Cisco WAN :: Linux Not Passing Traffic Through 1721 / 1841?
Jan 6, 2011
I run a network that uses MPLS circuits to connect all of the company's different stores. Internet access is through a Cisco ASA5500 here at the corp headquarters.
To make all of this work, we use a little 1721 gateway router to move traffic as needed. All the clients in our corporate office use 10.10.99.1 (Cisco 1721) as a gateway. The 1721 routes the traffic either to the internet (10.10.99.106 Cisco ASA5500) or the MPLS router (159.61.54.30).
For some reason, anything that runs on Linux (Ubuntu server, ReadyNAS boxes, Thecus NAS) will not pass traffic beyond the 1721 gateway router.
I've pored over the config for that router, and I can't find anything that could be causing this not to work. Thinking that the 1721 was bad, I put an 1841 online in its place, and it did the same thing. I'm a noob when it comes to Cisco configs, but am learning as I go along.
I am about to pull my hair out. I have an 1841 router at one end with 3 ASAs for teleworkers working great. I'm connecting a 4th one that I can not get to work for the life of me. The tunnel is coming up, but it's not passing any traffic. I don't see any glaring errors in the VPN debug. The router comes up, reverse route injection does its thing... all looks great. Am I totally overlooking something? I must have rebuilt this a dozen times.
I am currently using an 1841 router with AdvSec 12.4(24)T4 IOS on it. I used to have a working SSL tunnel configuration, but for some reason it had disappeared and I am rebuilding the configuration. Unfortunately, I have been able to configure the router to perform the SSL tunnel, but I am not able to pass any data through the VPN. I am only able to ping the inside interface of the router and this is it. If I try an extended PING from the router to the remote PC I am able to get replies. Trying to PING anything on the remote network does not provide any responses back. I am thinking there is some sort of routing not happening here or I am missing some sort of configuration to allow the VPN to pass data through correctly. [code]
As a Cisco newbie I am thinking about building a Linux router (for a study project) to connect to a Cisco network (2 x 1841 routers). What kind (standard) of serial interface card will I need to install on the Linux PC router to enable serial communications with the other two 1841s?
I've looked at many others having this same problem, but can't seem to figure out what my problem is. Same issue as most, I can connect fine, I get an IP, but it won't pass any traffic, I can't ping anything or access anything.
I have a vendor that currently uses a Cisco 871 as a VPN router in our company network; they use it to connect and provide services to one of the servers in our LAN for our customers. Recently, we are going to be setting up a 24/7 call center with this vendor; they will be accessing a server in our network through the VPN to provide customer service during after-hours periods. We have a problem, however, with an application that is hosted by another vendor that is critical for our regular company call center. Access is reached with this application through this vendor by way of an IPSec VPN tunnel that is built in our company's Cisco ASA 5510. This application is accessed via Internet Explorer that goes across to access the application at the endpoint
I need to figure a way by which the vendor that will be running the 24/7 call center, coming through their tunnel in our network, can connect over to the tunnel of the vendor on my ASA. I'm likely going to have to set some routing of traffic in my internal default gateway router for this to work.
I've got a client that recently got an ASA 5505. E0/0 is connected to the outside, E0/1 connected to the internal server (Win 2008). The ASA "local network" is 172.30.1.0/24; my internal network is 192.168.1.0/24. I'm able to connect from home through AnyConnect and get a proper address (I've got a pool of 172.30.1.64/26 assigned for VPN users), but no traffic from my computer will go to the internal network, nor can the internal server (or the ASA for that matter) talk to my VPN'd computer.
On the firewall settings on the ASA, I've got it all open: any/any on both inside and outside, just to try and get anything to go through. I've even got split-tunneling working, but not traffic-passing! The config is below (redacting local AAA users).
Traffic Generator TG is connected to R1 via switch SW. One end of R1 is the LAN1 interface and the other end is WAN1. LAN1 is connected to switch SW. WAN1 is connected to the R2 WAN0 interface.
When I pass traffic, say 5000, from TG, I'm able to receive 5000 at the R1 LAN1 interface, but I'm not able to receive it at the R2 WAN1 interface and hence not at the R2 WAN0 interface.
Config at TG:
Destination IP: R2 WAN interface IP
Destination MAC: R1 LAN MAC
I have a Cisco ME3400-24TS-A switch which is not behaving normally.
I have already erased its flash and uploaded a new IOS but could not fix the issue. However, it boots normally and passes all tests shown in the boot process. The issue is that I can't access or ping the computers attached to its ports from one to the other.
However, I can ping the switch VLAN 1 IP from all computers attached to it.
When I tried the debug all command, it shows the following:
debug all
This may severely impact network performance. Continue? (yes/[no]): yes
All possible debugging has been turned on
Switch#
*Mar 1 00:03:41.467: special_oce_change_vectors: select debug vectors
I am using an RV042 router and have configured a DMZ on it. The DMZ is not passing traffic: I am able to ping the DMZ IP from the server, but the server is not getting Internet access.
I have a site to site tunnel between two 5520 ASAs. The tunnel is up, but when I try to talk to the other side, the implicit deny on the inside interface of the local ASA blocks the traffic. When I ping, the tunnel comes up but in the logs it says it is blocking icmp from inside to outside. I have tried the sysopt connection permit-vpn but it is not working. The traffic is from 5 specific machines within the local subnet that I put in a network object group called Celerra_Replication.
I want them to be able to talk to 5 machines on the far end of the tunnel in a separate subnet. They are in a network object group called GP_Celerra_Replication. The ACLs I created for this appear to be created correctly, allowing IP from Celerra_replication to GP_Celerra_Replication and the opposite on the other side.
I am facing a very big problem with site to site VPN on Cisco 2900 IOS.
I configured the VPN, and when I ping from the router itself to the destination IP with the LAN interface as source, the VPN works, no problem.
But when I connect any computer directly to the router's LAN interface to initiate traffic, it does not work at all, and on the computer's LAN connection I see a yellow sign.
MTU is 1500, speed is auto (I tried changing it also), duplex is auto (I tried changing it also); the firewall on the PC should not affect it, but I disabled it anyway.
Since there is no problem with the VPN config, as the VPN comes up when I initiate a ping from the router itself, I don't know why it is not working from the LAN.
Do we need any inspect icmp on this router also? Or is any policy modification required to pass traffic across the interface on the router?
I was using c2900k9-15.0(M4).bin and I upgraded it to 15.3, which is the latest, to get rid of any bug.
I connected two laptops directly to the router's gi0/0 and g0/1 interfaces to ping from one laptop to the other, but this also did not work.
I have a server with SQL Server 2008 on it. It listens on the default ports 1433 & 1434. But traffic is not making it through my DIR-655 to the LAN so that SQL Server can respond to the request. I am using DynDNS and have confirmed that the traffic is getting through DNS and finding the router, but after watching the syslog I can see that I'm getting multiple copies of the following error messages when a request is initiated from a client (Microsoft Access app) outside my network:
01-24-2012 22:28:24 System3.Info 192.168.1.1 Tue Jan 24 22:28:28 2012 D-Link Systems DIR-655 System Log: Blocked incoming TCP connection request from 67.167.87.109:53284 to 67.167.87.109:139
01-24-2012 22:28:24 System3.Info 192.168.1.1 Tue Jan 24 22:28:28 2012 D-Link Systems DIR-655 System Log: Blocked incoming TCP connection request from 67.167.87.109:53282 to 67.167.87.109:445
In Port Forwarding I have specified a rule to allow/pass port 1433 & 1434 TCP traffic to my internal server IP.
Also, I'm confused by the ports shown above since I was expecting to see 1433/1434 in there... it seems this is a factor in the traffic never getting to the SQL Server to process the request?
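Before changing port-forwarding rules it helps to tabulate exactly which destination ports the router log says it is blocking. The following is an added example, not part of the original post or of any D-Link software: a small Python parser for DIR-655 "Blocked incoming" syslog lines that counts blocked destination ports and flags any that overlap with the ports the operator believes are forwarded. The first two sample lines are the ones quoted in the post; the third line (a request to port 1433 from 198.51.100.23) is constructed for the example. Ports 139 and 445 are NetBIOS/SMB, so the two quoted entries are unrelated to a SQL Server port forward on 1433/1434.

```python
import re
from collections import Counter

# Sample input: the two entries quoted in the post plus one constructed line
# (source 198.51.100.23 is a documentation address; port 1433 chosen to show the overlap check).
SAMPLE_LOG = """\
01-24-2012 22:28:24 System3.Info 192.168.1.1 Tue Jan 24 22:28:28 2012 D-Link Systems DIR-655 System Log: Blocked incoming TCP connection request from 67.167.87.109:53284 to 67.167.87.109:139
01-24-2012 22:28:24 System3.Info 192.168.1.1 Tue Jan 24 22:28:28 2012 D-Link Systems DIR-655 System Log: Blocked incoming TCP connection request from 67.167.87.109:53282 to 67.167.87.109:445
01-24-2012 22:28:31 System3.Info 192.168.1.1 Tue Jan 24 22:28:35 2012 D-Link Systems DIR-655 System Log: Blocked incoming TCP connection request from 198.51.100.23:41002 to 67.167.87.109:1433
"""

# Matches the "Blocked incoming <proto> connection request from A:p to B:q" tail of a DIR-655 entry.
BLOCKED_RE = re.compile(
    r"Blocked incoming (?P<proto>TCP|UDP) connection request from "
    r"(?P<src_ip>\d+\.\d+\.\d+\.\d+):(?P<src_port>\d+) to "
    r"(?P<dst_ip>\d+\.\d+\.\d+\.\d+):(?P<dst_port>\d+)"
)


def parse_blocked(log_text):
    """Return one dict per 'Blocked incoming' entry; lines without a match are ignored."""
    events = []
    for line in log_text.splitlines():
        m = BLOCKED_RE.search(line)
        if not m:
            continue
        event = m.groupdict()
        event["src_port"] = int(event["src_port"])
        event["dst_port"] = int(event["dst_port"])
        events.append(event)
    return events


def blocked_ports(events):
    """Count blocked connection requests per destination port."""
    return Counter(e["dst_port"] for e in events)


def forwarded_ports_blocked(events, forwarded):
    """Destination ports the operator expects to be forwarded but the log shows being blocked.

    A non-empty result means the forwarding rule is not taking effect for that port;
    an empty result (as for the two quoted entries) means the blocks seen are unrelated noise.
    """
    return sorted({e["dst_port"] for e in events if e["dst_port"] in forwarded})


def summarize(log_text, forwarded=(1433, 1434)):
    """Convenience wrapper returning both views for a log excerpt."""
    events = parse_blocked(log_text)
    return {
        "blocked_by_port": dict(blocked_ports(events)),
        "forwarded_but_blocked": forwarded_ports_blocked(events, set(forwarded)),
    }


if __name__ == "__main__":
    for port, count in sorted(blocked_ports(parse_blocked(SAMPLE_LOG)).items()):
        print(f"port {port}: {count} blocked request(s)")
    print("forwarded ports still blocked:", summarize(SAMPLE_LOG)["forwarded_but_blocked"])
```

Run against the two quoted lines alone, forwarded_but_blocked comes back empty, which tells you the SQL Server requests either never reach the router or are being handled silently; only the constructed third line makes port 1433 show up as blocked.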
FTP traffic routed from outside to the inside interface works fine. I have another interface with multiple sub-interfaces and vlans configured. FTP traffic routed from the outside to vlan2_servers is not making it through the firewall. I must be missing something. I have attached my config.
We have a managed service provider VoIP network that requires us to use our own router for the data network. We wanted to use the RV042 for its easy VPN setup. After installing it, it worked great for about 10 min., then the WAN port stopped passing traffic. 3 min. later it started working again. We tested the RV042 on a different network and it works fine. We tested an older Pix on the managed network and that works fine. But the RV042 will not work on the managed service provider VoIP network. The service provider says that on their end it shows our WAN port going up and down.
We are trying to get a video conference system (POLYCOM) up and running through a Cisco 1812 router with the Firewall feature set.
I have heard in the past that there are issues with Polycom and Cisco, but have actually never seen it. I can establish a video call from inside the 1812 to outside.
But when I try from outside to the public IP address it is NATted to, it reaches the video system and dies straight after, so there is never any video session set up.
I have tried to remove everything regarding the firewall feature and passing through, so the only thing the 1812 should do is NAT. And still the same.
I can not see anything in the log on the router from the ACLs where I permitted everything, other than that it connects on port TCP 1720, as it should. This is the software I'm running on the router:
When I search Google, it looks like there are a lot of issues with Cisco and Polycom, but I have not found any concrete solution, other than that I should use an ADSL line with a public IP address, as we probably are going to do.
We have a 2911 Router running 15.0(1)M4. G 0/0 is our LAN interface, and it has three subinterfaces:
G0/0.1 is our data LAN, and the gateway for our Windows machines. This is the interface this question concerns.
G0/0.23 is a separate LAN for various equipment.
G0/0.192 is another LAN for equipment.
G 0/1 is connected to the internet, and has a public address.
S 0/0/0 is a T1 PPP, connected to our core data center.
S 0/1/0 is a backup T1 PPP, again, connected to our core data center.
There are three static routes entered:
ip route 0.0.0.0 0.0.0.0 10.12.1.1 100 (This is the first PPP.)
ip route 0.0.0.0 0.0.0.0 10.13.1.1 200 (This is the secondary PPP.)
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 255 (It currently has a cost of 255 while I figure this one out.)
xxx.xxx.xxx.xxx represents the cable company gateway, which I can ping properly. I've also used "gigabitethernet 0/1" in place of the next hop IP with the same results. The public interface is properly connected, and can ping its next hop (the cable company gateway). When I change the static route for gigabitethernet 0/1 to a cost of "0", the router can properly ping DNS names, such as google.com, through the public interface.
However, devices on the data LAN cannot reach any public addresses except for the router's public interface, let alone DNS names (I am using 8.8.8.8 as my test IP). If I revert the cost back to 255, making the PPP the gateway of last resort, these devices can again connect (they travel through the PPP to our data center's internet).
This confuses me. If our server, on the same LAN as the router, can ping the public interface (it's definitely not leaving the 2911, as latency is less than 1ms), and the router itself can ping outside addresses, what is preventing the router's public interface from passing traffic to the internet from any source other than itself? I have attached our running config in the hopes that there is something obvious I'm missing (the public IP addresses have been changed so they are not exposed). I simply want clients on our 10.23.0.0 LAN to get to the internet via the public interface of the local router, and still connect to corporate resources using the PPP links.
MAS_2911#sho run
Building configuration...
Current configuration : 5666 bytes
!
!
! Last configuration change at 01:47:50 eastern Sat Sep 24 2011 by redacted
Web server log showing the issue:
2013-03-08 05:39:21 192.168.1.102 POST /somewebpage/somefile.htm - 80 - 192.168.1.1 - 404 0 0 6098 410 457
ISSUE: 100% of the traffic forwarded through the router is taking on the IP address of the router when it arrives at the web server. In this case, 192.168.1.1
My email server and FTP servers are having fits due to the anti-hammering issue that this creates.
I simply got the run around and they told me to call level 2 support and did not provide me with a contact number. For some reason, he refused to escalate the call. They simply told me to contact someone from a previous issue in which they gave me the beta firmware to download and I spent a lot of time on the phone to get that far. I do NOT want to speak with the same person who addressed my last issue.
I've replaced the real network IDs with the ones mentioned below.
Topology: classical IPSec VPN tunnel between two Cisco 892s, with pre-shared key and no GRE. One 892 (branch_892) has access to the Internet via PPPoE and has three networks/VLANs behind it. One VLAN is NATed to access the internet via the PPPoE. Access to the two other VLANs, VL92 (100.100.200.0/24) and VL93 (100.100.100.0/24), is done through the VPN tunnel.
The second 892 (892_DC) has just one interface, WAN on Gigabit, enabled/connected, and has a static route to the default GW. It does not have any internal network defined. So the router is strictly used to send traffic for VL92/VL93 to the branch 892 via the IPSec tunnel.
Here is the problem: access to/from VL93 (100.100.100.0/24) works; however, for VL92 (100.100.100.0/24) it does not.
From devices in VL92 I can ping the 892_DC IP address across the VPN tunnel. From the 892_DC router I can also ping devices in VL92. However, I cannot ping from VL92 any device beyond the 892_DC, and at the same time packets arriving on 892_DC for VL92 are not sent out via the VPN tunnel.
I took a packet trace on 892_DC using a capture point/buffer to capture packets for VL92 and could see that traffic does arrive at the 892_DC. I ran the same capture on Branch_892 and there was not a single packet. More interesting, I modified the access list in such a way that only VL92 was left, and still no packets are sent out through the tunnel. [code]
I am trying to hook up a SF300 switch to a cable modem and then plug some phones into the switch that are configured with static IPs. I am able to access the switch without an issue, but need it to pass traffic from the phones to the network and it is not doing so. We cannot do trunking because we are not using BSoD modems yet (next phase). For now, we just need the switches to pass everything from the phones to the network as is. Any ideas?
So I was doing some testing with my BB Playbook where I wanted to see what outside connections it tried to make during startup and whatnot. I have a pix 506e running 6.3(5). I created a simple 'deny ip any any' access list on the inside interface so that the Playbook doesn't actually make any connections, but I set up a 'capture' on the inside interface accepting 'ip any any' to see what kind of traffic I could see heading outbound from the Playbook. Well, it started off showing attempts to query DNS (and failed, naturally), but then after a couple of minutes, it tried to connect to a couple of IPs over port 443 and actually got a response!!! For the life of me, I can't figure out how this can happen. NO traffic should be allowed outbound due to my explicit 'deny' rule, but for some reason some traffic on port 443 made it past the firewall and got a response back. There are no other rules in the access list except the 'deny' rule. My PIX configuration is quite simple and I cannot see anything that would allow the Playbook traffic to circumvent the access list.
I've come to think that either RIM has found a way around Cisco access-lists, or there is a bug in the Pix OS. I know it's an old appliance/OS, but still. I wouldn't think it could be THAT easy to bypass the firewall.
I just purchased a new SF-300 managed switch for the purpose of using it on the DMZ, so we can mirror the internet port and monitor traffic for my company. I have set it up from the web interface to mirror port 1 to port 2 and that's pretty much it. I decided to test it before putting it in production, by hooking it up to one of my core network switches, connecting a laptop to it and trying to get online. It doesn't even connect to my DHCP server to get an IP address. If I put the laptop back on the same subnet as the switch management IP, I can still connect to the switch's web interface. Isn't the basic functionality of a switch to pass traffic?
I should also mention that I'm not a network engineer, so there might just be something I'm missing with regard to a default setting that needs to be switched off?
I am monitoring 2 or more source interfaces which are running 1G traffic on each interface. The destination is a 10G interface. There are 2 kinds of traffic running through the source interfaces: icmp and regular IP traffic. I am only interested in capturing icmp traffic. How can I achieve my goal? I don't have any VLAN traffic at all. The router is a c6500.
I have configured multicast (ip pim dense-mode) on two 2911 routers that are connected by a Multilink (3Mbps) WAN connection. The configuration works fine for a while, and sometimes all day, but at some point one of the Multilink interfaces stops passing multicast traffic. I perform a sh multilink 1 on the interfaces, and one interface shows the multicast packets incrementing and the other does not; it just stops. The only fix for this is to hard reboot both routers, and the multicast traffic begins to flow once again.
I have created an L2L tunnel between myself and a 3rd party. I am using a Cisco ASA 5520 and the other end is using a Cisco 3005 VPN concentrator. The tunnel will get established and pass traffic both ways for a little while; it varies, sometimes 1 hour, and the last time we built it, it was working for 17 hours, but at some point my ASA will stop transmitting while it will still be receiving packets. These errors start to show up when I look at the traffic going through my ASA interfaces:
713042 IKE Initiator unable to find policy: Intf Outside, Src: 192.168.xx.16, Dst: 10.1.xx.30
Then when I try to ping their hosts .30 and .27 I get:
713041 Group = 68.23.xx.xx, IP = 68.23.xx.xx, IKE Initiator: New Phase 2, Intf private, IKE Peer 68.23.xx.xx local Proxy Address 192.168.xx.16, remote Proxy Address 10.1.xx.30, Crypto map (Outside_map)
713041 Group = 68.23.xx.xx, IP = 68.23.xx.xx, IKE Initiator: New Phase 2, Intf private, IKE Peer 68.23.xx.xx local Proxy Address 192.168.xx.16, remote Proxy Address 10.1.xx.27, Crypto map (Outside_map)
713050 Group = 68.23.xx.xx, IP = 68.23.xx.xx, Connection terminated for peer 68.23.xx.xx. Reason: Peer Terminate Remote Proxy 10.1.xx.27, Local Proxy 192.168.xx.16
When I first configured this tunnel it was with 3DES and SHA for phase 1 & 2, but when the tunnel would come up my phase 1 would negotiate to an MD5 hash, even though I specifically entered SHA, so the 3rd party and I decided to bring all the hashes for phase 1 & 2 down to MD5, and that was when it was up for the longest, but the problem still came back eventually. My ASA config is posted below:
ASA Version 8.2(3)
name 192.168.xx.16 Server description Server
name 10.1.xx.27 XYZ_01
name 10.1.xx.28 XYZ_02
name 10.1.xx.29 XYZ_03
After upgrading an ASA 5520 to 8.4.2-8, VPN client traffic is not passing to destinations other than destinations behind the inside interface. The log shows a routing failure for the VPN client on the inside interface. It was working fine with 8.4.1, but the traffic is originated from the outside interface. I confirmed that the interface for VPN clients changed from the outside to the inside interface.
I have an issue where our ASA 5520 is impacting upload (from LAN to internet) speed. We have a 100Mbps SDSL internet link and only see around 45-50 Mbps on the upload when going via the firewall; download is around 90+ Mbps, so that is acceptable. I have tested a laptop connected directly to the internet router and that gives near on 100Mbps up and down speeds, but if I put that laptop on the LAN or directly onto the firewall interface I only see 90Mbps down and 45Mbps up. I have checked that the interface speeds/duplex on the firewall, switch and laptop are correct and also checked there are no errors on the ports. I also turned off the IPS and that made no difference. In addition I have checked the CPU during download/upload (max): CPU utilization for 5 seconds = 9%; 1 minute: 3%; 5 minutes: 1%
In theory the 5520 should be able to cope with this throughput:
Cisco ASA 5500 Series Model/License: 5520
Maximum firewall throughput (Mbps): 450 Mbps
Maximum firewall connections: 280,000
I am trying to determine why a Comcast Business Class modem configured with a static IP (IPv4) works with a laptop or Linksys cable modem but not with a Cisco ASA 5505. After a few minutes, the 5505 stops passing web traffic. I am able to ping the default gateway even though I can not surf the web. After restarting the 5505 and the Comcast modem, web traffic flows for a short period of time, then stops. I can connect inside the firewall via ASDM 7.1.1 and via SSH. I can not connect via either from the outside. Comcast tech support indicated their router is working and is configured in bridge mode. I swapped out the 5505's memory, and then swapped it with another 5505. Nothing seems to resolve the issue. I am trying to determine if the 5505 or the Comcast router is not configured correctly.
Here are the parameters: The 5505 was reset to default factory settings via the command: config factory-default. I configured the outside interface with a static IP address followed by the no shutdown command, then removed DHCP features from the outside interface. Added Comcast DNS servers, default route and NTP servers, and configured DHCP features on the inside interface. Enabled HTTP/SSH (inside & outside interfaces) and ICMP echo-reply (outside only).
I believe the Comcast modem is not configured correctly. The show version and show startup output are below.
ciscoasa# show version
Cisco Adaptive Security Appliance Software Version 9.1(1)
Device Manager Version 7.1(2)
We recently extended our access layer using a pair of 5ks with extenders. We have a pair of 6509s at our core and they handle the intra-VLAN routing with SVIs. I recently noticed that access hosts connected to the extenders cannot pass traffic between each other if they are in different VLANs. The strange thing is these same hosts can ping devices in other VLANs as long as the other devices are not connected to the 5k environment.
For example, consider the following hosts. Each host has its gateway set to the appropriate SVI on our core.
HostA - VLAN100 - connected to 5k extender
HostB - VLAN200 - connected to 5k extender
HostC - VLAN100 - connected to 2960 off our core
HostD - VLAN200 - connected to 2960 off our core
Each host can ping each other with the exception of HostA and HostB. As for specifics, we use HSRP (no VSS) between our cores.
When I ping between HostA and HostB, I see the egress packets on either 5k1 or 5k2. I then see ingress AND egress on Core1. There are no ingress packets on 5k1 or 5k2. The egress packets from Core1 show the correct destination MAC address of the target host. The MAC address table shows the MAC address on po31.
We want to get the L2 traffic amount (bits/bytes) passing through a Cisco switch (6500/3560 ...) for a specific VLAN. It can be via SNMP or CLI. How can we do that?