i already created a vpn server on my 878 router.. so that i can connect with ip-sec (cisco vpn client) to this router and network..
all working great... however... when i also want to allow multicast traffic over my vpn connection. do i then need a GRE vpn? or what?or is this only needed when you use a site to site vpn..?And how can i enable this?
I have started to notice an increase in traffic from all my LAN workstations to the multicast address of 224.0.1.20, all with the same destination port (79). IANA shows this address as reserved for "experimental testing". Are there any typical applications or protocols that use this multicast address? My first thought was malware running on the hosts but it's a little tricky to prove.
View 5 Replies View RelatedI have a 3560X switch with interfaces 36-48 on the same LAN. All interfaces are switchports. Hosts on 38, 39 and 40 are multicast senders: all sending to the same single multicast address. Hosts on 36 and 37 are receivers, having joined that multicast group. I created an SVI for the LAN and put it in ip pim passive. (That is the only PIM mode allowed for an SVI with my IOS.) Show ip igmp snooping groups shows that 36 and 37 are the only interfaces in this group. I attach a laptop to interface 42 and Wireshark, and the laptop is receiving the multicast traffic. The laptop does not join the group. I expect it would not see the traffic.
View 4 Replies View RelatedI ' m not able to configure the asa 5510 to allow the multicast traffic to pass through ASA.The multicast traffic have to pass from inside interface to outside interface.Can I configure the multicast traffic to pass through asa with a static nat ?
View 1 Replies View Relateddoes 6500 with SUP-720 support nat on multicast traffic?
i know it support Multicast service reflection based on SXI4 which can facilitate me on destination address nat.
but if i need only source nat, does the defualt NAT feature supported on multicast traffic ?
I am trying to resolve a situation where we need to send multiple (2 atleast) multicast feeds from a source to our multilayer switch (3560x).
The problem with the source is that it can only send a feed to a single switch at a given time. It can not send 2 (identical) feeds to two 3560x devices (on 2 different subnets/vlans). I was wondering if i could make the two 3560x devices appear as 1 device (using virtual chassis system or a similar feature). I am running ip services IOS feature set (c3560e-universalk9-mz.122-58.SE2.bin).
Attached setup i am planning for testing multicast output from different vendors using VLC and STB. This Setup made to test the picture quality between the vendors at the same time on the multi viewer screen.
1) Only a 2960 Gig port switch with only one L2 v lan with IGMP snooping enabled.
In this scenario where Source and receivers are in the same L2 v lan ( no L3 interface is involved) hope i would able to test all the multicast sources with out any additional configuration on the Cisco switch.
I have configured multicast (ip pim dense-mode) on two 2911 routers that are connected by a Multilink (3Mbps) Wan connection.The configuration work fine for awhile and sometimes all day but at some point one of the Multilink interfaces stop passing multicast traffic.I perform a sh multilink 1 on the interfaces and one interfaces show the multicast packets incrementing and the other does not, it just stops.The only fix for this is to hard reboot both routers and the multicast traffic begins to flow once again.
View 3 Replies View RelatedI have configured multicast(ip pim dense-mode) on two 2911 that are connected by a Multilink( 3 Mbps) Wan connection.The configuration works fine for awhile and sometimes all day but at some point one of the Multilink interfaces stops passing multicast traffic.I perform a SH Multilink 1 on the interfaces and one show multicast packets incrementing and one does not, it just stops.The problem acts like there is a buffer that gets full and after that happens it just stops working.
View 2 Replies View RelatedI am having trouble getting some multicast traffic across a link. I have a 3750G setup, with IP routing and IP multicast routing, between two laptops. This will eventually sit between two networks that cannot be physically connected to each other for security reasons. I have static joins on the ports but cannot see the multicast traffic on the receiver. I am attaching the latest config. The sender(10.10.4.2) sits on gi1/0/24 and the receiver(10.10.3.2) sits on gi1/0/1. I am using VLC to test this and it will connect if I point the receiver to the address of the sender, but will not receive any multicast. The multicast traffic is not making it to the 10.10.3 side, I used wire shark to verify that it was not making it across.
