
How to configure SNMPv3 on Cisco IOS, Nortel ERS8600, and Nortel ESU1850.

Cisco IOS SNMPv3 configuration (authPriv):

Cisco IOS SNMPv3 config (authNoPriv):

Nortel ESU1850 SNMPv3 configuration:

Nortel ERS8600 SNMPv3 configuration:

Spoofing IP traffic with python/scapy to bring up IPSec tunnels

I work with IPSec tunnels quite a bit, usually for encrypting traffic from internal servers out to the internet. In the past I’d have to get someone with server access on the line to generate traffic to cause the tunnel to establish, which was a pain in the ass sometimes.

Then while I was messing around with Python I came across scapy. You can generate packets from scratch with whatever options you want, so I’ve started using that to spoof the source address and generate packets that match the crypto ACLs.

Here's an example:

Cisco IOS IPSec configuration example:

A9K-RSP-4G troubleshooting logs

Cisco SIP-400 FPD Upgrade

I came across something new (new to me, at least) last night when installing a SIP-400 card in a Cisco 7600. Apparently the FPGA image was out of date and needed to be upgraded to a more recent version. So here is how I did it.

After inserting the card these messages showed up: an automatic upgrade was attempted and failed, then the card was disabled.

Apr 25 23:27:32.717 CDT: %CWAN_RP-6-CARDRELOAD: Module reloaded on slot 7/0

Apr 25 23:27:32.721 CDT: %OIR-6-INSCARD: Card inserted in slot 7, interfaces administratively shut down

SLOT 7: *Mar 1 00:00:08.783: %FABRIC_INTF_ASIC-5-FABRICSYNC_DONE: Fabric ASIC 0 Channel 1: Fabric sync done.

SLOT 7: *Mar 1 00:00:10.351: %FABRIC_INTF_ASIC-5-FABRICSYNC_DONE: Fabric ASIC 0 Channel 2: Fabric sync done.

Apr 25 23:27:49.313 CDT: %DIAG-SP-6-RUN_MINIMUM: Module 7: Running Minimal Diagnostics…

Apr 25 23:27:52.598 CDT: %DIAG-SP-6-DIAG_OK: Module 7: Passed Online Diagnostics

Apr 25 23:27:53.693 CDT: %FPD_MGMT-3-INCOMP_IMG_VER: Incompatible SWITCH FPGA (FPD ID=3) image version detected for 7600-SIP-400 card in slot 7. Detected version = 0.31, minimum required version = 0.39. Current HW version = 2.1.

Apr 25 23:27:53.693 CDT: %FPD_MGMT-5-UPGRADE_ATTEMPT: Attempting to automatically upgrade the FPD image(s) for 7600-SIP-400 card in slot 7. Use ‘show upgrade fpd progress’ command to view the upgrade progress …

Apr 25 23:27:54.289 CDT: %FPD_MGMT-3-PKG_FILE_SEARCH_FAILED: FPD image package (c7600-fpd-pkg.122-33.SRD1.pkg) cannot be found in system’s flash card or disk to do FPD upgrade.

Apr 25 23:27:54.289 CDT: %OIR-6-REMCARD: Card removed from slot 7, interfaces disabled

Apr 25 23:27:54.321 CDT: %FPD_MGMT-3-CARD_DISABLED: 7600-SIP-400 card in slot 7 is being disabled because of an incompatible FPD image version. Note that the c7600-fpd-pkg.122-33.SRD1.pkg package will be required if you want to perform the upgrade operation.

Apr 25 23:27:53.835 CDT: %OIR-SP-6-INSCARD: Card inserted in slot 7, interfaces are now online

Apr 25 23:27:54.319 CDT: %C7600_PWR-SP-4-DISABLED: power to module in slot 7 set off (FPD Upgrade Required)

 

I found the c7600-fpd-pkg.122-33.SRD1.pkg on the Cisco web site and put it on my TFTP server. Then I upgraded the card.

Router#upgrade hw-module slot 7 fpd file tftp://0.0.0.0/c7600-fpd-pkg.122-33.SRD1.pkg

Loading c7600-fpd-pkg.122-33.SRD1.pkg from 0.0.0.0 (via Vlan00): !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

 

% The following FPD will be upgraded for 7600-SIP-400 (H/W ver = 2.1) in slot 7:

================== =========== =========== ============
Field Programmable   Current     Upgrade    Estimated
Device: “ID-Name”    Version     Version    Upgrade Time
================== =========== =========== ============
3-SWITCH FPGA         0.31        0.39       00:02:00
================== =========== =========== ============

% NOTES:

- Use ‘show upgrade fpd progress’ command to view the progress of the FPD upgrade.

