Cisco VPN :: 2911 ISR Remote Client Connects Just Once?
Feb 2, 2011
After trying to configure remote client VPN access to a Cisco 2911 ISR using the CLI I tried to use the Cisco Configuration Professional. However, either way I have the same problem. A client can successfully connect and access servers but just once. When the client disconnects and tries to connect again there is no access to the servers even though the VPN tunnel appears to be up. I've tried multiple versions of the Cisco vpn client SW and all behave the same: 1st connection can access servers, subsequent connections can't. I've also tried a second (different) client after the original connection and still no luck. If I reload the router the client can get the vpn connection and access the servers but if the client disconnects from the vpn and tries again there is no access to the servers.
I've also tried it with and without NAT but it doesn't seem to make any difference.
The config generated using CCP is as follows:
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
[Code].....
View 4 Replies
Feb 13, 2013
I have one user who is unable to Access Remote Network resources when connected to the VPN on his home network. VPN shows connected and he is given a remote IP from the VPN Pool, but he cannot ping any IP on our network. When connected using Sprint Wi-Fi card he is able to connect and access remote network from the same laptop. Maybe there is some network overlap that I am missing.
See attached firewall config (zzz... being firewall public IP) and remote user route table. ASA 5505 VPN Client 5.0.07.0290
View 5 Replies
Nov 24, 2011
I want a simple remote client-initiated VPN for employees to access corporate resources from home simultaneously with being able to access the internet. I am using CCP and seem to have several options including Easy VPN server, SSL VPN. I also can choose "Full Tunnel" or not. I have a 2911 router. I have a static range of internet IP addresses. The router is already functioning with inside to outside and outside to inside NAT, etc.
View 1 Replies
Jun 13, 2012
We have a few users connecting to another company's firewall using the Cisco VPN Client. We are pretty sure our PIX (sat at the edge of our network) is causing issues whereby after an unknown amount of time the VPN client will time out and lose connectivity. I output some level 7 debug to syslog and I cannot see anything that happens during the time he has lost connectivity. I can see his RDP packets getting denied to the remote end's private IP address but nothing that shows a denial or a drop of anything from our PIX. We are sure it's this PIX as we used to connect via a different route and a different PIX and it never dropped.
View 2 Replies
Sep 23, 2012
Client connects to PIX 501 but cannot see the LAN in Windows Explorer. Devices can be pinged by IP and hostname (netbios name). I can navigate to a server by typing in \servername. Why can I not get a resolution from Cisco techs? [code]
View 1 Replies
Mar 15, 2010
We just got several laptops that came with Windows 7 Pro 32bit installed, and we have installed the VPN Client 5.0.06.0110. The VPN client appears to connect to our ASA5510, but we are unable to connect to any machines on our network as it does on our XP machines.
Furthermore, we cannot ping any as well. Also, while connected the Windows 7 machine is still able to access internet sites as if split-tunneling was configured, which it's not! I've seen a lot of people posting on the internet about the same issue, but I have not run into any resolutions that work.
View 14 Replies
Aug 9, 2011
I am using a Cisco 2911 router and I configured remote client on it. I need to provide static IPs to the remote users instead of providing them from the DHCP pool. Is it possible? If it is, how can we do that?
View 5 Replies
Sep 19, 2012
I have a cisco 5505 and am trying to configure it with ASDM 6.4.
My vpn client connects ok to the network but I am unable to reach any of the servers.
I'm sure it's a simple configuration issue as I don't have much experience with Cisco configuration.
View 5 Replies
Jun 3, 2012
In my test lab I can't make my webvpn configuration work. I have several components: MS AD, MS CS (but without NDES), router 2911 and client computer. Client and router have a certificate from MS CS. In my configuration I use authentication by certificate or aaa (LDAP), and authentication by aaa is working well. But authentication by client certificate doesn't work. And my internal https services don't work either - "Invalid or no certificate", but this is strange because I imported the CA certificate for this.
