We run a hub&spoke network with dual GRE tunnels from each spoke site to seperate independant adsl routers at the hub.IPsec is enabled on each tunnel with crypto maps and then QOS is enabled with pre-classify for voice traffic priority. We also have defined a class for Citrix traffic by identifying port1494 traffic out and anything bound for our citrix servers IPs.Ok so the problem is that once the encryption comes up on the tunnels, the citrix programs wont connect. Take the crypto map off the tunnel and all works fine.
Here is the relevant config
crypto isakmp policy 1 encr 3des authentication pre-share group 2crypto isakmp key **** address *.*.*.*
crypto isakmp key **** address *.*.*.*
crypto map SDM_CMAP_1 1 ipsec-isakmp description Tunnel to hub1
set peer *.*.*.*
set transform-set ESP-3DES-SHA match address 104 qos pre-classifycrypto map SDM_CMAP_1 2 ipsec-isakmp description Tunnel to hub2
set peer *.*.*.*
set transform-set ESP-3DES-SHA match address 105 qos pre-classify
[code]....
I deliberately weight EIGRP to favour Tun0 and have Tun1 as a failover. I was thinking of Route-mapping the Citrix traffic to Tun1?
A group of Citrix Clients connect to a Citrix Metaframe Server. The port numbers involved are Citrix Metaframe (TCP/UDP 1494) and MS Terminal Server (TCP/UDP 1604).
The network is configured such that the communication between the Citrix clients and server goes through a GRE tunnel. Traceroutes from client to server, and vice versa, confirm that it passes thru the GRE tunnel. There's no ACL, firewalls or NAT devices along the IP path, in both directions.
The issue is, all Citrix clients can ping to the server but some fail to log on to the server; some have no problem. Also, other applications, e.g. PCAnywhere, can go through. If the GRE tunnel is taken away, all Citrix clients can log on to the Citrix server.
My router is Cisco 2811 with IOS version 12.4(22)T1. It had established IPSec with another peer (203.*.*.250 shown below) for long until recently we make it re-establish IPSec VPN with another peer (203.*.*.30 shown below). It showed that the new sa is active but the result still showed there were 4 deleted SAs. The 4 obsolete sa entries won't vanish no matter what I do i.e. reset the interface, re-create crypto map, clear all sa and etc.
From numerous testings we knew that the VPN doesn't work even the desired sa is there remaining active. I reckon it has something to do with those deleted sas ( i mean it is supposed to show only the last one if it is working fine ). I don't know how it would be come like this as we did pretty much the samething on other VPN routers with no problems.
I have a pair of ASA 5520s operating in failover pair as active/standby, having two contexts on them. I am planning to share the load and make it active/active making first context active on the primary unit and second context active on the secondary unit. My question is if this will disrupt any connectivity thru these firewalls when I do "no failover" on the active/standby and assign the contexts to different failover groups and enable the failover back.
We have built IPSEC VPN over MPLS P2P circuit between Head & Branch office using Cisco ASA 5510. Client systems at Branch office connects to Citrix app at Head office, but it gets disconnect intermittently for all user. if any recommendations/changes required for Citrix App whn passing over IPSEC VPN/ ASA.
by saying "open ports" in a router or PC or other Network System what we mean basically? what is opposite terminology, "closed ports"?-used or unused-sensitive-vulnerable or non vulnerable to attacks-exploited easily and when so may attacked and have much bad/serious consequences/results
Ive serched everywhere for this problem and couldnt find it, ive tried the basic troubleshooting, one of are users is using the 32 bit client of citrix and it is not lauching, other users have no issues with it, only her computer does. When I click to lauch the desktop it thinks a bit and then the receiver will shoot me an error saying :
"The network connection to your application was interrupted. Try to access your application later, or contact technical support." Her computer is running Windows 7 64 bit, IE8. Im really not sure what could be causing this error
My colleague wants to use our load balancers for VPN. We are coming off 3030s which are serving remote access IPSec as well as terminating LAN to LAN tunnels for like 7 sites.I want to secure the 5540s behind our front end 5585Xs when we move prod to the new dc.We have no immediate need for clientless but need to support osx lion and IPSec client does not. Thats all that's driving this effort currently. I already reminded mgmt that the 3030 and the IPSec client are end of life.I just think anyconnect is the better solution based on current skillset and the popularity of the solution.
Is it possible to have ASDM and SSH authenticate via different means on a RADIUS server? In particular, I have a single aaa-server group that's used for both ASDM and SSH, but I want to limit ASDM access to only a particular group in Active Directory (for example). I looked at various different requests (from the server's perspective) to see if there was a way that they (ASDM requests and SSH requests) were differentiated but was unable to find any. It would be ideal if there was something inherent about the RADIUS request coming from ASDM vs SSH so that I could build that decision making into the RADIUS server.I know I could do this by just using a different aaa-server group for each access method, but I want to avoid that if possible.