View 3 Replies View RelatedOne of our Cat5513 has been displaying a lot of the error message below:
%SYS-4-P2_WARN: 8/Invalid traffic from multicast source address 01:00:5a:52:4c:4d on port 8/58
The frequency of this is quite disturbing. What this error is about? Module no.8 is our Gigabit Ethernet WS-X5410. Can that multicast address be mapped to an IP address or unicast mac-addresS? How can i go about resolving this?
Multicasting. The configuration is I have a 6506 as my core switch receiving multicasts from an interface assigned to VLAN10. I have a monitor port setup with a PC running Observer which says multicasts are being received on the core switch. On a different interface on the core switch I have a 2960G switch connected to it and this interface is on VLAN 10. The 2960G switch has a workstation connected to it that needs to receive the multicasts. How do I configure the 6506 and/or the 2960G to process the multicast traffic?
View 0 Replies View RelatedI have two Catalyst 6506 in VSS mode with VS-S720-10G running 12.2(33)SXI1 IP SERVICES.I have two firewalls that communicate on to the other through a dedicated VLAN created on Catalyst 6506.
One firewall is able to ping the other one on this dedicated VLAN but if I send multicast traffic from firewall-1 I didn't receive it on firewall-2.I found a bug related to multicast issues on Cisco WS-C6509-E with VS-S720-10G. The bug ID is CSCtc59038.
Why do we need MP-BGP (and not BGP) to exchange multicast prefixes between multicast domains?
View 2 Replies View RelatedI try to pass multicast traffic between two vrf on the same 3750 switch. I have IP services IOS and sdm template routing.
here is my config:
ip routing
!
ip vrf vpn2
rd 1:1
mdt default 232.1.1.1
route-target export 1:1
route-target import 1:1
[code]....
Now I'm stuck - I don't know what to do to pass multicast traffic. Do I have any chance to run this config on 3750 chassis?Perhaps "Configuring Multicast VPN Extranet Support" document will be useful, but it concerns Catalyst 6500? [URL]
I have been trying to conect a Cisco VPN client through an ASA and it makes the connection but doesn't allow any traffic through. The ASA does have a site to site VPN attached to the outside interface.I suppose the first question is it possible to allow VPN client to connect through an ASA 5500 from the inside network when there are Site to Site VPN's already attached to the outside interfaces?If possible then what have I missed. I have tried adding NAT exempt for the traffic between the internal networks and "an IPSEC pass thru Inspect Map".
View 4 Replies View RelatedI have a few ASAs with L2Ls in a hub-and-spoke fashion, works great. All ASAs are 8.2(1). I've tried to add remote-vpn to the HQ ASA. I have this working on a PIX 6.3 box at HQ, but have not been able to make it work completely on the ASA.
Just to check, I also set up remote client vpn access on one of the spoke ASAs, and that actually did go well. Applying the equivalent config on the HQ ASA - won't function.
The problem with the HQ ASA remote client vpn is that after completed phase 1 & 2, the traffic goes one way only, from client side towards the ASA. I e remote side only encaps, no decaps; ASA side only decaps, no encaps. If the remote client pings a host on the inside (i e behind the HQ ASA) the packets arrive, and are returned towards the ASA (a correct route for the remote vpn network is in place on the inside host). However, it seems as if the ASA doesn't send that traffic back into the tunnel, but rather sends it unencrypted through the default route (doing a traceroute from the inside host for instance suggests this).
The ONLY way I can pass traffic towards the remote client is by initiating a ping from within the HQ ASA, it's the only time I get encaps on the ASA side and decaps on the remote side of the tunnel. Interestingly, it's actually the "ping outside 192.168..." that works, doing an "inside" ping fails. Compare this to the spoke ASA and its remote vpn client, there an inside ping is succesful, but not a outside ping, i e the spoke ASA functions as expected with its remote vpn. Given that the configs on the two ASAs are the same for remote client access, I would have expected both to work, not only one of them. But then, the HQ ASA has more lines of code, and I guess that something there gets in the way. [code]
How can we check when we connect using VPN client software if traffic is getting encrypted ?
