Cisco Application :: LMS 3.2 SSH Sessions On ACE?
Apr 11, 2013I have an issue with LMS not terminating SSH sessions on the Cisco ACE?
Cisco LMS 3.2
Cisco ACE A2(3.3)
I have an issue with LMS not terminating SSH sessions on the Cisco ACE?
Cisco LMS 3.2
Cisco ACE A2(3.3)
I´m detecting on my ACE 20.
I´m monitoring the total number of concurrent sessions of my ACE 20 (using Cacti), and from time to time, with no discernable pattern, I see an instant drop of sessions to half...I don´t detect any disturbance with our traffic and service, I have no complaints, but it's a very accentuated drop.
I´m able to get 1 or 2 days withouth any suddent drop of connections, and then for no reason I pass from 500.000 to 200.000 sessions in a minute. Then they gradually go up again.
I´ve seen in ACE´s session table that she keeps a great number of half-open, or closed sessions, and those are counted as part of concurrent sessions. Is there any flush on ACE´s table when she reaches a certain number of closed TCP sessions or something like that?
What is the maximum allowed number of BGP sessions on Cisco platforms sup720 BXL and 7200 G2? Particulaty what are these numbers if BGP sessions are under MPLS vrf (i.e. maximum number of BGP session per vrf?).
View 2 Replies View Relatedthe customer has a problem with LMS 3.2. This software doesn't terminate ssh sessions created by LMS on ACE. All ssh sessions still exist on ACE, so no new ssh session can be created until the administrator manually clear these session on ACE.
View 7 Replies View RelatedI've got a problem with an ASR1004 running "asr1000rp2-adventerprisek9.03.02.00.S.151-1.S.bin".
When I'm performing extended ping tests using a tclsh script i'm geting this error message:
ASR_X1A2#ping 172.27.1.250
% Authorization failed.
When i'm pinging 12 diffrent destinations this happens to about 3 of them.
Checking the logs I found this:
Apr 24 19:42:56.071: %SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection
In my entire backbone this is happening only in this equipment, I've checked the connection between my ASR and the TACACS and it's OK, no packet loss. CPU and MEM are OK too.
Cisco Works (LMS 3,2) is not closing SSH sessions to a Cisco ACE module, I see the following thread and tried the workaround to no avail.
[URL]
I have also seen the following caveat (CSCtz42393) but this seems to be LMS 4.x, would this be 4.x and below or do I need to find the equivalent LMS 3.2
Router is running with IOS 12.4(24T) and we are having problems like file download stalls, some emails not being send or received. CBAC is enabled on this router with default values. MTU is also the default value. This problem has started all of a sudden. seeing lot of errors in the logs as below:
Oct 27 16:47:52: %FW-6-DROP_PKT: Dropping smtp session X.X.X.X:4443 Y.Y.Y.Y:25 due to Stray Segment with ip ident 25800 tcpflags 0x5014 seq.no 288975356 ack 3363647737*Oct 27 16:48:31: %FW-6-DROP_PKT: Dropping http session X.X.X.X:2020 Y.Y.Y.Y:80 due to Stray Segment with ip ident 1472 tcpflags 0x5011 seq.no 2686554796 ack 4275837539
Earlier we had same problem with LMS 3.2
(RME-Admin-Config Management- Fetch Interval) from 180s 420s.
Now after LMS upgrade ( 4.2.2 ) the SSH sessions are stucked on ACE. We had not experienced it with 4.2.1
[code]....
Someone told me the commands, but I can't remember them. Have a router (2801) at the end of a highly utilized T1 link/router. How do I protect it so my SSH and/or Telnet sessions will get serviced if the router is real busy.
View 9 Replies View Relatedwhile traversing through Cicso ASA Firewall 5520,VPN sessions are disconnecting.In Accelissts for VPN-Outbound traffic from LAN to Client VPN ,we have allowed all Ports.Is there any inspection Rules are cause for this issue. In ASA Firewall,presently the inspection rules are [code]
View 1 Replies View RelatedWe are using ACS 5.1 in our network. We have created users and grouped them as per the requirements. We want to restrict the user sessions in the network. A user should authenticate and able to access a network resource. But when he is active with that session, we need to block him from another successful authentication. We want to avoid multiple users using same user credentials for logging into the devices. whether this can be achieved by making configuration changes in ACS.
View 2 Replies View RelatedI have the default license for a ASA 5505 and this last Friday I received the attached log for SSH sessions through this firewall; we want to be clear about this issue. This limitation has to be with the 10 Inside Host or the Total VPN Peers limitations in this license? This firewall exists only to agree with a PCI requirement between our router and a communication with a Payment Card Industry Brand, all of this in the same site.
ASA5505 <164>Sep 09 2011 10:42:08: %ASA-4-450001: Deny traffic for protocol 6 src DMZ:X.X.X.X/2479 dst DMZ1:X.X.X.X/22, licensed host limit of 10 exceeded.
I hope that the communications through 22 TCP port, are not countable for license propose.
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 10
Failover : Disabled
VPN-DES : Enabled
[code]....
I am curious of the max supported SIP sessionf of the SRP500 series.
