
Flexible NetFlow through an IPSec VPN Tunnel

As of IOS 12.4(20)T Cisco routers can send NetFlow data through an IPSec VPN tunnel. The flow exporter just needs to be configured with the output-features option. According to Configuring Data Export for Cisco IOS Flexible NetFlow with Flow Exporters this option “Enables sending export packets using QoS and encryption”.

For example:

flow exporter NFSVR
 destination 10.1.1.1
 source Vlan1
 output-features
 transport udp 9996
!
!
flow monitor flow-monitor
 record netflow-original
 exporter NFSVR
 cache timeout active 1

However, although the output-features command appears to be available on earlier versions of IOS, it doesn’t seem to have been implemented. You can type the command without error, but it never makes it into the config. So, if you’re trying to get this working, and it’s not, I suggest checking your IOS version.

Poor Voice Quality, Inbound Calls Work, Outbound Calls Don’t on BRI

I had an issue the other day when we replaced an ISDN PRI interface with a BRI. I reconfigured the voice gateway and had inbound calls working – albeit with a fair bit of static. However, I could not get outbound calls to go via the BRI interface. I had debugging on for isdn q931 and voip ccapi inout and was seeing entries similar to:

Aug  5 07:51:08.643: ISDN BR0/1/0 Q931: RX <- RELEASE_COMP pd = 8  callref = 0x84
        Cause i = 0x82E404 - Invalid information element contents
Aug  5 07:51:08.643: //21/8043BD33BC09/CCAPI/cc_api_call_disconnected:
   Cause Value=100, Interface=0x4900DFC0, Call Id=21
Aug  5 07:51:08.643: //21/8043BD33BC09/CCAPI/cc_api_call_disconnected:
   Call Entry(Responsed=TRUE, Cause Value=100, Retry Count=0)
Aug  5 07:51:08.643: //20/xxxxxxxxxxxx/CCAPI/ccCallReleaseResources:
   release reserved xcoding resource.
Aug  5 07:51:08.647: //21/8043BD33BC09/CCAPI/ccCallSetAAA_Accounting:
   Accounting=0, Call Id=21
Aug  5 07:51:08.647: //21/8043BD33BC09/CCAPI/ccCallDisconnect:
   Cause Value=100, Tag=0x0, Call Entry(Previous Disconnect Cause=0, Disconnect Cause=100)
Aug  5 07:51:08.647: //21/8043BD33BC09/CCAPI/ccCallDisconnect:
   Cause Value=100, Call Entry(Responsed=TRUE, Cause Value=100)
Aug  5 07:51:08.647: //21/8043BD33BC09/CCAPI/cc_api_get_transfer_info:
   Transfer Number Is Null
Aug  5 07:51:08.647: //21/8043BD33BC09/CCAPI/cc_api_call_disconnect_done:
   Disposition=0, Interface=0x4900DFC0, Tag=0x0, Call Id=21,
   Call Entry(Disconnect Cause=100, Voice Class Cause Code=0, Retry Count=0)
Aug  5 07:51:08.647: //21/8043BD33BC09/CCAPI/cc_api_call_disconnect_done:
   Call Disconnect Event Sent
Aug  5 07:51:08.647: //-1/xxxxxxxxxxxx/CCAPI/cc_free_feature_vsa:

In the end it turns out I was missing the configuration command compand-type a-law:

voice-port 0/1/0
 translation-profile incoming pstn-incoming
 translation-profile outgoing pstn-outgoing
 compand-type a-law
 cptone AU

Note this is for a router in Australia – other countries might be different.

Different MTU Settings on a Cisco 877 Router

I have a remote site on an ADSL connection using a Cisco 877 router. There’s an IPSec VPN back to my location. The connection speed is very good:

Download Speed (kbps): 23410
Upload Speed (kbps): 1017

The ADSL router was configured with pretty typical MTU and MSS settings (probably copied off the Internet):

interface Vlan1
ip mtu 1452
ip flow ingress
ip tcp adjust-mss 1452

interface Dialer0
ip mtu 1452

The remote site has a VMware ESXi server. I couldn’t remotely connect to the ESXi server using the vSphere client. I could connect using ssh. However, if I tried running any command with a reasonable size output (e.g. ps) the session would hang and then time out. I could connect to a remote server using RDP, but it was very slow to connect (once connected the RDP session was fine).

I had no problems connecting to the ESXi server from the VMware session.

I tried running an FTP on the remote server and copying a file to my location with the following result:
ftp: 149504 bytes sent in 28.89Seconds 5.17Kbytes/sec.

That’s pretty slow for a connection with almost 1Mbps upload speed.

So, I started playing around with MTU and MSS (in the following tests MSS was either set to the same value as MTU or 40 bytes less):
mtu 1200
ftp: 149504 bytes sent in 1.58Seconds 94.74Kbytes/sec.

mtu 1300
ftp: 149504 bytes sent in 2.84Seconds 52.62Kbytes/sec.

I finally settled on the following:

interface Vlan1
ip mtu 1242
ip flow ingress
ip tcp adjust-mss 1200

interface Dialer0
ip mtu 1452

94Kbytes/sec is pretty reasonable for a 1Mb link with round trip latency of around 83ms.

Then I started wondering if my ACL was blocking Path MTU Discovery. So, I added the following to the inbound ACL on the 877 (as per http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml) and changed the MTU values back to original:

permit icmp any any unreachable
permit icmp any any time-exceeded

However, there were no hits and it didn’t seem to help at all:
ftp: 149504 bytes sent in 28.73Seconds 5.20Kbytes/sec.

Then after reading a bit more I wondered what would happen if I took all the MTU and MSS settings off:
ftp: 149504 bytes sent in 3.05Seconds 49.08Kbytes/sec.

Hmm. Much better than the original settings, although not as good as MTU 1200. Perhaps the link was under a bit of load; let’s try again:
ftp: 149504 bytes sent in 1.52Seconds 98.68Kbytes/sec.

And a third time:
ftp: 149504 bytes sent in 1.52Seconds 98.68Kbytes/sec.

So I tried a fourth and fifth time (both had the same result):
ftp: 149504 bytes sent in 1.50Seconds 99.67Kbytes/sec.

So, I thought, maybe the router or computer is remembering the session and MTU (if it’s doing MTU discovery). So I disconnected the FTP sessions and reconnected:
ftp: 149504 bytes sent in 1.50Seconds 99.74Kbytes/sec.

Amazing. So the tip? Perhaps the best way to handle MTU is to not worry about it.
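As an added check, not part of the original post: a short Python script that tests the MTU/MSS pairs from the 877 configs above against the rule that a full TCP segment (MSS plus a 20-byte IPv4 header and a 20-byte TCP header, no options) must fit inside the interface IP MTU, and that recomputes the transfer rate from the ftp summary lines. It assumes the ftp client counts 1 Kbyte as 1000 bytes, which matches the figures it printed.

```python
# Added example (not from the original post): MTU/MSS sanity check and
# ftp throughput recalculation for the values quoted in the post.
import re

IPV4_HDR = 20  # bytes, no IP options
TCP_HDR = 20   # bytes, no TCP options (the MSS excludes headers)


def max_mss(ip_mtu: int) -> int:
    """Largest TCP MSS whose full segment still fits inside ip_mtu."""
    return ip_mtu - IPV4_HDR - TCP_HDR


def check_pair(ip_mtu: int, adjust_mss: int) -> dict:
    """Does a full-size segment built with adjust_mss fit into ip_mtu?

    If not, every full segment must be fragmented by the router or, when
    the host sets DF, dropped and signalled via ICMP (Path MTU Discovery).
    """
    segment = adjust_mss + IPV4_HDR + TCP_HDR
    return {
        "ip_mtu": ip_mtu,
        "adjust_mss": adjust_mss,
        "segment_bytes": segment,
        "fits": segment <= ip_mtu,
        "overshoot": max(0, segment - ip_mtu),
    }


# Matches the ftp client's summary line, e.g.
# "ftp: 149504 bytes sent in 28.89Seconds 5.17Kbytes/sec."
FTP_LINE = re.compile(r"ftp: (\d+) bytes sent in ([\d.]+)Seconds")


def ftp_rate_kbytes(line: str) -> float:
    """Recompute Kbytes/sec (1 Kbyte = 1000 bytes, an assumption that
    matches the client's own output) from an ftp summary line."""
    m = FTP_LINE.search(line)
    if not m:
        raise ValueError("not an ftp transfer summary: " + line)
    nbytes, secs = int(m.group(1)), float(m.group(2))
    return round(nbytes / 1000 / secs, 2)


if __name__ == "__main__":
    # MTU/MSS pairs as configured on Vlan1 before and after the change.
    for mtu, mss in ((1452, 1452), (1242, 1200)):
        print(check_pair(mtu, mss))
    print(ftp_rate_kbytes("ftp: 149504 bytes sent in 28.89Seconds 5.17Kbytes/sec."))
```

With the original 1452/1452 pair a full segment is 1492 bytes, 40 bytes over the MTU, while the 1242/1200 pair fits with two bytes to spare.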

Sun boot error: The file just loaded does not appear to be executable

When you try to boot a Sun SPARC based machine from CDROM you get the error “The file just loaded does not appear to be executable”:

ok boot cdrom
Resetting ...

Sun Ultra 5/10 UPA/PCI (UltraSPARC-IIi 333MHz), No Keyboard
OpenBoot 3.19, 384 MB (50 ns) memory installed, Serial #12345678.
Ethernet address 8:0:20:11:22:33, Host ID: 80112233.

Rebooting with command: boot cdrom
Boot device: /pci@1f,0/pci@1,1/ide@3/cdrom@1,0:f  File and args: -F cprboot
Boot load failed.
The file just loaded does not appear to be executable.
Boot device: disk  File and args: -F cprboot
Boot load failed.
The file just loaded does not appear to be executable.

ok

You may also get this error if you’re attempting to boot from a new disk. You are, however, able to boot from CD in single user mode (boot cdrom -s).

Notice that File and args contains “-F cprboot”. This parameter is inserted in the Boot PROM if the machine was suspended. The parameter is used to restore the running OS from the state file saved to the hard disk at the time the system was suspended. Obviously neither the CD nor a new hard disk will contain the state file.

You can see this parameter in the Boot PROM:

ok printenv boot-file
boot-file =           -F cprboot

To remove this parameter use the following command at the ok prompt:
set-default boot-file

Hopefully the system will now boot successfully:

ok boot cdrom
Boot device: /pci@1f,0/pci@1,1/ide@3/cdrom@1,0:f  File and args:
SunOS Release 5.6 Version Generic_105181-05 [UNIX(R) System V Release 4.0]
Copyright (c) 1983-1997, Sun Microsystems, Inc.
Configuring devices...
fd0: unformatted diskette or no diskette in the drive
fd0: unformatted diskette or no diskette in the drive
fd0: unformatted diskette or no diskette in the drive
The system is coming up.  Please wait.
....

How to do a Stop-A on a PS/2 Keyboard with a Sun Interface Converter

If you’re using a PS/2 keyboard on an older model Sun with a Sun Interface Converter (part number 730-2068-01) you might be wondering where the Stop key is. Use the Break key instead. For example, Break+A instead of Stop+A.

MRTG error: log file was corrupt or not in sorted order

You create an MRTG config file to poll for CPU load on a device. When you run mrtg you get errors similar to those below:

Rateup ERROR: /usr/bin/rateup found server.cpu's log file was corrupt
or not in sorted order:
time: 1263993300.Rateup WARNING: /usr/bin/rateup The backup log file for server.cpu was invalid as well
WARNING: rateup died from Signal 0
with Exit Value 1 when doing router 'server.cpu'
Signal was 0, Returncode was 1

This may be because you have only specified one MIB value. MRTG assumes there will be two values (e.g. Tx and Rx). You can get around this problem by specifying the same value twice. MRTG will then superimpose one on the other. For example:

Target[server.cpu]: .1.3.6.1.4.1.9.9.109.1.1.1.1.5.1&.1.3.6.1.4.1.9.9.109.1.1.1.1.5.1:public@192.168.100.1:

For more information see this link.

One solution to “The network path was not found” Windows error

I had an issue escalated to me where NetBIOS name resolution didn’t work on one particular machine. DNS was working – you could ping by hostname. However, you couldn’t connect to a remote share using hostnames (although connecting using IP addresses worked).

As a number of other people had already looked at this before me I assumed that the problem must be particularly fiendish and started Googling. I tried all the recommendations to reset Winsock using netsh etc. Nothing worked. I tried uninstalling anything that might be network related – that didn’t work either.

In the end I went back to the basics and found the problem. It seems that somewhere along the line the “TCP/IP NetBIOS Helper” service startup was set to Manual. I started the service and everything started working.

I have no idea how this service was changed from Automatic to Manual but it must have been some time ago as the user had been putting up with the problem for months.

So, if you get the above error and can ping the host by name I suggest you first make sure that the “TCP/IP NetBIOS Helper” service is running. After that try checking all the hard stuff.

Windows 7 and ATI – Screen does not wake from sleep after RDP

You might have the following problem with Windows 7 64 bit with ATI Radeon 2400 HD (default Windows drivers or latest drivers from ATI). If you RDP to the machine after Windows has put the screen to sleep you might find that when you later try to use the computer, there’s no signal being sent to the screen.

A workaround is to change your power options within Windows Control Panel and set “Turn off the display:” to “Never”.

DynDNS and Cisco 877 Router

I had a couple of issues getting DynDNS working on a Cisco router. The first issue was: how do I type a question mark within an IOS configuration command? Normally, when you type ? IOS responds with its command help. This is obviously a problem when you’re trying to enter a URL that contains a question mark. The fix: press Control-V before typing the question mark, just like in Unix.

The second issue I had was with the router not registering with DynDNS. Specifying debug ip ddns update showed the following:

Dec  6 10:03:00.988: HTTPDNSUPD: Sending request
Dec  6 10:03:20.996: HTTPDNSUPD: Call returned Connection time out, update of yourhost.dyndns.net <=> 123.123.123.123 failed

It turns out the second issue was with CBAC. I had to add an inspect entry to my router configuration:
ip inspect name CBAC-OUT tcp router-traffic

The relevant parts of my configuration are below:

ip inspect name CBAC-OUT tcp router-traffic
ip ddns update method DYNDNS
 HTTP
  add http://username:password@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
 interval maximum 28 0 0 0
 interval minimum 28 0 0 0

interface Dialer0
 ip ddns update hostname putyourdnsnamehere
 ip ddns update DYNDNS host members.dyndns.org
 ip address negotiated
 ip access-group DIALER0_IN-3 in
 ip inspect CBAC-OUT out

ip access-list extended DIALER0_IN-3
 permit icmp any any echo-reply
 permit icmp any any ttl-exceeded
 permit icmp any any time-exceeded
 permit icmp any any packet-too-big
 deny   ip any any

Thanks to this thread at Whirlpool for helping me resolve this problem. For more on ip inspect tcp router-traffic see Inspect router-generated traffic and its update, Update: Inspect router-generated traffic. For information on CBAC try the following links:
http://www.ciscopress.com/articles/article.asp?p=26533
http://www.dslreports.com/faq/13435
http://www.cisco-tips.com/how-to-configure-cisco-router-with-ios-firewall-functionality-%E2%80%93-cbac/
http://articles.techrepublic.com.com/5100-10878_11-1057051.html

VMware Workstation Unrecoverable Error: (vmx) NOT_IMPLEMENTED

I RDP’d to my workstation and attempted to start a virtual machine in VMware Workstation 6.5.2. However, part of the way through the boot process VMware would pop up the following error:

VMware Workstation Unrecoverable Error

Looking at the log file I would see:

NOT_IMPLEMENTED d:/build/ob/bora-156735/bora/vmx/main/pollVMX.c:3651

It didn’t matter whether I was trying to start a Windows or a Linux virtual machine, I still got the error.

The cause appears to have been my display settings. I changed my RDP client settings to “High Color (16 bit)” and everything started working.

Edited at 13/8/2009:

This happened again and changing the colours made no difference. Normally I run RDP in full screen mode. I “unmaximised” it and was then able to start the VM.