Cisco Switches :: Management HTTPS Session To SF200-24 Suddenly Timeout
May 6, 2013
what would be causing my management HTTPS session to a SF200-24 to suddenly timeout? I receive "The session has been timed out. You may log in again" few mins after logging into to switch.Sometime it happens within 45seconds, other times after 3mins, timouts are not consistent. And, i was not idle when it timed-out. My HTTPs idle time-out is set for 10mins.
I had a continuous PING going to managment IP, and it did not drop any pings when session timed-out.Interface stats are also clean. I tried IE, FireFox, Chrome and all are timming out.
I've changed the HTTP default idle-time out from 1 to 10 and my HTTPs stopped timing out. Management Access Authentication is cleary set for HTTPs, and the Idle-timeout for HTTPs was set for 10mins since install. Yet, adjusting the HTTP idle-timeout cleared the issue.
View 1 Replies
ADVERTISEMENT
Jan 25, 2012
I have an SG300-20 here for testing (firmware: 1.1.2.0, boot version: 1.0.0.4, language version: 1.1.1.6 English). Everything seems to work on it, except, that if I choose Radius authentication by mac address only, then the switch does not honor the Idle-Timeout and Session-Timeout attributes from the Radius server (freeradius).
The setup is the following: I have a no name access point plugged in to switch port gi1. The port gi1 is set up for Radius authentication by mac address only. The access point itself is authenticated, no problem with that. If I connect through the access point by (say) a mobile phone, it is authenticated, no problem. The radius server does send the Idle-Timeout and Session-Timeout attributes, I checked it by running "freeradius -X", both are set to 30 seconds. Then I turn off the wireless card in my mobile phone and check the dot1x users by "show dot1x users". My mobile phone's mac address remains there for 5-10 minutes, so the Idle-Timeout and Session-Timeout does not work.
Another way I could resolv this problem is by explicitely asking the switch to reauthenticate the user. Unfortunately there is no CLI command to do just that, I can do however a reauthentication on a port using "dot1x re-authenticate gi1" (for example). But it does not work as it is expected: the switch uses the stored mac-address to reauthenticate the user, so nothing changes on the port (unless something changes in the radius server). I think it should work like the following: remove the authenticated user from the port, and whenever that mac address makes some network traffic, then reauthenticate as if it were a completely new connection. BTW: it would work for me also if I could just remove an authenticated user from a port, but I did not find a command to do that.
As a last resort I can simply shutdown the port, bring it up again ("shutdown" and "no shutdown" in the interface config), then all users are removed from the port and they all mush reauthenticate. But it causes a network outage for a couple of seconds for all users on that port, on a busy access point it is quite disturbing, and it is not an elegant way to do this.
So my actual question is: is there a way to remove an authenticated user either automatically (Idle-Timeout and Session-Timeout) or manually from this switch?
I enclose the relevant part of the running config.
interface range gi1-2
dot1x host-mode multi-sessions
exit
vlan database
vlan 2-4
exit
[code]....
View 2 Replies
View Related
Sep 20, 2012
we just received 5 new SF200-48 Smart Switches for small business. I noticed only way I can configure them is by using the web gui. Is there a way to enable good old CLI?
View 6 Replies
View Related
Jun 4, 2012
I have inherited the support of an ASA5520 running 8.0(3)12 code and I believe I have a pretty simple question here that I haven't been able to figure out on my own. I have a few users that connect to the box via IPSEC VPN client connections. They want to be able to leave up a RDP based connection, for monitoring purposes, for a most of the day, but thier RDP connection keeps getting discounnted after a few hours. The VPN connection never gets disconnected, just the RDP session running through it. I have another box running 8.0(4) code and they can leave up the RDP sessions as long as they like without getting disconnected from the server(s). I have compared the configs of both boxes and don't see any glsring differences in regards to the configuration that would cuase the RDP sessions to either to stay up or be disconnected after an inactivity type scenario.
What to look for in regards to identifying the timer that is disconnecting the RDP session after a period of time.
View 2 Replies
View Related
Jun 20, 2011
We are trying to configure our 2106 wireless lan controller to expire wireless users sessions so the user is not remembered indefinitely. We are using freeradius to validate the users login information and passing back a "session-timeout" avpair but the WLC seems to be ignoring this value.
How to configure the session expiration time of wireless users on a 2106?
View 2 Replies
View Related
Jan 19, 2012
We're having trouble trying to deploy 802.1x authentication on a brand new site.
