Recent Posts

91
Security / Re: SEC0257 (DVTI Part 2) - Virtual-Access interface routes not working
« Last post by MC on March 11, 2018, 09:06:31 PM »
The video uses an ISR4K router running 16+ code, so if you are using anything lower, you might have the issue. Some people have also reported the same. Some have suggested putting "crypto ikev2 authorization policy default" on the spoke side to force the hub to inject the route. Give it a try and see if that works.
92
Security / SEC0257 (DVTI Part 2) - Virtual-Access interface routes not working
« Last post by ChrisD777 on March 09, 2018, 05:16:32 AM »
Hi,
I have recreated the topology of the FlexVPN series in my own lab (another great video series BTW!)
So far, everything has worked exactly as per the videos, but I have now hit a roadblock:
In SEC0257 (DVTI Part 2) I have configured R1 to assign Tunnel IP addresses from a local pool.
The Branch Routers get the negotiated IP address correctly, and both Tunnels (to BR1 and BR2) come up OK.
However, R1 does not get the auto-generated static routes to the Tunnel endpoints via the Virtual-Access interfaces.
This means I don't have reachability across the tunnels and am unable to set up BGP routing.

I am using IOL 15.4(2)T4 images on EVE-NG for my Routers, but swapped R1 to CSR1000V (IOS XE 03.17.00.S / 15.6(1)S ) to see if it would help (it didn't).

Any ideas?


R1#show ip route static
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 1.1.1.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 1.1.1.1
      172.16.0.0/16 is variably subnetted, 6 subnets, 4 masks
S        172.16.0.0/16 [1/0] via 172.16.1.1

R1#show ip int brief
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet1       1.1.1.11        YES NVRAM  up                    up     
GigabitEthernet2       172.16.1.2      YES NVRAM  up                    up     
GigabitEthernet3       unassigned      YES NVRAM  administratively down down   
GigabitEthernet4       unassigned      YES NVRAM  administratively down down   
Loopback0              172.16.0.2      YES NVRAM  up                    up     
Loopback1              172.16.255.1    YES NVRAM  up                    up     
Virtual-Access1        172.16.255.1    YES unset  up                    up     
Virtual-Access2        172.16.255.1    YES unset  up                    up     
Virtual-Template1      172.16.255.1    YES unset  up                    down   


BR1#show ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                2.2.2.2         YES NVRAM  up                    up     
Ethernet0/1                172.17.1.1      YES NVRAM  up                    up     
Ethernet0/2                unassigned      YES NVRAM  administratively down down   
Ethernet0/3                unassigned      YES NVRAM  administratively down down   
Loopback0                  172.17.0.1      YES NVRAM  up                    up     
Tunnel1                    172.16.255.61   YES NVRAM  up                    up   
93
Security / Re: Cisco ASA DNS
« Last post by MC on February 28, 2018, 07:53:27 PM »
In that case, the ASA should have no influence on the TTL. You can try turning off DNS inspection on the ASA too.
94
Security / Re: Cisco ASA DNS
« Last post by Pankz on February 28, 2018, 03:47:17 AM »
Thanks MC for reverting.

No, the user PC is configured with our internal DNS servers.
95
Security / Re: Cisco ASA DNS
« Last post by MC on February 26, 2018, 09:51:47 PM »
Does your user have the ASA as the DNS server? If so, can you point it to another internal or public DNS server?
96
Security / Cisco ASA DNS
« Last post by Pankz on February 23, 2018, 06:02:09 AM »
One of my users needs my help in getting access to a URL hosted in AWS from this PC, and I provided the access in the Cisco ASA (FQDN access), but he is facing an intermittent connectivity issue. After some troubleshooting we came to the conclusion that the URL is getting resolved to multiple IPs (TTL value is 30 sec) and at the same moment the ASA is unable to resolve the current IPs, hence the connection is still pointed towards the old IP.

I believe this is something related to the ASA DNS cache time value.

Has anyone here faced the same issue?
97
Routing and Switching / Re: interface state on Router
« Last post by amsa on February 05, 2018, 01:40:43 PM »
No, not solved :'( :'( :'(
98
Security / Re: ISE 2.3 CWA redirection issue
« Last post by MC on February 01, 2018, 08:36:28 PM »
I just ran into an issue with failed URL redirect on a 3850/9300 switch running 16.3 and 16.6.1. Apparently there is a bug for this (see below). The symptom is very similar to what you described, which is that the switch gets the redirect URL from ISE but the endpoint is not getting there, even though it can get there by copying and pasting the URL into a browser.

What switch model/version are you using? If you are running one of the versions mentioned above, try to upgrade to 16.6.2.
99
Routing and Switching / Re: interface state on Router
« Last post by MC on February 01, 2018, 08:30:43 PM »
Glad the issue is resolved.
100
Routing and Switching / Re: interface state on Router
« Last post by amsa on February 01, 2018, 06:54:06 AM »
Thanks MC

Almost, I did those steps but I didn't upgrade IOS