Cisco Firewall :: 5540 - Remote VPN Authentication Fail?

Mar 15, 2011

wht would be change on configuration of remote access VPN on asa 5540.
  
4|Mar 16 2011|15:26:01|713903|||Group = tesTGroup, Username = GSDc2gsIdc, IP = 5.1.9.9, Error: Unable to remove PeerTblEntry3|Mar 16 2011|15:26:01|713902|||Group = tesTGroup, Username = GSDc2gsIdc, IP = 5.1.9.9,

[Code].....

View 3 Replies


ADVERTISEMENT

Cisco VPN :: All Remote Wireless IPSec Remote Clients Fail Connecting To ASA 5500

Sep 12, 2012

We have two ASA 5500 series Firewalls running 8.4(1).  One in New York, another in Atlanta.They are configured identically for simple IPSecV1 remote access for clients.  Authentication is performed by an Radius server local to each site.
 
There are multiple IPSec Site-to-Site tunnels on these ASA's as well but those are not affected by the issues we're having.First, let me start with the famous last words, NOTHING WAS CHANGED.
 
All of a sudden, we were getting reports of remote users to the Atlanta ASA timing out when trying to bring up the tunnel.  They would get prompted for their ID/Password, then nothing until it times out.Sames users going to the NY ASA are fine.After extensive troubleshooting, here is what I've discovered. Remote clients will authenticate fine to the Atlanta Firewall ONLY IF THEY ARE USING A WIRED CONNECTION.
 
If they are using the wireless adapter for their client machine, they will get stuck trying to login to Atlanta.These same clients will get into the New York ASA with no problems using wired or wireless connections.Windows 7 clients use the Shrewsoft VPN client and Mac clients use the Cisco VPN client.  They BOTH BEHAVE the same way and fail to connect to the Atlanta ASA if they use their wireless adapter to initiate the connection.
 
Using myself as an example.
 
1. On my home Win 7 laptop using wireless, I can connect to the NY ASA with no issues. 
 
2. The same creditials USED to work for Atlanta as well but have now stopped working.  I get stuck until it times out.
 
3. I run a wire from my laptop to the FiOS router, then try again using the same credentials to Atlanta and I get RIGHT IN.
 
This makes absolutely no sense to me.  Why would the far end of the cloud care if I have a wired or wireless network adapter?  I should just be an IP address right?  Again, this is beyond my scope of knowledge.We've rebuilt and moved the Radius server to another host in Atlanta in our attempts to troubleshoot to no avail.  We've also rebooted the Atlanta Firewall and nothing changed.
 
We've tried all sorts of remote client combinations.  Wireless Internet access points from different carriers (Clear, Verizon, Sprint) all exhibit the same behavior.  Once I plug the laptops into a wired connection, BAM, they work connecting to Atlanta.  The New York ASA is fine for wired and wireless connections.  Same with some other remote office locations that we have.
 
Below I've detailed the syslog sequence on the Atlanta ASA for both a working wired remote connection and a failed wireless connection.  At first we thought the AAA/Radius server was rejecting us but is shows the same reject message for the working connection.  Again, both MAC and Windows clients show the same sequence.Where the connection fails is the "IKE Phase 1" process.

-------------------------------------------------------------------------------------------------------------------------
WORKING CONNECTION
-------------------------------------------------------------------------------------------------------------------------
 %ASA-6-713172: Automatic NAT Detection Status: Remote end is|is not behind a NAT device This end is|is not behind a NAT device
NAT-Traversal auto-detected NAT.
 %ASA-6-113004: AAA user aaa_type Successful: server = server_IP_address, User = user
 %ASA-6-113005: AAA user authentication Rejected: reason = string: server = server_IP_address, User = user

[code]...

View 1 Replies View Related

Cisco :: 1310 - 802.1x Authentication Fail Through WLC But OK On Autonomous APs

Jun 5, 2013

I migrate 1310 APs from Autonomous to Lightweight. Migration is OK with Cisco Upgrade Tool, and AP are registered on my 2504 WLC.
 
