Cisco WAN :: 2821 / IP SLA Tracking Objects Dropping?
Mar 24, 2013
I use tracking objects aroung the organization where I work to monitor WAN and VPN connections and add/remove routes based on the state of the object. I'm having 2 locations that are constanty going up and down and I've been troubleshooting and monitoring for the last few weeks without finding anything. I've been incrementing the timeout for the SLA and it seems like this is working a little (less overall drops) but the drops still occur. Our ISP reports no issues and we see no issues internally on the circuits. Just out of curiosity could this be some kind of IOS bug or hardware malfunction? The router logs are full of these:
Mar 21 16:18:33: %TRACKING-5-STATE: 2 ip sla 2 reachability Up->Down
Mar 21 16:18:38: %TRACKING-5-STATE: 2 ip sla 2 reachability Down->Up
Mar 21 17:24:14: %TRACKING-5-STATE: 2 ip sla 2 reachability Up->Down
Mar 21 17:24:19: %TRACKING-5-STATE: 2 ip sla 2 reachability Down->Up
[code]....
The IOS version of the router I took these from is 151-4.M6 advanced IP services and it's a 2821 router.
View 5 Replies
ADVERTISEMENT
Nov 21, 2011
I have a remote user who currently has a Cisco VoIP phone that connects into our network via TFTP. He informs me that the phone drops several times throughout the day, with an occasional drop in VPN from time to time. His router has the most current firmware, set QoS rules priortizing the phone and VPN, and decreased the MTU rate, yet he still experiences these drops. He used a VoIP phone from his last job, and never experienced a drop.
A little info of our current setup:
Cisco 2821 Intergrated Services Router, with CUCM version 7.1.3.30000-1
Cisco ASA 5510 software version 8.2(4)
View 1 Replies
View Related
Jun 9, 2009
i need the MIB object names for monitoring the processor and Memory Utilization of CSS 11503 with software version 7.50 Where can I find it?
View 5 Replies
View Related
Jun 22, 2011
We are currently running 8.3(2) and I'm just wondering how many network/host objects the device can support? and how big can an access-l get?
View 1 Replies
View Related
Sep 24, 2012
I'm testing upgrading an ASA from 8.2.5 to 8.4.4. During the the upgrade, it change all of my ACL host entries to objects. But I noticed that the keyword "host" is still a valid option when creating an ACL.
I'm trying to understand why this change is made during the migration.
View 3 Replies
View Related
Aug 27, 2012
I'm trying to add an extended ACL (120) to an 800 series router (887) using Network Objects to allow the management user IP range full access to IP services and restricted access to email only for standard user IP range. However as soon as I apply the ACL to the outbound of my Vlan no matter what is in the ACL my PC looses internet connectivity. I've tried adding an explict allow for my IP address and still no access so I'm thinking possible a NAT issue, please have a look at my attached config and let me know what you think. Would I be better trying to control data flow with ZBF? I want to restrict standard users to email access only during the work day with web access and IM access after hours along with blocking all P2P programs for standard users at any time. Management group will have unrestricted access to all IP protocols. My original plan was to use time based ACL's!
View 9 Replies
View Related
Oct 4, 2010
My ASA5505 has an external address of x.x.x.13. We have got another 2 spare ip addresses: x.x.x.10 and x.x.x.11.We also have 2 internal hosts, which we need to provide with internet access using NAT. y.y.y.146 and y.y.y.70.
We recently updated our ASA to software version 8.3(1). I was thinking that I could do it using network objects and groups, but didn't understand quite good how this should be done.
The goal is to set up ASA in the way, that if either of the abovementioned 2 hosts will connect to the internet, it needs take one of 2 external addresses. All other hosts should use PAT through x.x.x.13.
View 21 Replies
View Related
Mar 5, 2012
Any way of doing named objects or object groups for ACLs on the ASRs? (1000 series in this case.) I'm setting up an ASR with a zone-based firewall and writing out all the addresses, ports and protocols for the ACLs associated with the various zones is creating huge, unwieldy ACLs in the config.
