Cisco WAN :: 2801 Removes Service-policy Output From Tunnel
Jun 6, 2011
I run 2801 with 124-24.T3 and I have following problem: router is connected to internet over pppoe and ISP once per day breaks this link. so I get:
Jun 7 19:31:56.639 MSK: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1
Jun 7 19:31:56.663 MSK: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
and I also have tunnel interface which endpoint is accessible over internet.
so I get:
Jun 7 19:31:56.679 MSK: %ADJ-5-PARENT: Midchain parent maintenance for IP midchain out of Tunnel1 68844500 - looped chain attempting to stack
Jun 7 19:31:57.635 MSK: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to down
Jun 7 19:31:59.199 MSK: %TUN-5-RECURDOWN: Tunnel1 temporarily disabled due to recursive routing
this is not a problem, problem is that router when interface goes down removes service-policy output from it, so I receive such message every day from runcid:
ip ospf cost 1
ip ospf mtu-ignore
tunnel source Loopback1
tunnel destination 192.168.200.199
- service-policy output tunnel_mpr_gre
and have to restore policy manually.
View 1 Replies
ADVERTISEMENT
Nov 30, 2011
I encountered this problem with cisco 870 atm interface. I applied service-policy output, its being accepted but when you do a show run interface, it's not there.
View 5 Replies
View Related
Sep 26, 2012
I am facing issue while configuring service-policy output command in Cisco 7609-S router with c7600s72033-adventerprisek9-mz.122-33.SRE2.bin IOS. However, in the same series router having IOS c7600s72033-adventerprisek9-mz.122-33.SRC6.bin is supported service-policy output.Both the switch have WS-SUP720-3BXL SUP.
View 2 Replies
View Related
Jan 26, 2009
I have a 3750 switch (c3750-ipbasek9-mz.122-46.SE.bin) were i want to add bandwitdh limit pr. interface, doing the following:
ip access-list extended customer_A
permit ip any any
class-map match-all BW_10Mbps
[Code]....
When i trie to apply the "service-policy output 10 Mbps" to the interface, it says the service-policy output is not supported on the switch. Is this a software related isue ?
View 4 Replies
View Related
Apr 25, 2011
I am not able to configure Service policy output command in Cisco 2921 router.While configuring I am getting below error.Same config is working fine in Cisco 3845 router.I am suspectting the problem with license in IOS.
View 3 Replies
View Related
Jan 24, 2013
We are planning to implement the following policy map for egress traffic on an Nexus 7000:
policy-map type queuing dd-1p3q1t-8e-out-10G class type queuing 1p3q1t-8e-out-pq1 priority level 1 shape percent 10 class type queuing 1p3q1t-8e-out-q2 bandwidth remaining percent 5 class type queuing 1p3q1t-8e-out-q3 bandwidth remaining percent 5 class type queuing 1p3q1t-8e-out-q-default bandwidth remaining percent 90
We are using two N7K's to which is one N5K connected through a vPC. From the N5k we use a port-channel with 4 * 10G. Two of this four ports are connected to on N7K and the other two are connected to the other N7K. On the n/K's we are using vPC.
My question now are:
1. Where i have to connect the policy map? To the port-channel or on each physical interface?
2. When i have to connect this policy to the port-channel, how does i have to set the shape percent, when i would like to reserve 10% from the 40G? Does i have to set the shape value to 5% on each N7K because vPC?
View 1 Replies
View Related
Feb 28, 2012
We have a situation where services are stopped on the real servers. The probes fail and we confirm the services are not running on the server. We cannot access the ports from the ACE directly. We can still however acces the VIP on the TCP port (L4 VIP class-map). So we can still telnet to the VIP on the port from thr Client side of the network.This is on ACE 20 Modules deployed in Routed mode. The version of software is A2(3.3).
Tried removing multi-match and loadbalance policies as well as class-map and re-applying then re-appyling the service policy to interface. Same behavior,This is a problem at another level as some services are being monitored by GSS via TCP keep-Alive and this obviuosly causes a problem as the service then never goes off-line.
View 10 Replies
View Related
Feb 19, 2013
Am applying a policy map to gig0/0interface vlan xIf i apply to either one only it is ok but if i apply it to the other interface it says ''configuration fail''.Am not also given the option to apply it to a particular interface as the one below
service-policy QoS_policy interface inside
Routers 1921
2801
View 2 Replies
View Related
Nov 17, 2011
We have a cisco 2801 router in class which has a disabled password recovery. We tried almost everything, we cannot get into ROMmon and the break sequence doesn't work in any program (hyper terminal, putty, teraterm pro).
