Cisco VPN :: 1811 - Remotes Not Coming Up Immediately After Firewall Reload
Apr 6, 2012
I have about 30 remote EZVPN 1811 routers that never come up after a firewall reload for about an hour. I have watched the EZVPN remotes and they believe they still have an IPSEC SA and they never attempt to reconnect until their IKE SA times out. Is there any way I can change this behavior so that the remotes will more rapidly recognize that their SA is invalid and negotiate a new one?
Jun 27, 2012
I have ezVPN configured on an ASA 5520 for my server with 5505s as my clients at several remote sites. The tunnels come up no problem and I can hit everything I need to on both sides of the tunnel, but I'm not able to get to another remote network from a remote network. The traffic goes out the tunnel on the 5505 but on the 5520 all I see is a bunch of scrolling tear down messages.
[code]....
May 16, 2011
I have two 1811s connected in a lab using an IPsec VPN tunnel (using a switch to simulate an internet connection between them). I am trying to configure one of the routers as a ZBPF just to allow a remote Windows login (DC on the firewalled side, workstations on the other side). I'm trying to verify that the ZBPF is working, but it doesn't seem to stop anything. I had match icmp added to the class-map, but took it out to test if ICMP would fail. It didn't. Basically, I don't think the firewall is working at all. Any thoughts on how I can configure this so that the policies will work between zone-pairs?
Here's a quick drawing:
Here are the configurations:
Local router:
hostname sdc-1811-LocalLab
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
[code]....
Dec 19, 2011
I have two ASA 5540s working in Active/Standby mode. After I upgraded them to version 8.2.3 I have the following issue: once a day the presently active device arbitrarily reloads. I have no errors in show version or in the syslogs:
11:15:50 ASA : %ASA-6-302020: Built inbound ICMP connection for faddr 10.10.0.36/512 gaddr 10.0.0.16/0 laddr 10
11:15:58 ASA : %ASA-1-104001: (Primary) Switching to ACTIVE - HELLO not heard from mate.
Oct 29, 2012
Our FWSM (in a 6509) is not coming up. When we tried to session up using the "Session slot 1 proc 1" command, it gives the error "Tyring 127.0.0.11 ..... connection timed out remote host not responding".
In the "show mod" command output at the switch's IOS console, under the Card Type section it is showing the Model & Serial Number correctly, and under the MAC address section it is displaying some MAC address, but under Online Diag Status it is showing "Unknown" for Module 1.
We tried re-seating it in other slots, but to no use; it gives the same error. Some other forums are saying it is an issue with the 128 MB CF image; the FWSM is no longer reachable from the 6509 IOS console. We even tried using the FWSM console (using PC-Conse & LCP Console) but the FWSM is not contactable.
May 31, 2011
Last night I switched out our old Cisco PIX 515 with an ASA 5505. The config is the same, and internet and outgoing mail are working, but no mail is coming in. Below is a copy of my config. Why is my inbound mail not coming in?
smtp 192.168.51.248 (Barracuda email filter)
pop3 192.168.50.11 (Exchange server)
Tried to telnet into the firewall but the connection timed out. Went to MXToolbox and that also timed out while trying to connect to SMTP. A port scan from MXToolbox timed out too on all ports.
[Code] ........
Mar 1, 2013
I recently upgraded the flash and the RAM on one of my ASA 5505 lab machines. The flash was upgraded from 128 to 512 MB and the RAM was also upgraded from 256 to 512 MB. I am using asa845-k8.bin. The firewall boots and runs fine until you issue the reload command. The system shuts down but never reloads.
Oct 4, 2011
I have a problem with traffic coming from a GRE interface and going further through the FWSM on the same 6509-E chassis. It's very interesting and confusing. If packets are fragmented, I can go through; however, if I use normal packets (a usual ping, for example) traffic goes from outside to inside and stops on its way back.
Here is the detailed info:
WS-C6509-E with WS-SUP720-3B
FWSM HW 4.0, SW 4.1(4)
GRE is done in hardware (source is loopback interface - only one loopback per GRE tunnel).
May 8, 2011
We have a setup of FWSMs configured in single mode in 6509 chassis. Both 6509s are configured in VSS. Recently I upgraded the firmware from 4.0(3) to 4.1(3). Before the upgrade, config sync was not having any problem.
After the upgrade, if any one of the FWSMs reloads, while coming up it gets stuck in config sync; we cannot run any command on either unit and get the error:
Configuration update in progress by another process. Also on the standby FWSM no running-config displays.