Previously, a 802.1x network was broadcasted by autonomous APs, supplicants were identified on a freeradius server with MSCHAPv2/PEAP method.
 
But on the WLC, supplicants can't auth on Radius server.I configured a WLAN with WPA/TKIP/802.1x with my radius server in AAA tab.When clients try to authenticate, I get these messages where xxx is login:

-AAA Authentication Failure for UserName:821 User Type: WLAN USER
-AAA Authentication Failure for UserName:200 User Type: WLAN USER
-AAA Authentication Failure for UserName:209 User Type: WLAN USER
 
Security info on client page is:

Security Policy CompletedNo ###Policy TypeWPA###Encryption CipherTKIP-MIC###EAP TypePEAPSNMP NAC State Access ###Radius NAC State8021X_REQD .

What is strange, there are some clients which are OK in RUN State, and 50 other % which are not.

View 10 Replies View Related

Cisco VPN :: ASA 5540 AnyConnect Client Certificate Authentication

Jan 22, 2012

I want to connect with AnyConnect Secure Mobility Client 3.0.2052 to ASA 5540 Version 8.4 and SSL Premium License.The clients using Maschine Certificate to authenticate to ASA. This works fine.Now I want to setup a DAP to verifiy the client against the Microsoft AD using LDAP. I configured LDAP server in ASA see:aaa-server LDAP protocol ldap aaa-server LDAP (inside) host ldap.com ldap-base-dn DC=x,DC=x,DC=x,DC=com ldap-scope subtree ldap-login-password ***** ldap-login-dn ***** server-type microsoft ,I can see that it works if I test the server via the testbotton in ASDM and I see it in CLI "debug ldap 255" also. But if I configure in DAP: AAA Attribute ID:memberOf = DomainMember I can not see any request to the LDAP server during I try to connect with the Client und the DAP doesn't match.

View 2 Replies View Related

Cisco VPN :: 5540 ANyConnect Client Certificate Authentication

Jul 13, 2011

want to connect with AnyConnect Secure Mobility Client 3.0.2052 to ASA 5540 Version 8.4 and SSL Premium License.The clients using Maschine Certificate to authenticate to ASA. This works fine.
 
Now I want to setup a DAP to verifiy the client against the Microsoft AD using LDAP. I configured LDAP server in ASA see: [code]I can see that it works if I test the server via the testbotton in ASDM and I see it in CLI "debug ldap 255" also. But if I configure in DAP: AAA Attribute ID:memberOf = Domain Member I can not see any request to the LDAP server during I try to connect with the Client und the DAP doesn't match.

View 3 Replies View Related

Cisco VPN :: 5540 - Prompting For Domain Name When Requesting Authentication To User

Jun 26, 2011

I have a remote access VPN profile configured on an ASA 5540. This profile is almost identical to the same profiles configured on other ASA 5540. The profile is linked to Active Directory for authentication. For some reason, users are not being prompted for the domain name field when connecting to the firewall, on the other firewalls they get prompted for all three (user/pass/domain).
 
All the firewalls are running 8.0(4) 32. And the following is the configuration of the firewall that I am experiencing issues with:
 
ip local pool TESTVPN 10.244.124.1-10.244.127.254 mask 255.255.252.0
 
group-policy TESTCERT internal
group-policy TESTCERT attributes
banner value **** WARNING ****
banner value You are Now Successfully Connected (code)

View 1 Replies View Related

Cisco VPN :: ASA 5540 - Client IPsec Authentication Using Digital Certificate

Sep 11, 2011

I need some clarification with configuring my ASA 5540 with IOS 8.3x for remote client certificate authentication.
 
I have my root certificate from the Microsoft CA but not quite sure if the outlined steps in the Cisco websites below are exactly what I need since the firewall seems to be generating the certificate to be used. [URL]. 
 