My 2911 version: Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.1(3)T, RELEASE SOFTWARE (fc1)
My Config:
aaa authentication login webvpn group ldap local
ip local pool webvpn 192.168.200.1 192.168.200.254
bind authenticate root-dn cn=webvpn,ou=staff,dc=domain,dc=com password P@ssw0rd
webvpn gateway vpn
ip address <ip address> port 4443
ssl trustpoint root-ca
[code].....
View 3 Replies
Nov 11, 2012
We already have IPSEC VPN connectivity established between sites but would like to introduce some resilience/redundancy at a remote site.
Site A has an ASA with one internet circuit.
Site B has a Cisco 2911 with one internet circuit and we have established site-to-site IPSEC VPN connectivity between the 2911 and the ASA.
Prior to getting the new internet circuit, Site B had a Cisco 877 with an ADSL line which are still available but aren’t currently in use.
The internet circuit at Site B has dropped a few times recently so we would like to make use of the ADSL circuit (and potentially the 877 router too) as a backup.
We thought about running HSRP between the 877 and 2911 routers at Site B and, in the event of a failure of the router or internet circuit, traffic would failover to the 877 and ADSL.
However, how would Site A detect the failure? Can we simply rely on Dead Peer Detection and list the public IP address of the internet circuit at Site B first with the public IP address used on the ADSL line second in the list on the ASA? What would happen in a failover scenario and, just as important, when service was restored – I’m not sure DPD would handle that aspect correctly?
I’ve read briefly elsewhere that GRE might be best to use in this scenario – but I can’t use GRE on the ASA. I have an L3 switch behind the ASA which I may be able to make use of? But I don’t want to disrupt the existing IPSEC VPN connectivity already established between the ASA and the 2911. Can I keep IPSEC between the ASA and 2911 but then run GRE between the L3 switch and the 2911? If so, how would this best be achieved? And how could I also introduce the 877 and ADSL line into things to achieve the necessary redundancy?
View 6 Replies
Mar 4, 2012
I have a Cisco 2911-sec-k9 router.
I have 2 internet connections from my ISP: one is a static IP leased line and the other one is a DSL dynamic IP one.
What I want is to configure internet load balancing between these 2 internet connections, and I also need to use the static IP for remote access VPN and for my Exchange port forwarding.
My DSL line is 100 mps and my leased line is 2mb dedicated.
I configured the router with some example config I got on the internet. My internet is fine but load balancing is not happening, and I configured the REMOTE ACCESS VPN. I am able to connect to the remote access VPN but there is no communication through remote access. I cannot reach any device through remote access.
Note: if load balancing is not possible, how can I configure internet traffic to use the DSL line, and remote access VPN and live Exchange port forwarding to go through the leased line?
I am attaching my configuration and also debug crypto isakmp status
View 1 Replies
Aug 9, 2011
I am attempting to get a solid setup for a remote office we have going up and I am running into little issues that I can't seem to get around.
Basically, we have a remote office that will have dual ISPs, one hard wired circuit from a local carrier and the other will be a Verizon 4G router that plugs in via Ethernet and hands out DHCP to my Cisco router. The Cisco router is a 2911 with IP SLA configured. I have it set up to ping my DC out one interface and if that fails, it removes the default route and injects a new default route from the other ISP.
The problem I am having is with the VPN. I figured using EZVPN would be the only solution because the Verizon 4G only supports DHCP so I have to be able to connect from a dynamic remote host. The other caveat is that failover needs to be seamless as we have no person onsite that can troubleshoot. It's fine if it takes a few minutes, but the VPN just needs to come back up on its own without any intervention.
I attempted to set up two different EZVPN crypto maps on the router but realized you can only have one inside cryptomap per interface, which would cause a problem with the internal network. I thought I could just create subinterfaces off the router to have two inside interfaces to work with but that wouldn't have been supported because they would now be on different subnets.
I decided that adding an ASA5505 behind the router may be the simplest solution. Use the router only for the purpose of handling routing between the two ISPs and performing NAT out the interfaces. Then use the ASA to do EZVPN from. This works well but there are some issues I am trying to work through.
First, when the ISP fails over to the backup, the NAT translations have to time out before things start working again. For a constant ping, this is fine, I have the timers set down to 15 seconds for NAT timeouts and after 15 seconds the ping picks right back up again. However, this breaks the EZVPN. The ASA keeps trying to bring up the ISAKMP nearly every second, which keeps resetting the countdown on the NAT timeout for the remote EZVPN server. Because of this, the VPN will never come up until I manually clear the NAT translations on the router. So my first question is this: is there a way to adjust the timer that the VPN uses to try to bring the tunnel up? I tried the crypto isakmp keepalive command but that didn't work, it looks like it doesn't work with EZVPN.
The second issue is really with the IP SLA and is only an issue because of the first issue I mentioned. When the router first comes up after a reboot, both the primary and secondary interfaces come up. However, since the primary default route is only injected into the routing table once IP SLA is up and can reach its destination, the secondary route gets injected initially and the VPN comes up over the secondary ISP. In a few seconds, the primary default route is injected, changes the path and because of the NAT translation, breaks the tunnel and never comes up again because of the first issue with the VPN tunnel renewing the NAT translation continuously.
I could easily go out and purchase a $100 Linksys router that will do the failover and clear its NATs and everything, but I need better reliability out of the hardware than that. There has got to be a way to do this on a Cisco device since consumer level equipment can.
View 1 Replies
Oct 11, 2012
I have a couple of issues with my EasyVPN server and Cisco VPN Client on Win7.
1: VPN Client establishes the connection, traffic flows, destination network can be pinged. After a few minutes traffic stops passing the VPN. No ping to IP or DNS names can be made. In order to resolve it, users have to re-establish the VPN again. Occasionally it stays and continues to work.
2: VPN Clients don't pick the same IP address from the local address pool even though I specified the "RECYLE" option in the IP local pool command.
Configuration:
##############################################################################
TQI-WN-RT2911#sh run
Building configuration...
Current configuration : 7420 bytes
!
! Last configuration change at 14:49:13 UTC Fri Oct 12 2012 by admin
! NVRAM config last updated at 14:49:14 UTC Fri Oct 12 2012 by admin
[code].....
View 2 Replies
Sep 4, 2011
I recently purchased a Cisco 2911 to replace my Cisco 1711 router. I copied the configuration from the Cisco 1711 router to the Cisco 2911 router. Everything seemed to work correctly except when I VPN tunnel into the Cisco 2911 router using Cisco's VPN client version 5.0. I can ping the router LAN interface from my PC that is VPNed into the router but I can no longer ping or access the devices on the LAN side of the router as I did on the Cisco 1711 router. I don’t see errors in the log or hits blocking anything in the acls. It’s using the same configuration that I had on the Cisco 1711 router, and this did work on the Cisco 1711. The Cisco 2911 router is running IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1).
Here is the VPN client portion of the configuration: The LAN is addressed as 192.168.0.0/24. The router LAN interface is 192.168.0.1, which I can ping and access. I can't ping or access anything on the LAN (192.168.0.0/24) besides the router.
aaa authentication login vpnclientauth local
aaa authorization network vpngroupauth local
!
crypto isakmp client configuration group remote-clients
key 6 xxxx
pool clients
[Code]....
View 11 Replies
Aug 4, 2012
I have a site-to-site VPN between a Cisco ASA and a Cisco 2911 router. The ASA is static IP and the Cisco 2911 side is dynamic IP. My site-to-site VPN is working fine. I am just trying to make PAT over the VPN, meaning I want to forward one IP in my public pool to one of my local IPs on the Cisco 2911 side.
View 2 Replies
Nov 2, 2011
I have a 2911 router where I was configuring the device to allow remote desktops connections. Everything is working properly, but for some reason my ACL has disappeared.
View 5 Replies
May 16, 2013
i have router 2911
pub ip: 121.97.65.61-74
interface gigabitethernet 0/1
ip address 121.97.65.61/28
[Code].....
and other ip will drop/kick/disconnected automatically
how to implement this on access list
View 6 Replies
Apr 20, 2009
We are using an ASA 5510 and remote access (SSL VPN) using the AnyConnect client.
