Cisco Firewall :: 5520 - PPTP Connection Dropped Every 120 Minutes
Jun 27, 2012
I am using a PPTP server running on Windows 2008 server and I have configured my ASA 5520 to let the PPTP traffic pass through.
The solution works quite well but exactly every 120 minutes the connection drops and people have to reconnect. Is there any setting to change? In the PPTP server I haven't found any setting to change.
May 30, 2013
We are working with an ASA 5520 and it seems there is an issue with some email messages sent through it. When there are many recipients in the emails the email messages are not sent, and I have revised the server and the only thing I see is connecting dropped. When I went to see the ASA log I saw this log report:
ESMTP Classification: Dropped connection for ESMTP Request from 'interface': servername/portnumber to outside: IP address/25; matched Class 2: cmd RCPT count gt 100 tcp flow from interface:servername/portnumber to outside: IP address/25 terminated by inspection engine, reason - inspector disconnected, dropped packet.
So I think there should be an inspection of ESMTP packets and if they detect an email message sent to over 100 addresses, then the packet is dropped, am I right? If so, what should I do to let those email messages be sent?
Feb 23, 2011
I have a Dell Latitude d810 laptop that has XP Professional and an Intel PRO/Wireless 2200BG driver. It has been working fine for nearly 3 years. Recently I changed it from a domain to a workgroup and now the internet connection drops after about 5 - 10 minutes. When I say "drops", I am referring to the browser can no longer display the webpage. The internet connection still shows to be "Excellent". I even tried pinging www.google.com and it can still ping the website but the browser just stops working. I have tried Firefox and IE. I updated the DNS to use the default primary DNS suffix. The only way to get the browser to re-establish a connection is by rebooting the laptop. [CODE]
Apr 8, 2011
Our local network is behind the CISCO ASA Firewall. Whenever we are accessing the client VPN server, it is getting connected, but after a few minutes (maybe 5/10/30 min), the sessions are terminating. The same traffic through PIX is no issue, only with ASA Firewall. See the following error; I request you to give the possible root cause for this.
2011-04-09 16:15:09 Local4.Info 172.16.1.68 %ASA-6-302016: Tear down UDP connection 87447908 for OUTSIDE:68.22.26.66/4500 to inside:172.16.9.10/4410 duration 0:27:49 bytes 18653
Aug 18, 2011
One last try before boxing up my new DIR-655 and taking it back to Microcenter. I've opened a case via email and got the standard response, below. I have a Dlink DP-300U print server that works fine with my 'old' Belkin router, a F5D-7230-4 wireless unit. Nothing wrong with the Belkin, I'm just getting some service drops from my lousy AT&T ifitl 1.5mbps ISP and thought a new router might work. I actually read the manual (!!) before installing the DIR-655 and even followed it. The print server just isn't visible on the network. Everything else is, though. The 'suggestions' from Dlink tech support below are very useful. If I could 'see' the print server to verify its IP address, we wouldn't be having this conversation. I've rebooted everything, several times and even reinstalled my old Belkin router (which always sees the print server.) And Dlink, no...I'm not interested in paying you $32.95 for up to a half hour to maybe fix a problem caused by your new device. And dropping my call after almost 15 minutes on hold is not cool, either.
With reference to the issue you are facing, we suggest you to kindly ensure that the IP address assigned to DP-300U print server is in the same network range as that of your DIR-655.
NOTE: The default IP address of DIR-655 is 192.168.0.1. Once it is done, try to ping the IP address of DP-300U using any of the wired / wireless client connected to DIR-655. Note the DP-300U is not currently supported in North America. D-Link offers a premium fee based support line that will be able to support any issues you have with this product.
Mar 13, 2011
I have a WRT400N and approximately every 30-45 minutes the router will drop all connections (wired and wireless), all the lights will go out and then power light (far right light) will flash for a minute or so. I have tried connecting directly to my modem and I have no problems at all.
Oct 15, 2011
Our client tried to download a real time generated file from a website. The generation process takes around 5 mins; after 5 mins, the file will start to download.
