I have an ASA (8.4.5) configured with a connection profile that does AAA and Certificate authentication. Once I have the AnyConnect 3.1 on a Win XP system, it works perfectly. When I do a web install, it goes through the normal download, log-in, re-download then says "Certificate Authentication Failure". If I change the profile to AAA only, it installs fine. I even get the error if I launch from the web after I have the client on the PC. Why is this not working?
How to install a certificate (.p7b and .crf) on my second ACE in a HA pair.
On ACE01 I generated a CSR and gave the details to our SSL provider, they provided the certificates and I imported them. All good there.
How can I install the same SSL on ACE02 if I haven't generated a CSR on my backup device, or do I generate a CSR and import the same certificate?
Since bringing the ACEs into HA all contexts have sync'd and the backup ACE is in 'hot standby' state. But one context fails the sync and I think this is because the SSL certificate is not installed correctly on the second ACE02.
I have a SR520 where the WAN is configured as PPPoE with a Dyndns address. I have done all the configuration through the CCA, and so far everything is working fine. But now I want to configure SSL VPN, and I am getting an error message: SSL VPN cannot be configured, please configure wan interface using a static IP address. Is there any way that I can configure the SSL VPN through a Dyndns address?
I have a demo room set up which includes a SR520 as the edge router connecting to the ISP, and I have a UC 560 connected to that which is working fine. I also have a new Business Edition 3000 and an 800 series router which I'm looking to connect to the SR520 for access to the ISP, as the 800 series doesn't have an ADSL line on it. I have given the 800 series router's WAN interface a static address of 192.168.75.14, which is from the address range in the SR520's default VLAN, and excluded the address from the DHCP pool. Now from the CCP Express on the 800 s I can ping the WAN port of the 800 s and the default VLAN/gateway of the SR520 and the WAN IP of the SR520 but no further. Also, once I try pinging it from the cmd on Windows I can't ping any further than the WAN interface on the 800 s.
I'd just like to report the missing "no ip name-server" command in the SR520 series router. However, it is possible to enter the command "ip name-server"; the only way to delete it is to copy a modified config from tftp or another source to the startup config. Is this behavior normal?
I'm trying to combine dynamic and static NAT on a SR520. My dynamic NAT is specified with:
ip nat inside source list 1 interface Dialer0 overload
access-list 1 permit 192.168.0.0 0.0.7.255
In addition to this I want to perform static NAT for a couple of selected internal hosts. I can do this:
ip nat inside source static 192.168.1.5 10.85.10.2
which works fine but means that the source address 192.168.1.5 is translated to 10.85.10.2 for all destination IPs. What I want is for the above static translation only to occur for a particular destination subnet. To accomplish this I have tried:
ip nat inside source static 192.168.1.5 10.85.10.2 route-map toOtherSite
route-map toOtherSite permit 10
 match ip address 150
access-list 150 permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
But this does not appear to work. Instead it seems to render the host 192.168.1.5 unable to progress through the NAT, whether the destination subnet is 192.168.10.0/24 or not, and I can't work out what I'm doing wrong.
We've (an independent school) just bought an SR520 with a view to replacing one of our Draytek 2820s. We need to set up some site-to-site VPN with NAT and the Drayteks won't do it.
I've been trying to configure the SR520 in just the most basic fashion using CCA (3.1) and the CLI but with no success. I can't get a PPP connection with our ISP.
I've tried following the instructions in the software config pdf and also tried replicating the various 'running configs' reported in other posts in this forum to allow connection to a UK ISP, with no success. I don't know how many times I've reset the poor thing to factory defaults.
I have to say that I'm dismayed at how flaky the CCA appears to be. Many of the things I've tried with it simply don't work and often end up in it hanging. Close to useless in my view.
So instead I've tried to use the CLI which seems a lot more solid but is somewhat impenetrable and there's precious little by way of supporting explanation.
My operations manager says "Could you go on-site and configure a new client's new internet connection?" I make the arrangements and go on-site. As I'm working with the provider's tech he says "Do you have a sub-interface configured for a dot1q VLAN id of 1057?", I say "What?". Anyway my firewall is not capable of dot1q VLAN, so he says "Do you have a Cisco router that can provide the trunking?", I say "Yes, I think so but not with me". The question is can I use an SR520 between my firewall and the provider demarc to route the VLAN he is talking about? My initial discovery says yes but I am not quite sure of the details on how to achieve this on the SR520.
