Cisco VPN :: 2921 - IPSec Tunnel Random Packet Drops

Mar 15, 2013

I'm trying to troubleshoot a random packet drop issue for an IPSec tunnel between two VTIs. For over a month, we didn't see any issue, and starting today, we have up to 30% packet loss across an IPSec tunnel.
 
After some analysis, I concluded that the packet loss happens somewhere on the path from the uc520 to the 2921. Packet counts show up correctly on the uc520 physical egress interface, but the packet count is low on the ingress interface on the 2921.

Pings outside the tunnel along the same path are fine.
 
I also cleared the tunnels on both ends and after they reestablished, the issue was still present.
 
Any pointers on finding where the packets get lost?
  
rr-hq-2921#ping 10.1.13.1 source g0/1 rep 100         
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 10.1.13.1, timeout is 2 seconds:

[Code].....


Cisco VPN :: Configuring IPSec VPN Tunnel ISR 2921 Router With Watchguard?

Aug 28, 2012

I am configuring a VPN IPsec tunnel with a Cisco ISR 2921 router and a Watchguard Edge 1250e. I have the Watchguard configured, so I just need to make sure I have everything set up on the Cisco side. At this point, there is no communication, as I am not sure if I configured it correctly. Should I do the crypto map on g 0/0 or dialer 1?
 
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
!
!
no ipv6 cef

[code]......


Cisco Firewall :: PIX515 / 2821 / 2921 / Getting GRE IPsec Tunnel Setup?

Apr 18, 2013

We are setting up an old office building as an offsite data center. The network consists of a PIX 501 firewall and a 2811 router. I am attempting to set up a GRE tunnel over IPsec back to the main office. The main office consists of a PIX515, a 2821 router, and a 2921 router.
 
There is also an ASA5510 in our main office that is used as our primary connection for all of our external services and as a GRE endpoint for our other offices.  The PIX515 is used to connect our main office clients to the internet and we would like traffic between it and our offsite data center to go across it as well.   The default route is to use the ASA.   We used policy based routing on the 2821 and 2921 routers to direct the appropriate traffic to the PIX515.  Right now I am not able to get the tunnel setup.  It appears that the offsite datacenter is sending packets but is not receiving any when I issue the “show crypto ipsec sa” commands on both firewalls.  I will show the output of that command below. 
 
Main Office
The external address: 198.40.227.50
The loopback address: 10.254.10.6
The tunnel address: 10.2.60.1

Offsite Datacenter
The external address: 198.40.254.178
The loopback address: 10.254.60.6
The tunnel address: 10.2.60.2
 
The main office PIX515 Config :

PIX Version 7.2(2)
!
interface Ethernet0
mac-address 5475.d0ba.5012
nameif outside
security-level 0
ip address 198.40.227.50 255.255.255.240

[code]....


Cisco WAN :: 1841 / Packet Drop In Ipsec Tunnel?

Oct 23, 2012

I have a 1841 router connected to an ISP (currently SDSL EFM 10Mbps through an ISP modem; the router and the modem are connected with a FastEthernet interface). On another location I have a Linux server. There is an IPsec tunnel (3des-sha esp) between the router and the Linux server (actually done with a crypto map). The router has a hierarchical QoS policy on the egress interface.

When sending traffic from the network inside the router to the Linux host without the IPsec tunnel, everything is working fine and throughput is correct. When sending traffic from the inside network to the Linux host internal IP through the IPsec tunnel, some packets are lost and the traffic throughput decreases. When sending traffic through the tunnel in the reverse direction (from the Linux host to the internal network), everything is fine.

I looked at the QoS statistics and the dropped packets counters don't increase. I looked at the egress/ingress interface statistics and no packets dropped there. I lowered the MTU on the egress interface, but it didn't solve the problem. I played by sending various ping ICMP packet sizes, but even small packets are sometimes lost. I tried to check the router CPU, but it seems relatively fine (<= 10%). I captured the traffic on both sides, and I see the packets emitted, and then I can see that some of the ESP packets of the corresponding side are not received, so it looks like the Cisco router is the culprit.

This 1841 router is running: 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.4(24)T4. How can I troubleshoot where and why those packets are lost?


Cisco VPN :: 2921 Site-2-Site IPSEC VPN Tunnel Will Not Come Up

Dec 5, 2012

I am setting up an IPSEC VPN tunnel between a Cisco 2921 and ASA 550x. [code]


Random Packet Loss 100%?

Feb 19, 2013

I have recently switched internet to Time Warner. Since the day I got it, I have experienced random packet losses of 100%. I have called Time Warner and they are going to send a tech out. But I would like to know more about this before he comes. I have replaced the modem with a brand new one, a Surfboard SB5101N, from the one I was leasing from them. They both do the same thing. I have made sure all my drivers are up to date. I have replaced the coax cable and Ethernet cable and ran my antivirus and spyware program. It does it more during online games. I have reinstalled the game and was having no problems with the ATT DSL I had before this.


Cisco WAN :: 2921 - Debug IP Packet

Mar 18, 2012

I have been using "debug ip packet" on a Cisco 2921 running IOS 15.1(4)M1. The problem I have is that, although I am using an ACL to limit the output, I am seeing some output that is distracting from what I am trying to see. Specifically, I am seeing the following:
 
Mar 19 20:22:36.135:  IP: s=192.168.20.253, d=224.0.0.2, pak 30DB6D4C consumed in input feature , packet consumed, MCI Check(80), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
[ code]...
 
These would appear to be HSRP messages. But I don't understand why they are appearing when I configure "debug ip packet 101". The ACL is pretty simple:
 
access-list 101 permit icmp host 96.87.145.1 host 192.168.20.1
access-list 101 permit icmp host 192.168.20.1 host 96.87.145.1
 
So I thought the implicit "deny ip any any" would block these messages. I even tried to block them specifically using an extra line:
 
access-list 101 deny   udp host 192.168.20.253 host 224.0.0.2 eq 1985
 
But still they show up!


Random Few Hours Of Burst Packet Loss?

Apr 2, 2011

For about 7/24th of the day it'll be fine. But the rest of the day it will be riddled with burst packet loss. For example when I'm pinging. It'll go "Done

Done
Done
Done
Done
Request timed out
Timed out
Timed out

[code]....

Due to how it's only certain times it happens and other times it's perfect leads me to believe it's my ISP.


Cisco WAN :: 1941 Router - Enable IPSec Virtual Tunnel Interface With Tunnel Mode IPv4

Sep 23, 2012

I'm in the process of purchasing new Cisco routers for our branches that will be used primarily to enable IPSec virtual tunnel interface with "tunnel mode ipsec ipv4". Does the default IOS IP Base support this feature, or do I need to purchase a DATA license or SECURITY license?


Cisco Routers :: Set A VPN IpSec Tunnel GW To GW Tunnel Between RV110W

Oct 17, 2012

I am using a Cisco RV110W (Firmware 1.2.09) in a branch and I would like to create a VPN Tunnel to another site that has a Cisco RV042 (firmware v4.2.1.02)
 
What would be the correct configuration? The current configuration I am using is:

In the RV042 I am using:

Check Enable
Local Group Setup
Local Security Gateway Type : IP Only
IP Address : RV042 Public IP address

[Code].....


Cisco WAN :: 2921 - Diagnose Output Drops

Mar 2, 2011

I have some problems on my newly purchased WAN routers, Cisco 2921 with 15.1T3.

On the WAN interface I see "output drops". This is gigabit ethernet on both sides, but the ISP delivers 30mbit/s on this line.
 
ellslr1#sh int gig 0/2
GigabitEthernet0/2 is up, line protocol is up
  Hardware is CN Gigabit Ethernet, address is 1cdf.0f26.beb2 (bia 1cdf.0f26.beb2)
  Description: *** WAN ***
  Internet address is x.x.x.x/x
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full Duplex, 1Gbps, media type is RJ45
  output flow-control is unsupported, input flow(code)


Cisco WAN :: 2921 / VTI Tunnel On Two Different ISP?

Mar 28, 2012

I have one interesting problem with local PBR on a 2921 router. Here is the case: on the HQ site there is a 2921 router with two directly connected ISPs, and there is a Branch which is connected to only one ISP. The configuration should be to connect the HQ router to the Branch router with two VTI tunnels, so that each tunnel on the HQ site should be terminated on a different ISP, and EIGRP will be monitoring each VTI status. The problem is on the HQ site: there is only one way to specify the router with LOCAL PBR configuration, so the router should send ISP1-terminated tunnel traffic to ISP1, and ISP2-interface-terminated tunnel traffic to ISP2.

As far as I know this configuration should work, but I couldn't make it work on the c2900-universalk9-mz.SPA.151-4.M4.bin IOS, nor on c2900-universalk9-mz.SPA.152-2.T1.bin.
 
 Here is simple config:
  
ISP1 ip is 1.1.1.1
ISP2 ip is 2.2.2.2
3.3.3.3 is Branch ip address.
!
ip vrf BRANCH

[code]....
 
When I configure one default static route, it starts working, but both tunnels go with the specified ISP. Also, there is no VRF problem: when there is no VRF config at all it also doesn't work. GRE tunnels also don't work.


Connection Intermittently Drops At Random Times

May 9, 2012

We recently moved and upgraded our internet service from 1.5 Mbps to 4Mbps with CenturyLink. However, since our service was activated last Thursday, the internet connection intermittently drops and will not recover unless I reboot the modem. The period of up-time will last anywhere between fifteen seconds to several hours, usually falling along the five-to-ten minute range. No difference when using ethernet/wifi. The DSL light stays on, and the Internet light remains on as well.


D-Link DIR-655 :: Wired Connection Random Drops?

Apr 12, 2011

I should start by saying I am no novice when it comes to networks, but this router has been nothing but an issue since day one.

*The Setup - 2 wired PCs, 2 wired Macs, 1 wireless iPhone, 1 wireless iPad.
WPA2 Only / AES key, Channel 6, G/N only, Hidden SSID.

*The Problem - 95% of the time the wireless and wired is running fine. However, sometimes randomly webpages on the computer will stop loading... but here's the kicker... other internet-connected programs like Ventrilo, or torrents, or games will still be working and running from the net like there is no problem. When this happens the internet browsers on the Macs and PCs will say page cannot be displayed instantly. Happens to all computers at the same time. After about 10 min the webpages will load again. I have 16mbs internet and while this is happening my games and voice chat programs do not go up in ping at all.

I have turned off QoS since that made the most sense... but other than that I have not been able to figure it out. I even turned off wireless while it was happening and it still didn't fix it. A sure-fire way to fix it is to restart the router.

I am 100% stumped. Do I just have a bad out-of-the-box router? It is only 2 weeks old.


Cisco WAN :: 7200 / 2921 With VTI IPsec

May 20, 2013

We have a Cisco 7204 G1 running c7200-advipservicesk9-mz.122-33.SRE7.bin and we're having a lot of difficulties getting a VTI working to a Cisco 2921 with adv. security. I've ruled out that the 2921 is at fault by successfully establishing a VTI to another 2921 and a 7200 running a different IOS release.
 
We see the tunnel come up, but when I sent a ping from the 2921 to the 7204 there isn't a reply. When I look at the results on the 7204 from a 'sh crypto engine connection active', I see the decrypt counters increase, but I don't see the Encrypt counters increase as it's trying to reply to the ping.  I'm not sure if this is because there is an issue with the encryption or whether there might be a more fundamental issue with the router not replying to the pings.
 
I've tried the following IOS releases (c7200-advipservicesk9-mz.122-33.SRE7 & c7200-advipservicesk9-mz.122-33.SRE6) and they all behave the same way - this makes me think it might be a config issue rather than an IOS bug, which is what I first thought. c7200-advipservicesk9-mz.122-33.SRE7.bin.
 
sh crypto engine connections active
Crypto Engine Connections 

   ID Interface  Type   Algorithm   Encrypt  Decrypt  IP Address
    1 Tu10       IPsec  3DES+SHA          0       31  10.5.5.1
    2 Tu10       IPsec  3DES+SHA         19        0  10.5.5.1
 1001 Tu10       IKE    SHA+3DES          0        0  10.5.5.1
 
Here is a copy of my config on the 7204 - the other end (Cisco 2921) is configured in the same way.
 
crypto isakmp policy 1
encr 3des
authentication pre-share
[code].....


Cisco Switches :: SGE 2000 / 2010 - Random Port Drops

Jan 6, 2013

Lately I've noticed some strange behavior on some of the switch ports. When I go through the logs of my SGE2000/2010 stack, I see that some of the ports randomly lose their connection:
 
2147482703 05-Jan-2013 04:11:43  Warning %LINK-W-Down:  2/g14
2147482704 05-Jan-2013 03:35:20  Warning %STP-W-PORTSTATUS: 2/g33: STP status Forwarding
2147482705 05-Jan-2013 03:34:50  Informational %LINK-I-Up:  2/g33
2147482706 05-Jan-2013 03:34:47  Warning %LINK-W-Down:  2/g33
2147482707 05-Jan-2013 03:34:19  Informational %LINK-I-Up:  2/g33
2147482708 05-Jan-2013 03:34:17  Warning %LINK-W-Down:  2/g33
2147482709 05-Jan-2013 03:34:15  Informational %LINK-I-Up:  2/g33
2147482710 05-Jan-2013 03:34:14  Warning
[code]....       
 
I'm having trouble locating the source of the problem. The devices connected to the port are servers and desktops. This happens frequently throughout the day, but not always on the same ports. What could cause the random drops?


Network Access Drops For 10 Seconds At Random Times

Nov 7, 2011

We have a bunch of computers (approx. 70) connected to a domain. Since a couple of weeks ago very strange issues started occurring: internet and network access (path to network share is lost) would come up at random times and on different machines and would last for about 10-20 seconds, then it would reconnect again. All the computers are using private addresses. Most machines are Windows 7, some are XP. Using Windows Server 2003 as DC. Since the occurrence is so random it's very hard to pinpoint the cause.


Cisco VPN :: 2921 And 1941 EAP TLS Fragmentation Across VPN Tunnel

May 7, 2012

I am having an issue authenticating users via 802.1x/EAP-TLS across an IPSec tunnel. I am using route-based VPN with SVTI configuration on a 2921 and 1941. I have the following settings defined:

- Under the tunnel interfaces:
  - MTU 1390
  - MSS 1350
  - PMTUD
- Under the ingress LAN interface
  - route-map to set the DNF bit to 0
- On the RADIUS Server (2008 NPS)
  - Framed-MTU: 1300
 
This had been working for months until I got a call last week about users not being able to authenticate to our secured SSID. I fired up wireshark and also used my client monitor tool in my wireless NMS to watch what is going on. I see all of the access-request and access-challenge exchanges, but the final exchange never happens. In both captures you can see messages with id's 77-81, but message id 82 isn't shown in the wireshark capture, only fragments are. In the client monitor capture you can see that message id 82 is 1726 bytes in length. Now, if I capture packets on my local LAN, the 1726 byte packet is properly fragmented and users can authenticate just fine.

I have scoured the Internet trying to find a setting that I must have missed, but I can't. I've tried adjusting the Framed-MTU, all the way down to 1100.


Draytek 2830n Router / Wireless Connection Drops Out At Random Sometimes

Jun 14, 2011

I'm having some rather odd issues with my wireless connectivity. Running a Draytek 2830n router. The wireless connection drops out at random sometimes, at other times it connects (shows full reception) but does allow any kind of internet connection. Plugging in by LAN cable allows normal function. I have no clue what's going on, but I did just notice that shutting down one of the laptops connected to the network (Dell lx502) appears to have solved the problem for the moment. I've not had a chance to test this as a long-term solution. However, I believe this is the only laptop with a dual-band wifi card. This problem was also occurring on our previous router, a Draytek 2820vn, but the symptoms were a bit different and this laptop was not there at the time. Is it possible for one machine to knock out an entire wireless network? The other change I made yesterday was to activate the bind IP to MAC function on the router for our new NAS, as I was messing around with FTP configurations.


Motorola Surfboard Sb5101 Modem / Random Connection Drops?

Mar 5, 2011

I have a Motorola Surfboard SB5101. Provider is Comcast. I have never had any problem with my equipment until now. Here is what's going on. I bought a used SB5101 a week ago so that I would not have to pay the rental fee anymore. Comcast activated it, and it worked fine for a week or two. The other night I got disconnected from Xbox Live randomly in the middle of a game. Thought maybe just a hiccup, no biggie. Well, it happened 3 more times in a few hours, then again the next day.

So thinking maybe this used modem is bad, I plugged back in the rental from Comcast which I still had. Worked fine for a while, then the same thing, random disconnects after 10 min, 30 min, 2 hrs into a game... etc. On both modems, the 1st and 4th green lights are solid, the 2nd and 3rd green lights are flashing when the connection from Live drops.

So I'm starting to think now that neither of the modems is bad. I then tried going directly to the modem instead of the router; never had any problems with the router but figured I'd try. I even went into the attic and got rid of the 4-way splitter that feeds cable into all the bedrooms and put in a 2-way instead, hooking up only the cable line I'm using for Xbox. Thought maybe the signal is getting degraded too badly, even though I never had a problem before.

So now I'm practically hooked up right to the line coming off the street, Ethernet cord plugged directly into the modem, no router. Still dropping connections randomly with the same 2nd and 3rd lights flashing. The connection needs to be completely stable for multiple hours. Also, I called Comcast when I had to reactivate the rental modem, so they refreshed that modem and reactivated it, but I still had the disconnects the next day.


Cisco VPN :: 1841 / 1801 - Random L2L IPSEC VPN Disconnect

Aug 9, 2011

Network Setup
===========

2 site-to-site VPN tunnels have been established; it is a hub and spoke topology. The hub is an ASA5520 and the 2 spokes are an 1841 and an 1801 router. The tunnel is able to pass traffic; it's a full tunnel VPN. The tunnel randomly disconnects for no reason. When I check the logs I can see some errors:

%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=x.x.x.x, prot=50, spi=0x5F822579(1602364793), srcaddr=y.y.y.y
%CRYPTO-4-IKMP_NO_SA: IKE message from y.y.y.y has no SA and is not an initialization offer
 
The actual addresses have been replaced by x.x.x.x and y.y.y.y. I frequently have to perform clear crypto isakmp on the spoke routers to revive the VPN tunnels. Is there a way the tunnel can be re-established without manual intervention? This keeps happening on a random basis and I have been living with it for years. I have looked at the Cisco website troubleshooting tips but had no luck in finding out how to resolve it.
 
Below is my config on one of the spoke router:
==================================
Cisco IOS Software, C180X Software (C180X-ADVIPSERVICESK9-M), Version 12.4(24)T3, RELEASE SOFTWARE (fc2)
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key @@@@@@ address y.y.y.y
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 periodic
crypto isakmp nat keepalive 20
!
!
crypto ipsec transform-set tset1 esp-3des esp-md5-hmac
crypto ipsec df-bit clear
!
crypto map ipsecvpn 10 ipsec-isakmp
set peer y.y.y.y
set transform-set tset1
match address vpn@spoke
!
archive
log config
hidekeys
!
!
!
!
!
interface FastEthernet0
ip address x.x.x.x 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map ipsecvpn
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface

[code]....


Cisco VPN :: 2921 / Split Tunnel VPN Connected But No Gateway

Jul 10, 2012

I followed: [URL] And my VPN connection is established on the 2921. However, when I successfully connected to the router via VPN, ipconfig shows the default gateway being 255.0.0.0. My CISCO2921 GI0/0 has the default 10.10.10.1 IP assigned; I want to access this interface with Cisco CP.


Cisco VPN :: Create VPN Tunnel Between ASA5520 And 2921 Router

Sep 21, 2011

I am getting the following error message while trying to create a VPN tunnel between an ASA5520 and a 2921 router. [code]


Linksys Wireless Router :: E1200 Drops Connections At Random Intervals

Jun 29, 2012

Router is connected to my ISP with the option Keep alive and a redial value of 20 seconds (the lowest I can set). There are two distinct problems:

Router drops connections at random intervals. It can happen once a day or several times a day. It always happens overnight (so every morning it isn't connected). This doesn't seem to be related to the ISP, as a direct connection to the computer is stable.

The Keep alive option isn't working. When it drops the connection it isn't trying to re-establish it for at least 2 minutes (the longest I have waited so far, 6 times the redial value configured). Producing external traffic (e.g. constant pinging of some host by IP address, refreshing some web page) doesn't work. When I log on to the admin console (browser based), simply clicking the connect button brings the connection back online. I've even been looking at the status page, constantly refreshing to see if it ever made a single attempt, and it appears it didn't.