When my client connects directly to the internet, the file can be downloaded successfully, but when passing through the ASA 5510 and using the internal IP address, a message something like "Are you sure want to logout from this web page?" appears in Safari after 5 mins. I think the error message appears at the time when a "you can start to download" message is sent from the server to the client; the page session times out, so the user cannot download the file from the internet as the session is not valid.
I couldn't find any timeout setting in "show runn". Is it possible the setting is in ASDM? How can I find it and configure it?
May 15, 2006
Can I configure a PIX (515) as a PPTP client to establish a tunnel with a non-Cisco PPTP server? Can my PIX initiate this type of connection? Today, I use a PC with a PPTP client to establish this and I want to replace this with a PIX, and I don't want to depend on a PC.
Dec 12, 2012
I have a problem with the connections to the remote webservice passing through ASA 5520 firewall. Connections are usually interrupted for a period of half an hour every few days.
This ASA 5520 firewall is only one firewall in a path to the remote webservice.
During the interruption I find the logs:
UTC: %ASA--4-419002: Duplicate TCP SYN from dmz1:x.x.x.x/.... to outside:y.y.y.y/p with different initial sequence number
Teardown TCP connection 28309406 for outside:y.y.y.y/p to dmz1:x.x.x.x/.... duration 0:00:30 bytes 0 SYN Timeout
How could I find the root cause? Could the solution be implementation of TCP State Bypass?
Oct 7, 2012
We recently replaced our Cisco 5510 with a 5520. I had the SSL Client VPN working on the 5510, I cannot get it working on the 5520. The IOS version is 8.2(5) and the ASDM version is 6.4. I run through the SSL Client wizard and get everything set up. When I try to get to my outside interface Internet Explorer just comes up with an error. When I try to connect through the Cisco AnyConnect client on my Android it used to come up with a "No address available for SVC connection". After deleting an address pool not even related to my SSL VPN profile I cannot get that far. I just get a "login failed". Even after I create a user with level 15 privilege and assign to my vpn group policy. I still get the "No address available for SVC connection" when I try to connect to the default profile, which doesn't really go anywhere.
Apr 9, 2013
Device Cisco ASA
Model:5520
OS 8.4(2)
I am not able to access the device via SSH. After connecting to the console I have found that allowed SSH sessions are fully utilized with the show resource usage command and the output is [code]
So I used the show ssh session command to see who is using the sessions but in the output it showed only one session and the output was [code]
I was wondering why it shows only one session above instead of showing all the 5 sessions which are utilized as confirmed by the show resource usage command. We are using some internal tool for SSH monitoring on the device which is polling the device after a fixed interval for port 22 reachability. I don't think these tools are causing any issue as this is the secondary firewall and we are not facing any reachability issue for the primary firewall. Also we are using 10 min for idle SSH timeout.
Oct 25, 2011
I configured multiple VLANs on my Cisco ASA5520. Everything works perfectly except RDP (3389) connections. The connections are established but after a period of inactivity, the user is disconnected from the server (black screen). The same problem happens with other types of connections (client/server), for example: Oracle, file sharing. Before installing the ASA, computers and servers were in the same VLAN and it worked well.
Is there a notion of inter vlan timeout connection?
Jun 24, 2012
I have a Cisco ASA 5520 that I'd like to be able to connect directly to our gigabit fiber connection (we're currently connected through a media converter that's causing problems). I've found the following: Cisco ASA 5500 Series 4 Port Gigabit Ethernet Security Services Module [URL]. I only need a single fiber connection, as opposed to the 4 copper + 4 fiber.
Nov 28, 2012
I have a Cisco ASA 5520 that was working properly. I tried to create a VPN IPSEC to test but when I finished the wizard I lost the connection between the inside interface and outside. I use another interface for DMZ and another for the printers network but these adapters are working properly. I have reviewed the NATs and the ACLs but I don't see the problem.
I have deleted the VPN IPSEC but it's still not working and I have the network down.
