Cisco Switching/Routing :: Nexus 5500 Duplicate ICMP Echo-replay
Nov 24, 2012
I am experiencing inconsistent echo-replay from devices connected via VPC to Nexus 5500s while pinging from the Nexus exec prompt.
In some cases I receive normal response when pinging from one Nexus, but no response when pinging from the other switch. In other instance I receive normal response to one Nexus, and duplicate replays to the other. It looks like a VPC related bug. NXOS is 5.1.3.N2.1
5501# ping 10.12.12.232
PING 10.12.12.232 (10.12.12.232): 56 data bytes
64 bytes from 10.12.12.232: icmp_seq=0 ttl=253 time=8.585 ms
64 bytes from 10.12.12.232: icmp_seq=0 ttl=254 time=9.227 ms (DUP!)
64 bytes from 10.12.12.232: icmp_seq=1 ttl=253 time=1.011 ms
64 bytes from 10.12.12.232: icmp_seq=2 ttl=253 time=8.097 ms
64 bytes from 10.12.12.232: icmp_seq=2 ttl=254 time=9.429 ms (DUP!)
64 bytes from 10.12.12.232: icmp_seq=3 ttl=253 time=18.195 ms
64 bytes from 10.12.12.232: icmp_seq=4 ttl=253 time=8.807 ms(code)
View 5 Replies
ADVERTISEMENT
Feb 13, 2012
Need to clarify if ip sla icmp echo operation is supported in catalyst 3kx switches (ip services)? on the configuration guide, commands are available, but on the feature navigator, i can't find the feature, only ip sla video operation. i don't have a device to test on here.
View 2 Replies
View Related
Sep 19, 2011
Recently I had came across 1 issue where one of the server IP had conflicted with VIP of Nexus core switch. The blade server was physically connected to Nexus Distribution switch which in turn connects to Nexus core. Neither Nexus core nor distribution had generate any logs in regards to IP conflict which ideally happens on Cisco catalyst switches. I haven't find any document on cisco as well as on internet for this issue . I dont know what logging need to enable on Nexus for this specific case . There are different logging levels define for every feature like hsrp, ip,monitor etc...
We have Nexus 7k with latest release 4.2(6) Software
BIOS: version 3.22.0
kickstart: version 4.2(6)
system: version 4.2(6)
View 5 Replies
View Related
Jan 22, 2012
Have a very peculiar issue with IP SLA. Firstly, the architecture.
1) There are two sites - A & B. Both have their own internet connection.
2) Sites A & B are connected via MPLS.
3) Both sites have the below topology.
3750 CORE --> FIREWALL -->ROUTER ---> INTERNET
4) 3750 has a Default route pointing to firewall .
5) MPLS router is connected to 3750. A default information is originated via BGP to MPLS at each location. So that default route is learnt as a backup path from any location if it has to lose its local internet.
6) IP SLA has been configured at each location to track the default route using icmp-echo to hit a public IP (i.e 4.2.2.2 as an example).
Issue?ICMP probes from Site-A via its local internet fails abruptly. I can reach the public IP mentioned above from my firewall pretty fine, but not from my 3750. Whenever i remove the tracking from the static default route & push in the plain default route without tracking, it works fine. Again, if i add the tracking back, it will work fine for an hour or so & then fails back again. To my bad, Site-B had recently gone offline due to some natural calamity. So, there is no other path for internet.
My config looks pretty simple
track 10 ip sla 1 reachability
!
ip sla 1
icmp-echo 4.2.2.2 source-ip 10.1.254.1
frequency 180
ip sla schedule 1 life forever start-time now
ip sla enable reaction-alerts
!
ip route 0.0.0.0 0.0.0.0 10.1.254.1 track 10
I am running IOS version 12.2(53)SE2 (IPservices images).
View 3 Replies
View Related
Apr 16, 2013
I have ASA 5510 with soft version 8.4(5) installed. There are two interfaces:
IP 1.1.1.1/24 - inside
IP 2.2.2.1/24 - outside
I have configured PAT, so network 1.1.1.0/24 gets NATted to 2.2.2.2 address. Everything works fine, except I can't reach 2.2.2.2 via ICMP from the internet.
X.X.X.X 2.2.2.2 Deny inbound icmp src OUTSIDE:X.X.X.X dst OUTSIDE:2.2.2.2 (type 8, code 0)
But I have configured an access list allowing ICMP from any to any: access-list outside_access_in extended permit icmp any any
Thus address 2.2.2.1, which is binded to outside interface itself, is perfectly reachable via ICMP.
I've got two questions:
1) Is there a way to fix it? It will be handy for diagnostic purposes.
2) is it possible to configure the secondary IP address on the interface on ASA? I've read, that there are some complications.