I'm trying to configure a zone-based firewall on an SR520 and am confused about the 'not' criterion. The 'zone-design-guide' says (my stress): Class-maps define the traffic that the firewall selects for policy application. Layer 4 class-maps sort the traffic based on these criteria listed here. These criteria are specified using the match.where my intention is to let only LAN hosts with IPs in the range 192.168.1.1 to 192.168.1.7 out through the firewall. There may be an easier way of doing this which I'd be pleased to hear about. But, even if there is, I'd also be interested to know what I'm doing wrong in the above.
There is an ASA with remote access VPN and users are authenticated using third party signed certificates (CA is not local in ASA). When a user certificate expires I can see it in syslog messages. For example:
%ASA-3-717009: Certificate validation failed. Certificate date is out-of-range, serial number: (...)
I would like to know if there is an opportunity to view user's certificate expiry date beforehand, say, 3 days before?
When I try to export an SSL Certificate for a Client I get a htps . CSR file instead of the .PEM file. So, I can't update the client computer with the correct certificate.
RV042 router is giving out the router certificate instead of server certificate. Outlook Anywhere is failing and we are receiving certificate errors for any secure site behind this firewall. I'm not talking about remote management. I'm talking about people trying to access our web site, which is secured, and getting an error because the RV042 is giving its own SSL certificate instead of the Server's certificate. Firmware Version: 1.3.13.02-tm. I don't see any updates for that hardware. I do have it working on an RV042 with the same firmware at a different location. How do we turn that off or keep it from happening? Output from a test site:
Attempting to resolve the host name xxxx in DNS.
The host name resolved successfully.
Additional Details
Testing TCP port 443 on host xxxx to ensure it's listening and open.
The port was opened successfully.
Testing the SSL certificate to make sure it's valid.
The SSL certificate failed one or more certificate validation checks.
Test Steps
ExRCA is attempting to obtain the SSL certificate from remote server xxxx on port 443.
ExRCA successfully obtained the remote SSL certificate.
Additional Details
Remote Certificate Subject: SN=California, L=Irvine, C=US, O="Cisco-Linksys, LLC", OU=RV042, CN=68:ef:bd:b8:0f:78, Issuer: SN=California, L=Irvine, C=US, O="Cisco-Linksys, LLC", OU=RV042, CN=68:ef:bd:b8:0f:78.
Validating the certificate name.
Certificate name validation failed.
Tell me more about this issue and how to resolve it
Additional Details
Host name xxxx doesn't match any name found on the server certificate SN=California, L=Irvine, C=US, O="Cisco-Linksys, LLC", OU=RV042, CN=68:ef:bd:b8:0f:78.
When I access setup on an RV220W with Internet Explorer, Mozilla or Safari the following message always displays:
"There is a problem with this website's security certificate. The security certificate presented by this website was not issued by a trusted certificate authority. The security certificate presented by this website was issued for a different website's address."
I access the router by clicking on "Continue to this website (not recommended)."
This also happens anytime a URL filter is triggered by a client. I.e., clients do not see the "Blocked by Cisco Firewall" message unless they also click on the "Continue to this website (not recommended)." option.
Even worse, when I attempt to connect as a VPN, the SSLVPN applet gets java connection refused. This is why I bought this thing!
What do I need to do to fix all these certificate related errors?
The first router is wired to the DSL modem and works just fine as an access point with Internet access. The second router is wired from the first router using one of the 4 ports on both router hubs. The second router is visible but has no Internet. How to configure the second router regarding DHCP, LAN, WAN, DNS etc.
Just installed RV042 router. And it's giving out router certificate instead of server certificate so people who are trying to access our secured server are getting errors. I'm not talking about remote management. I'm talking about people trying to access our web site, which is secured, and getting an error because the RV042 is giving its own SSL certificate instead of the Server's certificate. How do we turn that off or keep it from happening?
The RV042 firm version is v4.0.0.07-tm (Aug 19 2010 19:19:50)
How to create a new unique self-signed certificate on RV120W? I can create a request for signing by an external CA, but I cannot create a new unique self-signed certificate itself.
When I attempt to export the certificate for the quickvpn client via the router web interface, it looks as if the export works, and it asks me to save the zip file. However, upon opening the zip file I receive the error: The compressed folder is invalid or corrupted.
This happens in multiple browsers, from multiple machines.
I like to use "URL Blocking" with keywords in the firewall properties. When I activate this feature, I get errors from the router certificate when I browse to any site on the Internet. Is there a way to manage this problem without using a public certificate?
The establishment of IPSEC tunnel between the RV220 and QuickVPN client works properly with the security certificate of origin of the router. RV220 V1.0.3.5, QuickVPN V1.4.2.1
Since the establishment of a self-signed security certificate, the RV220 and QuickVPN client refuse to work together.
