
OG post in /r/networking, but given my problem may have an obvious solution, or obviously no solution, I thought I would post here too.

Here is my ideal wire configuration

Bad idea in the real world. I know. But this is for my company's mock lab for new equipment we ship out to customers. Our mock team emulates what the client would see once we ship the servers and does some pre-updating and quality assurance. We have a 10.1.1.0 /24 standard for nearly all of our commercial deployments and our servers all have the same 10.1.1.1 through .150 addresses and .254 gateway. We also have some government clients that have other standards using public addressing.

We currently use about 10 ASA 5505s to segregate these 10.1.1.0/24 VLANs and other VLAN subnets, but I want us to move to a rack with, if possible, one 5520 or one 5506-X. Our QA/installation team abuses these firewalls and they die randomly, or find their way into trashcans [not kidding]. Not to mention that we have to get into each firewall remotely to do configuration changes for sites that have a different standard.

I'd like to centralize one rack, trunk three 3750 access switches to one distro switch, and trunk that to the firewall, which would be running sub-interfaces. CAT5e would be conduited from the access switches to each of the tables [each table representing a different client mockup station VLAN]. In the diagram there are only two stations per table but in reality there could be as many as 15-20 datapoints and servers per site. Of course the central problem would be overlap on these 10.1.1.0/24 networks that are being mocked simultaneously.

I've read multiple context firewalling could do this when applied to subinterfaces on an ASA -- multiple say, 10.1.1.254 255.255.255.0 IPs on multiple subinterfaces -- but I have not been able to test it out and the 5520 we have has just a base license offering 2 context instances. I'd like to have at least 4. I'm sure there is a new hardware solution but I'm just the network pipes guy and the higher ups won't want to give us any better equipment when we have literally hundreds of ASA 5505s lying around. I also have a few 5506-Xs but those don't offer Multiple Context firewalling.

Does anyone have any ideas? I am at wits' end with these 5505s.


I've looked through what documentation I could find and I suspect that the answer is no, but I thought I'd ask just to see if anyone knows of anything.

I'd like to be able to log into the CLI using AAA, like the way that you can SSH into an ASA using an active directory account. Is that possible?


I seem to be getting stuck on getting L3 routing on the 3750G switch.

My network layout is like this.

EdgeRouter > Cisco 3750G > ESXi VMs

I have a network setup for my VMs, which is VLAN30. If I'm transferring files to my NAS (Vlan1) from VLAN30, I get around 30-40MB/s. If I transfer files to the NAS from VLAN1, I get full speed.

Here is my sanitized running config

Current IOS version

System image file is "flash:/c3750-ipservicesk9-mz.150-2.SE8/c3750-ipservicesk9-mz.150-2.SE8.bin"

Building configuration...

Current configuration : 5678 bytes
!
! Last configuration change at 00:46:41 UTC Sat Mar 13 1993
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service unsupported-transceiver
!
hostname Skynet
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
clock timezone UTC -8 0
switch 1 provision ws-c3750g-24ts-1u
system mtu routing 1500
ip routing
!
!
!
!
!
!
!
        quit
!
!
!
!
!
no errdisable detect cause gbic-invalid
errdisable recovery cause gbic-invalid
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Port-channel2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/3
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/4
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/5
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/6
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/7
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/8
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/9
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/10
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/11
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/12
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/13
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/14
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/15
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/16
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/17
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/18
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/19
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/20
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/21
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 2 mode active
!
interface GigabitEthernet1/0/22
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 2 mode active
!
interface GigabitEthernet1/0/23
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/25
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/26
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/27
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/28
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan1
 ip address 10.0.0.11 255.255.255.0
!
interface Vlan10
 ip address 192.168.10.30 255.255.255.0
!
interface Vlan20
 ip address 172.16.20.30 255.255.255.0
!
interface Vlan30
 ip address 172.16.30.30 255.255.255.0
!
interface Vlan40
 ip address 172.16.40.30 255.255.255.0
!
ip default-gateway 10.0.0.1
ip http server
ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!
!
!
!
line con 0
line vty 0 4
 login
line vty 5 15
 login
!
end

I got certified as an entry networking technician at the end of 2015. My certification is about to expire in September and I’m trying to determine which specialization I can work towards that’s the least challenging rather than just re-certifying as a CCENT. I would just press my nose to the grindstone and go for what I actually want, either R&S or CCDA. However, I’m working full time as an Analyst and recently became a father. I just can’t put in more than 10 hours a week into study and labs.

Just to be clear: I know none of them are “easy”, but I’m going to go out on a limb here and guess that CCNA Wireless is less time intensive than CCNA Security. If I’m wrong I’m wrong, but I’m wondering if anyone else here has run into a similar predicament. Any advice on how to attack it is appreciated.


I'm using Cisco Jabber 11.8.1 for Mac and recently my Answer window on my computer stopped popping up on my screen. The window I'm talking about looked similar to this but I also had a Decline option.

I normally would take calls from my computer as I have a USB headset plugged in, this makes it easier if I'm watching/listening to something and I have to take a call. I've checked every setting I can think of to make sure calls are being routed through my computer, and I'm still able to make outgoing calls through my headset just fine, I just can't answer them on my computer.

I've checked all of my windows/desktops and it's not being hidden either. I tested this by hiding all of my applications, including Jabber. When I called my desk phone from my cell phone, Jabber popped back up but no Answer window. I can hear the incoming call sound through my headset as well. I have searched online for this problem and am not finding other people with a similar problem.


While studying for the ICND1, I was getting tripped up over what exactly Inside/Outside Global/Local IPs were and had a bit of trouble finding someone to explain it clearly. To help people in the future, I made a video in my series called The Wilson Minute in which I explain the differences between Inside Local, Outside Local, Inside Global, and Outside Global IP addresses. The Wilson Minute is a video series I've been working on in which I go over a concept or walk viewers through a tutorial in 60 seconds or less. If you have any suggestions for me or would like to make a recommendation on future videos, I'd love to hear it.

Here is the video:

NAT: Inside/Outside Local/Global IP Addresses (The Wilson Minute)


I need to copy an image from USB to a SUP2T but the USB port appears to be disabled. Does anyone know how to enable it?


I have a client who has a couple of SIP phones. When they are connecting to the server, they are supposed to use a random port (outgoing), but they all use port 5060. Therefore only 1 of the 3 phones is working.

The configuration is more or less identical to another location (same customer). The phone provider has assured us the configuration is correct and identical to the other location. Firewall is an ASA 5506x.

We have allowed voip-network to any


I have configured a port as a trunk, and when I execute "sh ip int br" all I get is "IP Interface Status for VRF "default"(1)" and the IP addresses of the vlan virtual interfaces. I don't get normal ethernet#/# information like any other switch I've ever used. Even my other Nexus 3000 doesn't behave in this manner, and using beyond compare on the two configs I barely see any differences. When I run "sh ip interface ethernet1/48" or any other port I just get the message "ip is disabled on ethernet1/48" or whatever interface I try to directly look at.

Everything I've found online just says to apply "switchport mode trunk" and configure that port to enable IP, and that is exactly how my port is configured, but no worky. Kind of losing my marbles on this one.

More info that might be relevant:

3064T model number

Software version 6.0(2)U6(6)

The other connected switch has up/up on its interface

I see stuff from each other's devices in the MAC address table

RESOLVED: Looks like I had a bad port on the switch that was connecting to the Nexus. Even though it was showing Up/Up, data wouldn't transfer until I created a new trunk port. Guess I was getting "ip is disabled...." because I was using the wrong command on the Nexus 3000. Thanks for the help everyone.


We have a really weird issue with a couple of C240 M5 servers with SAS HBAs. We are booting a CentOS 7.4 (OnApp Cloudboot) kernel and when the system COLD boots, the kernel finds the controller and all of the SAS drives attached. However after a very short period of time the server reboots (we are trying to figure out what is causing the warm boot), but when the system warm reboots, the Linux kernel no longer sees the HBA. Cold boot the server and it's fine again, until the next warm boot.

We opened a TAC case thinking maybe a BAD controller. Swapped the controller, same thing. We have an IDENTICAL server and it's having the SAME issue. So safe to assume that whatever the OS or userland startup is doing, the controller is having no part of it.

Using latest recommended HUU firmware, and Cisco's recommended driver for RHEL 7.3 (mpt3sas 23.0.0)

Just very strange as I've never seen a card do this before; ie: work cold but just stop showing up. (unless it was defective hardware).

Running out of ideas... Only thing left to try is warm booting into another OS (FreeBSD) live and see if it finds the controller and all the drives when Linux kernel no longer can.

Anyone run into this before?


Has anyone had any success on deploying Cisco FTDv 6.2.3-83 on ESXi 6.7? I can get the appliance to register in FMCv but it will not show any active interfaces. I have read over all the install documentation, however nowhere does it state that Virtual Distributed Switches are supported. What am I missing?


I'm redoing some of my switches since they weren't configured by me and I question some of the config.

As far as trunk ports, should I be carrying all 12-15 of my vlans on the trunk ports or just specific ones? I question this because I'm interested in how trunk ports work. For example, my server vlan (10) if I just configure my trunk port for that vlan switchport trunk allowed vlan 10 I can still ping any server behind that trunk port even though my laptop is on vlan 150.

Is the concept just to pass only the vlans that you want to use on the other side? Like I would only do 10, if I wanted to give all vm's my vlan 10 server defined network.

Also, should I be defining a switchport trunk native vlan on all my trunks? Most of em are set already to our management vlan


I am slowly rolling my internal users off the android platform and I ran across an instance of one of my users having multiple lines on the DX80 platform. I went through my Phone Templates and I realized I don't have a DX80 multiline template. I went to go and make one, but I've come to realize that it appears like when you change the type to DX80 TelePresence, you seem to only be able to configure a single line. Does the DX80 running on ce only support 1 line currently?


I work at a large institution and we have been in the process of merging together services. Part of that was one of our departments shutting down their DNS/DHCP and handing off to the central service. Around that time, we also built a new VPN profile for them. The new profile is pretty much identical to a few others aside from the IP Pool it uses. The ASAs are 5516-X appliances in a load balancing pair (providing VPN service only).

We are noticing among many, but not all, users of that profile that they cannot do DNS while connected to the tunnel. I've traced this down to: When the physical NIC gets a DHCP lease from NS1, AnyConnect will create a static route pointing communications to that server outside the tunnel (so you can renew your lease, presumably). My understanding is that somewhere deep down, there's also a filter to go with that, only allowing DHCP traffic down that route. At my institution, DNS and DHCP are both normally provided by the two servers NS1 and NS2. In the DNS server list, NS1 is first, then NS2. Doing an NSLOOKUP works fine with the other server.

So far, it feels fairly consistent that if you have NS1 as your DHCP server, you won't be able to do DNS to NS1 via the tunnel. Even if you could, presumably it would be sent via the unsecured path. I have seen those users now also fail on other profiles.

What is odd to me, is that this should affect like half of all users that connect to the VPN from on campus (there are profiles on there that would be necessary for privileged access).

Is DHCP/DNS on the same host less common than I thought? Have others run into this? Did I possibly miss something dumb? I do have a TAC case now, but it's in the early stages and I'm curious what others have run into.


We have a Cisco WLC 8.2.166 with 4 WLANs and 4 AP groups. This morning we started receiving errors in the logs and users are not able to connect due to an authentication problem. I will include some sample errors below. The solutions I have seen from looking in Cisco's forums mostly relate to altering some settings under Advanced EAP for the timeout. This did not make a difference for our issue. Any help is most appreciated!

*Dot1x_NW_MsgTask_0: Jun 20 06:24:42.972: %DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:449 Invalid replay counter from client 9c:4e:36:cf:e1:68 - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 01
*Dot1x_NW_MsgTask_7: Jun 20 06:24:22.883: %LOG-3-Q_IND: 1x_eapkey.c:449 Invalid replay counter from client 9c:4e:36:cf:e1:68 - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 01
*Dot1x_NW_MsgTask_0: Jun 20 06:24:20.198: %DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:449 Invalid replay counter from client 9c:4e:36:cf:e1:68 - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 01
*apfMsConnTask_7: Jun 20 06:24:19.861: %LOG-3-Q_IND: 1x_eapkey.c:449 Invalid replay counter from client 9c:4e:36:cf:e1:68 - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 01
*Dot1x_NW_MsgTask_0: Jun 20 06:24:18.294: %DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:449 Invalid replay counter from client 9c:4e:36:cf:e1:68 - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 01
*Dot1x_NW_MsgTask_0: Jun 20 06:23:45.529: %DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:449 Invalid replay counter from client 9c:4e:36:cf:e1:68 - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 01
*Dot1x_NW_MsgTask_7: Jun 20 06:22:34.038: %DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:449 Invalid replay counter from client 34:e6:ad:f8:ce:6f - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 01
*Dot1x_NW_MsgTask_0: Jun 20 06:22:27.588: %DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:449 Invalid replay counter from client 9c:4e:36:cf:e1:68 - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 01
*apfMsConnTask_7: Jun 20 06:21:35.527: %LOG-3-Q_IND: 1x_eapkey.c:2532 Received EAPOL-key message while in invalid state (4) - version 1, type 3, descriptor 2, client 34:e6:ad:f8:ce:6f
*Dot1x_NW_MsgTask_7: Jun 20 06:21:29.716: %DOT1X-3-INVALID_WPA_KEY_STATE: 1x_eapkey.c:2532 Received EAPOL-key message while in invalid state (4) - version 1, type 3, descriptor 2, client 34:e6:ad:f8:ce:6f
*apfReceiveTask: Jun 20 06:21:29.461: %LOG-3-Q_IND: 1x_eapkey.c:2532 Received EAPOL-key message while in invalid state (4) - version 1, type 3, descriptor 2, client 34:e6:ad:f8:ce:6f[...It occurred 2 times.!]
*Dot1x_NW_MsgTask_7: Jun 20 06:21:29.321: %DOT1X-3-INVALID_WPA_KEY_STATE: 1x_eapkey.c:2532 Received EAPOL-key message while in invalid state (4) - version 1, type 3, descriptor 2, client 34:e6:ad:f8:ce:6f
*apfMsConnTask_7: Jun 20 06:21:02.951: %LOG-3-Q_IND: 1x_eapkey.c:2532 Received EAPOL-key message while in invalid state (4) - version 1, type 3, descriptor 2, client 9c:4e:36:cf:e1:68
*Dot1x_NW_MsgTask_0: Jun 20 06:21:02.002: %DOT1X-3-INVALID_WPA_KEY_STATE: 1x_eapkey.c:2532 Received EAPOL-key message while in invalid state (4) - version 1, type 3, descriptor 2, client 9c:4e:36:cf:e1:68
*Dot1x_NW_MsgTask_0: Jun 20 06:20:42.233: %DOT1X-3-INVALID_WPA_KEY_STATE: 1x_eapkey.c:2532 Received EAPOL-key message while in invalid state (4) - version 1, type 3, descriptor 2, client 9c:4e:36:cf:e1:68
*Dot1x_NW_MsgTask_7: Jun 20 06:20:20.160: %DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:449 Invalid replay counter from client 34:e6:ad:f8:ce:6f - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 01
*Dot1x_NW_MsgTask_6: Jun 20 06:19:23.632: %LOG-3-Q_IND: 1x_eapkey.c:2532 Received EAPOL-key message while in invalid state (4) - version 1, type 3, descriptor 2, client 9c:4e:36:cf:e1:68
*Dot1x_NW_MsgTask_0: Jun 20 06:19:22.930: %DOT1X-3-INVALID_WPA_KEY_STATE: 1x_eapkey.c:2532 Received EAPOL-key message while in invalid state (4) - version 1, type 3, descriptor 2, client 9c:4e:36:cf:e1:68
*Dot1x_NW_MsgTask_7: Jun 20 06:19:21.800: %LOG-3-Q_IND: 1x_eapkey.c:449 Invalid replay counter from client 9c:4e:36:cf:e1:68 - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 01
*Dot1x_NW_MsgTask_0: Jun 20 06:19:18.984: %DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:449 Invalid replay counter from client 9c:4e:36:cf:e1:68 - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 01
*Dot1x_NW_MsgTask_0: Jun 20 06:18:53.112: %DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:449 Invalid replay counter from client f4:8c:50:26:fc:c8 - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 01
*Dot1x_NW_MsgTask_0: Jun 20 06:18:09.181: %DOT1X-3-INVALID_WPA_KEY_STATE: 1x_eapkey.c:2532 Received EAPOL-key message while in invalid state (4) - version 1, type 3, descriptor 2, client 9c:4e:36:cf:e1:68
*Dot1x_NW_MsgTask_0: Jun 20 06:17:14.433: %DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:449 Invalid replay counter from client 9c:4e:36:cf:e1:68 - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 01
*apfMsConnTask_7: Jun 20 06:16:02.231: %LOG-3-Q_IND: 1x_eapkey.c:449 Invalid replay counter from client 34:e6:ad:f8:ce:6f - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 01
*Dot1x_NW_MsgTask_7: Jun 20 06:16:01.548: %DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:449 Invalid replay counter from client 34:e6:ad:f8:ce:6f - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 01
*Dot1x_NW_MsgTask_7: Jun 20 06:16:01.345: %DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:449 Invalid replay counter from client 34:e6:ad:f8:ce:6f - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 01
*Dot1x_NW_MsgTask_7: Jun 20 06:15:55.628: %DOT1X-3-INVALID_WPA_KEY_STATE: 1x_eapkey.c:2532 Received EAPOL-key message while in invalid state (4) - version 1, type 3, descriptor 2, client 34:e6:ad:f8:ce:6f
*Dot1x_NW_MsgTask_0: Jun 20 06:15:15.317: %DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:449 Invalid replay counter from client 9c:4e:36:cf:e1:68 - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 01
*Dot1x_NW_MsgTask_6: Jun 20 06:14:17.185: %LOG-3-Q_IND: 1x_eapkey.c:449 Invalid replay counter from client 9c:4e:36:cf:e1:68 - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 01
*Dot1x_NW_MsgTask_0: Jun 20 06:14:14.116: %DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:449 Invalid replay counter from client 9c:4e:36:cf:e1:68 - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 01
*apfReceiveTask: Jun 20 06:13:44.407: %LOG-3-Q_IND: 1x_eapkey.c:449 Invalid replay counter from client 9c:4e:36:cf:e1:68 - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 01
*Dot1x_NW_MsgTask_0: Jun 20 06:13:41.253: %DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:449 Invalid replay counter from client 9c:4e:36:cf:e1:68 - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 01
*Dot1x_NW_MsgTask_7: Jun 20 06:13:41.233: %DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:449 Invalid replay counter from client 34:e6:ad:f8:ce:6f - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 01
*Dot1x_NW_MsgTask_6: Jun 20 06:13:26.423: %LOG-3-Q_IND: 1x_eapkey.c:449 Invalid replay counter from client 34:e6:ad:f8:ce:6f - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 01
*Dot1x_NW_MsgTask_7: Jun 20 06:13:21.351: %DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:449 Invalid replay counter from client 34:e6:ad:f8:ce:6f - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 01
*Dot1x_NW_MsgTask_7: Jun 20 06:13:21.351: %LOG-3-Q_IND: 1x_eapkey.c:449 Invalid replay counter from client 9c:4e:36:cf:e1:68 - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 01[...It occurred 2 times.!]
*Dot1x_NW_MsgTask_0: Jun 20 06:13:12.966: %DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:449 Invalid replay counter from client 9c:4e:36:cf:e1:68 - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 01
*apfReceiveTask: Jun 20 06:12:58.651: %LOG-3-Q_IND: 1x_eapkey.c:449 Invalid replay counter from client 9c:4e:36:cf:e1:68 - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 01
*Dot1x_NW_MsgTask_0: Jun 20 06:12:57.028: %DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:449 Invalid replay counter from client 9c:4e:36:cf:e1:68 - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 01
*apfReceiveTask: Jun 20 06:12:28.267: %LOG-3-Q_IND: 1x_eapkey.c:449 Invalid replay counter from client 9c:4e:36:cf:e1:68 - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 01
*Dot1x_NW_MsgTask_0: Jun 20 06:12:26.465: %DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:449 Invalid replay counter from client 9c:4e:36:cf:e1:68 - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 01
*Dot1x_NW_MsgTask_7: Jun 20 06:11:37.765: %DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:449 Invalid replay counter from client 34:e6:ad:f8:ce:6f - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 01
*Dot1x_NW_MsgTask_7: Jun 20 06:10:56.400: %DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:449 Invalid replay counter from client 34:e6:ad:f8:ce:6f - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 01
*Dot1x_NW_MsgTask_7: Jun 20 06:10:34.501: %DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:449 Invalid replay counter from client 34:e6:ad:f8:ce:6f - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 01
*Dot1x_NW_MsgTask_7: Jun 20 06:09:09.914: %DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:449 Invalid replay counter from client 34:e6:ad:f8:ce:6f - got 00 00 00 00 00 00 00 01, expected 00 00 00 00 00 00 00 00
*dtlArpTask: Jun 20 06:09:08.401: %LOG-3-Q_IND: 1x_eapkey.c:449 Invalid replay counter from client 9c:4e:36:cf:e1:68 - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 01[...It occurred 2 times.!]
*Dot1x_NW_MsgTask_0: Jun 20 06:09:06.900: %DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:449 Invalid replay counter from client 9c:4e:36:cf:e1:68 - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 01
*Dot1x_NW_MsgTask_6: Jun 20 06:08:54.668: %LOG-3-Q_IND: 1x_eapkey.c:2532 Received EAPOL-key message while in invalid state (4) - version 1, type 3, descriptor 2, client 34:e6:ad:f8:ce:6f
*Dot1x_NW_MsgTask_7: Jun 20 06:08:51.366: %DOT1X-3-INVALID_WPA_KEY_STATE: 1x_eapkey.c:2532 Received EAPOL-key message while in invalid state (4) - version 1, type 3, descriptor 2, client 34:e6:ad:f8:ce:6f
*Dot1x_NW_MsgTask_7: Jun 20 06:08:51.366: %LOG-3-Q_IND: 1x_eapkey.c:449 Invalid replay counter from client 34:e6:ad:f8:ce:6f - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 01
*Dot1x_NW_MsgTask_7: Jun 20 06:08:51.361: %DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:449 Invalid replay counter from client 34:e6:ad:f8:ce:6f - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 01
*Dot1x_NW_MsgTask_0: Jun 20 06:08:13.785: %DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:449 Invalid replay counter from client 9c:4e:36:cf:e1:68 - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 01
*Dot1x_NW_MsgTask_0: Jun 20 06:07:51.452: %DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:449 Invalid replay counter from client 9c:4e:36:cf:e1:68 - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 01
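When a WLC starts logging INVALID_REPLAY_CTR and INVALID_WPA_KEY_STATE like this, the first triage question is whether it is a few clients or everyone. The script below is an added example, not the poster's tooling; it parses these log lines per client MAC (including the "[...It occurred N times.!]" repeat suffix) so you can see which clients dominate and which way the replay counter is off. SAMPLE_LOG is a constructed handful of lines modelled on the post's output.

```python
"""Per-client triage of Cisco WLC dot1x / EAPOL-key log lines.

Added example; SAMPLE_LOG is constructed from the shape of the post's
output, not the poster's complete log.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^\*(?P<task>\S+): (?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d\.\d{3}): "
    r"%(?P<msg>[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<src>1x_eapkey\.c:\d+) "
    r"(?P<body>.*?)(?:\[\.\.\.It occurred (?P<n>\d+) times\.!\])?$"
)
MAC_RE = re.compile(r"client ([0-9a-f]{2}(?::[0-9a-f]{2}){5})")
CTR_RE = re.compile(
    r"got ((?:[0-9a-f]{2} ?){8}), expected ((?:[0-9a-f]{2} ?){8})")

# Event kind is keyed on the source line the controller names, because the
# %LOG-3-Q_IND entries carry the same body as the %DOT1X ones.
KIND_BY_SRC = {"1x_eapkey.c:449": "replay_ctr",
               "1x_eapkey.c:2532": "invalid_state"}

SAMPLE_LOG = """\
*Dot1x_NW_MsgTask_0: Jun 20 06:24:42.972: %DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:449 Invalid replay counter from client 9c:4e:36:cf:e1:68 - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 01
*Dot1x_NW_MsgTask_7: Jun 20 06:24:22.883: %LOG-3-Q_IND: 1x_eapkey.c:449 Invalid replay counter from client 9c:4e:36:cf:e1:68 - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 01
*Dot1x_NW_MsgTask_7: Jun 20 06:21:29.716: %DOT1X-3-INVALID_WPA_KEY_STATE: 1x_eapkey.c:2532 Received EAPOL-key message while in invalid state (4) - version 1, type 3, descriptor 2, client 34:e6:ad:f8:ce:6f
*apfReceiveTask: Jun 20 06:21:29.461: %LOG-3-Q_IND: 1x_eapkey.c:2532 Received EAPOL-key message while in invalid state (4) - version 1, type 3, descriptor 2, client 34:e6:ad:f8:ce:6f[...It occurred 2 times.!]
*Dot1x_NW_MsgTask_7: Jun 20 06:09:09.914: %DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:449 Invalid replay counter from client 34:e6:ad:f8:ce:6f - got 00 00 00 00 00 00 00 01, expected 00 00 00 00 00 00 00 00
*Dot1x_NW_MsgTask_0: Jun 20 06:18:53.112: %DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:449 Invalid replay counter from client f4:8c:50:26:fc:c8 - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 01
"""


def parse_counter(text):
    """'00 00 00 00 00 00 00 01' -> 1 (8-byte EAPOL-Key replay counter)."""
    return int(text.replace(" ", ""), 16)


def parse_line(line):
    """Return an event dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    mac = MAC_RE.search(m["body"])
    if not mac:
        return None
    event = {
        "task": m["task"],
        "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S.%f"),  # year-less
        "mnemonic": m["msg"],
        "src": m["src"],
        "mac": mac.group(1),
        "count": int(m["n"]) if m["n"] else 1,   # honour the repeat suffix
        "counters": None,
    }
    ctr = CTR_RE.search(m["body"])
    if ctr:
        event["counters"] = (parse_counter(ctr.group(1)),
                             parse_counter(ctr.group(2)))
    return event


def summarize(text):
    """Per-MAC counts by event kind, (got, expected) counter pairs, time span."""
    summary = defaultdict(lambda: {"replay_ctr": 0, "invalid_state": 0,
                                   "other": 0, "counters": set(),
                                   "first": None, "last": None})
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        s = summary[ev["mac"]]
        s[KIND_BY_SRC.get(ev["src"], "other")] += ev["count"]
        if ev["counters"]:
            s["counters"].add(ev["counters"])
        if s["first"] is None or ev["ts"] < s["first"]:
            s["first"] = ev["ts"]
        if s["last"] is None or ev["ts"] > s["last"]:
            s["last"] = ev["ts"]
    return dict(summary)


def noisy_clients(summary, threshold=3):
    """MACs whose total event count reaches the threshold, noisiest first."""
    totals = {mac: s["replay_ctr"] + s["invalid_state"] + s["other"]
              for mac, s in summary.items()}
    ranked = sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))
    return [mac for mac, n in ranked if n >= threshold]


if __name__ == "__main__":
    for mac, s in summarize(SAMPLE_LOG).items():
        print(mac, s["replay_ctr"], s["invalid_state"], sorted(s["counters"]))
```

If the noisy list is two or three MACs, look at those devices (driver/supplicant) first; if nearly every associated client appears, the controller or RADIUS side is the better suspect.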

I am starting to pursue a ICND1 100-105. I have been starting to work through the study book in my free time. I also was gifted two 2960 switches by a family member to start my home lab as well as a MicroTik Cloud Core Router (not Cisco I know).

My question here is I am looking for some things to set up and tear down to learn more about the CLI and about switching generally. I don't know the CLI at all yet and all this will be a steep learning curve for me. So what can I build out with the equipment I have that will take me through the basics? I know this is very general and I don't really have any idea what I am doing. Just looking for a place to start out at.

Thanks!


So I'm trying to learn Cisco CLI and immediately I'm stuck. I started the setup and selected yes with SNMP setup when I should've selected no.

I might need SNMP later but for now, I just need to configure DHCP.

I'm not sure what keywords I need to google to help me out of this bind.

Currently the switch shows:

% No defaulting allowed

Enter interface name used to connect to the
management network from the above interface summary:

What can I do to get past this or cancel it?

I'm working in PuTTY.


We are managing over a hundred switches, and are looking for a way to automate the process of identifying switches with a 'down', but not 'admin down' port.

We'd like to initially shut them all (using a script or some semi-automated process preferably), and then monitor regularly for new ports that meet this criteria.

Is SNMP the preferred way to do this or what would a more mature company use?
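Whichever transport you collect with, the decision logic is the same: a port is a candidate when IF-MIB ifAdminStatus is up(1) and ifOperStatus is down, excluding logical interfaces. The script below is an added example, not the poster's or a vendor tool; it parses net-snmp style walk output, emits the shutdown config, and diffs against a previous run for the ongoing monitoring. SAMPLE_WALK is constructed, and the logical-interface prefix list is my assumption.

```python
"""Find ports that are oper-down but not admin-down from an IF-MIB walk.

Added example. SAMPLE_WALK is constructed in net-snmp output format for
ifDescr / ifAdminStatus / ifOperStatus; it is not from the poster's switches.
"""
import re

SAMPLE_WALK = """\
IF-MIB::ifDescr.1 = STRING: GigabitEthernet1/0/1
IF-MIB::ifDescr.2 = STRING: GigabitEthernet1/0/2
IF-MIB::ifDescr.3 = STRING: GigabitEthernet1/0/3
IF-MIB::ifDescr.4 = STRING: GigabitEthernet1/0/4
IF-MIB::ifDescr.5 = STRING: Vlan1
IF-MIB::ifAdminStatus.1 = INTEGER: up(1)
IF-MIB::ifAdminStatus.2 = INTEGER: up(1)
IF-MIB::ifAdminStatus.3 = INTEGER: down(2)
IF-MIB::ifAdminStatus.4 = INTEGER: up(1)
IF-MIB::ifAdminStatus.5 = INTEGER: up(1)
IF-MIB::ifOperStatus.1 = INTEGER: up(1)
IF-MIB::ifOperStatus.2 = INTEGER: down(2)
IF-MIB::ifOperStatus.3 = INTEGER: down(2)
IF-MIB::ifOperStatus.4 = INTEGER: lowerLayerDown(7)
IF-MIB::ifOperStatus.5 = INTEGER: down(2)
"""

WALK_RE = re.compile(
    r"^IF-MIB::(?P<col>ifDescr|ifAdminStatus|ifOperStatus)\.(?P<idx>\d+) = "
    r"(?:STRING|INTEGER): (?P<val>.+?)(?:\((?P<num>\d+)\))?$"
)

# Assumption: interfaces with these name prefixes are logical and never shut.
LOGICAL_PREFIXES = ("Vlan", "Port-channel", "Null", "Loopback", "Stack")
# ifOperStatus values that mean "nothing is live on this port".
DOWN_STATES = ("down", "lowerLayerDown")


def parse_walk(text):
    """Map ifIndex -> {'ifDescr': ..., 'ifAdminStatus': 'up'/'down', ...}."""
    ifaces = {}
    for line in text.splitlines():
        m = WALK_RE.match(line.strip())
        if not m:
            continue
        entry = ifaces.setdefault(int(m["idx"]), {})
        entry[m["col"]] = m["val"]   # the enum name, e.g. 'up', not '1'
    return ifaces


def unused_ports(ifaces):
    """Physical ports that are admin up but oper down, in ifIndex order."""
    found = []
    for idx in sorted(ifaces):
        e = ifaces[idx]
        name = e.get("ifDescr", "")
        if not name or name.startswith(LOGICAL_PREFIXES):
            continue
        if e.get("ifAdminStatus") == "up" and e.get("ifOperStatus") in DOWN_STATES:
            found.append(name)
    return found


def shutdown_config(names, description="unused - shut by port audit"):
    """IOS config lines that shut the listed ports and label why."""
    lines = []
    for name in names:
        lines += [f"interface {name}", f" description {description}", " shutdown"]
    return lines


def newly_unused(previous, current):
    """Ports meeting the criteria now that did not in the previous run."""
    return sorted(set(current) - set(previous))


if __name__ == "__main__":
    ports = unused_ports(parse_walk(SAMPLE_WALK))
    print("\n".join(shutdown_config(ports)))
```

Keep the previous run's list per switch; newly_unused over two consecutive runs is the monitoring half of what the post asks for.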


I’m a bit outside of my area of expertise and was wondering if I could get some guidance. We have multiple sites, connected by Comcast ENS. Each site has a router that connects the local network for the site to the ENS network so it can talk to all the other sites. We also have two incoming Comcast EDI (Ethernet Dedicated Internet) connections for Internet service. These are at two separate sites. Only one of the EDI circuits is in play right now with a ASA 5516X acting as the firewall. We have recently purchased an identical (licensing/hardware) 5516X to put at the other location. The goal is to have this set up in a failover configuration so that if one of the sites (not necessarily the Internet service itself) goes down, the Internet isn’t cut off for all our sites.

Internet (EDI) <---> FW1 <---> Switch (site1) <---> Router (site1) <--ENS--> Router(site2) <---> Switch (site2) <---> FW2 <---> Internet (EDI)

My initial assumption was that I would go in and configure active standby/failover, but looking at guides online, I’m not sure that that’s what I need to be configuring as all the guides seem to indicate that is more targeted at hardware failure of one of the ASA devices, which would be located at the same site. So, should I be configuring something else? Would it be better just to have each set up separately and synching settings somehow, but have the failover bit configured in the routers instead (using OSPF)? Looking over my data from Comcast, I believe they have the EDI circuits configured so they show the same public IP.


I have a 3850 stack. With a WS-C3850-24XU. I'm currently running the 3.7.x code to support the switch. I'm getting ready to do my IOS firmware upgrades. Should I be moving to Denali (16.3.x) or Fuji (16.8.x)? Is there anything I need look out for in switching to Denali?


The network topology icons located here are pretty dated now and I'm getting to the point where I'm no longer keen to use them in my diagrams...

After a bit of searching around I found these 2D Cisco Validated Design (CVD) icons which look a lot better, but I notice the name of the download pack is "Unmaintained 2015".

Has anyone completely moved away from official Cisco icons and found something that still covers Cisco products, but looks more modern?


I'm trying to add an exclusion range on an old 3750 switch and none of the commands I'm trying are working. Disclaimer: I'm still green to cisco management and command line isn't my strongest suit by a longshot. Assume all quotes shown in command line examples below are not included when I enter the commands. I looked online at all the manuals which showed the commands for this and I just can't seem to get it right.

We have two address pools, the one I'm working with is called WORKSTATIONS.
In secret mode, I type "show ip dhcp pool" and it hates the word 'pool'

"show ip dhcp pool workstations" hates the word pool again

Go into configure terminal mode "ip dhcp exclude-address 192.168.1.1 192.168.1.100" Hates the dash.

I tried adding in the pool name after dhcp but still no joy. What am I doing wrong? If this isn't the right sub, please let me know.


Long story I won't go into for privacy reasons, but this seemed like something this sub might know. I'm an interested outsider and not under any kind of issue myself.

A guy at my work is being accused of making calls from his IP phone that he insists he didn't make. They're too far back now to show in his outgoing call logs though. When I say "call logs" I mean a record of the metadata of the calls made, not an audio recording of the call.

Nothing illegal took place on these calls -- no-one accuses him of breaking the law. He's insistent that he did not make these calls. There were apparently several to a couple of different numbers. He states he has called one or two of the numbers once each, for a short call each time.

It's messy. It's now they-said-he-said and not sure where it's going.

I guess it comes down to these questions:

  1. Are calls outgoing logged somewhere centrally? Or just on his phone itself?

  2. If they are logged, what is logged? Time and date? Length of call? Who ended the call?

  3. Is there a way to retrieve this information if it's recorded?

We're the tiny Midwest buttfuck office of a medium-size company and the management want to deal internally if they can. I'm just an interested bystander with an interest in finding out how this can be resolved so we can end the unpleasantness.


Hi,

Not sure if anyone is using the TID feature on FMC. I am trying to use it with 6.2.3 but when I try to add source (hail a taxii), I got error message "TAXII Discovery service failed"...

Wonder if this is on my FMC or the Hail a TAXII site issue? Any other reputable source for TID you recommend as well?