View 6 Replies
View Related
Jan 14, 2013
I'm having problem getting ICMP echo monitoring on outside interface to work. I've set: icmp permit host monitoring_station_adress outside but I still get:
%ASA-3-313001: Denied ICMP type=8, code=0 from monitoring_station_adress on interface outside. I'm trying to directly monitor ip on ASAs interface outside.
I have access-group tied to "in" direction on interface outside. Do I still have to put "permit icmp" rules despite the fact that icmp permit outside command is set?
View 4 Replies
View Related
Feb 7, 2013
How do I disable ICMP echo on ea4500 - I don't see anywhere either in Connect or directly on the router web interface that allows this.
View 1 Replies
View Related
Apr 19, 2013
How to you setup ip routing on a Nexus 5500 I want to do vlan routing between an Nexus 5500 and Catalyst 3750. Nothing clever just have the 2 switches talk and vlans route between the two.
View 3 Replies
View Related
Mar 17, 2012
Is there an official Cisco-Page with the always-up-to-date recommended NX-OS-Releases for the Nexus 5000, just as there is URL
If there is no such page: What Release can be recommended?
We got new N596 & N2232 this week, and are using L2-LAN only, no L3,no FCoE- or FC-Ports. The command 'vPC orphan-ports suspend' is the newest feature used, so 5.0(3)N2(1) would be the oldest possible release.
Before I install 5.1(3)N1(1a) and then have to do a distruptive downgrade to 5.0(3)N2(2b), I'd like to be assured that the new one is already recommended as mature enough.
View 1 Replies
View Related
Dec 13, 2011
In order to meet our requirements we had to configure PAT for TCP 80 on 2 external IP addresses to one internal IP in DMZ. TCP port 80 is being translated for both external IP addresses and it works as expected. However, since we have migrated to ASA both external IP addresses don't respond to ICMP echo requests generating following error:
%ASA-3-106014: Deny inbound icmp src outside:<Source IP> dst outside:<Destination IP> (type 8, code 0)
Previously we have been using Cisco router to achieve the same objective and it worked well.I have noticed that when I add "same-security-traffic permit intra-interface" to a configuration the message mentioned above stops appearing in a logs.
As far as I can tell ASA sends packet back through outside interface, despite the fact that appliance advertises its mac address in response to arp request for the same external IP address.Is there any way to make ASA realise that it should respond to ICMP echo requests on external IP addresses that have forwarding setup?
I do realise that ICMP would work in 1-to-1 NAT scenario, but we can't apply 1-to-1 NAT for 2 external IP addresses to point to one internal IP address.
View 11 Replies
View Related
Jan 16, 2012
IOS we used for limiting access for a group we used configuration of snmp-server views like following
snmp-server group backupgroup v3 priv read backupview write backupview access 20 snmp-server view backupview ccCopyTable included could not find out how to achive this config in NX-OS on Nexus5500
View 2 Replies
View Related
Jun 26, 2012
Are there any dependencies on VTP on the Nexus platforms like the 5500 or 7000? In IOS P V LAN required VTP Transparent mode however I cannot find any reference to this for the Nexus platform. Are there any other features that would require the use of VTP? By default VTP is turned off on nexus and has to be enabled with the feature command so is there any benefit to running VTP in transparent mode vs off?
View 1 Replies
View Related
May 4, 2011
There is very little and quite diverse Information regarding the if, where and how of a Nexus 5000 or 5500 series Switch and support for IEEE 802.1AE Link Layer Encryption (also called MACsec).
For example: the official FAQ denies that the Nexus 5500-series supports 802.1AE at all, while the data sheet says that only "downlink ports" are supported (host access).
On the Nexus 7000 platform the 802.1AE link layer encryption is part of TrustSec (feature cts) and much better documented.
The Question is: If and under which circumstances (configuration, L3 modules, license, NX/OS version) does a Nexus 5k or 5500 series Switch support 802.1AE on 1G or 10G interfaces that are directly connected to a Nexus 7000 (with the necessary cts feature licensed/configured)?
View 2 Replies
View Related
Jan 8, 2013
Does the Nexus 5548/5596 switch support OSPF ECMP?
Also on OSPF and ECMP, the load-balancing method at the multiple links for Catalyst 3750 is per IP packet or per destination IP?
View 2 Replies
View Related
Jul 28, 2012
Nexus 5500 support auto negotiation on 1gig sfp port? There is an end device that only support auto negotiation and cannot be manually set speed/duplex.
View 0 Replies
View Related
Jan 20, 2013
I have a Nexus 5500 which is the core of our network and we have access layer switches uplinked to it. I know by default the qos markings will be trusted.