Jul 5, 2012
I am configuring a 2921 with enhanced security using the CCP. I have found a behavior that seems strange to me and I'm not sure if I'm misunderstanding something or missing a setting. It seems that if I create a firewall rule to "allow" traffic through, that traffic gets dropped, but if I set the action to "Inspect", the traffic comes through fine. I can actually reproduce this at will by setting up a rule from out-zone to self to allow traffic and I cannot telnet into it from an external IP, but if I change that rule to "inspect" I can connect fine (I don't want that rule set up permanently, was just using it to test the firewall).
If I set the allow rule to log, I see the following line in the application security log:
(target:class)-(ccp-zp-out-self:user-fw-ccp) Passing telnet pkt 1.1.1.1:58141 => 2.2.2.2:23 with ip ident 0
(where 1.1.1.1 is the external laptop and 2.2.2.2 is my WAN IP address of the 2921)
So it looks to be passing the traffic, but that traffic is getting dropped somewhere because the connection is unsuccessful.
Is this the expected behavior of "Allow" action? Is there something I can do to make sure "allow" traffic actually gets through?
Oct 19, 2011
I have a server in a DMZ behind the ASA. Connections to this server work sometimes and then fail others, so I don't think I'm looking at an ACL or NAT problem here. The syslogs report a SYN Timeout. I have taken a trace on the ASA; it seems that a SYN-ACK does come from the destination server within the 30sec timeout, but it's not passed through the ASA back to the source? There is one odd thing, what seems to be an out of sequence ACK from the destination which arrives before the SYN-ACK at the ASA; I'm wondering if this might be the problem? This only occurs on the connections which fail; on the connections that work, the destination responds quickly to the initial SYN, and the 3way handshake completes.
Syslogs :
Oct 18 19:17:32 nzlsudfedsi001-pri Oct 18 2011 19:17:32 NZLSUDFEDSI001 : %ASA-6-302013: Built outbound TCP connection 42327212 for IIP-ARCHIVE-PROD:172.24.32.31/21 (172.24.32.31/21) to BPO-TRANSIT:x.x.x.x/59392 (x.x.x.x/59392)
Oct 18 19:18:02 nzlsudfedsi001-pri Oct 18 2011 19:18:02 NZLSUDFEDSI001 : %ASA-6-302014: Teardown TCP connection 42327212 for IIP-ARCHIVE-PROD:172.24.32.31/21 to BPO-TRANSIT:x.x.x.x/59392 duration 0:00:30 bytes 0 SYN Timeout
[code].....
Mar 27, 2011
I've got a virtualised firewall running 3 security contexts in routed mode. What I am experiencing is that I cannot connect to an OUTSIDE host through the security contexts. From the firewall itself I cannot ping the directly attached host on the OUTSIDE interface but I can ping the directly attached host on the INSIDE interface. When I reload the firewall box, the first ping to the OUTSIDE host would be successful but subsequent pings fail and thus total connectivity is lost.
I even tried upgrading to ASA version 8.4(1) but it is still the same.
May 1, 2013
We have an ASA 5520 firewall. For broadband Internet access, we have a T1 router (edge router provided by ISP) which provides public IPs 198.24.210.224 / 29. We have usable public IPs 198.24.210.226 - 198.24.210.230 with default gateway 198.24.210.225. We assigned 198.24.210.230 255.255.255.0 to the outside interface.
If we connect the ASA 5520 outside interface directly to the T1 router, can all packets with destination addresses 198.24.210.224/29 reach the outside interface without using another device like another router or switches? I just assume that only packets with destination address 198.24.210.230 (outside interface IP) can reach the outside interface from the edge router. Is it a wrong assumption? If it is correct, then is there any way to route all packets with destination address 198.24.210.224/29 to the outside interface?
Nov 11, 2012
Currently in our environment we have two buildings with an ASA 5520 in each and a core stack of 3750's in each building. I am currently working on a network segmentation project and am thinking of adding another stack of 3750's in each building to add more redundancy to our network. This will allow our access layer switches to have a trunk to each stack and prevent an outage if one of the links or stacks were to go down.
My question is how I would set this up on the ASA end of things while using a common subnet and HSRP on the 3750's. I understand how to use HSRP and STP on the switches to achieve this on the 3750 end of things. I saw you can do etherchannel on the ASA with 8.4 but how does that work in a failover situation?
Nov 3, 2011
I have a client that has an ASA 5520 that has two internet connections, FIOS and Comcast. The ASA is configured to failover from the FIOS to the Comcast if the FIOS fails. This works perfectly fine. However, I was wondering if VPN and other inbound traffic will come into the secondary connection when it is active. I think VPN will work inbound when the FIOS connection fails, but I am not sure about the other inbound connections.
Dec 15, 2011
An RVS4000 shall establish a PPTP VPN connection. The router is connected through its WAN port to the first router which connects to the internet.
The PPTP VPN connection cannot be established but the pptp server can be pinged from the VPN router. Login data and password is OK. Connection can be established from a win7 computer without any problem.
Mar 6, 2011
We have a Cisco 891 with this configuration below. I have several computers on my LAN that need to connect to an external Windows server with PPTP. The Windows server is not mine but it works. The clients are using the Windows connection manager. We can connect to the Windows PPTP server for hours sometimes. But sometimes we can just connect for about 3-4-5 minutes, and it auto-disconnects. Is there something wrong in my configuration? I heard the Cisco router is messing with the keepalive or the connection state. It seems to happen when I have more than 5-6 clients connected at the same time on the same server. I got these messages: Link to VPN failed. OR ERROR 619 OR ERROR 651. Before, I had a RV042 and it worked like a charm. We were 10 on the VPN server and it was working. I don't see why it's not working now.
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Quantis891
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
!
!
!
!
aaa session-id common
!
!
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
!
!
no ip source-route
!
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.1.1.201 10.1.1.254
!
[Code] .....
Feb 1, 2011
I am using a wireless connection and my VPN connection gets dropped all the time. Are there any settings I need to change? I am using the Juniper Networks client. Are there any settings I need to change?
Jun 29, 2011
I have an issue with Cisco VPN-Client V 5.0.06.0160 Remote VPN-Access to ASA 5510 8.2(3).
Everything works fine but sometimes after about 4-5 hours the connection is dropped by the ASA. The client still pretends to be connected, but there is no connection seen on the ASA.
Dec 12, 2011
My ethernet connection dropped out of my network sharing center and I cannot get it to come back. I don't know where to look or how to reactivate it.
Sep 12, 2012
I am having a problem when trying to connect through VPN from MacOS to my RV016 router. The situation is like this. I can connect to the router, the connection is successful, but when I try to access resources inside the network it disconnects me. The message is "You are dissconnected by the PPTP Server". I encountered this problem on MacOS Snow Leopard and Lion. I tried to connect from 3 different Apple machines, but the problem is the same.
Jun 4, 2012
I've got trouble using PPTP connections with the RV220W small business router. When trying to connect to the router of a branch office with the Windows PPTP client (i.e. on Windows 7) from outside the company's network, first everything seems to be in working order (user name and password are checked, the device is registered in the remote subnet) but then a window pops up saying there has been an error connecting.
Here is some information on my setup:
RV220W with firmware 1.0.3.5
It connects to the Internet using PPPoE dialin
dyndns account configured and working
Another router working in "Act as a DSL modem" mode is used as a modem (AVM FRITZ!Box 7170)
The RV220W is maintaining an IPSec tunnel to a main office, which is working fine
There are 2 local VLANs (one with access to VPN tunnel, one without), each with its own subnet (192.168.201.0/24 and 192.168.202.0/24)
PPTP users are on a separate subnet (192.168.203.101 - 192.168.203.111)
My first guess was that the intermediate router acting as the modem could be a problem, but I verified all settings on that router and it should not filter anything. After all, port forwardings, the IPSec tunnel and so on are working.