View 11 Replies
View Related
Nov 3, 2011
I'm working with ASA 5520s. how to add network objects via CLI. I know I could easily do it using ASDM, but I like to learn the hardway first. How do I add the subnet mask for a network object when creating via CLI? [code] That sets up the hosts with IP addresses, but how do I add the subnet mask?
View 2 Replies
View Related
Nov 3, 2011
I am trying to create host objects that I'll then add to network-object groups for use in ACL/ACEs.When I try to create a host I am having trouble adding the IP address.I then get an error saying the host name must start and end with letters or numbers and only contain letters or numbers. What do I need to do to create hosts from CLI?
View 2 Replies
View Related
Feb 22, 2012
when I migrated the ASA config from 8.2 to 8.3, in all groups the group members has been replaced by the IP address object. However, the "name" for this object has been migrated, but there is the "object network name" configuration missing.
What I can do now is that I can open the new created object in the ASDM, search for the object with this IP address and then enter the object name I had before. When I apply the config, ASDM then creates the object and replaces all affected objects in all groups, by replacing the object group memeber "network-object host hostname" with "network-object object hostname".
Do you know if there exists an automated way, which checks all the groups for members "network-object host", creates the "object network" and replaces the "network-object hosts" with "network-object object" within the group? As long we have a lot of groups which contains partially > 50 members?
View 2 Replies
View Related
May 17, 2011
I have a customer an exisiting 5505 which connects to multiple sites for a site-to-site VPN. This firewall was not installed by myself originally I have just been asked to take a look now.The situation is that we now need to edit one of the existing site-to-site VPNs to include the remote sites expanded network. I have tried doing this through the ASDM and have found that I cannot add new network objects. I have tried creating a new network object group and then added the new networks from there but I am completely unable to add the new objects.I believe a picture tells a thousand words in this case so I have attached some images which show the problem. I have also tried going through the VPN wizard, this also does not allow me to add new network objects.
View 2 Replies
View Related
Feb 14, 2012
how to export objects (net and security) from an ASA 5500 firewall to a .csv file?
View 1 Replies
View Related
Mar 23, 2011
Any detailed knowledge about Cisco ACS 5.1 and Windows AD interaction? I wonder why does Cisco ACS domain account must have permission to create/delete domain objects. This fact does really surprided me, because to my mind Cisco ACS only reads domain structure, and does not make any changes.
View 3 Replies
View Related
Dec 1, 2011
I was wondering if it is possible to track and or log the changes that users make in in LMS 4.1. For an example if someone changed a configuration I want that being logged. I want to see what the person changed, when it's changed and who changed it.
View 2 Replies
View Related
Dec 27, 2011
what is the best way to do a acquistion on ip address on devices that appear to be dead until ping before LMS4.1 reports onn them. For example we run acquistion on a branch we do not see 172.20.12.51, howver we ping it from my desktop Claims unplugged when plugged in, and says "safe to remove" when I unplug the cableand then run user tracking and then it shows up.
View 1 Replies
View Related
Sep 26, 2012
I am trying to collect and track packets from other computers on my network and have them sent to my computer so i can sniff through them. I have been tacked with trying to reduce the amount packet broadcasts going through the network. I have been playing with Wireshark for a little bit only analyzing my packets but now I want to try collecting a couple of computers on my network. I know there is a little service that I can run with WinPcap but I am pretty sure there is a way to do it through the settings on my switches but i'm not sure what setting I need to use. I have 4 switches 2x Netgear GS724TS 2x Netgear GS724TR. I'm not sure what feature needs to be used to do what I want. All the switches can do SNMP and LLDP and I think it is one of these I need to use but not sure switch one to use.