I did my "homework" before posting (upgraded FW to 2.0.02 build 3, fine-tuned MTU).


Cisco VPN :: 2921 Virtual-ice Independent Instances For Ipsec Tunneling

Sep 28, 2011

I have one Cisco ISR 2921 with VPN module. I'd like to be able to use it in order to "virtual-ice" independent instances for ipsec tunneling.
 
What I need is something like Asa security contexts, but the problem with Asa contexts is that don't support Vpns.
 
I'd like to use something like independent crypto maps, so if I need to take one down, or reconfigure, I need the others to keep working. It'll be for a production environment that must be up 99.9999


Packet Drops On Wireless Lan Network?

Feb 28, 2012

I need topics on wireless network packet drops and how to improve the network on wireless lan


Cisco WAN :: 1760 - Packet Drops In Serial Interface

Feb 11, 2013

We have a Cisco 1760 router. We are facing severe packet drops on the serial interface.

When I swap the router with another router, the link is working fine.
 
Troubleshooting steps taken

1.       Swap the serial cable with another working cable : no change in state

2.       Reconfigure the encapsulation commands (with PPP and HDLC) : no change in state

3.       Try with a decreased MTU packet Ping : no change in state

4.       Decreased the Input queue and increased the output queue size using   hold-queue in command : Comparatively the packet drop is reducing but still a 10 percent drop is happening.


Cisco Switching/Routing :: 2921 / Catalyst 3560 - Router Interface Input Queue Drops?

Nov 6, 2011

I have a 2921 connected to a Catalyst 3560. My router interface shows quite a lot of input queue drops. Load is not too much, max 5/255.


Cisco WAN :: Maximum Number Of Configurable GRE Tunnel Interfaces On 2921-HSEC+ / K9 Router?

Jul 16, 2012

What is the maximum number of configurable GRE tunnel interfaces on a CISCO2921-HSEC+/K9 router?


Cisco :: 12000 SNMP MIB OID For POS Interface Output Packet Drops

Jan 30, 2012

MIB OID and the values. Also, I want to know the values of output packet and output packet drops MIB OID values of the POS interface on a GSR router (12000), because I am getting many output packet drops on these POS interfaces. How do I get these values from the router?


Cisco :: Wireless AP 1262 Getting Packet Drops While Buffering Videos

Apr 2, 2013

We are having 1262 Access point model and we are getting packet drops when 20  users are connected and users do Video streaming and buffering online.
 
Even our AD IP address is also getting packet drops while the users are connected and using YouTube or some other video sites.


Cisco VPN :: ASA5540 L2L IPSec And Packet Filtering

Mar 24, 2013

I need to set up several L2L ipsec tunnels using ASA 5540 (8.2) as a central node and ASA 5505s (8.4) for branch offices. So far I've configured ipsec for the sake of testing between a 5540 and one of 5505, but it blocks ICMP between hosts behind ASAs. Although there's an echo response from 5540's inside interface (172.30.0.1) to echo requests from a host behind ASA 5505 and I see ipsec counters growing. I still can't figure it out despite hurting my eyes with cisco manuals for the relevant ASA software versions.

One thing I couldn't understand in the 8.4 documentation - it says I need ACLs to allow ipsec traffic on outside if I don't NAT/PAT it. Isn't it achieved with "sysopt connection permit-vpn" or do I have to do it manually? I've actually tried adding access-groups for the "in" traffic on outside and those ACLs get hits on both ASAs.
 
The packet-tracer shows some weird DROP at phase 6 on 5505, but I see no rule denying this traffic and the description doesn't mention implicit rules. [code]


Cisco Switching/Routing :: Packet Drops On Queue On 6509 Even Though QOS Is Disabled

Mar 9, 2013

I can see drops on the 6509 queue for interface gi1/6. QoS is disabled globally; with QoS disabled, all packets are in one queue using best effort. My question is: if I can see drops using the sh queueing int Gi1/6 command, why am I not seeing any drops when I run the sh int (interface number) command? [code]








Copyrights 2005-15 www.BigResource.com, All rights reserved