Cisco WAN :: RV082 IPSEC VPN Missing 50 Percent Of Packets
Apr 2, 2013
We have two offices connected using Site-to-Site VPN (IPSEC) as shown: (IPs fictitious) Office 1 - We had to use 2 routers since we have a range of valid IPs: From a host in office 2 we normally ping 192.168.102.1 (gateway at office 1), but when pinging a host inside office 1 (eg: 192.168.102.8) 50% of packets have been lost. Could it be a hardware problem?
Nov 6, 2012
I am capturing at 2 different locations and I need to find packets that are getting dropped between the 2.
I have done all the merging and everything needed for this in Wireshark, but because the MAC address changes halfway, to me all the packets are coming up as lost.
Is there any way to remove the MAC address from the captures or as a field it looks at?
Feb 14, 2013
It appears we might have an issue with our RV082 (v4.2.1.02) dropping packets during the teardown of many TCP conversations. I have attached two packet captures of what I believe is the same conversation. One is from outside the router (Wireshark using an Ethernet Tap) and the other is from the client inside the router (SLES11SP2 running TCPDump). These are both very small captures 9 packets and 18 packets and I'm hoping it will identify the problem.
It appears that the RV082 is prematurely closing the natted port used to communicate with the host outside the network. The host sends a FIN, ACK packet, to which the client responds with an ACK. However, when the client then sends his FIN, ACK sequence, it never makes it outside the router. The client sends a total of 9 FIN, ACKs trying to contact the outside server, but none of those appear to make it through the router.
Is the router slamming the door prematurely? (I've been fighting with this problem for 3 weeks now!)
Inside Capture:
----------------------
No. Time Source Destination Protocol Length Info
1 2013-02-13 19:32:37.827942 192.168.1.45 38.113.116.214 TCP 76 35975 > http [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=635644783 TSecr=0 WS=128
[Code].....
Dec 14, 2012
I have a 2691 Router connected to the Internet and it is doing NAT.
This connects to 3550A Switch which has connection to 1811W Router.
I setup VPN between 1811W and 3550A.
3550A has connection to 2691 via ospf.
OSPF is running between 1811w and 3550A.
1811
1811w# sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
[Code]....
Aug 29, 2011
A customer of mine has two RV082 in different locations. The "main" router is providing a gateway-to-gateway VPN tunnel, and is also used by a few road warriors for VPN access. We've had some issues with the "main" router lately, so we've decided to exchange it for a brand new device (v3). The old RV082 was a hardware revision v2 device, so I had to manually rebuild the config on the new router. The new router is working fine so far - connectivity and gateway-to-gateway VPN are fine. IPsec Client VPN, however, doesn't work at all. The config of the new router is identical to the config of the old one, IPsec Client VPN used to work fine on the old router.
The router is running the latest firmware (v4.0.4.02-tm). I've been trying to make IPsec VPN work with "QuickVPNplus ver: 1.0.6" and the "Cisco QuickVPN Client v1.4.2.1". From what I understand, both programs first connect to the routers external IP and download some sort of VPN config file. The info in that file is then used to create the actual connection. The problem is that the config file is invalid. It contains HTML code instead of config data. This is the code: "<HTML><HEAD><meta http-equiv="refresh" content="0; URL=/cgi-bin/welcome.cgi"></HEAD><BODY></BODY></HTML>". The URL is the same I see when logging in to the admin interface of the router. The Cisco client tells me in its "wget_error.txt": "rwConnStart message=All 1 wget requests did not return a valid vpnserver.conf". Both clients connect to the router fine, and the config download itself is working - only the returned data is invalid.
I've already tried lots of stuff to make the problem go away - enabling/disabling the firewall, VPN passthrough options, and other things. I'm beginning to think that there may be a bug in the firmware I'm using, or that the way Client VPN works has changed in a way that makes connecting with a client implementing the "old" method impossible. By the way, PPTP is working fine, so we're using it as a temporary workaround. My client, however, isn't happy with this workaround - he bought a relatively expensive router so he can make use of its advanced features, after all.