Dec 27, 2010
Can the RV082 establish a PPTP VPN connection as CLIENT? (I'm aware it can provide the function of a VPN PPTP server but could not find if it can act as a client.) To explain further: I'm based in Europe and use a US VPN to access some US services like Netflix, Pandora, etc. (I'm paying for a US VPN account as a service so I have no other choice than PPTP.) I would like to establish a permanent PPTP VPN tunnel with the remote server so all computers in the house can go through the tunnel when I browse for Pandora or Netflix for example (is this router capable of routing policy too, so not all the traffic would be routed through the tunnel?)
Feb 18, 2013
I am working with a RV180w and need to map drives from the internal network to the VPN client but whenever I try to connect to a shared drive I continue to get authentication messages from the DC. Any useful guide for configuration in this scenario. Internal subnet is on Windows 2008 domain.
May 6, 2008
I read the Cisco document: [URL]. The PPTP client is inside, the PPTP server is outside. When I do not use the firewall, the PPTP connection can be established successfully. But using the PIX 525 7.0(7) I configured:
inspect pptp.
The PPTP connection cannot be set up.
show connection in PIX:
PPTP TCP 1723 is OK.
The GRE connection has only one "E" flag; E means 'outside back connection'. I tried a second method: delete 'inspect pptp', permit tcp 1723 and gre traffic from outside to inside, and I have configured static NAT, but the PPTP connection does not work either. So I think there is a PPTP bug in PIX 7.0(7).
Mar 22, 2011
I need add following to our firewall configuration ( we are changing watchguard firewall to cisco and it was necessary to be configured this way )
1) I need to create 1-1 NAT for our voip system and video conferencing unit and to do it as below
VOIP-SIP : from 85.90.225.100 to 217.207.96.121 on port tcp/udp 5060
VC-SIP : from any_external to 217.207.96.120 on port tcp/udp 5060
VC-Video : from any_external to 217.207.96.120 on port tcp/udp 60000 to 64999
VOIP-RTP : from 85.90.225.100 to 217.207.96.121 on port tcp/udp 10000 - 20000
2) I need to enable PPTP traffic to pass from outside to inside and vice versa
current config:
Result of the command: "show running-config"
: Saved
:
ASA Version 8.2(2)
!
hostname ciscoasa
names
name 10.10.1.19 barracuda
name 192.168.1.2 ctxdmz
name 10.10.1.39 ftp1
name 10.10.1.38 ftp2
name 10.10.1.37 ftp3
name 10.10.1.192 mailsvr
name 217.207.96.114 outside_114
name 217.207.96.115 outside_115
name 217.207.96.116 outside_116
name 217.207.96.117 outside_117
name 217.207.96.118 outside_118
name 217.207.96.119 outside_119
name 217.207.96.120 outside_120
name 10.10.1.8 transfer_server
name 10.10.1.10 backupsvr
name 10.10.1.4 citrixsvr1
name 85.90.225.100 voip_sip
name 10.10.1.9 minimac1
name 82.111.186.146 sdt_rdp
name 217.207.96.121 outside_121
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.1.1 255.255.255.0
!
interface Vlan3
 nameif dmz
 security-level 50
 ip address 192.168.1.1
[code]....
View 5 Replies
View Related
Mar 14, 2013
I'm using two RV180 for a site to site IPsec VPN. The IPsec VPN connection is working only if I try a manual connect. After some time the connection is dropped and there is no auto reconnect for it.
May 20, 2011
The computer in question is one of 30 computers in the same office that is not currently experiencing this same thing. All connected through the same switch, patch panel, etc. Testing has proven that the switch and line is fine. We have a server set up for all of the multifunction printers on property and we simply map the printers through this unit. We have an exchange server for email. File server... for... files. Okay, here is the situation. This IBM desktop will be connected to everything, able to print, email, connect to files, etc etc. Then, or so it seems, it will just lose its connection. No email, printing etc. She is asked to put in her network credentials again, and usually this works. (It seems that the network dropping out may take up to 3 minutes to fully restore and she tries to put in her credentials too soon.) After each event she is able to restart her computer or type in her credentials and get back to work.. after mapping the printer again.