Our primary and secondary ACS are located in Paris and the new site located in Toulouse, France. Both sites are connected through the WAN. Everytime a computer/user connects to this new site in Toulouse, ACS 5.2 sends a "5411 EAP session timeout" error message.
View 9 Replies
View Related
Mar 1, 2013
I have a DIR-825 with 2.60VT firmware (rented from Videotron).
Even though the manual says the stateful firewall should have a timeout on connections of 240 seconds or 7800 seconds, all of my connections start at a mere 120 seconds. I'm having trouble with IMAP IDLE pushing e-mails because the connections timeout so quickly (before any stay alive can be sent). A connection to the e-mail server gets opened on 143 (Videotron) or 993 (encrypted - google, e.g.), and I see the connection on the Internet Sessions page, the timeout starts at 120. When it hits 0, the connection is no longer displayed (it is not renewed), and the IMAP IDLE ****s out because the server can't find the client (i.e. the connection has been closed). But it's not just on those ports or servers. ALL of my TCP sessions begin at a mere 120 seconds! Even for a home router, isn't this way too low?
confirm that their DIR-825, on the Internet Sessions page, shows initial timeout values of greater than 120 for a TCP connection? I would love to see a picture of that screen showing higher values. Does it start at 240? Do you ever see a connection start at a timeout of 7800?
I see no way of changing the timeout value. Is it possible to force connections on certain ports to begin at a higher timeout value?
View 5 Replies
View Related
Sep 1, 2011
Per PCI & company policy all VPN users have a 12 hour session limit. They will disconnected after 12 hours regardless of use. Is there any way to send a message prior to the 12 hour limit to warn the users that they will be disconnected in x minutes? I'm running SSL VPN on a ASA 5520 ver 8.4(1)
View 1 Replies
View Related
Oct 11, 2011
Is there any way to change a setting which causes a user logged in to the web browser interface (or connected via ssh) to have to re-authenticate. Im getting annoyed by being disconnected from the AP and having to re-authenticate.
View 1 Replies
View Related
Nov 3, 2011
What the command to prevent a telnet session to the 4400 controller from timing out is?
View 1 Replies
View Related
Aug 27, 2012
For guest clients , we have configured guest vlan and applied external web authenication on WLC 5508 , the session timeout value is 2700secons . When a client open a browser to internet page , wlc will redirect to URL and get the login page . After completed the login , he can go to internet page .
We find the iPhone and ipad clients will get the login page again ahfter ~ 5 mins , it is mismatch with session timeout value 2700 sec (45 mins) .
View 5 Replies
View Related
Aug 15, 2011
Our company has installed ACS Version: 5.1.0.44.6 Internal Build ID: B.2347 with patches: 5-1-0-44-5, 5-1-0-44-6. The security policy of our company includes a password change every 3 months. Our programmers had written a script that allows us to do it. When testing revealed that the script does not work. This is due to the fact that it is not possible to enter the mode "acs-config". In determining the reasons it was found that to enter this mode there is a limit on sessions (6 sessions). When the number of connections becomes larger than 6 then the script does not work. The documentation says that the update is not active sessions is set with terminal session-timeout. In this case, the terminal session-timeout 30. But after 30 minutes of the session will remain active. It interferes with our script.
View 1 Replies
View Related
Mar 28, 2012
default inactivity connection time out for A3(1.0) So by defult any tcp connection(http or https) will be timed out in an hour. [code]Was this change in the A4(2.0) code or is it still the same? I heard a TAC engg say that default inactivity timeout for http and https are now 5 mins that is 300 seconds.
View 3 Replies
View Related
Jan 14, 2013
I have an ancient Alteon load balancer which only supports HTTP and telnet access. Our management people only allow HTTPS through the management firewall farm, and don't want to change this policy. So I need a low cost HTTPS to HTTP conversion, ideally on Cisco hardware like an ASA5505. It only needs one concurrent user. Is there a way to configure an ASA 5505 to terminate the inbound HTTPS seession and re-originate a HTTP management session to the Alteon? It looks to me as if the Clientless SSL VPN might do the job.Is there a way to do a SSH to telnet conversion on the ASA, or on a router?
View 1 Replies
View Related
Oct 29, 2012
I wonder what is the difference between SF200 and SF200E smart switch. They seem like having same spec.
