Cisco VPN :: 7200 Getting IPSEC Decrypted Packet Failed SA Identity

Jan 23, 2013

I've tried to configure an IPsec VPN between a Cisco 7200 and a Juniper ISG2000. The tunnel looks good, but when a ping is sent I get packet loss and the following error: IPSEC(epa_des_crypt): decrypted packet failed SA identity check. My configuration on both sides is the following: [code] What is the possible problem here? Maybe in the Cisco 7200 configuration or in the ISG configuration?

Cisco WAN :: 7200 - Egress Netflow V9 And Output Packet Marking Order

Aug 17, 2011

When using egress NetFlow (v9) and output marking.

The topology: Server <-----> R1 1>-----<1 R2 2>----<2 R3

R2 is a 7200 with c7200p-adventerprisek9-mz.124-15.T11.bin. What I'm doing:

- R2 forwards ping packets from Server to R3. When they arrive on R2, the ICMP packets are marked with CS3.

- I change the DSCP to CS4 on R2 before forwarding the packet to R3. For that I'm using an output service-policy on the R2-2 interface like this:

interface ATM2/0.36 point-to-point
ip address 192.168.1.1 255.255.255.252
ip flow ingress
ip flow egress

[Code]....

Cisco WAN :: 7200 / 2921 With VTI IPsec

May 20, 2013

We have a Cisco 7204 G1 running c7200-advipservicesk9-mz.122-33.SRE7.bin and we're having a lot of difficulties getting a VTI working to a Cisco 2921 with adv. security. I've ruled out that the 2921 is at fault by successfully establishing a VTI to another 2921 and a 7200 running a different IOS release.

We see the tunnel come up, but when I send a ping from the 2921 to the 7204 there isn't a reply. When I look at the results on the 7204 from a 'sh crypto engine connection active', I see the decrypt counters increase, but I don't see the encrypt counters increase as it's trying to reply to the ping. I'm not sure if this is because there is an issue with the encryption or whether there might be a more fundamental issue with the router not replying to the pings.

I've tried the following IOS releases (c7200-advipservicesk9-mz.122-33.SRE7 & c7200-advipservicesk9-mz.122-33.SRE6) and they all behave the same way; this makes me think it might be a config issue rather than an IOS bug, which is what I first thought.
 
sh crypto engine connections active
Crypto Engine Connections 

   ID Interface       Type  Algorithm           Encrypt  Decrypt IP Address
    1 Tu10             IPsec 3DES+SHA                 0       31 10.5.5.1
    2 Tu10             IPsec 3DES+SHA                19         0 10.5.5.1
1001 Tu10           IKE   SHA+3DES                  0        0 10.5.5.1
 
Here is a copy of my config on the 7204 - the other end (Cisco 2921) is configured in the same way.
 
crypto isakmp policy 1
encr 3des
authentication pre-share
[code].....

Cisco VPN :: 7200 - L2TP Over IPSec With Draytek

Apr 20, 2011

I have a Cisco 7200 and need to establish an L2TP over IPsec session with a Draytek Fly200. Draytek must use L2TP over IPsec to provide LAN-to-LAN connectivity. IPsec phases 1 and 2 are OK and the L2TP tunnel is also established, but on the cloned virtual-access interface the IPCP negotiation is not completed:
 
*Sep 16 09:50:36.911: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
L2X_ADJ: Vi3:midchain adj reqd for ip 0.0.0.0, cid 0
*Sep 16 09:50:38.911: Vi3 IPCP: O CONFREQ [REQsent] id 2 len 10
*Sep 16 09:50:38.911: Vi3 IPCP: Address 192.168.176.2 (0x0306C0A8B002)
*Sep 16 09:50:38.911: Vi3 IPCP: Event[Timeout+] State[REQsent to REQsent]
 
I think my VPDN configuration from Cisco side is not correct, but I cannot find configuration examples for this kind of solution.

