Cisco VPN :: 3000 Concentrator Intermittent Login Failures
May 11, 2011
I manage a VPN 300 concentrator which has been happily working for several years without any problems. All users are part of the same group and authenticate to an RSA server. We recently moved from RSA authentication manager 6.1 to RSA authentication manager 7.1. Everthing continued working fine for several weeks, then at the beginning of this week we started getting users intermittently failing to connect to the VPN. I'm not sure if this problem relates to our new RSA server, but we have other network devices which authenticate to it with no problem so I guess the problem is with the VPN concentrator itself.
When users fail they just get a generic "Reason 427 connection terminated by peer" error message. The live event log shows "group = vpn, status = Not-in-service" when their connection fails. Other times they connect normally and no error messages are displayed. There seems to be no real pattern, sometimes your connection fails but if you keep trying you will eventually get in [however it can take many attempts over an hour or two before you succeed, or you may get in straight away with no problem].
I dont believe its a network problem, as I have run continuous pings to the concentrator and the RSA server whilst users are experiencing these problems and there are no drops.
The RSA servers authentication monitor always shows that the user has successfully authenticated, whether the users connection actually succeeds or not. I am tempted to just reboot the concentrator, but we have site-to-site VPN tunnels connected off it and I'm a little concerned that if it is faulty it may not come back up at all.
View 2 Replies
ADVERTISEMENT
Apr 14, 2011
Our VPN 3000 concentrator's admin password was changed by somebody so i reset the password by using straight through serial cable, now the problem is it allows me to login with admin through console but not through admin web interface or telnet. I have enabled telnet and http access but still no success. Concentrator is using internal database so no AAA server is configured.
View 1 Replies
View Related
May 28, 2011
I have been trying to setup a LAN-to-LAN VPN between two sites that are using a 3000 series CISCO Concentrator. After following the basic setups from the CISCO site, I am still unable to create a tunnel. At the moment I'm starting to believe it is how I have physically setup the network. Site 1 is using a Billion BiPAC 7404VNPX ADSL2+ Modem, Site 2 is using a Netgear DGN2000 ADSL2+ Modem, The VPN Concentrators are setup behind these devices with each firewall setup to allow the needed ports forwarded.
View 5 Replies
View Related
Aug 14, 2011
I have a client who saw there was a android version of the AnyConnect client and want me to go through and get their VPN 3000 Concentrator confingured to be able to connect in with it.
The Conncentrator is currently setup several groups of users and the base group is set up to all other products to connec tin via a pre shared key. It took alot research to get it configured to this point and all the searches i pull up are for a ASA.
View 1 Replies
View Related
Apr 4, 2012
I have a VPN Concentrator 3000 with LAN-to-LAN DES-56 connections connected to it (Cisco PIX 506). Everything was working fine and then over the night something messed up on it. No settings were changed or anything.
First issue was anything using DHCP (getting IPs from the sites local PIX) couldn't be pinged or reach out through the Concentrator. It was only Thin Clients that didn't work. I could still ping the PIX, printers and desktop computers that were static set IPs. But this was happening at every site going through this Concentrator. The sites going through out MPLS network are fine.
I tried setting the Thin Clients to a static IP but still couldn't ping them.
I then decided to reboot the Concentrator, when it came back up all sites reconnected back to the Concentrator but now couldn't ping anything at the sites, not even the LAN IP of the PIX (or printers and desktops now). I power cycled a few of the sites PIXs but they still were not pingable even though the Concentrator showed they were connected.
I then decided to physical power cycle the Concentrator, it's back up and all sites are connected but none of the devices on the LAN side are reachable.
The Concentrator can ping the sites WAN IP but nothing on the LAN side going through and out the Concentrator. It can ping the LAN through the private interface (going back towards my LAN) just not going through the public interface (over the WAN).
The sessions show that Bytes are Rxing but no Bytes are Txing.
View 0 Replies
View Related
Aug 8, 2011
I have 3000 concentrator in 192.168.1.x/24 network (concentrator has static IP of 192.168.1.4/24 assigned to its private int). I can manage it thru HTTP from any PC in the same subnet, but connection failes while trying to connect from PC on different subnet (i.e. 10.1.1.x/24). Is there ACL in concentrator config which needs to be modified to allow management from different subnet?
View 2 Replies
View Related
Nov 21, 2010
Our enterprise uses a VPN Concentrator 3000 for our VPN access. Is there a way to view a log history of what user connected to VPN and what IP address they were assigned? It would be for 2 days ago which was over the weekend.
