As I was saying yesterday, I have seen a high-level (Cisco Live?) type white paper where the logic and abilities of the Cisco ASA multi-context packet forwarder are explained. This is true for both shared and non-shared interfaces for the ASA and FWSM. With the ASA, contexts often share the same physical interface, whereas with the FWSM, logical VLAN interfaces are created within each context from VLANs allocated to the system context by IOS, and further allocated by the system context to each context.
Because of the way the packet forwarder is designed to (sorry for lack of a better term) "match flows with contexts", stateless protocols such as OSPF, RIP and EIGRP can't be forwarded, and crypto maps can't be applied, presumably where further action would be required (like decryption) before the packet router could forward traffic back to the correct context.
For these reasons, without some major "ipad" level invention in the works, I don't see the ASA ever supporting multiple contexts and routing protocols/crypto maps.
Perhaps I'm just being pessimistic, but buying a Cisco product with the expectation they will "eventually" add a feature you require in production via a future code release is a mistake. However, getting DMVPN in my ISRs in 2005 was better than sex and cold drinks on a private beach, having previously managed 50 (50-1)/2 fully meshed VPN TUNNELS! (YIKES)
-Joe
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Joseph L. Brunner
Sent: Thursday, October 07, 2010 8:02 PM
To: Brad Ellis; Travis Niedens; Cisco certification
Subject: RE: Cisco 3560 switch has a ghost in it...keeps trying to auth to an ACS server
I once had a Qwest NOC engineer tell us our DS-3 was down because of radio interference in the C.O., affecting the router's routing table.
My colleague at the time, a rather experienced radio/microwave guy told the guy that if there was that much radiation his insides would be hamburger.
LOL
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Brad Ellis
Sent: Thursday, October 07, 2010 7:54 PM
To: Travis Niedens; Cisco certification
Subject: RE: Cisco 3560 switch has a ghost in it...keeps trying to auth to an ACS server
Yeah, bounced her already. I'm guessing there's something plugged into the con port as well...we'll have to see. :)
thanks,
Brad Ellis
CCIE#5796 (R&S / Security)
CCSI# 30482
CEO / President
CCBOOTCAMP - Cisco Learning Solutions Partner (CLSP)
Email: brad_at_ccbootcamp.com
Toll Free: 877-654-2243
International: +1-702-968-5100
Skype: skype:ccbootcamp?call
FAX: +1-702-446-8012
YES! We take Cisco Learning Credits!
Training And Remote Racks: http://www.ccbootcamp.com
-----Original Message-----
From: Travis Niedens [mailto:niedentj_at_hotmail.com]
Sent: Thursday, October 07, 2010 4:49 PM
To: Brad Ellis; 'Cisco certification'
Subject: RE: Cisco 3560 switch has a ghost in it...keeps trying to auth to an ACS server
Unplug the cable? Reload? Perhaps solar flares? :) No tracebacks either?
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Brad Ellis
Sent: Thursday, October 07, 2010 4:33 PM
To: Travis Niedens; Cisco certification
Subject: RE: Cisco 3560 switch has a ghost in it...keeps trying to auth to an ACS server
It's actually happening on two 3560s, and only those... console port looks okay:
(from one of them)
C3560G-24PS#sh line con 0
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI  Uses  Noise  Overruns  Int
     0 CTY              -    -      -    -    -     0    154     0/0      -

Line 0, Location: "", Type: ""
Length: 24 lines, Width: 80 columns
Baud rate (TX/RX) is 9600/9600, no parity, 2 stopbits, 8 databits
Status: Ready, 0x40000
Capabilities: none
Modem state: Ready
Special Chars: Escape  Hold  Stop  Start  Disconnect  Activation
                ^^x    none   -     -       none
Timeouts:      Idle EXEC    Idle Session   Modem Answer  Session   Dispatch
               never        never                        none      not set
                            Idle Session Disconnect Warning
                              never
                            Login-sequence User Response
                             00:00:30
                            Autoselect Initial Wait
                              not set
Modem type is unknown.
Session limit is not set.
Time since activation: never
Editing is enabled.
History is enabled, history size is 10.
DNS resolution in show commands is enabled
Full user help is disabled
Allowed input transports are none.
Allowed output transports are telnet.
Preferred transport is telnet.
No output characters are padded
No special data dispatching characters
It's happening on two out of 80-something switches...very weird. Both devices have the same config as about 100 other 3560s...the mystery continues! :)
thanks,
Brad Ellis
-----Original Message-----
From: Travis Niedens [mailto:niedentj_at_hotmail.com]
Sent: Thursday, October 07, 2010 4:18 PM
To: Brad Ellis; 'Cisco certification'
Subject: RE: Cisco 3560 switch has a ghost in it...keeps trying to auth to an ACS server
Nothing plugged into the console port that might be shorted out?
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Brad Ellis
Sent: Thursday, October 07, 2010 3:52 PM
To: Cisco certification
Subject: Cisco 3560 switch has a ghost in it...keeps trying to auth to an ACS server
Crazy stuff...but I thought this would make an interesting problem for people to think about.
Every 60 seconds or so:
Oct 7 22:53:21.317: AAA/MEMORY: free_user_quiet (0x27804D8) user='' ruser='NULL' port='tty0' rem_addr='async' authen_type=1 service=1 priv=1
Oct 7 22:53:21.317: AAA: parse name=tty0 idb type=-1 tty=-1
Oct 7 22:53:21.317: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
Oct 7 22:53:21.317: AAA/MEMORY: create_user (0x27804D8) user='NULL' ruser='NULL' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
Oct 7 22:53:21.317: AAA/AUTHEN/START (1037375110): port='tty0' list='' action=LOGIN service=LOGIN
Oct 7 22:53:21.317: AAA/AUTHEN/START (1037375110): using "default" list
Oct 7 22:53:21.317: AAA/AUTHEN/START (1037375110): Method=tacacs+ (tacacs+)
Oct 7 22:53:21.317: TAC+: send AUTHEN/START packet ver=192 id=1037375110
Oct 7 22:53:21.569: TAC+: ver=192 id=1037375110 received AUTHEN status = GETUSER
Oct 7 22:53:21.569: AAA/AUTHEN (1037375110): status = GETUSER
Oct 7 22:53:21.644: AAA/AUTHEN/CONT (1037375110): continue_login (user='(undef)')
Oct 7 22:53:21.644: AAA/AUTHEN (1037375110): status = GETUSER
Oct 7 22:53:21.644: AAA/AUTHEN (1037375110): Method=tacacs+ (tacacs+)
Oct 7 22:53:21.644: TAC+: send AUTHEN/CONT packet id=1037375110
Oct 7 22:53:21.846: TAC+: ver=192 id=1037375110 received AUTHEN status = GETUSER
Oct 7 22:53:21.846: AAA/AUTHEN (1037375110): status = GETUSER
Oct 7 22:53:28.179: AAA/AUTHEN/CONT (1037375110): continue_login (user='')
Oct 7 22:53:28.179: AAA/AUTHEN (1037375110): status = GETUSER
Oct 7 22:53:28.179: AAA/AUTHEN (1037375110): Method=tacacs+ (tacacs+)
Oct 7 22:53:28.179: TAC+: send AUTHEN/CONT packet id=1037375110
Oct 7 22:53:28.380: TAC+: ver=192 id=1037375110 received AUTHEN status = GETPASS
Oct 7 22:53:28.380: AAA/AUTHEN (1037375110): status = GETPASS
Oct 7 22:53:30.301: AAA/AUTHEN/CONT (1037375110): continue_login (user='x~xxxx')
Oct 7 22:53:30.310: AAA/AUTHEN (1037375110): status = GETPASS
Oct 7 22:53:30.310: AAA/AUTHEN (1037375110): Method=tacacs+ (tacacs+)
Oct 7 22:53:30.310: TAC+: send AUTHEN/CONT packet id=1037375110
Oct 7 22:53:30.813: TAC+: ver=192 id=1037375110 received AUTHEN status = FAIL
Oct 7 22:53:30.813: AAA/AUTHEN (1037375110): status = FAIL
Oct 7 22:53:32.818: AAA/AUTHEN/ABORT: (1037375110) because Login timed out.
Oct 7 22:53:32.818: TAC+: send abort reason=Login timed out
I haven't figured this one out yet.
thanks,
Brad Ellis
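A small detection helper, added here as an example and not part of the thread: it groups IOS AAA/TACACS+ debug lines by session id and flags failed or aborted logins on a tty line whose submitted username was empty or not plain alphanumeric, which is the shape of the unattended console attempt shown above. The sample input is constructed: session 1037375110 is a subset of the quoted debug output re-joined one message per line, and session 1037375111 is an invented successful login added for contrast.

```python
import re
from collections import defaultdict

# Constructed sample: session 1037375110 is a subset of the debug output quoted in the
# thread, one message per line; session 1037375111 is an invented successful login.
SAMPLE_DEBUG = """\
Oct 7 22:53:21.317: AAA/AUTHEN/START (1037375110): port='tty0' list='' action=LOGIN service=LOGIN
Oct 7 22:53:21.317: TAC+: send AUTHEN/START packet ver=192 id=1037375110
Oct 7 22:53:21.569: TAC+: ver=192 id=1037375110 received AUTHEN status = GETUSER
Oct 7 22:53:28.179: AAA/AUTHEN/CONT (1037375110): continue_login (user='')
Oct 7 22:53:30.301: AAA/AUTHEN/CONT (1037375110): continue_login (user='x~xxxx')
Oct 7 22:53:30.813: TAC+: ver=192 id=1037375110 received AUTHEN status = FAIL
Oct 7 22:53:32.818: AAA/AUTHEN/ABORT: (1037375110) because Login timed out.
Oct 7 23:10:02.100: AAA/AUTHEN/START (1037375111): port='tty0' list='' action=LOGIN service=LOGIN
Oct 7 23:10:05.400: AAA/AUTHEN/CONT (1037375111): continue_login (user='admin')
Oct 7 23:10:05.900: TAC+: ver=192 id=1037375111 received AUTHEN status = PASS
"""

# Each pattern captures (session id, value); the key names the session field it fills.
PATTERNS = {
    "port": re.compile(r"AAA/AUTHEN/START \((\d+)\): port='([^']*)'"),
    "users": re.compile(r"AAA/AUTHEN/CONT \((\d+)\): continue_login \(user='([^']*)'\)"),
    "statuses": re.compile(r"TAC\+: ver=\d+ id=(\d+) received AUTHEN status = (\w+)"),
    "abort": re.compile(r"AAA/AUTHEN/ABORT: \((\d+)\) because (.*)$"),
}

def parse_sessions(text):
    """Group AAA/TACACS+ debug lines by authentication session id."""
    sessions = defaultdict(lambda: {"port": None, "users": [], "statuses": [], "abort": None})
    for line in text.splitlines():
        for key, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                s = sessions[m.group(1)]
                if isinstance(s[key], list):
                    s[key].append(m.group(2))   # usernames and statuses accumulate in order
                else:
                    s[key] = m.group(2)         # port and abort reason are single values
                break
    return dict(sessions)

def suspicious_console_logins(sessions):
    """Session ids of failed/aborted tty logins whose username was empty or not alphanumeric."""
    hits = []
    for sid, s in sorted(sessions.items()):
        failed = "FAIL" in s["statuses"] or s["abort"] is not None
        odd_user = any(not u.isalnum() for u in s["users"])   # "".isalnum() is False too
        if (s["port"] or "").startswith("tty") and failed and odd_user:
            hits.append(sid)
    return hits
```

Pointing it at a syslog export of the same debug on the two affected switches would show whether every occurrence follows this identical no-user, fail, timeout sequence.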
Received on Thu Oct 07 2010 - 20:12:14 ART