View 2 Replies
View Related
Oct 19, 2012
Just recently we replaced our HQ Cisco-Pix with Cisco-ASA 5510. where we have many branches connecting to our HQ through site-to-site vpn. Since putting this new ASA5510 at HQ , while we are getting a Remote-Desktop session into our branches clients, and at the time when even a single TIMEOUT occurs on the vpn-link so the remote-desktop session gets completely lost. then we have to re-connect the session.This issue happens as i said above when a single timeout occurs on the vpn link. What is the issue with the ASA5510. because with pix we didn't have this issue, remote-desktops were never getting lost / reset with single timeout
View 1 Replies
View Related
Jul 30, 2012
When a client connecting to a specific AP (example AP01), after every 1800 sec uptime it will reconnect and join other unit AP (example AP02)Both AP physically installed distance is around 6 meters from each other. I conduct the testing where i get myself sitting in middle between these two APs.
01. If i disable settsion timeout this feature, or setting the seconds become higher value, what's the performance and security impact? Is it recomend to change the default 1800 seconds session timeout?
02. Is there anyway i can tweak on WLC controller to prevent the client after session timeout then associate with another AP. This will lead major performance impact as the client woudl possibility connect to the weak signal AP and effect on the performance.
These are the details for reference:Client detail
- Dell DW1520 wireless-N WLAN card, with firmware version 5.100.235.12
- CCX version 4 supported
- Layer 2 security is WPA2 personal with PSK.
- wireless radio an
Controller detail:
model is AIR-CT5508-K9
software version is 7.2.110.0
View 4 Replies
View Related
Mar 14, 2013
i was able to configure (via SF200 web interface) a port mapping from port FE17 to FE7.i have supressed this port mapping.
when i try to reconfigure a port mapping from port FE17 to FE3. The SF200 web interface crash. the SF200 seems to reboot.
i have updated the SF200 firmware from V1.1.2.0 to V1.1.2.9.44.when i was able to configure (via SF200 web interface) a port mapping from port FE17 to FE7.But after having suppressed this port mapping again, i was not able to reconfigure a new port mapping from port FE1 to FE3 (the SF200 hangs).
View 2 Replies
View Related
Feb 15, 2012
I want to make an offer for a public tender for SF200 Switches (P/Ns SLM224GT and SLM248GT). The end user is already using Cat 6 cables and someone from the committee told that these Switches does not support Cat 6 cables and that the SLM224GT doesn't work correctly with an existing SG200 (SLM2008T) switch.
View 1 Replies
View Related
Oct 6, 2011
here comes the incident description: WRVS4400N breaks established VPN session if I am trying to connect to any LAN host via HTTPS.
View 1 Replies
View Related
Feb 27, 2013
Is there a replacement rackmount kit available for a Smart Switch SF200-48?
View 1 Replies
View Related
Mar 18, 2013
We have been deploying Cisco SF200-24P switches for our systems for over a year now. They connect to a Cisco 881 router. In many cases we are also deploying Cisco AP541s.Over the last few months, on an intermittent basis, the switches will simply freeze, blocking all traffic flow. The power LED also goes dark. It appears the switch has frozen. The only thing that seems to revive the switch is a hard reboot by pulling the power cord. In the last couple of weeks, one site in particular has gone down a handful of times. That client of our is fed up. Our patience is running thin too.
I cannot see any indications in the logs to any event that might give a clue as to the problem. We definitely see this problem with the 1.2.7.76 firmware and the 1.2.9.44 (latest as of typing this). Not sure if with earlier 1.1.2 firmware.Without a fix, we likely will have to change switches and possibly vendors as we need a reliable switch.I see some vague references to a similar problem. And one reference to a SG300 series having what sounds like the same issue.
View 8 Replies
View Related
Jun 11, 2012
I am new to the ACE30. I a basic configuration from the CLI and I am trying to use the device manger. I am able to get to the web informational page rather then accessing the login page. I have rest the password for both the admin and www and still no go. my question is how to go into enabling the GUI access.
View 1 Replies
View Related
Mar 2, 2013
I have an issue with new Win8 & IE10. When I try to access web management interface of my wrt160nl (Firmware Version: 1.00.01 B15) via HTTPS I'm receiving the foolowing message:"Continue to this website (not recommended)." If I click on it another error page appears:"Certification error: Navigation blocked. There is a problem with this website's security certificate"
At the same time I'm able to acccess the management interface via HTTPS, but from my laptop with Win7 & IE9. There if I click on the red Certificate Error > View certificate and the certificate information is:Issued by: Linksys Issued to: Linksys Valid from : 1.1.2009 to 1.1.2010
So I'd like to know if I could update the router certificate or what settings should I use in IE10 in order to access the web management interface via HTTPS?
View 9 Replies
View Related
Nov 5, 2011
The downloadable PDF manual for the WAG160N shows the remote management address as "https://...", while the online support article shows WAG320N screenshots and uses "http://...". The downloadable manuals for the WAG120N & WAG320N don't show either (it's a pretty flimsy manual).point me to, a definitive list of model/firmware combos which do support SSL for remote management?
View 3 Replies
View Related
May 6, 2012
How to get HTTPS to work for local or remote management? Selecting HTTPS for either local or remote doesn't enable HTTPS for me. It still use HTTP.
View 2 Replies
View Related
Mar 14, 2013
i was able to configure (via SF200 web interface) a port mirroring from port FE17 to FE7.i have supressed this port mirroring.when i try to reconfigure a port mirroring from port FE17 to FE3. The SF200 web interface crash. the SF200 seems to reboot.
i have updated the SF200 firmware from V1.1.2.0 to V1.1.2.9.44 when i was able to configure (via SF200 web interface) a port mirroring from port FE17 to FE7.But after having suppressed this port mirroring again, i was not able to reconfigure a new port mirroring from port FE1 to FE3 (the SF200 hangs).
i have also tried to return to default factory setting but this does not solve the issue.i am working on SF200-24P
View 2 Replies
View Related
Aug 7, 2011
Any snmpset commands to add, modify and delete vlan table entries on SG300-10 switches? I checked url... however this information is apparently only valid for catalysts. The latest firmware is installed and the provided MIB files are used.
View 8 Replies
View Related
Aug 9, 2012
At the moment I am trying to connect to a DHCP ISP, but the connection only last for 10-15mins and then it will automatically disconnected. Every time I reset the WAN port , service back to normal for another 10-15 mins >< The are no log or any error message when connection timeout. the status of the WAN port is normal "Up Up"I have tried this config on another ISP and everything work just fine!!!
Fiber connector -------> Cisco 1812 (FastEthernet1) --------->LAN
Router#sh run
Building configuration...Current configuration : 3205 bytes
!
version 12.4
service tcp-keepalives-in
service tcp-keepalives-out
[code]....
View 1 Replies
View Related
Apr 20, 2011
Never seen a Cisco, or any other L3 switch before. Nor an Lx router. Any step by step,or class room or web based training, or a partner or Cisco helper to get us up to speed on this.Goal is to limit http and https traffic in favor of telnet to an AIX server and RDP to a Windows TS. Printing would be ahead of http/s and below the others.
Interstingly, the web site promises 9 videos, but there are only 8. The demo guide says about OoS: "Coming Soon".Where to go? Who(m) to call?
View 6 Replies
View Related
Nov 26, 2012
ASA 8.2(5), uauth absolute timeout is disabled and inactivity timeout is set to 48 hours:
timeout xlate 48:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:00:00 absolute uauth 48:00:00 inactivity
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
Users still get kicked out every 8 hours and they have to reauth. This is a logging message:
%ASA-5-109012: Authen Session End: user 'john', sid 839, elapsed 28801 seconds
View 1 Replies
View Related
Oct 25, 2011
when my Linux VM is running!How's this for a mystery - last night I noticed that I could no longer access my gmail. Thought it might be down. This morning, I still couldn't access it. Thought I would try comcast, no joy either. Changed computers, no difference. Changed routers, no difference. Bought a new router and started plugging in network cables one at a time. My main machine first, everything works - http and https sites, a second computer, all good. The switch. Fine. Powerline. Still good. Then I plug in a Windows server running a Linux VM. Https sites on all the other machines stop working. Pause the Linux VM, restart router - https sites return to life. Went to Linux machine, re-enabled ipv6 (the only recent change on the Linux machine was to disable ipv6 since upon a reboot, Linux didn't have an ipv4 address). Restart Linux everything seems fine. A few hours go by, try to connect my wife's new laptop and at that moment wireless seems to stop. Restart router, wireless is back. But lo and behold, https is gone again. Unplug the machine that has the Linux VM, restart router, all is good.Ever see anything this weird?
View 3 Replies
View Related
May 31, 2011
can't access gmail or any https sites at all such as fnb.co.za or auction sites ect... I've tried resetting my rooter, configured all the settings as they were when working, I have basically gone into my network & sharing centre and change adapter settings to make sure all the settings there are as should be, reset , & config all of those as well, I've also gone into cmd and reset my D-link completelly from the command, and also tried to restore my computer to an earlier stage which did not work either , Now all I can gather is that It has to be a block some where most likely with the rooter , which is blocking access to port 443.
View 14 Replies
View Related