Jul 5, 2011
I have an IPsec tunnel between two RV082 routers (one with v3 hardware and the other with v2). The latest firmware is installed on both devices.
Everything is working fine and the routers establish an IPsec connection, but after about two hours the router with hardware version 3 freezes: neither the WAN nor the LAN interface is pingable. I can only pull out the power cord. Attached below are the IPsec settings. It's a Gateway to Gateway connection.
Dec 21, 2012
Region : Others
Model : TD-W8950ND
Hardware Version : V1
Firmware Version : 1.3.1 build 120406 Rel.32903n
ISP : PTCL
I am trying to establish an IPSec VPN tunnel between a Linksys RV082 and a TP-Link TD-W8950ND but failed.
Mar 14, 2013
We have tried a variety of options in an attempt to use Load Balancing (Protocol Binding) with an RV082 that has a site to site IPsec tunnel with another RV082. Both are v3.
Here is the issue. We have dual ISPs, one has great bandwidth, but we incur overages. The other has mediocre bandwidth, but has unlimited usage.
GROUP1 - We want most PCs to use the "unlimited" ISP for general surfing, email, etc. (Bound all ports for range of internal IPs to ANY dest to WAN1)
GROUP2 - We want to use the "faster" ISP for our VPN tunnel (mostly RDP and SIP traffic). (Bound all ports for range of internal IPs to ANY dest to WAN2)
So far everything works. The router will route traffic appropriately and GROUP 1 uses WAN1 and GROUP 2 uses WAN2.
Unfortunately, sometimes GROUP1 users need access to resources over the VPN (WAN2).
There is something not right with the routing. For example GROUP1 can ping and receive responses from devices on the other side of the tunnel, but GROUP1 can't access intranet sites on the other side of the tunnel. They also can't RDP to PCs on the other side of the tunnel.
Why does the router correctly route ICMP, but not RDP?
We've tried adding additional protocol binding rules for specific ports (80, 3389, etc.) and IP ranges (both local and remote) to see if we could force GROUP1 traffic destined via VPN through WAN2, but it doesn't work.
Shouldn't VPN tunnels created and configured in the RVs not adhere to protocol binding? It just seems logical to me, but maybe I am missing something.
Nov 19, 2012
I am having a Cisco 4507 switch. The CPU on the switch is running between 50% to 60% constantly. To troubleshoot I collected some logs using debugs & show commands.
debug platform packet all receive buffer
show platform cpu packet buffered
debug platform packet all count
show platform cpu packet statistics
show processes cpu sorted | exc 0.00
show platform health
show platform cpu packet statistics
show platform health output shows the below process crossing the target value.
                      %CPU    %CPU    RunTimeMax      Priority   Average %CPU    Total
                      Target  Actual  Target  Actual  Fg   Bg    5Sec  Min  Hour CPU
Stub-JobEventSchedul  10.00   13.41   10      47      100  500   13    13   10   5462:52
K2PortMan Review      3.00    5.35    15      11      100  500   4     4    3    1799:47
What I need to know is, though these processes are running at low priority, will there be any issue if the CPU goes high due to these processes?
Nov 6, 2012
I have just finished installing LMS 4.2 on a new VM (Windows 2008 R2 Standard Edition SP1). I have already reloaded the server, and all LMS services have correctly started. However, the process CS_sm_server.exe is still using 100% CPU. Windows 2008 R2 Standard Edition SP1
Mar 20, 2013
We are running a Cisco 6509-e and we are running a load test, and when traffic reaches 80 mbps the switch starts responding very slowly. I checked CPU usage and it was using 100%, and connections to the switch from outside to inside are 80K. Once connections drop, Cisco releases the CPU and it starts responding normally. [code]
Jan 3, 2010
I am working at a client site that is an MPLS customer. The customer has an MPLS circuit that runs between their Main HQ and their Disaster Recovery site. I have been asked to analyze and report as well on the way the QoS Policy is written, and to provide any recommendations on how they can improve performance. There is a statement within the QoS Policy as it exists at each end on the 3825 routers. The statement is called "shape average percent". Here is the policy from one side:
policy-map QoS
class COS2_traffic
set dscp af31
shape average percent 12
bandwidth percent 13
[code]....