View 3 Replies
View Related
Mar 27, 2011
I've the following scenario VPN Concentrator is connected to a router which is connected to a router and at the edge Cisco 515E PIX is connected to the internet. The problem is that the normal VPN Dial-up connection (a utility of windows) are getting connected but Cisco VPN Client throws error 412. Here's what I've tried (Initially groups and user were created):
(1) Allowed port 10000 on PIX ( access-list from-outside-coming-in permit tcp any host <public ip> eq 10000) and checked IPSec over UDP on VPN Conc. under Mode Config tab. Also checked IPSec over TCP tab under tunneling panel at port 10000. Tried connecting through VPN Client but it threw error 412
(2) In the reference guide, I read that IPSec over NAT is allowed on ports ranging from 4000 something to 40000 something.
I tried 33333, both on PIX and VPN Conc. under Mode Config tab but still no use. Same error 412.
View 3 Replies
View Related
Jun 27, 2011
is it generally possible to configure a site to site VPN connection between Cisco VPN Concentrator 3000 and Cisco RV220W / RV120W?
View 2 Replies
View Related
Jul 8, 2012
I have an old VPN 3000 Concentrator that I do not have any idea what is running on it. The previous network admin didn't leave a password for it, so I tried to reset the password. I was successful in doing so, but when I try to access it with the default of admin/admin via web browser, I still cannot access it. I am loathe to remove or power off this device without knowing what is on it.
View 6 Replies
View Related
May 19, 2012
We have two 3000 vpn concentrators. Under both of their load balancing fields, Configuration - Load balancing , the checkbox for loadbalancing is enabled.However both have different priorities, one with 10 and other with 1. Does this mean both are actually loadbalancing. What does the priorities indicate here?If we replace the concentrators with ASA , how will this load balancing need to be configured on ASA & how will it work.
View 5 Replies
View Related
Jul 27, 2011
We have to setup an IPSEC tunnel for a client that does not what to exchange private IP address information for security and overlapping address space reasons. We will both be natting our source private ip address space as public IP address space and send those packets through the established tunnel. Im using a Cisco 3000 concentrator.
View 1 Replies
View Related
Sep 21, 2011
We recently had a Port Scan done on our external IP Addresses. One of those IP Addresses scanned was our Concentrator 3000. The report came back with the following TCP ports being open on the Concentrator 3000 - 80, 443, 1723, 10000, 10001, 10002, 10003, 10004, and 10009. I am unsure if it is necessary to have any or all of these open. The Concentrator 3000 is in front of our ASA5520.
View 1 Replies
View Related
Oct 10, 2011
is it possible to use cisco AnyConnect client to connect users with Cisco VPN 3000 appliance?If so how to configure VPN 3000 concentrator to work with AnyConnect?
View 1 Replies
View Related
Jul 1, 2011
I just built a new computer running Windows 7 with an Intel 82579V Gigabit on the motherboard. Since last night while playing an online game, I have occasionally noticed sudden network failures where I either time out of my game or severely lag for 10 seconds before the game catches up.
My other network hardware and setup remains unchanged during this build.I have never had issues with my internet connectivity from my ISP.
The problem is not consistent and I'm not sure how to repeat it. I was playing my online game for several hours and then suddenly started having problems every 5 minutes with disconnecting.I can watch the network utilization in the Windows Task manager drop suddenly and then spike back when I reconnect to the game. Similar visual seen on the Tomato software on my router.
So far I've grabbed the latest drivers for the network chip from my motherboard manufacturer's website and turned off Teredo. I also made sure no power saving features were enabled on the network chip in the device manager.
View 1 Replies
View Related
Jan 23, 2013
Is it possible to configure a site-to-site VPN between an ASA 5510 running 8.2(1) and an old Cisco VPN Concentrator 3000? I've only been able to find an old 3000 to PIX guide on Cisco's site, and I cannot figure out how the two device's VPN options match up.
