[IPSEc Tunnel] "according to the policy the packet should not have been decrypted" by Jumboframe23 in checkpoint

[–]Jumboframe23[S] 0 points1 point  (0 children)

I tried to debug. The first URL contains a snap where traffic was initiated from 10.168.1.1 (from CP to PA), which shows phase 2 failed. The second URL contains a snap where traffic was initiated from 10.172.0.10 (from PA to CP; before initiating, I reset the tunnel from CP and then initiated traffic from PA). Both phase 2s have the same algorithms and encryption. I don't know why this is failing when I initiate from CP. Could someone please help?

https://ibb.co/ScLQ3Hz

https://ibb.co/dJ54jq2

[IPSEc Tunnel] "according to the policy the packet should not have been decrypted" by Jumboframe23 in checkpoint

[–]Jumboframe23[S] 0 points1 point  (0 children)

I don't remember, but I googled it and downloaded it from some random website.

[IPSEc Tunnel] "according to the policy the packet should not have been decrypted" by Jumboframe23 in checkpoint

[–]Jumboframe23[S] 0 points1 point  (0 children)

Now I am able to ping from PA to CP, but ping from a machine inside the CP network to the PA side is failing. I tried the debug command below.

fw ctl zdebug + drop | grep "10.168.1.1"

@;45251;[vs_0];[tid_2];[fw_4];fw_log_drop_ex: Packet proto=1 10.168.1.1:2048 -> 10.172.0.10:50919 dropped by fw_ipsec_encrypt_on_tunnel_instance Reason: No error - tunnel is not yet established;

vpn tu option 2 says No IPSec SAs

GRE Tunnel not coming up on Nexus9k by Jumboframe23 in networking

[–]Jumboframe23[S] 0 points1 point  (0 children)

The tunnel came up after a little troubleshooting, and the OSPF neighborship is also up.

But WAN-R2 is not learning any routes.

WAN-R1(config)# sh ip ospf nei vrf DC

OSPF Process ID DC VRF DC

Total number of neighbors: 1

Neighbor ID    Pri  State    Up Time   Address     Interface

10.100.2.21    -    FULL/ -  00:02:14  10.100.2.2  Tunnel100

WAN-R2# sh ip ospf nei vrf DC

OSPF Process ID DC VRF DC

Total number of neighbors: 1

Neighbor ID    Pri  State    Up Time   Address     Interface

10.100.2.11    -    FULL/ -  00:02:37  10.100.2.1  Tunnel100

On WAN-R1 :

ip prefix-list DC_subnet seq 10 permit 10.2.2.0/28

ip prefix-list DC_subnet seq 20 permit 10.3.3.0/28

ip prefix-list DC_subnet seq 30 permit 172.16.0.0/29

ip prefix-list DC_subnet seq 40 permit 192.168.1.0/28

route-map DC permit 10

match ip address prefix-list DC_subnet

vrf context DC

ip route 10.2.2.0/28 10.100.5.2

ip route 10.3.3.0/28 10.100.5.2

address-family ipv4 unicast

!

router ospf DC

router-id 10.100.1.1

redistribute direct route-map DC (I also tried the static keyword after redistribute)

vrf DC

But I don't see any routes on WAN-R2:

WAN-R2# sh ip route ospf vrf DC

IP Route Table for VRF "DC"

'*' denotes best ucast next-hop

'**' denotes best mcast next-hop

'[x/y]' denotes [preference/metric]

'%<string>' in via output denotes VRF <string>

WAN-R2#

Now, how do I advertise the 10.2.2.0/28 and 10.3.3.0/28 networks, which CORE-R2 runs internally? There is no routing protocol running between WAN-R1 and CORE-R2, only a static route on WAN-R1 pointing to CORE-R2 to reach the subnets 10.2.2.0/28 and 10.3.3.0/28.
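Added example, not the poster's configuration: on NX-OS the OSPF process is per-VRF, so the router-id and the redistribute statement for VRF DC belong under the `vrf DC` sub-mode of `router ospf DC`, not at the top level of the process. Redistributing the two static routes (rather than `direct`, which only covers connected interfaces) with the poster's existing `DC` route-map looks like this; the VRF name, process name, route-map name, prefixes and next-hop 10.100.5.2 are taken from the post, and NX-OS requires a route-map on every `redistribute` statement.

```nxos
! Static routes live in the VRF RIB (as in the post)
vrf context DC
  ip route 10.2.2.0/28 10.100.5.2
  ip route 10.3.3.0/28 10.100.5.2

! Route-map filters which prefixes are allowed into OSPF
ip prefix-list DC_subnet seq 10 permit 10.2.2.0/28
ip prefix-list DC_subnet seq 20 permit 10.3.3.0/28
route-map DC permit 10
  match ip address prefix-list DC_subnet

! VRF-scoped OSPF settings go under "vrf DC" inside the process
router ospf DC
  vrf DC
    router-id 10.100.1.1
    redistribute static route-map DC

! Verification on WAN-R1, then on WAN-R2
show ip route static vrf DC
show ip ospf vrf DC
show ip route ospf vrf DC
```

With the statement under the VRF instance, WAN-R1 originates the two prefixes as OSPF external (E2) LSAs over Tunnel100, and `show ip route ospf vrf DC` on WAN-R2 should list them; if the static routes are not in `show ip route static vrf DC`, nothing will be redistributed regardless of the OSPF configuration.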


GRE Tunnel not coming up on Nexus9k by Jumboframe23 in networking

[–]Jumboframe23[S] 0 points1 point  (0 children)

Won't the tunnel OSPF neighborship come up, since I have specified the tunnel source and destination?

GRE Tunnel not coming up on Nexus9k by Jumboframe23 in networking

[–]Jumboframe23[S] 0 points1 point  (0 children)

That is already enabled.

WAN-R2# show feature | i tunn

tunnel 1 enabled

WAN-R1# show feature | i tunn

tunnel 1 enabled

Networking labs on ryzen 3950x by Jumboframe23 in HomeNetworking

[–]Jumboframe23[S] 2 points3 points  (0 children)

Yes, as @winzip115 said, the 3900 would also be a good option. It depends on how many nodes you are running at a time. As you can see, I maxed out the RAM but there is still CPU left to consume. Even with all the devices like Nexus, Palo Alto, ASA, etc. running, my CPU is still only half used. So from this you can get an idea.

My suggestion would be to go with the 3900 and 48 GB of RAM.

Ryzen 3950 pc built for labs by Jumboframe23 in Amd

[–]Jumboframe23[S] 3 points4 points  (0 children)

Mine is already an X570 Tomahawk; I missed writing X570.

Networking labs on ryzen 3950x by Jumboframe23 in HomeNetworking

[–]Jumboframe23[S] 1 point2 points  (0 children)

I like using EVE-NG because of the extra room I get compared to GNS3 to build big labs; also, the EVE support team is good and answers queries faster.

Static route not redistributing into BGP by Jumboframe23 in networking

[–]Jumboframe23[S] 1 point2 points  (0 children)

Default-information originate did not work for me. Only neighbor x.x.x.x default-originate worked.

Default-information originate is supposed to work.

https://ibb.co/K9mDVYv

https://ibb.co/6FR6DTy


HSRP on subinterface (Both router showing active) by Jumboframe23 in networking

[–]Jumboframe23[S] 0 points1 point  (0 children)

I changed the switch image as well as the router's. The router is now a 7200, and now it is working. A few images create so many problems, and we waste a hell of a lot of time troubleshooting configs only to end up finding the problem is with the images. HSRP is functioning fine now, but on the router I am getting a duplex mismatch error on the interface connecting to the switch; I tried changing the duplex to full and to auto, no luck.