OK guys... here's your weekly EVPL problem thread.
Real quick, we installed 2 new Adtran routers joining our main and remote sites. Our term servers are at the main site. Many times a day (especially end users running telnet-based apps) users on thin clients at BOTH sites are now getting "protocol error" messages that kill their RDP connections and they have to log back in. This did not happen prior to adding the new Adtrans. I don't even know where to begin with this one....
Comments
networker050184 Mod Posts: 11,962
First thing that comes to mind is some sort of timeout. NAT maybe? How are the sites connected?
An expert is a man who has made all the mistakes which can be made.
tdean Member Posts: 520
networker050184 wrote:
First thing that comes to mind is some sort of timeout. NAT maybe? How are the sites connected?
It's just a point-to-point EVPL with the 2 Adtrans in the middle. Once traffic destined for the internet hits the Adtran it's bounced back out and over to an ASA 5510. I was told this is OK. We also have no errors on any interface, router, switch or firewall. The strange part is that the users at the main site are experiencing it also. I can post running configs if it would help.
tdean Member Posts: 520
Quote:
Do you manage the Adtrans?
Yes. Any info you guys need I will do my best to provide. It seems the remote site is still having "random slowdown" for everyone that is accessing a term server at the main site. I honestly have done a ton of research and can't figure out why this has ended up working so poorly.
Monkerz Member Posts: 842
Can you give us a rough diagram of the setup and the configs of both Adtrans? What was in their place before the Adtrans?
tdean Member Posts: 520
Monkerz wrote:
Can you give us a rough diagram of the setup and the configs of both Adtrans? What was in their place before the Adtrans?
Remote Site
Core Switch --- ASA (to internet and separate Adtran) and EVPL Adtran (to Main Site). Both connected.
Main Site
Core Switch --- ASA to internet and Adtran (other side of EVPL)
This site has all the term servers etc.
tdean Member Posts: 520
ASA running config:
ASA Version 8.2(4)1
!
hostname asa5510
domain-name tcxxx.com
enable password AtZdPYziKTyHRqbO encrypted
passwd AtZdPYziKTyHRqbO encrypted
no names
name 172.22.1.0 Hyannis_LAN
name 10.10.10.0 Link_to_WG
name 172.22.0.0 TCxxx_Internal_Nets
!
interface Ethernet0/0
description Comcast Internet
nameif outside
security-level 0
ip address 75.xxx.xxx.73 255.255.255.248
!
interface Ethernet0/1
description TCxxx Lan
speed 100
duplex full
nameif tcxxx
security-level 50
ip address 172.22.1.234 255.255.255.0
!
interface Ethernet0/2
shutdown
nameif dmz
security-level 10
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/3
shutdown
nameif unused
security-level 0
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa824-1-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns domain-lookup dmz
dns server-group DefaultDNS
name-server 172.22.1.7
name-server 172.22.1.92
domain-name xxxxx.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit icmp any any echo-reply
access-list lan_nat0_outbound remark No NAT to MDxxxxx via VPN
access-list lan_nat0_outbound extended permit ip 172.22.1.0 255.255.255.0 host 192.168.100.16
access-list lan_nat0_outbound remark No NAT for VPN Clients
access-list lan_nat0_outbound extended permit ip 172.22.0.0 255.255.0.0 192.168.200.0 255.255.255.0
access-list lan_nat0_outbound remark No NAT to Sandwich via VPN
access-list lan_nat0_outbound extended permit ip 172.22.1.0 255.255.255.0 172.22.4.0 255.255.255.0
access-list lan_nat0_outbound remark No NAT to Ixxx Hosting
access-list lan_nat0_outbound extended permit ip 172.22.1.0 255.255.255.0 172.18.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 172.22.0.0 255.255.0.0 host 192.168.100.16
access-list lan_access_out extended permit ip any any
access-list mdaxxxxx_vpn_filter extended permit ip host 192.168.100.16 host 172.22.1.80
access-list VPNClient_splitTunnelAcl standard permit 10.10.10.0 255.255.255.252
access-list VPNClient_splitTunnelAcl standard permit 10.50.70.0 255.255.255.252
access-list VPNClient_splitTunnelAcl standard permit 172.22.0.0 255.255.0.0
access-list VPNClient_splitTunnelAcl standard permit host 172.22.1.80
access-list outside_cryptomap extended permit ip 172.22.1.0 255.255.255.0 172.22.4.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip 172.22.1.0 255.255.255.0 172.18.1.0 255.255.255.0
pager lines 500
logging enable
logging monitor debugging
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu tcsma 1500
mtu dmz 1500
mtu unused 1500
mtu management 1500
ip local pool RemotePool 192.168.200.1-192.168.200.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any tcxxx
icmp permit any dmz
icmp permit any management
asdm image disk0:/asdm-635.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (tcxxx) 0 access-list lan_nat0_outbound
nat (tcxxx) 1 172.22.1.0 255.255.255.0
nat (dmz) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
access-group lan_access_out in interface tcsma
route outside 0.0.0.0 0.0.0.0 75.xxx.xxx.78 1
route tcxxx 172.22.2.0 255.255.255.0 172.22.1.240 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable 8081
http 192.168.10.0 255.255.255.0 dmz
http 0.0.0.0 0.0.0.0 tcxxx
http 71.xxx.xx.232 255.255.255.255 outside
http 173.x.xx.213 255.255.255.255 outside
http 173.xx.xxx.125 255.255.255.255 outside
http redirect outside 80
snmp-server host outside 71.xxx.xx.232 poll community *****
snmp-server location Telco Room
snmp-server contact TDean at XXXXXXXsts
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer 64.xxx.xxx.180
crypto map outside_map 1 set transform-set ESP-AES-128-SHA
crypto map outside_map 2 match address outside_cryptomap
crypto map outside_map 2 set pfs group5
crypto map outside_map 2 set peer 173.xx.xxx.125
crypto map outside_map 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 3 match address outside_cryptomap_1
crypto map outside_map 3 set pfs group5
crypto map outside_map 3 set peer 207.xxx.xx.31
crypto map outside_map 3 set transform-set ESP-AES-128-SHA
crypto map outside_map 3 set security-association lifetime seconds 86400
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
fqdn vpn.tcxxx.com
subject-name CN=vpn.tcxxx.com,OU=IT,O=The xxxxxxx xxxxxxxx,C=US,St=MA,L=Hyannis
keypair vpnsslcert.key
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 07f75c9a1b2d75
30820559 30820441 a0030201 02020707 f75c9a1b 2d75300d 06092a86 4886f70d
01010505 003081ca 310b3009 06035504 06130255 53311030 0e060355 04081307
dd ad976c33 REMOVED
546e672f 60ebfbf3 3c07552d 4a0eb144 b68887bc 32c4437a 30ec40bc 45
quit
crypto ca certificate chain ASDM_TrustPoint1
certificate ca 0301
fc bf144c0e cc6ec4df REMOVED
3db71271 f4e8f151 40222849 e01d4b87 a834cc06 a2dd125a d1863664 03356f6f
776eebf2 8550985e ab0353ad 9123631f 169ccdb9 b205633a e1f4681b 17053595 53ee
quit
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
telnet timeout 5
ssh 71.xxx.xx.232 255.255.255.255 outside
ssh 173.xx.xxx.125 255.255.255.255 outside
ssh timeout 60
ssh version 2
console timeout 0
dhcpd dns 4.2.2.1 4.2.2.2
!
dhcpd address 192.168.10.5-192.168.10.20 dmz
dhcpd dns 4.2.2.1 4.2.2.2 interface dmz
dhcpd update dns both override interface dmz
dhcpd enable dmz
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
webvpn
url-list value RemoteAccess
svc ask none default webvpn
group-policy vpn_to_sandwich internal
group-policy vpn_to_sandwich attributes
vpn-filter none
vpn-tunnel-protocol IPSec
group-policy VPNClient internal
group-policy VPNClient attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPNClient_splitTunnelAcl
group-policy vpn_to_ihs internal
group-policy vpn_to_ihs attributes
vpn-filter none
vpn-tunnel-protocol IPSec
***SSL Users Removed***
webvpn
url-list value RemoteAccess
tunnel-group 64.xxxxxx180 type ipsec-l2l
tunnel-group 64.xxxxx.180 general-attributes
default-group-policy mdxxxxxct-vpn
tunnel-group 64.xxxxxxx.180 ipsec-attributes
pre-shared-key *****
tunnel-group VPNClient type remote-access
tunnel-group VPNClient general-attributes
address-pool RemotePool
default-group-policy VPNClient
tunnel-group VPNClient ipsec-attributes
pre-shared-key *****
tunnel-group 173.xxxxxx125 type ipsec-l2l
tunnel-group 173.xxxxx.125 general-attributes
default-group-policy vpn_to_sandwich
tunnel-group 173.xxxxx125 ipsec-attributes
pre-shared-key *****
tunnel-group 207.xxxxx.31 type ipsec-l2l
tunnel-group 207.xxxxx.31 general-attributes
default-group-policy vpn_to_ihs
tunnel-group 207.xxxxx.31 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/...es/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:9ccf61f1a248d3858a93efa68354ddb4
Adtran running config, "Main" site:
User Access Login
Password:
Hyannis>en
Password:
Hyannis#show run
Building configuration...
!
!
! ADTRAN, Inc. OS version 18.01.01.00
! Boot ROM version 17.06.01.00
! Platform: NetVanta 3430, part number 1202820G1
! Serial number LBADTN1130AF995
!
!
hostname "Hyannis"
enable password Axxxxx
!
clock timezone -1-Cape-Verde
!
ip subnet-zero
ip classless
ip routing
ipv6 unicast-routing
!
!
ip domain-proxy
!
!
no auto-config
!
event-history on
no logging forwarding
logging forwarding priority-level info
no logging email
!
no service password-encryption
!
username "xxxxx" password "pxxx"
!
!
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
!
!
!
!
!
!
!
!
!
no dot11ap access-point-control
!
!
!
!
!
!
!
!
!
!
!
no ethernet cfm
!
interface eth 0/1
speed 100
encapsulation 802.1q
no shutdown
!
interface eth 0/1.37xx
vlan-id 37xx
ip address 1.1.1.1 255.255.255.0
no shutdown
!
interface eth 0/2
speed 100
ip address 172.22.1.240 255.255.255.0
no shutdown
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip route 0.0.0.0 0.0.0.0 172.22.1.234
ip route 128.1.0.0 255.255.0.0 172.22.1.3
ip route 172.17.150.0 255.255.255.0 172.22.1.3
ip route 172.22.2.0 255.255.255.0 1.1.1.2
ip route 172.23.10.0 255.255.255.0 172.22.1.3
!
no tftp server
no tftp server overwrite
no ip http server
no ip http secure-server
no ip snmp agent
no ip ftp server
ip ftp server default-filesystem flash
no ip scp server
no ip sntp server
!
!
!
!
!
!
!
!
ip sip udp 5060
ip sip tcp 5060
!
!
!
!
!
!
!
!
!
!
!
!
!
!
line con 0
login
password Axxxxxx
!
line telnet 0 4
login
password pxxxxx
no shutdown
line ssh 0 4
login local-userlist
no shutdown
!
!
!
!
!
end
Hyannis#
Adtran running config, "Remote" site:
User Access Login
Password:
Falmouth>en
Password:
Falmouth#sh run
Building configuration...
!
!
! ADTRAN, Inc. OS version 18.01.01.00
! Boot ROM version 17.06.01.00
! Platform: NetVanta 3430, part number 1202820G1
! Serial number LBADTN1129AM816
!
!
hostname "Falmouth"
enable password Axxxxx
!
clock timezone -1-Cape-Verde
!
ip subnet-zero
ip classless
ip routing
ipv6 unicast-routing
!
!
!
!
no auto-config
!
event-history on
no logging forwarding
no logging email
!
no service password-encryption
!
!
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
!
!
!
!
!
!
!
!
!
no dot11ap access-point-control
!
!
!
!
ip dhcp-server excluded-address 172.22.2.1 172.22.2.100
!
ip dhcp-server pool "lan"
network 172.22.2.0 255.255.255.0
dns-server 172.22.1.7
netbios-name-server 172.22.1.15
default-router 172.22.2.1
!
!
!
!
!
!
!
no ethernet cfm
!
interface eth 0/1
speed 100
encapsulation 802.1q
no shutdown
!
interface eth 0/1.3711
vlan-id 3711
ip address 1.1.1.2 255.255.255.0
no shutdown
!
interface eth 0/2
ip address 172.22.2.1 255.255.255.0
no shutdown
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip route 0.0.0.0 0.0.0.0 172.22.2.234
ip route 128.1.0.0 255.255.0.0 1.1.1.1
ip route 172.17.150.0 255.255.255.0 1.1.1.1
ip route 172.22.1.0 255.255.255.0 1.1.1.1
ip route 172.23.10.0 255.255.255.0 1.1.1.1
!
no tftp server
no tftp server overwrite
no ip http server
no ip http secure-server
no ip snmp agent
no ip ftp server
ip ftp server default-filesystem flash
no ip scp server
no ip sntp server
!
!
!
!
!
!
!
!
ip sip udp 5060
ip sip tcp 5060
!
!
!
!
!
!
!
!
!
!
!
!
!
!
line con 0
no login
!
line telnet 0 4
login
password Axxxx
no shutdown
line ssh 0 4
login local-userlist
no shutdown
!
!
!
!
!
end
Falmouth#
Lizano Member Posts: 230
Do the thin clients actually lose connectivity to the other site? Or is it only the applications that die?
I once had someone reporting a similar issue with RDP over a VPN. I ended up leaving a ping running with FREEping from a PC at the site to the RDP server, which proved to me that the RDP server never was unreachable; it ended up going away after changing the session timeout limit on a firewall.
Monkerz Member Posts: 842
I guess we can start by troubleshooting the main site. Are the users and term servers on the same LAN? If not, what is between the users and term servers at the main site?
tdean Member Posts: 520
Lizano wrote:
Do the thin clients actually lose connectivity to the other site? Or is it only the applications that die?
I once had someone reporting a similar issue with RDP over a VPN. I ended up leaving a ping running with FREEping from a PC at the site to the RDP server, which proved to me that the RDP server never was unreachable; it ended up going away after changing the session timeout limit on a firewall.
Both, actually. Sometimes they get booted right out of their RDP connection (that's the protocol error) and other times the performance is so bad the app just hangs for 2-3 minutes and everyone has the "hourglass."
tdean Member Posts: 520
Monkerz wrote:
I guess we can start by troubleshooting the main site. Are the users and term servers on the same LAN? If not, what is between the users and term servers at the main site?
Main site, users and servers all on the same subnet.
networker050184 Mod Posts: 11,962
tdean wrote:
Main site, users and servers all on the same subnet.
So the traffic that doesn't traverse the routers and ASAs has the same issue? Sounds like a problem with the server or local LAN to me. Have you looked into the server/application?
An expert is a man who has made all the mistakes which can be made.
tdean Member Posts: 520
networker050184 wrote:
So the traffic that doesn't traverse the routers and ASAs has the same issue? Sounds like a problem with the server or local LAN to me. Have you looked into the server/application?
It is intermittent with the main site... the performance is very good. The main site gets the protocol error. The remote site gets that and also poor performance. Sorry I didn't clarify.
***EDIT: the protocol error happens when a user launches a telnet-based app (Meditech) that is routed through the Adtrans to the hospital we are affiliated with.
Also, this didn't happen prior to the "upgrade" where we removed the WatchGuard firewalls and replaced them with the "faster" circuit and the combo of Adtrans and ASA firewalls, which is why I am not focusing on the server/app end of things.
networker050184 Mod Posts: 11,962
tdean wrote:
It is intermittent with the main site... the performance is very good. The main site gets the protocol error. The remote site gets that and also poor performance. Sorry I didn't clarify.
Also, this didn't happen prior to the "upgrade" where we removed the WatchGuard firewalls and replaced them with the "faster" circuit and the combo of Adtrans and ASA firewalls, which is why I am not focusing on the server/app end of things.
Yeah, but the traffic that doesn't traverse these new devices is having trouble also. How would that have anything to do with the new equipment unless there is something I'm missing here? The poor performance could be due to the same issue that's causing the protocol error at the main site.
What kind of traffic is this application using? Have the users at the remote site noticed any issues with other connectivity or just this application?
An expert is a man who has made all the mistakes which can be made.
tdean Member Posts: 520
networker050184 wrote:
Yeah, but the traffic that doesn't traverse these new devices is having trouble also. How would that have anything to do with the new equipment unless there is something I'm missing here? The poor performance could be due to the same issue that's causing the protocol error at the main site.
What kind of traffic is this application using? Have the users at the remote site noticed any issues with other connectivity or just this application?
Sorry, I updated my previous post....
***EDIT: the protocol error happens when a user launches a telnet-based app (Meditech) that is routed through the Adtrans to the hospital we are affiliated with.... that is the 128.x.x.x route in the main site router config.
So, the main site performance is good but there is a protocol error when launching this telnet-based app.
Remote site: also getting the protocol error but ALSO poor performance in general across the P2P link, to the extent that sometimes all the thin client desktops will just have an hourglass for 2-3 minutes.
it_consultant Member Posts: 1,903
If I were you, and we have talked about this before, if you have the WGs handy I would perform an experiment. You won't normally hear people on these boards recommend WG over Cisco/Adtran but in this case we need to test something. I have clients on an EVPL and we use WGs to sort the traffic out. My experience is that it is easier to configure the WGs in these funny situations where you have to both firewall the WAN AND terminate a layer 2 connection from another site. The WG sees that layer 2 connection as just another ethernet port; you can set the port you plug the EVPL into as a "trusted" port and the WG will route the EVPL and WAN traffic appropriately if you set up both fireboxes correctly. That way you don't have 2 routers (one for the EVPL and one for the WAN).
Dollars to donuts the protocol errors and performance issues you are having are related to how the Adtrans and Ciscos are configured. You have 2 more routers (2 at each site, should be one at each site) than you actually need to get the job done.
networker050184 Mod Posts: 11,962
Adtran looks pretty basic so I doubt your problem is there. I see you have speed and duplex set a few places. Have you verified there are no mismatches causing errors?
Since you said these are new circuits also I'd have the carrier check them out for errors.
An expert is a man who has made all the mistakes which can be made.
Monkerz Member Posts: 842
Yeah, that was going to be my next question: are there any duplex mismatches on any routers, switches or servers?
tdean Member Posts: 520
There were errors at the beginning b/c some things were set to "auto". Everything has been reset and there are 0 errors on the routers, core switches or firewall ports.
it_consultant, I have been thinking about going straight into the ASAs since the ports are available. Do you think that would be the best idea? I mean, at least it's up and running right now... before, I had to replace the E-LAN with the EVPL with no downtime.
tdean Member Posts: 520
From the remote router:
User Access Login
Password:
Falmouth>en
Password:
Falmouth#show int
Displaying interfaces...
eth 0/1 is UP, line protocol is UP
Hardware address is 00:A0:C8:7E:3E:F0
Running 802.1Q Encapsulation
100Mb/s, full-duplex
Last clearing of counters never
5 minute input rate 1361856 bits/sec, 263 packets/sec
5 minute output rate 908672 bits/sec, 224 packets/sec
Queueing method: fifo
Output queue: 0/256/0 (size/max total/drops)
Interface Shaper: NOT ENABLED
343705880 packets input, 718623725 bytes
343703993 unicasts, 1887 broadcasts, 0 multicasts input
0 unknown protocol, 0 symbol errors, 0 discards
0 input errors, 0 runts, 0 giants
0 no buffer, 0 overruns, 0 internal receive errors
0 alignment errors, 0 crc errors
229380293 packets output, 2409898157 bytes
0 unicasts, 0 broadcasts, 0 multicasts output
0 output errors, 0 deferred, 0 discards
0 single, 0 multiple, 0 late collisions
0 excessive collisions, 0 underruns
0 internal transmit errors, 0 carrier sense errors
0 resets, 0 throttles
eth 0/1.3711 is UP, line protocol is UP
Vlan Id is 3711
Ip address is 1.1.1.2, netmask is 255.255.255.0
MTU is 1500 bytes
ARP type: ARPA; ARP timeout is 20 minutes
eth 0/2 is UP, line protocol is UP
Hardware address is 00:A0:C8:7E:3E:F1
Ip address is 172.22.2.1, netmask is 255.255.255.0
MTU is 1500 bytes, BW is 100000 Kbit
100Mb/s, negotiated full-duplex, configured full-duplex
ARP type: ARPA; ARP timeout is 20 minutes
Last clearing of counters never
5 minute input rate 915080 bits/sec, 229 packets/sec
5 minute output rate 1365280 bits/sec, 267 packets/sec
Queueing method: fifo
Output queue: 0/256/0 (size/max total/drops)
Interface Shaper: NOT ENABLED
242439264 packets input, 2113455187 bytes
241973981 unicasts, 393652 broadcasts, 71631 multicasts input
0 unknown protocol, 0 symbol errors, 0 discards
0 input errors, 0 runts, 0 giants
0 no buffer, 0 overruns, 0 internal receive errors
0 alignment errors, 0 crc errors
356394083 packets output, 4026541336 bytes
0 unicasts, 0 broadcasts, 0 multicasts output
0 output errors, 0 deferred, 0 discards
0 single, 0 multiple, 0 late collisions
0 excessive collisions, 0 underruns
0 internal transmit errors, 0 carrier sense errors
0 resets, 0 throttles
Falmouth#
Main router:
User Access Login
Password:
Hyannis>en
Password:
Hyannis#show int
Displaying interfaces...
eth 0/1 is UP, line protocol is UP
Hardware address is 00:A0:C8:7E:9D:1C
Running 802.1Q Encapsulation
100Mb/s, full-duplex
Last clearing of counters never
5 minute input rate 722416 bits/sec, 195 packets/sec
5 minute output rate 1178728 bits/sec, 235 packets/sec
Queueing method: fifo
Output queue: 0/256/0 (size/max total/drops)
Interface Shaper: NOT ENABLED
143812252 packets input, 4068588207 bytes
143811171 unicasts, 1081 broadcasts, 0 multicasts input
0 unknown protocol, 0 symbol errors, 0 discards
0 input errors, 0 runts, 0 giants
0 no buffer, 0 overruns, 0 internal receive errors
0 alignment errors, 0 crc errors
228268260 packets output, 3198391055 bytes
0 unicasts, 0 broadcasts, 0 multicasts output
0 output errors, 0 deferred, 0 discards
0 single, 0 multiple, 0 late collisions
0 excessive collisions, 0 underruns
0 internal transmit errors, 0 carrier sense errors
0 resets, 0 throttles
eth 0/1.3711 is UP, line protocol is UP
Vlan Id is 3711
Ip address is 1.1.1.1, netmask is 255.255.255.0
MTU is 1500 bytes
ARP type: ARPA; ARP timeout is 20 minutes
eth 0/2 is UP, line protocol is UP
Hardware address is 00:A0:C8:7E:9D:1D
Ip address is 172.22.1.240, netmask is 255.255.255.0
MTU is 1500 bytes, BW is 100000 Kbit
100Mb/s, full-duplex
ARP type: ARPA; ARP timeout is 20 minutes
Last clearing of counters never
5 minute input rate 10982400 bits/sec, 1119 packets/sec
5 minute output rate 10520720 bits/sec, 1076 packets/sec
Queueing method: fifo
Output queue: 0/256/0 (size/max total/drops)
Interface Shaper: NOT ENABLED
920876315 packets input, 5981752 bytes
917139583 unicasts, 3694455 broadcasts, 42277 multicasts input
0 unknown protocol, 0 symbol errors, 0 discards
72173 input errors, 0 runts, 0 giants
0 no buffer, 0 overruns, 0 internal receive errors
0 alignment errors, 72173 crc errors   <-- this is from before I changed the duplex. No errors since.
832781461 packets output, 312246507 bytes
0 unicasts, 0 broadcasts, 0 multicasts output
0 output errors, 0 deferred, 0 discards
0 single, 0 multiple, 0 late collisions
0 excessive collisions, 0 underruns
0 internal transmit errors, 0 carrier sense errors
0 resets, 0 throttles
Hyannis#
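An added example, not from this thread or from ADTRAN: a small Python parser for the NetVanta "show interfaces" output posted above that pulls out the error counters and the negotiated/configured duplex per interface and flags what a troubleshooter would chase first (CRC errors plus late collisions as the duplex-mismatch signature, output-queue drops as congestion). The sample output is constructed in the same format as the posted dumps; its interface names and counter values are invented.

```python
"""Parse ADTRAN AOS 'show interfaces' output and flag link-health findings.

Added example for this thread, not the poster's own tooling. It recognises
the counter lines that appear in the posted NetVanta output (input errors,
CRC errors, output errors, late collisions, output-queue drops) and the
'negotiated X-duplex, configured Y-duplex' line.
"""
import re

# Constructed sample modelled on the posted format; names and values invented.
SAMPLE = """\
eth 0/1 is UP, line protocol is UP
  Hardware address is 00:A0:C8:00:00:01
  Running 802.1Q Encapsulation
  100Mb/s, full-duplex
  Output queue: 0/256/0 (size/max total/drops)
  0 input errors, 0 runts, 0 giants
  0 alignment errors, 0 crc errors
  0 output errors, 0 deferred, 0 discards
  0 single, 0 multiple, 0 late collisions
eth 0/1.3711 is UP, line protocol is UP
  Vlan Id is 3711
  Ip address is 1.1.1.2, netmask is 255.255.255.0
  MTU is 1500 bytes
eth 0/2 is UP, line protocol is UP
  Hardware address is 00:A0:C8:00:00:02
  100Mb/s, negotiated half-duplex, configured full-duplex
  Output queue: 0/256/17 (size/max total/drops)
  72173 input errors, 0 runts, 0 giants
  0 alignment errors, 72173 crc errors
  0 output errors, 0 deferred, 0 discards
  0 single, 0 multiple, 41 late collisions
"""

HEADER = re.compile(r"^(\S+ \S+) is (\w+), line protocol is (\w+)")
COUNTER = re.compile(r"(\d+) (input errors|crc errors|output errors|late collisions)")
DUPLEX = re.compile(r"negotiated (\w+)-duplex, configured (\w+)-duplex")
QUEUE = re.compile(r"Output queue: \d+/\d+/(\d+)")
COUNTERS = ("input errors", "crc errors", "output errors", "late collisions")


def parse_show_interfaces(text):
    """Return {interface: {field: value}} for every interface block in text."""
    interfaces = {}
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"status": m.group(2), "protocol": m.group(3),
                       "negotiated": None, "configured": None, "queue drops": 0}
            current.update((name, 0) for name in COUNTERS)
            interfaces[m.group(1)] = current
            continue
        if current is None:          # text before the first interface header
            continue
        for count, name in COUNTER.findall(line):
            current[name] = int(count)
        m = DUPLEX.search(line)
        if m:
            current["negotiated"], current["configured"] = m.group(1), m.group(2)
        m = QUEUE.search(line)
        if m:
            current["queue drops"] = int(m.group(1))
    return interfaces


def diagnose(interfaces):
    """Return (interface, finding) pairs a troubleshooter would chase first."""
    findings = []
    for name, i in interfaces.items():
        if i["status"] != "UP" or i["protocol"] != "UP":
            findings.append((name, "interface or line protocol is down"))
        if i["negotiated"] and i["configured"] and i["negotiated"] != i["configured"]:
            findings.append((name, "duplex mismatch: negotiated %s, configured %s"
                             % (i["negotiated"], i["configured"])))
        # CRC errors together with late collisions are the classic signature of
        # one end at full duplex and the other at half; a clean link shows zero.
        if i["crc errors"] or i["late collisions"]:
            findings.append((name, "%d CRC errors / %d late collisions: check "
                             "speed/duplex and cabling on both ends"
                             % (i["crc errors"], i["late collisions"])))
        elif i["input errors"] or i["output errors"]:
            findings.append((name, "%d input / %d output errors"
                             % (i["input errors"], i["output errors"])))
        if i["queue drops"]:
            findings.append((name, "%d output-queue drops: the link is congested"
                             % i["queue drops"]))
    return findings


if __name__ == "__main__":
    for iface, finding in diagnose(parse_show_interfaces(SAMPLE)):
        print("%-12s %s" % (iface, finding))
```

Feed it the real "show interfaces" text from both routers after clearing counters; a link that stays clean while the RDP drops continue points the search away from the physical layer.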
it_consultant Member Posts: 1,903
tdean wrote:
There were errors at the beginning b/c some things were set to "auto". Everything has been reset and there are 0 errors on the routers, core switches or firewall ports.
it_consultant, I have been thinking about going straight into the ASAs since the ports are available. Do you think that would be the best idea? I mean, at least it's up and running right now... before, I had to replace the E-LAN with the EVPL with no downtime.
I have a similar set up at a couple of my clients. For each I only have one router for the WAN and the EVPL. The WAN port is configured as an "untrusted" port, the port the EVPL is plugged into is set as a "trusted" port (essentially just another network hanging off the firewall), a simple route to the other side of the EVPL and a couple of "allow allow" statements for inbound and outbound traffic over the EVPL, and you are off to the races.
tdean Member Posts: 520
it_consultant wrote:
I have a similar set up at a couple of my clients. For each I only have one router for the WAN and the EVPL. The WAN port is configured as an "untrusted" port, the port the EVPL is plugged into is set as a "trusted" port (essentially just another network hanging off the firewall), a simple route to the other side of the EVPL and a couple of "allow allow" statements for inbound and outbound traffic over the EVPL, and you are off to the races.
Hi it,
I remember you trying to walk me through that before but I'm just having a tough time visualizing it. Here's what mine is on both ends... both the Adtrans and ASAs are physically connected to the core switch... the Adtran is the default gateway and there are routes on there to send internet traffic out the ASA. I wonder if the routers Verizon recommended are appropriate... here's what they are.
NetVanta 3430 (2nd Gen)
If I'm understanding you, I will have to change the default gateway to the ASA at one location and config the VLAN on it?
This is driving me crazy; all I think about when I sleep is resolving this. I ordered a couple of Wireshark books, maybe that will help.
it_consultant Member Posts: 1,903
I work with a consulting network engineer who works with a lot of EVPL providers in the Denver area; she is in love with the Adtran routers and the Adtran router/switch combo devices.
In your configuration I would find the Adtran to be unnecessary. I would take a cable from the CPE provided by Verizon and plug it into an unused port on the ASA. Configure that to be a trusted port by giving it a private address scheme and get rid of the deny statements and put in allow statements. Do the same at your other location. Create a little network between the two ASA ports which are plugged into the CPE at each location and create routes to the networks on either side of the Verizon network. Remember that the EVPL is essentially like physically dragging an ethernet cable from building to building. So, if you remember your CCNA lab, this should be like configuring your Ciscos as if they are plugged right into each other.
Where is your Verizon EVPL plugged into now, the core switches or the Adtran?
tdean Member Posts: 520
it_consultant wrote:
I work with a consulting network engineer who works with a lot of EVPL providers in the Denver area; she is in love with the Adtran routers and the Adtran router/switch combo devices.
In your configuration I would find the Adtran to be unnecessary. I would take a cable from the CPE provided by Verizon and plug it into an unused port on the ASA. Configure that to be a trusted port by giving it a private address scheme and get rid of the deny statements and put in allow statements. Do the same at your other location. Create a little network between the two ASA ports which are plugged into the CPE at each location and create routes to the networks on either side of the Verizon network. Remember that the EVPL is essentially like physically dragging an ethernet cable from building to building. So, if you remember your CCNA lab, this should be like configuring your Ciscos as if they are plugged right into each other.
Where is your Verizon EVPL plugged into now, the core switches or the Adtran?
Yeah, I see what you're saying... originally I couldn't do it like that b/c all the ports were taken up on the ASA. I was also told I need to add the VLAN, although that's not a huge deal. Now there are 2 ports open, so maybe I can at least start. The EVPL is currently the default gateway and plugged directly into the switch at both locations.
it_consultant Member Posts: 1,903
It isn't a good idea to have the EVPL plugged directly into your switches unless you intend on having a layer 2 connection across your two offices. I asked because I thought for a second you might have done that; this can cause all sorts of issues since the devices on both ends will pollute each other with their ARP traffic. This can be an OK arrangement provided you are on the same layer 3 LAN and you don't mind your ARPs going across the EVPL. I have seen this configuration; it works if your remote offices have only a few PCs.
-
tdean Member Posts: 520
it_consultant wrote: »It isn't a good idea to have the EVPL plugged directly into your switches unless you intend on having a layer 2 connection across your two offices. I asked because I thought for a second you might have done that; this can cause all sorts of issues, since the devices on both ends will pollute each other with their ARP traffic. This can be an OK arrangement provided you are on the same layer 3 LAN and you don't mind your ARPs going across the EVPL. I have seen this configuration; it works if your remote offices have only a few PCs.
OK... been a while since my CCNA studies... when you say "a layer 2 connection across the 2 offices", isn't that what the VLAN is for? Also, does the ARP traffic traverse the VLAN if they are on different subnets? I guess it would, since there are routes to direct the traffic....
We are having a lot of trouble with our thin clients and term servers since this upgrade... protocol errors that I am researching. The causes seem to be apps using the same port as the TS and default gateway problems.
I don't have much experience with the ASAs yet and I don't want to pile a bunch of work on our FW guy because he is just helping out for now... are you suggesting I plug the Adtrans into the ASAs, or eliminate the Adtrans altogether and config VLANs on the ASA? Our FW guy said "let's let the Adtrans do what routers do, and let the ASAs do what firewalls do...."
I'm torn. -
it_consultant Member Posts: 1,903
OK... been a while since my CCNA studies... when you say "a layer 2 connection across the 2 offices", isn't that what the VLAN is for? Also, does the ARP traffic traverse the VLAN if they are on different subnets? I guess it would, since there are routes to direct the traffic....
We are having a lot of trouble with our thin clients and term servers since this upgrade... protocol errors that I am researching. The causes seem to be apps using the same port as the TS and default gateway problems.
I don't have much experience with the ASAs yet and I don't want to pile a bunch of work on our FW guy because he is just helping out for now... are you suggesting I plug the Adtrans into the ASAs, or eliminate the Adtrans altogether and config VLANs on the ASA? Our FW guy said "let's let the Adtrans do what routers do, and let the ASAs do what firewalls do...."
I'm torn.
A firewall and a router are basically the same thing. You can easily configure a firewall to operate exactly like a basic router. Take the Adtrans out altogether; they add complexity and don't add needed capability. Networking is a game of keeping stuff as simple as possible to get the job done. The ASA is a fully functional router as well as a 'firewall'.
When I say a layer 2 connection, I am talking about a data-link connection. The EVPL is providing you a virtual Ethernet connection. It isn't real Ethernet; the CPE translates the transport technology (fiber, COE, etc.) and emulates Ethernet signaling, so to your equipment it will look like the EVPL is just another Ethernet device. Which is quite cool. If you have your Ethernet switches plugged into the EVPL, the broadcast packets they send will go over that link. I think the protocol errors are happening because on the network layer (layer 3) the computers have a route to resources, but on the data link they also have a route, and the two do not follow the same paths. Remember that even though your machines are on different subnets, since you have EVPL running they are on the same BROADCAST domain, which means ARPs will be flying around. Segregate the two subnets on layer 1 (physical) by plugging the EVPL into your firewall as opposed to your switches and you will eliminate this from happening.
I have never seen the answer for EVPL problems be "put the VLAN into your port configuration", because the VLANs you use and the VLANs the provider uses operate on a different layer. That is the magic of EVPL. The provider has thousands of VLAN tags floating on their network; imagine you hook up your network to EVPL and you are using the same tags as your provider: chaos. In order to prevent this, Verizon is able to segregate your VLAN tags to just your EVPL connection. -
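it_consultant's point above is that with the EVPL patched straight into the switches the two sites share one broadcast domain, so each site's switch sees the other site's ARP. One way to confirm that from a packet capture on the switch, as an added example that is not part of the thread and not any tool it mentions: the Python below parses Ethernet II / ARP frames and flags any ARP request whose sender address lies outside the local subnet. The frames are constructed inside the script (not a real capture) using the 192.168.1.x and 192.168.2.x addressing the thread uses for the two offices; ARP probes with a sender of 0.0.0.0 are skipped because they are normal on any LAN and would otherwise be false positives.

```python
import ipaddress
import struct

ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800


def build_arp_request(src_mac: bytes, sender_ip: str, target_ip: str) -> bytes:
    """Build a broadcast ARP request frame (constructed test input, not a real capture)."""
    eth = b"\xff" * 6 + src_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, 1)      # htype, ptype, hlen, plen, opcode=request
    arp += src_mac + ipaddress.IPv4Address(sender_ip).packed       # sender MAC + sender IP
    arp += b"\x00" * 6 + ipaddress.IPv4Address(target_ip).packed  # target MAC (unknown) + target IP
    return eth + arp


def parse_arp(frame: bytes):
    """Return (sender_ip, target_ip, opcode) for an Ethernet II ARP frame, else None."""
    if len(frame) < 42:                              # 14-byte Ethernet header + 28-byte ARP body
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, ETHERTYPE_IPV4, 6, 4):
        return None                                  # only Ethernet/IPv4 ARP is handled here
    sender_ip = ipaddress.IPv4Address(frame[28:32])  # after the 8-byte fixed header and 6-byte sender MAC
    target_ip = ipaddress.IPv4Address(frame[38:42])  # after the 6-byte target MAC
    return sender_ip, target_ip, opcode


def foreign_arp(frames, local_subnet: str):
    """Return (sender, target) pairs for ARP frames whose sender lives outside
    local_subnet. On a site's own switch that only happens when another site's
    broadcast domain has been bridged in, which is what plugging the EVPL
    straight into the switches does. ARP probes (sender 0.0.0.0) are skipped."""
    local = ipaddress.IPv4Network(local_subnet)
    flagged = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        sender, target, _ = parsed
        if sender == ipaddress.IPv4Address("0.0.0.0"):
            continue
        if sender not in local:
            flagged.append((str(sender), str(target)))
    return flagged


# Constructed sample traffic as a sniffer on the main site's switch might see it,
# using the thread's 192.168.1.x (office 1) and 192.168.2.x (office 2) addressing.
SAMPLE_FRAMES = [
    build_arp_request(b"\x00\x11\x22\x33\x44\x55", "192.168.1.50", "192.168.1.1"),  # local host, fine
    build_arp_request(b"\x00\x11\x22\x33\x44\x56", "0.0.0.0", "192.168.1.77"),      # ARP probe, ignored
    build_arp_request(b"\x00\x11\x22\x33\x44\x66", "192.168.2.20", "192.168.2.1"),  # office 2 host, leaked
    build_arp_request(b"\x00\x11\x22\x33\x44\x77", "192.168.2.21", "192.168.2.1"),  # office 2 host, leaked
    b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + b"\x45" + b"\x00" * 30,      # IPv4 frame, ignored
]

if __name__ == "__main__":
    for sender, target in foreign_arp(SAMPLE_FRAMES, "192.168.1.0/24"):
        print(f"ARP from {sender} (asking for {target}) on the local segment: the L2 domain spans the EVPL")
```

Run against a real capture you would feed `foreign_arp` the raw frames from a pcap; any hit from the other office's subnet means the broadcast domains are still joined, and after the EVPL is moved behind a routed interface the function should return nothing.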
tdean Member Posts: 520
Well, the VLANs are on a subinterface... doesn't that matter? It's strange because the Adtran guy set these up and this was the setup recommended by our Verizon guy... although that's not saying much. I am going to config a port on each ASA for testing. I should be able to use the same 1.1.1.1 and 1.1.1.2 on the other, the way the routers are set up, right? Then I'd have to add all the static routes like for the internet and our other apps... oh damn... I'd have to change the IP of the ASA to do this because the Adtrans are the default gateway.....
-
phoeneous Member Posts: 2,333
Just an observation: if you have end-to-end connectivity then I doubt it is a VLAN issue. Have you asked your thin client vendor for support?
-
it_consultant Member Posts: 1,903
Well, the VLANs are on a subinterface... doesn't that matter? It's strange because the Adtran guy set these up and this was the setup recommended by our Verizon guy... although that's not saying much. I am going to config a port on each ASA for testing. I should be able to use the same 1.1.1.1 and 1.1.1.2 on the other, the way the routers are set up, right? Then I'd have to add all the static routes like for the internet and our other apps... oh damn... I'd have to change the IP of the ASA to do this because the Adtrans are the default gateway.....
Your third statement is right on the money. You will have three internal networks: two for each remote office and one for the ASAs to communicate with each other over the EVPL link. Each router needs 2 routes: one to the other side of the EVPL and one off to the internet. So in reality, it is one static route and one route of last resort, a term that is basically interchangeable with default gateway.
Your ASA will have three plugs:
1. Dirty internet to ASA. This is the interface where you apply all of your traditional firewalling features.
2. ASA to internal switches, a "trusted" interface.
3. EVPL to ASA. This interface should be configured as a "trusted" interface. On a Firebox you can actually tell it that it is a trusted interface and the Firebox configures itself to route between the two trusted interfaces. On an ASA you might have to enter allow statements so traffic can flow both ways.
Let's slice one of my EVPL connections. I have a firewall in a colo facility where all the EVPL connections converge; this handles all of my internet. The firewalls at the remote offices have an interface plugged into their switch and an interface plugged into the EVPL. I set up a random private network on the inside of my remote office firewall and I set up the other interface with a static IP address on the same network as my main firewall. I then enter a route on my remote office: "0.0.0.0 0.0.0.0 192.168.1.3". This tells it to push all the packets to the main firewall. The main firewall has routes to all the remote offices plus a route to the internet.
Let's take your ASA. Let's say office number 1 is 192.168.1.xxx and your second office is 192.168.2.xxx; you will inevitably set up the EVPL network as 192.168.3.xxx.
Office one ASA
port 1 - local WAN provider
port 2 - 192.168.1.1 (inside switches)
port 3 - 192.168.3.1 (EVPL)
Office two ASA
port 1 - local WAN provider
port 2 - 192.168.2.1 (inside switches)
port 3 - 192.168.3.2 (EVPL)
Office 1 ASA
"0.0.0.0 0.0.0.0 WAN default route"
"192.168.2.0 255.255.255.0 192.168.3.1"
Office 2 ASA
same default route
"192.168.1.0 255.255.255.0 192.168.3.2"
Set your allow statements so traffic can go to your other private network on each side of the EVPL.
Does this make sense?
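The three-network design it_consultant lays out above, modelled as an added example that is not the poster's configuration and not vendor code: the Python below parses ASA-style `route <ifname> <network> <mask> <gateway> [metric]` lines, runs the two checks worth doing before trusting such a table (the next hop must sit on the named interface's subnet, and it must be the far ASA's EVPL address rather than the local ASA's own address, which forwards nowhere), and then traces a packet hop by hop from one office's LAN to the other's. The 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24 subnets are the thread's; the interface names, the `office1-asa`/`office2-asa` labels and the WAN addresses (203.0.113.x, 198.51.100.x, documentation ranges) are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Iface:
    name: str
    address: ipaddress.IPv4Interface       # e.g. 192.168.3.1/24

@dataclass(frozen=True)
class Route:
    iface: str
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address

def parse_asa_routes(config: str):
    """Parse ASA 'route <ifname> <network> <mask> <gateway> [metric]' lines; other lines are ignored."""
    routes = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "route":
            continue
        routes.append(Route(parts[1], ipaddress.IPv4Network(f"{parts[2]}/{parts[3]}"),
                            ipaddress.IPv4Address(parts[4])))
    return routes

def check_routes(ifaces, routes):
    """Checks to run before trusting the table: each gateway must sit on the named
    interface's subnet and must not be this device's own address on that interface."""
    by_name = {i.name: i for i in ifaces}
    problems = []
    for r in routes:
        i = by_name.get(r.iface)
        if i is None:
            problems.append(f"route to {r.network}: unknown interface {r.iface}")
        elif r.gateway == i.address.ip:
            problems.append(f"route to {r.network}: gateway {r.gateway} is this ASA's own {r.iface} address")
        elif r.gateway not in i.address.network:
            problems.append(f"route to {r.network}: gateway {r.gateway} is not on {r.iface} ({i.address.network})")
    return problems

def lookup(routes, dst):
    """Longest-prefix match over the static routes; returns the Route or None."""
    best = None
    for r in routes:
        if dst in r.network and (best is None or r.network.prefixlen > best.network.prefixlen):
            best = r
    return best

@dataclass
class Asa:
    name: str
    ifaces: list
    routes: list

    def forward(self, dst):
        # ('connected', ifname) for an attached network, else ('via', gateway) from the routes, else None
        for i in self.ifaces:
            if dst in i.address.network:
                return ("connected", i.name)
        r = lookup(self.routes, dst)
        return ("via", r.gateway) if r else None

def trace(asas, src, dst, max_hops=8):
    """Follow a packet hop by hop through the modelled ASAs; returns the path as strings."""
    owner = {i.address.ip: a for a in asas for i in a.ifaces}
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    here = next((a for a in asas if any(src in i.address.network for i in a.ifaces)), None)
    path = [] if here is not None else [f"no modelled device owns source {src}"]
    while here is not None and len(path) < max_hops:
        decision = here.forward(dst)
        if decision is None:
            return path + [f"{here.name}: no route to {dst}"]
        kind, target = decision
        if kind == "connected":
            return path + [f"{here.name}: {dst} delivered on {target}"]
        path.append(f"{here.name}: {dst} via {target}")
        if target not in owner:                         # e.g. the ISP gateway: leaves the model
            return path + [f"handed off to upstream {target}"]
        here = owner[target]
    return path if here is None else path + ["hop limit reached (routing loop?)"]

def build_site(name, outside, inside, evpl, route_config):
    ifaces = [Iface(n, ipaddress.IPv4Interface(a)) for n, a in (("outside", outside), ("inside", inside), ("evpl", evpl))]
    return Asa(name, ifaces, parse_asa_routes(route_config))

# The thread's layout: 192.168.1.0/24 and 192.168.2.0/24 behind the two ASAs, 192.168.3.0/24 across the
# EVPL, each static route pointing at the far ASA's EVPL address. WAN addresses are constructed placeholders.
OFFICE1 = build_site("office1-asa", "203.0.113.10/24", "192.168.1.1/24", "192.168.3.1/24",
                     "route outside 0.0.0.0 0.0.0.0 203.0.113.1 1\nroute evpl 192.168.2.0 255.255.255.0 192.168.3.2 1")
OFFICE2 = build_site("office2-asa", "198.51.100.10/24", "192.168.2.1/24", "192.168.3.2/24",
                     "route outside 0.0.0.0 0.0.0.0 198.51.100.1 1\nroute evpl 192.168.1.0 255.255.255.0 192.168.3.1 1")

if __name__ == "__main__":
    for site in (OFFICE1, OFFICE2):
        print(site.name, "route problems:", check_routes(site.ifaces, site.routes) or "none")
    print(trace([OFFICE1, OFFICE2], "192.168.1.50", "192.168.2.20"))
```

If a route is entered with the local EVPL address as its gateway, `check_routes` reports it and `trace` shows the packet bouncing on the same ASA until the hop limit, which is the symptom you would see as one-way or dead traffic between the offices; the allow statements the post mentions are a separate, per-interface policy on top of this routing and are not modelled here.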