Cisco VPN :: 5510 - Connection Fails Using Full Tunnel?

Mar 31, 2012

We are using a 5510 and have issues trying to use VPN with full tunnel to connect from inside the firewall to a customer site. I don't seem to have a problem when using split tunnel profiles. How would you troubleshoot this?

View 12 Replies



Cisco VPN :: AC 3.0 Full Tunnel Connection Fails After CSD Loads?

Jun 28, 2011

I have an AC 3.0 connection that works fine prior to CSD. Once I've enabled CSD I get CSD to load and then the AC tunnel fails. I've attached the DART bundle and a few screen shots.

View 3 Replies View Related

Cisco VPN :: 5510 - IPSEC Tunnel Won't Attempt Connection

Jul 31, 2012

I have a 5510 and a 5505 that I'm attempting to configure a simple VPN tunnel over. I have tried step by step configurations from CISCO ASA configs, as well as every source I can find. I have walked through the config with IOS commands as well as Wizards. All my packets are dropped at the inside or outside interface.
 
When I show SH ISAKMP command all I get are 0's straight down.

View 7 Replies View Related

Cisco VPN :: 1841 SSL VPN Full Tunnel Using AnyConnect

Feb 17, 2012

I need to work with the full tunnel feature of the IOS SSL VPN using a Cisco 1841. Here is what I see...
 
-I login to the portal page and click the "Start" button for "Tunnel Connection (SVC)"
-Security Alert message "This page requires a secure connection which includes server authentication. The Certificate Issuer for this site is untrusted or unknown. Do you wish to proceed?" I click yes.
-Anyconnect says "Please wait while VPN connection is established"
-Anyconnect error "The certificate on the secure gateway is invalid. The VPN connect will not establish"

View 10 Replies View Related

Cisco :: Full Access To Everything Since The Tunnel Is Set To Bypass Interface ACLS?

Nov 23, 2011

I have IP phones at the remote location that connect into the phone switch (it's a Nortel CS1000 system) over the tunnel. Internal calls work just fine, however when somebody calls from the outside, or calls are made to the outside, the connection is never finalized. Like if I call from my cell it rings the phones, but when I answer there is nothing but dead air. In the group policy for the tunnel, I gave the remote site FULL access to the phones vlan and vice versa...which obviously works since internal calls work fine. If I remove my group policy and give it the Default group policy, which essentially gives that tunnel full access to everything since the tunnel is set to bypass interface ACLs, external calls work fine. So it's definitely related to the group policy.

The group policy is basically: allow remote site to X network/host on these ports, no denies since it blocks whatever isn't specifically allowed. However since it can get to the phone switch and it can get to the internet I'm not seeing why the calls aren't working. The only thing I can think of to try doing as well is remove the allow inbound traffic to bypass interface rules and treat it just like another vlan interface on the ASA. Create the rules on each interface for the remote site network etc. and see if it works that way.

View 5 Replies View Related

Cisco VPN :: ASA 5540 / Internet Access Is Slow When Running Full-tunnel

Aug 7, 2011

We have ASA 5540. We set up Site-to-Site VPN and Remote Access VPN (Cisco VPN client). If we are running full tunnel on the Cisco VPN client, the internet access is slow. For example, when we are running full-tunnel, the internet speed is 16 Mbps based on Speedtest.net. When we go to Speedtest.net, some of the graphics do not load. If we are running split-tunnel, the internet access speed is 78 Mbps based on Speedtest.net and the Speedtest.net web site loads all the graphics.

View 6 Replies View Related

Cisco WAN :: 1494 - Citrix Fails When Going Through GRE Tunnel

Apr 10, 2006

A group of Citrix Clients connect to a Citrix Metaframe Server. The port numbers involved are Citrix Metaframe (TCP/UDP 1494) and MS Terminal Server (TCP/UDP 1604).
 
The network is configured such that the communication between the Citrix clients and server goes through a GRE tunnel. Traceroutes from client to server, and vice versa, confirm that it passes thru the GRE tunnel. There's no ACL, firewalls or NAT devices along the IP path, in both directions.
 
The issue is, all Citrix clients can ping to the server but some fail to log on to the server; some have no problem. Also, other applications, e.g. PCAnywhere, can go through. If the GRE tunnel is taken away, all Citrix clients can log on to the Citrix server.

