Cisco VPN :: 5520 - Primary And Secondary ASAs / L2L Tunnels Not Responding?
Apr 12, 2011
I have a pair of ASA5520s in active/active failover - this works fine. Both primary and secondary ASAs are running 8.2(2) code.I have a 30-day temp 50 seat SSL license that I applied to the primary. I then started having problems with L2L tunnels.
I noted that if the 'show crypto isakmp sa' state for an L2L was MM_STANDBY, then the remote protected net could not reach my side. However, I could ping across to the other side at which time the state changed to MM_ACTIVE as I would expect and the remote could then reach my side.
I believe this results from the differences between the two licenses. When I applied the 50 seat SSL lic. it disabled failover, but I was willing to risk that for a few days to do show my customer the benifits of SSL connectivity. Note license differences. Is this causing the MM_STANDBY IKE issue and if so can I overcome it and use the 50 SSL VPN Peers lic.
[code]...
View 3 Replies
ADVERTISEMENT
Jun 22, 2011
How can you figure out your primary and secondary DNS? I have a linksys router, and i'm trying to figure out what my primary and secondary DNS are so i can hook up my PS3 online.
View 1 Replies
View Related
Apr 25, 2011
I have been having problems when trying to host servers on games, etc.I have 2 routers. A modem router, which is a Thomson router. That is the main one. It has a wire connecting from it, to a D-Link router that is near my Computer, and my brother's one. Then that D-Link router has 2 wires from each port, to mine, and my brother's computer.So, I am trying to host games.I didn't connect to the Thomson one, which is also wireless. I am connected to the wired one (D-Link). When I try to host while connected to it, my brother, and other people can't find the server. My brother and me can find it on LAN, but not Internet.But when I disconnect from the Wired, and connect to the Thomson wireless one, and then when I host, I can find it on INTERNET. Even my brother can. He can connect to it perfectly.
I do not want to connect to the wireless, because then it will cause lag spikes every 5 minutes.So, when I disconnect from the wireless, and connect to the wire, I went into the CMD, and typed in ipconfig. I found out that the Default Gteway is the D-Link IP.When I connect to the wireless, and disconnect the wired, I went into CMD, and then the Default Gateway is the Thomson one, which is the main router.So what I want to do, is use the D-Link router, and that router will have the same IP as my thomson one, so that I can host perfectly with no lag spikes, and using a wired connection.
View 19 Replies
View Related
Jan 22, 2012
I have a question about the number of Cisco licenses needed in two cases for ACS 5.3 Virtual Machine.One primary + One secondary : Just one license for all or one license for the primary + another one for the secondary ?One primary + several secondaries : Just one license for all or one license for the primary + just one license for all the secondaries ?
View 1 Replies
View Related
Jun 16, 2011
it is possible de use two servers ACS 5.2 (primary and secondary) in active/ active? or just in active/ passive?
View 3 Replies
View Related
Jun 11, 2012
Today I ran a failover test between our primary and secondary ACS systems (ran 'acs stop' on the primary) and in the process decided to promote the secondary while I had the primary down. All was fine until I brought the primary back up and tried to re-register the secondary to it. I get the following error message: I went into System Administration >Operations >Distributed System Management on each and it showed the other device as deregestered, tried to promote from there but it failed too, so I deleted them and tried to register the secondary again. After that didn't work I tried rebooting both but that didn't work either. I know the user/pass I'm using is good and I've tried using both the IP address and the hostname.
ACS/admin# sh app version acs
Cisco ACS VERSION INFORMATION-----------------------------Version : 5.3.0.40.5Internal Build ID : B.839Patches :5-3-0-40-5
View 3 Replies
View Related
Jun 19, 2012
We are trying to configure vrf aware GET VPN with COOP having primary and secondary key servers and also 3 GM routers. All GM routers we use are Cisco 888 and Key servers we use cisco 2911 routers. All GMs crypto maps have been applied into Vlan interface as there's no L3 interface on 888 routers.
