As per CISCO QoS document URL, IOS from 12.2(13)T support drop command in policy map. But our CISCO ASR 1013 having IOS of Version 15.2(1)S1 doesn't have drop syntax.How can we drop specific application using QoS in ASR 1013 of IOS version 15.2 and higher?,Can I allow few users for a particular application (like P2P) and drop other users based on users source IP?
View 2 RepliesI´m detecting on my ACE 20.
I´m monitoring the total number of concurrent sessions of my ACE 20 (using Cacti), and from time to time, with no discernable pattern, I see an instant drop of sessions to half...I don´t detect any disturbance with our traffic and service, I have no complaints, but it's a very accentuated drop.
I´m able to get 1 or 2 days withouth any suddent drop of connections, and then for no reason I pass from 500.000 to 200.000 sessions in a minute. Then they gradually go up again.
I´ve seen in ACE´s session table that she keeps a great number of half-open, or closed sessions, and those are counted as part of concurrent sessions. Is there any flush on ACE´s table when she reaches a certain number of closed TCP sessions or something like that?
I'm trying to setup a Application specific proxy. I have tried everything that I could find via Google search and nothing seems to work. All the proxy servers I have found seem to be centered around web browsers such as IE, and firefox.
View 2 Replies View Relatedis it possible to construct the L7 HTTP class-map expression to match all URLs except one? I have 1 correct url, for example: /correcturl.* and want to redirect requests to all other possible URLs to this one, without the need to list them all in "possitive match" statements.
View 6 Replies View RelatedCurrently using WCCP with squid for content filtering. One of our sites we connect to needs to see the connection coming from our public IP address, not the proxy server IP. I've created a acl in squid for direct lookup, but the website gets angry with the X-Forwarder-Header squid attaches to each packet. Is there a way in a cisco ASA 5505 to bypass wccp for a specific public ip address or url?
View 4 Replies View RelatedI am facing problem with ACE configuration. I want to redirect 443 traffic to my Proxy Server. But I am not able to do this. I want to redirect only subnet 192.168.80.0/24..Then only it is working but I dont have to have this policy to be applied on all the users only one subnet I want to have under HTTPS policy.
how can I apply the policy only on specific subnet so that port 443 traffic can be redirect and rest of all subnets can go direclty to Internet.
I use a router RV082 with load balancing. My problem is when I try to access a specific site, I get the error message that my IP address changes and I can not use 2 ip address. I want to specify an ip range to always use the same WAN port.
View 2 Replies View RelatedASA 5520 running 8.0.4
ASDM v.6.1
Need assistance understanding how in ASDM/Configuration/Site-to-Site VPN/Connection Profiles/ "Any Entry" I can specify that I only want to offer an IKE Proposal of pre-share-aes-256-sha?
The IKE Proposal field has a number of possible options including: pre-share-aes-256-md5, pre-share-3des-md5, pre-share-aes-256-sha, pre-share-aes-192-sha, pre-share-3des-md5, pre-share-aes-sha and pre-share-3des-sha.
I am able to pick a specific IPSec Proposal w/o issue but when I attempt to do the same for the IKE Proposal, and click OK the choice does not "stick" but rather returns to the entire list as defined above.
Is it possible to enable an absolute value rate limit using QOS on a HP ProCurve 5406 switch for a particular IP range on a specific port? Is there a way to configure our HP 5406 with an absolute rate limit on "WAN" port for that server's IP range? I would like to limit it to only being capable of sending 1Mbps worth of traffic over the head end at once.Everything in the documentation points towards priority queues, which as far as I can tell, isn't really what I want.Baring accomplishing this goal using rate limiting is there a better way to prevent our services from accidentally saturating this connection?i thimkong about somthing like that:
class ipv4 rate-limit-port-A1
match ip 10.136.0.0/16 any
exit
policy qos port-a1-ratelimit
class servers-to-be-slowed action rate-limit kbps 1000
exit
interface A1 service-policy port-a1-ratelimit inI'm not sure about this.
I have a Router 2801 with the run conf :
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.63
ip dhcp excluded-address 192.168.1.192 192.168.1.254
!
[code]....
I want to assign a specific IP to a specifig host by MAC .. for example i want the ip 192.168.1.10 to be assign to the host "client1" by mac.I've been creating a new dhcp pool static:
!
ip dhcp pool static
host 192.168.1.10 255.255.255.0
hardware-address xxxx.xxxx.xxxx
client-name client1
!
but the "client1" is still taking other ip.
Everytime I make a config change to one of the contexts on our ACE20, I get this message: Config Application in Progress. This command is queued to the system
If I run show download info, I get:
context : context1
Interface Download-status
--------------------------------------------------------------
187 In Progress
199 Pending
Regex download optimization status : Couldn't get status[TNRPC Timed out]
It eventually seems to complete, but it takes a very, very long time. We are running Version A2(3.5) [build 3.0(0)A2(3.5)].
Report run via Individual Web server URL’sThe report takes less than 20 minutes (average 15 minutes) to fetch and return the data. This is observed 9 out of 10 times.Report run via ACE Load Balanced URLThe report keeps on running for more than 20 minutes and never completes. The front end keeps showing report is running.The data in general when tested directly by running queries against the database (bypassing the platform) completes in 15-18 minutesThe network connectivity for each and every ports involved (Loadbalancer/Servers) have been throulgly checked.
View 6 Replies View RelatedI having a basic query in troubleshooting E1 link , here im facing packet drop in the link and we are testing by providing local loop and remote loop from the CSU/DSU at local point and at remote point . I have tried ping test while the loop is given at local point and remote point ie i have pinged my local serial interface IP address (eg 10.0.0.1 -local & 10.0.0.2 -remote ) in Remote Loop i could see no errors and drops and also the traffic on the interface output and input is the same(eg input rate 1000bps and output rate 1000bps) .My query is that when i am pinging the local interface IP does the icmp packet travels till the loop point and comes to the same interface(like a boomerang) .
ICMP packet
->->->->->->->->->->->->->->->
R1 Local CSU/DSU | Remote CSU/DSU (remote loop given )
O-----------O------------------------------O |--------------------------------------O R2
<-<-<-<-<-<-<-<-<-<-<-<-<-<-<-|
We've had Cisco 1252 APs running on PoE (3750E gives the port 20W of power) for well over 3 years with no problems. These have not been touched, moved or configured since they went in.
All of sudden we're seeing these APs drop off the network and investigations reveal that they show as IEEE PD when you do a show power inline.
Some of these are slated to be replaced after the ports were changed, the cables replaced and port reset (also an old spare 1252 was inserted in to one of these ports and it came up fine, indicating an issue with these APs).
If it was one or two then maybe I could believe that the APs are at fault, but with so many (10 so far) I'm struggling to believe it. Could it be the code we are running on the switches? We are running 12.2(50)SE3.
my Cisco anyconnect VPN clients are able to access all of my internal networks accept to another site which has a IPSEC VPN site-to-site. The Cisco ASA forwards the packets destined to this remote site to a Cisco router which NATS the source addresses (pool 10.17.252.0/24) to a 192.168.46.0 range. The remote network is 155.x.x.x which I have included in my internal subnets object-group and added a route on the ASA to route it inside.
I have configured NAT so that it does not NAT anything from the anyconnect client range to the internal subnets. I am using version 8.3(2) and the NAT rule is:
nat (outside,inside) source static SSLPOOL SSLPOOL destination static INSIDE_NETS INSIDE_NETS
I can still not connect to the remote side via the VPN; when I run this throught packet-tracer, I get a failure on phase 6:
Type: WEBVPN-SVC
Subtype: in
Result: DROP
Result:Drop reason: (acl-drop) Flow is denied by configured rule
I cant seem to work out what it is that is blocking it. The NAT rule above is rule 1 in case some other NAT rule is causing the issue..
i see that the wifi on the SRP Freezes. If i am connected via lan, i can still surf the net or connect to another access point on the network and surf. But the wiress devides connected to the SRP loose connectivity even though it shows that the wifi connection is connected. I am running on the latest firmware. this problem has started occcuring only recently
View 3 Replies View RelatedIXIA----DUT-----IXIA
| | |
|_______ |________|
DUT has redudant connections to IXIA. Im pumping traffic from IXIA and traffic takes PATH A .. When I shut PATH A, i expect traffic to shift to PATH B within 100ms (example). How do I test this ?
I have a problem with configuring of my vwic3-2mft-t1/e1 card on Cisco 2821 router. I need drop some raw data timeslots from E1 frame and then insert them into frame on other port. I enter the following commands:
card type e1 0 0
controller e1 0/0/0
tdm-group 0 timeslots 1-4
clock source line
controller e1 0/0/1
tdm-group 2 timeslots 1-4
[code]....
I find these commands in Cisco 1 and 2-port T1/E1 Multiflex Voice/WAN Interface Cards for the Cisco 1700 Series Router configuration guide for vwic2 cards.But this config is not working properly. show connect output is showing status of connection "UP", show controller e1 shows no errors on both e1 ports, but data not flows between ports.What am I doing wrong? Have vwic3 and vwic2 cards different configuration procedures or not?
I have a working configuration with a 2811 router at my remote site in which I take the T1 (point-to-point PRI) into port 0/0/0 on the dual-port vwic2-mft-t1/e1 card. Then I plug my PBX into the 0/0/1 port. I channelize the T1 so 1/2 of the channels are used for data (13-24) and channels 1-8 are passed through the vwic2 to the PBX. I'm using the connect tdm t1 0/0/0 0 t1 0/0/1 0 command to pass the voice calls through to the PBX.
I tried to upgrade the router to a 2911 with the same card and the same configuration copied and pasted over and as soon as I put the connect tdm t1 0/0/0 0 t1 0/0/1 0 statement in, I drop the data side of the T1 and lose my connection to the WAN. If I take the command back out, the WAN still doesn't come back up until I reboot the router.
Has the syntax changed? I have a case open with TAC but so far no luck, as they can't seem to figure out which group should take this case, voice or data..
ASA 5510 running without issues for a while but we needed extra port so added a 4GE SSM.
Having installed the 4GE SSM we had some issues with the card not liking a connection to our switches and only working by plugging directly from the server into the firewall, not great as we wanted extra servers on the line in the future. So we upgraded the firmware and no are at an impasse.
We have upgraded to 8.0(4)3 and now we cannot get any traffic through the port, we can't even connect to an external DNS server. Running a packet trace I get an immediate error on the first step '(l2_acl) FP L2 rule drop', and it appears as though the outside connection is down.
I have some experience on setting up basic port forwarding and NAT for internet access, webservers, mail but this has thrown me.
I verified that the VPN implemented between a static IP address and a dynamic IP address every time the GPRS router IP address change address, the VPN does not rise.
I attach the configuration implemented by ASA5505 dynamic side.How can I fix it?
: Saved
: Written by enable_15 at 06:45:34.029 UTC Sat Dec 3 2011
!
ASA Version 8.2(1)
!
hostname ASA2
[code]...
I've recently just moved house and we got Virgin Media 50mgs broadband installed with their wireless super hub which is also a Netgear product.However I first noticed up in my room I have weak signal on my wireless devices I have my Dell laptop, xbox 360 and desktop pc with wifi card.I researched this and went out and bought a Netgear wireless extender:
[code]...
Now this does work it gives me excellent signal but it keeps dropping the connection which is extremely frustrating when playing the xbox or on an online game on the pc.I contacted Netgear and all they suggested was updating the firmware
I currently have an issue with the wireless internet at home whilst watching videos, playing online games, completing homework etc... On the computers working over the wireless network there seems to be a randomly occurring drop out of the internet. My home network connection looks to be solid, but the internet drops out for around 5-10 seconds and then comes back.Here is a screenshot from Xirrus the wifi inspector program from the pc in my room connected via the network:[URL]The home network (Munasinghe and family) had a signal of -78 dBm.The second signal, Optus (name of ISP) wifi had a signal of -85 dBm. This signal value often decreases or disappears altogether.
View 1 Replies View RelatedThis is not a problem I would not have noticed save for starting to use Skype. Every 10 to 20 minutes, my internet drops out. This occurs whether my laptop is connected via LAN cable or wirelessly to the router. Skype drops down to one bar, then drops out, and tries repeatedly to redial, sometimes achieving a very scratchy voice call for several seconds before dropping out again. If you redial in 2 minutes, it is fine and achieves medium quality video calls. Whilst skype is floundering around, I can sometimes browse the internet, but sometimes it is offline. I have phoned my ISP and they claim no problems on their end. Beyond that I really don't know where to start on looking for the problem.
View 7 Replies View RelatedWell while browsing net on my mobile/laptop suddenly the Wifi get disconnected. But the wifi of access point does not drops. Its connected to the router in which wifi drops.Also the net on my desktop connected to the router via ethernet cable, does not go offline. I re,ain connected to net via Desktop even when wifi drops.
View 14 Replies View RelatedI had a Linksys Wireless-G router for a long time and had very good luck with it. However, I ended up getting a couple of Wireless-N devices and wanted to get a different router. I bought the Linksys E3000. I got it home and set it up, and at first it worked. Then it would all of a sudden drop everything connected to it. I would restart the router, and in short order it would drop all connections again. This completely baffled me for awhile, until I actually touched the bottom of the router, and it was quite hot. I had it laying flat on a a table, so I could never understand why it was getting so hot. Anyway...I stood it up on it's side and it worked for awhile. Then it would randomly drop various things connected to it. The last straw was when I was listening to internet on the Apple TV, while viewing the internet on my PC and it started dropping the connection every five minutes. Anyway, I have now hooked my Wireless-G Linksys back up and it is working great.
is Wireless-N even needed? I live in a small place, so I don't need it to reach a long distance, and I don't transfer a tremendous amount of date wirelessly, so that doesn't really matter. Should I even try to fix this router? I looked on the Linksys page and I am running the newest firmware.
We have a Cisco 4400 WLC running version 7.0.220.0 and are experiencing clients randomly dropping both broadcast and multicast at the same time. This is not specific to one area of the site and the duration of the MC/Brodacast loss varies. These comms outages don’t happen on all the clients at once but usually affect one client at a time. After a few minutes or a few hours, the client will start receiving the multicast without user intervention.
The site has Cisco 1522 AP's that have rather interesting logs where the DTLS sends fatal errors, followed by CAPWAP going into discovery state. Not sure if this has the same affect or if that's a completely seperate issue.I was told it could be the GTK but I don't believe 7.0.220 has this feature even enabled. The clients are Cisco 3230 and Cisco 1310's. The clients are running version 12.4(25d)JA1 while the 3230 router is running version 12.4(24)T7. What supporting logs or configs need to be shared to better troubleshoot. This has been going on for quite some time and is frustrating the end user as multicast is essential to the operation.
I have a 1841 router connected to an ISP (currently SDSL EFM 10Mbps through an ISP modem, the router and the model are connected with a FastEthernet interface). On another location I have a linux server.There is an ipsec tunnel (3des-sha esp) between the router and the linux server (actually done with a crypto mac).The router has a hierarchical QOS policy on the egress interface.When sending traffic from the network inside the router to the linux host without the ipsec tunnel, everything is working fine and throughput is correct.When sending traffic from the inside network to the linux host internal ip through the ipsec tunnel, some packets are lost and the traffic throughput decrease.When sending traffic through the tunnel in the reverse direction (from the linux host to the internal network), everything is fine.I looked at the QOS statistics and the dropped packets counters don't increase. I looked at the egress/ingress interface statistics and no packets dropped there.I lowered the MTU on the egress interface, but it didn't solve the problem. I played by sending various ping icmp packets size, but even small packets are sometimes lost.I tried to check the router CPU, but it seems relatively fine (<= 10%)I captured the traffic on both side, and I see the packets emitted, and then I can see that some of the esp packets of the corresponding side are not received, so it looks like the cisco router is the culprit. This 1841 router is running: 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.4(24)T4,How can I troubleshoot where and why those packets are lost?
View 0 Replies View RelatedI have a Cisco RV120W router with 1.0.4.10 firmware. The router drop the internet connections, freeze/timeout in admin interface randomly. How can I determine that this is the router's fault, or if it's the switch / internet access is causing it?
View 4 Replies View RelatedI am running ping between two Nexus 7018 over WAN link ,and I can see some set pattern of packet drop(7.40 % drop) with MTU size 1500.When I ping between my 6500 VSS pair and same Nexus 7018 over different SP WAN link on diffrent location , I am still getting same kind of packet drop (8% drop) with MTU 1500. Has any one else come across this issue with Nexus?
View 1 Replies View RelatedI have a Cisco 871W that periodically will drop its signal. how to configure this for maximum reliability? I set it to use chanel 2462.
View 1 Replies View Relatedhere's my setup :
office 1 :
rv042 hw3
ISP:Obtain an IP automatically
office 2 :
rv042 hw3
ISP:PPPoE
VPN tunnel between both rv042, everything's fine but when i try to ssh from office 2 to an office 1's server, my connection drops.
When it drops, i can still ping pc in office 1, this is really strange!if i change the office 2 ISP to another provider (obtain an IP automatically) everything's ok !
i try to use another PPPoE ISP for office 2 and it's doing the same thing!I've also tried other rv042 in both locations with the same setup and it's doing the same thing, so it's not a router issue.
i've tried older firmware and it's doing the same thing, so it's not a firmware issue!
I am trying to get users in the external identity store (AD) to be dropped directly into enable mode after being authenticated, since I don't know of a way to set an enable password for users in an external identity store. I think it has something to do with shell attributes but I'm not realy sure.
So here's what I tried.Linking identity group to external group and provide full command priviliges - enable still didn't work Creating duplicate users in the internal identity store and setting the password type field to AD1 - That gives me the ability to get to the enable password prompt hit enter on the blank promt then prompts for Old and new passwords but fails everytime with an Error in Authentication.