Saturday, February 16, 2019

How can you find the IP address of a device when you...

...have no knowledge of where it came from or the subnet it was in previously? Can you hook it up to a switch, mirror the port, run tcpdump and detect anything? How can you get it to send out packets if it doesn't seem to be doing that by default?



port isolation old HP procurve switches

I am responsible for the network administration in a dormitory and try to isolate the individual users from each other. The old HP ProCurve 2910al switches do not support private VLANs. What is the best way to do this? L3 routing? Source port filtering?



Tool Bag

Hi everyone,

I currently use a backpack to carry all of my tools around. Moving forward, I would like to get a dedicated tool bag to carry everything except essential cables and my laptop. Any recommendations?

Edit:

I am a Network Engineer but I do a lot of telephony deployments. I would like to use a bag instead of a backpack for my tools.



Can't get console to work on Eve-Ng install

Hey, I installed the eve-ng package on an old HP server using Ubuntu 16.04. I got images on there but I can't get the consoles to come up via telnet. Uninstalled and reinstalled a couple of times, no dice. Anyone had this problem?



The Case for the Cloud-Savvy Network Engineer

I suspect members of this subreddit would agree with these two statements:

  • This is the most exciting time to be involved in networking in twenty years
  • Understanding topics such as network automation and the public cloud will advance your career

I made the argument for why cloud-savvy network engineers will be relevant in this blog post.

https://www.linkedin.com/pulse/case-cloud-savvy-network-engineer-jeff-loughridge/?published=t



USG with Ethernet Switch

I can't get my USG (Ubiquiti Security Gateway) to send an internet connection through my Ethernet switch to my other devices. Any advice or help?



2 svi's, same network

Still learning here... If you have a /16 in an SVI and then have another SVI in the same network as a /24 (plucked from the /16), would that work? Or would that not be possible because the networks are overlapping? Tried to do this in Packet Tracer but only the host with the /16 gateway/SVI set was reachable. Couldn't ping the /24 gateway from the other host in that /24 network. Both SVIs are on the same switch.



Remote site internet access

Hello all,

I have an issue at one of our remote sites and figured I could reach out for hopefully some hints to where else I can check.

Basically our network at this time is running a hub and spoke type, so all internet traffic as well as local access is routed to our main site. Yesterday this remote site called and said that they couldn't access the internet. After doing some searching, it seems that our wireless at the site can access everything, internet and servers, but our LAN has no internet access. The switch at the remote site seems to be able to ping the internet but not the router at the site. The two sites are connected with a point to point connection.

My thoughts are that something has changed at our main site to cut off internet access at either the router or SonicWall, since I believe even if they are on the LAN, they can communicate with some servers at the main site. If anyone has any helpful hints it would be greatly appreciated. In a bind and we are in the middle of switching 3rd party vendors.

Thank you, and hopefully this is the right place for this. And if you need more information please ask and I’ll happily provide.



Meraki TLS and WMI errors when connecting to AD

Let me preface by saying I am very green and in way over my head. I’ve read all the posts about not doing too much, as well as all the posts about finding a job where I can get the mentorship I need. I’m working on those things, but I’m still trying to keep the lights on at this organization until I can get myself into a better position.

I’ve been using Cisco ASAs at my 12 existing sites, because that is what my predecessor used. As the 5505s have died I’ve replaced them with 5506s. I don’t claim to be an expert but I’ve largely got them up and running, site to site VPNs work, etc.

It was recommended to me that I reach out to a VAR because all of our equipment (servers, switches, PCs, really everything) is pretty outdated. They recommended we try meraki. I’m attempting to demo it at a site we purchased roughly 45 days ago this weekend. Not ideal, but my backup asa had to go to another site that had an asa crash on Friday. This new site is supposed to be up and running and joined to our domain by Monday. (I know. I have 3 years of troubleshooting experience and have been the only IT guy at an organization of 300 users spread across 12 sites for the entire 45 days from purchase to go-live, hence why this has become a last minute nightmare.)

Meraki support was largely excellent in helping me sort out a few initial errors and get a VPN tunnel back to my main site up. I can remote to the main DC at the admin building currently, and access network shares.

However when it came time to connect to active directory I got two errors—“ldap_start_tls: server is unavailable” and “wmi error”. At that point meraki said this was a known issue and that I’d have to reach out to Microsoft to solve the issues on my server. Obviously I can’t have this new site not joined to my domain, and now I’m diving into learning about certificate authority and wmi errors.

I’m throwing a Hail Mary to the internet, if anyone out there has any assistance I’ll be forever in your debt.



CPPM troubleshooting guide

Hi; I have very limited Aruba CPPM experience. Are there any flowcharts or processes I can see for troubleshooting ClearPass issues? I googled but can't find what I was looking for.

Thank you in advance.



HPE IRF traffic flow query

If I have a pair of distribution switches (D1 & D2) in an HPE IRF with a single LACP northbound (towards core), and multiple LACPs southbound (towards access), what sort of traffic flow would I expect over the IRF links?

Specifically, in the case of South->North traffic, a packet is received from the access layer on D1, and needs to travel northbound. Is the northbound LACP algorithm weighted to prefer to send traffic over D1's LACP link rather than sending to D2 via the IRF first?



Is it possible to get a networking job without being passionate about it? I mean, it's not like coding, right? It's just been rough finding something, and I have always been a good troubleshooter and learned a decent amount of info over the years. I can excel faster than average. I mean, I see myself going nowhere as far as making it on my own. I'm assuming cyber security isn't for me, but could I get by with seeing networking as a labor kind of job in a small sense? Is networking in demand? What would I be doing? I mean I have an idea, but an example would be taking care of a company's network, kinda sorta? I already know a decent amount. I wouldn't mind completely surrounding myself with it and learning way more; I'm passionate to an extent but nothing crazy. I just feel as if it's enough to get by and enjoy the work and learning/troubleshooting. Thanks. I'm assuming nothing else computer related would be recommended. What about working from home? Should my first step really be CompTIA?



Preparing for SDN: do you guys recommend learning Python scripting for the near future?

I have a decent understanding of networks. What else would I need to prepare for SDN?



Friday, February 15, 2019

Tooling

What network tools do you wish existed from a monitoring or packet generation standpoint? I've been working with IXIAs and haven't found them feature rich; they are lacking in certain ways, and I wanted to get other people's opinions on what they would like to see.



CCNA looking for Ruckus/Brocade help

I just started at a new job as a Network Engineer. One of the challenges so far is that we are most often installing/configuring Ruckus/Brocade switches and I'm almost exclusively familiar with Cisco IOS. I've looked around the Ruckus resource page but I was wondering if there's somewhere this group would recommend to give me a crash course in Ruckus/Brocade commands and what some of the main differences would be. For instance, tagging VLANs seems to have a different verbiage (trunk/access/dynamic vs untagged/tagged/dual). Obviously, the best thing is going to be getting some quality time in the CLI, but I figured a head start wouldn't hurt. Thanks in advance.



VPN for Office of 40 staff

40 person engineering firm. Many staff work from home/remote. They VPN to the office and access files from the file server. We're currently using a SonicWall TZ600 with the $3K/year content filtering subscription. The SSL VPN is terribly slow. Many staff complaining (including me) about slow speeds copying/accessing files remotely.

I'm willing to spend up to $5K for the firewall (capital purchase). Need something that supports 10-15 concurrent staff VPN connections. We have several IPSec connections to client sites. Would also like the anti-malware/AV stuff but it's not super important. We have Kaspersky on all servers and workstations/laptops.

Looking for a recommendation please.

Edit: 100MB up and down dedicated fiber.



Is SD-WAN Right For Us?

I work for a company that has about 60 remote sites. Each site has an IPSec tunnel up to our main datacenter with untapped bandwidth.

Throughout the country, we have varying lines from 500/500 fiber to simple 100/25 coax lines. We ALWAYS go with fiber if that is an option, and I would say more than 35% of our company is on fiber.

All our remote sites spread across the country but ALL send into our main data hub. Our data is mainly a singular application sending dozens of terabytes of data a day.

We have been looking at SD-WAN because it is an embedded feature in our FortiGate firewalls. The problem is, it seems like there are several flavors of SD-WAN, and none of us have a good grasp on what it will do.

The way we see it, could SD-WAN be a way to create a mesh WAN in which we can direct routes across the coast through low-latency nodes, effectively making traffic quicker? We see latency as the #1 culprit to performance that can absolutely affect a lot of areas of our business. We also have a very good grasp on latency metrics and what paths we would want to take, but we're not sure if we are looking at it correctly.

Can anyone with experience help me understand if SD-WAN is a useful application for what we are trying to do?



Cisco WLCs: Pros and cons of replacing 5508's with AireOS 5520 vs IOS-XE 9800 ?

Yes, the emotional scars of the 5760 are still fresh, but it seems like IOS-XE is the future for Cisco WLCs (again).

In your experience, what would be the pros and cons of replacing some existing 5508s with 9800s?

We are already rolling out Catalyst 9200s for access layer, if that matters.



Help needed with Comcast fiber and multiple site connections

Hello, we have just had Comcast fiber installed and I don't understand the IP assignments I was given by Comcast. Here is what they sent me:

WAN Block:

Link IP Address: 50.x.x.16/29

Gateway: 50.x.x.17

Layer 3 IP: 50.x.x.17 - 50.x.x.22

LAN Block:

Everything is listed as N/A

Layer 3 Subnet Mask: 255.255.255.248

The setup is Comcast Metro-E EDI at our main site and Comcast Metro-E EPL at the other sites, so I don't think they have direct internet access and must go through our main site to get out to the internet.

I have our SonicWall TZ300 configured at the main site, that was easy enough, but I'm not quite sure how to set up our other sites. Do I assign the WAN IP on the router at each site to be an IP that is within the LAN scheme of our main site, and use the given gateway address of 50.x.x.17 at each site? I could use some advice on how to connect and route our other sites to and through the main site, thanks everyone.



ISO ip-sla on linux, or something with a similar result

What I'm looking for is a tool that runs on vanilla linux that would act a lot like ip-sla and adjust a route on configurable link failure conditions.

The goal is to have a client device establish a connection with a cloud host (server), start up a stream of data from the cloud host to the client and monitor that for interruptions and re-connection. Adjust a route accordingly.

I'm wanting to build a rapid recovery VPN toolkit around wireguard and tinyfecvpn.

I.e., 2 WANs: primary is 'cable' and secondary is 'lte'. ip-sla monitors over the 'cable' connection, and if that has a ~300ms gap in packets, immediately switch the route to the remote VPN from 'cable' to 'lte'. WireGuard handles the rapid and graceful transition between WAN hosts because it's awesome. tinyfecvpn runs over WireGuard specifically to add ~100ms worth of forward error correction so that no packets are lost in the transition.

When the 'cable' connection stabilizes, for example has 5 seconds of uninterrupted packets, then change the route back. WireGuard will forward the next packet to the src address of the last one, so it's very fast at adapting. And tinyfecvpn will reconstruct lost packets.

I've worked with cradlepoint and peplink but their tech is heavy on cellular data just maintaining the 'bulletproof' VPN connection. That means a lot of cost. This solution would have minimal overhead and rapid recovery to the primary WAN.

Thoughts?
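The failover/failback decision described in the post above, as an added illustration that is not the poster's toolkit or any Cradlepoint/Peplink code: a small policy object tracks probe replies on the primary WAN, flips to the backup after a reply gap longer than ~300 ms, and flips back only after 5 s of uninterrupted replies. The WAN labels 'cable' and 'lte' come from the post; the route change itself is a callback (a real deployment would run `ip route replace` or similar there), so the policy can be exercised offline on a constructed trace. Times are integer milliseconds to keep the comparisons exact.

```python
"""Link-failure monitor policy: fail over to a backup WAN after a gap in probe
replies, fail back after a sustained stable period. Added illustration, not
the poster's toolkit. Times are integer milliseconds."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class FailoverPolicy:
    primary: str = "cable"            # WAN labels from the post (hypothetical names)
    backup: str = "lte"
    fail_after_ms: int = 300          # reply gap on primary that triggers failover
    recover_after_ms: int = 5000      # uninterrupted replies needed before failback
    on_switch: Optional[Callable[[str], None]] = None  # hook for the real route change
    active: str = field(init=False, default="")
    last_reply_ms: Optional[int] = field(init=False, default=None)
    stable_since_ms: Optional[int] = field(init=False, default=None)
    history: List[str] = field(init=False, default_factory=list)

    def __post_init__(self) -> None:
        self.active = self.primary

    def _switch(self, wan: str) -> None:
        if wan != self.active:
            self.active = wan
            self.history.append(wan)
            if self.on_switch:
                self.on_switch(wan)

    def reply_received(self, now_ms: int) -> None:
        """A probe reply came back over the primary at time now_ms."""
        gap_ended = (self.last_reply_ms is None
                     or now_ms - self.last_reply_ms > self.fail_after_ms)
        if gap_ended or self.stable_since_ms is None:
            self.stable_since_ms = now_ms   # stability window restarts here
        self.last_reply_ms = now_ms
        if (self.active == self.backup
                and now_ms - self.stable_since_ms >= self.recover_after_ms):
            self._switch(self.primary)

    def tick(self, now_ms: int) -> None:
        """Timer callback: notice a gap even while no replies are arriving."""
        if (self.last_reply_ms is not None
                and now_ms - self.last_reply_ms > self.fail_after_ms):
            self.stable_since_ms = None     # primary is broken; count again later
            self._switch(self.backup)


def simulate(events):
    """events: iterable of ("reply"|"tick", time_ms) in time order (constructed input)."""
    policy = FailoverPolicy()
    for kind, t in events:
        if kind == "reply":
            policy.reply_received(t)
        else:
            policy.tick(t)
    return policy.history, policy.active


def outage_scenario():
    """Constructed trace: healthy, then 500 ms of silence, then steady recovery."""
    events = [("reply", t) for t in range(0, 1001, 100)]   # replies at 0..1000 ms
    events.append(("tick", 1500))                          # 500 ms since last reply
    events += [("reply", t) for t in range(1600, 7001, 100)]
    return simulate(events)


def blip_scenario():
    """Constructed trace: a 250 ms gap, under the threshold, must not flip routes."""
    events = [("reply", 0), ("reply", 100), ("tick", 350), ("reply", 400), ("tick", 600)]
    return simulate(events)


if __name__ == "__main__":
    print(outage_scenario())   # (['lte', 'cable'], 'cable')
    print(blip_scenario())     # ([], 'cable')
```

The asymmetry between the thresholds is the point: a short failover timer keeps the outage brief, while the long failback timer stops a flapping primary from dragging the route back and forth, which would defeat the FEC window that tinyfecvpn is meant to cover.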



Naming Standards/Conventions

Hey all,

Bit of a dull topic :) but I was curious to see the various naming conventions you all use for network equipment across your estates globally?

I'm kicking off a mini project to revamp how my current company does it, which will hopefully include more relevant information such as continent, site code, kit type (e.g. router/switch/firewall) etc. The goal is to be able to easily group items when developing scripts etc.

Currently we do "company name-location-rt1/2" as an example. We have over 60 sites globally, so defining a script that sets a variable for all USA kit for instance is rather difficult without knowing all the locations. I'm aware we could just add in USA/APAC/EMEA etc into the name, but I thought I'd get some examples as it's something that is often overlooked.

Thanks :)
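To show what the "easily group items in scripts" goal looks like in practice, here is an added example (not the poster's current or future convention): a hypothetical scheme of `<region>-<sitecode>-<role><index>` is parsed with one regex, non-conforming legacy names are reported rather than silently mis-grouped, and devices are bucketed by any parsed field. The region codes, site codes and hostnames are constructed.

```python
"""Parse a proposed device naming scheme into fields and group devices for
scripting. Added example; the scheme <region>-<site>-<role><index> and all
hostnames below are hypothetical."""
import re
from collections import defaultdict

# region: amer|emea|apac, site: three letters + two digits, role: rt|sw|fw, then an index
NAME_RE = re.compile(
    r"^(?P<region>amer|emea|apac)-(?P<site>[a-z]{3}\d{2})-(?P<role>rt|sw|fw)(?P<index>\d+)$"
)
ROLE_NAMES = {"rt": "router", "sw": "switch", "fw": "firewall"}


def parse_hostname(name):
    """Return the name's fields as a dict, or None if it does not follow the scheme."""
    m = NAME_RE.match(name.lower())
    if not m:
        return None
    fields = m.groupdict()
    fields["index"] = int(fields["index"])
    fields["role"] = ROLE_NAMES[fields["role"]]
    return fields


def group_devices(names, key="region"):
    """Bucket conforming names by one field; collect the rest so they get fixed, not lost."""
    groups = defaultdict(list)
    rejected = []
    for name in names:
        parsed = parse_hostname(name)
        if parsed:
            groups[parsed[key]].append(name)
        else:
            rejected.append(name)
    return dict(groups), rejected


# constructed inventory: four conforming names and one legacy-style name
SAMPLE = ["amer-nyc01-rt1", "amer-chi02-sw1", "emea-lon01-fw1",
          "apac-syd01-rt2", "acme-newyork-rt1"]

if __name__ == "__main__":
    by_region, legacy = group_devices(SAMPLE)
    print(by_region)   # {'amer': [...], 'emea': [...], 'apac': [...]}
    print(legacy)      # ['acme-newyork-rt1']
```

Keeping the pattern strict (fixed region list, fixed role list) is what makes grouping reliable: a typo in a hostname fails the parse and lands in the rejected list, instead of creating a new, empty-looking region in an automation run.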



First senior network engineer role!

I've got a few years experience under my belt now and just landed myself a new job, first time I've had the responsibility that comes with a senior position.

Looking to make an impact when I've got my head around the new network initially making sure documentation/diagrams are good which will help me learn the environment quickly then try and suggest/implement network improvements where I can see things can be done better.

What I'm wary of is upsetting any of the current network engineers. Any tips for getting them onside? How long would you leave it after starting before suggesting any changes? And when you enter a new networking environment, what do you do to get your head around it?



100Base-FX over Single mode fiber anyone?

I am tasked with coming up with suggestions on how to connect a number of these to something a bit more contemporary. I have some Cisco switches with Fast Ethernet SFP ports to get me going. The SFPs I tried to use are GLC-FE-100LX-C. This does not seem to work.

My research has indicated that the linked switches use 100Base-FX, whereas the SFPs on the Cisco side are 100Base-LX. Furthermore, the 100Base-FX standard is as far as I can tell meant for multimode fiber. Nevertheless, the linked switch specification talks about an SM connection, as in Single Mode.

Did the manufacturer of the switch, Hirschmann, come up with their very own implementation of 100Mbps over Single mode fiber and call it 100Base-FX SM?

I'm eyeing the GLC-FE-100FX SFP, which seems to be closest I can get. This is however meant for multimode. What are my chances of getting a link between the Hirschmann switch and the Cisco switch?

The plant is running single mode fiber for sure.

And yes, I'm quite aware 100 Mbps is past its sell date but to upgrade all existing networking to at least 1 Gbps will be a challenge Because Reasons.



How to effectively determine the cause of L2 loops

Hello,
We have a vast L2 network, and I was wondering the best way to quickly determine what device/port is causing loops. We use Juniper EX series devices, with all variations of STP disabled and storm control enabled. Generally, when things start storming we clear the MAC table, disable ports, and eventually if it isn't fixed we get Wireshark captures. Could anyone give me some strategies for quicker/more effective ways to troubleshoot loops?
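One quicker first step than captures is to let the switches tell you where MACs are moving. As an added example (not the poster's process, and not a specific Juniper message format, which is constructed here for illustration), the script below parses MAC-move log lines, counts moves per unordered port pair, and flags pairs where many distinct MACs keep bouncing, which looks like a loop, as opposed to one MAC moving, which looks like a host roaming. The sample log lines, hostnames and interface names are constructed.

```python
"""Spot the port pair behind a MAC-move storm from switch syslog. Added
example; the log line format is constructed for illustration and is not a
specific vendor's message format."""
import re
from collections import Counter, defaultdict

# constructed format: "... mac <mac> moved from <port> to <port> in vlan <id>"
MOVE_RE = re.compile(
    r"mac (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) moved from (?P<src>\S+) "
    r"to (?P<dst>\S+) in vlan (?P<vlan>\d+)"
)

# constructed sample: three MACs bouncing between two ports, one genuine roam
SAMPLE_LOG = """\
Feb 14 10:02:13 ex-dist-1 l2ald[2101]: mac 00:11:22:aa:bb:01 moved from ge-0/0/1.0 to ge-0/0/7.0 in vlan 120
Feb 14 10:02:13 ex-dist-1 l2ald[2101]: mac 00:11:22:aa:bb:02 moved from ge-0/0/7.0 to ge-0/0/1.0 in vlan 120
Feb 14 10:02:14 ex-dist-1 l2ald[2101]: mac 00:11:22:aa:bb:01 moved from ge-0/0/7.0 to ge-0/0/1.0 in vlan 120
Feb 14 10:02:14 ex-dist-1 l2ald[2101]: mac 00:11:22:aa:bb:03 moved from ge-0/0/1.0 to ge-0/0/7.0 in vlan 120
Feb 14 10:02:14 ex-dist-1 l2ald[2101]: mac 00:11:22:aa:bb:02 moved from ge-0/0/1.0 to ge-0/0/7.0 in vlan 120
Feb 14 10:02:20 ex-dist-1 l2ald[2101]: mac 00:11:22:cc:dd:09 moved from ge-0/0/2.0 to ge-0/0/3.0 in vlan 130
"""


def parse_moves(text):
    """Extract (mac, src, dst, vlan) dicts from every line that reports a MAC move."""
    return [m.groupdict() for m in (MOVE_RE.search(line) for line in text.splitlines()) if m]


def move_summary(moves):
    """Per unordered port pair: (number of moves, number of distinct MACs)."""
    counts = Counter()
    macs = defaultdict(set)
    for m in moves:
        pair = tuple(sorted((m["src"], m["dst"])))
        counts[pair] += 1
        macs[pair].add(m["mac"])
    return {pair: (counts[pair], len(macs[pair])) for pair in counts}


def loop_suspects(text, min_moves=3, min_macs=2):
    """Port pairs with many moves from many MACs, busiest first. A single roaming
    host produces one MAC; a loop drags many MACs back and forth between the same ports."""
    summary = move_summary(parse_moves(text))
    hits = [(pair, n, k) for pair, (n, k) in summary.items() if n >= min_moves and k >= min_macs]
    return sorted(hits, key=lambda h: h[1], reverse=True)


if __name__ == "__main__":
    for pair, moves, distinct in loop_suspects(SAMPLE_LOG):
        print(f"{pair[0]} <-> {pair[1]}: {moves} moves, {distinct} MACs")
```

Run against the real syslog stream (or the output of the switch's MAC-move notification, where the platform offers one), the busiest pair names the two ports to shut first; the distinct-MAC count is what separates a loop from a noisy wireless client.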



IOSU - Open Source program to configure Cisco devices through serial and compare Cisco IOS configurations

http://bit.ly/2S53AaY



Network redundancy and resilience

What protocols for network redundancy and resilience in Ethernet networks are mainly used in production nowadays? I know the CCNA tests you on STP, but it seems like at my job other things are used that I'm not familiar with?



Would the sub find a demographics survey interesting or useful?

I'm not even sure if such a thing is allowed on this sub, though I saw a salary-based one a while ago that got cross-posted here from /r/sysadmin.

I'd be more interested not in a salary one, but a pure demographics one, and have it narrowed down to just the denizens of /r/networking.

I've never done a survey before, I'm just trying to gauge interest of the community at large. The main objective would be to see what demographic groups and areas of the industry are represented here.

Just some sample probes:

General demographics

What age are you?

  • 18 - 21
  • 22 - 25
  • 25 - 30
  • 30 - 35
  • 35 - 40
  • 40 - 45
  • 45 - 50
  • 50+

What is your gender and ethnicity?

Where are you?

  • U.S.: Bay Area, U.S. West, U.S. upper midwest, U.S. lower midwest, U.S. Southwest, U.S. Northeast, U.S. East, etc.
  • Canada: Ontario, Quebec, B.C., etc.
  • UK/Europe, Asia, Africa, Pacific Island, etc.

(I'd probably need to do some homework on the "where are you living" section to make sure to cast a wide net and not make certain parties feel excluded, as I'm aware that this sub has people from all over the world posting on it.)

And then the part which would be the main interest, I feel:

**Defining "Networking" as primary job duties revolving around designing, configuring, installing, operating, maintaining, or administrating routers, switches, firewalls, load-balancers, WAN optimizers, bulk encryptors, MUX/DE-MUX, SDN components, or any other aspects of network transport infrastructure**

How long have you worked in Networking?

  • 0 years (aspiring, in training/education/prep, etc.)
  • 0 - 5 years
  • 5 - 10 years
  • 10 - 15 years
  • 15 - 20 years
  • 20 - 25 years
  • 25 - 30 years
  • 30+ years

Would you think of also breaking that question down to even shorter time spans?

How long have you been employed at your CURRENT networking job?

  • 0 - 5 years
  • 5 - 10 years
  • 10 - 15 years
  • 15 - 20 years
  • 20 - 25 years
  • 25 - 30 years
  • 30+ years

How many PRIMARILY NETWORKING jobs have you held since your first one?

  • 1
  • 2-3
  • 3-4
  • 4-5
  • 5-6
  • 6-7
  • 7-8
  • 8-9
  • 9-10
  • 10+ networking jobs since my career began

What best describes your CURRENT NETWORKING JOB?

  • I work for a Vendor (Cisco, Juniper, Arista, etc.) in TAC.
  • I work for a Vendor (Cisco, Juniper, Arista, etc.) in a sales role.
  • I work for a Vendor (Cisco, Juniper, Arista, etc.) in some other role.
  • I work for a VAR or Reseller as a pre-sales engineer.
  • I work for a VAR or Reseller as a post-sales engineer.
  • I work for a VAR or Reseller in some other role.
  • I work for a Managed Service Provider / Professional Services firm.
  • I work as a freelance Consultant.
  • I work for a hosting/cloud provider (including content delivery networks).
  • I work for an Internet Service Provider in a NOC.
  • I work for an Internet Service Provider in a Tier 2 / 3 engineering position.
  • I work for an Internet Service Provider in a design/solutions/architecture role.
  • I work for an Internet Service Provider in some other role.
  • I work in an enterprise environment in the Health Care industry.
  • I work in an enterprise environment in the Financial Services industry.
  • I work in an enterprise environment in the Consumer Products & Services industry.
  • I work in an enterprise environment in the Business Products & Services industry.
  • I work in an enterprise environment in the Transportation/Logistics industry.
  • I work in an enterprise environment in the Construction industry.
  • I work in an enterprise environment in the Entertainment industry.
  • I work in an enterprise environment in some other industry not listed here.
  • I am a Fed-Gov government employee.
  • I am a Fed-Gov government contractor.
  • I am active duty military.
  • I am a State/Local government employee.
  • I am a State/Local government contractor.

There'd also be an education and certification section, trying to determine the highest level of degree possessed, the number of certifications held lifetime (including expired), the number currently held, etc.

Also something in there about this sub, like:

  • Do you primarily read the subreddit but not participate?
  • Do you participate and post content, or just reply to threads mostly, etc.?

I won't type any more because this isn't the actual survey. I'm just interested to see if people would actually like this and would participate in such a survey. Or does this border on a "probably not worth the effort" kinda thing?



QoS in a DC?

Just fishing for your thoughts on the above, really.

The network architect where I work implements QoS on the fibre path layers in our DCs.

Personally, I think this is unnecessary. What do you guys make of it? Yay or nay?



New to networking, need some help.

I am doing an online course in networking right now and I have an assignment question right now in which I am completely drawing a blank.

I need to find a new (recent or upcoming) networking technology that I can use to compare based on the LAN backbone design (collapsed/distributed/parallel) i.e. a new technology which is affected by the structure of the LAN backbone.

I have searched a lot here and there and been unable to find any such thing. I took a look at SD-LAN but it seems to be unaffected by LAN structures.

If something comes to your mind, I'd be really grateful if you can point me to the right direction, in terms of what to search for. Thanks!



PoE powered switches with passthrough

I'm in the process of assembling a list of PoE powered gigabit managed switches that have one or two ports of downstream passthrough.

The search has been easy so far for 5 port switches.

  • D-Link DGS-1100-05PD is a 5 port switch powered by 802.3af or 802.3at (if extra power budget is desired) and supports two downstream PoE devices with an 8 or 18 W budget depending on input.
  • Netgear GS105PE is identical to the D-Link in every way. It's stated to support 19 W of downstream PoE when powered by an 802.3at PoE+ device.
  • Trendnet TPE-P521ES is identical to the other two, but with an 18 W budget.

Easy peasy right? I've been having issues finding options for 8 port versions. The only one I've found so far that supports passthrough is the Ubiquiti Unifi US-8, and if I drop the passthrough requirement I've only found the DGS-1100-08PD and the GS108TV2 to support PoE power.

Just wanted to see if anyone has gone through a similar search. Cheers!



Thursday, February 14, 2019

Wireless basic question

I am trying to understand wireless. And I have a few questions.

  1. Why did the designers of the 802.11 standard decide to use only 20 MHz of bandwidth? Why not use the entire 2.4 GHz band (83.5 MHz)? Why was it split into channels?

  2. What is the difference between L2 and L3 roaming conceptually? (I will read through the nitty gritty details from Google, but a little explanation would be really great.)

I have never worked on wireless systems and trying to understand the basics. I am sorry if this is a silly question.

Thanks in advance.



Does Cisco 1905 support 2x Ehwic-4esg ?

I mean, it has slots for 2, but does the CPU handle it?



Can I assign multiple boot system images on a Cisco 2960XR stacked switch?

I would like to know if it is possible to have two boot system images on a Cisco 2960XR stacked switch, one primary and another secondary, as we can do on routers.

Also, no info related to the boot image appears in the running config or startup-config after entering the command; the info is shown only in the 'show boot' output.

And in the "show boot" output, we can only see the image path that was last configured with the "boot system" command. It seems like IOS replaces the image path that was configured first with the one that was last configured:

Do you guys know if this platform supports multiple boot system images or not?



Networking noob - Cable Question

I'm working on getting my CompTIA Network+ certification using this book: https://www.amazon.com/CompTIA-Network-Certification-Guide-N10-005/dp/0071789227

The book describes CAT X as basically just an Ethernet cable. Which I understand. But then they start talking about XbaseY and how that's also a type of cable? Then they talk about using 'XbaseY running on CAT X'?

What am I missing here? Are they both types of cables? How can they be run through together? I have no idea how to look up the general topic of 'XbaseY', as the book hasn't really provided a topic name that encompasses all of them - it only brings up the dozen-or-so versions of it individually. The only small inkling of an answer that I may have come up with is that XbaseY refers to more of the 'load' that is put on the cable, while CAT X describes the cables and the loads they can take. But that is smashed to bits every time I remember that the book talks about all the different connectors that XbaseY can use.

So, I'm just crazy lost - any help would be appreciated (even if it means recommended more/different books)!



ASA crypto map config, two local subnets to one remote subnet

Hello Networking!

I'm struggling with what I feel should be a simple VPN setup on a Cisco ASA and I feel I'm missing something simple. I'm trying to set up two tunnels to a site, securing traffic from two of my local subnets to the same remote subnet.

For example purposes, let's say my local subnets are 10.1.0.0/16 and 10.5.1.0/24. The remote subnet is 10.3.0.0/16. I've configured the following:

    ikev2 enable outside
    ikev2 policy 2
    encryption aes-gcm-256
    group 24
    prf sha384
    lifetime seconds 86400
    tunnel-group PEER_IP type ipsec-l2l
    tunnel-group PEER_IP ipsec-attributes
    ikev2 remote-authentication pre-shared-key password
    ikev2 local-authentication pre-shared-key password
    crypto ipsec ikev2 ipsec-proposal cry_ike2
    protocol esp encryption aes-gmac-256
    access-list map_1 extended permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.0.0
    access-list map_1 extended permit ip 10.5.1.0 255.255.255.0 10.3.0.0 255.255.0.0
    crypto map cry1 1 match address map_1
    crypto map cry1 1 set peer PEER_IP
    crypto map cry1 1 set ikev2 ipsec-proposal cry_ike2
    crypto map cry1 interface outside
    crypto map cry1 set pfs Group24
    object network Network1
    subnet 10.1.0.0 255.255.0.0
    object network Network2
    subnet 10.5.1.0 255.255.255.0
    object network Remote_Net
    subnet 10.3.0.0 255.255.0.0
    nat (inside,outside) source static Network1 Network1 destination static Remote_Net Remote_Net no-proxy-arp route-lookup
    nat (inside,outside) source static Network2 Network2 destination static Remote_Net Remote_Net no-proxy-arp route-lookup

I have configured the same (but reverse, as needed) on the ASA at the other end.

I have SAs for 10.1.0.0 > 10.3.0.0 forming but no SA forming for 10.5.1.0 > 10.3.0.0.

What am I doing wrong here?
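One check worth automating when a second subnet pair never negotiates an SA is whether the two peers' crypto ACLs are exact mirror images, since each ACE is a proxy identity and an entry without its mirror on the far end has nothing to match. The script below is an added example, not the poster's configuration and not a diagnosis of it: the local ACL is the `map_1` ACL from the post, while the REMOTE text is constructed to be missing the second entry so that the check has something to report.

```python
"""Check that two ASA crypto ACLs are mirror images of each other. Added
example; the remote ACL text is constructed so the check reports something.
It is not a diagnosis of the configuration in the post."""
import ipaddress
import re

ACE_RE = re.compile(
    r"access-list (?P<name>\S+) extended permit ip "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) (?P<smask>\d+\.\d+\.\d+\.\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+) (?P<dmask>\d+\.\d+\.\d+\.\d+)"
)

# ACL as posted above: two local subnets to the one remote subnet
LOCAL_CONFIG = """\
access-list map_1 extended permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.0.0
access-list map_1 extended permit ip 10.5.1.0 255.255.255.0 10.3.0.0 255.255.0.0
"""

# Constructed far-end ACL that mirrors only the first entry
REMOTE_CONFIG = """\
access-list map_1 extended permit ip 10.3.0.0 255.255.0.0 10.1.0.0 255.255.0.0
"""


def parse_crypto_acl(config, name):
    """Return (src, dst) network pairs for the named extended ACL. ASA ACLs use
    subnet masks rather than wildcard masks, so the mask goes straight to ip_network."""
    pairs = []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m and m["name"] == name:
            pairs.append((ipaddress.ip_network(f"{m['src']}/{m['smask']}"),
                          ipaddress.ip_network(f"{m['dst']}/{m['dmask']}")))
    return pairs


def mirror_report(local_pairs, remote_pairs):
    """Each local (src, dst) needs an exact (dst, src) on the peer, and vice versa."""
    remote_set, local_set = set(remote_pairs), set(local_pairs)
    missing_on_remote = [p for p in local_pairs if (p[1], p[0]) not in remote_set]
    missing_on_local = [p for p in remote_pairs if (p[1], p[0]) not in local_set]
    return missing_on_remote, missing_on_local


def check(local_config=LOCAL_CONFIG, remote_config=REMOTE_CONFIG, name="map_1"):
    """Human-readable lists: entries the far end lacks, entries this end lacks."""
    missing_remote, missing_local = mirror_report(parse_crypto_acl(local_config, name),
                                                  parse_crypto_acl(remote_config, name))
    return ([f"{s} -> {d}" for s, d in missing_remote],
            [f"{s} -> {d}" for s, d in missing_local])


if __name__ == "__main__":
    far_missing, near_missing = check()
    print("no mirror on remote peer:", far_missing)   # ['10.5.1.0/24 -> 10.3.0.0/16']
    print("no mirror on local peer: ", near_missing)  # []
```

Feed it the real `show running-config access-list` text from both ends; a clean result rules out proxy-ID mismatch and points the investigation at the NAT exemption or the crypto map instead.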



Should I be concerned?

So I have been working as a NE and some days I feel over my head.

We recently hired a senior level to help me out and give me some more guidance to grow. So he interviewed great but I was reserved about him. He stated that he had racked and stacked, and was familiar with cabling.

This is where the problems started, I was covered up with work so my manager off loaded a simple switch config and cabling job to him.

He didn't even know what cage nuts were... WTF. He came back and told us that the brand new fiber run was bad. We asked how he knew and he stated the links didn't come up. Asked if he ran a light test, then he asked what's that. He didn't know you had to swap one end of the fiber. I mean really, should I be worried?



Are there any disadvantages to using SM fiber for short distances?

Ixia FlexTaps support 1/10/40/25/100G in the same tap, but only in their passive single mode fiber taps.

Is there any disadvantage (other than cost) to running SM fiber for a 2 meter distance?



Monitoring Traffic with GNS3

So I built a network with a couple of routers in GNS3, but 20 routers running all at the same time chokes my laptop. I tried running the routers and appliances on AWS; this has been successful so far. Would you have recommendations on how to monitor the traffic on my routers in the cloud using real-world monitoring tools, e.g. SolarWinds, ThousandEyes, OF5?

I can do this locally (hook up GNS3 with VMware) using a VM with said tools, but clouds don't generally support nested VMs.

Would you have recommendations on how I can proceed with this? I prefer virtual labs as I don't have the money to spare nor the space on a shared flat to setup a home lab with 20 routers.

Thank you. I've been losing sleep over this trying different solutions to have a lab environment that's close to real-world including tools etc.

Thanks.



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, along with a nice description, to this thread.



Watchguard firewall is unable to reach a domain controller over a branch office VPN to AWS - but all other devices can.

Hi,

I'm setting up a backup domain controller on AWS and a VPN between the office and the VPC. Everything went fine: promoted the server and all went good... Until I tried to add the new domain controller in the Watchguard authentication servers configuration. Somehow, the firewall can't reach the DC!

I can ping the firewall from the DC, but I can't ping the DC from the firewall itself. So the device routes everything correctly, but its internal services cannot access the server.

I use the default BOVPN rules and everything should be able to reach the other side of the tunnel, even the firewall itself! I modified my ping rule to be able to see them in the logs, but I'm not seeing any from the firewall when I run my test.

So far, I'm satisfied with our Watchguard firewalls, but this issue is really weird... I'm running the latest version of the Firebox software.

If someone has any idea, don't hesitate. I opened a customer support case for this issue and will report back if they're able to give me a solution.



vPC/MLAG vs L3 Topology

Dear Reddit,

So I was recently promoted to the magical and sometimes soul crushing position of Network Engineer at a non-profit IT company that services a lot of non-profits in the area. There are tons here because there is a large industrial company here in the city that gives money to all these orgs as a tax write off. Anyway, we are looking to redesign our network, and one of the things we are looking to do is move our core network to Layer 3.

I understand the concept behind technologies like vPC and MLAG, however I was wondering if it would be better to just have L3 links between switches instead of aggregating them with these techniques. I understand from a L2 perspective it makes sense to aggregate this way to prevent having to deal with STP and also utilize links better. But wouldn't something like L3 etherchannel provide the same kind of link utilization and redundancy, without the risk of a split brain scenario? We just purchased Nexus 3064-Xs and I'm trying to decide if we should use vPC or not.

Thanks in advance...



How to use route-map to permit only LAN (loopback) traffic or deny public traffic

I have 2 routers connected via iBGP (in a DMVPN tunnel) and I want to allow only LAN traffic to pass through them.

If I use an ACL that denies them, like

access-list 1 deny x.x.x.x x.x.x.x (as x.x.x.x being the network on my public interface) 

all of the traffic stops.

Any suggestions?



Another automation post...how are you code testing?

Hi All...

Question to all of you folks that are developing your networks as code.

As most in the software development world presumably know, all good code is tested once or many times as you move that code to production. I'm curious about how this looks in the networking world.

What strategies are you using to test your network and code?

Do you have unit tests directly in your code? Are you testing the resultant network configurations and/or state as extensively as the code itself?

Do you have external systems that test the before, during and after states of the network deployments?

Are there certain deployment tools that are better for networking code than others?

Many platforms have dev, stage and prod environments. Are you using a similar methodology for automating networks?

Look forward to hearing more!



Need help troubleshooting VPN to VPC (AWS) from Fortigate 60E

I am having some issues getting tunnels to come up. I deployed the config sent to me by AWS.

Willing to pay for someone to help me troubleshoot this.



Where do you draw the line between enterprise and non-enterprise networking?

A little discussion topic. First post here, apologies if this type of discussion isn't really the done thing.

I'm not looking for a definition of what an enterprise network would be, I can find one of them online. I'm just wondering at what point, in your opinion, a network becomes large/fast enough etc. to be considered an enterprise network.

I'd be interested to see what types of responses come up, whether they differ too much or not :)



VLAN confusion ... Sonicwall/HP Switches/VOIP

I'm a beginner and having a difficult time with VLANs.

In my home lab, I have a Sonicwall TZ firewall, 2 8-port HP 1820 switches and a VMWare ESXi box.

Sonicwall port X0 (LAN zone): 192.168.10.1

HP1820_01 - 192.168.10.2

HP1820_02 - 192.168.10.3

ESXi host - 191.168.10.10

VM01 (DHCP) - 192.168.10.20


Sonicwall X0 is connected to HP1820_01 Port 1

HP1820_01 Port 8 is connected to HP1820_02 Port 1

HP1820_02 Port 2 is connected to the ESXi host


I'd like to be able to set up a VLAN for VOIP such that I have a VOIP phone connected to any port on HP1820_02 and then a PC connected to the VOIP phone.

The phone should get an IP address on a separate VLAN (100) from the DHCP server eg 192.168.100.x

The PC should get an IP address from the DHCP server in the 192.168.10.x range.

Is this possible?

Sonicwall's documentation says to add a virtual sub interface to X0. i.e. X0:V100 192.168.100.1

I'm struggling with the next step(s) on the HP switches.

There is a feature where you can add ports to a "trunk" group which is what I assumed I wanted for ports that would have both the default 192.168.10.x and the 192.168.100.x networks. When I tried configuring ports 1 and 8 of HP1820_01 in this trunk group, I lost connectivity from the Sonicwall to HP1820_01.

I removed that config then tried just creating a VLAN ID:100 on both HP switches.

On HP1820_01, I added the VLAN(100) to ports 1 and 8 (tagged), and left the default VLAN (1, for the 192.168.10.x network??) untagged. Is that correct?

On HP1820_02, I added the VLAN(100) for all the ports 1-8 (tagged), and left the default VLAN untagged.

Should I be able (at this point) to connect a laptop to any port on HP1820_02 with a static IP of e.g. 192.168.100.55/24 and have it be able to communicate to another laptop on the switch with another static IP in that VLAN - e.g. 192.168.100.66/24?

On the ESXi box, is there additional network config required to recognize the VLAN?

On the DHCP VM, can I just configure a scope for each VLAN?



DDOS - Enterprise Provider & Branch Office

So we have a site with Comcast (enterprise fiber, 100mbps) that has been having issues for a while now. After really digging into things, I firmly believe we are on the receiving end of intermittent DDOS attacks. Sometimes it's every few days, sometimes it may go 2-3 weeks without an issue. Luckily we have LTE backup so I can get in and take a look while things are going on. I always see the downstream totally saturated on the WAN side of my firewall, but that traffic is not getting passed to the LAN, which tells me it is not any client requesting traffic. I am sure the attack is higher than 100mbps, but obviously that is all we can see since that maxes out our circuit.

This site has a smaller routed IP subnet from Comcast, no BGP. So even if we wanted to, we could not use a filtering service from a 3rd party. Any on-site appliance would not help from my understanding, since by the time it hits us our circuit is maxed and thus the damage is done.

I sent a note out to one higher-level Comcast contact and didn't really get anywhere, besides them talking about possibly trying to sell us DDOS protection.

We have over 130 sites, and I have seen maybe 2 attacks over the past 10 years, single incidents each time, maybe lasting less than an hour in total. This is the only site that has ever had ongoing issues.

I plan on getting all my data together and just opening a ticket and see what they say and if there is perhaps any upstream filtering they could do?

Anyone have any experience with this?



Silent 10GigE Switches?

Anyone know any switches (any vendor) with a decent amount of 1G/10G SFP ports that runs fairly silent? Cost is not necessarily a factor, just noise.



How to protect yourself from backdoors in network equipment?

Is blocking internet access to the IP address of the switch management interface enough to prevent a backdoor being used on that switch? Or are backdoors on switch equipment more advanced than that?



QOS N00B

I have created a config on my access switches to mark traffic as per Cisco best practice.

What I am attempting to figure out is this: my agg switches (4500X) are configured as L2 to the core, and on my access switch I have a COS to DSCP mapping.

Given that the traffic should be marked as it egresses the access switch, do I need to simply trust the COS value as it enters my agg switch? Then from the agg to the core trust DSCP?

To further quantify my question, is there any further classifying that needs to occur between the agg and the core, or do I just trust the markings as they leave the access switch, and the trust will set the EF values and so forth as the traffic traverses the network?



Email to SMS Bouncebacks?

Currently, we email the SMS addresses (number@vtext.com for example) of a small number of users in our environment to notify them of issues.

If you text an invalid number, you'll often get a bounceback from Verizon noting "This is a landline". Today there was a discussion of different opinions and I'm curious if anyone knows: why do you not get email bouncebacks?



Azure Firewall Networking

Hi all,

Long time lurker, first time poster :)

I'm hoping to get some help regarding Azure HA and Firewalls.

I'm deploying 2x firewalls (Palo Alto) in Azure. I understand that they won't be a pair but will be singles in an active/active availability set, sandwiched between two load balancers (internal, external).

Here's where I'm lost..

  1. LBs; Just to confirm, the LBs in Azure only really work in one direction? They aren't routers, and there is a hidden system router using UDRs to route traffic? It seems that my deployed machines using DHCP set their default gateway to the first IP in the network. Is this the system router or the LB or both? If my machine wants to go outbound for internet traffic, how does my machine going outbound know to use the LB because there is a configured pool, or just to route straight out to a firewall IP or other device I have configured? Is this the purpose of UDR routes? To route traffic to the LB or to another IP, or is all the traffic supposed to go in and out of the LB?
  2. Backend pools; The only option I have on the load balancers seems to be to create backend pools on the LB to listen for single TCP or UDP ports and send to the firewalls. Can I not have it LB all traffic to my firewalls? Having to create a backend pool to listen on every service seems odd (potentially hundreds?).
  3. When I do create a backend pool it does seem to work to my internal server, but only if I use NAT on the firewall. When the packet leaves the inside address of the firewall to the server I seem to have to NAT the source to the inside address of the firewall. This does make sense, as now the return packet knows to send it back to the same firewall and not the internal LB, but this means I have to create NAT statements for every packet in and out on both firewalls? Is this correct?
  4. Hosting services; I have been told that only the external LB can have multiple public IP addresses (not the FWs), however I can see this being an issue. Even if I have two public IPs on the external LB with pools going to my firewalls, let's say this traffic is to different RDP servers. When the traffic arrives at the firewall there is nothing unique about the traffic in order for me to NAT the packet to the correct server for each public IP. I understand SNAT but I've been told this isn't an option. Even if it was an option it will SNAT to the inside address of the EXT LB? If I do this the traffic still all looks the same from the firewall's point of view? How do I NAT each service?

Sorry if this isn't the correct place.

Thanks for your help in advance.



Corero in-line DDoS scrubbing appliance

Does anyone have experience with Corero's inline DDOS scrubbing appliance? We are an ISP looking to add these at our edge.

If you're using them, how are they performing? Are there any reliability issues you've run into?



Network Simulators/Emulators?

I am somewhat new to networking and have been designing my own protocol. I want to test it using a Network Simulator but don't know enough about them to make an informed decision. I looked into CORE, but couldn't find a way to upload and run your own protocol. I have also used docker networks in the past, but its limitations prevent me from testing everything I want to.

I am looking for a network simulator that allows me to upload and run my own protocol so that I can test it effectively.



Cisco WLC making sure client is part of domain

Hey, not sure about the exact wording but: we have a wireless controller and access points which authenticate the users via LDAP. The only use for them should be connecting a laptop that is in our domain to the office network. Unfortunately, some workers log in to this network via their phone. I would like to make sure that a device that is connected to my office network is part of the domain. What are my options? Thanks.



VIRL not booting into GUI

http://bit.ly/2Byuenq

Cisco IP SLA Question

Ran into a unique case and my google-fu is failing me on this one. When an IP SLA is configured for failover routes on the ASA platform (or possibly any other Cisco platform in this scenario), how does the ASA interpret packet loss?

For example if my frequency is 60 seconds and my timeout is 5 seconds with a packet count of 3 but only 2 packets are received in that 5 seconds, is this marked as down?



Trying to use wireshark to track down some traffic.

Hey, hope this is the right place, and have the right info. Apologies if its not.

So, my network team opened a ticket with me saying that there are A LOT of DNS alerts that are going to the wrong domain address. Something like company.corp.com rather than companycorp.com.

We figure that someone was configuring something and just put a typo in the address and it was forgotten about. As my team own the source server it has been asked that we do some investigating.

So far, I've installed Wireshark on the server and can see the DNS request for the domain name and the response saying the host is unreachable, but that's as far as I've gotten.

How do I analyse the data to find out where in the Application layer this traffic is coming from?

Thanks for your Time.



Downloading causes uploading (Networking theory)

Hello everyone,

Today while downloading a big file from the internal server at work, via LAN I noticed that, while I was downloading at 100Mbit/s, I also had a semi-constant 2.5/3Mbit/s in upload data.

What causes this specifically? TCP/IP protocol sending acknowledgement packet?

Thank you!



Cisco ASA - Set to FIPS compliant to disable 3DES

We have an ASA running asa991-smp-k8.bin that is also setup as a VPN device for AnyConnect clients.

I have to remediate some Alert Logic scan issues and one of them is that 3DES is enabled on the ASA and it should be set to a higher one.

The current encryption Cipher Security Level is set to medium and I would like to ask what I need to consider before I set it to FIPS so 3DES is disabled?

The minimum SSL version for the security appliance to negotiate as a server is set to TLS V1.2

Minimum As a client is set TLSV1



Pfsense openvpn passthrough internal firewall to LAN

The setup I'm dealing with goes pfsense > Sophos firewall > LAN

I have openvpn setup and working on the pfsense but clients need to be able to access resources on the LAN. Right now clients can ping the outside interface of the Sophos but not ping anything on the LAN. What rules do I need on the Sophos to allow this? I've tried an inbound rule to allow any any from the vpn subnet (the IPs given out to vpn clients) but this didn't work.



MVRP operation over spanning-tree

Hi guys, I wanted to know how MVRP would interoperate with spanning-tree, as MVRP will dynamically add/remove ports. What is the behavior when a port goes to 'blocking' and 'forwarding'? Will MVRP propagate leave messages in case of a BLK and similarly for FWD, or will it not care about STP port states?



Cisco WLC SSO problem

Dear Networkers,

I have an issue with the failover from active to standby. When standby becomes active I can't ping its default gateway or any other destination. When I checked the ARP table on the switches and WLC everything seems to be correct. From the active one I can only ping the HSRP standby interface but can't ping the VIP or the master's interface. I checked all the trunks and native VLANs and they seem to be fine. My management traffic is tagged. When I make another failover everything seems to be fine, and from standby I can ping its default gateway and the HSRP master interface (but not the standby interface). I'm stuck. Has any of you encountered a similar issue?



Will default interface command delete and clear configuration from the sub-interfaces?

Suppose I have the interface Gi0/1

And I have sub-interfaces Gi0/1.100, Gi0/1.200, Gi0/1.201 etc.

If I do "default interface Gi0/1", will it remove the sub-interfaces and all their configuration?

I have a production line running on Gi0/1 and its sub-interfaces. I created a new port-channel using 2 other interfaces and want to move traffic to this Po (by creating Po1.100, Po1.200 etc).

This is on ASR1001 , running Version 15.4(1)S1 if it matters.



Wednesday, February 13, 2019

NMAP behind NAT & VPN

I came across an interesting finding while scanning an IP address for open ports. I have Kali on VirtualBox with NAT, the host is connected to a VPN and everything is working fine, but when I nmap for ports, I get around 235 open ports. I used Armitage and got around 15 shell sessions. When I disconnected from the VPN and ran nmap on the same IP, I get 3 open ports, which I intentionally opened to test this. Does anyone have any theory on why I got 2 different nmap results?



RFC 1027 says proxy ARP should NOT reply if src and dst are on the same physical network. But some firewalls do this to protect servers. Can someone clarify please.

  • Same Physical Network


Professional Training in Network Engineering

IIHT Vadapalani offers professional training in Networking that encompass the latest curriculum of most sought after Cisco certifications including CCNA and CCNP courses in Chennai. The professional trainers at IIHT impart knowledge, understanding, and skills needed to launch a dynamic career in Network Engineering. The course curriculum includes extensive hands-on practice of configuring networks that will enable the students to face the industry-standard CCNA certification examinations as well as demanding job requirements. The competent IIHT placement wing provides strong placement support with mock interviews, prep tests, career counseling and soft skills training programs to place deserving candidates in well reputed companies. For more details call us @ 8939814420. Visit us at www.iihtvadapalani.com.



Troubleshooting a 10G CenturyLink Wavelength

I need some help for my sanity. I'm having a lot of difficulty getting a 10G P2P wave up and running from CenturyLink. It's going between 2 carrier hotels, so with cross connects on either end, one side being unmanned, etc., it's taking forever to troubleshoot. The A location is manned by us, the Z is not.

Question is, regardless of whether my router at the Z end is connected, when I connect my router at the A location, I should see normal RX light levels, correct? Obviously link is down, but I should see something other than -40dBm.

We're using LR optics at both ends; A is a Cisco 6500, Z side is a Juniper MX980. Both sides keep reporting -40 dBm on RX, and we've tried rolling the pairs. We're 99% certain the fiber cross connects are good, but we are trying to get CenturyLink to dispatch a field tech to confirm that and do a true end-to-end test starting at the A side first.



Cisco FTD deployment times

Does anyone here have as much hate as I do towards Cisco FMC/FTD's?

I'm looking to see if anyone has been able to cut down deployment times.

I've talked with a few others in the area that have tested out/have the FTDs and the general consensus is that deployments in general take a painfully long time.
We are adding configurations to the firewalls almost every day and it won't be slowing down at all over the next 1-2 years.

Right now, our deployments take around 15 minutes (I just had one take 30 minutes). This is already painfully long (especially if the deployment doesn't finish and we have to wait ~55 minutes until the deployment times out).

I would honestly love to get these pulled out of production and move to something that causes less headaches. But, I want to know if anyone on here has come across similar issues/has a fix.

Here is a basic hardware overview:

(2) Cisco FTD 4140's (Clustered)

(1) Cisco FMC 1000



Remote management for network engineer

So I manage the network for a few companies, and when the internet is down I need to go down and diagnose the problem.

Is there a remote access management tool that I could put like a sim card in for data and a lan port to connect to the actual network for diagnosis?



OpenConfig - are you using it?

I've been looking into alternatives to our current monitoring platform and found some information on OpenConfig out there which looks interesting. Have any of you looked into this, done a PoC on it, or have any thoughts to share? It does seem to be updated fairly regularly (latest commit 2 months ago?) and has several issues open on its github repository with updates in the last week or two, so it's fairly active.

I can't find a whole lot of information on real use cases or success stories at the moment.

https://github.com/openconfig/public



Devices for measuring length of MM fiber cable? 10g/40g

Does anyone have familiarity with devices for testing fiber cable lengths? Did a little googling but so far am not finding what I'm looking for. I don't really need to test for faults although that would be a nice bonus. Looking for something that you can plug 40G or 10G LC/LC and/or MTM connector cables into.. are there things that can do both?



Trying to connect 1GBASE-LX to Netgate XG-7100 with Intel X553 SFP+ - is this possible?

So we are setting up a test lab in a data-centre, and I'm learning all this stuff trial-by-fire...lol.

The datacenter provides internet connectivity via 1G LX (Single Mode). So my plan was to source 1GBASE-LX SFP modules.

For the router, we are ordering Netgate XG-7100's, which have two in-built SFP+ ports.

It also has a PCIe slot - so I thought I could add additional ones if needed via an Intel X520-DA2.

However, I've been told that the XG-7100 won't take SFP+ cards, due to insufficient cooling/power.

Furthermore, apparently the in-built Intel X553 SFP+ ports do not take SFP modules =(.

What are our options here?

Should we bite the bullet, and get media converters? Or is this a SFP+ module that will work with 1G LX?



Need assistance for upgrading Cisco Catalyst 2960XR-48FPD-I stacked Switch

I am planning to upgrade IOS in a stacked 2960XR switch. Cisco doesn't have any documentation on the steps for upgrading the image in this switch model; however it does have a document for upgrading the image in a 3750 stacked switch (link below). I have a few questions:

  1. Can the steps given for upgrading a 3750 stacked switch be used exactly as they are for upgrading the 2960XR switch model as well?
  2. Is there any potential problem or bug that I need to be aware of when upgrading stacked switches that is not mentioned in Cisco documentation?
  3. Have you faced any particular issue with upgrading a 2960XR stacked switch?
  4. Which method of upgrading is more reliable: automatic upgrade using the .tar method or manual upgrade using the .bin method?

https://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-series-switches/64898-upgrade-3750-stack.html



Recommendation for network monitoring systems?

To preface, networking is not my strongest suit but I am always up to learn new things and see where it takes me..

So after doing my own research I came across PRTG, and after seeing that they offer up to 100 sensors for free I decided to lab it up and play around with it. My initial thought was that it seemed relatively intuitive and not that hard to get set up and configured.

However after doing a little more research I came across multiple threads saying that it poses a pretty big security risk and clear text passwords are thrown out in the clear. This was a pretty big turn off because it might eventually be used in production and we can’t have that happen obviously.

So it’s back to the drawing board.. I figure I’d ask the community to see what’s recommended and then see if I can lab it up.



LAN Standardization

Hi everyone and thanks in advance!

A little background here. We have 2 offices and 2 data centers with each site having DIA and MPLS circuits running DMVPN.

Right now the VLAN/Subnet architecture is all over the place, with no consistency, and no rhyme or reason. I would like to standardize the network and make it so that each office site has consistent VLANs (e.g. VLAN 20 would be VoIP at each office site).

This makes sense to me for the offices, but for the data centers I'm unsure of how to approach this, as there is talk of possibly spanning layer 2 between the data centers, so I'd like some guidance or reference material to study up on best practices for LAN standardization in data centers.



Cisco VIRL Question

I've got VIRL installed but keep getting 'Advanced key value store' failure during the VIRL bootup and do not have the address for the UWM listed above the virl@virl:$ prompt in order to get the GUI functioning.

Anyone here have VIRL kung fu?



Disjoint Spanning tree instances, all ports forwarding.

Reddit,

I'm looking for some advice as my google-fu seems to be failing me in finding the answers I'm looking for.

I have diagramed the topology/network segment I'm referring to: https://imgur.com/a/CWxBio5

  • My end goal is to decommission the Cisco stack as we no longer have support/need for it within our environment.

This was all configured prior to me joining the company, and I have come in blind as there was no documentation on anything. I am by no means a networking engineer and I am seeking some guidance.

When checking the STP configuration on the Cisco stack and HP Switch1/2 both port channels are in a forwarding state on both sides. To me this would mean there is a networking loop. The HP switches are not stacked and not MLAG capable. I am confused as to why this would be the case. I can only assume it's due to the disjointed STP instances and BPDUs not making it through correctly.

My aim is to move the port channels from the Cisco stack to the Huawei stack. I am unsure on how STP would react when carrying this out. If both portchannels remained in a forwarding state could this 'loop' be more catastrophic?

On the HP side the portchannel has "no spanning-tree auto-edge-port" defined in its config. There's no specific spanning-tree config on the Cisco interfaces/portchannels. There's no BPDU filtering that I can see; it just seems the Cisco stack is not passing them and not allowing for loop detection to take place.

Can anyone help shed some light or point me in the right direction on how best to proceed?

Thanks,



How to draw huge network diagram?

I have 400 switches with 60 stack configurations, plus firewalls, servers and wifi access points, ports, IPs, hostnames etc. How can I represent such a huge topology? An attempt at Visio resulted in a 2 gig file. Recommendations?



not sure if this should go here, currently Cableone and level 3 are having some communication issues

This is a PSA for anyone who might be looking for info on this issue, but it looks like CableOne loses its connection when handing off to Level 3. As of right now they are the only ISP I have found that is having this issue.



x-Post from Sysadmin: Debate on IP Phone pass through

It's amazing to see the comment contrast on /r/sysadmin when it comes to IP phone pass through:

https://old.reddit.com/r/sysadmin/comments/aq5afb/again_with_the_ip_phones/

Compare this to the debate thread that we just had a couple weeks ago in regards to phone pass through. Really puts it into perspective how different sectors in IT think.

https://www.reddit.com/r/networking/comments/afi9cg/is_daisychaining_from_voip_phone_to_computer_bad/



Cisco ASA Compatibility Question

Not a Cisco guy, but I have a 5515-x K8 that is EOL and we're not ready to pull the trigger on replacing it at this point in time, even though we cannot get a new SmartNet on it.

I've seen refurbished 5515-x K9's out there. I assume this is a newer model than the K8.

What I want to know is if I had a K9 here as a 'warm spare' and in the event of a failure of the K8 pushed a copy of the running config on the device or a full image of the K8 to the K9 would it operate correctly?

I'm curious about this as an interim BCP plan that we know is flawed, but kicks the can down the road until we can bite the bullet for Palo Altos that we want so badly.



Route target and how to use

Hi, I need to know how and when to use a route target and what's the use case on an A.S. with different client/VPN connected that use route distinguisher to manage the traffic



Facing problems with ELK stack: keep pushing on or find something simpler for our small environment?

http://bit.ly/2GGzkkM

VOIP Question Plz Help

I need to set up three Cisco IP Phone 7940 connected to each other to simulate a network. The phones only need to be able to make calls to each other no other networking is needed. I am doing this for my college and they already use VOIP that I cannot interfere with. What is the easiest way to make these phones work without any other networking? Thanks in advance.



Should I set up an additional firewall for EC2 instances in AWS, or are Security Groups enough?

What's the best practice here and why so?



What is wrong with my IPv6 Announcement?

I'm trying to get the basics of IPv6 ready in my SP deployment (Yeah we're years behind of any config and knowledge). IPv4 is easy enough to deploy and turn up new BGP peers, but something is kicking my ass with this IPv6. Any insight into what I'm missing here?

Thanks!

neighbor 2001:470:XX::
 remote-as 6939
 timers 10 30
 description HE IPv6 Transit
 session-open-mode both
 address-family ipv6 unicast
  send-community-ebgp
  route-policy INBOUND_PEERS_V6 in
  route-policy OUTBOUND_PEERS_V6 out
  next-hop-self
  soft-reconfiguration inbound always

route-policy INBOUND_PEERS_V6
  if destination in TOO-SPECIFICV6 then
    drop
  else
    pass
  endif
end-policy

route-policy OUTBOUND_PEERS_V6
  if destination in TOO-SPECIFICV6 then
    drop
  elseif destination in COMPANY_IPV6_BLOCKS then
    pass
  endif
end-policy

prefix-set TOO-SPECIFICV6
  ::/0 ge 49
end-set

prefix-set COMPANY_IPV6_BLOCKS
  2606:XXXX::/32
end-set

RP/0/RSP0/CPU0:ASR9006#show bgp vrf INTERNET ipv6 unicast neighbors 2001:470:XX::1 advertised-routes
Wed Feb 13 10:43:02.738 EST
RP/0/RSP0/CPU0:ASR9006#
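Added here as a worked example (not from the post, and not Cisco's code): a small Python model of how the posted RPL policies evaluate candidate prefixes, with the post's anonymised 2606:XXXX::/32 replaced by the constructed documentation prefix 2001:db8::/32. It also models RPL's end-of-policy behaviour, where a route that no branch explicitly passes is dropped.

```python
import ipaddress

# Constructed stand-ins for the post's anonymised values: the post's
# 2606:XXXX::/32 is replaced by the documentation prefix 2001:db8::/32.
# Entries are (base prefix, ge, le); None means the keyword was not given.
PREFIX_SETS = {
    # "::/0 ge 49": any IPv6 route whose prefix length is 49 or longer
    "TOO-SPECIFICV6": [("::/0", 49, None)],
    # bare entry, no ge/le: matches only that exact prefix and length
    "COMPANY_IPV6_BLOCKS": [("2001:db8::/32", None, None)],
}


def in_prefix_set(prefix, set_name):
    """Model RPL's 'destination in <prefix-set>' test.

    An entry 'P/L ge G le E' matches a route R when R lies within P/L and
    G <= len(R) <= E. 'ge' alone means G..128, 'le' alone means L..E, and
    neither keyword means exactly L.
    """
    route = ipaddress.IPv6Network(prefix, strict=False)
    for base, ge, le in PREFIX_SETS[set_name]:
        base_net = ipaddress.IPv6Network(base, strict=False)
        if not route.subnet_of(base_net):
            continue
        if ge is None and le is None:
            lo = hi = base_net.prefixlen
        else:
            lo = ge if ge is not None else base_net.prefixlen
            hi = le if le is not None else base_net.max_prefixlen
        if lo <= route.prefixlen <= hi:
            return True
    return False


def inbound_peers_v6(prefix):
    """INBOUND_PEERS_V6 as posted: drop overly specific routes, pass the rest."""
    if in_prefix_set(prefix, "TOO-SPECIFICV6"):
        return ("drop", "TOO-SPECIFICV6")
    return ("pass", "else branch")


def outbound_peers_v6(prefix):
    """OUTBOUND_PEERS_V6 as posted. RPL drops any route a policy does not
    explicitly pass, so a route matching neither branch ends up dropped too."""
    if in_prefix_set(prefix, "TOO-SPECIFICV6"):
        return ("drop", "TOO-SPECIFICV6")
    if in_prefix_set(prefix, "COMPANY_IPV6_BLOCKS"):
        return ("pass", "COMPANY_IPV6_BLOCKS")
    return ("drop", "implicit end-of-policy drop")


def evaluate(prefixes):
    """Return {prefix: (inbound result, outbound result)} for each candidate."""
    return {p: (inbound_peers_v6(p), outbound_peers_v6(p)) for p in prefixes}


if __name__ == "__main__":
    # Constructed candidates: the aggregate, a /48 carved from it, a /56,
    # a /49 and an unrelated ULA /32.
    candidates = ["2001:db8::/32", "2001:db8:1::/48", "2001:db8:2:ff00::/56",
                  "2001:db8::/49", "fd00:1234::/32"]
    for p, (inb, outb) in evaluate(candidates).items():
        print(f"{p:<22} inbound={inb[0]:<4} ({inb[1]})  "
              f"outbound={outb[0]:<4} ({outb[1]})")
```

With the sets as posted, only the exact /32 passes outbound; a /48 carved from it matches neither branch and falls through to the implicit drop.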


Seeking advice on MDU deployment...

My team was recently brought in to take over where a previous contractor failed to meet timelines along with overall failure of the projects. One of the terms of the contract they signed was to build networks (7 of them were "completed") which provided 10Gbps backhaul from an MDU to anywhere from 2 to 30 IDFs, whether these be in a high-rise building or structured more like an apartment complex. The consistent issue across the board is that OM1 MMF was originally deployed between the MDF and each IDF.

Where the complexity comes in is the MDF core switch is a Brocade ICX7750, which while it is a powerful switch and full-featured, it requires special 10GBASE-LRM optics in addition to only accommodating 12 10GB-LRM in a single chassis. We didn't know this when we got involved to take over the contract, and are looking for a way to continue deploying at each of these sites where OM1 fiber is in place, at distances of 900+ feet, and where 10GB is a requirement.

With that being said, we have considered mode-conditioning fiber cables so that we can use 10GB-LR modules on MMF which may help some, but it's still not ideal. I am completely unconvinced that 10GB-SR would be feasible to operate on this since all of the links are >30 meters.

So, aside from the idea of stacking media converters or going to the client and asking them to replace a 48 port 10GB/6 port 40GB switch with something that's more accommodating for this build, what would you guys do? I've considered going as far as placing a stack of Routerboard CRS317 units with 2 DACs for the uplinks to the 7750 and then 10GB-LRM off those to each IDF which would be fairly reliable and expensive to deploy, but I am trying to avoid any additional equipment in these sites since so many of the racks are near capacity.



2x DHCP hosts - slightly different results with trace route

I have 2x PC that are getting 2 different results with traceroute out the VPN.

Path: PC -> Switch (L3 gateway) -> FW -> (VPN) -> .....

Now the gateway of the switch is the FW, not the best setup, babysteps. However, I'm hitting the switch as first hop, he is not. What could be causing this behavior, we both have the same GW configured.

Essentially they both reach the destination, but I'm hoping this isn't a bomb waiting to explode.

TL;DR - 2x PCs pulling DHCP connected to the same switch, using TraceRT - only 1 shows the switch (Default gateway L3) as a hop.



What happens to the L2 portion of a packet when it gets to the first router?

I am reading through this page about networking and had a question about the ARP table portion.

This is the network in question. This is the packet being sent.

I understand that L2 has the host as source and, to leave the first network, it has an L2 destination of the first router. However, once it gets to the router, the L2 is "complete" right? It reached its destination. However, the packet still needs to make its way over to the Red Network. Does that mean the L2 destination gets overwritten with the next destination's MAC address? Thus, does L2 change multiple times through a packet transmission?

Thanks for any insight!
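As an added illustration (not part of the original post or the page it links to), a small forwarding model with constructed MAC and IP addresses: a host sends to a host two routers away, and each device rebuilds the Ethernet header from its own routing and ARP tables while the IP source and destination survive end to end (only the TTL changes).

```python
"""Per-hop Ethernet rewrite of an IP packet crossing two routers.

Constructed topology (all addresses made up for this example):
  HostA 10.0.1.10 --- R1 (10.0.1.1 / 10.0.2.1) --- R2 (10.0.2.2 / 10.0.3.1) --- HostB 10.0.3.10
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src_mac: str   # L2 header: rewritten at every hop
    dst_mac: str
    src_ip: str    # L3 header: unchanged end to end
    dst_ip: str
    ttl: int


@dataclass
class Node:
    name: str
    macs: dict     # interface -> this node's MAC on that interface
    routes: list   # (network, next_hop_ip or None if directly connected, out_iface)
    arp: dict      # neighbour IP -> neighbour MAC (the ARP table)

    def route(self, dst_ip):
        """Longest-prefix match over the routing table."""
        best = None
        for net, nh, iface in self.routes:
            n = ip_network(net)
            if ip_address(dst_ip) in n and (best is None or n.prefixlen > best[0].prefixlen):
                best = (n, nh, iface)
        if best is None:
            raise LookupError(f"{self.name}: no route to {dst_ip}")
        return best[1], best[2]

    def forward(self, pkt, is_router):
        """Return the frame this node puts on the wire towards pkt.dst_ip."""
        next_hop, iface = self.route(pkt.dst_ip)
        target = next_hop or pkt.dst_ip          # directly connected: ARP the host itself
        ttl = pkt.ttl - 1 if is_router else pkt.ttl  # routers decrement TTL, the sender does not
        if ttl <= 0:
            raise ValueError(f"{self.name}: TTL expired")
        # Only the L2 fields (and TTL) change; src_ip/dst_ip are carried over untouched.
        return replace(pkt, src_mac=self.macs[iface], dst_mac=self.arp[target], ttl=ttl)


HOST_A = Node("HostA", {"eth0": "aa:aa:aa:00:00:0a"},
              [("10.0.1.0/24", None, "eth0"), ("0.0.0.0/0", "10.0.1.1", "eth0")],
              {"10.0.1.1": "11:11:11:00:00:01"})
R1 = Node("R1", {"g0": "11:11:11:00:00:01", "g1": "11:11:11:00:00:02"},
          [("10.0.1.0/24", None, "g0"), ("10.0.2.0/24", None, "g1"), ("10.0.3.0/24", "10.0.2.2", "g1")],
          {"10.0.1.10": "aa:aa:aa:00:00:0a", "10.0.2.2": "22:22:22:00:00:01"})
R2 = Node("R2", {"g0": "22:22:22:00:00:01", "g1": "22:22:22:00:00:02"},
          [("10.0.2.0/24", None, "g0"), ("10.0.3.0/24", None, "g1"), ("0.0.0.0/0", "10.0.2.1", "g0")],
          {"10.0.2.1": "11:11:11:00:00:02", "10.0.3.10": "bb:bb:bb:00:00:0b"})


def trace(pkt, path):
    """Frames seen on each link when pkt is forwarded along path (first node is the sending host)."""
    frames = []
    for i, node in enumerate(path):
        pkt = node.forward(pkt, is_router=(i > 0))
        frames.append(pkt)
    return frames


if __name__ == "__main__":
    for hop, f in enumerate(trace(Packet("", "", "10.0.1.10", "10.0.3.10", 64), [HOST_A, R1, R2]), 1):
        print(f"link {hop}: {f.src_mac} -> {f.dst_mac} | {f.src_ip} -> {f.dst_ip} ttl={f.ttl}")
```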



Anyone seen unicast flooding but the destination MAC is in the CAM table?

This is from some Catalyst switches. I've confirmed the unicast flooded traffic's MAC destination is in the CAM table. Storm-control is triggering ingress from the access ports. I know what the common solutions are to this, but I am having a hard time understanding why it's happening if the MAC is there in the table to forward it up. TCAM utilization is fine.



Pfsense vs Sonicwall vs shorewall. SOHO firewall.

All,

I ask for your good fortune fellow packet heads.

Please excuse my random/out of order sentences, some of us are not gifted with linear thinking.

I am in the market for a new firewall for less than 10 users, with a good feature set (QoS, Packet Inspection (maybe)). This would be an international customer that is mobile (road warrior in Europe/APAC).

I am looking for (2 to 4 ports with WAN DHCP) maybe a commercial license for unlocking features, syslog/SNMP, headless (console only). No frills. Cisco is not on the table. OpenVPN/Site to Site (PSK and/or CERT based) ability, no wifi (will disable if installed).

Maybe 5 to 7 year lifespan. Budget is under $500. If viable, I will expand to 10+ installs.

TIA,

Joe



Networking Valentine's Day Reminder

Did you forget to get your SO a valentine's day present? It's not too late guys: https://youtu.be/Z8MWl9UGwQo



How to learn about advanced Telecom and ISP networking

I'm interested in learning about advanced Telecom and ISP networking such as fiber optics, Metropolitan area networks, SONET technology etc. Any good training resources available online? What's the general path for someone that wants to dive into a career like that? i.e. from beginner to expert.



Confusion over advertising routes between VRFs

Hi all

A bit of background - I've recently started a new job and my employer has a complicated (at least by my standards!) networking implementation. The previous network admin left suddenly and didn't create much in the way of useful documentation, so I've had to reverse engineer a lot of things. From what I can gather, the sites were connected using MPLS and GetVPN, and some sites have been migrated to a DMVPN solution.

The problem I have is with a site (Site1) connecting to a site on another continent (Site2). Both sites are connected to the same MPLS provider but the traffic is routed via the DMVPN hub site, because the routers in Site1 aren't advertising any routes into the MPLS, so Site2 sends traffic to the MPLS default route which is the hub site, and the traffic from there enters the DMVPN cloud. This is causing a huge amount of latency for the users.

I've simplified and/or obfuscated IP addresses where possible.

Site1 = 2x Cisco 2800 routers connected to an MPLS circuit. Routing done using EIGRP.

Site2 = 2x Cisco 892 routers connected to both an MPLS and internet circuit. Router is using EIGRP on the inside and BGP on the outside. HSRP configured on the inside.

Site2's config is very simple so I don't think the issue resides here. The internal network is 192.168.0.0/16 , 172.16.0.1 is the next hop on the LAN side

sh run | sec ip route
ip route 0.0.0.0 0.0.0.0 172.17.0.1
ip route 192.168.0.0 255.255.0.0 172.16.0.1

sh run | sec router eig
router eigrp 100
 redistribute static
 network 0.0.0.0
 no auto-summary

Site1's config on the other hand ...

There are two VRFs configured. One for MPLS and one for INET. There is a firewall behind the router and there are two transit VLANs used, one for internet traffic and one for traffic to the other sites; I'm not really clear on why this was done. The actual internal network of Site1 is made up of a few different subnets e.g. 172.20.1.0/24 but it's connected through a spaghetti of other devices with different interfaces in between.

ip vrf INET
 rd 65000:2
ip vrf MPLS
 rd 65000:1
interface GigabitEthernet8
 description MPLS
 ip vrf forwarding MPLS
 ip address 172.25.1.45 255.255.255.240
interface GigabitEthernet9
 description INET
 ip vrf forwarding INET
 ip address <public IP removed>
interface Vlan9
 ip address 172.25.10.108 255.255.255.248
 standby 0 ip 172.25.10.107
 standby 0 timers 1 4
 standby 0 priority 105
 standby 0 preempt delay minimum 60
 service-policy input PM_SET-DSCP
interface Vlan2525
 description Internet-FW
 ip vrf forwarding INET
 ip address 10.71.1.100 255.255.255.248
 ip nat inside
 ip virtual-reassembly in
 standby 0 ip 10.71.1.99
 standby 0 timers 1 4
 standby 0 priority 105
 standby 0 preempt delay minimum 60
router eigrp 100
 network 172.25.10.108 0.0.0.0
 network 172.25.200.22 0.0.0.0
 redistribute bgp 65000 metric 100000 10 255 1 1500
 distance eigrp 90 210
 passive-interface default
 no passive-interface Vlan9
router bgp 65000
 bgp router-id 172.25.200.22
 bgp log-neighbor-changes
 neighbor MPLS-HUB peer-group
 neighbor MPLS-HUB remote-as 65000
 neighbor MPLS-HUB timers 20 60
 neighbor INET-HUB peer-group
 neighbor INET-HUB remote-as 65000
 neighbor INET-HUB timers 20 60
 neighbor 10.0.0.1 peer-group MPLS-HUB
 neighbor 10.0.0.2 peer-group MPLS-HUB
 neighbor 10.0.20.1 peer-group INET-HUB
 neighbor 10.0.20.2 peer-group INET-HUB
 !
 address-family ipv4
  bgp redistribute-internal
  <a load of network xxx.xxx.xxx.xxx statements cut to advertise the internal networks of the site, but basically 172.20.0.0>
  neighbor MPLS-HUB send-community
  neighbor MPLS-HUB next-hop-self
  neighbor MPLS-HUB route-map MPLS-SPOKE-IN in
  neighbor MPLS-HUB route-map MPLS-SPOKE-OUT out
  neighbor INET-HUB send-community
  neighbor INET-HUB next-hop-self
  neighbor INET-HUB route-map INET-SPOKE-IN in
  neighbor INET-HUB route-map INET-SPOKE-OUT out
  neighbor 10.0.0.1 activate
  neighbor 10.0.0.1 soft-reconfiguration inbound
  neighbor 10.0.0.2 activate
  neighbor 10.0.0.2 soft-reconfiguration inbound
  neighbor 10.0.20.1 activate
  neighbor 10.0.20.1 soft-reconfiguration inbound
  neighbor 10.0.20.2 activate
  neighbor 10.0.20.2 soft-reconfiguration inbound
  distance bgp 20 109 109
 exit-address-family
ip route <various internal networks> Vlan9 172.25.10.105        <- next hop to firewall INET interface
ip route vrf INET 0.0.0.0 0.0.0.0 GigabitEthernet9 <ISP IP redacted>
ip route vrf INET <various internal networks> Vlan2525 10.71.1.97   <- next hop to firewall LAN interface
ip route vrf MPLS 0.0.0.0 0.0.0.0 GigabitEthernet8 172.25.1.33     <- next hop into MPLS

Site2's routers can see the MPLS interface of Site1 advertised through EIGRP but not the LAN:

Site2#sh ip route 172.25.1.45
Routing entry for 172.25.1.32/28
  Known via "eigrp 100", distance 170, metric 341760
  Tag 64532, type external
  Redistributing via eigrp 100
  Last update from 172.25.7.21 on GigabitEthernet0/1, 5d02h ago
  Routing Descriptor Blocks:
  * 172.25.7.21, from 172.25.7.21, 5d02h ago, via GigabitEthernet0/1
      Route metric is 341760, traffic share count is 1
      Total delay is 10020 microseconds, minimum bandwidth is 30030 Kbit
      Reliability 255/255, minimum MTU 1500 bytes
      Loading 1/255, Hops 2
      Route tag 64532

Site2#sh ip route 172.20.1.2
% Network not in table

Site1 doesn't have any routes to this network so traffic goes to the hub site over the DMVPN:

Site1#sh ip route vrf * 192.168.0.0
% Network not in table

Routing Table: INET
% Network not in table

Routing Table: MPLS
% Network not in table

So, I read about route leaking (https://www.netcraftsmen.com/using-vrf-lite-eigrp-and-static-routes/). I thought a configuration like this would work, but I still don't get the routes visible from the remote sites:

router eigrp 100
 !
 address-family ipv4 vrf MPLS
  redistribute static
  network 172.20.0.0
  autonomous-system 65000

Can anyone point me in the right direction? I feel like this isn't the complete config but I'm not sure what else I'm missing... sorry for the long post, my head hurts!!



EIGRP Adjacency flapping, IPv6

Feb 13 11:52:38.554: %DUAL-5-NBRCHANGE: EIGRP-IPv6 100: Neighbor FE80::2 (Ethernet0/0) is down: holding time expired

*Feb 13 11:52:46.255: %DUAL-5-NBRCHANGE: EIGRP-IPv6 100: Neighbor FE80::1 (Ethernet0/0) is up: new adjacency

*Feb 13 11:52:50.946: %DUAL-5-NBRCHANGE: EIGRP-IPv6 100: Neighbor FE80::2 (Ethernet0/0) is up: new adjacency

*Feb 13 11:53:01.260: %DUAL-5-NBRCHANGE: EIGRP-IPv6 100: Neighbor FE80::1 (Ethernet0/0) is down: holding time expired

*Feb 13 11:53:01.262: EIGRP: Build goodbye tlv for FE80::1

*Feb 13 11:53:05.955: %DUAL-5-NBRCHANGE: EIGRP-IPv6 100: Neighbor FE80::2 (Ethernet0/0) is down: holding time expired

*Feb 13 11:53:27.259: %DUAL-5-NBRCHANGE: EIGRP-IPv6 100: Neighbor FE80::1 (Ethernet0/0) is up: new adjacency

*Feb 13 11:53:32.060: %DUAL-5-NBRCHANGE: EIGRP-IPv6 100: Neighbor FE80::2 (Ethernet0/0) is up: new adjacency

*Feb 13 11:53:42.267: %DUAL-5-NBRCHANGE: EIGRP-IPv6 100: Neighbor FE80::1 (Ethernet0/0) is down: holding time expired

*Feb 13 11:53:42.276: EIGRP: Build goodbye tlv for FE80::1
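Added example, not from the original post: a parser for the NBRCHANGE lines quoted above (copied into SAMPLE_LOG) that measures how long each adjacency stays up before "holding time expired" tears it down. The check assumes the IOS default EIGRP hold time of 15 s for this interface; pass the configured value if it differs.

```python
"""Measure EIGRP adjacency lifetimes from %DUAL-5-NBRCHANGE syslog lines."""
import re
from collections import defaultdict
from datetime import datetime

# The log lines from the post (first line lacks the leading '*' exactly as quoted).
SAMPLE_LOG = """\
Feb 13 11:52:38.554: %DUAL-5-NBRCHANGE: EIGRP-IPv6 100: Neighbor FE80::2 (Ethernet0/0) is down: holding time expired
*Feb 13 11:52:46.255: %DUAL-5-NBRCHANGE: EIGRP-IPv6 100: Neighbor FE80::1 (Ethernet0/0) is up: new adjacency
*Feb 13 11:52:50.946: %DUAL-5-NBRCHANGE: EIGRP-IPv6 100: Neighbor FE80::2 (Ethernet0/0) is up: new adjacency
*Feb 13 11:53:01.260: %DUAL-5-NBRCHANGE: EIGRP-IPv6 100: Neighbor FE80::1 (Ethernet0/0) is down: holding time expired
*Feb 13 11:53:01.262: EIGRP: Build goodbye tlv for FE80::1
*Feb 13 11:53:05.955: %DUAL-5-NBRCHANGE: EIGRP-IPv6 100: Neighbor FE80::2 (Ethernet0/0) is down: holding time expired
*Feb 13 11:53:27.259: %DUAL-5-NBRCHANGE: EIGRP-IPv6 100: Neighbor FE80::1 (Ethernet0/0) is up: new adjacency
*Feb 13 11:53:32.060: %DUAL-5-NBRCHANGE: EIGRP-IPv6 100: Neighbor FE80::2 (Ethernet0/0) is up: new adjacency
*Feb 13 11:53:42.267: %DUAL-5-NBRCHANGE: EIGRP-IPv6 100: Neighbor FE80::1 (Ethernet0/0) is down: holding time expired
*Feb 13 11:53:42.276: EIGRP: Build goodbye tlv for FE80::1
"""

NBRCHANGE = re.compile(
    r"^\*?(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d\.\d+): %DUAL-5-NBRCHANGE: "
    r"EIGRP-(?P<af>IPv4|IPv6) (?P<asn>\d+): Neighbor (?P<nbr>\S+) \((?P<iface>\S+)\) "
    r"is (?P<state>up|down): (?P<reason>.*)$"
)


def parse_events(text):
    """(timestamp, neighbour, interface, 'up'|'down', reason) for every NBRCHANGE line."""
    events = []
    for line in text.splitlines():
        m = NBRCHANGE.match(line.strip())
        if not m:
            continue  # "Build goodbye tlv" and other debug lines carry no state change
        # The syslog stamp has no year; strptime fills in 1900, which is fine for differences.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S.%f")
        events.append((ts, m["nbr"], m["iface"], m["state"], m["reason"]))
    return events


def adjacency_lifetimes(events):
    """neighbour -> seconds each adjacency lived between 'is up' and the next 'is down'."""
    up_since = {}
    lifetimes = defaultdict(list)
    for ts, nbr, iface, state, _reason in sorted(events):
        key = (nbr, iface)
        if state == "up":
            up_since[key] = ts
        elif key in up_since:  # a 'down' with no preceding 'up' in the sample is ignored
            lifetimes[nbr].append(round((ts - up_since.pop(key)).total_seconds(), 3))
    return dict(lifetimes)


def diagnose(text, hold_time=15.0, slack=1.0):
    """Per neighbour: lifetimes, hold-timer expiries, and whether it dies right at hold time.

    An adjacency that comes up and then expires after exactly one hold time means
    the router received the initial hellos but none afterwards.
    """
    events = parse_events(text)
    lifetimes = adjacency_lifetimes(events)
    report = {}
    for nbr in sorted({e[1] for e in events}):
        expired = sum(1 for e in events if e[1] == nbr and e[3] == "down"
                      and e[4] == "holding time expired")
        lives = lifetimes.get(nbr, [])
        report[nbr] = {
            "lifetimes": lives,
            "hold_expired": expired,
            "dies_at_hold_time": bool(lives) and all(abs(l - hold_time) <= slack for l in lives),
        }
    return report


if __name__ == "__main__":
    for nbr, info in diagnose(SAMPLE_LOG).items():
        print(nbr, info)
```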



Can I on Cisco 800 series allow vlan 1 to talk with vlan 2, but not vlan 2 with vlan 1?

Greetings,

Like the title says, I'm having difficulty finding examples of how to do this on Cisco 800 series. They always refer to Cisco ASA configuration.

Can someone help?



Linux is sending a single pkt larger than 15KBytes

I see a single packet larger than 15 KBytes on the wire, in a simple 3-node topology in a straight line.

NodeA<------ NodeB<--------NodeC

Traffic is flowing from NodeC to NodeA. Capture is done from egress side of NodeC and ingress side of NodeB.

Wireshark is capturing over 15 KBytes as displayed in the "Frame Length" field (I've disabled TCP follow stream).

I could blame it on the NIC not following standards etc, but want to understand this a little more and ways to avoid it.

Reading online, there are some Large Send Offload settings that may trigger this. Has anyone seen pkts larger than 10K in their network?



Cisco RV340W licensing

Hello everyone,

Long time redditor, first time poster :)

I was handed a Cisco RV340W and was asked to license the devices (there are 3 of them). I generally don't deal with licensing but the guy who manages all this left the company and I'm the only one here who can "help". The company I am in has a Cisco account and I am able to download new firmware versions for the devices so I think we are all good on that side of things.

However, I noticed when I log in under the licensing tab, there is a Registration Status and License Authorization Status. I've done some googling and I believe the License Authorization Status is for the extra features such as AVC_Webfilter and AnyConnectVPN (for more than 2 users). When enabled there is a 60 day "play around" trial and when disabled the status goes green. The guys who will be using the device don't require AnyConnect or the WebFilter so I am assuming leaving it disabled won't have an impact on the normal features. Regarding the Registration status, is this just for the SMARTnet support? For example TAC support etc? If I don't register the device, will I lose functionality after some time?

Just a little confused regarding the licenses and a gentle push in the right direction would be greatly appreciated!

Thanks for your time.



source for third-party transceiver or DAC?

I've purchased about 20 DACs and a few transceivers in the past few months from fs.com and have had pretty good luck. Unfortunately, I just ran into an issue with an Aruba 2930M. fs.com specified their 11559 transceiver which states that it's J9150A-compatible. The spec sheet for the 2930M says it supports the J9150D. When I checked with fs.com support, they said it would work. Well, lo and behold it doesn't. The transceiver comes up as not supported (even with the setting to allow unsupported transceivers set). I re-engaged support and they've just come back to tell me they don't currently have a solution, so I'm looking elsewhere.

After some checking here on this sub, I checked out Flexoptix, but it appears that they're in the same boat with only J9150A support. Anyone have a suggestion in general for a source or perhaps in particular for a third-party J9150D DAC or transceiver?



Tuesday, February 12, 2019

Is a router what I need?

Hello r/networking! I am a graduate student working on a project and was hoping you all could educate me/point me in the right direction.

I am building/operating a remote observatory inside of which there is a primary computer and a dozen or more network connected devices, many of which have a fixed IP address. Currently the primary computer is the only device connected to the outside world. It is connected to the nearest internet-connected network via media converters and fiber. IMPORTANT NOTE: this outside network will not always be the same and I do not necessarily have any control over it whatsoever; it may be DHCP or static. The remaining devices are all on an internal network being hosted via a switch and network card in the primary computer. I remote connect to the primary computer and can access/control all the devices.

I would like to add a router to the system which would host all the devices including the primary computer on a static IP internal network. The outside network should only see one device, the router, but I want all the devices on the internal network to be able to connect to the internet through the router.

Not necessary, but the following abilities would be beneficial:

- The ability to 'tunnel' through the router and remote connect directly to a device via IP address

- The ability to remote connect to the router, via SSH or other, and access devices via a terminal or a browser (some devices have an HTML GUI).

- Extremely stable. This is a remote site and on-site troubleshooting means driving multiple hours, assuming weather even allows access. Everything is on a UPS but power outages can last hours to days and it needs to be able to restart on its own.

- Rack-mountable

Is a router the correct device for my use case? Any product suggestions or guidance on what I should be looking for in the enterprise market?



BGP Help!

Hello! I'm managing a customer network that uses 4 BGP peers across 2 different WAN links. The 4 peers connect to 2 different data center devices. Recently, we just lost several sites (maybe 5-10 out of 300) on one of the peers. All the affected sites are to the same data center router across the second WAN link (CradlePoint). The primary WAN1 connection to that same data center is just fine.

I've tried some debugging and I compared the config the best I could but am honestly not seeing any issues. Can someone take a look and see if they can see what I'm missing? (changed IPs for security concerns)

I think the issue could be this "tcb not available"

BGP Config: (at the Spoke site)

router bgp 12345
 bgp router-id 10.0.99.99
 bgp log-neighbor-changes
 neighbor 10.0.100.251 remote-as 100
 neighbor 10.0.100.251 local-as 100
 neighbor 10.0.100.251 fall-over bfd multi-hop
 neighbor 10.0.100.253 remote-as 100
 neighbor 10.0.100.253 local-as 100
 neighbor 10.0.100.253 fall-over bfd multi-hop
 neighbor 10.0.200.251 remote-as 101
 neighbor 10.0.200.251 local-as 101
 neighbor 10.0.200.253 remote-as 101
 neighbor 10.0.200.253 local-as 101
 !
 address-family ipv4
  network 10.12.252.0 mask 255.255.252.0
  network 172.31.94.128 mask 255.255.255.224
  neighbor 10.0.100.251 activate
  neighbor 10.0.100.251 weight 100
  neighbor 10.0.100.251 soft-reconfiguration inbound
  neighbor 10.0.100.253 activate
  neighbor 10.0.100.253 weight 95
  neighbor 10.0.100.253 soft-reconfiguration inbound
  neighbor 10.0.200.251 activate
  neighbor 10.0.200.251 weight 90
  neighbor 10.0.200.251 soft-reconfiguration inbound
  neighbor 10.0.200.253 activate
  neighbor 10.0.200.253 weight 85
  neighbor 10.0.200.253 soft-reconfiguration inbound
  distribute-list prefix default-route in
 exit-address-family

Debugs: debug ip ipv4 and debug ip nat translation

TCP special event debugging is on

router#term mon

router#

Feb 12 16:25:59 PST: TCP0: RETRANS timeout timer expired

Feb 12 16:25:59 PST: Released port 13562 in Transport Port Agent for TCP IP type 1 delay 240000

Feb 12 16:25:59 PST: TCP0: state was SYNSENT -> CLOSED [13562 -> 10.0.200.251(179)]

Feb 12 16:25:59 PST: TCB 0x3F7ADE1C destroyed

Feb 12 16:25:59 PST: BGP: 10.0.200.251 open failed: Connection timed out; remote host not responding

Feb 12 16:25:59 PST: BGP: 10.0.200.251 Active open failed - tcb is not available, open active delayed 10240ms (35000ms max, 60% jitter)

Feb 12 16:25:59 PST: BGP: ses global 10.0.200.251 (0x3F46606C:0) act Reset (Active open failed).

router#

Feb 12 16:25:59 PST: BGP: 10.0.200.251 active went from Active to Idle

Feb 12 16:25:59 PST: BGP: nbr global 10.0.200.251 Active open failed - open timer running

Feb 12 16:25:59 PST: BGP: nbr global 10.0.200.251 Active open failed - open timer running

router#

Feb 12 16:26:09 PST: BGP: 10.0.200.251 active went from Idle to Active

Feb 12 16:26:09 PST: BGP: 10.0.200.251 open active, local address 10.0.146.245

Feb 12 16:26:09 PST: tcp_uniqueport: using ephemeral max 65535

Feb 12 16:26:09 PST: Reserved port 45519 in Transport Port Agent for TCP IP type 1

Feb 12 16:26:09 PST: TCB4101600C getting property TCP_STRICT_ADDR_BIND (19)

Feb 12 16:26:09 PST: TCP0: Connection to 10.0.200.251:179, advertising MSS 1336

Feb 12 16:26:09 PST: TCP0: state was CLOSED -> SYNSENT [45519 -> 10.0.200.251(179)]

router#

Feb 12 16:26:11 PST: BGP: topo global:IPv4 Unicast:base Scanning routing tables

Feb 12 16:26:11 PST: BGP: topo global:VPNv4 Unicast:base Scanning routing tables

Feb 12 16:26:11 PST: BGP: topo att-mpls:VPNv4 Unicast:base Scanning routing tables

Feb 12 16:26:11 PST: BGP: topo inet:VPNv4 Unicast:base Scanning routing tables

Feb 12 16:26:11 PST: BGP: topo global:IPv4 Multicast:base Scanning routing tables

Feb 12 16:26:11 PST: TCP0: RETRANS timeout timer expired

Feb 12 16:26:11 PST: 10.0.146.245:45519 <---> 10.0.200.251:179 congestion window changes

Feb 12 16:26:11 PST: cwnd from 1336 to 1336, ssthresh from 65535 to 2672

router#

Feb 12 16:26:11 PST: TCP0: timeout #1 - timeout is 4000 ms, seq 3478527092

Feb 12 16:26:11 PST: TCP: (45519) -> 10.0.200.251(179)

router#

Feb 12 16:26:15 PST: TCP0: RETRANS timeout timer expired

Feb 12 16:26:15 PST: TCP0: timeout #2 - timeout is 8000 ms, seq 3478527092

Feb 12 16:26:15 PST: TCP: (45519) -> 10.0.200.251(179)

router#

Feb 12 16:26:16 PST: %FW-6-DROP_PKT: Dropping udp session 10.12.252.132:137 172.16.135.87:137 on zone-pair storenet-bcfcorpnet class class-default due to DROP action found in policy-map with ip ident 56898

router#

Feb 12 16:26:23 PST: TCP0: RETRANS timeout timer expired

Feb 12 16:26:23 PST: TCP0: timeout #3 - timeout is 16000 ms, seq 3478527092

Feb 12 16:26:23 PST: TCP: (45519) -> 10.0.200.251(179)

router#

Feb 12 16:26:39 PST: TCP0: RETRANS timeout timer expired

Feb 12 16:26:39 PST: Released port 45519 in Transport Port Agent for TCP IP type 1 delay 240000

Feb 12 16:26:39 PST: TCP0: state was SYNSENT -> CLOSED [45519 -> 10.0.200.251(179)]

Feb 12 16:26:39 PST: TCB 0x4101600C destroyed

Feb 12 16:26:39 PST: BGP: 10.0.200.251 open failed: Connection timed out; remote host not responding

Feb 12 16:26:39 PST: BGP: 10.0.200.251 Active open failed - tcb is not available, open active delayed 14336ms (35000ms max, 60% jitter)

Feb 12 16:26:39 PST: BGP: ses global 10.0.200.251 (0x401249A4:0) act Reset (Active open failed).

router#

Feb 12 16:26:39 PST: BGP: 10.0.200.251 active went from Active to Idle

Feb 12 16:26:39 PST: BGP: nbr global 10.0.200.251 Active open failed - open timer running

Feb 12 16:26:39 PST: BGP: nbr global 10.0.200.251 Active open failed - open timer running

router#

Feb 12 16:26:53 PST: BGP: 10.0.200.251 active went from Idle to Active

Feb 12 16:26:53 PST: BGP: 10.0.200.251 open active, local address 10.0.146.245

Feb 12 16:26:53 PST: tcp_uniqueport: using ephemeral max 65535

Feb 12 16:26:53 PST: Reserved port 11563 in Transport Port Agent for TCP IP type 1

Feb 12 16:26:53 PST: TCB3A067D18 getting property TCP_STRICT_ADDR_BIND (19)

Feb 12 16:26:53 PST: TCP0: Connection to 10.0.200.251:179, advertising MSS 1336

Feb 12 16:26:53 PST: TCP0: state was CLOSED -> SYNSENT [11563 -> 10.0.200.251(179)]

router#

Feb 12 16:26:55 PST: TCP0: RETRANS timeout timer expired

Feb 12 16:26:55 PST: 10.0.146.245:11563 <---> 10.0.200.251:179 congestion window changes

Feb 12 16:26:55 PST: cwnd from 1336 to 1336, ssthresh from 65535 to 2672

Feb 12 16:26:55 PST: TCP0: timeout #1 - timeout is 4000 ms, seq 650223779

Feb 12 16:26:55 PST: TCP: (11563) -> 10.0.200.251(179)

router#

Feb 12 16:26:59 PST: TCP0: RETRANS timeout timer expired

Feb 12 16:26:59 PST: TCP0: timeout #2 - timeout is 8000 ms, seq 650223779

Feb 12 16:26:59 PST: TCP: (11563) -> 10.0.200.251(179)

router#

Feb 12 16:27:07 PST: TCP0: RETRANS timeout timer expired

Feb 12 16:27:07 PST: TCP0: timeout #3 - timeout is 16000 ms, seq 650223779

Feb 12 16:27:07 PST: TCP: (11563) -> 10.0.200.251(179)

router#

Feb 12 16:27:11 PST: BGP: Sched timer-wheel running slow by 1 ticks

Feb 12 16:27:11 PST: BGP: topo global:IPv4 Unicast:base Scanning routing tables

Feb 12 16:27:11 PST: BGP: topo global:VPNv4 Unicast:base Scanning routing tables

Feb 12 16:27:11 PST: BGP: topo att-mpls:VPNv4 Unicast:base Scanning routing tables

Feb 12 16:27:11 PST: BGP: topo inet:VPNv4 Unicast:base Scanning routing tables

Feb 12 16:27:11 PST: BGP: topo global:IPv4 Multicast:base Scanning routing tables

router#

Feb 12 16:27:21 PST: %FW-6-DROP_PKT: Dropping udp session 10.12.252.132:137 172.16.135.87:137 on zone-pair storenet-bcfcorpnet class class-default due to DROP action found in policy-map with ip ident 56901

router#

Feb 12 16:27:23 PST: TCP0: RETRANS timeout timer expired

Feb 12 16:27:23 PST: Released port 11563 in Transport Port Agent for TCP IP type 1 delay 240000

Feb 12 16:27:23 PST: TCP0: state was SYNSENT -> CLOSED [11563 -> 10.0.200.251(179)]

Feb 12 16:27:23 PST: TCB 0x3A067D18 destroyed

Feb 12 16:27:23 PST: BGP: 10.0.200.251 open failed: Connection timed out; remote host not responding

Feb 12 16:27:23 PST: BGP: 10.0.200.251 Active open failed - tcb is not available, open active delayed 12288ms (35000ms max, 60% jitter)

Feb 12 16:27:23 PST: BGP: ses global 10.0.200.251 (0x214AC9F0:0) act Reset (Active open failed).

router#

Feb 12 16:27:23 PST: BGP: 10.0.200.251 active went from Active to Idle

Feb 12 16:27:23 PST: BGP: nbr global 10.0.200.251 Active open failed - open timer running

Feb 12 16:27:23 PST: BGP: nbr global 10.0.200.251 Active open failed - open timer running

router#

Feb 12 16:27:35 PST: BGP: 10.0.200.251 active went from Idle to Active

Feb 12 16:27:35 PST: BGP: 10.0.200.251 open active, local address 10.0.146.245

Feb 12 16:27:35 PST: tcp_uniqueport: using ephemeral max 65535

Feb 12 16:27:35 PST: Reserved port 42948 in Transport Port Agent for TCP IP type 1

Feb 12 16:27:35 PST: TCB42030CE8 getting property TCP_STRICT_ADDR_BIND (19)

Feb 12 16:27:35 PST: TCP0: Connection to 10.0.200.251:179, advertising MSS 1336

Feb 12 16:27:35 PST: TCP0: state was CLOSED -> SYNSENT [42948 -> 10.0.200.251(179)]

router#

Feb 12 16:27:37 PST: TCP0: RETRANS timeout timer expired

Feb 12 16:27:37 PST: 10.0.146.245:42948 <---> 10.0.200.251:179 congestion window changes

Feb 12 16:27:37 PST: cwnd from 1336 to 1336, ssthresh from 65535 to 2672

Feb 12 16:27:37 PST: TCP0: timeout #1 - timeout is 4000 ms, seq 2064756798

Feb 12 16:27:37 PST: TCP: (42948) -> 10.0.200.251(179)

router#

Feb 12 16:27:41 PST: TCP0: RETRANS timeout timer expired

Feb 12 16:27:41 PST: TCP0: timeout #2 - timeout is 8000 ms, seq 2064756798

Feb 12 16:27:41 PST: TCP: (42948) -> 10.0.200.251(179)

router#

Feb 12 16:27:49 PST: TCP0: RETRANS timeout timer expired

Feb 12 16:27:49 PST: TCP0: timeout #3 - timeout is 16000 ms, seq 2064756798

Feb 12 16:27:49 PST: TCP: (42948) -> 10.0.200.251(179)

router#

Feb 12 16:28:05 PST: TCP0: RETRANS timeout timer expired

Feb 12 16:28:05 PST: Released port 42948 in Transport Port Agent for TCP IP type 1 delay 240000

Feb 12 16:28:05 PST: TCP0: state was SYNSENT -> CLOSED [42948 -> 10.0.200.251(179)]

Feb 12 16:28:05 PST: TCB 0x42030CE8 destroyed

Feb 12 16:28:05 PST: BGP: 10.0.200.251 open failed: Connection timed out; remote host not responding

Feb 12 16:28:05 PST: BGP: 10.0.200.251 Active open failed - tcb is not available, open active delayed 7168ms (35000ms max, 60% jitter)

Feb 12 16:28:05 PST: BGP: ses global 10.0.200.251 (0x2145C8BC:0) act Reset (Active open failed).

router#

Feb 12 16:28:05 PST: BGP: 10.0.200.251 active went from Active to Idle

Feb 12 16:28:05 PST: BGP: nbr global 10.0.200.251 Active open failed - open timer running

Feb 12 16:28:05 PST: BGP: nbr global 10.0.200.251 Active open failed - open timer running

router#

Feb 12 16:28:11 PST: BGP: topo global:IPv4 Unicast:base Scanning routing tables

Feb 12 16:28:11 PST: BGP: topo global:VPNv4 Unicast:base Scanning routing tables

Feb 12 16:28:11 PST: BGP: topo att-mpls:VPNv4 Unicast:base Scanning routing tables

Feb 12 16:28:11 PST: BGP: topo inet:VPNv4 Unicast:base Scanning routing tables

Feb 12 16:28:11 PST: BGP: topo global:IPv4 Multicast:base Scanning routing tables

router#

Feb 12 16:28:12 PST: BGP: 10.0.200.251 active went from Idle to Active

Feb 12 16:28:12 PST: BGP: 10.0.200.251 open active, local address 10.0.146.245

Feb 12 16:28:12 PST: tcp_uniqueport: using ephemeral max 65535

Feb 12 16:28:12 PST: Reserved port 64922 in Transport Port Agent for TCP IP type 1

Feb 12 16:28:12 PST: TCB3FCB5D98 getting property TCP_STRICT_ADDR_BIND (19)

Feb 12 16:28:12 PST: TCP0: Connection to 10.0.200.251:179, advertising MSS 1336

Feb 12 16:28:12 PST: TCP0: state was CLOSED -> SYNSENT [64922 -> 10.0.200.251(179)]

router#

Feb 12 16:28:14 PST: TCP0: RETRANS timeout timer expired

Feb 12 16:28:14 PST: 10.0.146.245:64922 <---> 10.0.200.251:179 congestion window changes

Feb 12 16:28:14 PST: cwnd from 1336 to 1336, ssthresh from 65535 to 2672

Feb 12 16:28:14 PST: TCP0: timeout #1 - timeout is 4000 ms, seq 1770928857

Feb 12 16:28:14 PST: TCP: (64922) -> 10.0.200.251(179)

router#

Feb 12 16:28:18 PST: TCP0: RETRANS timeout timer expired

Feb 12 16:28:18 PST: TCP0: timeout #2 - timeout is 8000 ms, seq 1770928857

Feb 12 16:28:18 PST: TCP: (64922) -> 10.0.200.251(179)

router#

Feb 12 16:28:26 PST: TCP0: RETRANS timeout timer expired

Feb 12 16:28:26 PST: TCP0: timeout #3 - timeout is 16000 ms, seq 1770928857

Feb 12 16:28:26 PST: TCP: (64922) -> 10.0.200.251(179)

router#

Feb 12 16:28:42 PST: TCP0: RETRANS timeout timer expired

Feb 12 16:28:42 PST: Released port 64922 in Transport Port Agent for TCP IP type 1 delay 240000

Feb 12 16:28:42 PST: TCP0: state was SYNSENT -> CLOSED [64922 -> 10.0.200.251(179)]

Feb 12 16:28:42 PST: TCB 0x3FCB5D98 destroyed

Feb 12 16:28:42 PST: BGP: 10.0.200.251 open failed: Connection timed out; remote host not responding

Feb 12 16:28:42 PST: BGP: 10.0.200.251 Active open failed - tcb is not available, open active delayed 12288ms (35000ms max, 60% jitter)

Feb 12 16:28:42 PST: BGP: ses global 10.0.200.251 (0x3A06B420:0) act Reset (Active open failed).

router#

Feb 12 16:28:42 PST: BGP: 10.0.200.251 active went from Active to Idle

Feb 12 16:28:42 PST: BGP: nbr global 10.0.200.251 Active open failed - open timer running

Feb 12 16:28:42 PST: BGP: nbr global 10.0.200.251 Active open failed - open timer running