These are the options from the 3000:
IKE Proposal
Authentication:
Encryption options:
On the 5510's Site-to-Site Connection Profile, all the options are clumped into two boxes under Encrption Algorithms:
IKE Proposal: Encryption, Hash, DH Group, Authentication
IPsec Proposal: ESP Encryption, ESP Authentication
We have a pre-shared key configured, but I cannot find a set of options on the 5510 to match the 3000; I always get this error:
3Jan 24 201310:10:09713902Group = 63.192.x.x, IP = 63.x.x.191, Removing peer from correlator table failed, no match!1Jan 24 201310:10:11713900Group = 63.x.x.191, IP = 63.x.x.191, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
View 2 Replies
View Related
Nov 8, 2012
My netbook keeps getting DNS Lookup Failure messages. This happens about every 20 minutes, give or take, though sometimes it can go longer before the failure. I can "solve" the problem by quickly repairing the network connection, but that's tedious. It happens only on my laptop and not on my housemate's desktop (wired connection) though he did say that it happens to him on his laptop as well. In looking around I thought the problem might be because i'm using Chrome, but it happens on Firefox and Opera as well.
View 5 Replies
View Related
May 8, 2011
I have over 20 units doing the same thing and it seems to be a software isssue but i dont see any bugs or posts on it. This is only on 2960S switches and not 2960 or 2960G units.
If i use the password reset feature to break the units into rom and then type "boot" instead of power cycling the unit, they will fail MBIST post tests. If the unit is power cycled or left to boot normally on its own, there is no issues and all post tests pass. I know MBIST is Memory Built In Self Test and was thinking maybe breaking the unit into rom disrupts those memory tests for some reason. I tried the following software and got the same results with all of the images:
122-55.SE2
122-55.SE
122-53.SE2
122-53.SE1
Logs attached are from the same switch, one with password reset procedure used and while left to boot on its own.
View 11 Replies
View Related
May 18, 2011
My internet connect works fine for hours at a time, then suddenly will get 7 or 8 General Failures while pinging (long enough to boot me off the net) then will be back to working fine immediately afterwards.Pinging 127.0.0.1 works fine. I've checked the firewall (Norton) and it has the default settings
View 3 Replies
View Related
Feb 10, 2012
I have a website account with fatcow. I created the website with Dreamweaver software and uploaded it to fatcow via port 21.My internet connection was via xplornet and I had no access problems. I upgraded to xplornet's new g4 system and now I can no longer access my account online or upload to my website.We have two computers. The first is a desktop system that has the dreamweaver software. The second is a laptop which connects wirelessly. We share the signal through a dlink router. The modem is a viasat Surfbeam 2 residential satellite modem.1. When I attempt to login to the fatcow control panel, the tab shows successfully authenticated and then re-directs me back to the login page. This happens on both the laptop and the desktop.
I have tried bypassing the router and the problem still exists.I took the laptop to the computer center and I can login to the account no problem.I used a free proxy server page on the internet and can login from my home system on my desktop no problem.I have completely turned off virus scan and firewalls. It doesn't work. I have tried IE7, Chrome, Firefox and they all have the same problem. The laptop runs IE8 and has the same problem.I can ping the page successfully. I can traceroute the page successfully. I can't nslooup any site at all. I get the domain not existant message.My ip and dns settings are the automatically find option.I have renewed ips and dumped the dns cache.Using alternate dns addresses doesn't rectify the problem. When I attempt to upload via dreamweaver, I connect but within seconds I get a Dreamweaver message that says "Connection to remote host has been lost. Click refresh to continue" and the log reads "FTP Error. Dreamweaver could not connect to server." I haven't taken my desktop anywhere to try to see if it works on a different network. I'm in a remote location (hence the satellite internet)and it is an hours drive to the nearest private internet connection and a 2 hour drive to the nearest public connection.
View 19 Replies
View Related
May 9, 2013
We have a Linksys WRT120N wireless router set up at one of our small offices. I noticed recently when trying to log in to the router to make some admin configurations that it will not accept the login credentials when trying to log in from IE10 browser. Works fine from Chrome, IE9, ect. logging in to a linksys router with IE10?
View 3 Replies
View Related
May 23, 2012
C3745-ENTSERVICESK9-M version 12.4(10b). ROM version 12.2(8r)T2.This router appears to be generating spurious fan failure alarms. The fan assembly has been changed for a new one, the engineer checked and was satisfied that in a physical functional sense the replacement fan assembly was definitely working, but we now have all 4 fans showing as failed. We are being told that the replacement unit is believed to be part of a batch of faulty fan assemblies and that it was a known Cisco issue.
View 3 Replies
View Related
Apr 25, 2013
I have a site to site ipsec tunnel setup between an ASA5510 and a 2951 Router. The ASA 5510 is on a 10.x subnet with a few vlans behind it. There are also 7 other ASA5505 that connect to this box with ipsec.