Is it possible to display a user message when a user connects using the AnyConnect client, matching a specific dynamic access policy? Can the message be displayed when the action is "Continue" rather than "Terminate"? I can't seem to get this to work and wondered if there was a LUA function to do this.
We have a DAP which gives a restricted ACL when the user's anti-virus is out of date, and I wanted to notify the user to update their anti-virus and reconnect.
View 4 Replies
Sep 20, 2012
I have a few ASAs with L2Ls in a hub-and-spoke fashion, works great. All ASAs are 8.2(1). I've tried to add remote-vpn to the HQ ASA. I have this working on a PIX 6.3 box at HQ, but have not been able to make it work completely on the ASA.
Just to check, I also set up remote client vpn access on one of the spoke ASAs, and that actually did go well. Applying the equivalent config on the HQ ASA - won't function.
The problem with the HQ ASA remote client vpn is that after completed phase 1 & 2, the traffic goes one way only, from client side towards the ASA. I.e. remote side only encaps, no decaps; ASA side only decaps, no encaps. If the remote client pings a host on the inside (i.e. behind the HQ ASA) the packets arrive, and are returned towards the ASA (a correct route for the remote vpn network is in place on the inside host). However, it seems as if the ASA doesn't send that traffic back into the tunnel, but rather sends it unencrypted through the default route (doing a traceroute from the inside host for instance suggests this).
The ONLY way I can pass traffic towards the remote client is by initiating a ping from within the HQ ASA, it's the only time I get encaps on the ASA side and decaps on the remote side of the tunnel. Interestingly, it's actually the "ping outside 192.168..." that works, doing an "inside" ping fails. Compare this to the spoke ASA and its remote vpn client, there an inside ping is successful, but not an outside ping, i.e. the spoke ASA functions as expected with its remote vpn. Given that the configs on the two ASAs are the same for remote client access, I would have expected both to work, not only one of them. But then, the HQ ASA has more lines of code, and I guess that something there gets in the way. [code]
View 7 Replies
Apr 3, 2013
I have two Cisco routers - 2911 in HQ and RV180 in branch office. Because in the HQ LAN network I have some development servers, to which guys from the branch office need to have access, I decided to set up VPN site-to-site between HQ and branch office. Everything went quite smoothly, on both devices I see that the ipsec connection is established. Unfortunately I am not able to ping resources from one network to the other one and vice versa. Below is the configuration of the 2911 router (I skipped some unimportant (imho) configuration directives):
crypto isakmp policy 1
encr 3des
hash md5
[Code].....
View 9 Replies
Jan 22, 2011
I have a setup in a different location with the ASA firewall with VPN enabled and a print server. On Network B I have a server with 2008 installed and it's my NAT server, DNS and file server. Now the client on Network B wants to access the server in Network A remotely through VPN. They could connect but cannot use Remote Desktop; either it's an IP translation issue or I don't know.
View 2 Replies
Feb 2, 2012
I try to configure a simple EzVPN infrastructure:
EzVPN Server (CISCO2811, hostname cme) < -- > EzVPN Remote (ASA5505, hostname ezvpn-asa) < -- > Client
Attached you find both configuration of the EzVPN server and remote. The tunnel is getting up and if I ping from the ASA to the Router, I see the packets getting encrypted:
ezvpn-asa# ping 172.16.100.1
...
ezvpn-asa# show crypto ipsec sa
interface: outside
Crypto map tag: _vpnc_cm, seq num: 10, local addr: 172.16.100.2
[code]....
If I connect a client with IP address 192.168.1.2 to the interface eth0/1 and do a ping to the cme, I don't see any packets getting encrypted. I don't have any idea about VPN, I just need it for a wireless lab environment. What do I have to configure on the ASA, so the inside traffic is encrypted?
View 2 Replies
Mar 10, 2013
I have an ASA 5505 that is on the perimeter of a hub & spoke vpn network, when I connect to this device using the VPN client I can connect to any device across the VPN infrastructure with the exception of the sub net that the client is connected to, for instance:
VPN client internal network connects to 192.168.113.0 /24 and is issued that ip address 192.168.113.200, the VPN client can be pinged from another device in this network however the client cannot access anything on this sub net, all other sites can be accessed ie. main site 192.168.16.0/24, second site 192.168.110/24 and third site 192.168.112/24. The ACL Manager has a single entry of "Source 192.168.113.0/24 Destination 192.168.0.0/16 and the "Standard ACL 192.168.8.8./16 permit.
View 14 Replies
Apr 19, 2011
I have a Cisco 2811 with security bundle with IOS 12.4(13r)T. I am planning to use this router as a VPN gateway for the company (i.e.)
1. LAN 2 LAN VPN ( Supporting if remote site is having dynamic IP)
2. Remote access VPN for VPN client
I have configured the router (attached is the configuration). I have not tried to use the LAN to LAN VPN (first I complete remote access VPN and then check L2L). I tried to use the remote access VPN. I am able to connect from the VPN client software and got the IP address but am unable to ping the servers in the LAN.
View 13 Replies
May 25, 2012
This is probably where I should have started my search. During the last 2 days I have taught myself numerous things to try and figure out this problem. I want to run 2x Client on my android to remote into my desktop. I have a Verizon fios actiontec router ver. I and running win 7 prof.. I have been able to easily set up the 2x client and remote into my desktop while on my home wifi but trying to use 3g/4g service has yielded nothing but heartache and stress.
View 4 Replies
Mar 27, 2012
Question is in the subject line. Maybe I am missing something, but this does not seem to work (No such file or directory).
View 3 Replies
Apr 28, 2011
I'm having extreme issues in getting my vpn client to connect to a cisco router with a hwic-3g-hspa cellular interface.
I have tested the config remotely by traversing the tunnel I have set up with a cisco vpn client and the client does connect, however when out on the road it doesn't respond. I'm literally hitting my head against a brick here, everything just seems right, I can't explain it.
I have done debugs and there is no sign of life, it's as though when the vpn client connects to the router it's not responding. Anyway, here is my config, for the vpn clients part that is.
aaa new-model
!
!
aaa group server radius vpn-client-server-group-1
[Code].....
View 2 Replies
Jun 28, 2011
I've been trying to set up an SSL VPN connection for remote connectivity with AnyConnect Client. I've configured virtually everything necessary, I can connect to the VPN page, download the Client, establish connectivity, get an internal IP address. But I can't ping any internal (and of course external) IP addresses.
View 12 Replies
Jun 18, 2011
I have an ASA 5520 in my head office and 2811 routers in the branches. I connected two branches with my HO through VPN. Now I configured a remote VPN client on the HO ASA. Now I need to access all the branches using this remote client. How do I create the route on the HO ASA?
View 7 Replies
Dec 20, 2011
I have difficulties with configuring Remote IPSec VPN with Cisco ASA 5505 and Windows 7 native VPN client. My client PC gets a VPN pool IP address, and can access the remote network behind the ASA, but then I lose my internet connectivity. I have read that this should be an issue with split tunneling, but I did as it is told here and no luck. On Windows VPN Client settings, if I uncheck "use default gateway on remote network" I have internet connectivity (since the client is using the local gateway), but then I cannot ping the remote network. In the log, I see warnings of this type: Teardown TCP connection 256 for outside:192.168.150.1/49562 to outside:213.199.181.90/80 duration 0:00:00 bytes 0 Flow is a loopback (cisco). I have attached my configuration file (without the split-tunneling configuration I tried). If you need additional logs I'll send them right away.
View 4 Replies
Mar 16, 2012
Device asa 5550 - But can a Client establish a SSL VPN to remote network and devices on the remote network access local network printers? so you got one client one network A that creates a SSL VPN to network B , can network B be configured so that automatic job come across the same ssl vpn to a Different IP?
View 5 Replies
Oct 26, 2010
I am using Cisco configuration professional to set up one easy vpn server on 887-K9,vpn client can dial up the server successfully but can only ping router but on other lan. Looks like there is a nat issues between lan and vpn client?
View 5 Replies
Oct 10, 2011
I can't seem to find out how I can generate a PCF file for a new remote vpn SW client? I have a VPN Concentrator 3000 series.
View 1 Replies