- Since the target card is currently in disabled state, it will be automatically reloaded after the upgrade operation for the changes to take effect.

% Are you sure that you want to perform this operation? [no]: yes

% Reloading the target card for FPD image upgrade … Done!

% Upgrade operation will start in the background once the target card gets initialized after the reload operation. Please wait …

(Use “show upgrade fpd progress” command to see upgrade progress)

Apr 25 23:44:52.398 CDT: %CWAN_RP-6-CARDRELOAD: Module reloaded on slot 7/0

Apr 25 23:44:52.402 CDT: %OIR-6-INSCARD: Card inserted in slot 7, interfaces administratively shut down

SLOT 7: *Mar 1 00:00:08.759: %FABRIC_INTF_ASIC-5-FABRICSYNC_DONE: Fabric ASIC 0 Channel 1: Fabric sync done.

SLOT 7: *Mar 1 00:00:10.327: %FABRIC_INTF_ASIC-5-FABRICSYNC_DONE: Fabric ASIC 0 Channel 2: Fabric sync done.

Apr 25 23:45:08.975 CDT: %DIAG-SP-6-RUN_MINIMUM: Module 7: Running Minimal Diagnostics…

Apr 25 23:45:13.519 CDT: %DIAG-SP-6-DIAG_OK: Module 7: Passed Online Diagnostics

Apr 25 23:45:14.499 CDT: %OIR-SP-6-INSCARD: Card inserted in slot 7, interfaces are now online

Apr 25 23:45:15.392 CDT: %FPD_MGMT-6-UPGRADE_TIME: Estimated total FPD image upgrade time for 7600-SIP-400 card in slot 7 = 00:02:00.

Apr 25 23:45:15.464 CDT: %FPD_MGMT-6-UPGRADE_START: SWITCH FPGA (FPD ID=3) image upgrade in progress for 7600-SIP-400 card in slot 7. Updating to version 0.39. PLEASE DO NOT INTERRUPT DURING THE UPGRADE PROCESS (estimated upgrade completion time = 00:02:00) …

Router#show upgrade fpd progress

FPD Image Upgrade Progress Table:

==== =================== ====================================================
                                              Approx.
                         Field Programmable    Time     Elapsed
Slot Card Type           Device : “ID-Name”   Needed     Time       State
==== =================== ================== ========== ========== ===========
7    7600-SIP-400        3-SWITCH FPGA      00:02:00   00:00:11   Updating…
==== =================== ====================================================

Apr 25 23:45:54.056 CDT: %FPD_MGMT-6-UPGRADE_PASSED: SWITCH FPGA (FPD ID=3) image in the 7600-SIP-400 card in slot 7 has been successfully updated from version 0.31 to version 0.39. Upgrading time = 00:00:38.588

Apr 25 23:45:54.056 CDT: %FPD_MGMT-6-OVERALL_UPGRADE: All the attempts to upgrade the required FPD images have been completed for 7600-SIP-400 card in slot 7. Number of successful/failure upgrade(s): 1/0.

Apr 25 23:45:54.060 CDT: %FPD_MGMT-5-CARD_POWER_CYCLE: 7600-SIP-400 card in slot 7 is being power cycled for the FPD image upgrade to take effect.

Apr 25 23:45:54.084 CDT: %OIR-6-REMCARD: Card removed from slot 7, interfaces disabled

Apr 25 23:45:54.088 CDT: %C7600_PWR-SP-4-DISABLED: power to module in slot 7 set off (Reset)

Apr 25 23:46:50.843 CDT: %CWAN_RP-6-CARDRELOAD: Module reloaded on slot 7/0

Apr 25 23:46:50.847 CDT: %OIR-6-INSCARD: Card inserted in slot 7, interfaces administratively shut down

SLOT 7: *Mar 1 00:00:08.783: %FABRIC_INTF_ASIC-5-FABRICSYNC_DONE: Fabric ASIC 0 Channel 1: Fabric sync done.

SLOT 7: *Mar 1 00:00:10.375: %FABRIC_INTF_ASIC-5-FABRICSYNC_DONE: Fabric ASIC 0 Channel 2: Fabric sync done.