What the user specification with the asa5505 means.there is a 50 user and an unlimited license with the asa5505. with 50 user does this mean that only 50 user can work simultaneously over the asa, or what?
There is a port on 3560E, facing POP, this port is in the dedicated vlan, that is terminated on 7606 on SVI (peering point).There is configuration made on the 3560E port, that prevents storm of ucast or bcast kind. This is: switchport block multicast switchport port-security maximum 1000 switchport port-security switchport port-security violation restrict storm-control broadcast level bps 1m storm-control multicast level bps 1m storm-control action shutdown storm-control action trap no cdp enable no lldp transmit no lldp receive spanning-tree portfast spanning-tree bpdufilter enable spanning-tree bpduguard enable. [code]
I want to get info not only about the fact of storm attack but also about at least source and destination of it (i.e. source and/or destination MAC). Perhaps this could be some logging messages.Are there any means for this on C3560E-UNIVERSAL-M (IOS ver 12.2(53)SE2) and 7606-S.
url..This says an ISR G2 3945 can achieve 502.78 Mbits when CEF fast switching. Is this per port or total for the whole box? Since the router will hold dozens of switch ports and several gig routed ports I don't understand what this half gig switching speed means.
The Cisco 3560 uses a relatively simple classification scheme, assuming you consider only what happens when the forwarding decision has been made. These switches make most internal QoS decisions based on an internal DSCP setting. The internal DSCP is determined when the frame is forwarded. What internal DSCP setting means?
We're trying to access Citrix applications on customer`s server, but the error message attached pops up every time I try to access any application. Actually, this is the same error message when we try to use ssh protocol. I'm pretty sure I have loaded all the plugins for this. All the other functionalists are ok for this equipment.
My company has a cisco ASA 5510 and we have a Citrix remote desktop solution. In a nutshell I have users from outside our network accessing a virtual Citrix NetScaler inside our DMZ. There is a session reliability feature enabled on the Citrix solution. Session reliability uses tcp port 443. A user from outside the network connects to our network and is handed a virtual desktop to work with. When a remote user is working on their virtual desktop and there is a network connection issue the end user loses network connectivity for a brief period of time (in most cases just seconds) then the Citrix session reliability feature takes over and holds in a buffer all data destined for the end user . Once the connection is re-established then the buffer is emptied and the session goes on like before and the end user is able to use the virtual desktop. At least this is the way it should work.
In our case the connection never re-establishes between the end user outside the network and the NetScaler in our DMZ. We have been working with Citrix Support and they believe the issue is in our firewall. We have taken packets captures with Wire shark and we can see when the network failure occurs the NetScaler in the DMZ is holding information in a buffer and trying to communicate with the remote end user outside our network via packets and TCP port 443. We can also do the same packet captures from the end user computer and see where it is not receiving any packets from the NetScaler in our DMZ. The fire wall has an access list allowing any traffic in the outside port destined to the NetScaler Public IP on port 443. Then once in the firewall outside port we have a static rule pointing to the NetScaler IP in the DMZ.Everything is working quite well until we need to rely upon the session reliability. We have tried altering the TCP & Global Timeouts options in the firewall via the ASDM with no luck.
Today i saw on the router dir-655 log file that "UDHCPD Received a SIGTERM" and "received signal 15, good-bye" and the ip address was renewd after 14 days. I want to understand if it's normal behavior of the unit or not. I'm connected to cable modem that is stable more than 15 days.
here is the log of my router:
Oct 23 17:49:48 debug UDHCPD sending ACK to 192.168.0.3 Oct 23 04:01:15 debug Debu: Joining group 224.0.0.252 upstream on IF address 46.117.1.47 Oct 23 04:01:15 debug Debu: Leaving group 224.0.0.252 upstream on IF address 46.117.1.47 Oct 23 03:59:09 debug Debu: Joining group 224.0.0.252 upstream on IF address 46.117.1.47 Oct 23 03:43:58 debug gpio create pidfile /var/run/gpio_wan_green.pid
I have a question around pix 501 (6.3) configuration. I am trying to allow traffic from a single Citrix CAG across a variety of ports (80,443,9001-9005,27000,7279,1494,2598) from external (dmz) interface through to multiple addresses (on the same ports) on the internal (secure) network and dont know how to best approach it or if its possible. The only way I have found to allow traffic through is via Static Nat entries which I cant see will work for this requirement as we need some ports to be allowed into multiple addresses.
We're setting up a Citrix Cloudstack/XenServer environment and having a heck of a time getting VLAN communication to work with the Cisco SG300-28 switches we've got. We have 4 hosts that are running physically connected to 2 SG300-28 switches.The Guest Network NICS are running on XenServer with a VLAN configuration. As you'll see below our problem lies in that the vm on Host1 (10.1.1.254) cannot communicate to the vm on Host2 (10.1.1.5).Our SG300-28 is currently in L2 mode with Trunked ports for the NICS. It's allowed the VLAN 133 as tagged. Here's the guest networking:here's how our SG300-28 are configured for VLAN traffic GE1,2,13,14 are the connected ports with VLAN133 being one of the tagged VLANS
We are trying to isolate the fault. From Aggregator a router, we are receiving MAC address of distant end ethernet interface of a SDH box and vice versa is also possible. However ther is no packet received. My question is does ping test is must to see if the path is through or just receiving MAC adress at both ends would mean that packets have to go over the path.
I am looking at deploying a pair of 5585X's in an active/active multiple context state. I am creating Mulitple contexts that need to be able to route to each other. I was going to deploy a type of Gateway context that has a shared interface to all of the other contexts, instead of sharing interfaces directly between the contexts, i beleive this will work as basically i am just cascadng the contexts and sharing interfaces.
The main problem i have come across, is that if i deploy active/active across two appliances using 2 failover groups i can not see a way to route between them, for example.
I have Context 1, Context 2 and Context GW A including the shared interfaces of Con1 and Con2 in failover group 1 on appliance A with the respective standbys on Appliance 2. I have Context 2, Context 4 and Context GW B including the shared interfaces of Con 3 and Con 4 in failover group 2 on appliance B with the respective standbys on Appliance 1.
I need to be able to route traffic between Context GW A and GW B so that the contexts can communicate in normal operation and in failover. I do not beleive that I can share an interface between contexts in two separate failover groups and to be honest without adding a L3 device between the appliances i am not sure if this is possible.
I have two ASA 5510s running in Active/Active mode. I need to make config changes on them. How do I go about it? Do I power off the secondary ASA and make the config changes on the primary and then power on the secondary ASA ? Or this another way to do this?
I have an ASA5520 in location A with an ISP connection and a matching ASA5520 in location B with a separate ISP connection. We have fiber connecting the two locations and vlans passing back and forth so I will be able to configure the failover via a vlan as well as extend the ISP's to each location via vlans. The Active/Active configuration with the multiple security contexts does not seem to be an issue but how is a redundant ISP configured in this mode?We want to have context A using the ASA in location A with ISP1 as the primary and failing over to ISP 2 in locaiton B We also want to have context B using the ASA in location B with ISP 2 as the primary and failing over to ISP1 in location A Would route tracking provide the desired result? Is there a better option?
The 6509 Series Switches support the scenario VSS Active-Active Chassis, I would like to setup both switch's as one virtual switch but working at the same time, not with Active - Stand By Chassis.
My plans it to create PortChannel accross both Switches 6509 in order to have 2 links one connected to one slot/switch and the other connected to slot/switch in the second 6509 for servers redundancy.
I am working on a network which has two ISP connections (Active/Active) terminating on router (ASR1000). From the LAN side (6500 switch) all the traffic need to be route on ISP1 but some of the specific subnets like 10.250.0.0/16 need to be route on ISP2 connection.
I am planning to use PBR and NAT with route maps. any documents or refrences are provided.
I faced one problem in our core switch 4507 R . Active sup lost connection and standby came active. We got lot of errors/alerts on console shown below. [Code] Also when I reloaded the switch with reload command only both sups got reloaded but I want to reload all the modules but reload command do not gives any options for that.
I have 2 asa 5520 firewalls including and 1 AIP-SSM-10 module in each of them. the configuration is set using active/active failover and context mode.
Both of them run individualy the IPS module. The IPS is configured using inline mode and fail-open option. However when one of the module fails and the state is changing from up to init or anything else making the IPS to fail then failover is detected and ASA consider it as failover and bounce context to the other unit.
IPS soft is 6.0(4) and ASA soft is 8.0(3)
I have checked cisco doc and it is confusing to me. it says: "The AIP-SSM does not participate in stateful failover if stateful failover is configured on the ASA failover pair." but it really does participate. Running is not really an option because of production network impact matter..
We have an Active/Active ASA 5520 setup, as i know in Active/Active setup there is no remote VPN access, So i could overcome this limitations?I have a solution but i dont know if it is ablecable or not? we have a spare ASA 5510, so i can use it behind Active/Active Firewalls and assign a public static NAT IP address to it and open all IPSEC and VPN ports and let the remote users to connect to it, is this ablecable setup or not?
Currently using intel 5100 & 6200 client cards on multiple driver versions. WiSM is 7.0.116. APs are 1250 and 1260 series. Citrix is setup to send server-side keepalives for session reliability. Randomly, several times a day the client will get disconnected from the Citrix application session but maintain connectivity to the AP and other applications continue to work. Traces show the server-side keepalive reach the controller but are delayed from controller to client by 5-6 seconds. Just enough time for the Citrix server to timeout and tear down to session. Additional testing shows the delay most likely occurs somewhere from controller to AP. It occurs on multiple controllers on multiple campuses.
We have Dell/Broadcom clients that don't experience the problem. The only commonality seems to be the Intel cards. CCX? I know Intel has a special relationship with Cisco regarding CCX and have developed features not available on other cards. Tried disabling power save and other CCX features but hasn't solved the issue.