Here is the log from hyperterminal:
System Bootstrap, Version 12.3(8r)T9, RELEASE SOFTWARE (fc1)Technical Support: [URL].Copyright (c) 2004 by cisco Systems, Inc.PLD version 0x10GIO ASIC version 0x127c2801 processor with 131072 Kbytes of main memoryMain memory is configured to 64 bit mode with parity disabledReadonly ROMMON initializedPASSWORD RECOVERY FUNCTIONALITY IS DISABLEDprogram load complete, entry point: 0x8000f000, size: 0xc100Initializing ATA monitor library.......program load complete, entry point: 0x8000f000, size: 0xc100Initializing ATA monitor library.......program load complete, entry point: 0x8000f000, size: 0xd49718Self decompressing the image :
[code].....
View 5 Replies
View Related
Oct 23, 2011
We are evaluating Cisco ACS 5.2 and I can not delete a service policy that was created. The message we receive is " the item that you are trying to delete is being referenced by other items". I am new to ACS, but I did go through each tab in the manager multiple times.
View 5 Replies
View Related
Apr 8, 2011
I am Using Windows 7 32-Bit, and my Network usually works fine, and my internet has been working fine up until recently. However about a month (maybe more) I noticed a problem that kept cutting me off occasionally and said Diagnostic Policy was not started, I troubleshooted it and it was fine. Much more recently this has been happening more frequently and troubleshooting it doesn't solve the problem. I can get online for 10-15 Mins then I am cut off again. Restarting the computer often fixes it but not always. I went to Services and found the Diagnostic Policy Service is not running, I press start and receive this error message.
The Diagnostic Policy Service service on local computer started and then stopped. Some services stop automatically if they are not in use by services or programs.I am quite sure my loss of Internet is due to this as this is a network related service and what the troubleshooter always finds to be the problem. Other Computer/Devices in the house connect to the internet fine with no loss of connection so it has nothing to do with that. I have tried various fixes like uninstalling network adapter drivers, and checking permissions in Registry but it has not worked.
View 4 Replies
View Related
Jan 10, 2013
I have the following scenario: Pair of Cisco 887VA routers acting as Layer 3 for Voice/Data VLANs with a pair of 2960 LAN Base switches acting as Cores and possibly then 2960 LAN Lites hanging off them as access switches. Our Service Provider has provided an example config where the class-maps match based on dscp values for the QOS policy applied to the DSL circuits. We can obviously trust the attached phones but I want to be able to mark data traffic on my core switches based on destination IP/port to allow application definition. My major question is can I have a service policy on my Layer 2 uplinks to the routers where the linked classes setting dscp vlaues are based on class-maps matching on the contents of IP access lists based while at the same time not remarking the EF marked packets from the phones?
View 7 Replies
View Related
Feb 21, 2013
I have an issue about ACS v5.3 Appliance.I have an ACS v 5.3 wo authenticate wireless users, together with a cisco wlc. One profile is to corporate users and the second profile is to guest.
The corporate users should authenticate with Active Directory and the guest with WLC. Guest users should authenticate with the ACS Local Database. I have configurate two service selection policy that match with protocol Radius. The first rule is to users of Active Directory and the second is to users in
the Local Database of ACS.When i try to authenticate users with active directory is OK, but when try to authenticate users with Local Database (Guest Portal) the ACS try to find the
the internal user in the Active Directory, because math the first rule, and the second profile can not authenticate.When I change the order, first the Rule of internal users and second the rule of users of Active Directory, the internal users can authenticate in to ACS, but
the users in the Active Directory can not authenticate.I think my ACS only authenticate the first rule of radius to Active Directory, no two rules of radius in the same time. Or maybe exists an issue in OS of the ACS.The authentication by separately is OK.
View 5 Replies
View Related
Jan 16, 2012
Configuring Cisco 2951 router using Cisco Configuration Professional. I have created a zone based firewall on the router and have created a zone policy for network traffic between two LANs or two zones. I need a create a rule for new traffic that should allow a custom user defined service to flow between the two zones associated with with two LANs.