Here is the log of the QuickVPN client:
2011/09/27 12:45:14 [STATUS]OS Version: Windows 7
2011/09/27 12:45:14 [STATUS]Windows Firewall Domain Profile Settings: ON
2011/09/27 12:45:14 [STATUS]Windows Firewall Private Profile Settings: ON
2011/09/27 12:45:14 [STATUS]Windows Firewall Private Profile Settings: ON
For some reason this RV082 (code level v2.0.2.01-tm-20110308) has generated a SSL cert that is not valid till 2022?
How to regenerate the cert with a valid date?
SSL Certificate - Future Start Date
The SSL certificate is not valid before Mar 3 06:51:27 2022 GMT :
Subject : CN=00:0c:41:92:41:71, OU=RV082, O=Cisco-Linksys, LLC, C=US, L=Irvine, SN=California
Issuer : CN=00:0c:41:92:41:71, OU=RV082, O=Cisco-Linksys, LLC, C=US, L=Irvine, SN=California
Not valid before : Mar 3 06:51:27 2022 GMT
Not valid after .
I have set the RV042 up for QuickVPN access. The router config recommends turning HTTPS on in the firewall when using QuickVPN. The side effect to this is any web browser throws me certificate errors and warns me not to continue logging in to the router's config. How do I fix this so the browser does not throw these messages?
Router is Linksys-branded, using latest firmware for this hardware (1.3.13.02-tm)
After a day of troubleshooting I have finally got the QuickVPN client to work. I connect however during the connection I get: "Server's certificate doesn't exist on your local computer. Do you want to quit this connection?" I click no and it connects fine other than this error. So how do I get rid of this error? Also I have exported the client certificate from the RV110 and put it in the quickvpn directory as I saw suggested elsewhere.
Here is my log:
2011/12/21 00:39:44 [STATUS]Connecting...
2011/12/21 00:39:44 [DEBUG]Input VPN Server Address = ***.***.***
2011/12/21 00:39:45 [STATUS]Connecting to remote gateway with IP address: **.**.**.***
2011/12/21 00:39:50 [WARNING]Server's certificate doesn't exist on your local computer.
2011/12/21 00:39:56 [STATUS]Remote gateway was reached by https ...
I was connected to my RV042 via remote management / browser, and tried to add VPN clients. I generated a new certificate and then I clicked on export for clients. By doing this, the remote management disconnected and I cannot access the router anymore.
How can I get the new .pem file from remote? Do I have to make somebody turn off and on the unit to get back remote access??
P.S.: after turning off and on I tried the same steps again: every time I click on "export for admin" or "export for client", this kills the remote management and the unit must be hard reset. Now: how do I get the newly created client certificate off that unit ?? Otherwise I will have to drive 350 km just to grep that file ?!?!
I do not have a valid SSL Certificate on my firewall but I want to use SSLVPN.
If I connect to the IP address and the SSLVPN Portal I can choose the sslclient launcher but after that I get an error that I need an Internet Explorer 64bit or that the active I was blocked because of an unsecure publisher.
I recently replaced my RV042 with an RV042G. I did an export of the RV042 Config and used the Config Migration Tool to upgrade the file to v3 (I had an old v1 RV042). When I first logged in to the RV042G it was quite happy and I imported the config file successfully. After installing the RV042G in my system it fired up and worked perfectly. Unfortunately when I now try to log in via the web interface it comes up with 'Invalid Site Certificate' each time. I've tried importing the certificate but that does not work as it is flagged as invalid. All I can assume is I have either imported the original RV042 certificate as part of the config or importing the config has corrupted the original RV042G site certificate. I assume this is a generic issue and not specific to the RV042G as I have had this problem before but cannot remember how I solved it. The bottom line would be a hard reset and load all my settings manually but I can't spare the time just now.
I bought a new WRVS4400n recently because it had Gigabit speed, wireless n and a built in VPN server. The device works perfectly except for the Quick VPN client. I'm a system engineer so I thought I could set it up quite easily just like any other device I configured in the past. Painful, but it isn't like this.
I set up the VPN on the WRVS4400n and generated a certificate. I saved both the client and admin certificate to my PC, I gave them a name to easily make up the difference between both of them. When placing the certificate in the installed QuickVPN folder, it doesn't seem to get recognised by the QuickVPN software. When I try to connect, it says 'Server's certificate doesn't exist on your local computer'. I guess the naming convention must meet some kind of format, is that correct? If so, this should have been described in the documentation.
Besides that I checked if the required ports used by the VPN server are open on the public port of the device, that is the case. So it seems I'm quite close to getting it working.
The version of QuickVPN I used is 1.4.2.1. The WRVS4400n has the latest firmware loaded.