Any issues upgrading the IOS on a 921 router.How can i create a certificate for the new IOS? I've never had to do this for other IOS 15 upgrade?I've confirmed the IOS is not corrupt and if i upgrade the router in ROMMON the router boots correctly.
View 1 Replies
I've got a PIX 515e firewall on a branch site running version 7.2.4.7(LD) connecting via a VPN to an ASA at the HQ with 7.2.5 code running. After several hours it is no longer possible to ping either the PIX or hosts behind it on the branch LAN though the tunnel still shows as being up. In order to bring the link back up the local PIX has to be rebooted.The connection used to work with no problems when I was running PIX version 7.2.1 software but this had to be upgraded to 7.2.4 to support the new TCP normalization commands. VPN connections to other branch sites running PIX 7.2.1 remain active with no problems. The reason for the upgrade is to implement WAN acceleration between the sites however I still encounter this problem even when the WAN acceleration hosts are not installed.In addition to the software upgrade I added the following configuration to both the ASA and the PIX:
tcp-map wanx_tcpmap
synack-data allow
invalid-ack allow
seq-past-window allow
tcp-options range 28 28 allow
[code]....
The ASA originally had this code but the PIX did not and the VPN was stable, after upgrading the PIX and adding the code the link was no longer stable.
we have a Cisco ACS 1113 SE running v4.0.1.44 and are trying to upgrade it to v.4.2.0.124 following the instructions to upgrade it to v4.1.1.24 first.
We are using the following CD "ACS SE Overall Upgrade CD ACS 3.3.4 and 4,1,1,24 Upgrades"
We can download the 4.1.1.24 image to the ACS appliance via distribution server but the upgrade fails- we obtained the following console output when attempted upgrade was tried;
Upgrade package was not verified
Applying this upgrade package may corrupt the appliance
Continue at your own risk!
[Code].....
2950s work fine when upgrading the IOS using CNA. On all 2960s I get Failed to execute the command archive download-sw /overwrite /http iosFile
If I run the command using telnet and tftp server it works fine.
I have tried by deleting the old image then trying upgrade using CNA, but no luck
I am really stuck with router requirement for one of our client. I need 891 SEC router. I think this comes with advanced IP services. What I have is 1921, with IP Base. can I upgrade 1921, so it will become alternative to 891 SEC.
View 1 Replies View RelatedI am trying to upgrade an MSE from version 6 to 7.0.201.204. I am able to copy across all the files and have tried using WCS and FTP for the CISCO-MSE-L-K9-7-0-201-0-64bit.bin file but the installation procedure always fails.
I will download all the images again tonight. Is there a way to delete the images from the /opt/installers/ directory?
Also the upgrade procedure in the 7.0.201.204 is pretty bad, there is no detail in any of the steps.
Here is output from the upgrade -
[root@SDC-MSE-01 installers]# dirCISCO-MSE-L-K9-7-0-201-0-64bit.bin database_installer_part3_4.zipdatabase_installer_part1_4.zip database_installer_part4_4.zipdatabase_installer_part2_4.zip
[Code].....
I am trying to upgrade a brand new ISE 3395 from 1.0.3.337 to 1.0.4 (latest). It keeps failing with % Manifest file not found in the bundle Here is the output:
company-ise-01/admin# application upgrade ise-appbundle-1.0.4.573.i386.tar.gpg ftp
Save the current ADE-OS running configuration? (yes/no) [yes] ?
Generating configuration...
Saved the ADE-OS running configuration to startup successfully
Initiating Application Upgrade...
% Manifest file not found in the bundle
[code]...
I can't find anything about this for ISE, although there are a lot of topics for the same error for ACS.
How I can upgrade the iOS from CISCO 1921 ISR? Without losing my configurations.
View 3 Replies View RelatedI have a Cisco 1921 ISR Router with Security License running software version 15.0. I want to upgrade the router to 15.1. But I don't want to lose the security license that came with the router. When I look at the IOS downloads page on Cisco, all I see is universal images for all versions of 15.1.
My question is - where is the security license stored? In the IOS or programmed in somewhere else of the router? If I upgrade my router to one of the newer 15.1 universal images, will I lose my security license?
We want to puchase new Cisco ISR 1921/K9 . i want to know does it support the following sample IP-SLA commands
ip sla 2icmp-echo 172.16.1.2timeout 500frequency 1ip sla schedule 2 life forever start-time now
track 10 rtr 1 reachability
delay down 1 up 1
!
track 20 rtr 2 reachability
delay down 1 up 1
ip route 0.0.0.0 0.0.0.0 192.168.1.2 track 10ip route 0.0.0.0 0.0.0.0 172.16.1.2 track 20
Im asking above question because we will need to enable ip-sla on the mentioned router. as i read on the cisco webside, it says Cisco-ISR-1921/K9-IP Base support only IP-SLA RESPONDER feature nothing else. If Cisco-921/K9 does not support the above commands , should i go for ordering Cisco-1921-SEC/K9 ?
When I select Job Broser I get the following crash, LMS 3.2, server has been restarted but I continue to get the error. [code]
View 4 Replies View RelatedI'm running a Cisco 891 it has both crypto maps and ipsec VTI's running on the external interface. The cryto maps are for sites that do not have a cisco router and the Tunnels are for the sites that use crypto maps work perfectly fine. But I much prefer using unnels as it gives a routable interface, ospf works ect.
The tunnel interfaces will periodicly fail (Line protocol down) at no set interval, they will then not come back up again. To bring them back up I either have to shutdown and then re-enable the interface or run "clear cry ses rem *.*.*.*"
Logging with isakmp and ipsec errors provides the following:
55801: *May 1 10:31:16.015: ISAKMP:(0):Can't decrement IKE Call Admission Control stat incoming_active since it's already 0.55802: *May 1 10:31:16.015: ISAKMP:
[Code].....
My VRF Collector job has started failing. I have attached the contents of the vnmcollector.log file after setting debug level to DEBUG.
View 1 Replies View RelatedI've got a fully working 877w that I'm trying to get to boot from tftp, but I just can't seem to get that going.I have a tftp server running and can copy images back and forth without any trouble.I have this in my config:boot-start-markerboot system tftp c870-advipservicesk9-mz.124-24.T2.bin 192.168.1.200boot-end-markerDuring the boot process I get an error message that says there is a missing or illegal ip but I really don't see how that can be as my tftp server is 192.168.1.200 just like my config says.
View 16 Replies View RelatedMy tunnel had been running fine for a couple of months. Now, not so much.Here is some debug.
View 6 Replies View RelatedIm preparing a lab and I have 2 ASA 5520's. I have configured them for failover so the Primarys config will replicate over to the Secondary. They are connected via a 3560 switch. the switch ports are configured as access ports on vlan 1. Spanning-tree portfast is enabled
Firewall (Primary)
Cisco Adaptive Security Appliance Software Version 9.1(1) Device Manager Version 7.1(2)
Compiled on Wed 28-Nov-12 10:38 by buildersSystem image file is "disk0:/asa911-k8.bin"Config file at boot was "startup-config"
[Code].....
config collection is failing.in detail its partial success(config fetch is success but archieve is failed).
View 1 Replies View RelatedI'm currently unable to upgrade certain devices since Cisco Prime incorrect believes there is not enough room in the flash partition.For example.
Getting the following error messsage trying to upgrade some Cisco 871 routers: "Catastrophic - SWIM1200: Selected Flash partition requires minimum (28 MB) to upgrade selected software/image."The images are around 18 MB in size. Why does Cisco Prime thinks its 28 MB in size? Bug?
I have a rv016 that's been in 24x7 operation since I bought it a few years back. It is out of warranty. It is connected to three cable modems on WANs 1-3. Behind it are a bunch of PCs getting IPs via DHCP. There is a gateway to gateway vpn tunnel setup on wan3 to a rv082 at another site. There is a forwarding entry for http to an internal http server. Everything else is pretty much default.
The router is primarily used to aggregate bandwidth for uploading large numbers of photos. The systems behind the router initiate the uploads and the router automatically load balances the outgoing bandwidth.
