Channel: АнтиCISCO

High CPU load on a Cisco 3750

Hi all! Help me figure this out: I have a Cisco 3750 that periodically runs at 90-100% CPU for several hours, then the load drops back to the normal 10%, and this has been going on for about a month. What could the problem be?

[show processes cpu history graphs: CPU% per second (last 60 seconds), CPU% per minute (last 60 minutes), CPU% per hour (last 72 hours); * = maximum CPU%, # = average CPU%]

3750#sh proc cpu s
CPU utilization for five seconds: 96%/40%; one minute: 96%; five minutes: 96%
 PID Runtime(ms)     Invoked      uSecs   5Sec   1Min   5Min TTY Process
  69 2219137672160904446         0 39.73% 39.02% 38.99%   0 HLFM address lea
 235  2467729913   113592846     21724  4.92%  4.07%  4.01%   0 CEF: IPv4 proces
 120 2025413892125836054        95  2.06%  2.44%  2.44%   0 Hulc LED Process
 121   735610080   230582176      3190  1.27%  1.36%  1.38%   0 HL3U bkgrd proce
 177 3081136191594440566       193  0.95%  0.57%  0.54%   0 Spanning Tree
  55 713500643831848406          0  0.79%  0.71%  0.72%   0 Fifo Error Detec
 160          50          98       510  0.31%  0.02%  0.00%   1 Virtual Exec
  85    26140044   637714523        40  0.31%  0.23%  0.20%   0 hpm main process
  34     9500294    74249808       127  0.31%  0.07%  0.01%   0 Per-Second Jobs
   9   247931210   226311889      1095  0.15%  0.39%  0.31%   0 ARP Input
 174    21906616   104339897       209  0.15%  0.08%  0.06%   0 IP Input
  38    21550080    15054276      1431  0.15%  0.04%  0.00%   0 Compute load avg
 141    59081069    74225824       795  0.15%  0.27%  0.23%   0 PI MATM Aging Pr
 128    76786068    15034190      5107  0.15%  0.15%  0.15%   0 HQM Stack Proces
  89    59077706    74225825       795  0.15%  0.17%  0.19%   0 hpm counter proc
  40 23725971465808570           1  0.00%  0.01%  0.02%   0 DownWhenLooped
  49    14962183   455466608        32  0.00%  0.09%  0.11%   0 RedEarth Tx Mana
  35    22319125     1272739     17536  0.00%  0.03%  0.00%   0 Per-minute Jobs
  56   167882406    26799678      6264  0.00%  0.01%  0.00%   0 Adjust Regions
   4   223619471    11638246     19214  0.00%  0.25%  0.28%   0 Check heaps
  71 38850372163699000           1  0.00%  0.04%  0.00%   0 HLFM address ret
  50 40361702880613912           1  0.00%  0.04%  0.03%   0 RedEarth Rx Mana
 108     5388150   368307399        14  0.00%  0.01%  0.00%   0 Hulc Storm Contr
 129    34124225    30068416      1134  0.00%  0.02%  0.00%   0 HRPC qos request
 176     2568624   738806861         3  0.00%  0.01%  0.00%   0 MDFS MFIB Proces
 191        3023      112395        26  0.00%  0.01%  0.00%   0 TCP Timer
 211     3052849   732163131         4  0.00%  0.02%  0.00%   0 MDFS RP process
 237    31263085     1262969     24753  0.00%  0.03%  0.00%   0 IP Background
 238     1316642    74225840        17  0.00%  0.01%  0.00%   0 DVMRP Timers
 241     3689627   731330150         5  0.00%  0.04%  0.01%   0 Mwheel Process
 248     1614971    80129514        20  0.00%  0.01%  0.00%   0 NTP
 (every other process in the list shows 0.00% in the 5Sec, 1Min and 5Min columns)

3750#sh ip traf
IP statistics:
  Rcvd:  110284548 total, 25479063 local destination
         10 format errors, 40 checksum errors, 20167018 bad hop count
         40522 unknown protocol, 32284929 not a gateway
         0 security failures, 0 bad options, 13027191 with options
  Opts:  113 end, 0 nop, 0 basic security, 4 loose source route
         12 timestamp, 0 extended security, 110 record route
         8 stream ID, 0 strict source route, 13027057 alert, 0 cipso, 0 ump
         0 other
  Frags: 170567 reassembled, 674 timeouts, 0 couldn't reassemble
         474826 fragmented, 0 couldn't fragment
  Bcast: 7453282 received, 627 sent
  Mcast: 9357313 received, 10146557 sent
  Sent:  193093007 generated, 1776653441 forwarded
  Drop:  27544116 encapsulation failed, 18165 unresolved, 10 no adjacency
         5 no route, 0 unicast RPF, 0 forced drop
         0 options denied, 0 source IP address zero

ICMP statistics:
  Rcvd: 0 format errors, 0 checksum errors, 4551 redirects, 744019 unreachable
        2178598 echo, 5717 echo reply, 0 mask requests, 0 mask replies, 0 quench
        0 parameter, 0 timestamp, 0 info request, 0 other
        3 irdp solicitations, 49 irdp advertisements
  Sent: 20381149 redirects, 536195 unreachable, 5805 echo, 2178598 echo reply
        0 mask requests, 0 mask replies, 0 quench, 0 timestamp
        0 info reply, 158667298 time exceeded, 0 parameter problem
        0 irdp solicitations, 0 irdp advertisements

TCP statistics:
  Rcvd: 179946 total, 0 checksum errors, 6 no port
  Sent: 154304 total

UDP statistics:
  Rcvd: 12879113 total, 2 checksum errors, 7376458 no port
  Sent: 5505240 total, 0 forwarded broadcasts

IP-EIGRP statistics:
  Rcvd: 0 total
  Sent: 0 total

BGP statistics:
  Rcvd: 0 total, 0 opens, 0 notifications, 0 updates
        0 keepalives, 0 route-refresh, 0 unrecognized
  Sent: 0 total, 0 opens, 0 notifications, 0 updates
        0 keepalives, 0 route-refresh

PIMv2 statistics: Sent/Received
  Total: 7645892/2495651, 0 checksum errors, 0 format errors
  Registers: 0/0 (0 non-rp, 0 non-sm-group), Register Stops: 0/0, Hellos: 7645892/2495579
  Join/Prunes: 0/0, Asserts: 0/72, grafts: 0/0
  Bootstraps: 0/0, Candidate_RP_Advertisements: 0/0
  State-Refresh: 0/0

IGMP statistics: Sent/Received
  Total: 2500665/6861665, Format errors: 0/0, Checksum errors: 0/0
  Host Queries: 2500665/1695509, Host Reports: 0/4147228, Host Leaves: 0/19403
  DVMRP: 0/0, PIM: 0/948178

OSPF statistics:
  Rcvd: 0 total, 0 checksum errors
        0 hello, 0 database desc, 0 link state req
        0 link state updates, 0 link state acks
  Sent: 0 total
        0 hello, 0 database desc, 0 link state req
        0 link state updates, 0 link state acks

ARP statistics:
  Rcvd: 222306971 requests, 70895151 replies, 126 reverse, 0 other
  Sent: 94109858 requests, 79221378 replies (76408484 proxy), 0 reverse
  Drop due to input queue full: 60170

3750#sh platf tcam util
CAM Utilization for ASIC# 0                      Max            Used
                                             Masks/Values    Masks/values
 Unicast mac addresses:                       784/6272        763/6040
 IPv4 IGMP groups + multicast routes:         144/1152         11/36
 IPv4 unicast directly-connected routes:      784/6272        763/6040
 IPv4 unicast indirectly-connected routes:    272/2176        107/763
 IPv4 policy based routing aces:                0/0             0/0
 IPv4 qos aces:                               528/528          90/90
 IPv4 security aces:                         1024/1024        132/132

Note: Allocation of TCAM entries per feature uses a
complex algorithm. The above information is meant
to provide an abstract view of the current TCAM utilization
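An added triage helper (not code from the post) that parses the `sh proc cpu s` header and rows and pulls the punt-related counters out of the `sh ip traf` output; both inputs are constructed from the lines quoted above, and the regexes assume the column layout shown there.

```python
import re

# Constructed sample: the header and first rows of the "sh proc cpu s" paste in the
# post above (the Runtime/Invoked counters of PIDs 69, 120 and 177 have overflowed
# and run together, exactly as in the paste).
PROC_CPU = """\
CPU utilization for five seconds: 96%/40%; one minute: 96%; five minutes: 96%
 PID Runtime(ms)     Invoked      uSecs   5Sec   1Min   5Min TTY Process
  69 2219137672160904446         0 39.73% 39.02% 38.99%   0 HLFM address lea
 235  2467729913   113592846     21724  4.92%  4.07%  4.01%   0 CEF: IPv4 proces
 120 2025413892125836054        95  2.06%  2.44%  2.44%   0 Hulc LED Process
 121   735610080   230582176      3190  1.27%  1.36%  1.38%   0 HL3U bkgrd proce
 177 3081136191594440566       193  0.95%  0.57%  0.54%   0 Spanning Tree
 160          50          98       510  0.31%  0.02%  0.00%   1 Virtual Exec
   9   247931210   226311889      1095  0.15%  0.39%  0.31%   0 ARP Input
  15        3119     1255354         2  0.00%  0.00%  0.00%   0 IPC Dynamic Cach
"""

# Constructed sample: the "sh ip traf" lines from the post that carry the
# counters checked below.
IP_TRAFFIC = """\
IP statistics:
  Rcvd:  110284548 total, 25479063 local destination
         10 format errors, 40 checksum errors, 20167018 bad hop count
  Sent:  193093007 generated, 1776653441 forwarded
ICMP statistics:
  Rcvd: 0 format errors, 0 checksum errors, 4551 redirects, 744019 unreachable
  Sent: 20381149 redirects, 536195 unreachable, 5805 echo, 2178598 echo reply
        0 info reply, 158667298 time exceeded, 0 parameter problem
"""

HEADER_RE = re.compile(
    r"five seconds:\s*(\d+)%/(\d+)%;\s*one minute:\s*(\d+)%;\s*five minutes:\s*(\d+)%")
# Anchor on the three percentage fields rather than counting columns: overflowed
# Runtime(ms)/Invoked counters merge into one token and shift the columns.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+.*?(\d+\.\d+)%\s+(\d+\.\d+)%\s+(\d+\.\d+)%\s+(\d+)\s+(.+?)\s*$")
PUNT_COUNTERS = {
    "bad_hop_count": re.compile(r"(\d+) bad hop count"),
    "icmp_time_exceeded_sent": re.compile(r"(\d+) time exceeded"),
    "icmp_redirects_sent": re.compile(r"Sent:\s+(\d+) redirects"),
    "forwarded": re.compile(r"(\d+) forwarded"),
}


def parse_header(text):
    """Total, interrupt-level and process-level CPU from the first line.
    'X%/Y%' is total/interrupt: the difference is what IOS processes used."""
    m = HEADER_RE.search(text)
    if m is None:
        raise ValueError("no 'CPU utilization' header found")
    total, interrupt, one_min, five_min = map(int, m.groups())
    return {"total_5s": total, "interrupt_5s": interrupt,
            "process_5s": total - interrupt, "one_min": one_min, "five_min": five_min}


def parse_processes(text):
    """One dict per process row; header and prompt lines do not match ROW_RE."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            pid, s5, m1, m5, tty, name = m.groups()
            rows.append({"pid": int(pid), "name": name, "five_sec": float(s5),
                         "one_min": float(m1), "five_min": float(m5), "tty": int(tty)})
    return rows


def top_processes(text, threshold=1.0):
    """(name, 5Sec%) for every process at or above `threshold` percent."""
    return [(r["name"], r["five_sec"]) for r in parse_processes(text)
            if r["five_sec"] >= threshold]


def punt_counters(text):
    """Counters for packet classes a Catalyst 3750 has to handle in software."""
    found = {}
    for key, rx in PUNT_COUNTERS.items():
        m = rx.search(text)
        found[key] = int(m.group(1)) if m else None
    return found


def triage(proc_text, traffic_text):
    """Interrupt share, hot processes, and punted packets per 1000 forwarded."""
    h, c = parse_header(proc_text), punt_counters(traffic_text)
    fwd = c["forwarded"]
    return {"interrupt_share": round(h["interrupt_5s"] / h["total_5s"], 2),
            "top": top_processes(proc_text),
            "ttl_expired_per_1000_fwd": round(1000 * c["icmp_time_exceeded_sent"] / fwd, 1),
            "redirects_per_1000_fwd": round(1000 * c["icmp_redirects_sent"] / fwd, 1)}
```

The header's `96%/40%` is total versus interrupt-level CPU, so 56% is process level, most of it in HLFM address lea. Packets that expire their TTL on the switch or need an ICMP redirect are handled by the 3750's CPU rather than the forwarding ASIC, which is why those counters belong next to the process list whenever CPU is high.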

PPTP client access server not working correctly

Hello colleagues! The other day the company bought a new Cisco ISR 4431 router. After moving the config over from the old Cisco 2921 everything works except the user VPN connections (vpdn pptp); more precisely, they connect, but are not routed... A user connects to the network and gets an IP, the IP appears in the Cisco's routing table as connected and is passed on to the branch Ciscos over GRE via OSPF, BUT when the client sends a request to any host in the organization, the packet reaches the recipient, the recipient sends a reply AND the reply never reaches the client; it gets lost on the Cisco, as if the Cisco did not know where to return the packet. Note that on the 2921 this config works without a hitch... So, here is the description of everything:

Old Cisco:
Cisco CISCO2921/K9 (revision 1.0)
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9_NPE-M), Version 15.3(2)T

New Cisco:
cisco ISR4431/K9 (1RU)
Cisco IOS XE Software, Version 03.13.03.S - Extended Support Release
Cisco IOS Software, ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9_NPE-M), Version 15.5(3)S1a, RELEASE SOFTWARE (fc1)

version 15.5
service telnet-zeroidle
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service linenumber
service pt-vty-logging
service sequence-numbers
no platform punt-keepalive disable-kernel-core
!
hostname krr-cs1_1
!
boot-start-marker
boot-end-marker
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
logging exception 65536
logging count
logging userinfo
logging buffered 65536
logging reload alerts
logging rate-limit all 100
no logging console
enable secret 5 $1$tVIt$TwZrH
!
aaa new-model
!
aaa authentication login default local
aaa authentication ppp default local group radius
aaa authorization exec default local
aaa authorization network default if-authenticated
aaa accounting network default
aaa accounting network VPN-USERS
 action-type start-stop
 group radius
!
aaa session-id common
clock timezone AST 3 0
!
ip name-server 192.168.210.253 192.168.210.251
ip domain lookup source-interface Loopback1
ip domain name mycomp.ru
ip dhcp excluded-address 10.100.100.1 10.100.100.100
ip dhcp excluded-address 10.100.100.199 10.100.100.254
ip dhcp excluded-address 192.168.50.0 192.168.50.19
ip dhcp excluded-address 192.168.203.0 192.168.203.19
ip dhcp excluded-address 192.168.51.0 192.168.51.19
ip dhcp excluded-address 192.168.203.200 192.168.203.255
ip dhcp excluded-address 192.168.203.69
ip dhcp excluded-address 192.168.203.94
ip dhcp excluded-address 192.168.203.68
ip dhcp excluded-address 192.168.52.1 192.168.52.10
ip dhcp excluded-address 192.168.48.1 192.168.48.10
ip dhcp excluded-address 192.168.49.0
!
ip dhcp pool users-vpn
 network 10.100.100.0 255.255.255.0
 domain-name mycomp.ru
 dns-server 192.168.210.253 192.168.210.251
!
ip dhcp pool TLGUEST
 network 192.168.50.0 255.255.255.0
 default-router 192.168.50.1
 domain-name mycomp.ru
 dns-server 8.8.8.8
!
ip dhcp pool mycomp2
 network 192.168.203.0 255.255.255.0
 default-router 192.168.203.1
 domain-name mycomp.ru
 dns-server 192.168.210.253 192.168.210.251
 option 43 hex 0104.c0a8.cb14
 lease 180
!
ip dhcp pool mycomp2_TL
 network 192.168.51.0 255.255.255.0
 default-router 192.168.51.1
 domain-name mycomp.ru
 dns-server 192.168.210.253 192.168.210.251
!
ip dhcp pool VOIP
 network 192.168.52.0 255.255.254.0
 default-router 192.168.52.1
 domain-name mycomp.ru
 dns-server 192.168.210.253 192.168.210.251
 option 66 ascii 192.168.52.2
 lease 180
!
ip dhcp pool TL3
 network 192.168.48.0 255.255.254.0
 default-router 192.168.48.1
 domain-name mycomp.ru
 dns-server 192.168.210.253
!
subscriber templating
multilink bundle-name authenticated
vpdn enable
!
vpdn-group pptp
 ! Default L2TP VPDN group
 ! Default PPTP VPDN group
 accept-dialin
  protocol any
  virtual-template 1
!
license udi pid ISR4431/K9 sn FOC19471AXH
license boot level appxk9 disable
license boot level uck9 disable
!
spanning-tree extend system-id
!
redundancy
 mode none
!
vlan internal allocation policy ascending
!
track 75 ip sla 75 reachability
 delay down 60 up 60
!
track 88 ip sla 88 reachability
 delay down 60 up 60
!
track 207 ip sla 207 reachability
 delay down 60 up 60
!
track 208 ip sla 208 reachability
 delay down 60 up 60
!
class-map match-all CM_WIFI_TO_EXT
 match access-group name ACL_WIFI_TO_EXT
class-map match-all no_gre_fil
 match access-group 117
class-map match-all real-time
 match precedence 5
class-map match-any gre_fil
 match access-group 27
class-map match-any realtime-marking
 match protocol rtp
!
policy-map PM_WIFI_IN_1
 class CM_WIFI_TO_EXT
  police 5242500
 class class-default
policy-map PM_ISP_OUT_1
 class class-default
  shape peak 20971520
!
interface Loopback0
 description -- system loopback
 ip address 194.22.8.30 255.255.255.255
!
interface Loopback1
 ip address 10.200.200.1 255.255.255.255
!
interface Loopback2
 description tunnel2 194.22.8.1
!
interface Loopback3
 description tunnel3 194.22.8.25
!
interface Loopback4
 description NAT_FOR_MAIL_TALE
 ip address 194.22.8.4 255.255.255.255
 ip nat outside
!
interface Loopback5
 description -- for NAT
 ip address 194.22.8.6 255.255.255.255
 ip nat outside
!
interface Loopback6
 description youtrack_mysrv
 ip address 194.22.8.28 255.255.255.255
!
interface Loopback7
 description NAT_FOR_MAIL
 ip address 194.22.8.22 255.255.255.255
 ip nat outside
 ip access-group 116 in
!
interface Loopback8
 description NAT_FOR_VTASKMOB
 ip address 194.22.8.23 255.255.255.255
 ip nat outside
!
interface Tunnel3
 description NEW
 ip address 10.13.13.1 255.255.255.0
 no ip redirects
 ip mtu 1416
 ip nhrp authentication tra-tun3
 ip nhrp map multicast dynamic
 ip nhrp network-id 171623
 ip nhrp registration no-unique
 ip policy route-map from_RO_LAN
 ip ospf network broadcast
 ip ospf hello-interval 30
 ip ospf priority 10
 ip ospf mtu-ignore
 ip ospf cost 100
 tunnel source 194.22.8.1
 tunnel mode gre multipoint
 tunnel key 171623
!
interface GigabitEthernet0/0/0
 description krr_cs2_g0/0
 ip address 10.111.111.1 255.255.255.252
 negotiation auto
!
interface GigabitEthernet0/0/1
 description to_krr-sw1_g1/0/1
 no ip address
 negotiation auto
!
interface GigabitEthernet0/0/1.52
 description SIP_PHONES
 encapsulation dot1Q 52
 ip address 192.168.52.1 255.255.254.0
 ip nat inside
 ip policy route-map 115
 no cdp enable
!
interface GigabitEthernet0/0/1.100
 description LAN
 encapsulation dot1Q 100
 ip nat inside
 ip policy route-map from_GK_LAN
 no cdp enable
!
interface GigabitEthernet0/0/1.101
 description -- to MTS AS58322 (upstream)
 encapsulation dot1Q 101
 ip address 77.66.27.22 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip access-group 117 in
 no cdp enable
!
interface GigabitEthernet0/0/1.134
 description -- to PROV AS58322 (upstream)
 encapsulation dot1Q 134
 ip address 193.242.14.2 255.255.255.254
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip access-group 117 in
 no cdp enable
!
interface GigabitEthernet0/0/1.200
 description DMZ
 encapsulation dot1Q 200
 ip address 192.168.100.1 255.255.255.128
 ip nat inside
 ip ospf hello-interval 5
 ip ospf priority 10
 ip ospf cost 10
 no cdp enable
!
interface GigabitEthernet0/0/1.204
 description TL_GUEST
 encapsulation dot1Q 204
 ip address 192.168.50.1 255.255.255.0
 ip nat inside
 no cdp enable
!
interface GigabitEthernet0/0/1.205
 description WiFi_BOSS
 encapsulation dot1Q 205
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 no cdp enable
 service-policy input PM_WIFI_IN_1
!
interface GigabitEthernet0/0/1.211
 description TL3
 encapsulation dot1Q 211
 ip address 192.168.48.1 255.255.254.0
 ip nat inside
 no cdp enable
!
interface GigabitEthernet0/0/1.243
 description dc-food
 encapsulation dot1Q 243
 ip address 192.168.203.1 255.255.255.0
 ip nat inside
 ip policy route-map from_GK_LAN
 no cdp enable
!
interface GigabitEthernet0/0/1.244
 description TL_GUEST_TRMEDIA
 encapsulation dot1Q 244
 ip address 192.168.51.1 255.255.255.0
 ip nat inside
 no cdp enable
!
interface GigabitEthernet0/0/1.255
 description krr_lan_MGMT
 encapsulation dot1Q 255
 ip address 10.200.201.1 255.255.255.240
 ip nat inside
 no cdp enable
!
interface GigabitEthernet0/0/3
 no ip address
 negotiation auto
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 negotiation auto
!
interface Virtual-Template1
 ip dhcp client hostname mycomp.ru
 ip unnumbered Loopback0
 ip nat inside
 peer default ip address dhcp-pool users-vpn
 ppp authentication ms-chap-v2
 ppp authorization local
 ppp accounting VPN-USERS
!
interface Vlan1
 no ip address
!
router ospf 1
 redistribute connected subnets route-map vpdnip_ospf
 passive-interface GigabitEthernet0/0/0
 passive-interface GigabitEthernet0/0/2
 passive-interface GigabitEthernet0/0/3
 network 10.12.12.0 0.0.0.255 area 0
 network 10.13.13.0 0.0.0.255 area 0
 network 10.200.200.0 0.0.0.255 area 0
 network 10.200.201.0 0.0.0.15 area 1
 network 192.168.20.0 0.0.0.255 area 1
 network 192.168.48.0 0.0.1.255 area 1
 network 192.168.50.0 0.0.0.255 area 1
 network 192.168.51.0 0.0.0.255 area 1
 network 192.168.52.0 0.0.1.255 area 1
 network 192.168.100.0 0.0.0.127 area 1
 network 192.168.203.0 0.0.0.255 area 1
 network 192.168.206.0 0.0.0.255 area 1
 network 192.168.208.0 0.0.3.255 area 1
 neighbor 10.12.12.2 cost 1
!
router bgp 201631
 no bgp fast-external-fallover
 bgp log-neighbor-changes
 bgp deterministic-med
 bgp graceful-restart restart-time 120
 bgp graceful-restart stalepath-time 360
 bgp graceful-restart
 neighbor 77.66.207.221 remote-as 60490
 neighbor 77.66.207.221 description -- MTS tehnicheskaya (upstream)
 neighbor 193.242.148.200 remote-as 58314
 neighbor 193.242.148.200 description -- PROV (upstream)
 neighbor 212.188.45.204 remote-as 8359
 neighbor 212.188.45.204 description -- MTS fullview (upstream)
 neighbor 212.188.45.204 ebgp-multihop 10
 !
 address-family ipv4
  redistribute static route-map static-to-bgp
  neighbor 77.66.207.221 activate
  neighbor 77.66.207.221 send-community both
  neighbor 77.66.207.221 remove-private-as
  neighbor 77.66.207.221 route-map uAS8359-import in
  neighbor 77.66.207.221 route-map uAS8359-export out
  neighbor 193.242.148.200 activate
  neighbor 193.242.148.200 send-community both
  neighbor 193.242.148.200 remove-private-as
  neighbor 193.242.148.200 advertisement-interval 1
  neighbor 193.242.148.200 route-map uAS58322-import in
  neighbor 193.242.148.200 route-map uAS58322-export out
  neighbor 212.188.45.204 activate
  neighbor 212.188.45.204 send-community both
  neighbor 212.188.45.204 remove-private-as
  neighbor 212.188.45.204 advertisement-interval 1
  neighbor 212.188.45.204 route-map uAS8359-import in
  neighbor 212.188.45.204 route-map uAS8359-export out
 exit-address-family
!
ip nat inside source route-map dynamic-nat interface Loopback5 overload
ip nat inside source route-map dynamic-nat-mail interface Loopback7 overload
ip nat inside source route-map dynamic-nat-mail-TALE interface Loopback4 overload
ip nat inside source route-map dynamic-nat-yt-TALE interface Loopback6 overload
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 18.0.0.0 2 name floating-default-to-mit
ip route 0.0.0.0 0.0.0.0 4.0.0.0 3 name floating-default-to-level3
ip route 0.0.0.0 0.0.0.0 128.15.0.0 4 name floating-default-to-llnl
ip route 0.0.0.0 0.0.0.0 132.249.0.0 5 name floating-default-to-sdsc
ip route 0.0.0.0 0.0.0.0 194.226.64.0 6 name floating-default-to-rosniiros
ip route 0.0.0.0 255.0.0.0 Null0 name martians-route
ip route 127.0.0.0 255.0.0.0 Null0 name martians-route
ip route 194.22.8.0 255.255.255.0 Null0 tag 609 name aggregate-to-bgp
ip route 212.188.45.204 255.255.255.255 77.66.207.221 name to-ebgp-peer-mts
ip route 217.79.225.8 255.255.255.255 77.66.206.97 name mikhail-emergancy
ip ssh version 2
!
ip community-list standard type-aggregate permit 609
!
ip access-list extended ACL_WIFI_TO_EXT
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip any any
ip access-list extended border-filter-in
ip access-list extended from_2ndISP
 permit ip any host 193.242.149.83
ip access-list extended to-inet
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.0.0.0 0.240.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 deny   ip any 194.22.8.0 0.0.0.255
 permit ip any any
ip access-list extended vlan100-out
 permit ip 192.168.0.0 0.0.255.255 any
 permit ip 10.0.0.0 0.255.255.255 any
 permit ip 172.16.0.0 0.15.255.255 any
 permit tcp any host 192.168.210.78 eq www
!
ip prefix-list allocated-blocks description -- registered address blocks
ip prefix-list allocated-blocks seq 10 deny 194.22.8.0/24 le 32
!
ip prefix-list default-networks description networks we use to point default to
ip prefix-list default-networks seq 10 permit 18.0.0.0/8
ip prefix-list default-networks seq 20 permit 4.0.0.0/8
ip prefix-list default-networks seq 30 permit 128.15.0.0/16
ip prefix-list default-networks seq 40 permit 132.249.0.0/16
ip prefix-list default-networks seq 50 permit 194.226.64.0/20
!
ip prefix-list martians description RFC3330 martians nets
ip prefix-list martians seq 5 permit 0.0.0.0/8 le 32
ip prefix-list martians seq 10 permit 10.0.0.0/8 le 32
ip prefix-list martians seq 15 permit 127.0.0.0/8 le 32
ip prefix-list martians seq 20 permit 169.254.0.0/16 le 32
ip prefix-list martians seq 25 permit 172.16.0.0/12 le 32
ip prefix-list martians seq 30 permit 192.0.2.0/24 le 32
ip prefix-list martians seq 35 permit 192.42.172.0/24 le 32
ip prefix-list martians seq 40 permit 192.88.99.0/24 le 32
ip prefix-list martians seq 45 permit 192.168.0.0/16 le 32
ip prefix-list martians seq 50 permit 198.18.0.0/15 le 32
ip prefix-list martians seq 55 permit 224.0.0.0/4 le 32
ip prefix-list martians seq 60 permit 240.0.0.0/4 le 32
ip sla 75
 icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0/1.134
 frequency 10
ip sla schedule 75 life forever start-time now
ip sla 88
 icmp-echo 192.168.211.1 source-interface GigabitEthernet0/0/1.100
 frequency 10
ip sla schedule 88 life forever start-time now
ip sla 99
 icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0/1.101
 frequency 10
ip sla schedule 99 life forever start-time now
ip sla 207
 icmp-echo 10.3.1.2 source-interface Tunnel3
 frequency 10
ip sla schedule 207 life forever start-time now
ip sla 208
 icmp-echo 10.2.2.2 source-interface GigabitEthernet0/0/1.138
 frequency 10
ip sla schedule 208 life forever start-time now
access-list 25 permit 192.168.208.0 0.0.3.255
access-list 25 permit 192.168.100.0 0.0.0.127
access-list 25 permit 10.100.100.0 0.0.0.255
access-list 25 permit 10.10.10.0 0.0.0.255
access-list 25 permit 10.11.11.0 0.0.0.255
access-list 25 permit 10.200.200.0 0.0.0.255
access-list 25 permit 10.111.111.0 0.0.0.3
access-list 25 permit 192.168.52.0 0.0.1.255
access-list 26 permit 192.168.211.10
access-list 26 permit 192.168.211.13
access-list 28 permit any
access-list 33 permit 10.100.100.0 0.0.0.255
access-list 34 permit 192.168.210.252
access-list 34 permit 192.168.209.98
access-list 77 permit 192.168.209.245
access-list 78 permit 192.168.208.250
access-list 78 permit 192.168.208.237
access-list 78 permit 192.168.210.85
access-list 79 permit 192.168.208.250
access-list 79 permit 192.168.210.102
access-list 80 permit 192.168.210.96
access-list 88 deny   192.168.208.250
access-list 88 deny   192.168.209.245
access-list 88 deny   192.168.210.96
access-list 88 deny   192.168.210.102
access-list 88 permit 10.2.1.0 0.0.0.255
access-list 88 permit 10.2.2.0 0.0.0.255
access-list 88 permit 10.1.1.0 0.0.0.255
access-list 88 permit 10.1.2.0 0.0.0.255
access-list 88 permit 10.3.1.0 0.0.0.255
access-list 88 permit 10.3.2.0 0.0.0.255
access-list 88 permit 10.3.3.0 0.0.0.255
access-list 88 permit 10.10.10.0 0.0.0.255
access-list 88 permit 10.100.100.0 0.0.0.255
access-list 88 permit 10.200.200.0 0.0.0.255
access-list 88 permit 10.200.201.0 0.0.0.255
access-list 88 permit 192.168.10.0 0.0.0.255
access-list 88 permit 192.168.20.0 0.0.0.255
access-list 88 permit 192.168.100.0 0.0.0.127
access-list 88 permit 192.168.203.0 0.0.0.255
access-list 88 permit 192.168.205.0 0.0.0.255
access-list 88 permit 192.168.206.0 0.0.0.255
access-list 88 permit 192.168.207.0 0.0.0.255
access-list 88 permit 192.168.208.0 0.0.3.255
access-list 88 permit 192.168.212.0 0.0.3.255
access-list 88 permit 192.168.216.0 0.0.3.255
access-list 88 permit 192.168.220.0 0.0.3.255
access-list 88 permit 192.168.224.0 0.0.3.255
access-list 88 permit 192.168.232.0 0.0.3.255
access-list 88 permit 192.168.236.0 0.0.3.255
access-list 88 permit 192.168.240.0 0.0.3.255
access-list 88 permit 192.168.244.0 0.0.0.255
access-list 88 permit 10.11.11.0 0.0.0.255
access-list 88 permit 192.168.48.0 0.0.1.255
access-list 88 permit 192.168.50.0 0.0.0.255
access-list 88 permit 192.168.52.0 0.0.1.255
access-list 88 permit 193.242.149.0 0.0.0.255
access-list 88 permit 192.168.155.0 0.0.0.255
access-list 88 permit 192.168.156.0 0.0.0.255
access-list 88 permit 192.168.157.0 0.0.0.255
access-list 177 deny   ip 192.168.237.0 0.0.0.255 any
access-list 177 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 177 deny   ip 192.168.0.0 0.0.255.255 10.1.1.0 0.0.0.255
access-list 177 deny   ip 192.168.0.0 0.0.255.255 10.1.2.0 0.0.0.255
access-list 177 deny   ip 192.168.0.0 0.0.255.255 10.2.1.0 0.0.0.255
access-list 177 deny   ip 192.168.0.0 0.0.255.255 10.2.2.0 0.0.0.255
access-list 177 deny   ip 192.168.0.0 0.0.255.255 10.3.1.0 0.0.0.255
access-list 177 deny   ip 192.168.0.0 0.0.255.255 10.3.2.0 0.0.0.255
access-list 177 deny   ip 192.168.0.0 0.0.255.255 10.3.3.0 0.0.0.255
access-list 177 deny   ip 192.168.0.0 0.0.255.255 10.5.5.0 0.0.0.255
access-list 177 deny   ip 192.168.0.0 0.0.255.255 10.11.11.0 0.0.0.255
access-list 177 deny   ip 192.168.0.0 0.0.255.255 10.100.100.0 0.0.0.255
access-list 177 deny   ip 192.168.0.0 0.0.255.255 10.200.200.0 0.0.0.255
access-list 177 permit ip 192.168.0.0 0.0.255.255 any
access-list 178 deny   ip host 192.168.208.28 any
access-list 178 deny   ip host 192.168.210.102 any
access-list 178 deny   ip 192.168.48.0 0.0.1.255 any
access-list 178 deny   ip 192.168.50.0 0.0.0.255 any
access-list 178 deny   ip 192.168.52.0 0.0.1.255 any
access-list 178 deny   ip 192.168.208.0 0.0.3.255 192.168.0.0 0.0.255.255
access-list 178 deny   ip 192.168.208.0 0.0.3.255 10.1.1.0 0.0.0.255
access-list 178 deny   ip 192.168.208.0 0.0.3.255 10.1.2.0 0.0.0.255
access-list 178 deny   ip 192.168.208.0 0.0.3.255 10.2.1.0 0.0.0.255
access-list 178 deny   ip 192.168.208.0 0.0.3.255 10.2.2.0 0.0.0.255
access-list 178 deny   ip 192.168.208.0 0.0.3.255 10.3.1.0 0.0.0.255
access-list 178 deny   ip 192.168.208.0 0.0.3.255 10.3.2.0 0.0.0.255
access-list 178 deny
ip 192.168.208.0 0.0.3.255 10.3.3.0 0.0.0.255 access-list 178 deny ip 192.168.208.0 0.0.3.255 10.5.5.0 0.0.0.255 access-list 178 deny ip 192.168.208.0 0.0.3.255 10.11.11.0 0.0.0.255 access-list 178 deny ip 192.168.208.0 0.0.3.255 10.100.100.0 0.0.0.255 access-list 178 deny ip 192.168.208.0 0.0.3.255 10.200.200.0 0.0.0.255 access-list 178 deny ip 192.168.203.0 0.0.0.255 192.168.0.0 0.0.255.255 access-list 178 deny ip 192.168.203.0 0.0.0.255 10.10.10.0 0.0.0.255 access-list 178 deny ip 192.168.203.0 0.0.0.255 10.11.11.0 0.0.0.255 access-list 178 deny ip 192.168.203.0 0.0.0.255 10.100.100.0 0.0.0.255 access-list 178 deny ip 192.168.203.0 0.0.0.255 10.200.200.0 0.0.0.255 access-list 178 deny ip 192.168.206.0 0.0.0.255 192.168.0.0 0.0.255.255 access-list 178 deny ip 192.168.206.0 0.0.0.255 10.10.10.0 0.0.0.255 access-list 178 deny ip 192.168.206.0 0.0.0.255 10.11.11.0 0.0.0.255 access-list 178 deny ip 192.168.206.0 0.0.0.255 10.100.100.0 0.0.0.255 access-list 178 deny ip 192.168.207.0 0.0.0.255 192.168.0.0 0.0.255.255 access-list 178 deny ip 192.168.207.0 0.0.0.255 10.10.10.0 0.0.0.255 access-list 178 deny ip 192.168.207.0 0.0.0.255 10.11.11.0 0.0.0.255 access-list 178 deny ip 192.168.207.0 0.0.0.255 10.100.100.0 0.0.0.255 access-list 178 deny ip 192.168.207.0 0.0.0.255 10.200.200.0 0.0.0.255 access-list 178 deny ip 192.168.100.0 0.0.0.127 any access-list 178 deny ip host 192.168.208.78 any access-list 178 deny ip host 192.168.210.78 any access-list 178 deny ip host 192.168.208.118 any access-list 178 deny ip host 192.168.208.175 any access-list 178 deny ip host 192.168.208.233 any access-list 178 deny ip host 192.168.209.79 any access-list 178 deny ip host 192.168.209.98 any access-list 178 deny ip host 192.168.208.215 any access-list 178 deny ip host 192.168.209.201 any access-list 178 deny ip host 192.168.209.211 any access-list 178 deny ip host 192.168.210.250 any access-list 178 deny ip host 192.168.210.252 any access-list 178 deny ip host 192.168.211.1 any 
access-list 178 deny ip host 192.168.211.10 any access-list 178 deny ip host 192.168.211.12 any access-list 178 deny ip host 192.168.211.13 any access-list 178 deny ip host 192.168.208.168 any access-list 178 deny ip host 192.168.208.156 any access-list 178 deny ip host 192.168.208.124 any access-list 178 deny ip host 192.168.209.245 any access-list 178 deny ip host 192.168.209.20 any access-list 178 deny ip host 192.168.208.61 any access-list 178 deny ip host 192.168.211.216 any access-list 178 deny ip host 192.168.209.57 any access-list 178 deny ip host 192.168.210.189 any access-list 178 deny ip host 192.168.208.209 any access-list 178 deny ip host 192.168.208.80 any access-list 178 deny ip host 192.168.210.85 any access-list 178 deny ip host 192.168.208.237 any access-list 178 deny ip host 192.168.209.26 any access-list 178 deny ip host 192.168.210.55 any access-list 178 deny ip host 192.168.210.171 any access-list 178 deny ip host 192.168.208.250 any access-list 178 permit ip 192.168.203.0 0.0.0.255 any access-list 178 permit ip 192.168.205.0 0.0.0.255 any access-list 178 permit ip 192.168.206.0 0.0.0.255 any access-list 178 permit ip 192.168.207.0 0.0.0.255 any access-list 178 permit ip 192.168.208.0 0.0.3.255 any ! route-map dynamic-nat-mail permit 10 match ip address 77 ! route-map ISP1-NAT permit 10 match ip address 88 ! route-map ISP2-NAT permit 10 match ip address 88 ! route-map aggregate-to-bgp permit 10 set local-preference 1000 set origin igp set community 609 ! route-map dynamic-nat-vtaskmob permit 10 match ip address 78 ! route-map dynamic-nat permit 10 match ip address 88 ! route-map 115 permit 10 match ip address 115 set ip next-hop verify-availability 193.242.149.1 10 track 75 set ip next-hop verify-availability 77.66.206.97 20 track 99 ! route-map from_2ndISP permit 10 match ip address from_2ndISP ! route-map vpdnip_ospf permit 10 match ip address 33 ! 
route-map from_RO_LAN permit 10 match ip address 177 set ip next-hop verify-availability 192.168.211.1 10 track 88 ! route-map uAS8359-export permit 10 description -- advertise only my AS prefixes match community type-aggregate ! route-map gre_fil permit 10 match ip address 27 ! route-map gre_fil permit 20 match policy-list 28 ! route-map dynamic-nat-mail-TALE permit 10 match ip address 79 ! route-map uAS8359-import deny 20 description -- filter martians, default and our own prefixes match ip address prefix-list martians allocated-blocks ! route-map uAS8359-import permit 100 match ip address prefix-list default-networks set local-preference 200 set community 626 ! route-map uAS8359-import permit 200 set local-preference 100 set community 626 ! route-map dynamic-nat-yt-TALE permit 10 match ip address 80 ! route-map from_GK_LAN permit 10 match ip address 178 set ip next-hop verify-availability 192.168.211.1 10 track 88 ! route-map uAS58322-import deny 20 description -- filter martians, default and our own prefixes match ip address prefix-list martians allocated-blocks ! route-map uAS58322-import permit 100 match ip address prefix-list default-networks set local-preference 200 set community 626 ! route-map uAS58322-import permit 200 set local-preference 100 set community 626 ! route-map uAS58322-export permit 10 description -- advertise only my AS prefixes match community type-aggregate ! route-map static-to-bgp permit 10 match tag 609 set local-preference 1000 set origin igp set community 609 !

Some clients connect over L2TP bypassing IPsec

Good day. Here is the picture: an ISR2911, I set up an L2TP server and configured IPsec with PSK authentication. The problem is that Windows clients connect easily without it, i.e. sometimes they cannot connect until the key is entered, but if you then disconnect and remove the key, they connect fine without it, and crypto session in those cases says there are no encrypted sessions. Sometimes they can connect without the key right away. Mac clients, however, connect normally, always requiring the key, and there is information about them in crypto session. The debugs debug crypto ipsec and debug crypto isakmp show nothing when connecting without the key; only debug l2tp all shows anything:

Feb 9 00:34:52.979: L2TP _____:________: I SCCRQ, flg TLS, ver 2, len 100
Feb 9 00:34:52.979: L2TP _____:________: IETF v2:
Feb 9 00:34:52.979: L2TP _____:________: Protocol Version 1, Revision 0
Feb 9 00:34:52.979: L2TP _____:________: Framing Cap sync(0x1)
Feb 9 00:34:52.979: L2TP _____:________: Bearer Cap none(0x0)
Feb 9 00:34:52.979: L2TP _____:________: Firmware Ver 0x601
Feb 9 00:34:52.979: L2TP _____:________: Hostname '<55><73><65><72><2D><1F><1A>'
Feb 9 00:34:52.979: L2TP _____:________: Vendor Name
Feb 9 00:34:52.979: L2TP _____:________: 'Microsoft'
Feb 9 00:34:52.979: L2TP _____:________: Assigned Tunnel I 0x00000002 (2)
Feb 9 00:34:52.979: L2TP _____:________: Recv Window Size 8
Feb 9 00:34:52.979: L2TP _____:________:
Feb 9 00:34:52.979: L2X tnl 08233:________: Create logical tunnel
Feb 9 00:34:52.979: L2TP tnl 08233:________: Create tunnel
Feb 9 00:34:52.979: L2TP tnl 08233:________: version set to V2
Feb 9 00:34:52.979: L2TP tnl 08233:________: remote ip set to *******
Feb 9 00:34:52.979: L2TP tnl 08233:________: local ip set to *******
Feb 9 00:34:52.983: L2TP tnl 08233:0000E427: FSM-CC ev Rx-SCCRQ
Feb 9 00:34:52.983: L2TP tnl 08233:0000E427: FSM-CC Idle->Proc-SCCRQ
Feb 9 00:34:52.983: L2TP tnl 08233:0000E427: FSM-CC do Rx-SCCRQ
Feb 9 00:34:52.983: L2X _____:________: Tunnel author started for User-
Feb 9 00:34:52.983: L2X _____:________: Tunnel author found
Feb 9 00:34:52.983: L2TP tnl 08233:0000E427: Author reply, data source: 'L2TP'
Feb 9 00:34:52.983: L2X _____:________: class
Feb 9 00:34:52.983: L2X _____:________: created
Feb 9 00:34:52.983: L2X _____:________: class
Feb 9 00:34:52.983: L2X _____:________: App locked 0->1
Feb 9 00:34:52.983: L2X _____:________: class
Feb 9 00:34:52.983: L2X _____:________: Protocol locked 0->1
Feb 9 00:34:52.983: L2TP tnl 08233:0000E427: class name AAA author, group 'L2TP'
Feb 9 00:34:52.983: L2X _____:________: class
Feb 9 00:34:52.983: L2X _____:________: App unlocked 1->0
Feb 9 00:34:52.983: L2TP tnl 08233:0000E427: peer cap sync set
Feb 9 00:34:52.983: L2TP tnl 08233:0000E427: FSM-CC ev SCCRQ-OK
Feb 9 00:34:52.983: L2TP tnl 08233:0000E427: FSM-CC Proc-SCCRQ->Wt-SCCCN
Feb 9 00:34:52.983: L2TP tnl 08233:0000E427: FSM-CC do Tx-SCCRP
Feb 9 00:34:52.983: L2X _____:________: l2x_open_socket: is called
Feb 9 00:34:52.983: L2TP tnl 08233:0000E427: Open sock *******:1701->*******:65369
Feb 9 00:34:52.983: L2TP tnl 08233:0000E427: FSM-CC ev Sock-Ready
Feb 9 00:34:52.983: L2TP tnl 08233:0000E427: FSM-CC in Wt-SCCCN
Feb 9 00:34:52.983: L2TP tnl 08233:0000E427: FSM-CC do Ignore-Sock-Up
Feb 9 00:34:52.983: L2TP tnl 08233:0000E427:
Feb 9 00:34:52.983: L2TP tnl 08233:0000E427: O SCCRP to User- tnl 2
Feb 9 00:34:52.983: L2TP tnl 08233:0000E427: IETF v2:
VL-ROUTER-CISCO#
Feb 9 00:34:52.983: L2TP tnl 08233:0000E427: Protocol Version 1, Revision 0
Feb 9 00:34:52.983: L2TP tnl 08233:0000E427: Framing Cap none(0x0)
Feb 9 00:34:52.983: L2TP tnl 08233:0000E427: Firmware Ver 0x1130
Feb 9 00:34:52.983: L2TP tnl 08233:0000E427: Hostname 'VL-ROUTER-CISCO'
Feb 9 00:34:52.983: L2TP tnl 08233:0000E427: Vendor Name
Feb 9 00:34:52.983: L2TP tnl 08233:0000E427: 'Cisco Systems, Inc.'
Feb 9 00:34:52.983: L2TP tnl 08233:0000E427: Assigned Tunnel I 0x0000E427 (58407)
Feb 9 00:34:52.983: L2TP tnl 08233:0000E427: Recv Window Size 1024
Feb 9 00:34:52.983: L2TP tnl 08233:0000E427:
Feb 9 00:34:53.255: L2TP tnl 08233:0000E427: Drain unsentQ, cur/max resendQ sz 0/8, unsentQ 0
Feb 9 00:34:53.255: L2TP tnl 08233:0000E427:
Feb 9 00:34:53.255: L2TP tnl 08233:0000E427: I SCCCN, flg TLS, ver 2, len 20
Feb 9 00:34:53.255: L2TP tnl 08233:0000E427:
Feb 9 00:34:53.255: L2TP tnl 08233:0000E427: FSM-CC ev Rx-SCCCN
Feb 9 00:34:53.255: L2TP tnl 08233:0000E427: FSM-CC Wt-SCCCN->Proc-SCCCN
Feb 9 00:34:53.255: L2TP tnl 08233:0000E427: FSM-CC do Rx-SCCCN
Feb 9 00:34:53.255: L2TP tnl 08233:0000E427:
Feb 9 00:34:53.255: L2TP tnl 08233:0000E427: O ZLB ACK to User- tnl 2
Feb 9 00:34:53.255: L2TP tnl 08233:0000E427:
Feb 9 00:34:53.259: L2TP tnl 08233:0000E427: FSM-CC ev SCCCN-OK
Feb 9 00:34:53.259: L2TP tnl 08233:0000E427: FSM-CC Proc-SCCCN->established
Feb 9 00:34:53.259: L2TP tnl 08233:0000E427: FSM-CC do Established
Feb 9 00:34:53.259: L2TP tnl 08233:0000E427: Control channel up
Feb 9 00:34:53.259: L2TP tnl 08233:0000E427: *******<->*******
Feb 9 00:34:53.315: L2TP tnl 08233:0000E427: ZLB: dropping packet
Feb 9 00:34:53.511: L2TP _____:________: ERROR: ICRQ AVP 1, vendor 311: unknown
Feb 9 00:34:53.511: L2TP tnl 08233:0000E427: Unknown Vendor 311 AVP 1 in CM ICRQ
Feb 9 00:34:53.511: L2TP tnl 08233:0000E427:
Feb 9 00:34:53.511: L2TP tnl 08233:0000E427: I ICRQ, flg TLS, ver 2, len 70
Feb 9 00:34:53.511: L2TP tnl 08233:0000E427: IETF v2:
Feb 9 00:34:53.511: L2TP tnl 08233:0000E427: Assigned Call ID 0x00000001 (1)
Feb 9 00:34:53.511: L2TP tnl 08233:0000E427: Serial Number 0
Feb 9 00:34:53.511: L2TP tnl 08233:0000E427: Bearer Type analog(2)
Feb 9 00:34:53.511: L2TP tnl 08233:0000E427:
Feb 9 00:34:53.511: L2X _____:_____:________: Create logical session
Feb 9 00:34:53.511: L2TP _____:_____:________: Create session
Feb 9 00:34:53.515: L2TP _____:_____:________: Using ICRQ FSM
Feb 9 00:34:53.515: L2TP _____:_____:________: FSM-Sn ev created
Feb 9 00:34:53.515: L2TP _____:_____:________: FSM-Sn Init->Idle
Feb 9 00:34:53.515: L2TP _____:_____:________: FSM-Sn do none
Feb 9 00:34:53.515: L2TP _____:_____:________: remote ip set to *******
Feb 9 00:34:53.515: L2TP _____:_____:________: local ip set to *******
Feb 9 00:34:53.515: L2TP tnl 08233:0000E427: FSM-CC ev Session-Conn
Feb 9 00:34:53.515: L2TP tnl 08233:0000E427: FSM-CC in established
Feb 9 00:34:53.515: L2TP tnl 08233:0000E427: FSM-CC do Session-Conn-Est
Feb 9 00:34:53.515: L2TP tnl 08233:0000E427: Session count now 1
Feb 9 00:34:53.515: L2TP _____:08233:00003C39: FSM-Sn ev CC-Up
Feb 9 00:34:53.515: L2TP _____:08233:00003C39: FSM-Sn in Idle
Feb 9 00:34:53.515: L2TP _____:08233:00003C39: FSM-Sn do CC-Up-Ignore0-1
Feb 9 00:34:53.515: L2TP _____:08233:00003C39: Session attached
Feb 9 00:34:53.515: L2TP _____:08233:00003C39: FSM-Sn ev Rx-ICRQ
Feb 9 00:34:53.515: L2TP _____:08233:00003C39: FSM-Sn Idle->Proc-ICRQ
Feb 9 00:34:53.515: L2TP _____:08233:00003C39: FSM-Sn do Rx-ICRQ
Feb 9 00:34:53.515: L2TP _____:08233:00003C39: Chose application VPDN
Feb 9 00:34:53.515: L2TP _____:08233:00003C39: App type set to VPDN
Feb 9 00:34:53.515: L2TP tnl 08233:0000E427: VPDN Session count now 1
Feb 9 00:34:53.515: L2TP _____:08233:00003C39: VPDN: process AVPs
Feb 9 00:34:53.515: L2TP _____:08233:00003C39: Set HA epoch to 0
Feb 9 00:34:53.515: L2TP _____:08233:00003C39: Local AC is now UP
Feb 9 00:34:53.515: L2TP _____:08233:00003C39: Remote AC is now UP
Feb 9 00:34:53.515: L2TP _____:08233:00003C39:
Feb 9 00:34:53.515: L2TP _____:08233:00003C39: APP<-L2TP: Incoming
Feb 9 00:34:53.515: L2TP _____:08233:00003C39: sock 00000000
Feb 9 00:34:53.515: L2TP _____:08233:00003C39: serv 00008235
Feb 9 00:34:53.515: L2TP _____:08233:00003C39:
Feb 9 00:34:53.515: L2TP _____:08233:00003C39: L2TUN: add sock 00001238
Feb 9 00:34:53.515: L2TP _____:08233:00003C39:
Feb 9 00:34:53.515: L2TP _____:08233:00003C39: APP->L2TP: Accept ,
Feb 9 00:34:53.515: L2TP _____:08233:00003C39: sock 00001238
Feb 9 00:34:53.515: L2TP _____:08233:00003C39: serv 00008235
Feb 9 00:34:53.515: L2TP _____:08233:00003C39: data 3EB7FDD4
Feb 9 00:34:53.515: L2TP _____:08233:00003C39: replied on new socket
Feb 9 00:34:53.515: L2TP _____:08233:00003C39:
Feb 9 00:34:53.515: L2TP _____:08233:00003C39: App type set to VPDN
Feb 9 00:34:53.515: L2TP 0003F:08233:00003C39: UDP checksum ignore is enabled
Feb 9 00:34:53.515: L2TP 0003F:08233:00003C39: Sequencing default tx disabled
Feb 9 00:34:53.515: L2TP 0003F:08233:00003C39: Sequencing default rx disabled
Feb 9 00:34:53.515: L2TP 0003F:08233:00003C39: Framing set to sync
Feb 9 00:34:53.515: L2TP 0003F:08233:00003C39: Bearer set to none
Feb 9 00:34:53.515: L2TP 0003F:08233:00003C39: no cookies enabled
Feb 9 00:34:53.515: L2TP 0003F:08233:00003C39: FSM-Sn ev ICRQ-OK
Feb 9 00:34:53.515: L2TP 0003F:08233:00003C39: FSM-Sn Proc-ICRQ->Wt-Tx-ICRP
Feb 9 00:34:53.515: L2TP 0003F:08233:00003C39: FSM-Sn do Tx-ICRP-Local-Check
Feb 9 00:34:53.515: L2TP 0003F:08233:00003C39: FSM-Sn ev Local-Cont
Feb 9 00:34:53.515: L2TP 0003F:08233:00003C39: FSM-Sn Wt-Tx-ICRP->Wt-Rx-ICCN
Feb 9 00:34:53.515: L2TP 0003F:08233:00003C39: FSM-Sn do Tx-ICRP
Feb 9 00:34:53.515: L2X _____:________: l2x_open_socket: is called
Feb 9 00:34:53.515: L2TP 0003F:08233:00003C39: Open sock *******:1701->*******:65369
Feb 9 00:34:53.515: L2TP 0003F:08233:00003C39: FSM-Sn ev Sock-Ready
Feb 9 00:34:53.515: L2TP 0003F:08233:00003C39: FSM-Sn in Wt-Rx-ICCN
Feb 9 00:34:53.515: L2TP 0003F:08233:00003C39: FSM-Sn do Ignore-Sock-Up
Feb 9 00:34:53.515: L2TP 0003F:08233:00003C39:
Feb 9 00:34:53.515: L2TP 0003F:08233:00003C39: O ICRP to User- 2/1
Feb 9 00:34:53.519: L2TP 0003F:08233:00003C39: IETF v2:
Feb 9 00:34:53.519: L2TP 0003F:08233:00003C39: Assigned Call ID 0x00003C39 (15417)
Feb 9 00:34:53.519: L2TP 0003F:08233:00003C39:
Feb 9 00:34:53.519: L2TP 0003F:08233:00003C39: APP->L2TP: Setup dataplane ,
Feb 9 00:34:53.519: L2TP 0003F:08233:00003C39: sock 00001238
Feb 9 00:34:53.519: L2TP 0003F:08233:00003C39: serv 00008235
Feb 9 00:34:53.519: L2TP 0003F:08233:00003C39: data 216CD36C
Feb 9 00:34:53.519: L2TP 0003F:08233:00003C39: replied on same socket
Feb 9 00:34:53.519: L2TP 0003F:08233:00003C39:
Feb 9 00:34:53.519: L2TP 0003F:08233:00003C39: FSM-Sn ev DP-Setup
Feb 9 00:34:53.519: L2TP 0003F:08233:00003C39: FSM-Sn in Wt-Rx-ICCN
Feb 9 00:34:53.519: L2TP 0003F:08233:00003C39: FSM-Sn do Ignore-DP-Setup
Feb 9 00:34:53.959: L2TP tnl 08233:0000E427: Drain unsentQ, cur/max resendQ sz 0/8, unsentQ 0
Feb 9 00:34:53.959: L2TP tnl 08233:0000E427:
Feb 9 00:34:53.959: L2TP 0003F:08233:00003C39: I ICCN, flg TLS, ver 2, len 48
Feb 9 00:34:53.959: L2TP 0003F:08233:00003C39: IETF v2:
Feb 9 00:34:53.959: L2TP 0003F:08233:00003C39: Framing Type sync(1)
Feb 9 00:34:53.959: L2TP 0003F:08233:00003C39: Connect Speed 72000000
Feb 9 00:34:53.959: L2TP 0003F:08233:00003C39: Proxy Auth Type 4
Feb 9 00:34:53.959: L2TP 0003F:08233:00003C39:
Feb 9 00:34:53.959: L2TP 0003F:08233:00003C39: O ZLB ACK to User- 2/1
Feb 9 00:34:53.963: L2TP 0003F:08233:00003C39:
Feb 9 00:34:53.963: L2TP 0003F:08233:00003C39: FSM-Sn ev Rx-ICCN
Feb 9 00:34:53.963: L2TP 0003F:08233:00003C39: FSM-Sn Wt-Rx-ICCN->Proc-ICCN
Feb 9 00:34:53.963: L2TP 0003F:08233:00003C39: FSM-Sn do Rx-ICCN
Feb 9 00:34:53.963: L2TP 0003F:08233:00003C39: MTU is 65535
Feb 9 00:34:53.963: L2TP 0003F:08233:00003C39: Session data plane UP
Feb 9 00:34:53.963: L2TP 0003F:08233:00003C39: VPDN: process AVPs
Feb 9 00:34:53.963: L2TP 0003F:08233:00003C39:
Feb 9 00:34:53.963: L2TP 0003F:08233:00003C39: APP<-L2TP: Connected
Feb 9 00:34:53.963: L2TP 0003F:08233:00003C39: sock 00001238
Feb 9 00:34:53.963: L2TP 0003F:08233:00003C39: serv 00008235
Feb 9 00:34:53.963: L2TP 0003F:08233:00003C39:
Feb 9 00:34:53.963: L2TP 0003F:08233:00003C39: FSM-Sn ev ICCN-OK
Feb 9 00:34:53.963: L2TP 0003F:08233:00003C39: FSM-Sn Proc-ICCN->established
Feb 9 00:34:53.963: L2TP 0003F:08233:00003C39: FSM-Sn do Established
Feb 9 00:34:53.963: L2TP 0003F:08233:00003C39: Session up
Feb 9 00:34:53.963: L2TP 0003F:08233:00003C39: *******<->*******
VL-ROUTER-CISCO#
Feb 9 00:34:54.015: L2TP tnl 08233:0000E427:
Feb 9 00:34:54.015: L2TP tnl 08233:0000E427: I ZLB ACK, flg TLS, ver 2, len 12
Feb 9 00:34:54.015: L2TP tnl 08233:0000E427:
VL-ROUTER-CISCO#
Feb 9 00:34:55.987: L2TP 0003F:08233:00003C39: APP->L2TP: Session updated ,
Feb 9 00:34:55.987: L2TP 0003F:08233:00003C39: sock 00001238
Feb 9 00:34:55.987: L2TP 0003F:08233:00003C39: serv 00008235
Feb 9 00:34:55.987: L2TP 0003F:08233:00003C39: data 3FCF0AA4
Feb 9 00:34:55.987: L2TP 0003F:08233:00003C39: replied on same socket
Feb 9 00:34:55.987: L2TP 0003F:08233:00003C39:
Feb 9 00:34:55.987: L2TP 0003F:08233:00003C39: App type set to VPDN
Feb 9 00:34:55.987: L2TP 0003F:08233:00003C39: Sequencing default tx disabled
Feb 9 00:34:55.987: L2TP 0003F:08233:00003C39: Sequencing default rx disabled
Feb 9 00:34:55.987: L2TP 0003F:08233:00003C39: Framing set to sync
Feb 9 00:34:55.987: L2TP 0003F:08233:00003C39: Bearer set to none
Feb 9 00:34:55.987: L2TP 0003F:08233:00003C39:
Feb 9 00:34:55.987: L2TP 0003F:08233:00003C39: APP<-L2TP: Dataplane up
Feb 9 00:34:55.987: L2TP 0003F:08233:00003C39: sock 00001238
Feb 9 00:34:55.987: L2TP 0003F:08233:00003C39: serv 00008235
Feb 9 00:34:55.987: L2TP 0003F:08233:00003C39:
Feb 9 00:34:55.991: L2TP 0003F:08233:00003C39: FSM-Sn ev DP-Up
Feb 9 00:34:55.991: L2TP 0003F:08233:00003C39: FSM-Sn in established
Feb 9 00:34:55.991: L2TP 0003F:08233:00003C39: FSM-Sn do Ignore-DP-UP
Feb 9 00:34:55.991: L2TP 0003F:08233:00003C39:
Feb 9 00:34:55.991: L2TP 0003F:08233:00003C39: APP->L2TP: Session updated ,
Feb 9 00:34:55.991: L2TP 0003F:08233:00003C39: sock 00001238
Feb 9 00:34:55.991: L2TP 0003F:08233:00003C39: serv 00008235
Feb 9 00:34:55.991: L2TP 0003F:08233:00003C39: data 3FCF0AA4
Feb 9 00:34:55.991: L2TP 0003F:08233:00003C39: replied on same socket
Feb 9 00:34:55.991: L2TP 0003F:08233:00003C39:
Feb 9 00:34:55.991: L2TP 0003F:08233:00003C39: App type set to VPDN
Feb 9 00:34:55.991: L2TP 0003F:08233:00003C39: Sequencing default tx disabled
Feb 9 00:34:55.991: L2TP 0003F:08233:00003C39: Sequencing default rx disabled
Feb 9 00:34:55.991: L2TP 0003F:08233:00003C39: Framing set to sync
Feb 9 00:34:55.991: L2TP 0003F:08233:00003C39: Bearer set to none
Feb 9 00:34:55.991: L2TP 0003F:08233:00003C39:
Feb 9 00:34:55.991: L2TP 0003F:08233:00003C39: APP->L2TP: Session updated ,
Feb 9 00:34:55.991: L2TP 0003F:08233:00003C39: sock 00001238
Feb 9 00:34:55.991: L2TP 0003F:08233:00003C39: serv 00008235
Feb 9 00:34:55.991: L2TP 0003F:08233:00003C39: data 3FCF0AA4
Feb 9 00:34:55.991: L2TP 0003F:08233:00003C39: replied on same socket
VL-ROUTER-CISCO#
Feb 9 00:34:55.991: L2TP 0003F:08233:00003C39:
Feb 9 00:34:55.991: L2TP 0003F:08233:00003C39: App type set to VPDN
Feb 9 00:34:55.995: L2TP 0003F:08233:00003C39: Sequencing default tx disabled
Feb 9 00:34:55.995: L2TP 0003F:08233:00003C39: Sequencing default rx disabled
Feb 9 00:34:55.995: L2TP 0003F:08233:00003C39: Framing set to sync
Feb 9 00:34:55.995: L2TP 0003F:08233:00003C39: Bearer set to none
VL-ROUTER-CISCO#

Config:

version 15.4
!
aaa new-model
!
aaa authentication login default local
aaa authentication ppp VPDN_AUTH local
aaa authorization exec default local
aaa authorization network default local
!
aaa session-id common
clock timezone VLAT 10 0
!
no ip source-route
!
vpdn enable
!
vpdn-group L2TP
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
username cisco password 7 cisco
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0
!
crypto ipsec transform-set L2TP-Set2 esp-3des esp-sha-hmac
 mode transport
!
crypto dynamic-map dyn-map 10
 set nat demux
 set transform-set L2TP-Set2
!
crypto map outside_map 65535 ipsec-isakmp dynamic dyn-map
!
interface GigabitEthernet0/1
 description PrimaryWAN
 ip address ISR_IP
 ip access-group firewall_in in
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map outside_map
!
interface Virtual-Template1
 ip address 172.16.29.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 peer default ip address pool l2tp-pool
 ppp authentication ms-chap-v2 VPDN_AUTH
 ppp ipcp dns 172.16.22.203
!
ip local pool l2tp-pool 172.16.29.10 172.16.29.50

Looking for asr1000rp2 firmware

Looking for asr1000rp2-adventerprisek9.03.07.00.S.152-4.S.bin. Can anyone post a download link?

VPN ASA5505 (dynamic IP) to ASA5510 (static IP)

Good day, colleagues! So here is the problem I ran into. There is a Cisco ASA5510 (8.2(5)) in the central office with a static public IP. Now I need to configure an ASA5505 (8.3(1)) that will have a dynamic IP (and not necessarily a public one, but right now I am testing on a public one). The problem: the VPN comes up, but traffic only passes toward the static IP. My settings are as follows:

ASA5505

object-group network REMOTE-NET
 network-object 192.168.140.0 255.255.254.0
 network-object host 192.168.150.2
object-group network LOCAL-NET
 network-object 192.168.122.0 255.255.255.0
access-list ACL extended permit ip object-group LOCAL-NET object-group REMOTE-NET
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map OUTSIDE_map 1 match address ACL
crypto map OUTSIDE_map 1 set peer 188.X.X.X
crypto map OUTSIDE_map 1 set transform-set ESP-AES-256-SHA
crypto map OUTSIDE_map 1 set nat-t-disable
crypto map OUTSIDE_map 1 set phase1-mode aggressive
crypto map OUTSIDE_map 1 set reverse-route
crypto map OUTSIDE_map interface OUTSIDE
crypto isakmp identity key-id ASA5505
crypto isakmp enable OUTSIDE
crypto isakmp policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group 188.X.X.X type ipsec-l2l
tunnel-group 188.X.X.X ipsec-attributes
 pre-shared-key *****

ASA5510

object-group network DM_INLINE_NETWORK_11
 network-object 192.168.140.0 255.255.254.0
 network-object host 192.168.150.2
access-list outside_cryptomap_5 extended permit ip object-group DM_INLINE_NETWORK_11 192.168.122.0 255.255.255.0
crypto dynamic-map ASA5505 9 match address outside_cryptomap_5
crypto dynamic-map ASA5505 9 set transform-set ESP-AES-256-SHA
crypto map CryptoMap 9 ipsec-isakmp dynamic ASA5505
crypto map CryptoMap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group ASA5505 type ipsec-l2l
tunnel-group ASA5505 ipsec-attributes
 pre-shared-key *****

Important: there is no NAT on either box! That is not the cause.

Packet traces:

ASA5505# packet-tracer input iNSIDE icmp 192.168.122.10 1 1 192.168.150.2

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.150.2 255.255.255.255 OUTSIDE

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outbound in interface INSIDE
access-list outbound extended permit icmp any any
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1307, packet dispatched to next module

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: allow

ASA5510# packet-tracer input inside icmp 192.168.150.2 10 10 192.168.122.10

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.122.0 255.255.255.0 outside

Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Log on the 5510 when pinging from the central office (the 5505 is silent at that moment):

# sh logging asdm | in 192.168.122
3|Feb 10 2016 11:40:09|713042: IKE Initiator unable to find policy: Intf inside, Src: 192.168.150.2, Dst: 192.168.122.10
3|Feb 10 2016 11:40:11|713042: IKE Initiator unable to find policy: Intf inside, Src: 192.168.150.2, Dst: 192.168.122.10

I also tried main mode on the 5505 and tunnel-group DefaultL2LGroup; the problem is exactly the same. Does anyone know what else could be poked at and where to twiddle?

SW3560 is sick

Hi all! There is a WS-C3560-48TS switch (c3560-advipservicesk9-mz.122-46.SE). And it happens that if you touch a patch cord plugged into it, the switch reboots. I inherited this setup. There are a lot of patch cords. Everything is tangled up so badly that sometimes it is hard to trace them. I am gradually putting things in order, but there is no way to just pull everything out (disconnect it) and reassemble it properly. I would like to hear whether this can happen at all. Maybe someone has run into it. This is the first time I have seen such behavior from the hardware. What could cause such a reaction?! Was something crimped badly somewhere?! Even if so, how do I find out which one is the culprit?! If nothing is touched, it does not reboot.

Recalculate to CIDR

Good day to all! Maybe someone can help: there is a file with ranges of public addresses of the form

2.60.0.0-2.63.255.255
2.92.0.0-2.95.255.255
5.1.48.0-5.1.55.255
5.2.32.0-5.2.63.255
5.3.0.0-5.3.255.255
5.8.0.0-5.8.31.255
5.8.36.0-5.8.39.255

I need to load these ranges as subnets with prefixes, 2.60.0.0/14, 2.92.0.0/14 and so on. Is it possible to recalculate to CIDR, say with Excel, or is there some other software to do it for the whole file?
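One way to do the conversion for a whole file, as an added example that is not part of the original post: Python's standard ipaddress module has summarize_address_range(), which turns an arbitrary inclusive first-last range into the minimal set of CIDR blocks that cover it exactly. The sample input below is constructed from the ranges in the post plus one extra range (5.8.36.0-5.8.43.255) that is not aligned to a single prefix, to show that such ranges legitimately come back as more than one block; the function names and the file name ranges.txt are assumptions, not anything from the post.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample input: the ranges from the post, plus one range
# (5.8.36.0-5.8.43.255) that cannot be expressed as a single prefix.
SAMPLE_RANGES = """\
2.60.0.0-2.63.255.255
2.92.0.0-2.95.255.255
5.1.48.0-5.1.55.255
5.2.32.0-5.2.63.255
5.3.0.0-5.3.255.255
5.8.0.0-5.8.31.255
5.8.36.0-5.8.39.255
5.8.36.0-5.8.43.255
"""


def range_to_cidrs(line: str) -> list:
    """Convert one 'first-last' line into the minimal list of CIDR networks.

    summarize_address_range() yields the fewest prefixes covering the
    inclusive range exactly. A range aligned to a power-of-two block
    (2.60.0.0-2.63.255.255) becomes one prefix (2.60.0.0/14); an
    unaligned range (5.8.36.0-5.8.43.255) becomes several (/22 + /22).
    """
    first_s, last_s = (part.strip() for part in line.split("-", 1))
    first = ipaddress.ip_address(first_s)
    last = ipaddress.ip_address(last_s)
    if last < first:
        # A reversed range is almost always a typo in the source file;
        # refuse it rather than silently emitting nothing.
        raise ValueError(f"range end precedes start: {line!r}")
    return list(ipaddress.summarize_address_range(first, last))


def convert_ranges(lines: Iterable[str]) -> List[str]:
    """Convert every non-empty, non-comment line; one prefix per output entry."""
    out: List[str] = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        out.extend(str(net) for net in range_to_cidrs(line))
    return out


if __name__ == "__main__":
    # For a real file (assumed name): convert_ranges(open("ranges.txt"))
    for cidr in convert_ranges(SAMPLE_RANGES.splitlines()):
        print(cidr)
```

The output is one prefix per line, so it can be pasted straight into a prefix-list or object-group; when a range expands to more than one block, check whether the source data was meant to be one larger aggregate before loading it.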

Question about Cisco licensing

Good day! Please explain it to a dummy. Do I understand correctly that on a 3900 with universalk9_npe it is impossible to configure any encrypted VPN at all? Neither IPsec, nor L2TP/IPsec, nor PPTP? And given the current situation in the country, is it practically unrealistic to update the license without the FSB so that universalk9 can be installed? How do I get out of this situation if a VPN server is needed on the network? Install third-party equipment such as a Mikrotik, or set up a VPN server on a PC? What is the best thing to do? P.S. By the way, a logical question came up: if the import of Cisco equipment with encryption is restricted, why is the same Mikrotik, for example, not restricted? Thanks

A small problem

A small problem. Actually I have only one idea: a static route on PC3 to PC1. Does anyone have any ideas??

ROUTER on STICK

ROUTER on STICK question: why does the speed drop between VLANs when traffic passes through the trunk???

Forwarding IPsec to internal hosts

Good day to all! The task: there are two boxes, an ASA 5512 and a Router 3945. Each has one ISP connected, with public addresses. I need to forward IPsec tunnels to two internal hosts. Specifically, for one host the tunnel will go through the ASA, for the other through the router. But the ASA already terminates IPsec tunnels itself. Question: is it possible to implement forwarding of IPsec based on the external source address (since the remote peers will connect from a strictly defined pool of external addresses)? In Linux it would look roughly like this:

iptables -t nat -A PREROUTING -s 1.1.1.1/24 -p udp -m multiport --dports 500,4500 -j DNAT --to-destination 192.168.10.15

(where 1.1.1.1/24 is the pool of addresses from which they will connect from outside, and 192.168.10.15 is the host to which traffic arriving on ports 500 and 4500 from 1.1.1.1/24 must be forwarded.)

And a second question, if I may: I do not understand at all how to implement forwarding based on the source address in Cisco. Is there such a feature?

CVE-2016-1287

Good day to all. https://blog.exodusintel.com/2016/01/26 ... l-hacking/ https://tools.cisco.com/security/center ... 10-asa-ike Has anyone patched it yet?

NETFLOW

Good evening to all Cisco experts! Please tell me how to correctly configure NetFlow statistics collection, specifically which interfaces the flow monitor needs to be attached to. Here is the part of the config dedicated to the NetFlow setup:

flow record FLOW_RECORD_FNF
 description -- Flexible NetFlow Record --
 match ipv4 version
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 collect routing source as
 collect routing destination as
 collect routing next-hop address ipv4
 collect ipv4 source mask
 collect ipv4 destination mask
 collect transport tcp flags
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
flow exporter FLOW_EXPORTER_RIVERBED
 description -- NetFlow Exporter --
 destination 1.1.1.1 vrf xxxxxxxxxxxx
 source Vlan518
 transport udp 2055
 option interface-table timeout 10
!
flow monitor FLOW_MONITOR_RIVERBED
 description -- NetFlow Monitor Ingress --
 exporter FLOW_EXPORTER_RIVERBED
 cache timeout inactive 10
 cache timeout active 5
 record FLOW_RECORD_FNF
!
interface TenGigabitEthernet1/3/1.3010
 ip flow monitor FLOW_MONITOR_RIVERBED input
 ip flow monitor FLOW_MONITOR_RIVERBED output

There is a pair of 6504s with SUP2T, each in its own office, with fiber between them. The two switches are connected to each other by 2 physical links, each split into 2 sub-interfaces. Do I understand correctly that the flow monitor only needs to be attached to each of the sub-interfaces? And is attaching it only to those sub-interfaces enough to get the full picture of how traffic flows? Both inbound and outbound traffic is needed.

FXO caller id

Good afternoon. Has anyone managed to get caller ID on FXO ports with CUCM, so as to see which number is calling? Or do only anonymous calls come through? upd. It looks like my CUCM can't do this over MGCP.

Share TCNC6.1.1 for Cisco SX20

Good afternoon! Could someone please share TCNC6.1.1 for the Cisco SX20, maybe somebody has it lying around? It is not on cisco.com.

object-group in an ACL does not work

The object-group permits only host 1.1.1.1; we put the object-group into an extended access-list, and the access-list into the wccp web-cache redirect-list. Host 3.3.3.3 is not in the object-group, yet traffic to it still gets through. A bug, or am I missing something? The IOS is listed on Cisco's site as recommended.

# sh ver
Cisco IOS XE Software, Version 03.13.04.S - Extended Support Release
Cisco IOS Software, ASR1000 Software (PPC_LINUX_IOSD-ADVENTERPRISE-M), Version 15.4(3)S4, RELEASE SOFTWARE (fc3)

# sh run
object-group network object-group-network-test
 host 1.1.1.1
!
ip access-list extended WCCP_HTTP_OBJ-G
 permit tcp host 2.2.2.2 object-group object-group-network-test eq www log-input
 deny tcp any any
!
ip wccp web-cache redirect-list WCCP_HTTP_OBJ-G
!

##SRCIP: 2.2.2.2 --> telnet 3.3.3.3 80

# sh log
000512: Feb 13 12:59:27.940 MSK: %FMANFP-6-IPACCESSLOGP: F0: fman_fp_image: list WCCP_HTTP_OBJ-G permitted tcp 2.2.2.2(51645) TenGigabitEthernet0/2/0.600-> 3.3.3.3(80), 1 packet

Port forwarding and two providers

Good day! There is a router configured in the classic two-provider scheme (ip sla, track, pbr, route-map). Both providers respond to ping from outside, i.e. both are reachable. Now I need port forwarding for each provider, so that a request to each provider's IP is answered by its own server on the internal network:

192.168.5.10 - web server 1 - provider 1
192.168.5.11 - web server 2 - provider 2

I configure the port forwarding:

ip nat inside source static tcp 192.168.5.10 80 interface GigabitEthernet0/1 80
ip nat inside source static tcp 192.168.5.11 80 interface GigabitEthernet0/2 80

A request via the first provider works, via the second it does not. As I understand it, the problem is that for a request via the second provider the reply leaves through the first one, since the first provider is the default gateway. How do I make the reply leave the right way? Config:

track 1 ip sla 1 reachability
 delay down 10 up 10
!
track 2 ip sla 2 reachability
 delay down 10 up 10
!
interface GigabitEthernet0/1
 description WAN1
 ip address WAN1_IP
 ip nat outside
 ip virtual-reassembly in
!
interface GigabitEthernet0/2
 description WAN2
 ip address WAN2_IP
 ip nat outside
 ip virtual-reassembly in
!
interface Vlan1
 description LAN
 ip address 192.168.5.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
ip local policy route-map PBR
ip nat inside source static tcp 192.168.5.10 80 interface GigabitEthernet0/1 80
ip nat inside source static tcp 192.168.5.11 80 interface GigabitEthernet0/2 80
ip nat inside source route-map WAN1 interface GigabitEthernet0/1 overload
ip nat inside source route-map WAN2 interface GigabitEthernet0/2 overload
ip route 0.0.0.0 0.0.0.0 WAN1_PROV1_GW track 1
ip route 0.0.0.0 0.0.0.0 WAN2_PROV2_GW 2 track 2
!
ip sla auto discovery
ip sla 1
 icmp-echo 8.8.8.8 source-interface GigabitEthernet0/1
 frequency 3
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 8.8.4.4 source-interface GigabitEthernet0/2
 frequency 3
ip sla schedule 2 life forever start-time now
!
ip access-list extended 100
 permit ip host WAN1_IP any
ip access-list extended 200
 permit ip host WAN2_IP any
ip access-list extended NAT
 permit ip 192.168.5.0 0.0.0.255 any
!
route-map PBR permit 10
 match ip address 100
 set ip next-hop WAN1_PROV1_GW
!
route-map PBR permit 20
 match ip address 200
 set ip next-hop WAN2_PROV2_GW
!
route-map WAN1 permit 10
 match ip address NAT
 match interface GigabitEthernet0/1
!
route-map WAN2 permit 10
 match ip address NAT
 match interface GigabitEthernet0/2
!
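As an added example (not the poster's configuration): the existing route-map PBR is applied with ip local policy and therefore only steers traffic the router itself originates, so replies from the LAN servers still follow the default route. The fragment below policy-routes replies from web server 2 out through provider 2 before NAT. WAN2_PROV2_GW and track 2 are the page's own placeholders; the ACL and route-map names are assumed.

```cisco
! Added example: policy-route replies from web server 2 towards provider 2.
! PBR on Vlan1 runs before inside->outside NAT, so the match is on the
! untranslated source 192.168.5.11:80; the static NAT entry then rewrites it
! to the GigabitEthernet0/2 address and the reply leaves the interface whose
! address it carries, instead of leaving WAN1 with WAN2's source address.
ip access-list extended SRV2-RETURN
 permit tcp host 192.168.5.11 eq 80 any
!
route-map LAN-PBR permit 10
 match ip address SRV2-RETURN
 set ip next-hop verify-availability WAN2_PROV2_GW 10 track 2
!
interface Vlan1
 ip policy route-map LAN-PBR
!
! Checks after applying:
! show ip nat translations | include 192.168.5.11
! show route-map LAN-PBR
```

If track 2 is down the route-map falls through and the reply takes the default route again, which is the same failure the post describes, so the tracked next-hop should be watched when troubleshooting.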

ipsec inside ipip

Hi all. I have run into a problem: an IPsec tunnel on top of another IPIP tunnel does not work. In more detail: I had a site-to-site tunnel between my Cisco ASA and a client (I don't know what is on their side). Everything worked fine. http://saveimg.ru/pictures/15-02-16/3eaa6c729eaa8ab7819a60b7b0f08149.png A kludge appeared in the form of another, unencrypted IPIP tunnel between my border router and a remote router (don't ask why, it is needed =-)). http://saveimg.ru/pictures/15-02-16/2da337d8ed0732cbf60f7f63387c74b3.png That is, I started forcing the tunnel to the client into the IPIP tunnel to router2. The tunnel stopped working; more precisely, it comes up and the TX counter on the ASA increases, but nothing arrives in the opposite direction, RX stays empty. I suspect MTU. What do you think?

ipip - MTU 17920 bytes, Tunnel transport MTU 1480 bytes
border internal interface - MTU 1500 bytes
border external interface - MTU 1500 bytes
ASA interface - MTU 1500
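An added diagnostic (not from the post) to test the MTU hypothesis from the border router: DF-bit pings through the IPIP tunnel at sizes on either side of the 1480-byte transport MTU show whether full-size ESP packets can cross it. 10.0.0.2 is an assumed far-end tunnel address and Tunnel0 an assumed interface name.

```cisco
! Added example: path-MTU check across the IPIP tunnel (constructed addresses).
! IPIP adds a 20-byte outer IPv4 header, so 1500 - 20 = 1480 bytes fit inside.
! An ESP packet the ASA builds for a 1500-byte link can be the full 1500 bytes
! and, with DF set, cannot be carried through the tunnel without fragmentation,
! which matches "TX grows on the ASA, RX stays at zero".
border# ping 10.0.0.2 size 1480 df-bit repeat 5
border# ping 10.0.0.2 size 1481 df-bit repeat 5
! Success at 1480 and failure at 1481 confirm the 20-byte penalty on the path.
! Count MTU-related drops on the tunnel and the fragmentation counters:
border# show interfaces Tunnel0 | include MTU|drops
border# show ip traffic | include frag
```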

control-plane acl

Can anybody point me to an article, a manual, or briefly explain how an ACL works when applied with control-plane? I have never used it and am trying to understand what it will affect. I ask in connection with the latest ASA bug; installing the interim update is somewhat scary, so I am thinking of going with the control-plane ACL option instead.
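As an added illustration (not from the post): an ASA control-plane ACL filters only traffic addressed to the ASA itself (to-the-box), not traffic passing through it, so it can restrict who may talk IKE to the box at all. The peer address 203.0.113.10 and the ACL name are assumed.

```cisco
! Added example: ASA control-plane ACL that lets IKE (UDP 500/4500) reach the
! box only from one known peer. "interface outside" as the destination matches
! the ASA's own outside address; 203.0.113.10 is a constructed peer address.
access-list OUTSIDE-TO-BOX extended permit udp host 203.0.113.10 interface outside eq isakmp
access-list OUTSIDE-TO-BOX extended permit udp host 203.0.113.10 interface outside eq 4500
access-list OUTSIDE-TO-BOX extended deny udp any interface outside eq isakmp
access-list OUTSIDE-TO-BOX extended deny udp any interface outside eq 4500
! Leave other to-the-box traffic (management sessions, ICMP, etc.) as it was;
! without this line the ACL's implicit deny would block it.
access-list OUTSIDE-TO-BOX extended permit ip any any
! The control-plane keyword binds the ACL to traffic destined to the ASA only;
! through-traffic is still governed by the normal interface access-group.
access-group OUTSIDE-TO-BOX in interface outside control-plane
! Verify with hit counts after applying:
! show access-list OUTSIDE-TO-BOX
```

Peers that connect from changing addresses (remote-access clients) cannot be pinned this way, so the approach suits site-to-site peers with fixed addresses, like the fixed pool mentioned in the first post on this page.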

Cisco 2911 Ipsec Site-to-Site troubles

Good day. Please point me in the right direction, I have been racking my brains. The setup: a Cisco 2911 with IOS 15 as the border router towards the provider. NAT is configured; the physical interface towards the provider has no internet access, but loopbacks are configured with real addresses that do. The task came up to configure IPsec. I have no access to the other side, but I have the connection parameters. I configured a crypto map and set the source to the loopback from which the tunnel should be initiated. But no magic happens. The loopback from which the connection should be established has several addresses: both the one that initiates and the one that should go into the tunnel. The primary is the one that should go into the tunnel. Does it matter which IP on the interface is primary and which is secondary? Or should I use a route-map? I have been struggling for a week. Moreover, in GNS3 it all works, but here... Thanks.