Cisco Switching/Routing :: 7200 - QoS Input Policy Doesn't Classify ICMP Packet Based On DSCP

Dec 20, 2011

I have made some tests and I noticed that the QoS input policy does not classify ICMP packets based on their DSCP. "match dscp ef" or "match precedence 5" is not working; only "match protocol icmp" shows hits.

We need to classify the different ICMP packets based on DSCP (ToS) for measurement purposes. Cisco 7200, 12.4.25d and 12.4.20T have the same behavior.

Cisco Security :: Configuring IPSec VPN On 7200 Router

Apr 5, 2013

I am facing a problem when configuring the IPsec VPN on my 7200 router. [code]

Cisco AAA/Identity/Nac :: 7200 Default Network Access And CHAP

Feb 12, 2012

I am configuring some of my devices to use CHAP when their backup ISDN interface dials out to the 7200 concentrator node. I want the CHAP requests to hit our ACS 5.2 appliances and be authenticated via this method. I have built a rule for 'Default network access' which specifies these devices only; however, when I bring up the ISDN call the process fails. When I look at the logs it doesn't give an error reason, but it does say that it failed on one of the rules in the 'default device admin' rule set. I even went to the bother of specifying a single IP address of one of the ISDN backup devices, but the result is always the same.

Cisco VPN :: ASA5540 L2L IPSec And Packet Filtering

Mar 24, 2013

I need to set up several L2L IPsec tunnels using an ASA 5540 (8.2) as a central node and ASA 5505s (8.4) for branch offices. So far I've configured IPsec for the sake of testing between the 5540 and one of the 5505s, but it blocks ICMP between hosts behind the ASAs, although there is an echo response from the 5540's inside interface (172.30.0.1) to echo requests from a host behind the ASA 5505 and I see IPsec counters growing. I still can't figure it out despite hurting my eyes with Cisco manuals for the relevant ASA software versions.

One thing I couldn't understand in the 8.4 documentation: it says I need ACLs to allow IPsec traffic on outside if I don't NAT/PAT it. Isn't that achieved with "sysopt connection permit-vpn", or do I have to do it manually? I've actually tried adding access-groups for the "in" traffic on outside and those ACLs get hits on both ASAs.

The packet-tracer shows some weird DROP at phase 6 on the 5505, but I see no rule denying this traffic and the description doesn't mention implicit rules. [code]

Cisco WAN :: 1841 / Packet Drop In Ipsec Tunnel?

Oct 23, 2012

I have an 1841 router connected to an ISP (currently SDSL EFM 10 Mbps through an ISP modem; the router and the modem are connected with a FastEthernet interface). On another location I have a Linux server. There is an IPsec tunnel (3des-sha esp) between the router and the Linux server (actually done with a crypto map). The router has a hierarchical QoS policy on the egress interface.

When sending traffic from the network inside the router to the Linux host without the IPsec tunnel, everything is working fine and throughput is correct. When sending traffic from the inside network to the Linux host's internal IP through the IPsec tunnel, some packets are lost and the traffic throughput decreases. When sending traffic through the tunnel in the reverse direction (from the Linux host to the internal network), everything is fine.

I looked at the QoS statistics and the dropped packet counters don't increase. I looked at the egress/ingress interface statistics and no packets are dropped there. I lowered the MTU on the egress interface, but it didn't solve the problem. I played with sending various ICMP ping packet sizes, but even small packets are sometimes lost. I tried to check the router CPU, but it seems relatively fine (<= 10%). I captured the traffic on both sides, and I see the packets emitted, and then I can see that some of the ESP packets on the corresponding side are not received, so it looks like the Cisco router is the culprit.

This 1841 router is running: 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.4(24)T4. How can I troubleshoot where and why those packets are lost?

Cisco VPN :: Cannot Ping Packet Size Larger Than 9200 Over IPSec On ASR

Feb 22, 2011

I have an existing site-to-site VPN between a Cisco 2621 router (IOS 12.3) and a Cisco 1841 (IOS 12.3) and I can ping with a packet size of 17000 over the IPsec tunnel without any issue:

c2621#ping 192.168.230.254 source f0/1 repeat 20 size 17000
Type escape sequence to abort.
Sending 20, 17000-byte ICMP Echos to 192.168.230.254, timeout is 2 seconds:
Packet sent with a source address of 192.168.208.254
!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (20/20), round-trip min/avg/max = 144/146/148 ms
c2621#

I replaced the Cisco 2621 with a more powerful ASR 1002 running IOS version asr1000rp1-adventerprisek9.03.01.00.S.150-1.S.bin. However, I cannot ping with a packet size larger than 9200 over the IPsec tunnel:

Feb 24 02:42:52.362: %IOSXE-3-PLATFORM: F0: cpp_cp: QFP:00 Thread:015 TS:00000015834854465792 %IPSEC-3-PKT_TOO_BIG: IPSec Packet size 10072 larger than maximum supported size 9216 hence dropping it.
Success rate is 0 percent (0/10)
asr1002#

Why is it not working? Basically the more expensive ASR router cannot perform the same task as the old Cisco 2621 router.

Cisco VPN :: 3925e / IPsec Packet Batching - Increase Latency

Jun 14, 2011

I just installed a new ISR G2 3925e (SPE200 integrated) in a VPN environment. It works well, but I lose latency (it adds around 8-10 ms in the VPN) because of "IPsec packet batching":

Queues multiple packets at the interrupt service routine level after being processed by the crypto engine. Reduces interrupt context switching by allowing one crypto interrupt for multiple crypto packets.

It's not very good, especially if you tunnel ToIP and/or video streams. I'm trying to find a solution for how to disable it without impacting other things, or is there something planned soon to improve it? FYI, I use IOS c3900e-universalk9-mz.SPA.151-4.M.bin

Cisco VPN :: 2921 - IPSec Tunnel Random Packet Drops

Mar 15, 2013

I'm trying to troubleshoot a random packet drop issue for an IPSec tunnel between two VTIs. For over a month, we didn't see any issue, and starting today, we have up to 30% packet loss across an IPSec tunnel.
 
After some analysis, I concluded that the packet loss happens somewhere on the path from the uc520 to the 2921. Packet counts show up correctly on the uc520 physical egress interface, but the packet count is low on the ingress interface on the 2921.

Pings outside the tunnel along the same path are fine.
 
I also cleared the tunnels on both ends and after they reestablished, the issue was still present.
 
Any pointers on finding where the packets get lost?
  
rr-hq-2921#ping 10.1.13.1 source g0/1 rep 100         
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 10.1.13.1, timeout is 2 seconds:

[Code].....

Cisco VPN :: ASR901 Support IPsec - Cannot Encrypt ICMP Packet Back

Apr 25, 2013

I'm trying to set up a GDOI based IPsec connection between a Cisco ASR901 (advanced Metro lic - asr901-universalk9-mz.152-2.SNI) and a 7606-S. What I see is that the ASR901 is capable of decrypting the IPsec packet, but I cannot encrypt the ICMP packet back, so the question is if the ASR901 can support IPsec in software. This is what I could not find in the docs on CCO. [code]

Cisco AAA/Identity/Nac :: ACS 5.3 / 11014 RADIUS Packet Contains Invalid Attribute(s)?

Mar 19, 2012

How can I determine what attribute is coming up as 'invalid'? Tried full debug and looked at all the logs - nothing.

AAA/Identity/Nac :: ACS 5.3.0.40 With Blue Coat Packet Shaper Via Radius

Sep 3, 2012

We have a strange issue; it may be a known issue. We have the ACS 5.3.0.40 with a Bluecoat PacketShaper (Packeteer) as the RADIUS client and tried with PAP as well as CHAP with the suggested VSA. But once we try to authenticate with the GUI on the PS end we get authentication failed, i.e. it says invalid password, but on the ACS end we get it as an Auth success log. We are not able to log in to the PS as well. What is the issue? Is anything to be done with a patch upgrade, or is it an issue with the PacketShaper? [code]

Cisco AAA/Identity/Nac :: ACS 5.3 - Application Failed To Start

Apr 28, 2012

Although ACS states it's installed after going through the startup, when I do show application nothing comes up. When I do application start acs, I get %Application failed to start.

