Marcin Latosiewicz

Member Since: Jan 03, 2008

Marcin Latosiewicz commented on FlexVPN Spoke to Spoke , NHRP Redirect not working in VPN 2 months ago

NHRP is L2 protocol, VTI is a L3 encapsulation. So yes, you do need GRE (default).

Marcin Latosiewicz commented on in VPN 6 months ago

ASA does not support virtual interfaces for VPN - it does support IKEv2 for Remote access and L2L...

Marcin Latosiewicz commented on Ikev2, CA, trustpoint, FlexVPN in VPN 8 months ago

Mind that I haven't been working on this tech for almost 3 years. The aaa authorization rule is not...

Marcin Latosiewicz commented on Ikev2, CA, trustpoint, FlexVPN in VPN 8 months ago

Spoke doesn't have an identity cert. Enroll the spoke to CA (yes, itself). Also make sure you have...

Marcin Latosiewicz commented on Advantages of VTI configuration for IPSec tunnels. in VPN 9 months ago

Split tunnelling being enabled or disabled is a matter of policy typically, this particular example...

Marcin Latosiewicz commented on IPv6 Link local address format in LAN, Switching and Routing 1 year ago

Is the OS using CGA?  https://en.wikipedia.org/wiki/Cryptographically_Generated_Address

Marcin Latosiewicz commented on IP source routing must be disabled in Unified Computing 1 year ago

Mohan,  But there is no data plane routing on FIs, NXOS. Let me demonstrate.    bdsol-6296-01-B...

Marcin Latosiewicz commented on IP source routing must be disabled in Unified Computing 1 year ago

UCS/Fabric Interconnects are not routing devices. They operate either in end host or FC/Ether...

Marcin Latosiewicz commented on FlexVPN Spoke to Spoke , NHRP Redirect not working in VPN 1 year ago

 tunnel mode ipsec ipv4 <--- NHRP in IP world, may not work ...  Try with GRE?  1544368: Oct 14...

Marcin Latosiewicz commented on Why do we need upgrade Fabric Interconnect catalog version in Unified Computing 1 year ago

Do you mean the capability catalog? If so, Cisco is releasing upgraded version (/revisions) of...

Marcin Latosiewicz commented on GETVPN KEK TEK in VPN 1 year ago

In quite practical terms IKE phase 1 authentication and rekey authentication should be using...

Marcin Latosiewicz commented on Fibre Channel and Fibre Channel Over Ethernet Slow Drain - Details Required in Other Data Center Subjects 1 year ago

Probably best doc we have is from MDS family: http://www.cisco.com/c/en/us/products/collateral/...

Marcin Latosiewicz commented on Multiple Inbound and Outbound SAS being established in VPN 1 year ago

Truth be told best way to check who's starting QM exchange causing those SPIs to be introduced. I...

Marcin Latosiewicz commented on DMVPN problem with 2 hubs in VPN 1 year ago

Look into NHRP holdtimes and registration timers. The default values are quite long.

Marcin Latosiewicz commented on Using PKI for Authentication only in VPN 1 year ago

Brian,  The certs (actually RSA sig) are only used to authenticate IKE exchange. The key material...

Marcin Latosiewicz commented on CIsco UCS FI ( 2.23e) License issue in Unified Computing 1 year ago

https://tools.cisco.com/bugsearch/bug/CSCui19338/?reffering_site=dumpcr possibly?

Marcin Latosiewicz commented on Can only ping across VTI or DMVPN as long as no crypto is applied in VPN 1 year ago

You might want to try EPC to check if you're seeing those packets ingressing/egressing correctly...

Marcin Latosiewicz commented on Can only ping across VTI or DMVPN as long as no crypto is applied in VPN 1 year ago

Do you mind trying using pure ESP for test? You also might use tunnel path mtu discovery ......

Marcin Latosiewicz commented on Can only ping across VTI or DMVPN as long as no crypto is applied in VPN 1 year ago

Could be some weird padding/fragmentation problem in transit. " if I remove the transform-set...

Marcin Latosiewicz commented on Can only ping across VTI or DMVPN as long as no crypto is applied in VPN 1 year ago

Not sure about the platforms you're running on, but not all platforms support nesting AH and ESP. ...

Marcin Latosiewicz commented on Crypto IPsec tunnel commands related in VPN 1 year ago

Check the command references: http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-...

Marcin Latosiewicz commented on Syslog Logging in Other Data Center Subjects 1 year ago

Doug, That depends on OS/system. NXOS supports setting logging level per server: http://www.cisco.com...

Marcin Latosiewicz commented on IPSEC ERROR: Advancing IPsec ring in VPN 1 year ago

https://tools.cisco.com/bugsearch/bug/CSCuu36639/?reffering_site=dumpcr

Marcin Latosiewicz commented on Encaps and decaps in different tunnels. in VPN 1 year ago

Once you have new IPsec SA there's no good reason not to start using the new ones, but should...

Marcin Latosiewicz commented on Encaps and decaps in different tunnels. in VPN 1 year ago

To be honest it could be a number of things. You can see multiple SAs (with same parameters) in a...

Marcin Latosiewicz commented on locate a switch port a wwpn is logged into in Storage Networking 1 year ago

Both MDS and N5k provide "show flogi database" and "show fcns database" commands. This should show...

Marcin Latosiewicz commented on CVE-2015-4289 AnyConnect version fix in VPN 1 year ago

Martin,  I wasn't trying to be dismissive, by any means. What I think is that bug toolkit etc guys...

Marcin Latosiewicz commented on CVE-2015-4289 AnyConnect version fix in VPN 1 year ago

Martin, C'mon! We're fighting over 0? Literally "nothing" ?! :-) Well the problem comes from how we'...

Marcin Latosiewicz commented on CVE-2015-4289 AnyConnect version fix in VPN 1 year ago

In case you need software under PSIRT advisory - you can also contact TAC - most of the time :-)

Marcin Latosiewicz commented on CVE-2015-4289 AnyConnect version fix in VPN 1 year ago

Martin,  The release is available on CCO.  screen_shot_2015-08-13_at_10.09.33.png...

Marcin Latosiewicz commented on Distance between FI and Chassis in Unified Computing 1 year ago

I'm not aware of any cabling which will get you over 300 meters. http://www.cisco.com/c/en/us/...

Marcin Latosiewicz commented on Nexus 5672UP FC interfaces in Storage Networking 1 year ago

Colin,  I don't have a N5600 handy, but I remember having a similar discussion a few days back. ...

Marcin Latosiewicz commented on FI firmware upgrade from 2.2(3a) to 2.2(5a) in Unified Computing 1 year ago

There are a couple reasons this could be happening, starting from bad mounting/bad reporting to some...

Marcin Latosiewicz commented on IOS IPSEC with RSA-SIG - moving the CA to a new router in VPN 1 year ago

There are a couple of things to consider, like where you are storing your CRL etc. But in general you...

Marcin Latosiewicz commented on isakmp SA in VPN 1 year ago

That's how I remember it, it's been two years :-)

Marcin Latosiewicz commented on isakmp SA in VPN 1 year ago

One describes what is local and remote IP, the other describes who's the source and destination for...

Marcin Latosiewicz commented on log - Nexus7000 in Other Data Center Subjects 1 year ago

https://tools.cisco.com/bugsearch/bug/CSCuj78354/?reffering_site=dumpcr and https://tools.cisco.com/...

Marcin Latosiewicz commented on DMVPN Spoke Issues after migrating dual hub from ISR2 3925 to ASR-1001X in VPN 1 year ago

200-300 per ASR seems decent, lots of possibility to scale up on most ASR1ks. if-state nhrp ...  it'...

Marcin Latosiewicz commented on DMVPN Spoke Issues after migrating dual hub from ISR2 3925 to ASR-1001X in VPN 1 year ago

Well hard to say, I think you've got a pretty cool thing going. BGP as routing protocol already a...

Marcin Latosiewicz commented on DMVPN Spoke Issues after migrating dual hub from ISR2 3925 to ASR-1001X in VPN 1 year ago

Ha, indeed I only saw one tunnel in the config you've outlined. There are a couple of interested (...

Marcin Latosiewicz commented on DMVPN Spoke Issues after migrating dual hub from ISR2 3925 to ASR-1001X in VPN 1 year ago

Those are IPsec SA count, probably a bit too much, but most likely not all of those are active - a...

Marcin Latosiewicz commented on DMVPN Spoke Issues after migrating dual hub from ISR2 3925 to ASR-1001X in VPN 1 year ago

Try IKEv2? :-) You know it's good for you!  Check whether you may or may not have multiple IKE...

Marcin Latosiewicz commented on DMVPN Spoke Issues after migrating dual hub from ISR2 3925 to ASR-1001X in VPN 1 year ago

It's possible you're hitting this one - the phase 2 negotiation failure: https://tools.cisco.com/...

Marcin Latosiewicz commented on Nexus 5548 Upgrade procedure from NXOS version 5.0(3)N2(2) to version 7.0(5)N(1) in Other Data Center Subjects 1 year ago

Luke,    Start here  http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5500/sw/up...  ...

Marcin Latosiewicz commented on Fragmentation after Encryption in VPN 1 year ago

Unless something changed quite recently all fragmentation and reassembly on IOS had to be punted to...

Marcin Latosiewicz commented on Fragmentation after Encryption in VPN 1 year ago

That will depend on your platform and to some extent the accelerator card. On your IOS devices you'...

Marcin Latosiewicz commented on Server 2012 R2 Boot from SAN with ISCSI - Can't recognize in Unified Computing 1 year ago

Cursory glance at the config doesn't show anything odd. A couple of notes: - loading drivers causing...

Marcin Latosiewicz commented on RITE for ipv6 in IPv6 Integration and Transition 1 year ago

Actually only originator of thread can pick the correct answer (unless you're admin/moderator,...

Marcin Latosiewicz commented on Server 2012 R2 Boot from SAN with ISCSI - Can't recognize in Unified Computing 1 year ago

You're able to communicate with storage on IP level, but it looks like LUN masking or similar is...

Marcin Latosiewicz commented on Can we assign IPv4 IP address pool to IPv6 VPN Client in VPN 1 year ago

Patrick,  SSL with IPv6 and IPv6 assigned IP address has been working for some time. Vide: http://...

Bio

CCIE - Security.










Marcin Latosiewicz's Stats

Points 3375
Discussion started 0
Answers marked as Correct 389
Endorsed 3
Content Rated 90