View 1 Replies View RelatedI've looked at the forum posts and the document post, and I understand the explanations. My question is, under system administration>max user session global settings, would setting a timeout (say 1 hour) purge these sessions?
Under access policies, I am not enforcing max concurrent sessions per user, due to some of our devices using a generic log in. But if I understand the explanation, and my understanding might be wrong, then setting an expiry timeout should purge the accounting sessions, right?
I have DSL line that gives 7mb down and 768k up. I have 2 users running win7 RDP session and after a few hours the session is unusable its so slow and then eventually it hangs . don't know where to start.
View 1 Replies View RelatedI am having a recurring problem with tcp sessions timing out / getting reset. I'm using the DIR-655 with PPPoE on a Qwest DSL line. Everything appears to be working fine (including my ipv6 tunnel) except for this issue where my long running ssh & database connections are being reset after a period of time.Currently have 2.03NA loaded, tried using 2.07NA but couldn't get ipv6 working correctly with the newer version.
View 7 Replies View RelatedIn our organization ,recently we are facing a issue with VPN connections are disconnecting abruptly in reandom time periods ( 5Min,15Min,1Hr also).We have verified in our SysLog .[code] The same was worked well in Cisco Pix 515E Firewall ,After changed to Cisco ASA 5520,it is giving the issue.- All Ports are allowed for outbound traffic with a Source Network 172.16.40.0/24 to their Client VPN.- This issue is giving for other Subnet Users i.e 172.16.33.0/24 to their Cleint VPN sessions & I allowed all Ports for them for Outbound traffic. Any feature in ASA is casuing for terminating the sessions which was not in Cisco PIX 515E.- ASA version is 8.0.
View 2 Replies View RelatedI have a issue with 1142n.If I start from 15 sessions per AP then it becomes a very costly affair. Because there are almost 20.000 student.20,000 students * 60% concurrent use divided by 15 = 800 APs.what is a realistic number of sessions on this AP? What is max concurrent connections on this AP?
View 9 Replies View RelatedWe are using ACS 5.1 and from time to time we are getting a warning saying that the active sessions are over the limit (250000). It is just a warning, so my assumption is that its not a big deal, but how do we keep from getting the event, or prevent the event?
View 2 Replies View RelatedI have upgraded my ASA 5520 til version 9.1 with ASDM version 7.1. After the upgrade ASDM shows a lot of IPSEC VPN-sessions in the GUI that i cannot see from the ASA. Right now the GUI says that I have 28 IPSEC-sessions while the output from "show vpn-sessiondb l2l" shows the expected 4 tunnels and the output from "show vpn-sessiopndb remote" shows 0 as expected. (I do not use IPSEC from remote users).
View 3 Replies View Relatedhow many sessions a BGP Route Reflector can support? is it 10, 100 or 1000 BGP sessions? What degradation of performance may arise in the case of a BGP RR sessions overload? Consider that the RR I'm deal with has both the control plane and teh forwarding plane. Which command I may use for get the output about BGP sessions resurces used level?
The following are the data about the RR:
Cisco 7600
WS-SUP720-3BXL
Version 12.2(33)SRD5
cisco CISCO7609 (R7000) processor (revision 1.2) with 983008K/65536K
We have a new 2911 that needs to be configured, unfortunately it's at a remote site. I had installed the following config: [code]
Now, I do get a dhcp ip on the G0/0 interface and I can ping it from my remote network and the local router as well as the local lan. The hands and eye guy is able to telnet from the local lan but I am unable to telnet from either my remote lan or the local router.The only error I receive is "connection refused by remote host". All lines are clear so I have no conflicts with multiple telnet sessions.
There is a page in the DIR-825 that logs your computers IP and the other IPs it is connecting to. I was wondering if there was a way to disable that function on select devices? My handhelds and legitimate computers that should be on the internet are filling it with spam and it is hard to check for unauthorized users on the network. If that is not possible, then would I be able to completely disable the feature?
View 1 Replies View RelatedI have recently installed four Cisco RV042 v3 VPN routers for a customer of ours to replace existing Nortel Contivity 1010 devices which were providing VPN tunnels from the customer's 3 branches to their headoffice. The original Nortel devices were working perfectly but the customer wanted some firewall rule changes and the Nortels were proving to be somewhat inflexible and incomprehensible in their configuration hence why they were replaced.
When installing the Cisco routers I configured the VPN settings to match the Nortel device settings so that I could swap out a branch at a time without taking the whole setup down for a day.The customer has a Unix based dumb-terminal application running on a server at headoffice that they access from their branches using terminal emulators on Windows PCs and thin client hardware devices that support vt100 terminal emulation.
Prior to installing the Cisco RV042's everything was working fine. Now they are using the RV042's they keep getting the sessions from their branches dropped. Both PC users and thin client users are losing sessions and it happens with active and idle sessions. I have checked the logs on the routers when users are disconnected and there is nothing logged at that time (other than my login)... I had thought maybe it was to do with tunnel renegotioations so I have set to phase 1 / phase 2 SA timeouts to 86400 & 28800 seconds respectively but this has had no effect. I had also seen somebody advised disabling 'SPI' in the firewall... I have tried this and it makes no difference.
