[c-nsp] Newb Question about site to site vpn.

manderson chiefwfb at gmail.com
Thu Jun 16 13:00:19 EDT 2011


Sounds like you may have it set up in client mode vs. network mode.

On Thu, Jun 16, 2011 at 8:26 AM, <cisco-nsp-request at puck.nether.net> wrote:

> Today's Topics:
>
>   1. Re: uRPF lacking on ME3600X? (LM)
>   2. Re: uRPF lacking on ME3600X? (Gert Doering)
>   3. Re: Latest Nexus 5k NX-OS? (Thomason, Simon)
>   4. ASR9k A9K-8T-L LC crash and reload (Wyatt Mattias Gyllenvarg)
>   5. Newb Question about site to site vpn.... (Scott Voll)
>   6. Re: modify cisco router config with scripting? (d tbsky)
>   7. Re: Newb Question about site to site vpn.... (Ryan West)
>   8. Re: modify cisco router config with scripting? (chip)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 16 Jun 2011 08:25:39 +0200
> From: LM <asturluismi at gmail.com>
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] uRPF lacking on ME3600X?
> Message-ID: <4DF9A1E3.30701 at gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Is the same in 7600
>
> On 15/06/11 18:46, Vinny_Abello at Dell.com wrote:
> > Oh yuck, really?? Is this a limitation of the platform?
> >
> > -Vinny
> >
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Nick Hilliard
> > Sent: Wednesday, June 15, 2011 5:38 AM
> > To: Jon Lewis
> > Cc: cisco-nsp at puck.nether.net
> > Subject: Re: [c-nsp] uRPF lacking on ME3600X?
> >
> > On 15/06/2011 04:05, Jon Lewis wrote:
> >> On Tue, 14 Jun 2011, Jeff Kell wrote:
> >>> Does uRPF cut the FIB/TCAM in half on a 6500/Sup720 like it does a Sup2?
> >> No...but it has the annoying issue of only being able to do one flavor of
> >> uRPF on the whole box. Any ports configured for it will do whichever type
> >> is configured last. So it does reachable via rx or reachable via any...pick
> >> one. Don't try using the other.
> > Also, ipv6 urpf on the sup720 causes ipv6 traffic to be punted to the RP.
> >
> > Nick  . o O ( but at least it's supported, right?  argh )
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
>
>
> ------------------------------
>
> Message: 2
> Date: Thu, 16 Jun 2011 08:52:43 +0200
> From: Gert Doering <gert at greenie.muc.de>
> To: LM <asturluismi at gmail.com>
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] uRPF lacking on ME3600X?
> Message-ID: <20110616065242.GJ8496 at greenie.muc.de>
> Content-Type: text/plain; charset="us-ascii"
>
> Hi,
>
> On Thu, Jun 16, 2011 at 08:25:39AM +0200, LM wrote:
> > Is the same in 7600
>
> Except that PFC4 is not even on the roadmap there.
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
>                                                           //
> www.muc.de/~gert/
> Gert Doering - Munich, Germany
> gert at greenie.muc.de
> fax: +49-89-35655025
> gert at net.informatik.tu-muenchen.de
>
> ------------------------------
>
> Message: 3
> Date: Thu, 16 Jun 2011 16:57:11 +1000
> From: "Thomason, Simon" <Simon.Thomason at racq.com.au>
> To: "'John Gill'" <johgill at cisco.com>, "cisco-nsp at puck.nether.net"
>        <cisco-nsp at puck.nether.net>
> Subject: Re: [c-nsp] Latest Nexus 5k NX-OS?
> Message-ID:
>        <42752206EE5B8545B68464E1D0B774B86759B315F0 at EMPMAIL.racq.com.au>
> Content-Type: text/plain; charset="utf-8"
>
> I just saw this email going over the release notes now. I did not see that
> CSCtn94753 was fixed but only skimming over right now.
>
>
> Flex links looks pretty interesting along with Orphan port shutdown.
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of John Gill
> Sent: Thursday, 16 June 2011 12:39 AM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Latest Nexus 5k NX-OS?
>
> FYI 5.0(3)N2(1) is out now
>
> John Gill
> cisco
>
>
> On 6/14/11 7:37 PM, Ramesh Karki wrote:
> > It is better to stay with existing version until 5.03(n2) get released.
> >
> > 5.0.3.N1.1c has a bug (CSCtn94753) which cause the slot# to appear
> > automatically in config and can't delete them easily.
> >
> > Thanks
> >        -R
> >
> > On Tue, Jun 14, 2011 at 3:35 PM, Thomason, Simon <Simon.Thomason at racq.com.au> wrote:
> >
> >> Hey All,
> >>
> >> Was just wondering if anyone has started to use n5000-uk9.5.0.3.N1.1c.bin
> >> NX-OS?
> >>
> >> I have been advised this will fix a few issues with our monitoring solution
> >> Statseeker (nexus does not send correct snmp info to statseeker).
> >>
> >> Currently running on n5000-uk9.5.0.2.N2.1.bin so there are really no major
> >> features in the newer version to really drive home the point of an upgrade.
> >>
> >> Just wanted to hear from anyone running on the cutting edge and if they
> >> have had any issues with it.
> >>
> >> Hot foot it to RACQ MotorFest at Eagle Farm Racecourse on 17 July and swoon
> >> over Queensland's largest display of collectable vehicles. Visit
> >> www.racq.com/motorfest
> >>
> >> Please Note: If you are not the intended recipient, please delete this
> >> email as its use is prohibited.  RACQ does not warrant or represent that
> >> this email is free from viruses or defects.  If you do not wish to receive
> >> any further commercial electronic messages from RACQ please e-mail
> >> unsubscribe at racq.com.au or contact RACQ on 13 19 05.
> >>
>
>
> ------------------------------
>
> Message: 4
> Date: Thu, 16 Jun 2011 14:25:58 +0200
> From: Wyatt Mattias Gyllenvarg <wyatt.eliasson at gmail.com>
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] ASR9k A9K-8T-L LC crash and reload
> Message-ID: <BANLkTi=R+=iyUya0gkST5+k8p_zbx8tT4A at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hi All
>
> We are having an issue with a ring of 3 ASR9010 and one 7606
> Sup7203BXL with 6704-DFC3BLX.
>
> The LCs facing the 7606 crash and reload randomly (once they have
> reloaded at the same time).
>
> Both cards are in slot 0/2 and have if Te0/2/0/0 facing the 7606.
>
> All the ASR machines have the same physical configuration.
> 0/0 A9K-40GE-L
> 0/1 A9K-8T-L LC
> 0/2 A9K-8T-L LC
>
> Dual RSPs 4G Running 4.1.0 all fpd are updated
>
> Very little traffic is being forwarded as we have not yet migrated
> fully to this new setup.
>
> Running protocols are:
> OSPF
> MPLS LDP
> PIM
> BGP
> IPv6 PE
> CDP
>
> All interfaces are routed.
>
> Log shows:
>
>
> LC/0/2/CPU0:Jun 16 11:27:54.502 : pfm_node_lc[267]:
> %PLATFORM-DIAGS-0-LC_NP_LOOPBACK_FAILED :
> Set|online_diag_lc[163921]|Line card NPU loopback Test(0x2000006)|
> LC/0/2/CPU0:Jun 16 11:27:54.509 : pfm_node_lc[267]:
> prm_fast_reset_subset fast reset api succeeded for chan 4
> LC/0/2/CPU0:Jun 16 11:27:54.510 : pfm_node_lc[267]: NP loopback
> recovery action: Succeded (NP bitmask:0x10)
> LC/0/2/CPU0:Jun 16 11:27:57.975 : prm_server[278]:
> %PLATFORM-NP-0-INIT_ERR : *** Error 0xA0003F03 : prm_np_fast_reset :
> Channel 4 Config Start Fast Reset failed, line
> LC/0/2/CPU0:Jun 16 11:27:57.976 : prm_server[278]: Line card needs to
> be reloaded, a reboot is being requested
> RP/0/RSP0/CPU0:Jun 16 11:27:58.031 : shelfmgr[352]:
> %PLATFORM-SHELFMGR-3-NODE_CPU_RESET : Node 0/2/CPU0 CPU reset
> detected.
> RP/0/RSP0/CPU0:Jun 16 11:27:58.032 : shelfmgr[352]:
> %PLATFORM-SHELFMGR-6-NODE_STATE_CHANGE : 0/2/CPU0 A9K-8T-L
> state:BRINGDOWN
> RP/0/RSP0/CPU0:Jun 16 11:27:58.075 : invmgr[234]:
> %PLATFORM-INV-6-NODE_STATE_CHANGE : Node: 0/2/CPU0, state: BRINGDOWN
> RP/0/RSP0/CPU0:Jun 16 11:28:04.026 : shelfmgr[352]:
> %PLATFORM-SHELFMGR-6-NODE_STATE_CHANGE : 0/2/CPU0 A9K-8T-L
> state:ROMMON
> RP/0/RSP0/CPU0:Jun 16 11:28:26.636 : shelfmgr[352]:
> %PLATFORM-SHELFMGR_HAL-6-BOOT_REQ_RECEIVED : Boot Request from
> 0/2/CPU0, RomMon Version: 1.3
> RP/0/RSP0/CPU0:Jun 16 11:28:26.639 : shelfmgr[352]:
> %PLATFORM-MBIMGR-7-IMAGE_VALIDATED : Remote location 0/2/CPU0: : MBI
> tftp:/disk0/asr9k-os-mbi-4.1.0/lc/mbiasr9k-lc
> RP/0/RSP0/CPU0:Jun 16 11:28:26.639 : shelfmgr[352]:
> %PLATFORM-SHELFMGR-6-NODE_STATE_CHANGE : 0/2/CPU0 A9K-8T-L
> state:MBI-BOOTING
> RP/0/RSP0/CPU0:Jun 16 11:29:26.295 : shelfmgr[352]:
> %PLATFORM-SHELFMGR-6-NODE_STATE_CHANGE : 0/2/CPU0 A9K-8T-L
> state:MBI-RUNNING
> LC/0/2/CPU0:16: init[65540]: %OS-INIT-7-MBI_STARTED : total time 10.058
> seconds
> LC/0/2/CPU0:Jun 16 11:29:29.619 : insthelper[61]:
> %INSTALL-INSTHELPER-7-PKG_DOWNLOAD : MBI running; starting software
> download
> LC/0/2/CPU0:Jun 16 11:29:47.569 : sysmgr[89]: %OS-SYSMGR-5-NOTICE :
> Card is COLD started
> LC/0/2/CPU0:Jun 16 11:29:47.833 : init[65540]:
> %OS-INIT-7-INSTALL_READY : total time 32.328 seconds
> LC/0/2/CPU0:Jun 16 11:29:49.240 : sysmgr[320]: %OS-SYSMGR-6-INFO :
> Backup system manager is ready
> LC/0/2/CPU0:Jun 16 11:29:50.345 : syslog_dev[87]: dumper_config[148]:
> LC/0/2/CPU0:Jun 16 11:29:50.356 : syslog_dev[87]: dumper_config[148]:
> The node id is 2081
>
> And the normal reload of the LC and everything goes back to normal.
>
> TAC case has been created but no answer so far.
>
> We have not found any relevant SMU or known bugs.
>
> I found the following in one of the ASRs.
>
>
> RP/0/RSP0/CPU0:core-foo-bar-1#sh asic-errors fia 0 all location 0/RSP0/CPU0
>
> ************************************************************
> *                      Generic Errors                      *
> ************************************************************
> Name            : OC_INTERNAL_LOG_RF_UNEXP_SEG-GENERIC
> Node Key        : 0x1050015
> Thresh/period(s): 10/2   Alarm state: OFF
> Error count     : 2
> Last clearing   : Sat Jun 11 08:04:44 2011
> Last N errors   : 2
> --------------------------------------------------------------
> First N errors.
> @Time, Error-Data
> ------------------------------------------
> Jun 11 08:04:44.498: RF unexp seg log
> oc 0, addr 0x0, src 2
> fa000000 fafafafa 0ffafafa 0f020f02 - 020e0f02 020e020e 0f020f0e 0f020f02
> 00020202
>
> Jun 16 11:27:58.019: RF unexp seg log
> oc 0, addr 0x0, src 2
> e15b5b5b e1e1e1e1 0fe1e1e1 0f020f02 - 020e0f02 020e020e 0e020e0e 0e020e02
> 00020202
>
> --------------------------------------------------------------
> Name            : OC_RF1_INT_LO_UNEXP_SEG-GENERIC
> Node Key        : 0x10501c7
> Thresh/period(s): 10/2   Alarm state: OFF
> Error count     : 2
> Last clearing   : Sat Jun 11 08:04:44 2011
> Last N errors   : 2
> --------------------------------------------------------------
> First N errors.
> @Time, Error-Data
> ------------------------------------------
> Jun 11 08:04:44.498: OC_RF1_INT_MSK
> Jun 16 11:27:58.019: OC_RF1_INT_MSK
> --------------------------------------------------------------
> ************************************************************
> *                    ASIC Reset Errors                     *
> ************************************************************
>
> Any opinions or comments appreciated!
>
> Best Regards
> Mattias Gyllenvarg
> Bredband2
> Sweden
>
>
> ------------------------------
>
> Message: 5
> Date: Thu, 16 Jun 2011 07:45:56 -0700
> From: Scott Voll <svoll.voip at gmail.com>
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Newb Question about site to site vpn....
> Message-ID: <BANLkTimZhCG2ALyw=GQGx2EbUXPNfiihiw at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> I have setup a couple 881's to do a Dynamic site to site vpn tunnel back to
> my ASA at the head end.
>
> All traffic ends up stopping even though the tunnel is still up.  If I start
> some traffic from the 881 then the traffic starts working from the head end
> (ASA side).
>
> What have I missed to get traffic on the ASA side to start passing traffic?
> Without starting it on the far side (881).
>
> TIA
>
> Scott
>
>
> ------------------------------
>
> Message: 6
> Date: Thu, 16 Jun 2011 22:56:09 +0800
> From: d tbsky <tbskyd at gmail.com>
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] modify cisco router config with scripting?
> Message-ID: <BANLkTi=r+gwZOtxdgrV-HXLHhZy0bSt_PA at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hi:
>    thanks for all the information about the scripting problem.
> I find now basically there are two kinds of methods to do the work.
>
> 1. interactive CLI, with 3rd party tools or expect-like perl modules.
>
> 2. snmpset. but it can not be done directly, snmpset just triggers the
> tftp procedure.
>
> I think I may use perl-expect to do this job. it is ugly but seems simple.
>
>   thanks again for all the suggestions!!
>
> Regards,
> tbskyd
>
>
> ------------------------------
>
> Message: 7
> Date: Thu, 16 Jun 2011 14:58:41 +0000
> From: Ryan West <rwest at zyedge.com>
> To: Scott Voll <svoll.voip at gmail.com>, "cisco-nsp at puck.nether.net"
>        <cisco-nsp at puck.nether.net>
> Subject: Re: [c-nsp] Newb Question about site to site vpn....
> Message-ID:
>        <5DC4853C6CC3EE4788779E0726E034DD9898C4 at zy-ex1.zyedge.local>
> Content-Type: text/plain; charset="us-ascii"
>
> On Thu, Jun 16, 2011 at 10:45:56, Scott Voll wrote:
> > Subject: [c-nsp] Newb Question about site to site vpn....
> >
> > I have setup a couple 881's to do a Dynamic site to site vpn tunnel
> > back to my ASA at the head end.
> >
> > All traffic ends up stopping even though the tunnel is still up.  If I
> > start some traffic from the 881 then the traffic starts working from
> > the head end (ASA side).
> >
> > What have I missed to get traffic on the ASA side to start passing traffic?
> > Without starting it on the far side (881).
> >
>
> On the ASA you can try 'logging class vpn monitor debugging' and run term
> mon.  The receiver usually has better information, so the 881 should debug
> as well.  Can you post some of those debugs?
>
> Thanks,
>
> -ryan
>
>
>
> ------------------------------
>
> Message: 8
> Date: Thu, 16 Jun 2011 11:26:28 -0400
> From: chip <chip.gwyn at gmail.com>
> To: d tbsky <tbskyd at gmail.com>
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] modify cisco router config with scripting?
> Message-ID: <BANLkTinqwY7h-B6-fZr61x-OyjwBt5VBrg at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> One way we've done things like this is to generate all the config
> changes required and throw it in a plain text file.  Then you use
> another script to log into the router and copy the file up to the
> router via tftp.  This allows you to make almost any kind of changes
> you need while only having to automate the tftp part on the router.
> You can get fancy with the "copying up" part depending on your level
> of paranoia, check interfaces, check routing protocol sessions, etc...
> and compare before/after to make sure nothing unexpected happens.
> Then you can take this a step further and compare the config
> before/after to make sure the changes that happened were the changes
> you expected.  But as with anything, the more functionality you add
> the more complicated it gets.
>
> For easy-mode, as others have suggested, use rancid's clogin to tftp
> the file up and "wr mem".
>
> --chip
>
> On Thu, Jun 16, 2011 at 10:56 AM, d tbsky <tbskyd at gmail.com> wrote:
> > Hi:
> >    thanks for all the information about the scripting problem.
> > I find now basically there are two kinds of methods to do the work.
> >
> > 1. interactive CLI, with 3rd party tools or expect-like perl modules.
> >
> > 2. snmpset. but it can not be done directly, snmpset just triggers the
> > tftp procedure.
> >
> > I think I may use perl-expect to do this job. it is ugly but seems simple.
> >
> >   thanks again for all the suggestions!!
> >
> > Regards,
> > tbskyd
> >
>
>
>
> --
> Just my $.02, your mileage may vary, batteries not included, etc....
>
>
>
> ------------------------------
>
> End of cisco-nsp Digest, Vol 103, Issue 46
> ******************************************
>
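
The before/after configuration comparison that chip describes in Message 8 of the quoted digest, sketched as an added example (not code from the thread, from rancid, or from any poster). The function names, the sample configs, the list of self-changing lines, and the rule that a `no X` line in the change file means "X should disappear" are all assumptions of this sketch.

```python
import re

# Lines IOS rewrites on its own; they are not operator changes (assumed list).
VOLATILE = re.compile(r"^(!|Current configuration|ntp clock-period|end$)")

def flatten(config_text):
    """Return a set of (parent, ..., line) tuples so a sub-command is keyed by its section."""
    entries, stack = set(), []
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or VOLATILE.match(line.strip()):
            continue
        depth = len(line) - len(line.lstrip(" "))
        while stack and stack[-1][0] >= depth:   # leave sections we have exited
            stack.pop()
        stack.append((depth, line.strip()))
        entries.add(tuple(text for _, text in stack))
    return entries

def expected_delta(change_text):
    """Split the pushed change file into entries that should appear and entries that should vanish."""
    added, removed = set(), set()
    for path in flatten(change_text):
        if path[-1].startswith("no "):           # assumption: "no X" removes X
            removed.add(path[:-1] + (path[-1][3:],))
        else:
            added.add(path)
    return added, removed

def verify_change(before, after, change):
    """Return a list of discrepancies; an empty list means the diff matches the change file."""
    b, a = flatten(before), flatten(after)
    want_add, want_del = expected_delta(change)
    problems = [("unexpected add", p) for p in sorted((a - b) - want_add)]
    problems += [("unexpected removal", p) for p in sorted((b - a) - want_del)]
    problems += [("missing", p) for p in sorted(want_add - a)]
    problems += [("still present", p) for p in sorted(want_del & a)]
    return problems

# Constructed sample data, not taken from the thread.
BEFORE = """hostname lab-rtr
interface FastEthernet4
 description uplink
 ip access-group 101 in
ntp clock-period 17180000
end
"""
CHANGE = """interface FastEthernet4
 no ip access-group 101 in
 ip access-group 102 in
"""
AFTER = BEFORE.replace("101 in", "102 in").replace("17180000", "17180123")
AFTER_DRIFT = AFTER.replace("end\n", "ip http server\nend\n")

if __name__ == "__main__":
    print(verify_change(BEFORE, AFTER, CHANGE), verify_change(BEFORE, AFTER_DRIFT, CHANGE))
```

Feed it the running config captured before the tftp copy, the one captured after, and the change file that was pushed; anything it returns is a line that changed without being asked for, or a requested change that did not take effect.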