What does this statement mean and how is it different from the "bandwidth percent" statement?
Jan 15, 2012
I have two switches whose CPU is always at 39 or 40%. The switches are:
IOS (tm) C3500XL Software (C3500XL-C3H2S-M), Version 12.0(5)WC3b, RELEASE SOFTWARE (fc1)
I think it's very strange that the CPU is always at 39 or 40%. Not all ports of the switches are busy; there are 6 ports free in each switch. I think 40% is a high value for CPU, maybe because of my IOS version 12.0?
Oct 18, 2011
I'm running ASA 8.0(3) on an Active/Standby failover pair. Last night I realized the CPU usage of my production ASA was 99%. On the ASDM Firewall Dashboard I can see counters like this:
Dropped Packet Rate (ACL Dropped) = 6000+ (more than 6 thousand)
Scanning Attacks = 18600+ (more than Eighteen thousand)
I went on the ASDM and checked the RealTime Log viewer and I have about 30 entries per second of these:
4 Oct 19 2011 11:35:12 401004 Shunned packet: 10.64.10.1 ==> 10.64.0.1 on interface NewLAN
[code]...
May 29, 2012
After an IOS upgrade to 15.x on a Cisco 2811, MEM util rose from 20% to 43%. Is it critical? Which level of MEM utilization is critical?
Jul 27, 2011
I have an ASA 5520 with a CSC-SSM module. The problem is that when I log in to my ASDM, the content security monitoring shows the CPU and memory at 100% (CSC), but when I connect directly to the CSC-SSM module it comes down. So is it a problem with ASDM, Java or CSC?
Mar 14, 2013
Whenever I try to download an exe file from the internet, it just gets stuck at 99%. It doesn't happen with .rar or any other file. Not to mention, I was able to download the net framework 4.0 exe installer though. I tried these things: Used different browsers. Used different download managers. Disabled firewall and AV.
Sep 12, 2011
I have ATT DSL and pretty much every night, I lose a large portion of the Internet. I cannot ping these sites, while the rest of the net works fine. The other night, I could not ping major domains like ATT, CNN, MSNBC, BBC (a chronic missing domain). On the other hand, I could get Yahoo fine and go to a streaming audio site and run music perfectly...but about 90% of the Internet was unreachable. Could not load their sites nor ping them in command line. The other 10% worked flawlessly.
Aug 13, 2011
I installed a CSC-SSM-20 module on an ASA 5510. After policy services have been enabled, services work well for a few minutes; after that the module's CPU usage rises to 100% and all HTTP traffic is wholly blocked until the CPU usage goes down. This happens very frequently and traffic stays blocked for such a long time that it makes the CSC-SSM module unusable. It's disabled right now. ASA version is 8.2(1) and CSC-Module version is 6.6.1172.0.
Apr 7, 2013
Whenever I set up URL filtering on an 1841 router with policy-map type http and the zone-pair command, I experience a 100% CPU spike. Is there any workaround?
Apr 16, 2012
We have a client that has a large number of AIR-AP1252AG-N-K9 installed in the network with power injectors. We have seen about a 48% failure rate of APs failing with all 3 red lights on the unit. Once I get the AP in the lab I'm unable to get any response from the console, and therefore unable to troubleshoot.
Sep 23, 2009
Trying to update my firmware from 1.00.01 B15 to 1.00.01 B17. I downloaded the firmware to my desktop (using Mac OS X 10.5.5) and connected my computer directly to port 1 on the back of the router. I used the Firmware upgrade tool under the Administration tab to upload the new firmware file. The update progress starts but fails at 98%.