I have recently enabled the SMTP alert function in ACS 5.3. It seems to work well for most of the alerts. One thing though, the active sessions are over limit warning that comes up every so often. I know it is not impacting operations and it is ACS's way of clearing out sessions that had no accounting stop, but how do I disable this alert from being sent by e-mail from ACS 5.3?
View 3 Replies View RelatedHow to limit maximum SSL VPN sessions per group-policy on ASA5510?
There are 2 group-policy: in one maximum of 10 connections, in the second - 15 (In total licenses for SSL VPN 25 connections).
This is an issue I'm currently exploring with TAC, but I'd like a quick reality check. We have a pair of ASA 5510s in Active/Standby stateful failover mode. In some tests failing over from the active to the standby system breaks SSH connections from hosts on our Inside to hosts on our DMZs.
A specific example is our backup server on Inside which is connecting to our mail server in the DMZ2, and running ssh/rsync/scp for the backups. A running backup job fails with network timeout errors when I trigger the failover. Also, sometimes the mail server loses or hangs on its connection to our LDAP server in DMZ1, although sometimes this connection is fine (DMZ2 is more "inside" than DMZ1, and I assume the LDAP look ups are many short connections, vs the rsync backup being one long connection).
TAC has suggested that open SSH sesions will always fail when the ASAs failover. I believe this is true for management connections to the ASA, but I don't see why it should be the case for an SSH session through the ASA to a server in the DMZ. TAC has suggested that I open some connections to servers in the DMZ and test what happens, and I can do so this Wednesday morning during a maintenance window.But, in general, is this true? That is, given an SSH session from a workstation to a server, should a failover break it? If so, why?
The setup is:
MyWorkStation-INSIDE -> CoreSwitch (vlan 10) -> [ ASA-INSIDE - - (ASA-internal-connection) - - ASA-DMZ ] -> CoreSwitch (vlan 3) -> TargetServer
That is, all our inside VLANs are routed by our core L2/3 switch to a VLAN that connects to the Primary and Secondary ASA's INSIDE ports. There are also seperate VLANS on the core for the ASA's DMZ1 and DMZ2 connections, which go to both ASAs and to any servers in these zones.
The description of the ASA Stateful failover [URL]says: "The state information passed to the standby unit includes these:
· The NAT translation table
· The TCP connection states
· The UDP connection states
· The ARP table
· The Layer 2 bridge table (when it runs in the transparent firewall mode)
· The HTTP connection states (if HTTP replication is enabled)
· The ISAKMP and IPSec SA table
· The GTP PDP connection database
[code]....
I'm not quite sure what the ISAKMP and IPSec SA tables do, but shouldn't an SSH connection through the ASA be just a TCP connection? "For us, SSH from Inside to hosts in the DMZ survives failover," or, "Yah, failover breaks all SSH sessions."
intra-confederation labs -
Ibgp router (R1 ) - propagate updates packets to intra-confederation neighbor (64512) and 64512 - member as sending notification errors to ibgp router R1 - with Malformed AS_Path
R1 neighborship going down after receiving notification
i dont what exact root cause of this issuse
in Cisco ASA 5540 Adaptive Security Appliance Platform Capabilities and Capacities, I see Concurrent Sessions: 400,000. Which mean what device can handle 400,000 session and no more. But if I'm using TCP State Bypass Feature (Inbound traffic pass via ASA but Outbound goes via different device). I can see such connections via show conn command with b flag.
My questions: 1. Will this limit (Concurrent Session) affect in this case? Or ASA can handle more such connections (for example 800,000 ...) in bypass state? 2. It's possible to tune timeout for such connection without using global timeout conn? My problem what I want to do by pass tcp connection for one IP with has very high connection/sec rate.
We have asa 5520 with 8.4(2) release and asdm 6.4(5). When we create new ipsec connection profiles (by ipsec wizard for example), ASA reset all vpnclients sessions active. Now we need to create new profiles, but we have 170 vpnclients sessions active, so we cant'.
View 3 Replies View RelatedI am in the early planning stages for a 6509 to Nexus 7K migration. Based on my experience with the 7K's at a previous company where we ran into a lot of issues, I am trying to be very careful.
I am more at home with the 6500 chassis and know what I can do with them. I remember running into a limitation on the Nexus that involved their not supporting span sessions like the 6500's do. Is that still the case ?
If that isnt an option in the short term, I will need to look at a substantial investment in ethernet tap's to replace the lost span functionality because the security group's heavy use of span sessions.
Everytime I make a config change to one of the contexts on our ACE20, I get this message: Config Application in Progress. This command is queued to the system
If I run show download info, I get:
context : context1
Interface Download-status
--------------------------------------------------------------
187 In Progress
199 Pending
Regex download optimization status : Couldn't get status[TNRPC Timed out]
It eventually seems to complete, but it takes a very, very long time. We are running Version A2(3.5) [build 3.0(0)A2(3.5)].
How to schedule automatic Xlate sessions cleaning in ASA5550. I want to clear few global nat sessions manually every week.Is there any way to automate that?
View 1 Replies View Related