Apr 25 23:47:06.536 CDT: %DIAG-SP-6-RUN_MINIMUM: Module 7: Running Minimal Diagnostics…

Apr 25 23:47:06.804 CDT: %DIAG-SP-6-DIAG_OK: Module 7: Passed Online Diagnostics

Apr 25 23:47:07.580 CDT: %OIR-SP-6-INSCARD: Card inserted in slot 7, interfaces are now online

Apr 25 23:47:10.076 CDT: %DIAG-SP-6-RUN_MINIMUM: Module 7/0: Running Minimal Diagnostics…

SLOT 7: Apr 25 23:47:09.100 CDT: %CARDMGR-2-SYNC_CHECK_FAIL: The SPA in subslot 7/1 egress SPI4 interface sync with the host failed.

Apr 25 23:47:12.576 CDT: %SPA_OIR-6-ONLINECARD: SPA (SPA-2X1GE) online in subslot 7/0

Apr 25 23:47:12.416 CDT: %DIAG-SP-6-DIAG_OK: Module 7/0: Passed Online Diagnostics

SLOT 7: Apr 25 23:47:13.924 CDT: %SPA_PLUGIN-3-SPI4_NOTSYNC: SPA-2X1GE[7/1]: Can not synchronize SPI4 bus.

-Traceback= 401280D4 40128634 404FACDC 405E4D54 405E6290 407B8360 405E47F8 405E6588 405E3CF0 405E3F50

Apr 25 23:47:18.920 CDT: %SPA_OIR-3-RECOVERY_RELOAD: subslot 7/1: Attempting recovery by reloading SPA

Apr 25 23:47:18.920 CDT: %SPA_OIR-6-OFFLINECARD: SPA (SPA-2X1GE) offline in subslot 7/1

Apr 25 23:47:32.580 CDT: %SPA_EEPROM-3-RPC_FAILED: Failed to send RPC message to read EEPROM of SPA in subslot 7/1 – rpc timeout

Apr 25 23:47:42.581 CDT: %SPA_EEPROM-3-RPC_FAILED: Failed to send RPC message to read EEPROM of SPA in subslot 7/1 – rpc timeout

Apr 25 23:47:52.581 CDT: %SPA_EEPROM-3-RPC_FAILED: Failed to send RPC message to read EEPROM of SPA in subslot 7/1 – rpc timeout

Apr 25 23:48:02.581 CDT: %SPA_EEPROM-3-RPC_FAILED: Failed to send RPC message to read EEPROM of SPA in subslot 7/1 – rpc timeout

Apr 25 23:48:12.581 CDT: %SPA_EEPROM-3-RPC_FAILED: Failed to send RPC message to read EEPROM of SPA in subslot 7/1 – rpc timeout

Apr 25 23:49:12.580 CDT: %SPA_EEPROM-3-RPC_FAILED: Failed to send RPC message to read EEPROM of SPA in subslot 7/1 – rpc timeout

SLOT 7: Apr 25 23:49:21.064 CDT: %CARDMGR-2-SYNC_CHECK_FAIL: The SPA in subslot 7/1 egress SPI4 interface sync with the host failed.

Apr 25 23:49:22.580 CDT: %SPA_EEPROM-3-RPC_FAILED: Failed to send RPC message to read EEPROM of SPA in subslot 7/1 – rpc timeout

SLOT 7: Apr 25 23:49:22.520 CDT: %SPA_PLUGIN-3-SPI4_NOTSYNC: SPA-2X1GE[7/1]: Can not synchronize SPI4 bus.

-Traceback= 401280D4 40128634 404FACDC 405E4D54 405E6290 407B8360 405E47F8 405E6588 405E3CF0 405E3F50

After the upgrade completed I was seeing “Can not synchronize SPI4 bus” for the second SPA card; a reset of the module seemed to fix that problem.

Using a non-Cisco SFP in a Cisco 7600 router

If you put a non-Cisco SFP into a Cisco device you’ll likely see an error message and the port will be in err-disabled state.

To get around this you can issue the following command in global config mode:

service unsupported-transceiver

You’ll see a message like the one below, but non-Cisco SFPs should be usable now.

Oct 18 09:16:29 CDT: %PM_SCP-SP-3-TRANSCEIVER_UNSUPPORTED: Unsupported transceiver in LAN port 1/3