[c-nsp] cisco-nsp Digest, Vol 65, Issue 103

Yong Sung sungy at ohsu.edu
Sat Apr 19 14:46:14 EDT 2008


got it.

thanks
yong

>>> cisco-nsp-request at puck.nether.net 4/19/2008 4:34 AM >>>

Today's Topics:

   1. Re: Cisco 7206VXR (Gert Doering)
   2. Re: Cisco 7206VXR (Jason Berenson)
   3. Re: Cisco 7206VXR (Buhrmaster, Gary)
   4. Re: Cisco 7206VXR (Tassos Chatzithomaoglou)
   5. Re: %BGP-3-INVALID_MPLS: Invalid MPLS label (1) (Christian Bering)
   6. Re: Cisco 7206VXR (Tolstykh, Andrew)
   7. Re: Cisco 7206VXR (e ninja)
   8. Re: EAP SSL certificates - how to? (Phil Mayers)
   9. Re: %BGP-3-INVALID_MPLS: Invalid MPLS label (1) (Saku Ytti)
  10. "continue" in outbound route-map (Peter Rathlev)


----------------------------------------------------------------------

Message: 1
Date: Fri, 18 Apr 2008 23:16:04 +0200
From: Gert Doering <gert at greenie.muc.de>
Subject: Re: [c-nsp] Cisco 7206VXR
To: Rodney Dunn <rodunn at cisco.com>
Cc: "cisco-nsp at puck.nether.net" <cisco-nsp at puck.nether.net>
Message-ID: <20080418211604.GG3278 at greenie.muc.de>
Content-Type: text/plain; charset="us-ascii"

Hi,

On Fri, Apr 18, 2008 at 02:55:54PM -0400, Rodney Dunn wrote:
> PS. 12.4 will never be GD. That program is retired.

Hmmm?

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                          
//www.muc.de/~gert/
Gert Doering - Munich, Germany                            
gert at greenie.muc.de 
fax: +49-89-35655025                       
gert at net.informatik.tu-muenchen.de 


------------------------------

Message: 2
Date: Fri, 18 Apr 2008 17:17:25 -0400
From: Jason Berenson <jason at pins.net>
Subject: Re: [c-nsp] Cisco 7206VXR
To: Gert Doering <gert at greenie.muc.de>
Cc: "cisco-nsp at puck.nether.net" <cisco-nsp at puck.nether.net>
Message-ID: <48090FE5.1020604 at pins.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

That's what I say too...

Gert Doering wrote:
> Hi,
>
> On Fri, Apr 18, 2008 at 02:55:54PM -0400, Rodney Dunn wrote:
>   
>> PS. 12.4 will never be GD. That program is retired.
>>     
>
> Hmmm?
>
> gert
>   


------------------------------

Message: 3
Date: Fri, 18 Apr 2008 14:42:16 -0700
From: "Buhrmaster, Gary" <gtb at slac.stanford.edu>
Subject: Re: [c-nsp] Cisco 7206VXR
To: "Gert Doering" <gert at greenie.muc.de>, "Rodney Dunn"
	<rodunn at cisco.com>
Cc: cisco-nsp at puck.nether.net 
Message-ID:
	<D0D0330CBD07114D85B70B784E80C2F201FF7440 at exch-mail2.win.slac.stanford.edu>
	
Content-Type: text/plain;	charset="us-ascii"


> On Fri, Apr 18, 2008 at 02:55:54PM -0400, Rodney Dunn wrote:
> > PS. 12.4 will never be GD. That program is retired.
> 
> Hmmm?


Cisco retired (is retiring) the GD/LD program
(ED and DF continue, MD is a new designation):

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps6968/ps6350/product_bulletin_cisco_ios_software_gd_program_retirement.html


Gary


------------------------------

Message: 4
Date: Sat, 19 Apr 2008 00:47:13 +0300
From: Tassos Chatzithomaoglou <achatz at forthnet.gr>
Subject: Re: [c-nsp] Cisco 7206VXR
To: Jason Berenson <jason at pins.net>
Cc: Gert Doering
<gert at greenie.muc.de>,	"cisco-nsp at puck.nether.net"
	<cisco-nsp at puck.nether.net>
Message-ID: <480916E1.30101 at forthnet.gr>
Content-Type: text/plain; charset=ISO-8859-7; format=flowed

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps6968/ps6350/product_bulletin_cisco_ios_software_gd_program_retirement.html


--
Tassos


Jason Berenson wrote on 19/4/2008 12:17 ??:
> That's what I say too...
> 
> Gert Doering wrote:
>> Hi,
>>
>> On Fri, Apr 18, 2008 at 02:55:54PM -0400, Rodney Dunn wrote:
>>   
>>> PS. 12.4 will never be GD. That program is retired.
>>>     
>> Hmmm?
>>
>> gert
>>   


------------------------------

Message: 5
Date: Sat, 19 Apr 2008 00:17:43 +0200
From: "Christian Bering" <CB at nianet.dk>
Subject: Re: [c-nsp] %BGP-3-INVALID_MPLS: Invalid MPLS label (1)
To: "Saku Ytti" <saku+cisco-nsp at ytti.fi>
Cc: cisco-nsp at puck.nether.net 
Message-ID:
	<D2A46EC72B5C2D4FAF017F2C8EA3E72A68CF4F at mail2.nianetas.local>
Content-Type: text/plain;	charset="us-ascii"

Hi Saku,

>I don't think you have anything to worry about. Most likely 
>this is caused by dual-homed site or
>import map that may be denying local routes to BGP. Don't you 
>have any prefix behind that 
>log message?

No, there's never anything pointing to a specific prefix or even just a
VRF in those messages.

>You could look in that box for the VRF and check 
>it's import maps and also
>look 'sh ip bgp vrf X <prefix>' should it say 'no table' it's 
>the culprit when funny
>label gets assigned.

I would if I could see which VRF and prefix the boxes complain about.

>CSCsg55591.
>--- (apologies for ugly paste)

Yes, that was the only one I found that mentions the error message. We
do see a few symptoms that could be explained by the part about a local
label not being programmed into the forwarding table but without knowing
the prefix and VRF, it's kind of hard to say for sure.

But it doesn't really tell me if the bug would affect the PEs or the
route reflectors (or both).

>This is new check implemented in CSCeh77395 and can be 
>triggered by several issues (at least 4 documented,
>at least CSCsb87499, CSCse99753 are possible).

Ah, okay. That gives me a bit more to pursue. Thanks.

-- 
Regards
 Christian Bering
 IP engineer, nianet a/s
 Phone: (+45) 7020 8730


------------------------------

Message: 6
Date: Fri, 18 Apr 2008 19:51:12 -0500
From: "Tolstykh, Andrew" <ATolstykh at integrysgroup.com>
Subject: Re: [c-nsp] Cisco 7206VXR
To: "Jason Berenson" <jason at pins.net>
Cc: cisco-nsp at puck.nether.net 
Message-ID:
	<6E31172B4025564D861CD73627500BAC02E2F6AF at pru-mail02.pe.net>
Content-Type: text/plain;	charset="us-ascii"

Jason,

My issue was 100% specific to 12.4(19) - confirmed on 1 x 7204VXR and 1
x 7206VXR. Both routers were unable to boot the 12.4(19) IOS with
PA-2FE-FX card present (crash dump with the message that this code does
not support the installed port adapter). Changing the code to 12.4(8d)
resolved this issue on both routers.

-----Original Message-----
From: Jason Berenson [mailto:jason at pins.net] 
Sent: Friday, April 18, 2008 2:33 PM
To: Tolstykh, Andrew
Cc: Justin M. Streiner; cisco-nsp at puck.nether.net 
Subject: Re: [c-nsp] Cisco 7206VXR

Andrew,

It looks like it may be this G1.  I'm testing another G1 with the T3 and
OC3 card in it and it seems to be happy but it's running:
c7200-js-mz.123-4.T1.bin right now.  I'm going to try
c7200-is-mz.124-19.bin and see what happens.

-Jason

Tolstykh, Andrew wrote:
> Same issue with PID: PA-2FE-FX running on 12.4(19); crash dump on hard
> boot.
> Fixed by changing the image to 12.4(8d) - works like a charm. 12.4(17)
> should also work fine.
>
> HTH,
> Andrew
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jason Berenson
> Sent: Friday, April 18, 2008 1:52 PM
> To: Justin M. Streiner
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Cisco 7206VXR
>
> Justin, David,
>
> It crashes when I put the card in and keeps crashing on a reboot.  I did
> get it to boot with 12.3.26.  When I put the PA-MC-T3 card in at that
> point it's ok but when I put the ATM OC3 card in it crashes.
>
> When I have this router configured with an NPE-400 and these two cards
> it seems to work just fine.  I'm about to throw these 7206's out the
> window and watch them slam into the pavement 10 floors down.
>
> -Jason
>
> Justin M. Streiner wrote:
>> On Fri, 18 Apr 2008, Jason Berenson wrote:
>>
>>> I'm going to be upgrading a couple of 7206VXR NPE-350's to G1's tomorrow
>>> night.  I'm testing right now with the latest IP plus software:
>>> c7200-is-mz.124-19.bin.  When I pop in a PA-MC-T3 the router promptly
>>> crashes:
>>>
>>> 10:44:58 UTC Fri Oct 8 2004: Data Bus Error exception, CPU signal 10,
>>> PC = 0x60
>>> 98AAA0
>>>
>>> --------------------------------------------------------------------
>>>   Possible software fault. Upon reccurence,  please collect
>>>   crashinfo, "show tech" and contact Cisco Technical Support.
>>> --------------------------------------------------------------------
>>
>> You can try another version of code and see if that works better. If not,
>> your best bet is to open a case with the TAC.
>>
>> Does the router crash when you insert any other port adapters?
>> Does the router crash regardless of which slot/bus you put the PA-MC-T3
>> in?
>> Is it a PA-MC-T3, or a PA-MC-T3+?
>>
>> jms



------------------------------

Message: 7
Date: Fri, 18 Apr 2008 18:20:41 -0700
From: "e ninja" <eninja at gmail.com>
Subject: Re: [c-nsp] Cisco 7206VXR
To: "Jason Berenson" <jason at pins.net>
Cc: "cisco-nsp at puck.nether.net" <cisco-nsp at puck.nether.net>
Message-ID:
	<e8590f60804181820t33e913cbs9a2394b9e3a81407 at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

On Fri, Apr 18, 2008 at 11:57 AM, Jason Berenson <jason at pins.net> wrote:

> Rodney,
>
> When I say pop in, I mean the router is booted and I put the card in.
> I've tried a hard reboot too, same results.  It did generate a
> crashinfo, once I get our contract renewed I can open a TAC case.


Jason,

You don't need to have a 'contract' to open a TAC case for a bug in *any*
software you have already paid for. Call the TAC, get your bug fix and get
your network online.

/eninja

PS. Enlighten yourself - http://resources.multiven.com/dossier 


------------------------------

Message: 8
Date: Sat, 19 Apr 2008 11:47:33 +0100
From: Phil Mayers <p.mayers at imperial.ac.uk>
Subject: Re: [c-nsp] EAP SSL certificates - how to?
To: matthew zeier <mrz at velvet.org>
Cc: A.L.M.Buxey at lboro.ac.uk,	"cisco-nsp at puck.nether.net" 
	<cisco-nsp at puck.nether.net>
Message-ID: <4809CDC5.9060306 at imperial.ac.uk>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

matthew zeier wrote:
> GeoTrust is a well known root CA and I don't get prompts going to 
> websites signed by them.  I do, however, if I use the same cert for 
> RADIUS.  The error is "unknown trust setting".

The server certificate may be lacking certain X509 fields; for example,
"openssl x509 -noout -text -in $cert.pem" for our cert, which works
fine, says:

Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
             snip
         Signature Algorithm: sha1WithRSAEncryption
         Issuer: C=US,O=VeriSign...,CN=VeriSign Class 3 Secure Server CA
         Validity
             Not Before: Apr  2 00:00:00 2007 GMT
             Not After : May 17 23:59:59 2008 GMT
         Subject: snip
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
             RSA Public Key: (1024 bit)
                 Modulus (1024 bit):
                     snip
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
            X509v3 Basic Constraints:
             CA:FALSE
            X509v3 Key Usage:
             Digital Signature, Key Encipherment
            X509v3 CRL Distribution Points:
             URI:http://SVRSecure-crl.verisign.com/SVRSecure2005.crl

            X509v3 Certificate Policies:
            Policy: 2.16.840.1.113733.1.7.23.3
               CPS: https://www.verisign.com/rpa 

            X509v3 Extended Key Usage:
             TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Authority Key Identifier: snip
            Authority Information Access:
               OCSP - URI:http://ocsp.verisign.com
               CA Issuers - snip
            1.3.6.1.5.5.7.1.12: snip
     Signature Algorithm: sha1WithRSAEncryption

Specifically:

           X509v3 Key Usage:
            Digital Signature, Key Encipherment
           X509v3 Extended Key Usage:
            TLS Web Server Authentication, TLS Web Client Authentication

...are important. We had problems with a previous "cheaper" CA which
issues certs unsuitable for 802.1x, with some clients failing to trust
the cert. We had to move to the Verisign product. I can't remember the
*specific* details, but IIRC there is a specific Verisign product for
802.1x certs.

Arguably a "safer" option is to issue a self-signed CA & server cert,
which prevents someone going out and buying a cert from the same CA and
impersonating your SSID, but that has the obvious deployment hassles of
deploying the CA. If you choose to do that, an appropriate "ca.cnf"
file for OpenSSL along with scripts to drive it lives in the FreeRadius
2.0.3 source tarball.
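
A check for the two extensions singled out above, as an added example that is not part of the original message: it parses the text printed by `openssl x509 -noout -text` and reports which Key Usage and Extended Key Usage values are absent. The required set is an assumption modeled on the working certificate shown here, and `parse_extensions` and `missing_for_eap` are names made up for this example.

```python
import re

# Values copied from the working certificate in the message above. Treating them
# as the minimum for an 802.1X server cert is this example's assumption.
REQUIRED = {
    "X509v3 Key Usage": {"Digital Signature", "Key Encipherment"},
    "X509v3 Extended Key Usage": {"TLS Web Server Authentication"},
}
HEADER = re.compile(r"^([A-Za-z0-9. ]+):(?: critical)?$")

def parse_extensions(text):
    """Map each 'Name:' header to the values on the deeper-indented lines under it."""
    exts, current, depth = {}, None, 0
    for raw in text.splitlines():
        line, indent = raw.strip(), len(raw) - len(raw.lstrip())
        m = HEADER.match(line)
        if m:
            current, depth = m.group(1), indent
            exts.setdefault(current, set())
        elif line and current and indent > depth:
            exts[current].update(v.strip() for v in line.split(",") if v.strip())
        else:
            current = None  # blank line, or back out to an outer field
    return exts

def missing_for_eap(text, required=REQUIRED):
    """Return {extension: [absent values]}; an empty dict means the check passed."""
    exts = parse_extensions(text)
    gaps = {name: sorted(want - exts.get(name, set())) for name, want in required.items()}
    return {name: vals for name, vals in gaps.items() if vals}

# Constructed samples: GOOD mirrors the extension lines quoted above, BAD is a
# hypothetical certificate with no Extended Key Usage and a narrower Key Usage.
GOOD = """\
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
    Signature Algorithm: sha1WithRSAEncryption
"""
BAD = """\
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
"""

if __name__ == "__main__":
    for label, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, missing_for_eap(text) or "ok")
```

To check a real certificate, pass the output of the `openssl x509 -noout -text -in $cert.pem` command quoted above to `missing_for_eap`.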


------------------------------

Message: 9
Date: Sat, 19 Apr 2008 13:56:36 +0300
From: Saku Ytti <saku+cisco-nsp at ytti.fi>
Subject: Re: [c-nsp] %BGP-3-INVALID_MPLS: Invalid MPLS label (1)
To: cisco-nsp at puck.nether.net 
Message-ID: <20080419105636.GA27870 at mx.ytti.net>
Content-Type: text/plain; charset=us-ascii

On (2008-04-19 00:17 +0200), Christian Bering wrote:
 
> But it doesn't really tell me if the bug would affect the PEs or the
> route reflectors (or both).

Most likely culprit is one box doing something funny (not RR), and then
as it's propagated every box that has CSCeh77395 integrated will
report it by crying wolf.
For me, it was config mistake in single box. But as you didn't
have any prefix in it, you may have one of the other possible
bugid's causing it.

-- 
  ++ytti


------------------------------

Message: 10
Date: Sat, 19 Apr 2008 13:30:11 +0200
From: Peter Rathlev <peter at rathlev.dk>
Subject: [c-nsp] "continue" in outbound route-map
To: cisco-nsp <cisco-nsp at puck.nether.net>
Message-ID: <1208604611.5629.11.camel at dusken.sys.mjna.net>
Content-Type: text/plain

Hi,

According to

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/cs_brmcs.html 

the "continue" route-map statement is only supported in the outbound
direction when running 12.0(31)S and later. According to the Feature
Navigator, 12.2(33)SRB + SRC also supports it, but 12.2(18)SXF doesn't.

Now the strange thing is that I can use it fine in labs on 6500 and 7600
SXF. I can configure it, and it works as I expect.

Is it a very bad idea starting to use this in production? I haven't
tested SXH yet, and I am a bit worried, thinking this might be an
"unintended feature" like BFD+SVI. Anybody else using it with C6k, maybe
SXH?

Regards,
Peter