Always members can form a tunnel with primary KS, we have configured redundancy with secondary key server and listed on each GM primary and secondary KS on GDOI group.
The issue we facing is that whenever we shutdown the primary or secondary servers the tunnel is not forming with available KS unless otherwise we mannually clear the crypto session. In another way when primary KS down it doest not fall back to secondary KS and no GM get registered. We have already played with all the timers such as DPD, SA lifetimes, GDOI rekey lifetime etc and also exchanging the keys (import/export) with KS and COOPs but there's no luck. We could see the following message was seen on both KS.
[code] 192.168.1.3 is the primary KS and 192.168.1.6 is the secondary KS.I captured attached debug output from 1 GM and secondary KS while I shutdonw the primary KS and also attached is our senario we were trying get work.
Also attached is the show output from both KSs when it form a tunnel with GM.
View 2 Replies
View Related
Feb 22, 2013
I have more than 5000 sq. ft home and have some dead places other end of the house. Now I am looking for Range Extender/Repeater to boost signal. My primary wireless router is Motorola Surfboard SBG6580 and Secondary Linksys E3000 (planning to update firmware to DD-WRT). So I wanted something such that I can roam between the two routers without switching SSID (use single SSID name for primary and secondary DD-WRT routers) and connect automatically to whichever the best signal (or) strength router. In work place we have same thing like that single wireless SSID name which automatically connect wireless SSID from one end to another end of the building.
View 1 Replies
View Related
Dec 5, 2011
We have 2 ASA 5505s in a data center at a remote site.
Whilst troubleshooting another issue I noticed the below. I don't know much about fail over but this would suggest that the secondary ASA is active and the primary ASA is on standby.
if the primary is "active" then how come the secondary is the active ASA? I would have thought that once the primary ASA became active this would assume the "main" role".
[Code] .....
View 7 Replies
View Related
May 15, 2013
Management purchased a HA package from Cisco consisting of 2 5508's with pre installed 500 users license on the Primary WLC and none on the secondary WLC. We have 5508's already so I am familiar with setting them up and so forth. What I am not familiar with is setting them up using HA for failover and license sharing. I've looked and looked and can't find documentation online showing how to set this up. I have found some but nothing that is complete. I have spent 2 days spinning my wheels.
View 2 Replies
View Related
Apr 21, 2013
I have a couple of ACS 5.2 configured as active and backup and I am doing dot 1x authentication using these servers . I have configured the switch with the bellow configuration.
radius-server host 10.0.10.15 auth-port 1645 acct-port 1646
radius-server host 10.0.10.16 auth-port 1645 acct-port 1646
radius-server key 7 aaaaaaaaaaaaaa
please help to understand what will happen in switch
1) in case of primary failure
2)in case if primary returns alive .
View 8 Replies
View Related
Aug 9, 2011
IP address of Primary had to be changed, to respond to a hardware failure of TACACS server with IP in many device configs.
Now the Secondary fails to respond to repeated "Deregister from Primary" requests, even after reload - apparently because it cannot reach the Primary at its old IP address.
Requesting Deregister in GUI generates pop-up that says, "This operation will deregister this ACS Instance from the Primary Instance. Management applications on this ACS instance will be restarted and you will be required to login again. After performing this operation
[code]....
View 1 Replies
View Related
Nov 2, 2011
Cisco ACS 5.2 secondary server is configured as a log collector for both primary and secondary server .Now i am facing problem in log collection from primary server .ACS secondary server is not collecting any logs from primary .
View 2 Replies
View Related
Aug 25, 2011
I am currently having some problems on our 5520 ASAs. The problem is the IPSec VPN clients not being able to connect. We have had an issue twice this week where this happened. Earlier in the week we had folks not able to sign in, but some folks who were connected already stayed connected. The ASAs had been up for 200+ days and no changes have been made to it recently. At that point I had to reload the ASAs so users could start signing back in to it. Today we had a similar issue, but I didn’t have to reload the ASAs. The issue‘resolved’ itself. The VPN clients are getting Error code: 433 and the ASAs are getting Reason: Peer Address Changed when this occurs.
ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz version 8.3.2.
View 5 Replies
View Related
May 11, 2012
I have recently configured secondary ip address on LAN Interface of Cisco C6509.. We have some application which needs to use broadcast traffic communication to communicate with client... Broadcast is working within subnet & also working from broadcast server to primary subnet. But not working from secondary subnet.. I have checked broadcast within secondary IP range & it's working fine... Secondary not working broadcast with primary and also with broadcast server... broadcast address is different for these subnet but both should be communicate since configured on same interface... When I went through Cisco website found that command "ip directed broadcast" which will pass broadcast to different subnet... But I'm not sure whether any other impact if I enable that command on particular Ethernet interface...
View 6 Replies
View Related
Aug 25, 2011
Cisco ASA 5505 Security Plus 1 link with PPOE dialup for internet access
desirable situation: Primary link with a PPOE dialup Secondary Link with DHCP address Asignment
Problem: i want to configure Dual ISP Failover modus, but the problem exist when i configure the ip sla syntax it looks good in the running config. but after a reload the secondary line becomes primary
It looks like the ppoe client authentication is busy when the ip sla tracking mechanism becomes active. can i tweak the settings that the ip sla tracking mechanism starts later?
What i the correct config for Dual ISP setup with primary PPOE and secondary DHCP
View 1 Replies
View Related
Jun 19, 2012
I got an internet from provider (which is LAN cable sticking from the wall) - and it works fine when I connect via LAN cable - when I write the IP Address, Subnet Mask, Default Gateway, and DNS servers on the LAN adapter and create a PPPoE connection with username and password. I want to do the same but wirelessly. I have an ASUS RT-N10 LX wi-fi router - and connected the cable from the provider to the WAN slot on the router. Then I have accessed the router from my laptop [URL] - and configured everything as it was on my laptop.
IP Adddress: 192.168.17.191
Submask: 255.255.252.0
Default Gateway: 192.168.16.1
DNS1: 192.168.1.250
DNS1: 192.168.1.10
Wireless network works fine, the default gateway is pinging - but DNS servers are not accessible. As a result no internet connection available ( Moreover - when I want to ping the DNS (ping 192.168.1.250) - I tries to get a response from other location 192.168.1.3
View 9 Replies
View Related
Jan 7, 2013
We an 887m router in our office with an unmanaged switch. We have two networks, 192.168.0.x and 192.168.11.x connected to router on the same interface (192.168.11.253 is a secondary ip) but I can seem to be able to route packets from one network to the other. Internet traffic is fine from both networks. I can't see what I'm doing wrong here. I can ping the 192.168.11.253 (router) from the 192.168.0 network but nothing beyond that.
I tried this at home with no other config and its the same. Is this by design?
View 4 Replies
View Related
Dec 27, 2012
We have a customer who has a network consisting of two ISPs, one as a primary and the other as a backup. We are trying to create a configuration that would allow the primary link to fail and the secondary link to automatically pick up traffic and begin routing .how to set something like this up. Both routers are non Cisco routers and there for HSRP is out.
View 14 Replies
View Related
Jun 20, 2012
I am trying to setup a VPN tunnel between a PIX and an ASA. I went through the IPSec Site to site wizzard using the same settings but I cannot ping hosts from either side.
Here is the setup
ASA 5520
Device Manager 6.4(5)106
Software version 8.0(5)
Inside network 10.0.0.0/24
Inside IP 10.0.0.1
[code]....
View 3 Replies
View Related
Sep 27, 2011
We have 2 Cisco ASA 5520 configured as Active/Standby with public IPs 68.171.xxx.xx6 and 68.171.xxx.xx7 respectively.We have 3 different vendors who are trying to access our Data Center. Do I have to have 3 different public IPs for these 3 different vendors? Or, just share the public IPs assigned to our 'Outside' interface?
