Have a very peculiar issue with IP SLA. Firstly, the architecture.
1) There are two sites - A & B. Both have their own internet connection.
2) Sites A & B are connected via MPLS.
3) Both sites have the below topology.
3750 CORE --> FIREWALL -->ROUTER ---> INTERNET
4) 3750 has a Default route pointing to firewall .
5) MPLS router is connected to 3750. A default information is originated via BGP to MPLS at each location. So that default route is learnt as a backup path from any location if it has to lose its local internet.
6) IP SLA has been configured at each location to track the default route using icmp-echo to hit a public IP (i.e 4.2.2.2 as an example).
Issue?ICMP probes from Site-A via its local internet fails abruptly. I can reach the public IP mentioned above from my firewall pretty fine, but not from my 3750. Whenever i remove the tracking from the static default route & push in the plain default route without tracking, it works fine. Again, if i add the tracking back, it will work fine for an hour or so & then fails back again. To my bad, Site-B had recently gone offline due to some natural calamity. So, there is no other path for internet.
My config looks pretty simple
track 10 ip sla 1 reachability ! ip sla 1 icmp-echo 4.2.2.2 source-ip 10.1.254.1 frequency 180 ip sla schedule 1 life forever start-time now ip sla enable reaction-alerts ! ip route 0.0.0.0 0.0.0.0 10.1.254.1 track 10
I am running IOS version 12.2(53)SE2 (IPservices images).
I have set up an ACL on my 3750 switch to deny icmp from PC A on our inside network to PC B on a different VLAN on our inside network using the following ACLs:
These ACLs belong to an access-list that also limits ip traffic to a few specific machines.When I try pinging from PC A I receive a reply message back from PC B. Shouldn't this configuration block any ICMP from PC A to PC B and from PC B to PC A? I would have expected the first ACL statement to block any packets associated with ICMP and when that didn't work I tried the second configuration.
I had setup a lan infrastructure with 5 3750 stack swithes. In these 3 of them are in one stack which is acting as access switch, 2 of them in another stack which is as core switch where all the SVI is configured. Now, when i tried to ping from our edge pc which is connected in access switch to default gaeway, which is configured in core switch, the ICMP is getting delayed . But when try to ping from the same edge pc to another user PC, it is getting less tahn 1 millisecond icmp replies.
why icmp is delaying to default gateway , but working with another edge to edge pcs without any delays?
i am facing a problem when the client vlan is commmunicating with the default gateway on the core 3750-x.
ios in 3750-x core is 3750e-universalk9-mz.150-2.SE.bin. But, client to client communication is happening without any dealy and icmp is less than 1 ms always.
When try to ping default gateway of client vlan, it is getting delayed (variable icmp delays). Is this an ios bug?
I've been looking for a way to detect the level of traffic caused by unknown unicast traffic on a Catalyst 6509.I have found mechanisms to mitigate it but nothing to actually detect/measure what the levels might be.
I have a Canon ScanFront 220 network scanner that seems to have a problem with our network. It's plugged into a Cisco 3560. The network is operational, just chatty.
A wireshark session for just a few seconds looks like this: (192.168.81.42 is the scanner) 1w4d: IP ARP: rcvd req src 192.168.81.42 0000.8583.2c43, dst 192.168.81.89 Vlan81 1w4d: IP ARP: rcvd req src 192.168.81.42 0000.8583.2c43, dst 192.168.81.90 Vlan81 1w4d: IP ARP: rcvd req src 192.168.81.42 0000.8583.2c43, dst 192.168.81.91 Vlan81 1w4d: IP ARP: rcvd req src 192.168.81.42 0000.8583.2c43, dst 192.168.81.92 Vlan81 1w4d: IP ARP: rcvd req src 192.168.81.42 0000.8583.2c43, dst 192.168.81.93 Vlan81 1w4d: IP ARP: rcvd req src 192.168.81.42 0000.8583.2c43, dst 192.168.81.94 Vlan81 1w4d: IP ARP: rcvd req src 192.168.81.42 0000.8583.2c43, dst 192.168.81.95 Vlan81 1w4d: IP ARP: rcvd req src 192.168.81.42 0000.8583.2c43, dst 192.168.81.96 Vlan81 1w4d: IP ARP: rcvd req src 192.168.81.42 0000.8583.2c43, dst 192.168.81.97 Vlan81 1w4d: IP ARP: rcvd req src 192.168.81.42 0000.8583.2c43, dst 192.168.81.98 Vlan81 1w4d: IP ARP: rcvd req src 192.168.81.42 0000.8583.2c43, dst 192.168.81.99 Vlan81 1w4d: IP ARP: rcvd req src 192.168.81.42 0000.8583.2c43, dst 192.168.81.101 Vlan81 1w4d: IP ARP: rcvd req src 192.168.81.42 0000.8583.2c43, dst 192.168.81.102 Vlan81 1w4d: IP ARP: rcvd req src 192.168.81.42 0000.8583.2c43, dst 192.168.81.103 Vlan81 1w4d: IP ARP: rcvd req src 192.168.81.42 0000.8583.2c43, dst 192.168.81.104 Vlan81 1w4d: IP ARP: rcvd req src 192.168.81.42 0000.8583.2c43, dst 192.168.81.106 Vlan81 1w4d: IP ARP: rcvd req src 192.168.81.42 0000.8583.2c43, dst 192.168.81.108 Vlan81 1w4d: IP ARP: rcvd req src 192.168.81.42 0000.8583.2c43, dst 192.168.81.109 Vlan81 1w4d: IP ARP: rcvd req src 192.168.81.42 0000.8583.2c43, dst 192.168.81.110 Vlan81 1w4d: IP ARP: rcvd req src 192.168.81.42 0000.8583.2c43, dst 192.168.81.111 Vlan81
I can't find anything on the scanner that would cause this.