1. On a trunk uplink from an access layer switch to the Nexus, I have "mls qos trust dscp". Will the DSCP marking be preserved when it reaches the Nexus?
2. How do I do prioritization of voice traffic on an uplink on Nexus based on DSCP EF?
View 3 Replies
View Related
May 1, 2011
two 6509 chassis with VSS configuration.One of those chassis have one FWSM installed and the configuration is like this:
Switch: firewall multiple-vlan-interfacesfirewall switch 1 module 3 vlan-group 1firewall vlan-group 1 3-5,7,8,10,200 interface Vlan200 ip address 10.50.50.1 255.255.255.252end
I am not receiving icmp replays from the fswm interfaces if i try to ping 172.20.80.1 from 10.50.50.2.I do not see any debuging info in the logsI successfully ping 10.50.50.2 from the inside networks int the cat6500, but int the network 172.20.80.0, can not ping 10.50.50.2.
View 1 Replies
View Related
Dec 4, 2011
I am working with a strange problem at the minute with HP's NIC Teaming with Transmision Load Balancing.We have a HP blade system the Server is connected to 2 cisco 3020's and then those 2 switches are connected to a 3750 Stack consisting of 2 Members.
Theres an LACP ether channel consisting of 4 Gigabit Ethernet Ports to each 3020 from the 3750 Stack.They both have exactly the same configuration and all ports are up and the channel looks healthy.
When setting the Preference order on the server if I set the NIC connected to the 1st Cisco 3020 as primary i.e. Tx/Rx then everything is fine.If I set the NIC Connected to the 2nd Cisco 3020 as primary then all seems fine i.e. I can ping it, it can access services outside its own vlan and the internet. It cannot however ping anything connected to the same subnet and VLAN on the 3750 Stack.
Doing a packet capture on a server connected to the VLAN on the 3750 stack I can see the Echo Requests coming in and the server sending an echo Reply but the echo reply never gets back to the server with the teamed NICs.
I did a Layer 2 traceroute and all looked fine, all the MAC Tables were good.I thought maybe it was a layer 2 loop causing the problems but I have checked and re-checked STP and can't find any problems. STP has picked up one intentional loop and blocked it.
I've raised a ticket with HP to see if they can point me in the right direction but I don't think it is a problem with there Drivers. It definately seems like a networking problem.
View 5 Replies
View Related
Jun 27, 2012
Is it really the case that the ASA will not generate ICMP Host Unreachable messages for sub nets connected to any of its interfaces (in breach of RFC1812) as claimed here: [URL]
I'm investigating a situation where an organization uses ASAs to control traffic between different v lans in their internal production systems as well as Internet traffic. They are having problems with internal load balancing because the ASAs do not (as currently configured) generate Host Unreachable packets. Can this be changed in the configuration or not? I have to say, if it can't then I'd urge them to find something else to route between their internal sub nets.
View 5 Replies
View Related
Apr 9, 2012
I have just moved to the 3750X switch and have connected it to a 6509E. From the beginning I was having OSPF encryption errors, followed by flood warnings, LSA issue's, duplicate IP's which is baffling me.
There are no IP's which match on either switch however the 3750X was continually power recycling causing the interfaces drop continually.Even after disconnecting from the 6509 the 3750X continue to behave in the same manner. Could there be some issue with this switch?
View 6 Replies
View Related
Mar 19, 2012
I have a duplicate router ID problem that is confusing to me. A 6509 and 4510 swich both show the same router ID, but only the 6500 has the router ID IP address configured in it. We are running EIGPR. The 6509 has L0 as 164.72.239.1 configured, which is it's router ID. The 4510 doesn't have 164.72.239.1 configured on it, yet that's what it's router ID is. Below are a few show commands displaying this - and as you can see from the 'show run | include 239' from the 4510 there is no 164.72.239.1 configured on it:
6509 chassis
interface Loopback0ip address 164.72.239.1 255.255.255.255end
RS6509-Core-A#sh ip eigrp topIP-EIGRP Topology Table for AS(1)/ID(164.72.239.1)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply, r - reply Status, s -
[Code].....
why the 4510 has that router ID?
I know I can configure a different router ID on the 4510, but I'm curious as to why it is the way it is.
View 3 Replies
View Related
Mar 14, 2013
I have two 2960's in this new environment that I am administering. I am receiving a message on one unit (Designate it 2960-2) of %IP-4-DUPADDR: Duplicate address 192.168.168.8 on Vlan1, sourced by 3037.a63e.540. The "sourced by" address is the 2960-1. I do not know how these units were originally set up. How can I determine where the duplicate address is originating from.When I perform an ARP -a the address that corresponds to the 192.168.168.8 is the mac address of the ethersvi interface on the 2960-1. I
View 3 Replies
View Related
Feb 24, 2013
Trying to apply this config to a 2900 router and getting this error message. [code] This works ok in in a 2800 router using 12.4(25d) spservices IOS
Not working on 2911 using 15.2(3)T2 ipbase image.