View 3 Replies View Related

Cisco VPN :: ASA 5505 - S2S VPN Tunnel Fails After Upgrade 8.3 To 8.4

Jun 6, 2012

I upgraded an ASA 5505 from 8.3(2) to 8.4(4) this evening.  The 5505 is a backup and used to perform testing prior to production changes. After the upgrade was complete, a VPN tunnel began to fail.  I did a limited search online to see if this was a known issue or something new.  I also reviewed the release notes but did not see anything that matched the issue I received.
 
My concern is that this tunnel configuration is scheduled to be deployed to the production firewalls next week after their upgrade.  But if it failed on the upgraded test unit, it may fail on the production units.
 
I downgraded the backup unit to 8.3(1) and verified that the tunnel indeed worked at that level.

View 2 Replies View Related

Cisco Routers :: RV082 V4.0.4.02 - Tunnel To Main Office (IPCOP 1.4.21) Fails

Oct 27, 2011

I'm using a RV082 with latest firmware v4.0.4.02tm in one of our branch offices. Sometimes the tunnel to the main office (IPCOP 1.4.21) fails.
Both sides display the status "tunnel connected" but IP traffic doesn't go through. If I try to ping the main office using the RV082 diagnostic feature, the RV082 seems to run into a loop...the window continues refreshing without any error message and I'm not able to cancel the test. If I restart the RV082 using the web interface, the "diagnose" and VPN problem still exists, even if the web interface told me that the device did a restart.
 
The only solution is to do a cold restart of the RV082. After that, the VPN tunnel works again....
 
This problem occurred 3 times in the last 3 weeks. I never had this problem with previous firmware versions at this or other sites.

View 1 Replies View Related

Cisco Firewall :: ASA 5510 Fails To Boot

Apr 10, 2013

I have a Cisco ASA 5510 with a strange issue. When I power it ON, the following is the status of the front panel LED:
 
Power is OFF
Status is Amber
Active is Amber
VPN is Green
Flash is OFF
 
Also nothing comes up on the console. I suspected a power supply issue and replaced it, but still it doesn't seem to work. I can't open up a TAC as I do not have a Smart Net contract.

View 2 Replies View Related

Cisco VPN :: Clientless SSL VPN Portal Customization Fails On 5510?

Aug 9, 2010

I am trying to customize a web VPN portal on my 5510 but I get errors whenever I try to add a customization object. Running ASDM 6.1(5)51 on ASA 8.0(5). The error I get when I try to apply a newly created customization object is:
 
[ERROR] export webvpn customization DfltCustomization disk0:/tmpAsdmImportFile2090698426  export webvpn customization DfltCustomization disk0:/tmpAsdmImportFile2090698426                            ^
% Invalid input detected at '^' marker.
[ERROR] import webvpn customization test disk0:/tmpAsdmImportFile2090698426    % copying 'disk0:/tmpAsdmImportFile2090698426' to a temporary ramfs file failed
[ERROR] delete /noconfirm disk0:/tmpAsdmImportFile2090698426    %Error deleting disk0:/tmpAsdmImportFile2090698426 (No such file or directory)
 
Tried revert webvpn all but I get error on that as well:
 
Result of the command: "revert webvpn all"
 
%ERROR: ifs_rm_dir_rec: unknown type of file `disk0:/csco_config/97/customization/86D3828A0A0EB0FFA3B55870AAA43E4F'

View 3 Replies View Related

Cisco Firewall :: ASA 5510 - FTPS Explicit Client Fails At Init TLS Stage

Feb 11, 2013

I have a problem when trying to access from a workstation on the internal network to an external FTP server using Explicit FTPS. After the server requires the client TLS Authentication the client inits TLS but the connection is closed by timeout.
 
I have disabled the FTP inspection on the firewall and I have opened some high ports from the Internet to the test workstation (ACL and NAT rules), but without results.
 
If I try to connect from a workstation to the FTP server using a direct Internet connection I can access the FTP server without problems, so I think the problem is in the ASA.

View 6 Replies View Related

Won't Recognize Connection With 100mb Full Duplex

Nov 6, 2012

So I recently got a new computer today and it won't let me use my 100mbps of internet bandwidth. (Asus Sabertooth Z77 with an Intel 82579v gigabit lan controller) I noticed that at the LAN connection properties>Properties>Configure>Link Speed tab the 'Speed and Duplex' option was on Auto Negotiation and it was only accepting (or supporting) the 10mbps Full Duplex. When I switched it to 100mbps Full Duplex it would mark my connection icon with a red cross and when I clicked diagnose it said "Please connect your ethernet cable or your cable might be broken". So I tested my internet speed with that same cable on a different computer (laptop) and it worked with 40Mbps, so I don't think the cable is broken. Also I just recently downloaded some drivers but one was specifically for the Intel LAN controller but I'm a total noob for all of this computer stuff I don't know if it messed it up or something. Is it the motherboard that's not working correctly?

View 3 Replies View Related

Standing Beside WAP Showing Full Signal But No Connection

Feb 11, 2011

I'm standing beside my wireless access point with my laptop. It shows full signal in my laptop but I cannot connect to internet. I clicked on the view available networks and then the SSID names, typed my network key, and clicked "connect". It keeps on connecting, connecting and finally disappears and WAN connection remains with crossed mark. But it shows full signal in laptop and I'm standing beside the WAP.

View 4 Replies View Related

Cisco Security :: ASA 5510 - ASDM Fails To Load On Mac OSX 10.7 Running Java Version 1.6.0_33

Jun 24, 2012

I have an ASA 5510 running ASDM 6.4(9) and Cisco Adaptive Security Appliance Software Version 8.4(4)1. I am trying to configure it for the first time and I am accessing the ASA via its Management Interface. I am successfully able to connect to the device and get to the Cisco ASDM 6.4(9) page. When I try to run the startup wizard, a couple of prompts display up to the point where the Java applet runs and asks me to enter my IP, username and password. As it is a new system, password and username are blank so I enter and I get a message saying "loading software from cache" which later changes to "software Update completed" and then nothing happens. I am running MacOSX 10.7 Lion, Java version 1.6.0_33. I did try and run this on a Windows system and I was able to load the interface.

View 2 Replies View Related

Windows 7 Laptop Unable To Connect To Full Wifi Connection

Jan 20, 2013

My laptop is reading a full WiFi signal from my router. I am currently connected to the router via Ethernet on the same laptop. I've been reading tons of old threads to troubleshoot this. I'm at a loss. I have used this current networking hardware for more than a year without any problems. I do have a pretty old router but my iPod connects to the WiFi no problem at the moment. Here's what I've tried so far:

- soft reset of router
- power cycle modem and router
- removed saved network information from the laptop

[Code]......

View 14 Replies View Related

Wifi - Getting Barely 1mbit On Full Signal Strength From A 50mbit Connection?

Nov 12, 2011

I have Virgin Media XXL broadband in the UK. I have Avast antivirus. Windows firewall is enabled and all security updates are up to date. I have a 50mbit virgin fiber optic broadband which is working fine on my flatmate's pc's. While making sure the internet wasn't being used my speedtest still returned around 1mbit with full signal strength. I have run speedtest on 3 pc's at the same time and 2 of them were over 30mbit while mine was still barely 1mbit. I am using an Edimax EW-7811Un nano usb adapter. From reviews I read that it should work great with Virgin. But for some reason it doesn't work well despite the full signal strength.

View 7 Replies View Related

Cisco VPN :: 5510 - How To Create ASA / VPN Tunnel

Jun 11, 2013

We currently run dual ASA 5510's in A/S config on our main campus. We would like to create a VPN tunnel to a branch campus. Trying to decide between a 5505/5510/5512x. We would like to extend many of the capabilities of our network to the branch campus, which will be 20-50 users on a 50mb/10mb internet connection.
 
Domain login
System Center workstation management
Cisco WCS
Shoretel voip
(Cisco NAC?)
 
Several different VLANs for wireless guest, student traffic, staff traffic, voip traffic, etc. Which device would be best and should we get the security plus license with it?

View 4 Replies View Related

Cisco VPN :: 5510 - Get A Tunnel Established?

May 2, 2012

I have two 5510's that I am trying to get a tunnel established between. One has an existing tunnel to a 5505 that works but I can't get the next one to get past the first phase. I have sanitized the attached configs.