The 2951 is on a 10.x subnet with multiple vlans behind it (10.x and 192.x subnets).
When I had ACL to allow traffic from 10.20.0.0 (ASA) to 192.168.111.0 (2951 - voice vlan) the connection comes online and is stable.
The minute I add any of the following, the connection drops off with Phase 2 errors: 10.20.0.0 to 10.1.200.0 10.20.1.0 to 10.1.1.0
I can add a second 10.20.0.0 to 192.168.10.0 with no problem at all. The issue only seems to occur when attempting to add traffic from 10 to 10 on the tunnel.
View 2 Replies
View Related
Jun 7, 2012
I'm looking for a way to monitor client authentication failures with our 3 standalone 1142N APs. I know that I can see failures under the log viewer of each AP
View 4 Replies
View Related
May 23, 2012
After upgrade from ACE20 with A2(3.5) to ACE30 with A5(1.2) I get failures in a number of server farm's, where before upgrade the number was zero. No drops in VIP and logs from applications do not notice any new errors.
View 2 Replies
View Related
Oct 17, 2012
I have a 2851 and a 1841 both serving as hub routers in a GRE multipoint configuration. They are both receiving buffer misses and failures on startup. I will post the output of show buffers below:
LAB-HUB-RTR#show buffers
Buffer elements:
607 in free list (500 max allowed)
9071 hits, 0 misses, 618 created
Public buffer pools:
Small buffers, 104 bytes (total 71, permanent 50, peak 71 @ 00:11:33):
68 in free list (20 min, 150 max allowed)
7083 hits, 74 misses, 0 trims, 21 created
55 failures (0 no memory)
[code]....
I have tried increasing the small/medium buffers initial size and permanent size, however there is no change. The buffer failures for small and medium buffers are always around this many every boot.I have also changed the IOS versions between 12.4.24(T4) to 15.1 with no luck in stopping the failures.
View 1 Replies
View Related
Sep 23, 2011
I made a custom-built V1 Windows Home Server that I really would like to be able to remote access. I have tried the Netgear 3700, but it did not allow remote access. A D-Link DIR-825 does, but it, and many D-Link products, have a persistent problem of requiring a reset due to dropped connections. I have had 2 of the DIR-825's drop connections. I have been told that their QoS components cannot handle the load on them and fail, causing the drops, but I cannot corroborate that.Perhaps what I need is a router that allows "NAT loopback"? This way I can see the WHS Console verify that I can access the server from outside my network. I have tried to do so with the above routers via a 3G connection on my iPhone 4 and all except the D-Link failed to allow access to my WHS.
I should add that I am using a D-Link DSL-520B modem on ATT DSL. It is a 6MB connection from the ISP. Previously the modem was in "bridge mode" on the D-Link router. Also, contacting ATT I was told they do not block any ports. I have tried forwarding the proper ports (80, 443, 4125) for the WHS, but that has not given me remote access. I did get them by enabling UPnP on the D-Link. Is all this an issue of needing the modem on "bridge mode" in order to work properly? Any router for my needs that allows remote access (NAT loopback needed?) and also has a solid connection? Gigabit ethernet is a must have too. Otherwise I am open to options. I would like a combined router/modem unit to make things a little easier.
View 3 Replies
View Related
Apr 28, 2012
does a spanned drive have any protection against disk failures?
View 2 Replies
View Related
Aug 6, 2012
I'am a bit newbie at using Cisco products and here is my problem : I have set up a VPN tunnel between 2 Sites (A and B) a few month ago using 2 cisco SR520-ADSL-K9. All was working fine until power failures occured on the sites B (secondary site).
What happened was that none of the ethernet ports were working, excepting during booting, I was then able to ping computers linked to ports Fastethernet0, FastEthernet1, FastEthernet2 and FastEthernet3 but after a few seconds all ports were disabled but my DSL seemed to be working.
So I took back the router home to check it. I managed (I think) to make a factory reset using a serial terminal and following the procedure described here [URL]
Since I did the reset, I thought I would be able to re-use Cisco Configuration Assistant (3.1) to re-configure the router (I am very bad at using the command lines) but I am unable to connect to the router using the supposed default IP : 92.168.75.1 (I set my computer to use 192.168.75.50 IP adress with mask 255.255.255.0). But I can't connect to the router ... even if the Ethernet ports seem to work because green light is on when plugging my cable. connect to my router using CCA ?
For more information, here is what I get when I run "show startup-config" and "show running-config" in terminal console. I guess the objective is to make the startup-config beeing the running-config, but I have no idea on how to do that ..
show startup-config
show running-config
Router#show startup-config
[Code]......
View 2 Replies
View Related
Mar 7, 2012
I have seen this at two sites now: after migrating the site T1 to 10-Mbps Opt-E-MAN and replacing old 10/100 switches with 10/100/1000 switches, users frequently get http connection errors. The error goes away if the user reloads the page--sometimes they have to reload more than once. They never had this problem before.I thought it was due to the large number of 5-port desktop switches infesting the networks (I'm getting rid of them as fast as I can) but it happens even on a PC directly connected to one of the new GigE switches. It does not happen when accessing internal web pages. It looks like a DNS failure -- but nothing has changed in our DNS setup, except that users have a fatter pipe to our DNS servers.
View 3 Replies
View Related
May 6, 2013
Installed Cisco AnyConnect Secure Mobile Client on a new Asus CM6870, downgraded to Windows 7 Pro. It worked fine for 3 days, establishing VPN connections with my workplace without a probllem. Then it repeatedly failed to connect.
I attempted an uninstall/re-install, and the install now fails as well, returning the following error: The VPN client agent was unable to create the interprocess communication depot. When I do manage to get it re-installled, it works sometimes, then fails to establish connections other times. I am not an IT professional, so trying to diagnose the issue by reviewing the Windows/Inf/setupapi.app.log and .dev files is a no go. I do not hold a contract with Cisco so I am not authorized to open a support ticket, or receive phone support (again, I tired).
View 0 Replies
View Related
Jan 20, 2011
In each case, the routers have functioned flawlessly for a period of 2 to 8 months, then suddenly begin to require daily to hourly reboots to keep the speed up, and often times fail to respond to any web activity whatsoever. Ping tests are intermittent, sometimes failing but other times succeeding while web sites remain unresponsiveFor three years I lived with two or more room mates at a time, each of us with our own computer (or 2) and all doing a lot of peer to peer downloading. I realize a router can overheat during heavy use like this, so buying new routers so regularly has seemed vaguely understandable. However it doesn't seem like that is the case in my most recent failure.I've lived alone for the past 3 months, and have owned the Belkin Play Max N600 HD since. I have NOT been P2P downloading or putting a heavy load on my router in any way (or so it seems). Yet as of about two weeks ago, it has suffered a major slowdown just like all of its predecessors. Yet my 30 mbps internet connection roars to life the moment I plug the modem directly into a computer.
My desktop remains on 24/7 but like I said before, I do not do constantdownloading/uploading. Both wired and wireless connections are effected equally, and I have always kept all my routers WPA encrypted.When websites become unresponsive on my Belkin today, it is usually after everything has been sitting idle for some time (overnight, or all day while I am at work). Speaking of work, today is a perfect exampleI remoted into my home desktop and was able to interact just fine, yet when I would launch a browser and try to load any website at all, I get absolutely nothing. I had to transfer a text document through DropBox (which also still worked) because I couldn't get Google Docs (or gmail) to load on the remote computer
View 9 Replies
View Related
May 14, 2012
For more than 6 months I have been happily using a Sierra Wireless AirCard313U to connect my Win7 Pro (64-bit x86) laptop to the internet, and using another corporation's VPN (Citrix Access Gateway) as a contractor - so networking problems ARE my problem.
Now what happens is: DNS failures halt my internet browsing and any hope of RDP'ing into the corporate LAN whenever I connect to the VPN while using the AirCard (its a USB/cell modem device). The DNS lookups and RDP'ing works fine when I'm using the VPN with my wifi.
What changed recently:Installed Connectify software Uninstalled Connectify software (didn't work w/AirCard) Installed VirtualRouter software Uninstalled VirtualRouter software (didn't work w/AirCard) Installed Sierra Wireless' AirCard Watcher software (manager app, may have included updated drivers for the AirCard) Re-install Connectify software (now worked w/AirCard)Uninstalled Connectify software (DNS problem had appeared)
I've tried removing ISATAPs, running these commands & rebooting, to no avail:netsh int ipv4 reset reset.log netsh int ipv6 reset reset.log netsh winsock reset catalog
Right now, connected to VPN via wifi my ipconfig /all looks like this:
Windows IP Configuration
Host Name . . . . . . . . . . . . : W7
Primary Dns Suffix . . . . . . . :
[Code].....
View 3 Replies
View Related