View 1 Replies
View Related
Jul 15, 2012
I have a dual connection from two service providers ( provider A & Provider B).In my internal network, I have two Vlans (vlan10 & vlan 20).My requirement is users belonging to vlan10 should go via ISP A and for vlan 20, it should go via ISP B.So, for that purpose, I configured HSRP along with intervlan routing and that worked quite fine. I have two Cisco AS5300 routing connecting to both ISPs and they are terminated to a common switch Cisco2950.All are in ethernet technology, serial technology has not been used. "IP SLA" command is not supported in CiscoAS5300.I configured the interface tracking command for HSRP as well.
When one link goes down then it doesn't fail over and go through another link. To fail over, I should manually remove the external link connecting to the router. And another thing is, if i pulled the cable connecting to the internal network then it fails over. "IP SLA" command is not supported in CiscoAS5300.I am trying to implement a failover using HSRP in Cisco AS5300 but the interface tracking is not decreasing the priority value when the connection is lost with the ISP and IP SLA is also not supported. So, in this case what can i do to make a perfect failover for the network ?
View 4 Replies
View Related
Sep 1, 2011
I am trying to determine why hosts off our Nexus 7010s are being picked up in UT. Since LMS 4.0.1, UT should be supported on these devices.When adding the Nexus devices to DCR, provide the netadmin SNMP RO credential.When other SNMP RO credential is provided, user tracking will not collect end host data.I think I have this setup correctly as the device center test passes when cehcking snmp ro credentials.Our 7010s are running NX-OS 5.0(3) - earlier than the recommended version - might that cause issues? We are not using VRFs other than the default and management.
Here is my snmp section:
sh run | sec snmp
ip access-list copp-system-acl-snmp
10 permit udp any any eq snmp
10 permit udp any any eq snmp
20 permit udp any any eq snmptrap
[code]....
View 12 Replies
View Related
Nov 14, 2011
Some times the ISP side interface remains up with a failure of internet. At those situation how we can efficiently track the ISP failure from asa 5510
View 2 Replies
View Related
Nov 27, 2011
in LMS 4.1, under Monitor->Identity Dashboard, i have "user tracking summary" as a portlet, which tells me i have ~ 17,000 users. when i click the report, it pops up a screen that shows mac address, ip address, hostname, subnet, etc.
If i try to do ANY filtering, it returns 0 records. this could be from a specific IP, mac address, device name, or subnet. i have tried every type of record. every filter i attempt always ends with 0 records returned, even though in the unfiltered list they show up. It would be problematic to manually sort through 17,000 users looking for the particular records i need without the ability to use the filter.
how to filter the User Tracking report? is there some feature in LMS i don't own or have enabled to allow this filtering?
View 3 Replies
View Related
Mar 15, 2012
I have just got LMS 4.2 soft appliance up and running. When going to Inventory >> Acquisition summary, I get a HTTP 500 error with java. lang.Null Pointer Exception. That is obviously a bug somewhere (although the TAC engineer disagrees with me). I am just wondering if this is could have been caused by the fact that I have not done any user tracking on this LMS server yet? [code]
View 1 Replies
View Related
Feb 18, 2013
We are running LMS 4.3.2, it was running OK... but now we receive the following message:
"User Tracking Major Acquisition cannot be started as Network Topology, Layer 2 Services and User Tracking are disabled."
All processes are running. System restart and re-install the 4.3.2 update does not fix it. I think this happens after a device update, maybe FaultManagementDeviceUpdate...
View 2 Replies
View Related
Dec 6, 2011
I have an interesting problem at one of my customers. They are using LMS 4.0.1, but they have a problem with user tracking with SNMPv3. They using a very simple SNMP configuration, wich is the following: [code]
Now they have UT working well for their Ctalyst 4500 switches, and the half of the 6500s (They have 2950 switches as well, but for those UT with SNMPv3 is unsupported). So the problem is the following: they have 12 6500 switches, with the same IOS version (10 pieces of WS-C6506-E + SUP720-3B IOS: 12. 2 (18) SXF17 (IP Services), 2 pieces of WS-C6506 + SUP720-BASE IOS: 12.2(18)SXF17 (IP Services)). They have identical SNMP configuration on both devices. Based on the logs from LMS it seems that on the problematic switches for some reason LMS identifies the switchports as routed: [code]
View 5 Replies
View Related
Jan 9, 2013
I try to aquier IP Phone in User Tracking. Phones are present but like pc (without other information...DN, user....)
the LMS version is 4.2.3
the CUCM version is 8.6
the CUCM is green on Topology..
View 4 Replies
View Related
Nov 4, 2011
I've another problem with our new LMS 4.0.1.We manage our devices with SNMP v3 but the user tracking don't want to work flawlessly.I've attached an example from our SNMP configuration. Basicly it's the same in our devices.
1st the problem was that no matter what I did the User tracking didn't want to find any host. I left it and worked on something else. After 2 weeks suddenly appeard couple of thousand end host.As earlier (LMS 2.6 or 3.2 with snmp v2) it is the same that LMS cannot differentiate normal end host and IP Phones although we have several thousand from both. But this is only one problem. The other is that there are switches with the same IOS and SNMP configuration and from one I get the UT data and from another one I didn't get anything. Only from some 4506 (aprox. 12-15) and 6506 (2) works and we have 20+ 4506 and 10+ 6506. Not to mention the other switches (couple of houndred 2960 and 3750).
View 10 Replies
View Related
Mar 7, 2011
if my employer uses split tunneling on our VPN network, and I access the internet thru our VPN then my home internet is routed through my ISP and can not be tracked by my employer or is unlikely to pop-up on employer tracking software. Is this correct?,how can I tell if my employer uses split tunneling? Currently they use Juniper Network Connect. If I am logged onto the VPN and look up my ip address, I see it finds my DSL ip address, not my employers IP address. Does this mean the VPN is using split tunneling?
View 7 Replies
View Related
Oct 19, 2011
I have a problem about user tracking for LMS 4.0.
For example:Switch 4506 send the endhosts for every VLAN that it has configured, except for one, but I can see that VLAN is configured over the switch.
are there problems directly with the connected endhosts over this VLAN or is it a problem about configuration for user tracking settings ?
View 2 Replies
View Related
Aug 23, 2011
I've the following problem, configured dynamic user tracking on a WS-C4506-E with a WS-X45-SUP6L-E, System image file is a Version 12.2(53)SG2
Interface configuration:
snmp trap mac-notification change added
snmp trap mac-notification change removed
[Code].....
View 12 Replies
View Related
Feb 27, 2012
Is it possible to track failed login attempts to ACS instances (both on CLI and web GUI) by snmp? unfortunately i haven't found such option in Monitoring and Reports > Alarms > Thresholds >
View 2 Replies
View Related
Dec 25, 2012
If I have understand correctly, the IP address - mac address matching was made with the arp table of a cisco acces switch if it will made the L3.
My access switch wasn't used for L3 routing, only L2
It's possible to set user track to use the arp table of a firewall or a router for made this matching ?
View 2 Replies
View Related
Nov 14, 2011
I have PIX 535 and using ACLs for allowing traffic. I need to clean up the rule base. I would like to know how to fetch a report of Unused rules for long time?Also when a traffic is being allowed, I want to know through which rule number its being allowed?
View 2 Replies
View Related
Oct 5, 2012
I have already ordered a Cisco ISR 1921/K9. but as i read on Cisco website, it is written that Cisco 1921/K9 only support (IP SLA Responder) feature.
I don't know actually what is sla- responder. but our requirement is we will connect that Router 1921/K9 into 2-ISP links and i want to enable IP- SLA probes on that router so that it can track both the routes into those isp links. so my question is does CISCO 1921/K9 have the support for what i need ?How about Cisco 1921-SEC/K9 ?
View 1 Replies
View Related