View 3 Replies
View Related
Dec 18, 2011
We have an ASA 5520 in production with a brand new internet feed we've just finished installing. We connect to our corporate office via a VPLS. In our corporate office we have a Cisco 1841 (I think that was the year it's made! ) with an ADSL feed with a static IP address plugged in directly.
We have a user VPN that we integrate with our user directory on the router, which connects via the ADSL. The users get an IP addres at the tail end of the 172.31.14.0/24 range, which is the same as one of our corporate subnets (we just reserver a few address, we don't have many VPN users).
Both the ASA and the router connect to each other (via the VPLS) on the internal subnet 10.255.255.0/24.
-The ASA is 10.255.255.1
-The router is 10.255.255.100
Currently the default route for the corporate office goes out the Dialer interface for the ADSL, which means that's where our internet goes out there (all proxying aside, we'll leave that out of this one). ip route 0.0.0.0 0.0.0.0 Dialer1
We'd like to change that default route to go via the VPLS to the ASA, and then out to the internet using the new feed. All the ACLs and rules are in place at both ends for this to work. If I change the default route on the router to: ip route 0.0.0.0 0.0.0.0 10.255.255.1Then it works as expected.
The problem is that then the user VPN breaks. I had hoped I wouldn't have to do any configuration on this but it looks to be so. I'm guessing that the VPN packets are coming in via the ADSL and back out via the new internet. It would be simple if the remote client had a static IP address as I could put in a static route for each user, but it's always going to be dynamic.
What do I need to put in place to get this working? I thought maybe I could leave the default route via the ADSL and put in a next hop rule to go via the VPLS for the specific subnets that need the new internet, i.e. have a subnet specific default gateway, is this possible? (I gave it a go but it didn't seem to work, I think I didn't implement it properly though as it still went via the ADSL, maybe because there is a nat route-map as well?).
View 3 Replies
View Related
Oct 8, 2011
My question is very simple is there any way or feature that could allow us to have a backup VPN tunnel on at the secondary ISP at the asa 5520? Lets assume if the primary isp goes down is there any way for the VPN tunnel come online at the backup isp ? [code]
View 2 Replies
View Related
Nov 24, 2012
We already have a subnet defined to inside interface and is in produciton. the default gateway is this interface ip. In that setup now I have to add one more subnet and as the first subnet is been defined in ASA indside interface, I have to assign secondary Ip to the inside interface so that new subnet users can easily reach here and go outside.
View 1 Replies
View Related
Nov 8, 2012
I have a working DMVPN solution. I am trying to stand up a secondary DMVPN hub at our disaster recovery site. We are trying to deply to a Dual HUB SIngle DMVPN solution. The HUB2 DMVPN router has an INSIDE trusted interface and has an OUTSIDE UNTRUSTED interface.
The inside is 10.248.11.X...the Untrust/public is 192.168.93.11 which is connected to our DMZ 3 on the ASA 5520.....then I am trying to NAT the 192.168.93.11 to an outside public IP 199.248.30.X....just not working...have had 2 tickets open with Cisco this week and they still are unable to resolve. I am sure it is the ASA5520 is not configured correctly.
View 1 Replies
View Related
Apr 10, 2012
i just received a RMA for failed ASA 5520 that was acting as secondary unit in multicontext configuration. What would be correct procedure to install it back in production? Do i need to restore backed up config of the fallen unit or is it just enough to enable multimode and connect to existing (primary) unit? Any good link for documentation that deal with this issues.
View 5 Replies
View Related
Feb 24, 2013
I am trying to establish routing between two Site to Site vpn tunnels, both of which are terminating on the same outside interface of my Cisco ASA.
find attached Network Diagram for the same. All Firewalls used are Cisco ASA 5520.
Both VPN tunnels between Point A and Point B, Point B and Point C too are up. I have enabled Same security level intra interface permit command also.