View 7 Replies View RelatedI have ASA 5510 8.4 Firewall where more than 20 Site to Site VPN Clients are configured on it. how to see the traffic for one Specific Site to Site VPN.Actually this site to site vpn is always keep dropping for every minute. I'm sure its a problem at the other end.The remaining 19 VPNS are UP and working without any problem. How to see the traffic for specific vlan.More over we dont have any syslog server in our network. Is their any chance we can check the traffic on the firewall?
View 6 Replies View RelatedI have a client with a WLC 2504 that wants to route "guest" users through a gateway appliance "radiusgateway.com" and all others through the network. It appears to me this would require the use of two fa ports on the WLC. One directly connected to the radiusgateway (which is connected to a switchport) and the other fa interface connected directly to a switchport bypassing the proxy server.
My issue is, "how do you segment the ssid traffic via the WLC". The interfaces cia the gui aren't that intelligent, there's an enable and logging drop down. Via the command line, I didn't see any methods of routing traffic.
I have an ASa 5510 and setup remote dial in users.
I wanted to use the windows 7 built in client and also the draytek site to site VPN options however when they connect VPN traffic will not work however when i use the cisco VPN client then everything works fine.
All the VPN's connect pretty quickly.In the syslog I a getting errors when i try and ping something: [code]
I am using a RV110W as a VPN client to establish a VPN conection since some months. So far everything works fine. But all traffic is routet thru the VPN tunnel. Now I try only to route specific adresses thru the tunnel but not the internet acess.
RV110W is in Gateway mode
WAN interface is connected with internet
I am using PPTP with PAP and MPPE for VPN
so far no static routes (I could not set e.g. a route to 0.0.0.0 because web-interface says its not a valid adress)
Goal is to route only traffic for the target network thru tunnel and the rest direct via WAN interface.
I have a web application behind a SSL-offloading CSS 11506 that may require the server to be able to use a SSL connection as soon as it is established. At least I'm troubleshooting a problem that is starting to look like this is a possibility.
The default behavior seems to be to not start the SYN/SYN-ACK sequence with the real server until the client starts talking first (such as send an http get request), even though the SSL termination part is done and ready.
Any way to change this behavior? The scenario is a webapp. Client side starts more than one SSL session to the server, but only uses one immediately. The client knows it has more than one connection and may have told the server so. Like a control plus data channel(s) arrangement. The client opens all the connections (full SSL handshake on all channels), starts using the control channel, and expects the server to start talking on the data channel. However, since the client hasn't sent anything down that TCP connection first... the server doesn't have it.
I don't think this would occur when the server is doing the SSL... as it should have all the TCP connections as soon as the SSL handshakes are done.
i have a strange issue with an HSRP Setup. I have two (S1+S2) 3560 as Core/Distribution Layer. Inter-vlan routing are enabled on both Switches. S1 and S2 are connected with an ether channel over four fibre ports. S3 -S5 are the (L2) access layer.
Gi0/1 on S1 and S2 are L3 ports, connect to a Linux Firewall.
HSRP is enabled, S1 is the active router and the STP root bridge.
But, my monitoring via cacti show me, that the Gi0/1 on S2 is active, too! But it should not be active? Only if S1 fails, should S2 the active switch.A client from the access ports on S3 - 5 gets traffic from the Internet via Gi0/1 from S2. Gi0/1 on S1 is active too, but will send mostly traffic to the Internet. Why is S2 active and why route it traffic from the Internet to the client?