This was all working fine until just recently. The ISP is Knology who is upgrading each of the 8m/768k cable modems to 25m/5m. They are also moving from DOCSIS 1 to DOCSIS 3. They are currently in the middle of this upgrade and have upgraded the modems to DOCSIS 3 as well as the speeds to 12m/2m. The problem is that the rv016 Network Service Detection, which is set to "Default Gateway" indicates that the modems fail randomly. Usually only one will be failed, but up to two will fail the Network Service Detection simultaneously.
Knology insists that there is nothing wrong with their modems. I have removed a modem from the rv016 when Network Service Detection indicates it is in a failed state and connected it directly to a computer. It will work, but it has a different IP address and default gateway. As soon as I connect it back to the rv016, it works there too, but on the original IP address and gateway. I've only tried this test this twice so far, so it is a bit inconclusive.
Speed tests behind the rv016 are the same as directly connected to one of the cable modems. The router works normally as it has for years. Nothing else is acting funny.
So my question is, is the rv016 failing or is the ISP having problems?
Backup failed on 2012/06/03 at 22:02:52. REASON: Unable to proceed with the backup operation as some files are being accessed by jobs. Reschedule the jobs such that the backup job does not coincide with other jobs.
Randomly the backup for lms 4.2 is failing. it has suceeded but majority of the time its failing. i have tried changing times but nothing seems to work. previously we were running 4.0.1 and had noproblems with the backup time.
Just found the bug
CSCtz29665
URL
I set up a connection from a laptop (Windows 7) that goes through a LAN proxy server to a secure ftp server (Windows Server 2003).The sftp server is assigned a public ip address.I opened the firewall at the destination and allowed port 22 traffic to the sftp server. Well, the connection is failing.I know for a fact the connection from the client laptop is making it to the sftp server.If I issue this command on the client laptop:
telnet sftpserver 22
The DOS screen clears and tells me the type of SSH server I'm connecting to. While this connection is still active, I logged into the destination sftp server and did a netstat command. I can see the address of the proxy server in the "Foreign Address" column of the netstat results. I also can see the proxy server address when I look at the Application Log on the sftp server, so I know the connection is making it to the sftp server.
I beleive the problem is the control port (return traffic) from the server back to the client. Something is being blocked or is misconfigured. I always thought the router negotiated the control port, and that the control port didn't need to be put into any firewalls.
For everybody else in the house the internet works fine on their devices, however, on my laptop and ipod it will often not allow me to connect for ages, but then finally connecting (without me changing anything)
View 3 Replies View RelatedI am able to use the lap top but not my desk PC.Browser keeps "failing" to recognize the DNS ? or my ports are blocked by a previous firewall ?
View 19 Replies View RelatedUPnP seems to be failing somewhere between a few hours and a few days. It will work as expected for a while after starting or restarting the router, but then trying to create any new UPnP mappings will fail, and the ones that have been already created usually stop working. The commandline client upnpc fails to locate the router automatically, and manually navigating to http://192.168.0.1:65530/rootDesc.xml in Chrome returns a connection reset error instead of the expected XML device description.I turned on debug messages in the logs, but there doesn't seem to be anything useful in there (though they also seem to be flooded with a bunch of IPv6 mDNS network hopping, so I'm going to try disabling that for a while and see if that works). I did update to 2.10 and still had the same issue with UPnP, however my wireless network kept going down (I guess a known issue) so I downgraded back to 2.07. After the downgrade, I reset the router and manually re-entered all my settings (i.e. I didn't import them).
View 14 Replies View RelatedI am not sure why but when I try to connect with my IPSEC VPN client, authentications are failing. The ldap test passes on the ASA but when I try to login, the VPN client gives me authentication failure even though debugs show authentication was successful.User 'test1' should be able to authenticate based on group membership.User 'test2' shouldn't be able to.I already removed the attribute-map to see if that was the problem but I am still failing authentication.
View 9 Replies View RelatedI've got an application running on a Windows 2008 server that I have verified as live on port 8085 at localhost. I've also verified on the server itself that port 8085(and in fact, all ports) are open right now. Despite this, I have no connection to this port on the server. Let me back up a bit an explain the architecture I'm working with.windows_server >> Switch >> Firewall >> Firewall >> InternetEverything but my server is managed by my hosting company who is insistent that this is a server issue. Is there a way to find out at what point my connection to port 8085 is failing? I feel like it's stopping at one of the Firewalls but need proof of this theory to get something done about it
View 3 Replies View RelatedI am having trouble getting the bridge to work. The setting is as follows: I have to buildings, separated by a road. Distance is apx 35-40 meters. From the main building there is a network which I am trying to extend to the other building by a wireless bridge. I am using two 1242 (autonomous) for this. I have also external directional antennas (7Db) mounted on a pole 8 meters above ground on each buildings. These are of course directed to eachother. The antennacabel used between the ap's are shielded Cisco-cables.
The config on the root AP:
dot11 ssid Valhalla01
authentication open
authentication key-management wpa version 1
[Code].....
I have upgraded to prime LMS 4.2.2 (from 4.0.1) and can not perform system or device upgrade. Using wireshark I can see why. it looks like LMS is trying to go to this old web [URL] to get software. I believe this was fixed years ago in bug CSCto46927.
Can I reapply bug fix CSCto46927 on 4.2.3 or is there another fix?
I have recently bought a used 2600XM, I was trying to boot it, I get some errors and end up being the ROMMON mode:
ystem Bootstrap, Version 12.2(8r) [cmong 8r], RELEASE SOFTWARE (fc1)
Copyright (c) 2003 by cisco Systems, Inc.
C2600 platform with 262144 Kbytes of main memory
getdirent: bad file magic number, possibly out of sync
boot: cannot determine first file name on device "flash:"
[code]...
Previously posted as C2900 - inward NAT partial success...
Running C2900-UNIVERSALK8-M, Version 15.0(1)M3 RELEASE SOFTWARE (fc2)
I have several sets of inward NAT defined (51001-51007, 52001-52007. 53001-53007),all to various internal addresses. When I attempted to add another set, the new onesdo not work and get a "timeout" error.
When I tried port 51008, it gets a timeout. When I changed 51008 to 51010, the 51010 now gets a timeout, and 51008 now gets "connection refused" (which I expect).The original sets all work, the new ones (added at the end of the lists) do not.When I am on any of the internal machines, the target (192.168.1.21) works fine.When I am "in the router", I can connect via the ssh command, so I know that therouter can talk to 192.168.1.21 on port 22 as expected.
We're running NCS 1.1.0.58. Since updating to this release from the 1.0 release, the 'Autonomous AP Client Status' and 'Lightweight Client Status' background tasks have been failing with message 'java.lang.NullPointerException'. I believe as a result of this that the 'Current Clients' tab on an AP monitoring screen just reports 'No data available'.
View 2 Replies View RelatedUsually the configuration files are fetched once every week. Lately, the Scheduled Config collection job is failing for all the devices. I have tried to “sync Archive” from LMS 3.2 on some devices but nothing happens. The switches out there are C3750, 2960, 2950, 3550, 3650 and some routers.The server is Win Ser 2003.
[URL]
I have an issue with the sf-300 switch model, which i am depolying in lapsafe trolleys. The approach is to wake the laptops from the guest VLAN (20) with WOL have them authenticate with 802.1x and use DVA to put the ports in VLAN14 so updates can be pushed to them over night.
I have configured 802.1x, guest vlan and DVA which works initially, all host wake from WOL, the laptops successfully authenticate and are assigned to the VLAN (14). This remains stable for a time then the hosts fail reauthentication. I have also noticed that when a host is disconnected from a port and patched into another port the initial port remains in the authenticated state and the new port authenticates the client but the hostnames are missing on the 'authenticated hosts' page of the GUI, DVA fails. The ports display a port-failure message for a time then moves to failed reauthentication.
The only way I can get it to work again is to reboot the box. From the logs I can see the macs of laptops being rejected and I can also see attribute 26 being ignored. See log below. I am unsure as to why host are initially authenticated but reauthentication fails, is it not the same process?.
I have 11 of these switches and have configured 6 which all display the same behaviour. These switches are not CISCO I do not understand why they have badged them. The protocols/standards are implemented differently. If you incuded 'general ports' as an answer in a CISCO exam you would fail. There are also other issues I have noticed with these boxes, I am not impressed!.