How do i enable traffic originating from LAN Subnets behind Point A to reach LAN Subnets behind Point C without having to create a Seperate tunnel between Point A and Point C
View 5 Replies
View Related
Feb 8, 2011
I've deployed L2L VPN between ASA's dynamic to static in a hub and spoke format.Everything works great if you are on a spoke ASA and you need to go to the hub but you can not go from the hub to spoke.
I'm using ASA code version 8.4(1) ... Below is what I have so far...
HUB
crypto ipsec ikev1 transform-set ts-dyna esp-aes-256 esp-sha-hmac crypto dynamic-map dm-dyna 65000 set ikev1 transform-set ts-dynacrypto dynamic-map dm-dyna 65000 set reverse-routecrypto map cr-vpn 65000 ipsec-isakmp dynamic dm-dynacrypto map cr-vpn interface outside
crypto ikev1 policy 10 authentication pre-share encryption aes hash sha group 2 lifetime 86400
tunnel-group DefaultL2LGroup ipsec-attributes ikev1 pre-shared-key *****
[code].....
Is there any way to apply a crypto map on the Hub side to encrypt the traffic to the spokes?
View 4 Replies
View Related
Oct 18, 2012
I've two sites, the branch with an ASA 5505 and on the corporate office i've an ASA 5510.I need to make a easy vpn tunnel between this to sites and I've made some configuration, but for now, the ikev1 isn't working.
View 1 Replies
View Related
Feb 17, 2013
I'm looking for automating a couple failover scenarios. Both VPN redundancy and black hole internet traffic redundancy.I currently use the more reliable T1 connection for the VPN connection and the DSL for internet traffic.My current configuration is working but requires a manual update to get the VPN or black hole back up and operational when either link fails.
[code]....
View 7 Replies
View Related
Dec 4, 2012
I am having a hard time getting tunnel fail over working. My setup is illustrated below:
I derive my default route on the border routers. The 6513 peers with the 7206's using BGP to get the default route from each ISP into the core. On the core I use BGP weighting to get my primary default to point to ISP1. So far so good. When I look at my core I see to defaults with ISP1 preferred.
Each ASA has an IP Sec tunnel to the head end site configured (Not shown). The head end site has a crypto map entry with ISP1 and ISP2 defined (in that order) using the "set peer" command.
Fail over works great if an ISP drops the connection or my 7206 or ASA fails, but... While testing fail over I had an issue where both tunnels would be active and there were issues with traffic between sites. I could not determine the root cause. I can only guess that some traffic was going out one tunnel and when trying to come back across the other tunnel was dropped from the firewall because there was no connection built for it. After reading I found that in order to use multiple peers in the "set peer" statement, I needed to configure my head end as "originate-only". I have not done this yet as I have concerns. If the head end site is "originate-only" and the tunnel, for whatever reason drops, I cannot wait for interesting traffic at the head end site bound for this site to bring up the tunnel as most of the traffic originates at this site.
I have been reading about IKE keep alives and DPD but that doesn't sound like it will re-initiate the tunnel. Is this correct? If so I'm looking for a way to make this work.
View 10 Replies
View Related
Feb 9, 2012
We have to make disaster recovery site EasyVPN tunnels on Cisco 5505 ASA firewalls. Now there is only one main site and 3 remote sites.For DR we have to use the same subnet as it is on the main site because the Vmware virtual machines will be replicated to DR.For DR we are using Double Take software.What is the best solution for this? I think that we could use Destination NAT on ASAs. The other sites (HQ and remote) will se only the NAT address of theDR and not the real one which is the same as on the main site.We are using IPSec VPN? In packet-tracer on ASA I see that the packet is first NATed and then encrypted, so it should work, yes?
View 2 Replies
View Related
Jan 16, 2013
I just learned that the licensing structure for the ASAs is changing, but I don't have any details. We have roughly 30 ASAs (from 5505s to 5585s). If there's a licensing change, I need to do an impact assessment and plan accordingly.
View 5 Replies
View Related