A user with Easy VPN client connects to a 876 ISR (router A). This router also has a site-to-site VPN to another 876 ISR (router B). What I want to achieve is that the user dials in to router A and can access the network on the remote end of the site-to-site tunnel (router B) In diagram:
user (192.168.18.x) - Easy VPN - Router A (192.168.16.x) - sitetosite - Router B (192.168.17.x)
I have added routes in router B to the 192.168.18.x network with router A as next hop, but I can't reach the other segment.
i have a question about tunneling a software EasyVPN client to a client ASA Network. It looks like this:
EasyVPN Server 192.168.202.0/24 Network extension mode to Client EasyVPN ASA 192.168.1.0/24 This works fine in both directions. But now i want to connect the client ASA network via EasyVPN software client from outside. The user are already able to connect to the ASA Server on its static outside IP obtaining an IP from a 192.168.21.0/24 pool. This works fine. But how am i able to connect to the 192.168.1.0/24 network from this client?
how to make the java SSH thin client applet bigger in SSL VPN Clientless portal?It works and all that but the window is literally half the size of the monitor and unworkable. You can't even hit tab! (tab moves focus around the browser...)I am using the latest java applet (Oct 2012) and ASA OS 8.4(5)
View 3 Replies View RelatedDo the problem caused by the modems itself or it just sign of faulty Ethernet switch (using 20 port Allied Telesis ethernet switch).
Sometimes I cannot connect to internet due to "unidentified network" buy i can resolve this problem by restarting my modem + switch.
We have cisoc 2821 at one of branch and created five sub inetrfaces for different vlans.Output of Show interface shows very frequent increase in the input error count.I have changed the physical cable and switch port on the other side.But still error rate is increasing.When the traffic is less error rate is low but with high traffic it is increasing drastically.My router process is very less(4%) only.What could be possible reason. [code]
View 8 Replies View RelatedWe are looking to implement traffic shaping/policing primarily for P2P traffic. As natively the ASA5550 is only capable of p2p inspection if the traffic is tunneled via port 80 is the AIP-SSM the way forward? We have 2 5550s in active/active failover config. As a side note we are also looking to implement an IDS/IPS system so could this module cover all?Is this module going to provide the desired outcome or is there another module/device out there better suited for this? I would prefer to use the ASA5550s as opposed to implementing another product if only that we can make use of the investment we already made on these devices.
View 1 Replies View RelatedI am testing limit bandwith using my ASA 8.2, i am trying to limit internet access for certains users , i order to save Bandwith for the important things but i can´t get any limitation
My configuration is the following, the acces list is just for my pc in order to test, and the service policy is applied to outside interface (called internet in my case) for incoming traffic
access-list Internet_mpc_1 extended permit ip host 172.16.127.70 any class-map Internet-class-TEST match access-list Internet_mpc_1 policy-map Internet-policy-web class Internet-class-TEST police output 1024000 1500
service-policy Internet-policy-web interface Internet
With show service policy i can´t see any activity on the policy , but if i do a similar configuration for inside interface outgoing traffic i can see packets allowed and dropped
I have an ASA 5520 with the below config
Gi0/0: outside (Internet)
Gi0/1: inside (Internal users)
Gi0/2: DMZ (web servers, ftp, Mail etc..)
I have a SMTP relay deployed on the DMZ for mailing. I have also a mail servers installed in the internal lan,
I want to allow trafic from dmz to reach internal lan, and i want normally also allow stmp relay from dmz to reach Internet.
How can i block trafic from DMZ to reach Internal Lan (instead of smtp) if the to allow trafic from dmz to internet i must put ANY in the policy?
For allowing trafic from DMZ to reach Internet, the policy must be DMZ -----> ANY ----->Services., this policy means DMZ can implicity reach Internal Lan?
We have a Cisco 2811 running ITP IOS. On that router we run the SMPP service. A client on the network connects to this service, and we need to capture the traffic for debug.
I've tried traffic-export, but I cannot see any outbound traffic.I'm guessing that this is due to the fact that the outbound SMPP traffic is not transit traffic as it is generated by the router itself.
Is there any way to capture the outbound traffic?