My setup is such that the CA will issue certificates to the remote clients and to the ASA firewall, and the remote clients will authenticate and connect with their certificates which the firewall constantly updates using the CRL update from the CA. The dhcp pool is to be issued by the domain controller on the inside network and not on the firewall. Any examples or best practice steps to achieve this.

View 8 Replies View Related

Cisco :: WLC 4402 Web-authentication Fail With External RADIUS Server

Jul 3, 2007

I follow step by step the link bellow to configure web-auth with external RADIUS server but I receive a error on console debug of the WLC "Returning AAA Error No Server (-7) for mobile"My Radius Server is fine, because I can authenticate on WLC Web page with RADIUS user.  WLC 4402 version 4.1.171.0 [URL]

View 2 Replies View Related

Cisco AAA/Identity/Nac :: Http Radius Authentication Fail In 12.2.58 And 15.0.1 For 2960

Aug 18, 2011

Find here the extraction of the configuration and the debug sysout. The radius servers works fine with all the other accesss like ssh, telnet...
 
Just the http access fail. This configuration work fine with the version 12.2.55 installed before.
  
Aaa new-model
aaa authentication login default group radius local
aaa authentication login physique local

[Code].....

View 2 Replies View Related

Cisco Switching/Routing :: C2969-48PST-L - PC Will Fail Authentication Intermittently

Jun 19, 2012

I have a c2969-48PST-L switch running IOS Version 12.2(55) SE. The switch is configured for 802.1x authentication. The radius server is a Cisco ACS 5.2. We are using PEAP and allowing EAP-TLS and EAP-MS-CHAPv2. Windows 7 PCs (HP Elitebooks) are using the "windows" supplicant and configured to 802.1x authentication is enabled using Microsoft Protected EAP (PEAP), we are not validating any certificates and the authentication method is Secured password (EAP-MSCHAP v2). What is occurring every so often is that the PC will fail authentication (intermittently) and the ACS shows the reason as being 5411 EAP session timeout. This is a pretty generic message according to TAC. The interesting part to me is the Authentication Method showing on the ACS when the authentication fails is simply PEAP. However, when it does not fail the Authenication Method is shown as PEAP (EAP-MSCHAPv2). We have the Cisco TAC looking at the ACS and they are saying the issue is the client not reponding to the request correctly from the switch.if the version of IOS softare on the switch maynot be handling the communication to the ACS correctly. I have wireshark traces of a successful authenication and unsuccessful one. There does seem to be any difference from the client side at all.

View 1 Replies View Related

Cisco Switching/Routing :: WS-C3750X-48T-S - Error On Default IOS / Authentication Fail

Feb 8, 2012

I am getting the below error on my new switch though I can’t find out A. why I am getting the error and obviously B. how to resolve said error as I need to ensure I am operating under the letter of the law and compliance.  The switch is a WS-C3750X-48T-S running C3750E-IPBASEK9-M, per my research IP base is the correct IOS for a T-S switch, the label on the outside of the switch matches the show ver (WS-C3750X-48T-S) so I know that IPBase is the right IOS for the hardware.  Could it be that I don’t have the license file installed? Below is what I get when I do a show license.  Lastly is there a place that I can find what IOS ships default with what switches, not version but type like c3750e-ipbasek9-mz.150-1.SE vs c3750e-ipbase-mz.150-1.SE
 
Error“%ILET-1-AUTHENTICATION_FAIL: This Switch may not have been manufactured by Cisco or with Cisco's authorization.  This product may contain software that was copied in violation of Cisco's license terms.  If your use of this product is the cause of a support issue, Cisco may deny operation of the product, support under your warranty or under a Cisco technical support program such as Smartnet.  Please contact Cisco's Technical Assistance Center for more information.”

[code].....

View 3 Replies View Related

Cisco VPN :: Remote Access On ASA 5540 Version 8.4?

May 22, 2013

I have two Firewalls one on MAIN site and another on BR site. I have configured RA VPN for both and i am able to access the internal networks of respective Firewalls. But the requirement is i want to connect to the Main site through RA VPN and access the BR SITE internal networks through that connection.

View 4 Replies View Related

Cisco VPN :: ASA 5540 Remote VPN With DHCP Failing

Feb 28, 2013

I am currently running an ASA5540 version 8.3(2). I have multiple remove vpn users currently working on this server. Lately, I have had issues with people getting booted or not being able to route anywhere and it appears to be cause they keep fighting for the same IP address using the local pool, so I decided to attempt to do DHCP instead (I have no idea why it keeps overlapping IPs, we have tons in the pool and they keep fighting for the same one). This just started about a month ago, we are only using maybe 3-5 IPs out of the /24 block. The only thing that has changed was we have hired more people, but we have separate groups for corporate vs operations team.
 
So, I setup the dhcp-network-scope for the subnet and the dhcp-server under the policies. I see the request going to the server, but it seems to be putting the ASA MAC into the Client Hardware Address field of the DHCP header. I have attached the PCAP from the ASA showing this.

View 7 Replies View Related

Cisco AAA/Identity/Nac :: C2960 Doit1x Monitor Mode / Client Fail Authentication

Mar 21, 2013

I have a setup with a were I configured monitor mode on a switch with ISE as RADIUS server. This is for testing before a bigger deployment at a customer site.Im using ISE 1.1.3, C2960 and IOS 15.0(2) and a laptop with Windows 7 Enterprise SP1. The correct configuration with EAP-TLS and machin cert is working like it should but it is when I remove this and make the laptop fail that I get wierd results with monitor mode. I cant get DNS to work in dot1x monitor mode if the client fail authentication.
 
When the client fail dot1x and MAB it gets a IP with DHCP. I can ping but DNS/browsing is not working. If I put the AuthC back and the client authenticates DNS is working, or if I turn of dot1x on the client then DNS work as it should. [code]

View 3 Replies View Related

Cisco AAA/Identity/Nac :: C3560E / Authentication Event Fail Action Authorize VLan

Jul 15, 2012

when the supplicant is missing vlan500 is open for port and everything is ok, but when supplicant has wrong configuration something happend and port is always authenticating(every 30s, vlan500 is not assign to this port with bad configuration supplicant) and logs show something like that
 
Jul 10 10:20:12.362: %AUTHMGR-5-START: Starting 'dot1x' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A3545161E4 Jul 10 10:20:44.365: %AUTHMGR-5-START: Starting 'mab' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A45451DF11 Jul 10 10:20:44.399: %MAB-5-FAIL: Authentication failed for client (001e.3718.7297) on Interface Ga0/1AuditSessionID 0A0EFF5B000004A45451DF11 Jul 10 10:20:44.399: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A45451DF11 Jul 10 10:20:44.399: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A45451DF11 Jul 10 10:20:44.399: %AUTHMGR-5-START: Starting 'dot1x' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A45451DF11
  
version - Cisco IOS Software, C3560E Software (C3560E-UNIVERSALK9-M), Version 15.0(1)SE2
  
port config:

interface GigabitEthernet0/1
switchport access vlan 104
switchport mode access
switchport voice vlan 200
authentication event fail action authorize vlan 500

[code]....

View 3 Replies View Related

Cisco VPN :: Set Up Remote Access IPsec VPN On Pair Of ASA 5540

Feb 6, 2011

I'm trying to set up remote access IPsec VPN on a pair of ASA 5540 without much success. I can connect with a client on the outside, and when I try to ping something on the inside I can see the ping requests reach the target but the answers don't come back to the VPN client. I've tried with different NAT rules without success.

View 3 Replies View Related

Cisco VPN :: ASA 5540 - Client On Windows 7 With No Remote Access

Feb 22, 2011

Recently i have received one of my collegue's laptop that is running windows 7.I have installed cisco VPN client version 5.0.07.0290 on it and  VPN client appears to connect to our ASA5540, but we are unable to connect (remote desktop) to any machines on our network as it does on our XP laptops.  Furthermore, we cannot ping any as well.  Also, while connected the Windows 7 machine is still able to access internet site as if split-tunneling was configured, which its not.
 
But after some searching , i found from "routeprint" output (shown below ) that my local internet gateway is prefered over the VPN gateway which is 10.10.4.1.Here 10.10.4.19 is the IP address assigned for VPN adaptor.
 
Network Destination        Netmask          Gateway       Interface  Metric          0.0.0.0                    0.0.0.0      192.168.1.1      192.168.1.2     25          0.0.0.0                    0.0.0.0        10.10.4.1       10.10.4.19    100
 
But after i manually add the below route on windows 7 laptop , it started connecting to remote desktop successfully.
 
route change 0.0.0.0 mask 0.0.0.0 10.10.4.1 metric 20
 
But aftersome time of idle state , it is again going back to original route state of prefering the local gateway of 192.168.1.2 and thus unable to connect to Remote Desktop again.

View 3 Replies View Related

Cisco VPN :: 5540 VPN Remote Access Intermittent Disconnection

Feb 23, 2011

Currently i m experiencing VPN Remote access intermittent disconnection on the asa 5540,what is the reason for that?how to start  a proper troubleshooting?

View 2 Replies View Related

Cisco AAA/Identity/Nac :: Accounting Setup On WLC 440x / 5508 ACS Takes It As Authentication Request And Fail

Dec 8, 2011

accounting in ACS 5.3. When I setup accounting on WLC 440x / 5508 ACS takes them as an authentication request and fail.
 
Here are some logs what I see in acsview:
 
Dec 9,11 6:05:11.783 PM
Radius authentication failed for USER: navrka2  MAC: a.b.c.d  AUTHTYPE: Radius authentication failed
 ACS Session ID:
dc2aaa1v/112555963/420
Audit Session ID:
0a9a01d7000001fd4ee23a3d
Tunnel Details:

[code]...

View 4 Replies View Related

Cisco VPN :: 6509 / 7609 - L2L VPN Negotiations Fail From Remote End

May 31, 2011

We have a problem with an existing L2L VPN connection. The connection has to this day served only connections originating in one direction. Meaning only one end initiates the connections. This has worked normally so far. Now the third party behind the L2L VPN also wants to access some resources trough the L2L VPN and because of that also initiates the connections. This is where we face our problem.
 
For some reason the remote end cant bring up the L2L VPN where as we can (and the second party in our end of course). The connection was originally on a Cisco 6509 WS-SVC-IPSEC-1 module. For the tests in new equipment we moved the connection to a Cisco 7609 with SPA-IPSEC-2G module. The remote end uses Checkpoint FW1 R70 (or something like that. I'm not familiar with Checkpoints) With both equipment the problem remains. We did the tests today and i took some debug messages on our end with "debug crypto isakmp" and "debug crypto isakmp error" enabled. I also enable the "debug crypto condition peer ipv4 x.x.x.x" for the debugs as there are several other connections on the same device. This is what the debug shows (Remote end IP replaced with x.x.x.x):
 
Jun  1 2011 07:20:58.062 UTC: ISAKMP: local port 500, remote port 500Jun  1 2011 07:20:58.062 UTC: insert sa successfully sa = 207E7B00Jun  1 2011 07:20:58.062 UTC: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCHJun  1 2011 07:20:58.062 UTC: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1
[code]..... 

To my eye it seems that the attributes/parameters for Phase 1 are OK on both ends (have to be since the connection forms normally when the traffic is initiated from our side) but somewhere along the way the negotiations stop because our end gets a malformed packet during the negotiations? Does this mean the remote end is somehow faulty? Is there some compatibility problem with the VPN devices in question? or its the sign of some known problem with VPN connections? So far I have not found any explanation to what is causing this.

View 4 Replies View Related

Cisco Routers :: RV220W V1.0.2.4 Remote Management / Load Balanced Proxy Fail?

Sep 26, 2011

I just purchased 5 RV220W to act as internet/wireless router at a remote site. There is no VPN, just LAN and Wireless routing to the internet.I have setup remote management and it works fine when I am directly connected to the internet. However, everytime I try to connect through our HTTP/HTTPs proxy farm, it usually fails. Specificially, I get the log-in page and can log in. It starts to render the landing page but redirects to a page stating "Your session has been terminated." On rare instances the first page will appear, however within a few clicks I end up with the same terminated page.
 
As a test, I bypassed the farm and forced my browser to use one proxy exclusively. At that point I could access the HTTPS interface with no issue. I have not had any issues with other SSL sites with the proxy configuration in use.Is there some sort of MITM prevention I could be running into? If so, can it be turned off.I am new to the RV-series of routers. Is there any logging I could turn on that would provide insight on why the session may be getting terminated?

View 2 Replies View Related

Cisco Firewall :: ASA 5540 - Version Change In Firewall?

Mar 15, 2012

How are asa5540 in high availability mode upgraded for their versions.

View 1 Replies View Related

Cisco Firewall :: Polycom HdX8000 Behind ASA 5540 Firewall?

Dec 28, 2012

I am encountering some problems setting up my new polycom hdx 8000 behind ASA 5540?I have opened reuired ports through the firewall ( incoming and outgoing). I have enabled inspection h323 on ASA and enabled the option NAT is 323 compatible on Polycom.
 
3230-3243 tcp
h323 tcp
h323 udp
3230-3285 udp
 
Here is the problem.I get connected to the call but I cannot  the remote site cannot see and hear me.But I can see and hear them.

View 9 Replies View Related

Cisco Firewall :: ASA 5540 Upgrade From 7.1 To 8.4

Jul 16, 2012

i need to upgrade ASA 5540 from 7.1 to 8.4 for secure connect feature of Cisco Jabber Configuration. Support forum guides that, i need to follow upgrade path from 7.1 --> 7.2  --> 8.0 --> 8.2 -->8.4 and also do a memory upgrade from 1GB to 2GB.
 
[URL] 
 
I need to use this feature for only three or maximum four users in company then would i really need to do  memory upgrade? or can i go with 1GB memory?also how i can get the prices of part number "ASA5540-MEM-2GB=" at cisco.com?
 
ASA-ISB-HQ# sh version  
Cisco Adaptive Security Appliance Software Version 7.1(2)
Device Manager Version 5.1(2)

[Code].....

View 2 Replies View Related

Cisco Firewall :: 5540 - ASA 8.2 No Nat-Control

Nov 19, 2011

ASA5540# sh run nat-control
no nat-control
 
this means higher security can talk to lower security without NAT rules
 
Question 1) - if I want higher security zone to to talk to lower security with NAT rules. I would use statements like below. Am I correct?
 
nat (dmz) 1 0.0.0.0 0.0.0.0
nat (inside) 1 0.0.0.0 0.0.0.0
 
global (dmz) 1 interface
global (inside) 1 interface
 
Is this correct? So in this case I am kindly of like overriding the no nat-control statement ...right?
 
Question 2) - Now I have no nat-control enabled. Would the below statements (nat 0) be of any use for NAT exemption??
 
nat (dmz) 0 access-list dmz-nonat
nat (inside) 0 access-list dbase-nonat
 
And do I have to have a global statement for NAT 0 ...like below?
 
global (dmz) 0 access-list dmz-nonat
global (apps) 0 access-list dbase-

View 2 Replies View Related

Cisco :: Aironet 600 Can Remote LAN Interface Be Configured To Skip Authentication For IP

Feb 3, 2013

On an AIRONET 600 AP (officeExtend) with the remote LAN interface is configured to use 802.1x authentication:If a Cisco IP Phone is connected, 801.x authentication challenges for credentials. The AP does not seem to have a way to detect that this is an IP Phone and to skip the challenge (as Cisco switches/routers would do) Is there any way around this? Can the remote LAN interface be configured to skip authentication for IP Phone and only authenticate PCs etc..?

View 5 Replies View Related

Cisco WAN :: 2960 Should One Server Fail Other Will Act As Fail Over

Feb 22, 2012

We have two Cisco 2960 TT-L switches. I'd like to reduce single points of failure and have dual servers for most tasks. For example, two firewall servers and two web servers. Should one server fail the other will act as a failover.I'd like to extend the redundancy to the switches, and am thinking of connecting one web server to one switch, and one to the other. In the event a switch failed a set of servers would still run, and be able to talk to each other.I'd like to run two VLANs, one for the LAN, and one of the WAN, and connect the two VLANs on each of the switches with the associated VLAN on the other switch.

View 3 Replies View Related

Cisco Firewall :: Cannot Log In To ASA 5540 ASDM After Configuration IPS

Jun 10, 2012

I Have Cisco 5540 with AIP-SSM-40, recently i config AIP-SSM-40 to capture all traffic from all interface any to any with promiscous mode and if card fail traffic still flow throuh asa, but after that i can't login to cisco ASDM, the error is "Un Able To Launch Device Manager From xx.xx.xx.xx"               

View 2 Replies View Related

Cisco Firewall :: High CPU Utilization On ASA 5540

May 11, 2008

I have a remote site customer with a Cisco ASA 5540 running SSLVPN (Anyconnect)(8.03). It currently only serves about 450 SSLVPN clients. Since last friday, they've seen the CPU utilization go up to high 90% while only serving 400+ remote users. I saw some high cpu utilization bugs, but none looked to be relevant. How I can find the root cause of the CPU high utilization?

View 2 Replies View Related

Cisco Firewall :: ASA 5540 - NAT Not Working After Upgrade

Apr 26, 2011

Just upped our external ASA-5540 pair to 8.4(1), and now one of our nat's is busted.
 
Here's the lowdown:
 
Our public IP for our IronPorts ends in .167.  That IP is natted to a VIP on our ACE, which load balances to the IronPorts.
 
The outside interface of the ASA uses .162, which has been the pat for all outbound traffic for a few years... except for the subnet that houses the IronPorts.  Due to reverse lookup, that subnet uses the .167 IP address for all outbound traffic.
 
After the code upgrade, the nat won't work.  No email sent or received.  Nothing but Deny's on the ASA with flags reading either "SYN" or "RST".  IE: Apr 27 12:56:11 10.22.151.41 local5.crit %ASA-2-106001: Inbound TCP connection denied from 69.25.174.17/36917 to 207.236.211.167/25 flags SYN  on interface outside
 
If I return the subnet pat back to the outside interface, then inbound traffic works fine, though reverse lookup fails and anyone running a reasonable spam filter won't send to us.

View 6 Replies View Related

Cisco Firewall :: Reasons To Upgrade ASA 5540

Apr 29, 2012

I have two Cisco ASA 5540, these ASA running ver 7.2. and used mainly as VPN gateways.My question is simple, Apart from the extra AnyConnect client functionality and the higher encryption, is there any specific security benefits (related to the VPN use) for upgrading to ver. 8.x ?

View 4 Replies View Related

Cisco Firewall :: ASA 5540 Simulation In GNS3

Jan 26, 2013

I have to use GNS3 for simulate ASA5540.but it does not work. I've installed latest GNS3(0.8.3.1 all in one) in Win7 32bit environment, and used IOS file is asa842-k8.bin.but i can't unpack it properly. it said "Couldn't find any ZIP header in asa842-k8.bin".

View 2 Replies View Related

Cisco Firewall :: Asa 5540 8.2.3 Arbitrarily Reload

Dec 19, 2011

I have two ASA 5540 working in Active/Standby mode. After I've upgraded them to 8.2.3 ver. I have the following issue: once a day presently active device arbitary reloadI have no err in show version and in syslogs:11:15:50 ASA : %ASA-6-302020: Built inbound ICMP connection for faddr 10.10.0.36/512 gaddr 10.0.0.16/0 laddr 1011:15:58 ASA : %ASA-1-104001: (Primary) Switching to ACTIVE - HELLO not heard from mate.

View 4 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved