Cisco ASR1K - 100M link issue. [SOLVED]

I was labbing today and hit a strange issue: a link between a Cisco ASR1001-X (GLC-T transceiver) and a Catalyst 3750 switch (100Mbps ports) was up on both sides, but CDP didn’t work and I didn’t see MAC addresses learned on the switch side. To fix the issue I had to disable auto-negotiation and hardcode 100M speed on the ASR side.

interface GigabitEthernet0/0/0
 no negotiation auto
 speed 100

Moreover, on the Catalyst side I had to hardcode “duplex full” to get rid of a duplex mismatch issue. Looks like it’s an issue with the ASR or the transceiver. Anyway, it’s strange and annoying to see the link UP on both ends but without actual connectivity.

Good luck!

Cisco ASA - crypto ipsec df-bit clear-df. [TESTED]

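When you build a VPN on a Cisco ASA, you’d better make sure that maximum-size packets with the DF bit set can pass through it. Here is the way to do it (the command clears the DF bit on the outer IP header, which allows the ASA to fragment the packet when it adds the IPsec encapsulation):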

crypto ipsec df-bit clear-df outside

Before:

Router#ping vrf TEST 1.1.1.1 size 1500 df-bit
Type escape sequence to abort.
Sending 5, 1500-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with the DF bit set
M.M.M
Success rate is 0 percent (0/5)
Router#

“M” means “Could not fragment.”

After:

Router#ping vrf TEST 1.1.1.1 size 1500 df-bit
Type escape sequence to abort.
Sending 5, 1500-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with the DF bit set
.!!!!
Router#

Good luck!

How to figure out your IPv4 public IP from CLI (using TELNET). [TESTED]

This trick has been known for decades, but the whole purpose of this post is for me to memorize a new public test FTP server that I can use - speedtest.tele2.net [90.130.70.73]. The one that I used for years is not working anymore.

All you need to do is use any TELNET client (PuTTY, for example). The only thing I noticed is that when you use PuTTY you have to hit ENTER to get the prompt; then you can do user, pass, stat…

All you have to do is this:

telnet speedtest.tele2.net 21

user ftp
pass ftp
stat

!!! You should see your public IP here !!!

quit

Here is an example:

C:>telnet speedtest.tele2.net 21

220 (vsFTPd 3.0.3)
user ftp
331 Please specify the password.
pass ftp
230 Login successful.
stats
500 Unknown command.
stat
211-FTP server status:
     Connected to ::ffff:123.4.5.6
     Logged in as ftp
     TYPE: ASCII
     No session bandwidth limit
     Session timeout in seconds is 300
     Control connection is plain text
     Data connections will be plain text
     At session startup, client count was 58
     vsFTPd 3.0.3 - secure, fast, stable
211 End of status
quit
221 Goodbye.
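
The same user/pass/stat/quit exchange can be scripted. This is an added example, not part of the original post: it reads the multi-line 211 reply and unwraps the IPv4-mapped form (::ffff:a.b.c.d) that vsFTPd prints. The function names and the constructed SAMPLE_STAT are assumptions made for illustration.

```python
import ipaddress
import re
import socket

# Constructed sample: part of the STAT reply from the session shown above.
SAMPLE_STAT = """211-FTP server status:
     Connected to ::ffff:123.4.5.6
     Logged in as ftp
     Control connection is plain text
211 End of status
"""

def read_reply(fobj):
    """Read one FTP reply: 'NNN-' opens a multi-line reply, 'NNN ' ends it."""
    lines = [fobj.readline().rstrip("\r\n")]
    code = lines[0][:3]
    if lines[0][3:4] == "-":
        while not lines[-1].startswith(code + " "):
            line = fobj.readline()
            if not line:
                raise ConnectionError("connection closed mid-reply")
            lines.append(line.rstrip("\r\n"))
    return code, lines

def client_ip_from_stat(lines):
    """Return the address after 'Connected to', unwrapping ::ffff:a.b.c.d."""
    for line in lines:
        m = re.match(r"\s*Connected to (\S+)", line)
        if m:
            addr = ipaddress.ip_address(m.group(1))
            return str(getattr(addr, "ipv4_mapped", None) or addr)
    return None

def public_ip(host="speedtest.tele2.net", port=21, timeout=10):
    """Send user/pass/stat/quit as in the post; everything travels in clear text."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        fobj = sock.makefile("rw", encoding="ascii", errors="replace", newline="\r\n")
        read_reply(fobj)  # 220 banner
        found = None
        for cmd in ("USER ftp", "PASS ftp", "STAT", "QUIT"):
            fobj.write(cmd + "\n")  # newline="\r\n" turns this into CRLF
            fobj.flush()
            code, lines = read_reply(fobj)
            if cmd == "STAT" and code == "211":
                found = client_ip_from_stat(lines)
        return found
```

Calling public_ip() needs outbound TCP/21; the parsing functions work offline on a captured reply.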

Good luck!

Cisco Catalyst - %PM-4-ERR_DISABLE: link-flap error detected. [SOLVED]

If a device connected to a Cisco Catalyst switch sometimes behaves weirdly and flaps its interface (during the reboot process, for example), the Catalyst switch will most likely shut down this interface with the following log message:

May  6 09:26:34.805 PDT: %PM-4-ERR_DISABLE: link-flap error detected on Gi0/49, putting Gi0/49 in err-disable state

As you know, link-flap error detection is enabled by default with the following parameters:

Switch#show errdisable flap-values
ErrDisable Reason    Flaps    Time (sec)
-----------------    ------   ----------
pagp-flap              3       30
dtp-flap               3       30
link-flap              5       10
Switch#

Switch#show errdisable detect
ErrDisable Reason            Detection        Mode
-----------------            ---------        ----
arp-inspection               Enabled          port
bpduguard                    Enabled          port
channel-misconfig (STP)      Enabled          port
community-limit              Enabled          port
dhcp-rate-limit              Enabled          port
dtp-flap                     Enabled          port
gbic-invalid                 Enabled          port
iif-reg-failure              Enabled          port
inline-power                 Enabled          port
invalid-policy               Enabled          port
l2ptguard                    Enabled          port
link-flap                    Enabled          port
loopback                     Enabled          port
lsgroup                      Enabled          port
mac-limit                    Enabled          port
pagp-flap                    Enabled          port
port-mode-failure            Enabled          port
pppoe-ia-rate-limit          Enabled          port
psecure-violation            Enabled          port/vlan
security-violation           Enabled          port
sfp-config-mismatch          Enabled          port
sgacl_limitation             Enabled          port
small-frame                  Enabled          port
storm-control                Enabled          port
udld                         Enabled          port
vmps                         Enabled          port
psp                          Enabled          port
Switch#

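We have two options: configure the errdisable recovery mechanism (see show errdisable recovery) or disable detection based on port flapping. Here is how you can disable it (this is a global setting, so it applies to every port on the switch):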

conf t
 no errdisable detect cause link-flap
 end

Checking:

Switch#show errdisable detect
ErrDisable Reason            Detection        Mode
-----------------            ---------        ----
arp-inspection               Enabled          port
bpduguard                    Enabled          port
channel-misconfig (STP)      Enabled          port
community-limit              Enabled          port
dhcp-rate-limit              Enabled          port
dtp-flap                     Enabled          port
gbic-invalid                 Enabled          port
iif-reg-failure              Enabled          port
inline-power                 Enabled          port
invalid-policy               Enabled          port
l2ptguard                    Enabled          port
link-flap                    Disabled
loopback                     Enabled          port
lsgroup                      Enabled          port
mac-limit                    Enabled          port
pagp-flap                    Enabled          port
port-mode-failure            Enabled          port
pppoe-ia-rate-limit          Enabled          port
psecure-violation            Enabled          port/vlan
security-violation           Enabled          port
sfp-config-mismatch          Enabled          port
sgacl_limitation             Enabled          port
small-frame                  Enabled          port
storm-control                Enabled          port
udld                         Enabled          port
vmps                         Enabled          port
psp                          Enabled          port
Switch#
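
Because this change switches off a protection for the whole switch, it is worth checking saved "show errdisable detect" output for causes that are disabled without approval. The following is an added example, not part of the original post; the function names and the constructed BEFORE/AFTER snapshots are assumptions made for illustration.

```python
import re

# Constructed sample: a few rows of the "show errdisable detect" output above,
# taken after "no errdisable detect cause link-flap" was applied.
AFTER = """Switch#show errdisable detect
ErrDisable Reason            Detection        Mode
-----------------            ---------        ----
arp-inspection               Enabled          port
bpduguard                    Enabled          port
channel-misconfig (STP)      Enabled          port
link-flap                    Disabled
psecure-violation            Enabled          port/vlan
Switch#
"""
# Constructed "before" snapshot: the same rows with link-flap still enabled.
BEFORE = AFTER.replace("link-flap                    Disabled",
                       "link-flap                    Enabled          port")

# Reason (may contain single spaces), 2+ spaces, state, optional mode column.
ROW = re.compile(r"^(?P<reason>\S.*?)\s{2,}(?P<state>Enabled|Disabled)"
                 r"(?:\s+(?P<mode>\S+))?\s*$")

def parse_errdisable_detect(text):
    """Map each err-disable reason to (detection_enabled, mode_or_None)."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            table[m["reason"]] = (m["state"] == "Enabled", m["mode"])
    return table

def unapproved_disabled(text, approved=frozenset()):
    """Reasons whose detection is off and that are not on the approved list."""
    table = parse_errdisable_detect(text)
    return sorted(r for r, (on, _) in table.items()
                  if not on and r not in approved)

def newly_disabled(before, after):
    """Reasons that were enabled in `before` and are disabled in `after`."""
    old, new = parse_errdisable_detect(before), parse_errdisable_detect(after)
    return sorted(r for r, (on, _) in new.items()
                  if not on and old.get(r, (False, None))[0])
```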

Good luck!

Cisco Nexus 5010 - Secondary power supply.

Quick note on secondary power supplies in Cisco Nexus 5010.

Today I did some maintenance on a Nexus 5010 - installed secondary power supplies and rerouted power cables. It was pretty straightforward. Here is the status without a secondary power supply:

n5k-1# show environment power 

Power Supply:
Voltage: 12 Volts
-----------------------------------------------------------
PS  Model                Input Power       Power     Status
                         Type  (Watts)     (Amp)
-----------------------------------------------------------
1   N5K-PAC-550W         AC     544.56     45.38     ok
2   --                   --         --        --     absent              

Mod Model                   Power     Power       Power     Power       Status
                            Requested Requested   Allocated Allocated
                            (Watts)   (Amp)       (Watts)   (Amp)
--- ----------------------  -------   ----------  --------- ----------  ----------
1    N5K-C5010P-BF-SUP      349.20    29.10       349.20    29.10       powered-up

Power Usage Summary:
--------------------
Power Supply redundancy mode:                 Redundant
Power Supply redundancy operational mode:     Non-redundant

Total Power Capacity                              544.56 W

Power reserved for Supervisor(s)                  349.20 W
Power currently used by Modules                     0.00 W

                                                -------------
Total Power Available                             195.36 W
                                                -------------
n5k-1#

I followed the Cisco Nexus 5000 Series Hardware Installation Guide > Replacing or Installing Power Supplies. After you install the secondary power supply you will see the following syslog messages. If the power cable is not plugged in yet, you will see the yellow “FAIL” LED on the PS.

2019 Apr 29 08:41:30 n5k1 %PFMA-5-PS_FOUND: Power supply 2 found (Serial number DTM142700X1)
2019 Apr 29 08:41:30 n5k1 %NOHMS-2-NOHMS_DIAG_ERR_PS_FAIL: System minor alarm on power supply 2: failed
2019 Apr 29 08:41:30 n5k1 %PFMA-2-PS_FAIL: Power supply 2 failed or shutdown (Serial number DTM142700X1)

Status with two PSUs installed, but with the cable not yet connected to the 2nd PSU:

n5k1# show environment power 

Power Supply:
Voltage: 12 Volts
-----------------------------------------------------------
PS  Model                Input Power       Power     Status
                         Type  (Watts)     (Amp)
-----------------------------------------------------------
1   N5K-PAC-550W         AC     544.56     45.38     ok
2   --                   --         --        --     fail/shutdown       

Mod Model                   Power     Power       Power     Power       Status
                            Requested Requested   Allocated Allocated
                            (Watts)   (Amp)       (Watts)   (Amp)
--- ----------------------  -------   ----------  --------- ----------  ----------
1    N5K-C5010P-BF-SUP      349.20    29.10       349.20    29.10       powered-up

Power Usage Summary:
--------------------
Power Supply redundancy mode:                 Redundant
Power Supply redundancy operational mode:     Non-redundant

Total Power Capacity                              544.56 W

Power reserved for Supervisor(s)                  349.20 W
Power currently used by Modules                     0.00 W

                                                -------------
Total Power Available                             195.36 W
                                                -------------
n5k1#

After I plugged in the power cable I had to wait ~15 seconds to get the following syslog message:

2019 Apr 29 08:45:42 n5k-1 %NOHMS-2-NOHMS_DIAG_ERR_PS_RECOVERED: Recovered: System minor alarm on power supply 2: failed

Here is the status with two PSUs and both cables plugged in:

n5k-1# show environment power 

Power Supply:
Voltage: 12 Volts
-----------------------------------------------------------
PS  Model                Input Power       Power     Status
                         Type  (Watts)     (Amp)
-----------------------------------------------------------
1   N5K-PAC-550W         AC     544.56     45.38     ok
2   N5K-PAC-550W         AC     544.56     45.38     ok                  

Mod Model                   Power     Power       Power     Power       Status
                            Requested Requested   Allocated Allocated
                            (Watts)   (Amp)       (Watts)   (Amp)
--- ----------------------  -------   ----------  --------- ----------  ----------
1    N5K-C5010P-BF-SUP      349.20    29.10       349.20    29.10       powered-up

Power Usage Summary:
--------------------
Power Supply redundancy mode:                 Redundant
Power Supply redundancy operational mode:     Redundant

Total Power Capacity                             1089.12 W

Power reserved for Supervisor(s)                  349.20 W
Power currently used by Modules                     0.00 W

                                                -------------
Total Power Available                             739.92 W
                                                -------------
n5k-1#

Then, to reroute the power cables, I disconnected the 1st power supply for ~5 seconds and didn’t get any syslog messages. So there’s some delay, and you have to be aware that a brief power cable disconnection will not be registered in the logs.

Good luck!