If we use # failover suspend-config on the primary and then reload the standby FWSM, the standby boots up with the startup config, and when the # no failover suspend-config command runs on the active FWSM the sync starts and completes successfully within 15 sec.
Also failover works well with #no failover active.
Sep 8, 2011
This is probably a stupid question, but how do I open a port on a Cisco 1811? I have a Cisco 1811 and a computer that has VNC installed on it. I want to be able to access that computer from outside the network using the external IP address and port 5950. People outside the network will be able to open VNC viewer and type in *external ip address*:5950 and it will be directed to the computer with a static internal IP address of 10.11.101.10. What commands do I use to do this?
Oct 29, 2012
We have a customer who has 4 x 'WS-SVC-FWM-1' modules installed within 2 x 6513 chassis. The FWSMs are all running version 3.1(16) with failover groups 1 and 2 enabled. After a few recent planned and unplanned power outages the FWSMs have come up without a full configuration. Is this a common fault? If so, is there any kind of workaround that can be implemented?
Oct 27, 2012
I am running CBAC on a 1811 running IOS 15.1 and can't figure out how to configure it so that I can perform TFTP upgrades with CBAC enabled. It appears that CBAC doesn't catch self-generated traffic and put a reverse rule in the ACL. I am trying to upgrade the image on this router using a public-addressed TFTP server on the F0 interface. If I drop the ACL the traffic will work, so why isn't CBAC catching the TFTP outbound? [code]
The tftp rule above is for TFTP upgrades on other equipment, using a server behind this router. I tried defining an outbound ACL as well on F0 to get the traffic "caught" by CBAC, but that didn't work. I also tried adding "ip inspect name trust tftp", but that didn't work.
Feb 19, 2013
I need to NAT a port range spanning TCP and UDP 50,000 to 59,999 from inside global address 58.96.x.x on loopback2 to an inside local address of 192.168.5.5. Currently all the existing NAT translations are 1-to-1 and map inside global addresses on a wide span of Loopbacks and a Dialer interface to inside local addresses on a few subnets, which are fine. I'm using an 1811 with an ADVIPSERVICESK9-M image, version 12.4(6)TS.
Apr 4, 2011
We have been testing a Zone Based FW config for 1 month. Everything runs smoothly, but we're having a problem (very slow access speed) when a user tries to reach a website on a non-standard port (8080 in that case). All the traffic stays in our LAN, using an IPSEC/EZVPN connection between the 2 sites. As soon as I disabled the Zone Based FW, the speed was much better.
I'm sure I'm missing a parameter to fix that problem, but I tried many different options and I haven't found anything yet. All the routers are Cisco 1811 running Adv IP Services 15.1.2.T1 IOS. A port-map has been created to map port 8080 to the HTTP protocol for the inspection. The PC will have an IP address in 10.2.2.x/24 and will access a server on 10.2.3.x/24; both devices are part of the zone private in each site/LAN. All the access between sites is managed by an ASA, the IPSEC/EZVPN peer. Little summary, it's gonna be something like: SiteA with a PC on the private zone, then on the public zone for the EZVPN to SiteB on the public zone, and then the private zone to access the server in the LAN.
Jul 7, 2009
I have seen this a couple of times on two different routers. One is a 3745 and another a 1811 running 12.4(15)T4 and 12.4(6)T11, respectively.
When we have IOS firewall running (either IP inspect or ZFW), we will experience intermittent slow HTTP connections.
Symptoms include page timeouts, CSS not loading and just overall slow performance. Disabling the inspection cures the issues.
Jun 14, 2012
My Win 7 desktop always disconnects from the internet connection after it has been connected, and when I ran the network diagnosis wizard it was saying DNS ERROR CONNECTION. All other systems in my office use the same DNS address.
Aug 20, 2012
where with my computer it will connect to my network for a second or two, then immediately disconnect. Other computers and devices connect without a problem. I have also experienced this with every network I have tried to connect to; it does the same thing. I figure it is therefore a problem with my laptop itself, but troubleshooting has yielded nothing, and most of the fixes I have found require connecting to the network, but obviously I cannot do that. I can connect with an Ethernet cable just fine. My guess would be that there is a setting that is incorrect within the wireless on my computer, but what that is I could not even venture to guess.
Sep 15, 2011
I just updated my Cisco 7609 to Version 12.2(33)SRD6. I encountered a strange problem with this version: every time I change a BGP policy (input or output) it takes effect immediately without "clear ip bgp neighbor <address> soft". Is there any way to not have the BGP policy take effect unless the command "clear ip bgp neighbor <> soft" is issued?
Dec 11, 2012
I am migrating an IPsec site-to-site VPN config to a new ASR1001 router "facing" a Linux box (ipsec-tools + racoon). As the Debian Linux does not offer VTI, I am using a crypto map.
The working config is given below with the corresponding logs on the Linux side.
When I try to apply this previously working config to the ASR1001, I get the following error:
000855: *Dec 12 18:28:21.859 UTC: %ACE-3-TRANSERR: IOSXE-ESP(14): IKEA trans 0x1350; opcode 0x60; param 0x2EE; error 0x5; retry cnt 0
Dec 12 18:50:19 FAKE-AUCH-GW racoon: INFO: initiate new phase 1 negotiation: 194.214.196.2[500]<=>130.120.124.8[500]
Dec 12 18:50:19 FAKE-AUCH-GW racoon: INFO: begin Identity Protection mode.
Dec 12 18:50:19 FAKE-AUCH-GW racoon: INFO: received Vendor ID: CISCO-UNITY
Dec 12 18:50:19 FAKE-AUCH-GW racoon: INFO: received Vendor ID: DPD
Dec 12 18:50:19 FAKE-AUCH-GW racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt(code)
Nov 7, 2011
I have a 3845 router which reloaded unexpectedly, and I need to know the reason for the reload. The router has created crash info details.
Jan 21, 2012
Have been experiencing speeds of max 2.5 Mbps for transferring files between Windows 7 machines connected wirelessly to a Billion 800VGT router. A speed of maximum 18 Mbps was achieved. No matter what I did to adaptor settings, it was the best possible. Have 6 wireless machines which I cross-checked multiple times using LAN Speed Test by Totusoft. I then disabled the wireless security (WPA-PSK) on my Billion 800VGT router and secured the network by using the wireless MAC address filter. My speed immediately increased to 11 Mbps between wireless machines. Speeds to machines on the fixed LAN increased to 26 Mbps.
Feb 13, 2012
My HW is Version B2 and my firmware is 2.25. My internet connection keeps dropping and reconnecting. It started off doing this a few times a day, but now it does not keep a connection for more than 10 minutes.
Sep 28, 2010
I recently upgraded our 5508s to 7.0.98. I am now seeing this message on the primary WLC while running a debug on a client:
*apfMsConnTask_1: Sep 29 11:05:36.114: Deleting the client immediately since WLAN is changed.
Mar 29, 2012
I am facing an issue on an ME3800. [code] With that configuration there is no problem with DHCP relay packets. But if I add on the interface #xconnect 82.199.1 19.1 77 encapsulation mpls it immediately stops forwarding DHCP relay packets. All other traffic transfers without problem.
Nov 25, 2011
Our wireless network has started to drop out periodically. If we pull power and restore it, the network immediately comes back up on all our devices. We have the WRT54G, and we have 2 PCs, 2 Macs, 3 iPhones, and a wired home phone. Normally there are not this many devices connected, but with everyone home for Thanksgiving and all these devices on the network we have started to see this issue.
Are there simply more devices than the router can handle? Is one of the devices crashing the network for everyone? What typically will cause something like this?
Oct 20, 2011
I am slowly getting this router configured. I am up and running. Traffic from all nodes inside can go outside. My next step is to configure traffic coming in to go to my server. I have Web, FTP, SMTP and POP running on the same server in my LAN. I need to use NAT/PAT to direct incoming traffic to it. I believe I have this done correctly, but obviously not. I only have port 80 configured in the config file; if I can get that to work the rest would be the same.
Mar 7, 2013
Why is Cisco 2921 GigabitEthernet 0/1 not coming up? I also tried to connect the interface to another switch with no joy.
ME3400 (ISP's switch)<-------------MPLS link--------------> Cisco 2921 Gi0/1 >>>>>>>>>>Port not coming up
I tried a connection between the ME3400 (ISP's switch) and a spare switch, and the interface of the spare switch was in UP/UP state. Troubleshooting I did so far on interface Gi0/1:
1> Changed the speed/duplex manually and reverted it back to auto
2> Disabled keepalive
3> Tried a different LAN cable with no luck
4> Please see the HIGHLIGHTED part (in red colour) of the "show controller Gi0/1" command
I am pasting some of the SHOW command output:
R2921_MMP#sh run int gi0/1
Building configuration.
