Cisco IP SLA ICMP Echo Example

This is how I set up an ICMP-echo IP SLA on my Cisco router to monitor when my internet connection goes out. If it goes down, I re-route traffic (I’ve excluded that part of the config). When it comes back up, I set the routing/NAT back to the original state (again, excluded from this post).
IP SLA Configuration:

ip sla 10
 ! Connection Monitor: ping 8.8.8.8 every 10 seconds from the WAN interface
 icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 10 life forever start-time now
!
! Tracking object 10 follows the reachability result of SLA 10; the EEM
! applets below reference "track 10", so this line is required for them to fire.
track 10 ip sla 10 reachability

Configure Cisco Embedded Event Manager (EEM) applets to act when track 10 (and so SLA 10) goes DOWN or UP:

event manager applet primary_circuit_down
 event track 10 state down
 action 1.0 syslog msg "Primary Circuit is DOWN"
 ! You can insert other commands here to do something useful...
event manager applet main_circuit_up
 event track 10 state up
 action 1.0 syslog msg "Primary Circuit Appears UP"
 ! You can insert other commands here to do something useful...

This is the SLA configuration overview:

ciscorouter#sh ip sla conf
IP SLAs Infrastructure Engine-III
Entry number: 10 (Primary Circuit Monitor)
Owner:
Tag:
Operation timeout (milliseconds): 5000
Type of operation to perform: icmp-echo
Target address/Source interface: 8.8.8.8/GigabitEthernet0/0
Type Of Service parameter: 0x0
Request size (ARR data portion): 28
Verify data: No
Vrf Name:
Schedule:
   Operation frequency (seconds): 10  (not considered if randomly scheduled)
   Next Scheduled Start Time: Start Time already passed
   Group Scheduled : FALSE
   Randomly Scheduled : FALSE
   Life (seconds): Forever
   Entry Ageout (seconds): never
   Recurring (Starting Everyday): FALSE
   Status of entry (SNMP RowStatus): Active
Threshold (milliseconds): 5000
Distribution Statistics:
   Number of statistic hours kept: 2
   Number of statistic distribution buckets kept: 1
   Statistic distribution interval (milliseconds): 20
Enhanced History:
History Statistics:
   Number of history Lives kept: 0
   Number of history Buckets kept: 15
   History Filter Type: None

Statistics of the IP SLA:

ciscorouter#sh ip sla stat
IPSLAs Latest Operation Statistics
IPSLA operation id: 10
        Latest RTT: 32 milliseconds
Latest operation start time: 17:42:41 EDT Fri Mar 30 2012
Latest operation return code: OK
Number of successes: 103
Number of failures: 0
Operation time to live: Forever

List Connected VPN Users on Cisco ASA

From time to time I need to track down a user who is having trouble connecting to a hosted solution at their datacenter, or who has some other remote connectivity need, where a Cisco ASA handles the VPN connectivity. While troubleshooting, I like to check the licensing restrictions on the ASA, since quite often that is the real problem, as well as the logins currently active. If I can determine that the user has connected to the VPN endpoint successfully, I can usually escalate to the right group to assist with whatever the issue might be.

Quickly list VPN sessions on a Cisco Adaptive Security Appliance (ASA).

Some commands you can use:

ciscoasa# sh vpn-sessiondb ?
  detail       Show detailed output
  email-proxy  Email-Proxy sessions
  full         Output formatted for data management programs
  index        Index of session
  l2l          IPsec LAN-to-LAN sessions
  ratio        Show VPN Session protocol or encryption ratios
  remote       IPsec Remote Access sessions
  summary      Show VPN Session summary
  svc          SSL VPN Client sessions
  vpn-lb       VPN Load Balancing Mgmt sessions
  webvpn       WebVPN sessions
  |            Output modifiers

Get an overview of all VPN sessions: show vpn-sessiondb summary

ciscoasa# sh vpn-sessiondb summary
Active Session Summary
Sessions:
                           Active : Cumulative : Peak Concurrent : Inactive
  SSL VPN               :       3 :       2274 :               8
    Clientless only     :       0 :         68 :               2
    With client         :       3 :       2206 :               8 :        0
  IPsec LAN-to-LAN      :      19 :      10367 :              23
  IPsec Remote Access   :       3 :       1743 :               6
  Totals                :      25 :      14384
License Information:
  IPsec   :    250    Configured :    250    Active :     22    Load :   9%
  SSL VPN :     50    Configured :     50    Active :      3    Load :   6%
                            Active : Cumulative : Peak Concurrent
  IPsec               :         22 :      12227 :              27
  SSL VPN             :          3 :       2274 :               8
  Totals              :         25 :      14501
Active NAC Sessions:
  No NAC sessions to display
Active VLAN Mapping Sessions:
  No VLAN Mapping sessions to display

I like to just look for a user, so I’m interested only in the username listing. From here I can do more troubleshooting if I find the user connected.

ciscoasa# sh vpn-sessiondb remote | inc Username
Username : user1 Index : 14415
Username : user2 Index : 14840
Username : user3 Index : 14841

To get more detailed information on, say, user1, you can use the index command.

ciscoasa# sh vpn-sessiondb index 14415
Single Session
Username     : user1                   Index        : 14415
Assigned IP  : 172.16.0.104           Public IP    : 12.34.56.78
Protocol     : IKE IPsecOverNatT
License      : IPsec
Encryption   : DES 3DES               Hashing      : MD5 SHA1
Bytes Tx     : 116218822              Bytes Rx     : 8332463
Group Policy : dlm                    Tunnel Group : dlm
Login Time   : 08:04:53 EST Thu Feb 16 2012
Duration     : 6d 0h:17m:22s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none
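The two checks described above (license headroom and whether the user is connected), plus a look at the negotiated algorithms in the index output, as an added example that is not part of the original post. The samples are copied from the show output above; the regular expressions are my own assumption about the column layout, and the set of algorithms flagged as weak is my choice.

```python
import re

# Constructed samples, copied from the three show commands in the post.
SUMMARY = """\
License Information:
  IPsec   :    250    Configured :    250    Active :     22    Load :   9%
  SSL VPN :     50    Configured :     50    Active :      3    Load :   6%
"""
USERS = """\
Username : user1 Index : 14415
Username : user2 Index : 14840
Username : user3 Index : 14841
"""
DETAIL = "Encryption   : DES 3DES               Hashing      : MD5 SHA1"

# Assumed layout: "<name> : <licensed> Configured : n Active : n Load : n%"
LICENSE_RE = re.compile(
    r"^\s*([A-Za-z ]+?)\s*:\s*(\d+)\s+Configured\s*:\s*(\d+)"
    r"\s+Active\s*:\s*(\d+)\s+Load\s*:\s*(\d+)%", re.M)
USER_RE = re.compile(r"^Username\s*:\s*(\S+)\s+Index\s*:\s*(\d+)", re.M)
WEAK = {"DES", "MD5"}  # algorithms worth flagging on a remote-access tunnel


def parse_licenses(text):
    """License name -> counts; 'headroom' is how many more sessions can still connect."""
    out = {}
    for name, licensed, configured, active, load in LICENSE_RE.findall(text):
        out[name] = {"licensed": int(licensed), "configured": int(configured),
                     "active": int(active), "load_pct": int(load),
                     "headroom": int(configured) - int(active)}
    return out


def parse_users(text):
    """Username -> session index from the '| inc Username' listing."""
    return {user: int(index) for user, index in USER_RE.findall(text)}


def weak_algorithms(detail):
    """Weak ciphers/hashes negotiated, read from the Encryption/Hashing line."""
    found = set()
    for label in ("Encryption", "Hashing"):
        # value runs until the two-space gap before the next column or end of line
        m = re.search(label + r"\s*:\s*([A-Z0-9 ]+?)(?=\s{2,}|$)", detail)
        if m:
            found |= set(m.group(1).split()) & WEAK
    return found
```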

I can also show any users connected via SSL VPN (Cisco AnyConnect):

ciscoasa# sh vpn-sessiondb svc

You can also log off VPN sessions easily, as I’ve outlined in a previous post.

Traffic Shaping and Policing in Cisco IOS

I needed to set up bandwidth shaping on a router recently for testing purposes and decided on the configuration below on my Cisco router. I know this drops packets and I don’t really care; this is a guest network and it isn’t mission critical.

! Class-maps first, so the policy-maps can reference them
class-map match-all CLASS_GUEST_IN
 match any
class-map match-any CLASS_GUEST_OUT
 match any
! Egress: shape guest traffic to 1 Mbps (queues, then drops when the queue fills)
policy-map POLICY_GUEST_OUT
 class CLASS_GUEST_OUT
  shape average 1000000
! Ingress: police to 1 Mbps with 1000-byte conform and exceed buckets
policy-map POLICY_GUEST_IN
 class CLASS_GUEST_IN
  police 1000000 1000 1000 conform-action transmit exceed-action set-qos-transmit 4 violate-action drop
interface GigabitEthernet0/1.102
 encapsulation dot1Q 102
 service-policy input POLICY_GUEST_IN
 service-policy output POLICY_GUEST_OUT

Confirming things are working:

ciscorouter# sh policy-map interface
 GigabitEthernet0/1.102
  Service-policy input: POLICY_GUEST_IN
    Class-map: CLASS_GUEST_IN (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
      police:
          cir 1000000 bps, bc 1000 bytes, be 1000 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          set-qos-transmit 4
        violated 0 packets, 0 bytes; actions:
          drop
        conformed 0000 bps, exceeded 0000 bps, violated 0000 bps
    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
  Service-policy output: POLICY_GUEST_OUT
    Class-map: CLASS_GUEST_OUT (match-any)
      3284 packets, 2742876 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/28/0
      (pkts output/bytes output) 3161/2741698
      shape (average) cir 1000000, bc 4000, be 4000
      target shape rate 1000000
    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 0/0
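As an added example (not part of the post), the policer above modelled as a single-rate three-colour token bucket with the page's parameters, plus the shaper interval implied by the show output. The show output makes the units visible: police bc/be are bytes, shape bc/be are bits, so bc 4000 at 1 Mbps means a 4 ms Tc. The bucket model is the standard srTCM behaviour and is my assumption about how the router colours packets, not IOS code.

```python
# Constants taken from the page's police/shape statements and show output.
CIR_BPS = 1_000_000   # police and shape rate, bits per second
BC_BYTES = 1000       # police conform bucket, bytes ("bc 1000 bytes" in the show output)
BE_BYTES = 1000       # police exceed bucket, bytes
SHAPE_BC_BITS = 4000  # shape bc as reported ("bc 4000"), which IOS counts in bits
# Actions from the page's police statement, keyed by colour.
ACTIONS = {"conform": "transmit", "exceed": "set-qos-transmit 4", "violate": "drop"}


class SrTcmPolicer:
    """Model of a single-rate three-colour policer (assumed model, not IOS code):
    the Bc bucket refills at CIR and tokens overflowing Bc spill into Be."""

    def __init__(self, cir_bps, bc_bytes, be_bytes):
        self.rate = cir_bps / 8.0  # tokens (bytes) added per second
        self.bc_max, self.be_max = bc_bytes, be_bytes
        self.bc, self.be = float(bc_bytes), float(be_bytes)  # buckets start full
        self.last = 0.0

    def _refill(self, now):
        tokens = (now - self.last) * self.rate
        self.last = now
        spill = max(0.0, self.bc + tokens - self.bc_max)
        self.bc = min(self.bc_max, self.bc + tokens)
        self.be = min(self.be_max, self.be + spill)

    def classify(self, now, size_bytes):
        """Colour one packet of size_bytes arriving at 'now' (seconds, non-decreasing)."""
        self._refill(now)
        if size_bytes <= self.bc:
            self.bc -= size_bytes
            return "conform"
        if size_bytes <= self.be:
            self.be -= size_bytes
            return "exceed"
        return "violate"


def police_burst(packets, cir_bps=CIR_BPS, bc_bytes=BC_BYTES, be_bytes=BE_BYTES):
    """Return (colour, action) for each (arrival_seconds, size_bytes) packet."""
    policer = SrTcmPolicer(cir_bps, bc_bytes, be_bytes)
    return [(c, ACTIONS[c]) for c in (policer.classify(t, s) for t, s in packets)]


def shaper_interval_ms(cir_bps=CIR_BPS, bc_bits=SHAPE_BC_BITS):
    """Tc = Bc / CIR: the interval at which the shaper releases one Bc burst (4 ms here)."""
    return bc_bits * 1000.0 / cir_bps


# Constructed traffic: three 1000-byte packets back to back, then two more 32 ms later.
SAMPLE = [(0.0, 1000), (0.0, 1000), (0.0, 1000), (0.032, 1000), (0.032, 1000)]
```

Running `police_burst(SAMPLE)` colours the first three packets conform, exceed, violate (the third one is dropped), and after 32 ms of refill the next two are conform and exceed again.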

Cisco AP Detailed Client Info

Trying to figure out what some of these fields mean…
You can use show dot11 assoc to list the clients associated to the AP, then show dot11 assoc xxxx.xxxx.xxxx to show detailed information for a specific client, or show dot11 assoc all-clients to show detailed information for every client associated to the Access Point.
Here’s the output from show dot11 assoc all-clients:

Address           : 0023.68b1.b06a     Name             : NONE
IP Address        : 0.0.0.0            Interface        : Dot11Radio 0
Device            : unknown            Software Version : NONE
CCX Version       : NONE               Client MFP       : Off
State             : Assoc              Parent           : self
SSID              : WiFi
VLAN              : 101
Hops to Infra     : 1                  Association Id   : 28
Clients Associated: 0                  Repeaters associated: 0
Tunnel Address    : 0.0.0.0
Key Mgmt type     : NONE               Encryption       : WEP
Current Rate      : 48.0               Capability       : WMM ShortHdr ShortSlot 11h
Supported Rates   : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
Voice Rates       : disabled           Bandwidth        : 20 MHz
Signal Strength   : -75  dBm           Connected for    : 299 seconds
Signal to Noise   : 21  dB            Activity Timeout : 16 seconds
Power-save        : On                 Last Activity    : 44 seconds ago
Apsd DE AC(s)     : NONE
Packets Input     : 225                Packets Output   : 68
Bytes Input       : 11342              Bytes Output     : 5154
Duplicates Rcvd   : 34                 Data Retries     : 45
Decrypt Failed    : 0                  RTS Retries      : 0
MIC Failed        : 0                  MIC Missing      : 0
Packets Redirected: 0                  Redirect Filtered: 0

I need to find out what “Capability : WMM ShortHdr ShortSlot 11h” means and what the available options are. These clients connect at lower speeds when they do not have “WMM” in the Capability field.
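An added parser (not from the post) for the two-column client detail above: each line carries up to two "Key : value" pairs, and a value such as "-75  dBm" contains a double space, so the split looks for the next capitalised key and colon rather than for whitespace. The audit then flags a client without WMM in its Capability list (which the post associates with lower rates) and the WEP / no-key-management fields visible in the output; the sample is five lines copied from the output above.

```python
import re

# Constructed sample: five lines copied from the "show dot11 assoc" detail output.
CLIENT = """\
Address           : 0023.68b1.b06a     Name             : NONE
Key Mgmt type     : NONE               Encryption       : WEP
Current Rate      : 48.0               Capability       : WMM ShortHdr ShortSlot 11h
Signal Strength   : -75  dBm           Connected for    : 299 seconds
Packets Redirected: 0                  Redirect Filtered: 0
"""

# One "Key : value" pair. The value runs until two or more spaces followed by
# another capitalised key and a colon, or end of line; "dBm" is lowercase, so
# "-75  dBm" is kept whole instead of being split into a bogus key.
PAIR_RE = re.compile(r"([A-Z][^:]*?)\s*:\s*(.*?)(?=\s{2,}[A-Z][^:]*?\s*:|$)")


def parse_client(text):
    """Flatten one client's two-column detail block into a {field: value} dict."""
    fields = {}
    for line in text.splitlines():
        for key, value in PAIR_RE.findall(line):
            fields[key.strip()] = value.strip()
    return fields


def audit_client(fields):
    """Return the findings a reviewer would note for this client, in fixed order."""
    findings = []
    capabilities = fields.get("Capability", "").split()
    if "WMM" not in capabilities:
        findings.append("no WMM")            # the post links this to lower rates
    if fields.get("Encryption") == "WEP":
        findings.append("WEP encryption")
    if fields.get("Key Mgmt type") == "NONE":
        findings.append("no key management")
    return findings
```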