View 3 Replies
View Related
Mar 7, 2012
In NX-OS release 4.2(8) a feature was introduced to supress duplicate IP address warning messages in DCI environments.When using the same HSRP addresses in both DCs but blocking the HSRP exchange, ARP still detects these duplicate configuration and writes log messages. There obviously is a feature to suppress this but I do not find any reference how to enable it.url...
View 1 Replies
View Related
Mar 9, 2011
I am running ping between two Nexus 7018 over WAN link ,and I can see some set pattern of packet drop(7.40 % drop) with MTU size 1500.When I ping between my 6500 VSS pair and same Nexus 7018 over different SP WAN link on diffrent location , I am still getting same kind of packet drop (8% drop) with MTU 1500. Has any one else come across this issue with Nexus?
View 1 Replies
View Related
Nov 12, 2012
I have created 5 new 2 Gig port channels on a 6513 WS-X6516A-GBIC blade connecting to 5 4510R+E switches. 3 of the 5 Port-channels show up/up. 2 show down/down. However, for the 2 showing down, a duplicate Po interface was created with an "A" appended to the name that shows up/up. E.g:
Port-channel26 unassigned YES unset down down
Port-channel26A unassigned YES unset up up
Each of the 4510s has a second 2Gig PO to another 6513 with an identical config and all of those come up fine.
View 2 Replies
View Related
May 11, 2010
I've run in to this on 3750G's in a various sized stacks. We apply port security for a mac address on a single port (not existing on more than one port - that's a different issue that appears in multiple posts already).In this case:
1) We do a 'sho mac address-table and see that the device with the mac address in question lives on one port, port 1/0/x.
2) We apply mac port security for this exact same mac address to the same port it is already attached to. switch(config)#int g2/0/2 switch(config-if)#switchport port-security mac-address 001a.1ec8.abcd
3) Get this error: 'Found duplicate mac-address 001a.1ec8.abcd'.We again confirm that that is the only port on the entire switch that has this mac-address.Try the command again, same error.
4) We do a bunch of show commands, get in and out of the switch, go back and then try it again, and now it works, same command, same port and same mac address.
-Aging is default 300
-These are Cisco wireless AP's attached to the switch
-This occurs on different switches with different ports using different mac addresses, always same symptoms.
View 6 Replies
View Related
Oct 23, 2012
I have some question about HSRP in 3750 switch. I have two Cisco 3750 switch which configured HSRP. Let say, we have interface vlan 100 that join in HSRP group member 1. The configuration on both switch is like as follows :
SWI-3750-A (Active)
==========
interface Vlan100
description *** gateway User NPL ***
[Code]....
View 8 Replies
View Related
Apr 17, 2013
If I monitor a trunkport on the rootbridge in both directions I get Duplicate Multicast Packets on the perticular VLAN. The first guess is, that this is worked as designed and not a IOS Bug (Platform CAT6500 SUP720 IOS 12.2(33)SXI9 ) Until know I only found an old Cisco press link from 2002 with this subject.
View 2 Replies
View Related
Feb 23, 2011
We are facing issue of continous packet discards On nexus4001L link (int po2) to Nexus5020 switch. Nexus4001L is installed in IBM blade center server and we have FCOE enabled in this setup. [code]
View 2 Replies
View Related
Mar 15, 2013
I have been tasked to replace the existing Cat 6500 and 3750 switches by Nexus 7000 and Nexus 2000.I was told initially my boss plans to get 2 x Nexus 7000 and then eventually blow up to 4 x Nexus 7000s.For Nexus, is there a list of tasks / points that i need to consider for building the initial design?
Can i just link the Nexus 7000 like the following?
N7k-A ========= N7k-B
| |
lots of N2ks lots of N2ks
View 12 Replies
View Related
Dec 22, 2011
Struggle to find the SNMP MIBS of the Nexus 5000 FEX tranceivers.
View 3 Replies
View Related
May 16, 2012
We had a core switch (4503), distribution switches and access in our network and consists of many vlans. Almost all vlans uses DHCP Pools. But for few vlans DHCP is not yet configured. Recently one of the rogue user in vlan 1 gave the corresponding interface vlan ip of core switch (gateway) as his ip and caused a prolonged network outage for the vlan. Any way we are going to seggregate vlan 1 into different vlans, but before that we need a temporary plan to block such kinds of attack.What are the possible ways we can avoid the network outage problem even if a user gave the gateway ip to the machine?
View 3 Replies
View Related