Re: [c-nsp] AS Download ipv6 Was: AS missing in Netflow data, ASR 9001
On 17.12.2014 1:26 AM, Nick Hilliard wrote:
> On 16/12/2014 19:21, Tim Kleefass wrote:
>> Which line-cards do you have ?
> asr9001, i.e. typhoon.

Arg, totally forgot: there is bug CSCuf86015 for 4.3.1 - no known fixed releases? (Don't know if this applies for asr9001.) If nobody knows a release where this is solved I'll reopen the old TAC case.

- For IPv6 flows AS numbers are 0 for prefixes learned via directly connected ebgpv6 neighbors. (The bug report is a bit more specific, so that we thought that it does not apply for us, but it did.)

One workaround is to set the nexthop to the neighbor's global IPv6 address, e.g.

 route-policy peer-in
  ...
  set next-hop peer-address
 end-policy

Obviously, don't do that for route-servers at IXPs...

This works for us with Typhoon line-cards, ASR 90(06|10), RSP-4G and 4.3.1 running.

-Tim

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
[c-nsp] ASR9k question
Hi,

Does anybody know the maximum number of VPLS instances supported on ASR9k? Is there a reference on cisco.com? I was able to find numbers of pseudowires but I'm not currently sure it's the same...

Merry Christmas and regards
[c-nsp] SDN
I need to understand and set up SDN in my office environment. Can you help me out with necessary videos and installation guides?

- Gnanesh R
[c-nsp] Get Cisco CEF hash function
Hi,

I am using Cisco ECMP to load-balance traffic to servers. I am currently using static IP, but I will soon use BGP. For instance:

 ip route [VIP-WEB] 255.255.255.255 [REAL-WEB1] 255.255.255.255 weight 20
 ip route [VIP-WEB] 255.255.255.255 [REAL-WEB2] 255.255.255.255 weight 20

I am using Cisco 7600, RSP720, and IOS 12.2(33)SRE2 on the test platform. I am using per IP balancing, and I have forced the seed to 1:

 ip cef load-sharing algorithm universal 0001
 mls ip cef load-sharing simple

Is there a way to get the exact hash function used by the router? This is for monitoring purposes: I'd like to be able to check that each real server is alive by using a different source IP when testing the service (VIP-WEB).

I know I could use

 show ip cef [VIP/32] detail
 show ip cef [VIP/32] internal

or

 show mls cef exact-route [IPSRC] [VIP]

However, I guess it would be easier to have the exact internal hashing algorithm. Or is there another way to monitor each real server with such a configuration?

Regards,
-- 
Xavier Nicollet
Re: [c-nsp] Primer for IOS-XR
Hello Scott,

Since you have ASRs you should read through everything from Xander (Alexander Thuijs) on the support forums, including the discussions under the articles - you can also post questions. Oh, and also watch Xander's presentations on Cisco Live.

adam
Re: [c-nsp] Secondary IP address causing MTU reduction?
ME-3600X: Version 15.2(4)S, RELEASE SOFTWARE (fc1)
ASR1001: Version 15.3(1)S1, RELEASE SOFTWARE (fc1)

ME-3600X G0/1 is connected to ASR 1001 G0/0/1.

ME-3600X:

 interface GigabitEthernet0/1
  description uplink-nav-oxr-core1
  switchport access vlan 100
  mtu 9200
 !
 interface Vlan100
  description nav-oxr-base1-mgmt
  mtu 9200
  ip address XXX.209.96.102 255.255.255.240
  ip ospf cost 10
 !

ASR 1001:

 interface GigabitEthernet0/0/1
  description uplink-nav-oxr-base1
  mtu 9200
  ip address XXX.209.96.97 255.255.255.240
  ip flow ingress
  ip flow egress
  ip ospf cost 10
  negotiation auto
  mpls ip
  cdp enable

On Tuesday, December 16, 2014 6:28 PM, David Coulson da...@davidcoulson.net wrote:
> What platform? What code? Can you post your interface config?
>
> Sent from my iPhone
>
> On Dec 16, 2014, at 9:22 PM, Eric A Louie via cisco-nsp cisco-nsp@puck.nether.net wrote:
>> I encountered a strange problem that I'm hoping is a bug.
>> Directly connected routers
>> MTU 9200
>> Works fine with single IP addresses
>> As soon as I put a secondary address on both interfaces (one VLAN, one physical interface), the MTU allowed magically decreased to 1477. 1500 byte packets with DF set would not pass. Removing the secondaries fixed the problem.
>> Anyone seen this before?
[c-nsp] MBUS-2-DNLDFAIL in cisco 12404
Hello everyone,

I am finding a MBUS-2-DNLDFAIL error log thrown in a Cisco 12404 on a 4 port GigE card. When I reset the LC I find the IOS is downloading but getting a timeout after some time:

 Slot 2 type = 4 Port ISE Gigabit Ethernet state = FABLSTRT Launching Fabric Downloader . .
 Slot 2 type = 4 Port ISE Gigabit Ethernet state = IOSDNLD Downloading IOS . . .
 Slot 2 type = 4 Port ISE Gigabit Ethernet state = RTRYWAIT Waiting to retry download after persistent failures .

This process keeps repeating and finally I find the below log:

 *Dec 17 12:31:09.287 IST: %MBUS-2-DNLDFAIL: IOS download to slot 2 fail, timeout
 *Dec 17 12:31:09.287 IST: %RP-3-ABANDON_DOWNLOAD: End attempt to start the linecard in slot 2

Any issue in hardware or?

Warm Regards,
Thiyagarajan B.
[c-nsp] IOS-XR vimrc?
Just started using IOS-XR. My normal text editor is VIM, and I am using that to edit existing route-policies on some ASRs we have deployed. However, the default vimrc has tab settings that make it difficult to edit RPs that default to 2-space indent on control structures, when VIM doesn't auto-indent at all on following new-lines, and the default tab settings insert a tab instead of spaces.

I did a little investigation of the underlying OS -- has anyone tried editing/creating /pkg/etc/vim/vimrc to have some more sane settings? Does it persist across system upgrades/reboots?

-- 
Brandon Ewing (nicot...@warningg.com)
Re: [c-nsp] Get Cisco CEF hash function
On (2014-12-17 10:25 +0100), Xavier Nicollet wrote:

Hey,

> I know I could use
> show ip cef [VIP/32] detail
> show ip cef [VIP/32] internal
> or
> show mls cef exact-route [IPSRC] [VIP]
> However, I guess it would be easier to have the exact internal hashing algorithm. Or is there another way to monitor each real server with such a configuration

You probably want to have a unicast address as well as the anycast address, and NMS the unicast address. I don't think the hash algorithm is publicly documented, as the vendor probably does not want customers to rely on it not changing.

I like this configuration, but there is one catch to it: it tends to make PMTUD issues more pronounced, as there are no guarantees that the ICMP message generated by a transit router will reach the correct server, so it might cause blackholing. There are two cures for this. First, use a smaller MTU on the servers, which is statistically unlikely to be too large for a relevant portion of hosts. Second, the prettier solution is to ask the vendor to do the ECMP hash on the embedded IP packet in the ICMP message, instead of the top headers.

-- 
++ytti
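Added example, not code from the thread, from Cisco, or from either poster: a small Python model of the setup Xavier describes (a VIP/32 with two real servers as ECMP next-hops, per-IP hashing) and of the PMTUD catch Saku raises. Everything here is constructed: documentation-range addresses, a SHA-256 based stand-in for the router's hash (the thread notes the real CEF "universal" hash is not public, so only the inputs, source/destination IP plus a seed, are modelled), and a hand-built ICMP "fragmentation needed" packet. It shows that hashing the ICMP message on its own outer header (transit router to VIP) can deliver it to a real server that never sent the too-big packet, while hashing the embedded original header with source and destination swapped always follows the client's flow to the server that did.

```python
"""ECMP next-hop selection for ICMP 'fragmentation needed' messages:
outer-header hashing versus hashing on the embedded original packet."""
import hashlib
import ipaddress
import struct

# Constructed addressing (RFC 5737 / RFC 6598 ranges), not from the thread.
VIP = "192.0.2.10"                                # service address (VIP/32)
REAL_SERVERS = ["198.51.100.1", "198.51.100.2"]   # ECMP next-hops for VIP/32
TRANSIT_ROUTER = "203.0.113.1"                    # router generating the ICMP
SEED = 1                                          # stands in for "universal 0001"


def flow_hash(src: str, dst: str, seed: int = SEED) -> int:
    """Per-IP-pair hash. Illustrative stand-in only: the router's real CEF
    hash is undocumented, so this just uses the same inputs (src, dst, seed)."""
    key = struct.pack("!4s4sI", ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed, seed)
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big")


def pick_next_hop(src: str, dst: str, next_hops=REAL_SERVERS) -> str:
    """ECMP choice for a packet src -> dst (assumed modulo-N selection)."""
    return next_hops[flow_hash(src, dst) % len(next_hops)]


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (IPv4 header / ICMP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                      64, proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def build_frag_needed(router: str, server_src: str, client: str, mtu: int) -> bytes:
    """ICMP type 3 code 4 from `router` to `server_src`, quoting the IPv4 header
    of the too-big packet server_src -> client plus 8 bytes of its payload."""
    quoted = _ipv4_header(server_src, client, 6, 1400) + b"\x00" * 8
    icmp = struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + quoted
    icmp = icmp[:2] + struct.pack("!H", _checksum(icmp)) + icmp[4:]
    return _ipv4_header(router, server_src, 1, len(icmp)) + icmp


def parse_frag_needed(pkt: bytes) -> dict:
    """Extract outer and embedded src/dst from an ICMP fragmentation-needed packet."""
    ver_ihl, proto = pkt[0], pkt[9]
    if ver_ihl >> 4 != 4 or proto != 1:
        raise ValueError("not an IPv4 ICMP packet")
    ihl = (ver_ihl & 0x0F) * 4
    if (pkt[ihl], pkt[ihl + 1]) != (3, 4):
        raise ValueError("not ICMP type 3 code 4")
    inner = pkt[ihl + 8:]
    return {
        "outer_src": str(ipaddress.IPv4Address(pkt[12:16])),
        "outer_dst": str(ipaddress.IPv4Address(pkt[16:20])),
        "inner_src": str(ipaddress.IPv4Address(inner[12:16])),
        "inner_dst": str(ipaddress.IPv4Address(inner[16:20])),
    }


def route_by_outer_header(pkt: bytes) -> str:
    """Hash the ICMP packet's own src/dst (router -> VIP): the same next-hop
    for every client, regardless of which real server sent the big packet."""
    f = parse_frag_needed(pkt)
    return pick_next_hop(f["outer_src"], f["outer_dst"])


def route_by_embedded_packet(pkt: bytes) -> str:
    """Hash the quoted header with src/dst swapped, so the ICMP takes the same
    next-hop as the client -> VIP flow whose reply was too big."""
    f = parse_frag_needed(pkt)
    return pick_next_hop(f["inner_dst"], f["inner_src"])


def misdelivery_report(n_clients: int = 64) -> dict:
    """Count ICMPs delivered to the wrong real server under each strategy."""
    wrong = {"outer": 0, "embedded": 0}
    for i in range(n_clients):
        client = str(ipaddress.IPv4Address("100.64.0.0") + i)  # constructed clients
        serving = pick_next_hop(client, VIP)   # server that handles this client
        pkt = build_frag_needed(TRANSIT_ROUTER, VIP, client, 1400)
        wrong["outer"] += route_by_outer_header(pkt) != serving
        wrong["embedded"] += route_by_embedded_packet(pkt) != serving
    return wrong


if __name__ == "__main__":
    print(misdelivery_report())
```

The report is the point: with outer-header hashing every ICMP from a given transit router lands on one fixed real server, so roughly half of the clients' PMTU signals go to a server that was not talking to them and the other server keeps retransmitting oversized segments into a black hole; with embedded-packet hashing the count is zero. On the 7600 itself the equivalent check is the `show mls cef exact-route` command quoted above, run with the transit router as source and the VIP as destination.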
Re: [c-nsp] Get Cisco CEF hash function
Thanks for the answer. I hadn't thought about that. I wasn't using tunnels just to be sure PMTUD would not hit me (ouch!). I am not sure Cisco IOS can load-balance on the embedded IP packet as you say.

Cheers,

2014-12-17 17:08 GMT+01:00 Saku Ytti s...@ytti.fi:
> On (2014-12-17 10:25 +0100), Xavier Nicollet wrote:
>
> Hey,
>
>> I know I could use
>> show ip cef [VIP/32] detail
>> show ip cef [VIP/32] internal
>> or
>> show mls cef exact-route [IPSRC] [VIP]
>> However, I guess it would be easier to have the exact internal hashing algorithm. Or is there another way to monitor each real server with such a configuration
>
> You probably want to have a unicast address as well as the anycast address, and NMS the unicast address. I don't think the hash algorithm is publicly documented, as the vendor probably does not want customers to rely on it not changing.
>
> I like this configuration, but there is one catch to it: it tends to make PMTUD issues more pronounced, as there are no guarantees that the ICMP message generated by a transit router will reach the correct server, so it might cause blackholing. There are two cures for this. First, use a smaller MTU on the servers, which is statistically unlikely to be too large for a relevant portion of hosts. Second, the prettier solution is to ask the vendor to do the ECMP hash on the embedded IP packet in the ICMP message, instead of the top headers.
>
> --
> ++ytti

-- 
Xavier Nicollet
Re: [c-nsp] ASR9k question
On 17/12/2014 09:14, R LAS wrote:
> Does anybody know the maximum number of VPLS instances supported on ASR9k? Is there a reference on cisco.com? I was able to find numbers of pseudowires but I'm not currently sure it's the same...

 Router# show l2vpn capability

Note that there are a pile of line-card dependencies here, and that the documentation says:

 To achieve the scale values, subinterfaces must be evenly allocated between the line card's physical ports.

Nick
[c-nsp] Inline Fan Controllers?
Hello,

Has anyone on the list ever messed with putting a fan controller in a switch so it's inline between the motherboard and fan? I had one of these ( http://www.quietpc.com/images/products/gel-fan-controller.jpg ) laying around and plugged it into a spare 2950g and 3560g I have kicking around; the fan powers up and the fan works like normal, and turning the knob has no effect.

I thought it would be like a standard 3 wire computer fan and that this would be an easy way to lower rpm on a stock fan with replacing the fan. This is only to minimize noise when labbing; we aren't looking to do this to any production equipment.

Anyone ever tried anything like this and had any success? I was hoping it would work because the controllers are only a few dollars and it would be cheaper and more flexible, as we could move the controllers around from box to box as needed.

If you have any experience with anything that worked, I would be interested to hear about it.

chris
Re: [c-nsp] Get Cisco CEF hash function
Hey,

7600 certainly can't, by design. But things like ASR1k, ASR9k would have HW capability for it, if there is customer demand.

On 17 December 2014 at 18:35, Xavier Nicollet xnicol...@gmail.com wrote:
> Thanks for the answer. I hadn't thought about that. I wasn't using tunnels just to be sure PMTUD would not hit me (ouch!). I am not sure Cisco IOS can load-balance on the embedded IP packet as you say.
>
> Cheers,
>
> 2014-12-17 17:08 GMT+01:00 Saku Ytti s...@ytti.fi:
>> On (2014-12-17 10:25 +0100), Xavier Nicollet wrote:
>>
>> Hey,
>>
>>> I know I could use
>>> show ip cef [VIP/32] detail
>>> show ip cef [VIP/32] internal
>>> or
>>> show mls cef exact-route [IPSRC] [VIP]
>>> However, I guess it would be easier to have the exact internal hashing algorithm. Or is there another way to monitor each real server with such a configuration
>>
>> You probably want to have a unicast address as well as the anycast address, and NMS the unicast address. I don't think the hash algorithm is publicly documented, as the vendor probably does not want customers to rely on it not changing.
>>
>> I like this configuration, but there is one catch to it: it tends to make PMTUD issues more pronounced, as there are no guarantees that the ICMP message generated by a transit router will reach the correct server, so it might cause blackholing. There are two cures for this. First, use a smaller MTU on the servers, which is statistically unlikely to be too large for a relevant portion of hosts. Second, the prettier solution is to ask the vendor to do the ECMP hash on the embedded IP packet in the ICMP message, instead of the top headers.
>>
>> --
>> ++ytti
>
> --
> Xavier Nicollet

-- 
++ytti
Re: [c-nsp] Inline Fan Controllers?
I have used those before; it should decrease the voltage, forcing the fan to spin slower. It should work in theory on any device using a 3-pin connector. Possibly a defective or junky fan controller. You could put a volt meter on the end of it to see if turning the knob has any effect.

Stephen

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of chris
Sent: Wednesday, December 17, 2014 10:02 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Inline Fan Controllers?

> Hello,
>
> Has anyone on the list ever messed with putting a fan controller in a switch so it's inline between the motherboard and fan? I had one of these ( http://www.quietpc.com/images/products/gel-fan-controller.jpg ) laying around and plugged it into a spare 2950g and 3560g I have kicking around; the fan powers up and the fan works like normal, and turning the knob has no effect.
>
> I thought it would be like a standard 3 wire computer fan and that this would be an easy way to lower rpm on a stock fan with replacing the fan. This is only to minimize noise when labbing; we aren't looking to do this to any production equipment.
>
> Anyone ever tried anything like this and had any success? I was hoping it would work because the controllers are only a few dollars and it would be cheaper and more flexible, as we could move the controllers around from box to box as needed.
>
> If you have any experience with anything that worked, I would be interested to hear about it.
>
> chris
Re: [c-nsp] AS Download ipv6 Was: AS missing in Netflow data, ASR 9001
Hi,

On Tue, Dec 16, 2014 at 08:21:33PM +0100, Tim Kleefass wrote:
> On 16.12.2014 11:10 AM, Florian Lohoff wrote:
>> No success even with -T all - As the asr9k shows no OriginAS when looking in the flowcache with the cli I guess 4.3.2 is broken in this respect. Need to check newer Software.
> 4.3.2 should be fine, we are running 4.3.1. Which line-cards do you have ?
> - AS numbers (BGPDstOrigAS and BGPSrcOrigAS) for IPv6 flows are only exported starting with Typhoon (SFP+) line-cards. No chance for Trident (XFP) cards...

That explains it - A9K-40GE-L - Trident - Interesting that I can configure the attribute download in the BGP section without the machine complaining.

Flo
-- 
Florian Lohoff f...@zz.de
Re: [c-nsp] Inline Fan Controllers?
It was a Zalman, cheapo unit: http://www.newegg.com/Product/Product.aspx?Item=N82E16835118217

I have used a few others over the years, but they were usually for 3.5" and 5.25" bays on desktops; might be a bit bigger than what you want.

Stephen

From: chris [mailto:tknch...@gmail.com]
Sent: Wednesday, December 17, 2014 10:54 AM
To: Steve Mikulasik
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Inline Fan Controllers?

> I had 2 of the same exact fan controllers; both do the same thing, so I'm counting out that both are defective, but guessing that most likely there's something they aren't doing right. The controllers I have say they control any 12V fan, and the fan on the 2950g I'm playing with says it's 12V 0.46A, so I think it should work. You don't happen to remember a model or part # of one you used that worked?
>
> chris
>
> On Wed, Dec 17, 2014 at 12:35 PM, Steve Mikulasik steve.mikula...@civeo.com wrote:
>> I have used those before; it should decrease the voltage, forcing the fan to spin slower. It should work in theory on any device using a 3-pin connector. Possibly a defective or junky fan controller. You could put a volt meter on the end of it to see if turning the knob has any effect.
>>
>> Stephen
>>
>> -----Original Message-----
>> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of chris
>> Sent: Wednesday, December 17, 2014 10:02 AM
>> To: cisco-nsp@puck.nether.net
>> Subject: [c-nsp] Inline Fan Controllers?
>>
>>> Hello,
>>>
>>> Has anyone on the list ever messed with putting a fan controller in a switch so it's inline between the motherboard and fan? I had one of these ( http://www.quietpc.com/images/products/gel-fan-controller.jpg ) laying around and plugged it into a spare 2950g and 3560g I have kicking around; the fan powers up and the fan works like normal, and turning the knob has no effect.
>>>
>>> I thought it would be like a standard 3 wire computer fan and that this would be an easy way to lower rpm on a stock fan with replacing the fan. This is only to minimize noise when labbing; we aren't looking to do this to any production equipment.
>>>
>>> Anyone ever tried anything like this and had any success? I was hoping it would work because the controllers are only a few dollars and it would be cheaper and more flexible, as we could move the controllers around from box to box as needed.
>>>
>>> If you have any experience with anything that worked, I would be interested to hear about it.
>>>
>>> chris
Re: [c-nsp] MBUS-2-DNLDFAIL in cisco 12404
Do the following:

 show inv
 dir
 sh ver

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of thiyagarajan b
Sent: Wednesday, December 17, 2014 9:02 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] MBUS-2-DNLDFAIL in cisco 12404

> Hello everyone,
>
> I am finding a MBUS-2-DNLDFAIL error log thrown in a Cisco 12404 on a 4 port GigE card. When I reset the LC I find the IOS is downloading but getting a timeout after some time:
>
>  Slot 2 type = 4 Port ISE Gigabit Ethernet state = FABLSTRT Launching Fabric Downloader . .
>  Slot 2 type = 4 Port ISE Gigabit Ethernet state = IOSDNLD Downloading IOS . . .
>  Slot 2 type = 4 Port ISE Gigabit Ethernet state = RTRYWAIT Waiting to retry download after persistent failures .
>
> This process keeps repeating and finally I find the below log:
>
>  *Dec 17 12:31:09.287 IST: %MBUS-2-DNLDFAIL: IOS download to slot 2 fail, timeout
>  *Dec 17 12:31:09.287 IST: %RP-3-ABANDON_DOWNLOAD: End attempt to start the linecard in slot 2
>
> Any issue in hardware or?
>
> Warm Regards,
> Thiyagarajan B.
Re: [c-nsp] Inline Fan Controllers?
Check that the wiring is normal with a multimeter. I know a lot of those boards use odd pinouts. I had to splice the fans on the last switch I silent-modded due to this very issue.

-Blake

On Wed, Dec 17, 2014 at 9:57 AM, Steve Mikulasik steve.mikula...@civeo.com wrote:
> It was a Zalman, cheapo unit: http://www.newegg.com/Product/Product.aspx?Item=N82E16835118217
>
> I have used a few others over the years, but they were usually for 3.5" and 5.25" bays on desktops; might be a bit bigger than what you want.
>
> Stephen
>
> From: chris [mailto:tknch...@gmail.com]
> Sent: Wednesday, December 17, 2014 10:54 AM
> To: Steve Mikulasik
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] Inline Fan Controllers?
>
>> I had 2 of the same exact fan controllers; both do the same thing, so I'm counting out that both are defective, but guessing that most likely there's something they aren't doing right. The controllers I have say they control any 12V fan, and the fan on the 2950g I'm playing with says it's 12V 0.46A, so I think it should work. You don't happen to remember a model or part # of one you used that worked?
>>
>> chris
>>
>> On Wed, Dec 17, 2014 at 12:35 PM, Steve Mikulasik steve.mikula...@civeo.com wrote:
>>> I have used those before; it should decrease the voltage, forcing the fan to spin slower. It should work in theory on any device using a 3-pin connector. Possibly a defective or junky fan controller. You could put a volt meter on the end of it to see if turning the knob has any effect.
>>>
>>> Stephen
>>>
>>> -----Original Message-----
>>> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of chris
>>> Sent: Wednesday, December 17, 2014 10:02 AM
>>> To: cisco-nsp@puck.nether.net
>>> Subject: [c-nsp] Inline Fan Controllers?
>>>
>>>> Hello,
>>>>
>>>> Has anyone on the list ever messed with putting a fan controller in a switch so it's inline between the motherboard and fan? I had one of these ( http://www.quietpc.com/images/products/gel-fan-controller.jpg ) laying around and plugged it into a spare 2950g and 3560g I have kicking around; the fan powers up and the fan works like normal, and turning the knob has no effect.
>>>>
>>>> I thought it would be like a standard 3 wire computer fan and that this would be an easy way to lower rpm on a stock fan with replacing the fan. This is only to minimize noise when labbing; we aren't looking to do this to any production equipment.
>>>>
>>>> Anyone ever tried anything like this and had any success? I was hoping it would work because the controllers are only a few dollars and it would be cheaper and more flexible, as we could move the controllers around from box to box as needed.
>>>>
>>>> If you have any experience with anything that worked, I would be interested to hear about it.
>>>>
>>>> chris
Re: [c-nsp] Inline Fan Controllers?
I had 2 of the same exact fan controllers; both do the same thing, so I'm counting out that both are defective, but guessing that most likely there's something they aren't doing right. The controllers I have say they control any 12V fan, and the fan on the 2950g I'm playing with says it's 12V 0.46A, so I think it should work. You don't happen to remember a model or part # of one you used that worked?

chris

On Wed, Dec 17, 2014 at 12:35 PM, Steve Mikulasik steve.mikula...@civeo.com wrote:
> I have used those before; it should decrease the voltage, forcing the fan to spin slower. It should work in theory on any device using a 3-pin connector. Possibly a defective or junky fan controller. You could put a volt meter on the end of it to see if turning the knob has any effect.
>
> Stephen
>
> -----Original Message-----
> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of chris
> Sent: Wednesday, December 17, 2014 10:02 AM
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] Inline Fan Controllers?
>
>> Hello,
>>
>> Has anyone on the list ever messed with putting a fan controller in a switch so it's inline between the motherboard and fan? I had one of these ( http://www.quietpc.com/images/products/gel-fan-controller.jpg ) laying around and plugged it into a spare 2950g and 3560g I have kicking around; the fan powers up and the fan works like normal, and turning the knob has no effect.
>>
>> I thought it would be like a standard 3 wire computer fan and that this would be an easy way to lower rpm on a stock fan with replacing the fan. This is only to minimize noise when labbing; we aren't looking to do this to any production equipment.
>>
>> Anyone ever tried anything like this and had any success? I was hoping it would work because the controllers are only a few dollars and it would be cheaper and more flexible, as we could move the controllers around from box to box as needed.
>>
>> If you have any experience with anything that worked, I would be interested to hear about it.
>>
>> chris
Re: [c-nsp] Inline Fan Controllers?
I did this to a Cisco/Linksys 2008 switch using a 5V 3-wire voltage regulator to bring the tiny fan's speed down from howling loud to quiet enough for desktop use. Only then did I discover that the box was so electrically noisy that it wiped out the local AM NPR station. Anyone looking for an acoustically quiet 8 port POE gigabit switch who does not listen to weak AM radio signals can contact me off-line :-]

Vince

On Wed, 2014-12-17 at 12:02 -0500, chris wrote:
> Hello,
>
> Has anyone on the list ever messed with putting a fan controller in a switch so it's inline between the motherboard and fan? I had one of these ( http://www.quietpc.com/images/products/gel-fan-controller.jpg ) laying around and plugged it into a spare 2950g and 3560g I have kicking around; the fan powers up and the fan works like normal, and turning the knob has no effect.
>
> I thought it would be like a standard 3 wire computer fan and that this would be an easy way to lower rpm on a stock fan with replacing the fan. This is only to minimize noise when labbing; we aren't looking to do this to any production equipment.
>
> Anyone ever tried anything like this and had any success? I was hoping it would work because the controllers are only a few dollars and it would be cheaper and more flexible, as we could move the controllers around from box to box as needed.
>
> If you have any experience with anything that worked, I would be interested to hear about it.
>
> chris
Re: [c-nsp] TCN's - Causing brief outages on ASR1K
Another update on this... TAC are recommending that we enable bpdufilter on all ports, as any port that is root and receives a TCN will cause an outage... we have bpdufilter enabled on customer facing ports (to other switches), but some of our legacy equipment/connections would be missing this command I'm sure... I find it incredibly difficult to believe that we have not been hit by this in the past, if this is expected behaviour on any switch. Would love to hear from any switching experts on TAC's recommendation, and have we just been lucky not to be impacted by this in the past?

Cheers.

From: cisconsp_l...@hotmail.com
To: peteli...@templin.org; mrantoinemonn...@gmail.com; luky...@hotmail.com; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] TCN's - Causing brief outages on ASR1K
Date: Tue, 16 Dec 2014 10:51:07 +1100

Thanks for all the replies. Just an update to this - No issues for 4 days (with spanning-tree portfast trunk enabled on trunk port from 4948 - ASR), then this morning, another TCN was received on an AGG port (on the 4948) to a carrier. The TCNs (since we are now looking for them) seem to only arrive on 2 ports... both being carrier AGG ports, with multiple vlans, and to the same carrier. We do not have any visibility into the carrier's network. This TCN did also cause OSPF+LDP flaps on the ASR... again, only for ~5 seconds. It's RRR (so highest priority) with TAC, but we are still in the same place we were over a week ago... as you can imagine, customers are not impressed!

Date: Mon, 15 Dec 2014 09:04:43 -0800
From: peteli...@templin.org
To: mrantoinemonn...@gmail.com; luky...@hotmail.com; cisconsp_l...@hotmail.com; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] TCN's - Causing brief outages on ASR1K

You can run RSTP or MST all day long on a switch to get rapid STP convergence, but you'll only gain the rapidness of RSTP/MST on ports where the neighbor is actually participating in the correct STP variant. Routers don't participate in STP, so the 4948 has to treat those ports as legacy STP. Whenever there's a root placement event, the 4948 has to block the port until the STP process/timers can confirm that there's no superior root bridge hiding inside or behind the router. Now, if there's a small enough event going on that SHOULDN'T be causing a root placement event but IS, that could be a bug in the 4948 code. However, I'd say very strongly that you SHOULD have portfast [trunk] towards any devices that aren't participating in the STP process, unless those devices are capable of creating an L2 loop.

On 12/15/2014 1:18 AM, Antoine Monnier wrote:
A TCN will cause all the learned MAC addresses to be flushed by the switches, but it will not block traffic. So the TCN on its own should not be the cause of OSPF and LDP flaps. Is your switch running out of space for all the learned MAC addresses? I don't see how enabling portfast trunk would help in that scenario (it should only change the behavior if an interface flaps). Has the source of the TCN been identified? Configuring ports as portfast will lower the probability of generating TCNs; that may be why they advised you to do this. However, applying it to a port that is stable (no interface flap) is not really going to help for this specific problem.

On Mon, Dec 15, 2014 at 9:06 AM, Lukas Tribus luky...@hotmail.com wrote:
Is it expected behaviour for a TCN to cause a flap on an ASR... We have many other POPs with switches 4948's/4500's etc (trunk) - ASR+7200's and do not have spanning-tree portfast trunk enabled, and they do not experience any flaps?

This has nothing to do with the ASR1k at all. It's expected behavior that STP on the switch will block traffic when there's a reconvergence, especially when misconfigured (like not using portfast on router or host connected links). Why this doesn't happen on your 7k2 we can't tell; there are a lot of moving parts that only you know (for example whether you are using pvst, rapid-pvst or mst and where exactly the root of those particular vlans is).

Regards,
Lukas

___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
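The open question in the thread is whether the TCNs arriving on the carrier AGG ports actually line up in time with the OSPF/LDP flaps on the ASR, and which switch port they come in on. The Python below is an added example, not code from anyone in the thread: it correlates IOS-style syslog lines from the switch and the router. The message mnemonics follow Cisco IOS (%SPANTREE-5-TOPOTRAP, %SPANTREE-6-PORT_STATE, %OSPF-5-ADJCHG, %LDP-5-NBRCHG); the sample lines, hostnames, ports and addresses are constructed, and the log year is assumed.

```python
import re
from datetime import datetime, timedelta

LOG_YEAR = 2014  # IOS syslog lines carry no year; assumed from the thread's date

# Constructed sample lines: sw1 stands for the 4948, asr1 for the ASR behind its trunk.
SAMPLE_LOG = """\
Dec 16 09:12:01 sw1 %SPANTREE-6-PORT_STATE: Port Gi1/47 instance 200 moving from forwarding to blocking
Dec 16 09:12:01 sw1 %SPANTREE-5-TOPOTRAP: Topology Change Trap for vlan 200
Dec 16 09:12:03 asr1 %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.2 on GigabitEthernet0/0/0.200 from FULL to DOWN, Neighbor Down: Dead timer expired
Dec 16 09:12:03 asr1 %LDP-5-NBRCHG: LDP Neighbor 10.0.0.2:0 (1) is DOWN (Session KeepAlive Timer Expired)
Dec 16 09:12:07 asr1 %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.2 on GigabitEthernet0/0/0.200 from LOADING to FULL, Loading Done
Dec 16 11:40:22 sw1 %SPANTREE-5-TOPOTRAP: Topology Change Trap for vlan 300
Dec 16 14:05:10 asr1 %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.9 on GigabitEthernet0/0/1 from FULL to DOWN, Neighbor Down: Interface down or detached
"""

LINE_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) (%[A-Z0-9_-]+): (.*)$")
PORT_RE = re.compile(r"^Port (\S+) instance (\d+) moving from (\w+) to (\w+)")
TOPO_RE = re.compile(r"Topology Change Trap for vlan (\d+)")
DOWN_RE = re.compile(r"\b(?:to|is) DOWN\b")

def parse_line(line):
    """Split one IOS-style syslog line into timestamp, host, mnemonic and text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(" ".join(m.group(1).split()), "%b %d %H:%M:%S")
    return {"ts": ts.replace(year=LOG_YEAR), "host": m.group(2),
            "msg": m.group(3), "text": m.group(4)}

def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]

def is_flap(e):
    """An OSPF or LDP neighbour going down on a router."""
    return (e["msg"] in ("%OSPF-5-ADJCHG", "%LDP-5-NBRCHG")
            and DOWN_RE.search(e["text"]) is not None)

def correlate(text, window_s=10):
    """For each topology-change trap, report the switch port(s) that changed
    state within a second of it on the same switch, and every OSPF/LDP flap
    logged by any router in the window_s seconds after the trap."""
    events = parse_log(text)
    window = timedelta(seconds=window_s)
    out = []
    for e in events:
        if e["msg"] != "%SPANTREE-5-TOPOTRAP":
            continue
        vlan = TOPO_RE.search(e["text"])
        same_sec = [p for p in events
                    if p["host"] == e["host"] and p["msg"] == "%SPANTREE-6-PORT_STATE"
                    and abs((p["ts"] - e["ts"]).total_seconds()) <= 1]
        ports = sorted({m.group(1) for m in (PORT_RE.match(p["text"]) for p in same_sec) if m})
        flaps = [f for f in events if is_flap(f) and e["ts"] <= f["ts"] <= e["ts"] + window]
        out.append({"ts": e["ts"], "switch": e["host"],
                    "vlan": vlan.group(1) if vlan else None, "ports": ports,
                    "flaps": [f"{f['host']}: {f['text']}" for f in flaps]})
    return out

def unexplained_flaps(text, window_s=10):
    """Flaps with no topology-change trap in the preceding window_s seconds;
    those need an explanation other than STP reconvergence."""
    events = parse_log(text)
    window = timedelta(seconds=window_s)
    traps = [e["ts"] for e in events if e["msg"] == "%SPANTREE-5-TOPOTRAP"]
    return [f for f in events if is_flap(f)
            and not any(t <= f["ts"] <= t + window for t in traps)]

if __name__ == "__main__":
    for r in correlate(SAMPLE_LOG):
        print(r)
    for f in unexplained_flaps(SAMPLE_LOG):
        print("unexplained:", f["host"], f["text"])
```

Feed it the merged syslog of the switch and the router (same clock source on both) to see whether every flap has a trap in front of it, and which port the trap's state change came in on.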
Re: [c-nsp] TCN's - Causing brief outages on ASR1K
This seems like...interesting advice. At that point, you might as well just turn spanning-tree off. This is somewhere around cutting off your foot to stop your toe bleeding.

That said: this seems like a design problem, not so much a gear problem. Why are you running spanning tree with devices you don't administratively control? And if you do control them, why the hell are you seeing TCNs so often if your network is stable?

-Blake

On Wed, Dec 17, 2014 at 8:35 PM, CiscoNSP List cisconsp_l...@hotmail.com wrote:
[...]
Re: [c-nsp] TCN's - Causing brief outages on ASR1K
This seems like...interesting advice. At that point, you might as well just turn spanning-tree off. This is somewhere around cutting off your foot to stop your toe bleeding. That said: this seems like a design problem, not so much a gear problem. Why are you running spanning tree with devices you don't administratively control? And if you do control them, why the hell are you seeing TCNs so often if your network is stable?

We don't control the device this port is connected to, and when the port was configured, bpdufilter was not enabled (12 months ago)... TCNs have only recently been arriving on this port.

-Blake

On Wed, Dec 17, 2014 at 8:35 PM, CiscoNSP List cisconsp_l...@hotmail.com wrote:
[...]
[c-nsp] ASA 5500 SSL VPN Auth
Hi All,

Been searching through the archives and haven't seen this setup; wondering if anyone has done this and has any pointers... I'm attempting to do SSL VPN termination on a pair of Cisco ASA 5500s (active failover). To do auto-login without storing the username/password on the client machine I plan on deploying a PKI environment which the ASAs will then use for authenticating the end-points. The endpoints are required to have static IPs as well. Anyone who has done this or has some pointers, it would be greatly appreciated.

Thanks,
Kris
Re: [c-nsp] TCN's - Causing brief outages on ASR1K
spanning-tree bpdu-filter is an interesting command and is very useful for certain corner-cases. Understand your topology very well before deploying.

./Randy

- Original Message -
From: CiscoNSP List cisconsp_l...@hotmail.com
To: Blake Dunlap iki...@gmail.com; cisco-nsp@puck.nether.net cisco-nsp@puck.nether.net
Cc:
Sent: Wednesday, December 17, 2014 9:08 PM
Subject: Re: [c-nsp] TCN's - Causing brief outages on ASR1K
[...]
Re: [c-nsp] ASA 5500 SSL VPN Auth
On Thu, Dec 18, 2014 at 00:29:48, Kris Amy wrote:
Subject: [c-nsp] ASA 5500 SSL VPN Auth
Hi All, Been searching through the archives and haven't seen this setup, wondering if anyone has done this and has any pointers...

What pointers are you looking for? I've done a configuration like this before for kiosks using a specific group-url, a cert enroll tunnel-group, and a certificate map to match the presented certificate against the device certificate on the ASA and the issuing CA. Getting a device certificate on the ASA and importing the CA are pretty easy. The bigger pain is at the certificate map. Here's a small example that should point you in the right direction.

 crypto ca certificate map name 1
  issuer-name attr cn eq intermediate
 crypto ca certificate map name 2
  issuer-name attr cn eq root
 crypto ca certificate map name 3
  issuer-name attr cn eq full name

I don't recall the crypto debugs now, but you can see where it's matching.

I'm attempting to do SSL VPN termination on a pair Cisco ASA 5500(active failover). To do auto-login without storing the username/password on the client machine I plan on deploying a PKI environment which the ASA's will then use for authenticating the end-points. The endpoints are required to have static IP's as well.

HTH
-ryan
Re: [c-nsp] SDN
On 12/17/2014 04:21 AM, GNANESH wrote:
I need to understand and setup SDN in my office environment. Can you help me out with necessary videos and installation guides ?

1. could you be a little more vague?
2. is google broken? if google doesn't have what you need, then...
3. reply w/ your timeline and your training budget.

/chl
Re: [c-nsp] ASA 5500 SSL VPN Auth
On 12/18/2014 12:29 AM, Kris Amy wrote:
Been searching through the archives and haven't seen this setup, wondering if anyone has done this and has any pointers... I'm attempting to do SSL VPN termination on a pair Cisco ASA 5500(active failover). To do auto-login without storing the username/password on the client machine I plan on deploying a PKI environment which the ASA's will then use for authenticating the end-points. The endpoints are required to have static IP's as well.

you're not doing anything revolutionary here and, as it appears you haven't actually attempted it yet and aren't asking anything specific, it's impossible for anyone on the list to know what to tell you without making a metric shit-ton of assumptions. for all we know, you've been given the above as a directive, have never touched an asa, and think a certificate is what your kids bring home from school and hang on the fridge.

set it up in test, come back with specific questions if/when it doesn't work how you want it to, get it working, move to production.

/chl
Re: [c-nsp] ASA 5500 SSL VPN Auth
Hi Ryan,

Thanks. That's where I was up to and got stuck. I got auth going no problem but could not assign a specific IP to each end-point. Got what I needed; now it's working as expected.

Cheers,
Kris

On 17 December 2014 at 23:58, Ryan West rw...@zyedge.com wrote:
[...]