View 5 Replies View Related

Cisco VPN :: 5510 VPN Tunnel Looks Up But No Ping

May 30, 2012

I had a pix that had two working tunnels going to one 5510 and one 5520. Today the VPN tunnel to our 5520 stopped working but if I do sh cry isa sa both tunnels have QM_IDLE as the state. (both ends) I tried to debug crypto isakmp 255 but all I get is PEER_REAPER_TIMER and no other output on the pix side.

View 20 Replies View Related

Linksys Cable / DSL :: WAG320N With 100 Mbps Fiber Is Not Establishing Full Duplex Connection

Feb 26, 2011

I have 100 mbps fiber connection. I bought 320N today and here is the problem:
 
We have a switch in the building. I am getting connection via CAT5. So I chose "Use as WAN Port" from Ethernet settings. There is not much you can do here. I just used PPPoE and connected to the internet without any problem. The problem is I am only getting 32mbps. When I connect the CAT5 cable directly to my computer I am getting 92mbps.
 
Maybe WAG320N is not establishing a full duplex connection.

View 3 Replies View Related

Cisco VPN :: ASA 5510 / VPN Tunnel Drops Due To Inactivity?

Dec 12, 2011

I am using a Cisco ASA 5510. Our tunnels always drop due to inactivity, which is a security issue I understand, and it only takes some "interesting traffic" to bring it back up. My problem is that it looks like the interesting traffic has to originate from my side of the tunnel, when our clients send traffic and the tunnel is down due to inactivity it does not come back up. Is there a setting that I am overlooking that will make it come back up no matter who sends traffic? Or, is there a way to make it stay up through inactivity?

View 4 Replies View Related

Cisco Firewall :: 5510 - VPN Tunnel Between Two Locations

May 23, 2011

Firewall ASA5510. I'm planning to get an ASA5510 for our office in order to secure our network properly, however we have quite a specific routing configuration to allow us failover to the remote location (data center) in case of any disaster with our server. I'd like to find out if I can just install the firewall between our ISP Router and the internet and allow traffic to/from the Data Centre. In this situation will I have to change the routing configuration on the Company Router or do I have to do anything with our Company Router?

View 1 Replies View Related

Cisco VPN :: ASA 5510 - Configuration To Do NAT Of Incoming Tunnel

Apr 25, 2013

I have been struggling to come up with the proper config to do a NAT of an incoming VPN tunnel to a VLAN on my network. I have an ASA 5510 with an IPSEC site-to-site tunnel to a partner network of 166.110.0.0/17. I have several VLANs on the ASA interface behind a cat4500 router (192.168.100.0/24, 172.16.4.0/24, 166.110.128.0/22 etc). The only network that the partner network sees is the 166.110.128.0/22. My problem is that I need to give them access to a node on my 192.168.100.0/24 net, but can't get the admin on the other side to add a route and adjust his tunnel.

View 4 Replies View Related

Cisco VPN :: No Traffic Over Tunnel Between ASA 5505 And 5510

Dec 5, 2010

I've an ASA 5510 on the main site and different ASA 5505s on secondary sites for VPN tunneling between the sites. The problem is that the tunnels are accomplished but no traffic is going over them. What am I doing wrong? For the moment there is an ASA 5505 on the main site managing the tunnels but I want the 5510 to take over the job.

View 5 Replies View Related

Cisco Firewall :: VPN Tunnel Between 5510 And Rv042?

Nov 27, 2012

I don't know if this is in the right section, but I cannot set up a VPN tunnel between an ASA 5510 and a Cisco RV042 router. I believe the problem is because I need to set up a nat exempt rule on the rv042 route but don't know how.

View 1 Replies View Related

Cisco Firewall :: 5510 / L2L Tunnel Keeps Dropping?

May 15, 2013

I have our main site using a Cisco 5510 running 8.4.2 code and a remote site using a Cisco 5505 running 8.4.2 code. The main site has a T1 and the remote site is using a DSL connection. About every other day I have to reset the connection at the remote site. The process that I have found that works is to remove the nat statement, clear the cry ips sa and then add back the nat statement. The connection usually comes back up in a few minutes. I am trying to see what is causing this to drop.

View 5 Replies View Related

Cisco Firewall :: ASA 5510 - Vpn Tunnel Not Working From One End

May 9, 2013

I have an ASA 5510 and I am building a site-to-site vpn tunnel, peer on the other end is a sonicwall. I can initiate the tunnel from my end, but when he tries from his end it fails on phase 2 with this error in the logs:
 
"Rejecting IPSec tunnel: no matching crypto map entry for remote proxy"
 
Obviously our crypto maps don't match; I have it restricted to specific ports on my end and he had it wide open on his end, but said he is not sure how to restrict it down to specific ports. My question is why would I be able to bring the tunnel up on my end if the crypto maps don't match and he can't bring it up?

View 5 Replies View Related

Cisco Firewall :: VPN Tunnel Not Working From One End ASA 5510

Dec 5, 2012

I have an ASA 5510 and I am building a site-to-site vpn tunnel, peer on the other end is a sonicwall. I can initiate the tunnel from my end, but when he tries from his end it fails on phase 2 with this error in the logs:
 
"Rejecting IPSec tunnel: no matching crypto map entry for remote proxy"
 
Obviously our crypto maps don't match; I have it restricted to specific ports on my end and he had it wide open on his end, but said he is not sure how to restrict it down to specific ports. My question is why would I be able to bring the tunnel up on my end if the crypto maps don't match and he can't bring it up?

View 1 Replies View Related

Cisco LAN :: Debug An Ipsec Tunnel On An ASA 5510 (8.4(3))?

Mar 5, 2012

I'm attempting to debug an ipsec tunnel on an ASA 5510 (8.4(3)) and when I turn on `debug crypto ipsec` and then execute `logging monitor` I get a constant stream of TCP debugging events. Is it possible to only view ipsec messages?

View 2 Replies View Related

Cisco VPN :: ASA 5510 / RVS 4000 - VPN Tunnel Reset

Nov 7, 2012

I have an ASA 5510 at V8.2(5) with something near 20 site to site VPN tunnels. I am having a problem with 1 tunnel to a RVS4000. The tunnel is completely closed and reset during Phase2. Here is a small snippet at the time of the tunnel reset:
 
x.x.x.x, Username = x.x.x.x, IP = x.x.x.x, Session disconnected. Session Type: IPsec, Duration: 7h:36m:30s, Bytes xmt: 333755, Bytes rcv: 86281, Reason: User Requested
Followed by Group = x.x.x.x, IP = x.x.x.x, Active unit receives a centry expired event for remote peer x.x.x.x.
 
We use a number of connection oriented sessions and this is blowing them out of the water. All other tunnels are up for DAYS to more than a Month.

View 8 Replies View Related

Cisco VPN :: 5510 - Traffic Through Tunnel Is Very Slow

Jun 8, 2011

I got a strange VPN problem, just added a new VPN tunnel to our ASA5510 and then the users report that the traffic through the tunnel is very slow. When I try it myself I get a speed like 50kb/sec to the internal server. If I use our regular tunnel or any other tunnel the speed is just fine. I've added the new tunnel in the same way as the other tunnels, that is through the ASDM VPN wizard.

View 2 Replies View Related

Cisco VPN :: Specific Tunnel-group With User On ASA 5510?

May 13, 2011

I would like to ask some questions about VPN client and SSL VPN. On my ASA 5510 I have many tunnel-groups, around 5 tunnel-groups, and I have one SSL VPN. I also have 20 users. Let me show you:
 
1- tunnel-group Staff-VPN remote-access
2- tunnel-group Manager-VPN remote-access
3- tunnel-group normalstaff-VPN remote-access
4- tunnel-group guest-VPN remote-access
5- tunnel-group other-VPN remote-access
and tunnel-group sslgroup type remote-access
 
and I have around 20 users, and I want to assign specific users to tunnel-groups like this:
 
1- tunnel-group Staff-VPN remote-access
username AAA password AAA
username AAA01 password AA01
 
2- tunnel-group Manager-VPN remote-access
username BBB password BBB
username BBB01 password BBB01
 
3- tunnel-group normalstaff-VPN remote-access
username CCC password CCC
username CCC01 password CCC01
 
5- tunnel-group other-VPN remote-access
username DDD password DDD
username DDD01  password DDD01
 
So, how can I manage tunnel-groups with users?

View 3 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved