Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
716
Views
5
Helpful
4
Replies

Topology Graph Question...

PATRICK KLINE
Level 1
Level 1

‎06-23-2008 04:44 AM

I have many site-to-site tunnels and the Graph doesn't seem to display the connectivity between sites(Peers). It displays them as separate networks with their own Internet Cloud(ISP Gateway). Is it possible or is it a limitation since it is trying to traverse the Internet and an ISPs network. I was hoping that Mars, since that it is a part of Interesting traffic, show at least a line through the clouds to the routers respective peers.

Thanks,

-Patrick..

Labels:
0 Helpful
4 Replies 4

alec.waters
Level 1
Level 1

‎06-23-2008 08:48 AM

Hi Patrick,

I'm in the same boat. I have 100+ IPSec spokes, and the topology graph is a total mess. Giving the MARS knowledge of IPSec links has been on my wishlist since day one.

There are also other issues:

Say your spoke device is a PIX or whatever that gets its "outside" IP address via DHCP from some NATting DSL router over which you have no control. Let's say it gets given 192.168.0.2.

Now let's say that there's a second PIX behind another router from the same vendor, and this PIX gets given 192.168.0.3.

The MARS will think that both of these PIXes are on the same "outside" subnet, which of course they are not. RFC1918 allows us non-unique address space, which the MARS just can't handle.

alec

0 Helpful

PATRICK KLINE
Level 1
Level 1
In response to alec.waters

‎06-23-2008 08:53 AM

Sorry and I'm glad I am not the only one. I did find a workaround, but it doesn't clean things up any. I created a loopback between the peers and added the subnet to the ACL. It now give me the line connecting them, but also shows the cloud. I have a call into my rep. to talk to some of their MARS experts.

Thanks again,

-Patrick.

pmccubbin
Level 5
Level 5
In response to PATRICK KLINE

‎06-25-2008 09:19 AM

Hi Patrick,

Thanks for posting the work around, even though it didn't clean things up the way you wanted. I give it a "5" for helping make this forum useful for others in the same situation.

Speaking of being in the same situation, I wish I had a nickel for everytime someone had told me how unsatisfactory they found the Topology Map in MARS! As someone who does implementations for a living I have found it best to concentrate on the more useful elements of MARS like its ability to correlate syslogs and NetFlow, and the reporting functions. These more than make up for the Maps.

I'm sure Cisco has been given an earful on more than one occassion about how they should fix this and that eventually they will.

Cheers!

Paul

0 Helpful

PATRICK KLINE
Level 1
Level 1
In response to pmccubbin

‎03-26-2009 11:48 AM

I have upgraded to v6.0 and the problem with the VPNs and the Topo Graph still exist. Has Cisco corrected this or should I still be using the loopback work-around?

Thanks,

-Patrick..

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents