Cisco Firewall :: ASA 5540 - 3000 Simultaneous IPsec Connections

May 15, 2013

We are planning to use an ASA 5540 to terminate about 3000 IPSec connections. The maximum supported IPsec VPN Peers for this platform is 5000, so this should be ok in theory.

What is a bit unclear to me is what exactly happens when (for whatever reason) all 3000 clients try to connect at once? Perhaps it's not at once but depending on timers this could mean 3000 incoming IPsec connections within 10-20 seconds.

Will the ASA cope with it? I can't find any info regarding this on CCO. It's also not that easy to test/simulate.


Cisco Firewall :: ASA5510 / Simultaneous Clientless SSL Connections?

Jun 14, 2011

I've setup access via our ASA5510 portal which is working fine but I can't seem to connect to the ASA when there are two active connections. If there is only one, it's fine.

Problem - Unable to Connect More Than Three WEB VPN Users to PIX/ASA

Problem: Only three WEB VPN clients can connect to ASA/PIX; the connection for the fourth client fails.

Solution: In most cases, this issue is related to a simultaneous login setting within the group policy. Use this illustration to configure the desired number of simultaneous logins. In this example, the desired value was 20.

ciscoasa(config)# group-policy Bryan attributes
ciscoasa(config-group-policy)# vpn-simultaneous-logins 20

Would this be the same thing?

If so how would I check the existing setting in the GUI?


Cisco Firewall :: 5540 - Multicast Over Lan To Lan Ipsec Tunnel

May 3, 2011

I need to configure multicast between 2 Cisco 5540's lan to lan ipsec tunnel for a Voip application.


D-Link DIR-615 :: Supports Only 32 Simultaneous Connections?

May 28, 2011

Today I read a comment on a review of DIR-615 [URL], saying it supports only 32 concurrent connections whereas other routers support more than 200.


Cisco Wireless :: AIR-LAP1131AG-E-K9 Maximum Of Simultaneous Connections

Feb 6, 2012

Does anybody know what is the maximum number of simultaneous connections that the AIR-LAP1131AG-E-K9 access point supports?


Cisco Firewall :: ASA 5540 - IPSec Tunnel / ASA Refuses To Encrypt Traffic But Decrypts It

May 31, 2012

This has to be the weirdest issue I have seen since the past year on my ASA. I have an ASA 5540 running the 8.4(2) code without any issues until I stumbled upon this problem last week and I have spent sleepless nights with no resolution! So, take a deep breath and here is a brief description of my setup and the problem:

A Simple IPSEC tunnel between my ASA 5540 8.4(2) and a Juniper SSG 140 screen OS 6.3.0r9.0 (route based VPN)

The tunnel comes up without any issues but the ASA refuses to encrypt the traffic but decrypts it with GLORY! Below are some debug outputs, show outputs and a packet tracer output which also has an explanation of my WEIRD NAT issue:

My setup - (I won't get into the tunnel encryption details as my tunnel negotiations are **** perfect and come up right off the bat when the ASA is configured as answer only)
 
CISCO ASA - IPSec networking details
LOCAL NETWORK - 10.2.4.0/28
REMOTE NETWORK - 192.168.171.8/32
JUNIPER SSG 140 - IPSec networking details
PROXY ID: LOCAL NETWORK - 192.168.171.8/32
REMOTE NETWORK - 10.2.4.0/28 
HOST NAME# sh cry ipsec sa peer <JUNIPER SSG PEER>
peer address: <JUNIPER SSG PEER>
[code]... 

As you can see, there is no echo reply packet at all as the packet is not being encapsulated while it is being sent back. I have been going mad with this. Also, this is a live production multi tenant firewall with no issues at all apart from this ****** ip sec tunnel to a juniper!!

Also, the 192.168.10.0/24 is another IP Sec tunnel remote network to this 10.2.4.0/28 network and this IP SEC tunnel has a similar Juniper SSG 140 screen os 6.3.0r9.0 at the remote end and this works like a charm without any issues, but the 171 is not being encrypted by the ASA at all.


Belkin Routers :: How Many Simultaneous Connections Does The AC1200 Support

Nov 5, 2012

I bought this router to temporarily replace my firewall while I wait for it to be replaced. We have a training center that when running full tilt, we probably have 50 devices trying to get on the internet.


Linksys Wireless Router :: WRT54G2 V1 Stops Routing After Some Simultaneous TCP Connections

Nov 3, 2012

this issue with my WRT54G2:
 
- when I open more than 2 or 3 browser windows or anything that accesses the internet, it stops routing

- shutdown and power up make it work again (then it stops again after some simultaneous tcp connections)

- hard reset doesn't work

- WRT54G2 V1 Firmware Version: 1.0.04 


Cisco VPN :: Private-to-Public IP NAT Through IPSEC VPN On 3000 Concentrator

Jul 27, 2011

We have to setup an IPSEC tunnel for a client that does not want to exchange private IP address information for security and overlapping address space reasons. We will both be natting our source private ip address space as public IP address space and send those packets through the established tunnel. I'm using a Cisco 3000 concentrator.


Cisco VPN :: 3000 To 2611 IPSEC Tunnel Failing

Aug 16, 2011

Phase1 is complete, Phase2 isn't coming up...everything has been verified on both sides but we're getting unknown errors.
 
Aug 17 11:33:15.609 CDT: ISAKMP (0:2): Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
Aug 17 11:33:15.609 CDT: ISAKMP (0:2): Input = IKE_MESG_INTERNAL,

[Code].....


Cisco VPN :: VPN 3000 Setting Two Concentrators At Different Sites To Create Ipsec Tunnel

May 20, 2011

I'm currently setting up two VPN 3000 Concentrators at two different sites to create an IPsec LAN-to-LAN Tunnel. I have gone through all the basic configuration guides on the CISCO site, but a LAN-to-LAN session is never created. I have enabled the logs on the Concentrator and it displays no errors at all - it appears the Concentrator is not even trying to establish an IPsec LAN-to-LAN Tunnel. After running through the standard setup provided by CISCO, is there anything I need to do to make the Concentrator try to create a Tunnel, or should this be automatic once all settings are in place?


Cisco VPN :: 3000 Network Address Is Allowed Down Tunnel / Check Phase 2 IPSEC Proposal

Nov 4, 2012

I need to check and possibly change which Network address is allowed down a tunnel and check our Phase 2 IPSEC proposal. How would I do this on a VPN3000?


Cisco VPN :: Set Up Remote Access IPsec VPN On Pair Of ASA 5540

Feb 6, 2011

I'm trying to set up remote access IPsec VPN on a pair of ASA 5540 without much success. I can connect with a client on the outside, and when I try to ping something on the inside I can see the ping requests reach the target but the answers don't come back to the VPN client. I've tried with different NAT rules without success.


Cisco Routers :: WRVS4400N Connecting To ASA 5540 IPSec L2L?

May 15, 2013

I have a remote WRVS4400N that has a dynamic outside address that's initiating a connection to an ASA 5540 with a static address.
 
I'm all set on the ASA side.  My questions relate to the 4400N.  It doesn't appear to have a very robust configuration/setup available for L2L tunnels.  For one my encryption is limited to 3DES.
 
But I'm wondering if I'm missing something in the config. I have to set up L2L tunnels to two other firewalls. One firewall has 3 discontiguous networks, and the other has 2. I have 5 tunnels setup, is this the only way? What I would like to see is 2 tunnels, one for each remote firewall, but then each tunnel would have access to the appropriate networks (like on the ASA side), is there any way to do this? Perhaps a command line util for this unit?
 
My other issue relates to the tunnel-groups I have set up on my ASA's, and I would like to use appropriate names...however I can't seem to find a way to enable this to happen on the 4400N side....what I mean is I need a way to create either a "keyword identifier" or a "firewall identifier" on the 4400N and I don't see an appropriate field in the web interface.


Cisco VPN :: ASA 5540 - Client IPsec Authentication Using Digital Certificate

Sep 11, 2011

I need some clarification with configuring my ASA 5540 with IOS 8.3x for remote client certificate authentication.
 
I have my root certificate from the Microsoft CA but not quite sure if the outlined steps in the Cisco websites below are exactly what I need since the firewall seems to be generating the certificate to be used. [URL]. 
 
My setup is such that the CA will issue certificates to the remote clients and to the ASA firewall, and the remote clients will authenticate and connect with their certificates which the firewall constantly updates using the CRL update from the CA. The dhcp pool is to be issued by the domain controller on the inside network and not on the firewall. Any examples or best practice steps to achieve this?


Cisco VPN :: TFTP From ASA Via Site To Site IPSEC Tunnel 5540

Nov 1, 2011

I am having issues getting my ASA 5540 at site A, to pass TFTP and SYSLOG from itself across the IPSEC tunnel to our SYSMON servers (Syslog and TFTP) that live at site B. I have followed the suggestions of other threads and I am still not getting anywhere. Here is a quick topology diagram.


Cisco Routers :: RV220w Configure For Ipsec Vpn Connections

Jan 2, 2013

I have an RV220w in office, which I have configured for ipsec vpn connections. Behind router there is a NAS for file storage. [code]

I have managed to connect to router from my home with ShrewVPN and I can ping every client connected to RV220w. The problem is that I can't connect either to router's web interface or to NAS web interface or any other intranet web page (the browser doesn't give any error, but keeps loading without showing the web page). Although, I can access web pages from my laptop.

Also, in windows file explorer when I connect to NAS, although I can browse folders I can't copy files from my laptop to NAS and vice versa, I always get timeout error (I have checked the permissions to NAS and in addition I succeed to copy a small txt file 1kb, but no luck with bigger files).

I also tried with QuickVPN client, but I had the same results. When I connect with pptp from windows everything works like a charm. My laptop has windows 7 64bit.


Cisco VPN :: DS3 - Limit Number Of Active IPSec Connections Per Host

May 18, 2011

I have a hub and spoke network with over 100 remote sites that connect to me via ipsec vpn. One of these locations, the only one using FIOS coincidentally, is initiating 200+ tunnels back to my side which is causing saturation issues on my DS3. (I can post config if requested), and how can I limit the number of active tunnels it's establishing?


Cisco Firewall :: ASA 5540 - Version Change In Firewall?

Mar 15, 2012

How are asa5540 in high availability mode upgraded for their versions?


Cisco Firewall :: Polycom HdX8000 Behind ASA 5540 Firewall?

Dec 28, 2012

I am encountering some problems setting up my new polycom hdx 8000 behind ASA 5540. I have opened required ports through the firewall (incoming and outgoing). I have enabled inspection h323 on ASA and enabled the option NAT is 323 compatible on Polycom.
 
3230-3243 tcp
h323 tcp
h323 udp
3230-3285 udp
 
Here is the problem. I get connected to the call but the remote site cannot see and hear me. But I can see and hear them.


Won't Allow Any TCP / IP Connections As IPSec Driver Has Entered Block Mode

Apr 6, 2011

I am having some trouble with one of our servers at work. Basically it won't allow any TCP/IP connections as the IPSec driver has entered Block mode. I have been advised by our external IT support (I can't get hold of him at the moment, that's why I am here) to go into the command prompt and type: regsvr32 pdstore.dll but when I do this it can't find the file. What is pdstore.dll as when I Google this it comes up with nothing, so is this the correct command?


Cisco Firewall :: ASA 5540 Upgrade From 7.1 To 8.4

Jul 16, 2012

I need to upgrade ASA 5540 from 7.1 to 8.4 for secure connect feature of Cisco Jabber Configuration. Support forum guides that I need to follow upgrade path from 7.1 --> 7.2 --> 8.0 --> 8.2 --> 8.4 and also do a memory upgrade from 1GB to 2GB.
 
[URL] 
 
I need to use this feature for only three or maximum four users in company; then would I really need to do memory upgrade? Or can I go with 1GB memory? Also how can I get the prices of part number "ASA5540-MEM-2GB=" at cisco.com?
 
ASA-ISB-HQ# sh version  
Cisco Adaptive Security Appliance Software Version 7.1(2)
Device Manager Version 5.1(2)

[Code].....


Cisco Firewall :: 5540 - ASA 8.2 No Nat-Control

Nov 19, 2011

ASA5540# sh run nat-control
no nat-control
 
this means higher security can talk to lower security without NAT rules
 
Question 1) - If I want higher security zone to talk to lower security with NAT rules, I would use statements like below. Am I correct?
 
nat (dmz) 1 0.0.0.0 0.0.0.0
nat (inside) 1 0.0.0.0 0.0.0.0
 
global (dmz) 1 interface
global (inside) 1 interface
 
Is this correct? So in this case I am kind of like overriding the no nat-control statement... right?
 
Question 2) - Now I have no nat-control enabled. Would the below statements (nat 0) be of any use for NAT exemption??
 
nat (dmz) 0 access-list dmz-nonat
nat (inside) 0 access-list dbase-nonat
 
And do I have to have a global statement for NAT 0 ...like below?
 
global (dmz) 0 access-list dmz-nonat
global (apps) 0 access-list dbase-


Cisco Firewall :: Cannot Log In To ASA 5540 ASDM After Configuration IPS

Jun 10, 2012

I have Cisco 5540 with AIP-SSM-40. Recently I configured AIP-SSM-40 to capture all traffic from all interfaces any to any with promiscuous mode, and if card fails traffic still flows through asa, but after that I can't login to cisco ASDM. The error is "Un Able To Launch Device Manager From xx.xx.xx.xx"


Cisco Firewall :: High CPU Utilization On ASA 5540

May 11, 2008

I have a remote site customer with a Cisco ASA 5540 running SSLVPN (Anyconnect)(8.03). It currently only serves about 450 SSLVPN clients. Since last Friday, they've seen the CPU utilization go up to high 90% while only serving 400+ remote users. I saw some high cpu utilization bugs, but none looked to be relevant. How can I find the root cause of the CPU high utilization?


Cisco Firewall :: ASA 5540 - NAT Not Working After Upgrade

Apr 26, 2011

Just upped our external ASA-5540 pair to 8.4(1), and now one of our nat's is busted.
 
Here's the lowdown:
 
Our public IP for our IronPorts ends in .167.  That IP is natted to a VIP on our ACE, which load balances to the IronPorts.
 
The outside interface of the ASA uses .162, which has been the pat for all outbound traffic for a few years... except for the subnet that houses the IronPorts.  Due to reverse lookup, that subnet uses the .167 IP address for all outbound traffic.
 
After the code upgrade, the nat won't work.  No email sent or received.  Nothing but Deny's on the ASA with flags reading either "SYN" or "RST".  IE: Apr 27 12:56:11 10.22.151.41 local5.crit %ASA-2-106001: Inbound TCP connection denied from 69.25.174.17/36917 to 207.236.211.167/25 flags SYN  on interface outside
 
If I return the subnet pat back to the outside interface, then inbound traffic works fine, though reverse lookup fails and anyone running a reasonable spam filter won't send to us.


Cisco Firewall :: Reasons To Upgrade ASA 5540

Apr 29, 2012

I have two Cisco ASA 5540, these ASA running ver 7.2 and used mainly as VPN gateways. My question is simple: apart from the extra AnyConnect client functionality and the higher encryption, are there any specific security benefits (related to the VPN use) for upgrading to ver. 8.x?


Cisco Firewall :: ASA 5540 Simulation In GNS3

Jan 26, 2013

I have to use GNS3 to simulate ASA5540, but it does not work. I've installed latest GNS3 (0.8.3.1 all in one) in Win7 32bit environment, and the IOS file used is asa842-k8.bin, but I can't unpack it properly. It said "Couldn't find any ZIP header in asa842-k8.bin".


Cisco Firewall :: Asa 5540 8.2.3 Arbitrarily Reload

Dec 19, 2011

I have two ASA 5540 working in Active/Standby mode. After I've upgraded them to 8.2.3 ver. I have the following issue: once a day the presently active device arbitrarily reloads. I have no err in show version and in syslogs:

11:15:50 ASA : %ASA-6-302020: Built inbound ICMP connection for faddr 10.10.0.36/512 gaddr 10.0.0.16/0 laddr 10
11:15:58 ASA : %ASA-1-104001: (Primary) Switching to ACTIVE - HELLO not heard from mate.


Cisco Firewall :: ASA 5540 And FTP Over Implicit TLS / SSL Client

Jan 3, 2012

I am having the EXACT same problem as this user: URL
 
Error:   GnuTLS error -53: Error in the push function.
Response:   425 Can't open data connection.
Error:   Failed to retrieve directory listing
Response:   421 Connection timed out.
 
However I am using implicit instead of explicit. Here are the outputs of items that have been requested in the other thread.


Cisco Firewall :: ASA 5540 SSH Not Working From Outside Port

Mar 13, 2011

We are trying to connect via ssh from an outside system (from Internet); it was not getting connected.

When we try to connect from outside pool of ip then it's working.


Cisco Firewall :: ASA 5540 IPS Module Removal

May 20, 2012

I have 2 ASA 5540's that I want to run in HA A/F.  The active ASA has an IPS module running.  I no longer need this and would rather remove it than purchase another module for the spare.  What is the process to do this safely? After removal will the HA wizard recognize that the module was removed or do I have to update the software?


Cisco Firewall :: ASA 5540 / Nat Line Removed From 8.4(3) To 8.4(4) 1?

Sep 23, 2012

We have noted the automatic removal of the only "nat (inside,any)" line during the upgrade of ASA 5540 from 8.4(3) to 8.4(4) 1: why?








Copyrights 2005-15 www.BigResource.com, All rights reserved