.X.X 255.255.252.0; broadband service provider 2: 10.0.x.x 255.255.240.0
2. There are only 20 users to set up a VoIP line for now. Here we have a telecom provider to which they should route the traffic to make any international calls (say telecom public IP 200.200.109.110). From LAN to WAN everything is allowed; from WAN to LAN we have to allow only the telecom provider IP (200.200.109.110).
I would like to ask how we can determine by mere physical inspection if the power supply of a CISCO2911/K9 router is AC, PoE or DC? Do we have images of the actual spare power supply?
We have purchased a number of 2911 routers. We got the Base & Security license as we wanted to enable encryption. However, we probably won't use the security. We are replacing 2811 routers. Unfortunately the 2811 routers have FXS ports with 2 - 4 POTS handsets; I completely forgot about these ports when I was ordering. Now I have VIC3-FXS cards which are OK in the 2911, but unfortunately I can't get them to work. I am missing PVDMs (well, adapters anyway), and even if I got them the router won't take any commands relating to voice due to the license. Is it possible to 'rehost' the Security license and turn it into a UC one? I am new to these 2911s and licensing.
I have a Cisco 2911 router and a Cisco 2960 switch at a remote location. I have a user who will work out of this office a few days out of the week and will need to obtain the same IP address every time the user visits this office. This office has no file server and no DHCP server. I have the user's MAC address, and for now the user is getting an IP address that is leased for 30 days. I'm trying to find the best way to configure either the router or switch or both so that each time this user connects to this office, that user's device will always pull the same IP address and, of course, no other device will use that IP.
I've done some research into possibly creating a small VLAN and assigning it specifically to the port # that the user's desk is at, but I'm not sure if that's the best way or exactly sure how it'll work. I'm currently studying for my CCNA, so this is all new to me, and I'm trying to do research and test without obviously causing production issues, especially given this is a remote site and I access these devices via PuTTY. I can, however, drive to the site if needed for testing, but I'd like to have a good grasp on what method I'll be using that will work before I actually make the trip.
The layout of the equipment is as such: other equipment <--> 2911 Router <--> Ether-Switch/3925 Router <--> 7206 <--> Internet. During certain times at night, the 2911 exhibits CPU load, high packet loss and an increase in bandwidth of at least twice its normal amount. This results in packet loss in all the other equipment. I am attempting to locate who was demanding such a high burst, but so far the graphs display normal rates for all the other equipment. Because the 2911 demands an increase from the 7206, the 7206 is able to accommodate this as it still has balance, BUT my other equipment that is connected to the 7206 takes a drop in bandwidth as well. The graph shows that when the 7206 bursts higher, the rest of my other links take a slight drop in bandwidth. Also, the graph from Ether-switch to 2911 indicates the bandwidth hike, BUT the graph from 2911 to Ether-switch does not display the same thing, as due to the CPU load the data is somehow not captured properly.