The problem is How do I created a custom service that I can use for the new traffic rule? I created a network service object as shown in the screenshot below:However, when I am adding the new rule, this service object does not appear in the user defined service in the protocols tree box as shown in the screenshot below:
What is the proper way to create a custom user defined service? I was not able to create it using Class map by the way because again I did not find the service object group in the user defined service when creating a class map.
View 2 Replies
View Related
Mar 21, 2013
I got this 3640, trying to apply a service-policy (output and input), but seems like I do it something wrong...because he only apply the output policy... here the config, I already try to config the service police inside the fa0/0, but is not showed at all, he only show the output, its like I never apply that
View 1 Replies
View Related
Aug 7, 2012
Have installed an 887VA on the end of a ADSL connection. The provider has specified EF 150 on the link. The router is configured using a Virtual Template.
If the Virtual Template has a service policy applied, we don't have connectivity to their main site - although the CD and PPP lights are lit. As soon as the service policy is removed, we have connectivity.
We've had three sites with the same problem. Two of the sites don't have QoS specified on the link but had the same problem if the service policy was applied.
Hardware - CISCO887VA-SEC-K9
Software - 15.1(4)M4
=== config snippets
class-map match-all Voicematch access-group 10
policy-map Dscpclass Voice priority 150class class-default
interface ATM0
bandwidth 1143
bandwidth receive 12334
[code]....
View 3 Replies
View Related
Mar 31, 2011
i'm triyng to establish a vpn ipsec tunnel between my cisco2801 and a cyberoam equipment, at the end point.Debugging isakmp, i have this output, where xxx.xxx.xxx.xxx is the remote peer address, and yyy.yyy.yyy.yyy is mine.What can i try?
Apr 1 14:48:12.542: ISAKMP:(0): SA request profile is (NULL)Apr 1 14:48:12.542: ISAKMP: Created a peer struct for xxx.xxx.xxx.xxx, peer port 500Apr 1 14:48:12.542: ISAKMP: New peer created peer = 0x661C2D4C peer_handle = 0x80000003Apr 1 14:48:12.542: ISAKMP: Locking peer struct 0x661C2D4C, refcount 1 for isakmp_initiatorApr 1 14:48:12.542: ISAKMP: local port 500, remote port 500Apr 1 14:48:12.542: ISAKMP: set new node 0 to QM_IDLE Apr 1 14:48:12.542: insert sa successfully sa = 66DF4F5CApr 1 14:48:12.542: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.Apr 1 14:48:12.542: ISAKMP:(0):found peer pre-shared key matching xxx.xxx.xxx.xxxApr 1 14:48:12.542: ISAKMP:(0): constructed NAT-T vendor-07 IDApr
[URL]
View 2 Replies
View Related
Nov 10, 2011
I have some trouble with that policy-map on my 2960 or 3560 switches with LAN base 12.2(53)SE2. I want to use that feature to catch video traffic from webcams in laptops which can't send dscp values out of the box. This is my test config to check if the function is working: catch every traffic from my workstation for testing, access-list 101 permit ip any any, class-map match-all CL_TEST
1. I can't see any counters with the command "sh policy-map interface FastEthernet 0/1". Cisco tells that this command is not possible. But how I can see if the policy is working correct?
2. When I did the configuration I can't see any packets with dscp af41 on the out going interface on the switch with "sh mls qos int gi0/1 statistic" as I expected. After reloading the switch I see the pakets with af41. Okay for that moment. But.After that I changed something in the policy-map. Only "set ip dscp ef" for a second test.
Generating some traffic I see only packets with af41 as before I changed the policy-map. No traffic with ef on the outgoing interface.
View 4 Replies
View Related
Jul 18, 2011
I've run a across a strange issue that I've not encountered before and after the things I've tried am beginning to think it's a limitation of the router itself. What I have are 3 Cisco 1941 routers that are all endpoints for a customer's MPLS network. STL is the headquarters and both remote offices have a link back this router. Each of the remote locations only have 1 serial interface. It is a flat network with few routes and a small shoretel voip system running across it. Each router is running C1900 Software (C1900-UNIVERSALK9-M), Version 15.0(1)M5, RELEASE SOFTWARE (fc2).
QoS is configured as follows on each router:
class-map match-any AutoQoS-VoIP-Remark
match ip dscp ef
match ip dscp cs3
match ip dscp af31
class-map match-any AutoQoS-VoIP-Control-UnTrust
match access-group name AutoQoS-VoIP-Control
class-map match-any AutoQoS-VoIP-RTP-UnTrust
[code]....
If I try to apply the policy map to serial0/0/0, I get the following error:
% policy map utoQos-Policy-Untrust not configured
I've tried to create a different policy map with the same settings and get the same error. We thought that when it was first set up, each interface belonged to the same network, so we separated things out (hence the .252 mask). I'm not sure what else to try and I'm hoping its something painfully simple that I'm missing.
View 2 Replies
View Related
Jan 7, 2013
We have a problem with some websites being blocked every now and then. Everyone inside can access this external website for weeks, and then suddenly it's not available for a few hours, and then it comes back. All without me making any changes to the firewall, ASA5510. The external website that has nothing to do with us can be accessed from anywhere outside our network, example on my iphone through Verizon.
We have not set up any rules about blocking websites, all I found was the Default Service Policy. After backing up and then deleting the rule we are able to access all sites.
View 2 Replies
View Related
Jun 2, 2013
i just configured a C6K VSS with Sup2T, 15.1SY IOS software and a WS6724-SFP module with the follwing cos config:
auto qos default
table-map cos-discard-class-map
map from 0 to 0
map from 1 to 8
map from 2 to 16
[code]....
After applying the service policy to one interfac of the WS6724-SFP module the policy is deployed to all interfaces of the module. So far it should be ok but after a short time all interface of the module begin to go down an up and down and up ... flapping.
View 1 Replies
View Related
Feb 7, 2012
In my Cisco ASA 5510 in release 8.2, I have an extrage behavior in the output of "show service-police" command. The issue is that I create a class-map to limit trafic in one of ASA interfaces and I applied in a service policy. This is the configuration:
access-list ACL-Limitada extended permit ip host srv-proxy any
access-list ACL-Limitada extended permit ip any host srv-proxy
access-list ACL-Limitada extended permit tcp 192.168.10.0 255.255.255.0 any eq ftp-data
access-list ACL-Limitada extended permit tcp 192.168.10.0 255.255.255.0 any eq ftp
access-list ACL-Limitada extended permit tcp any 192.168.10.0 255.255.255.0 eq ftp-data
access-list ACL-Limitada extended permit tcp any 192.168.10.0 255.255.255.0 eq ftp
[code]...
View 1 Replies
View Related
Dec 24, 2012
i would like to know the possibility to use mls qos trust dscp with service-policy in the IOS ver.12.2(25)SEE2.The specific version is not possible to configure like below.
Cat3750(config-if)#do sh run int f1/0/1
Building configuration...
[code]....
View 8 Replies
View Related
Jan 6, 2013
interface Vlan24
description Internal Wireless Internet
ip address 10.x.0.1 255.255.254.0
[Code]....
So, I am trying to limit the bandwidth used by this vlan. The service-policy output statement works, the service-policy input statement does not. My test is to get on that vlan and go to speedtest.net. My download speeds are about 3.5Mb/s, my upload speeds are about 20Mb/s.
it has something to do with this:
sh mls qos ip
QoS Summary [IPv4]: (* - shared aggregates, Mod - switch module Sid - Switch Id)
Int Sid Mod Dir Class-map DSCP Agg Trust Fl AgForward-By AgPoliced-By
[Code].....
View 1 Replies
View Related
May 4, 2011
is there a way to assigen a QoS service policy via Radius to an Caltalyst 4500/3750 Switchport?
in detail, we would like to assign this policy
policy-map SET_EF class class-default set dscp ef
to an interface. All traffic should be marked with a defined DSCP value.
This works find when doing it statically with
interface FastEthernet2/1 service-policy input SET_EF
but we would need to assign such a policy via Radius during the 802.1x Authentication. different users should get differnt policies. We use Cisco ACS 5.2 as Radius Server and there actually is a field for that in the Authorization Profile Common Tasks Configuration. in detail, this uses the cisco-av-pair "sub-policy-In=<policy name>" attribute to assign a service policy to an NAS.
we found also two other attributes "sub-qos-policy-in" and "ip:sub-qos-polcy-in" for that. CCO says that "ip:sub-qos-polcy-in" works with Catalyst 65k [URL]
unfortunately this seems to not work on Catalyst 45k and 37k.
In the ACS Logs we can see that these attributes are attached to the Radius Reply, but unfortunately they are ignored by the switch.
it is interesing that when entering "show aaa attributes" on the Catalyst 45k, these attributes are displayd - so for my understanding the switch should understand these attibutes (?)
4503-E#sh aaa attributes AAA ATTRIBUTE LIST: Type=1 Name=disc-cause-ext Format=Enum Type=2 Name=Acct-Status-Type Format=Enum
[Code]......
View 1 Replies
View Related
Nov 17, 2012
I have seen an error in GRE configured between two routers over WAN. i am monitoring the WAN link and GRe tunnel via WhatsupGold NMS and it reported that Gre tunnel having packet loss sometimes and this time it affects the services and traffic passing over tunnel.sh int t101 shows output drops . is that the problem ? i have read that i have to adjust MTC size but i tried to change the tunnel MTU to 1400 but still sh int t101 shows MTU as 1514 ? What could be the problem of output drops in my tunnel link. [code]
View 1 Replies
View Related
Dec 20, 2012
I have an ASA 5510 deployed and we are getting a tonne of port scanning traffic (who isn't these days) and ping traffic.The threat scanning thresholds seem a bit too high and was wondering if there is a way to use a Service Policy Rule to perform a Shun/Block of the hosts rather than the firewall simply blocking the request via the ACL and sending a reply.
In other words, if I do nothing, I know the ACL is protecting the resources but it is still replying to the client connection. I want the end result to be the same as a "Shun" where the connection is dropped and no reply is sent. how to employ Service Policy Rules to thwart Port Scanning and/or IP Spoofing?
View 2 Replies
View Related
Jul 9, 2012
Example config
int g2/24
service-policy output test
#and/OR
int g2/24.10
encap dot1q 10
ip address 10.1.1.1 255.255.255.0
service-policy output test
View 5 Replies
View Related
May 1, 2012
i need to recover a router Cisco 2801. I lost the password and the "no service password-recovery" is configured. I have done many attempts with the procedure in this link :URL
View 9 Replies
View Related
Jun 3, 2012
I am trying to confgure a L2L VPN tunnel to a service provider using an ASA 5505.My problem is that the service provider will not accept traffic from a LAN subnet, they will only accept traffice from a public IP.We have a small public subnet of x.x.x.50/255.255.255.248, our public IP (outside interface IP on the ASA 5505) is x.x.x.50 and the service provider wants to see traffic coming from us on x.x.x.51How can I NAT our LAN subnet (10.0.0.0/24) to one public IP (x.x.x.51)?
View 14 Replies
View Related
Feb 5, 2011
So I have a Cisco PIX 506e that I've modified a bit, but am quite happy w/ when it comes to performance and configuration (I can actually set up the VPN server w/o too much thought.) I also have a Mikrotik Routerboard 750, I'm no longer using it as my router due to a few config issues I had plus the fact I had to hard code my internet gateway's arp address into the device due to some issues.
What I am wanting to do, which I'm sure is possible and easily accomplished (I just don't have the time right now to try it) is set the routerboard up behind my pix and have it function as an ipv6 router, while the pix handles my ipv4 duties. I've already set up the routerboard w/ an ipv6 tunnel broker when I had it running as my router, I am just curious if it will work in a similar fashion when configured behind an ipv4 device.
View 2 Replies
View Related
Mar 24, 2013
Recently I wanted to setup IPv6 for my home network. I signed up for tunnelbroker.net service and was provided with IPs. Then I configured the IP address in my DIR-615. But It's not working..
Screenshot of IPv6 config (router) : Screenshot of my Win 8 network Config : I also tested at [URL] but failed...
View 3 Replies
View Related
May 16, 2011
When I create a service object or group and add the object to a new rule it never works.I mean the traffic match not the rule. I see not hits.I placed the rule on top of my access list to check if I do somethink wrong but it is not working. When I place only a service for example tcp/23 it is working.
my ip service object
object-group service g-as400 description access client 2 as400 machine service-object tcp-udp destination eq 397 service-object tcp destination eq 137 service-object tcp destination eq 2001 service-object tcp destination eq 3000 service-object tcp destination eq 445 service-object tcp destination range 446 447 service-object tcp destination eq 449 service-object tcp destination eq 5010 service-object tcp destination eq 5544 service-object tcp destination eq 5555 service-object tcp destination range 8470 8476 service-object tcp destination eq 8480 service-object tcp destination eq
[code]...
View 8 Replies
View Related