[code]
Jun 11, 2012
In our project, we had to configure PAgP between Catalyst Cisco 3110s. There is no problem in the configuration of PAgP; everything is OK and the channel is up. But after a reload of the Cisco, the channel cannot come up and all packets loop between the 2 switches. In order to solve this problem I have to shut down all ports and again create the channel for every port.
Jan 14, 2011
Router with 2 RSP RSP720-3C-GE & Image: c7600rsp72043-advipservicesk9-mz.122-33.SRE2.bin We are getting the message as
------------------ show version ------------------
Cisco IOS Software, c7600rsp72043_rp Software (c7600rsp72043_rp-ADVIPSERVICESK9-M), Version 12.2(33)SRE2, RELEASE SOFTWARE (fc1)
Technical Support: [URL]
[Code]....
Show log is attached & we are getting %DHCPD-4-DECLINE_CONFLICT: messages constantly.
Apr 24, 2013
I am trying to make a simple site-to-site VPN between two offices; one has a Cisco ASA and one has an RV042 router. When traffic is initiated from the ASA side, I keep getting this message in debug and the tunnel won't come up:
[IKEv1]: Group = A.A.A.139, IP = A.A.A.139, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Apr 26 00:15:53 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Whereas if traffic is initiated from the RV042 side, I keep getting this message in debug and the tunnel won't come up:
Apr 26 00:43:44 [IKEv1 DEBUG]: IP = RV.RV.RV.139, Oakley proposal is acceptable
Apr 26 00:43:44 [IKEv1 DEBUG]: IP = RV.RV.RV.139, IKE SA Proposal # 1, Transform # 0 acceptable Matches global IKE entry # 6
Apr 26 00:43:44 [IKEv1]: IP = RV.RV.RV.139, Connection landed on tunnel_group RV.RV.RV.139
Apr 26 00:43:45 [IKEv1]: IP = RV.RV.RV.139, Connection landed on tunnel_group RV.RV.RV.139
Apr 26 00:43:45 [IKEv1]: Group = RV.RV.RV.139, IP = RV.RV.RV.139, Freeing previously allocated memory for authorization-dn-attributes
Apr 26 00:43:45 [IKEv1]: Group = RV.RV.RV.139, IP = RV.RV.RV.139, PHASE 1 COMPLETED
Apr 26 00:43:45 [IKEv1]: IP =RV.RV.RV.139, Keep-alive type for this connection: DPD
Apr 26 00:43:45 [IKEv1 DEBUG]: Group =
[code].....
Apr 16, 2013
I am trying to connect a 3750X (15.0.1(SE3)) to a PC or router whose interface card is fixed to 100Full. On the 3750X-12S-E I plug in an SFP-T; this SFP is OK: [code]
But with speed and duplex fixed, the interface is up for around 1-4 s, then moves to down and err-disabled.
Mar 1, 2012
I'm using RADIUS and FlexConnect APs. The issue is intermittently users will lose connectivity as if they're de-authenticated. Their clients still believe they're associated to wireless but they have no network connectivity. On Windows 7 we receive the exclamation point over the signal strength indicator.
There doesn’t seem to be any rhyme or reason as to what is causing this. It doesn’t seem to happen at any particular time intervals or anything else I can identify. Sometimes users will go entire days without experiencing connectivity issues sometimes they can’t go five minutes. When the clients are experiencing the issues they cannot even ping their default gateway.
The setup was initially the following:
Site A: 1142N APs and RADIUS server (server 2003) users are authenticating to.
Site B: Flex 7510 running code 7.0.116
Between site A and site B there is a site to site VPN with no restrictions.
After some time of working with TAC and not getting anywhere I set up the following: Site A: 4402 WLC running code 7.0.116, connected to the same 1142N APs in H-REAP mode. I had the same issue with connectivity with that setup. Today I changed over to local mode and as of yet I haven't had reports of connectivity issues.
When running 'debug client MAC' I see no indication of connectivity issues. I also have an NCS and I don't see anything indicating what the issue is there either. I've tried both enabling and disabling 'H-REAP Local Auth'. We seem to experience the issue in H-REAP standalone mode as well.
Jul 25, 2012
Cisco equipment without an RTC defaults to "1 Mar 1993" after a reload. Why was this date chosen?