Jul 16, 2012
I have one Catalyst 4503 with Supervisor 7L-E 10 with IOS-XE 03.02.00.XO. One of its gigabit interfaces is connected to an Internet link of 1 Mega. In terms of QoS I would like to limit the total bandwidth of this gigabit interface to just 1 Mega, and simultaneously I want to share bandwidth between traffic classes with bandwidth percent up to 1 Mega and not 1 Giga.
Apr 29, 2013
I tried every type of combination and just couldn't make it work. Only PPTP works well. Is Apple iOS IPSec VPN supported or not?
Feb 3, 2013
I've no experience in VoIP and have been ditched with looking at an IP trunking problem on our network. The users were getting dead lines or silent calls, but it seems after re-seating the IP trunking card here and there around the network a few times, all is settled to normal. Unfortunately it's a third party that looks after the majority of the telephony, and as they can't figure out why this happens they often say it must be a problem with the data WAN it traverses. So I started trying to figure something out. I have IPSLA monitoring set up in Solarwinds on most of the routers and all looks well from that aspect; MOS is 4.34 and jitter is only 1ms at worst. I've taken a Wireshark packet capture of the IP trunk by mirroring the port on the switch at a main site where I've been told a lot of calls are routed through. Inside Wireshark I used the 'telephony > voip calls' tool and decoded all the calls. The output is showing most calls have 'Out of Seq' and 'Wrong Timestamp' at around 25-50%, although these calls seem fine otherwise, and I took this capture whilst the fault was not occurring. I know I need to capture next time when the fault is occurring, but this is what I have for now. How can I fix this or even start to troubleshoot further?
p.s- each site has two routers running GLBP to the WAN, over two ISP locations. I read something about having consistent routing to avoid packets arriving out of sequence, but haven't found anything yet to say this is how I can/should do that.
May 17, 2013
I have an ASA5510 with VPN configured on it. My goal is to be able to access our RV082 router after connecting to the VPN and from any PC inside the LAN. I don't want to be able to access the ASDM on the ASA5510 or the RV082 from outside the LAN UNLESS you are using VPN.
My Inside IP Subnet is 10.0.1.0/24 on the CISCO ASA5510. The CISCO ASA5510 Outside Interface is 172.16.15.2
The CISCO RV082 (172.16.15.1) is connected to the ASA5510 Outside Interface.
Our VPN Addresses start at 10.0.10.240 and I think they are NATTED to the Inside Interface of the LAN.
At this time, after connecting via VPN, we cannot access the RV082 at 172.16.15.1, but we want to. I think we need a static route to do this but I don't know which one to add, or how to add it?
Aug 25, 2011
We use all Cisco routers in our business, mostly 1841 and 871. But now I'm currently working with a new router:
Just purchased last week - Cisco 881
The Cisco IOS is:
Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 15.0(1)M6, RELEASE SOFTWARE (fc1)
->System image file is "flash:c880data-universalk9-mz.150-1.M6.bin"
As all our routers are Cisco we use EIGRP as our routing protocol. But with this router all I see is:
#router ?
odr On Demand stub Routes
rip Routing Information Protocol (RIP)
Where is my EIGRP? I can't configure EIGRP, so my router won't be doing much routing.
Feb 3, 2011
My sent packets are 0 and also received packets. What can I do?
Jul 20, 2011
I use a wireless adapter to connect to our home network but it's stopped receiving packets, though it is sending them. It has worked fine for ages; now it just randomly stopped. The network works with everything else (laptops, Xbox and iPods) but my PC won't receive anything. Also our home connection has no password as we live in the middle of nowhere.
Oct 29, 2011
I am having a really hard time with a computer that has a wireless connection. Specifically the internet keeps going out. The computer info is that of the affected computer and not the host computer to which the router and modem are connected.
Sep 9, 2012
How come my packets sent are so high?
Apr 6, 2011
Why might an ASA flag packets originated from itself as having a spoofed address?
Log messages are ASA-2-106016