I have a Nexus 3064 which is not recording source MAC addresses after a successful ARP. The switch is then flooding the entire vlan with unicast traffic.
The config is a boring single VLAN. One port (48) is going to a 6509. Not as a trunk, just extending the VLAN. There are SVI's on both switches. the default route for the Nexus users is the 6509's IP.The switch was basically, pulled out of the box, setup a single vlan(with jumbo frames) andan SVI, then plugged in the users. Nothing special.
I have a serious problem with nexus 7018, there're unicast flooding on one n7k, named n7k-1, which is the member of vPC domain combined with 2 N7Ks. [code]I had clean the mac-address-table, and all mac-address-tables had been synced fine, and the unicast flooding went away.
How could I fix the mac-address sync function between the modules ?
My IPTV connection works fine so far but as soon as I start watching TV I can't use my WiFi connection anymore. My router is an "Alice Modem 1121" (SIEMENS S1621-Z220-A) with 4 LAN ports and a WiFi interface (4th LAN port provides the IPTV). It is directly connected by wire to my PC's ethernet card for the IPTV and the internet is provided via the WiFi. When I activate the LAN connection the WiFi and internet connction stays up and requests can be sent but nothing returns anymore. Another device (iPod) has no problems with accessing the internet while IPTV is in use. I also have a Netgear WNR1000v3 router which I tried to use as AP instead but it's exactly the same problem. Unlucky the Netgear router is not supported to use dd-wrt firmware yet (I've found a step by step guide to prevent multicast floods with dd-wrt/ebtables). But maybe the Alice Modem can handle this problem on its own. I read some stuff about VLANs and splitting them but I have no clue how that would look like.
I'm having an issue with my network, where we're are experiencing random and brief network outages. They happen a couple times a day and last 5-10 seconds. when I check my two backbone switches (4506 : Supervisor: WS-X4516-10GE ,IOS : cat4500-ipbase-mz.122-31.SGA8.bin), STP remains normal and no topology change occurs.
I have a 2x Cisco 3750G switches (Stacked) that are part of an IP Video Surveillance System .All network is set to 1 VLAN (VLAN 1 default).The Cisco SWs ( Core ) are configured with IGMP Querier + Snooping .Connected to the Cisco SWs are 4 Fiber Rings(Loops) for redundancy . RSTP and IGMP Snooping are enabled on all the network SWs .Network Architecture Figure :
When all Fiber Rings (Loops ) are connected , the Cisco and Ring SWs spanning-tree tables show the blocked and forwarding ports properly .I am able to connect all my IP Cams + Encoders to the Ring SWs and connect my Servers + WorkStations to the Cisco SWs to record and view the multicast ip streams .All streams from Rings 1 ,3 and 4 are getting normally to the Servers + WorkStations through multicast ( IGMP Snooping are filled correctly on the Cisco and non-Cisco SWs ) . All multicast streams are joined normally except for Ring 2 .The Multicast streams passing through Ring 2 will operate normally for around 2 hours then after that the Fiber SWs begin to flood their multicast traffic causing the cams on the same switch to drop off the network .
I checked the Configuration of all the SWs on Ring 2 but all are are the same .
What is weird is that I have to set all the streams to unicast to stop the flooding just on Ring 2 (All other rings are not affected ) then after some time if I enabled a video multicast stream on one of the SWs of the Ring it will be streamed properly to the Servers + WorkStations ( All IGMP tables along the way will be filled properly ) then again after 2 hours or so , the flooding will start again suddenly and all IGMP table entries for the SW on Ring2 will be empty . No problem occurs on the other Rings which have more multicast streams .
I cannot seem to ping between devices on two networks hanging off a 5520 unless I use the same-security interface command. I have the relevant ACL's set up between the interfaces, but it just doesnt work unless I have that command in - if I use that command, it bypasses the ACL.
More and more recently I'm seeing that inspect ICMP and ICMP error do not allow trace route to work through the firewall from inside to outside.I used to go in, enable the inspections and subsequent trace route's worked. Now when this is enabled, the firewall still blocks return trace route.
I'm new to the Cisco WLCs and recently implemented a wireless infrastructure using a WLC 2100 with 1262 LWAPs. I have two of the 1262s plugged into ports 7/8 using crossover cables. They're functioning correctly with the exception of the inability SSH and send pings to the LWAPs behind the WLC. Is there anyway to ping/shh through the WLCs to the LWAPs behind it? I use an NMS (Nagios) to monitor the status of the LWAPs and it can't monitor them if it cannot ping them. Also, is there anyway to configure the WLC to monitor the status of LWAPs?
So I have my shiny new (used, but new to me) 5510 finally working and installed in my Dev network. I need to have icmp (ping and trace route) available from the inside network. I Google and found a few articles on how to do it. I tried modifying the class maps, but it looks like there are changes in the commands in 8.4 and the articles I found evidently were for 8.2 and lower. I tried doing it with access lists, again from examples and traffic stopped in all directions (not good) so I am back to being functional and how to do it in 8.4. Documentation seems sparse on the net with 8.4
I have router which has two physical interfaces Gi0/0 and Gi0/1. G0/0 connects to metro over ethernet and Gi0/1 is configured a s router on a stick, which has many defined. All those interfaces have IP addresses assigned. EIGRP is configured between other metro sites. Here is a sample IP assigment for this site, let's say Site.
We have downgraded cisco acs appliance 1120 from ACS 5.0 to ACS 4.2.1.15 , when we perform ICMP ping request to acs appliance its not responding , But i can do ping test from acs appliance on console mode not from GUI mode .
Is there any option to enable ICMP Ping response on cisco acs 1120 . else any patch to be upgraded to perform this action , my requirement is enable ICMP ping on acs appliance for troubleshooting . instead always check with telnet x.x.x.x 2002 for service responding
I've got a Cisco 1811 router with FastEthernet0 plugged into a cable modem with 5 static IP's. I want to disable the ability for those IP's to be pinged externally except for certain addresses that I specify (I have some offsite servers that I use to monitor the ISP link for example). I also want the ability to be able to ping external addresses from the router as well as any of my inside subnets. [code]
I've tried varying ACL's and applied to Fa0, none of which work [code]
I have a cisco 7600. It will send an icmp request every second. If the icmp response is not received, 3 consecutive icmp requests will be sent. SLA reachability down will be reported after all 4 icmp responses are not received. The following diagram illustrates my goal.
Sender --------------------------------------- 0 second -> 0 sec (1st icmp Request is sent out)-> 50ms (no response, send 2nd icmp after timeout)-> 50ms (no response, send 3rd icmp after timeout) -> 50ms (no response, send 4th icmp after timeout) 50ms Report SLA reachability down --------------------------------------- 1 second --------------------------------------- 2 second
Question: will the following configuration achieve my goal?
ip sla 100icmp-echo 10.32.24.1 source-ip 10.32.24.2timeout 50frequency 1
I want to allow ICMP traffic on ASA 5510 from LAN interface to DMZ. I've permit any traffic and added ICMP to the inspestion list also but still there is problem. Belos is the configuration. The image is asa822-k8.bin
Is it really the case that the ASA will not generate ICMP Host Unreachable messages for sub nets connected to any of its interfaces (in breach of RFC1812) as claimed here: [URL]
I'm investigating a situation where an organization uses ASAs to control traffic between different v lans in their internal production systems as well as Internet traffic. They are having problems with internal load balancing because the ASAs do not (as currently configured) generate Host Unreachable packets. Can this be changed in the configuration or not? I have to say, if it can't then I'd urge them to find something else to route between their internal sub nets.
I would like to passthrough ICMP 8 (ping) requests through the DIR-655 to my server. I found where to allow the router to respond to ICMP 8 requests, however, I do not want the router to responder, rather the server itself. Is there a way to pass these requests through to the server?
I'm connected to my remote access vpn and am getting the below error, wierd thing i only get this error for ICMP, i can browse data on our network retrieve files etc, but pings fail for some reason
The LMS 4.0.1 keeps sending ICMP messages to VLAN interfaces that have been removed months ago.these logs are filling up my log server [code] How do I update the poller to use the latest config information for the switch?
Sometimes, I get this email notification 3 times within 1 minute interval. What caused this type of error message and how to fix it? No one was logging in to Cisco VPN client when this error occurred.
I am running ping between two Nexus 7018 over WAN link ,and I can see some set pattern of packet drop(7.40 % drop) with MTU size 1500.When I ping between my 6500 VSS pair and same Nexus 7018 over different SP WAN link on diffrent location , I am still getting same kind of packet drop (8% drop) with MTU 1500. Has any one else come across this issue with Nexus?
I am trying to set up remote access vpn on an asa 5520 running 8.4.1. I have the ipsec group, policies, and ip pool set up. When I try and connect with the cisco vpn client I see the following in the logs. Deny icmp src outside:214.67.39.42 dst outside:24.252.51.73 (type 3, code 3) by access-group "acl_inbound". Do I need to put in some firewall rules to allow this traffice so that the VPN can connect?