Cisco AAA/Identity/Nac :: ACS 5.3 Secondary Registration Failed

Jun 5, 2013

I've just had to rebuild my ACS appliance with new hard drives, but I am unable to register the devices to each other; I get a system error. I thought it may have had something to do with the rebuilt device not being joined to the domain, but it has now been joined, albeit using a different AD account, and I still cannot register to the primary.

Cisco AAA/Identity/Nac :: 802.1x Failed Authentication With WS-C3750G-24T

Mar 12, 2013

I have already set up a lab comprising 1x 2950-24 switch, 2x 3750-24T in stack mode and 2x MS Domain Controllers with AD 2008 servers and NPS enabled (domain level 2008). I use NPS as a RADIUS server. I am trying to test the 802.1x framework in two scenarios.

1. I use as client a domain laptop with Windows XP SP3 with the embedded 802.1x MS supplicant. As authenticator I use the 2950 switch and as authentication servers I use the two NPS integrated in the MS DCs. Everything is working fine as I expected with basic configuration guidelines from Cisco & Microsoft.

2. I use as client a domain laptop with Windows XP SP3 with the embedded 802.1x MS supplicant (the same as before). As authenticator I use the 3750 stack switch and as authentication servers I use the two NPS integrated in the MS DCs (the same as before). I have configured the supplicant for both machine and user authentication in both scenarios. However, the client never passes authentication in the second one. I disconnect and connect the same supplicant to the 2950 switch and the authentication completes successfully. Getting back to the 3750 stack, the authentication fails and the laptop gains network access in the configured Auth-Failed VLAN. I have tried several configuration changes without success. I cannot understand why this happens. I have made some debugs and I am sending them along with a partial basic configuration of the 3750 stack switch.

Cisco AAA/Identity/Nac :: ISE V1.1 NAD 6500 Failed To Decrypt Key

Sep 11, 2012

I've implemented 2 Cisco ISE v1.1 in HA to run MAB and 802.1x authentication/authorization, using the local ISE DB and Active Directory as an external identity source for wireless and wired users and devices. This was working fine 2 weeks ago after finishing the installation.

My NAD devices are a Core SW 6500 for wired users (there are no access SWs, just the Core for the whole network; it's a small office) and a WLC 2405 for wireless users. [code].....

Cisco AAA/Identity/Nac :: W2003 / ACS Tacacs Authentication Failed

Jun 27, 2012

We have an ACS server v4 installed on a W2003 server. When we telnet to equipment on the WAN the authentication passes on the first connection, but when we telnet to a switch on the LAN the first connection fails and we need to retry the login. When I check the failed attempt log on the ACS I don't find the failed attempt. I find this issue on ALL switches on the LAN; from the switch I can ping the ACS server. This problem appears frequently.

Cisco AAA/Identity/Nac :: ACS 5.3.0.40 On-demand Full Backup Failed

Dec 27, 2012

I have ACS 5.3.0.40 primary and secondary authenticators, of which the scheduled backup has stopped. When I checked Monitoring Configuration > System Operations > Data Management > Removal and Backup > Incremental Backup, it had changed to OFF mode without any reason. Later I did the acs stop/start "view-jobmanager" and initiated the On-demand Full Backup, but no luck; the same error was reported this time too.

Cisco AAA/Identity/Nac :: Wireless ISE - 12508 EAP-TLS Handshake Failed

Mar 21, 2013

I'm in the middle of my very first wireless ISE deployment and I'm hitting issues with EAP-TLS based authentication.  In short, all EAP-TLS authentication is failing with the following error.  Below that is the relevant excerpt from the logs:
 
Authentication failed : 12508 EAP-TLS handshake failed
 
OpenSSLErrorMessage=SSL alert: code=0x233=563 ; source=local ; type=fatal ; message="X509 decrypt error -  certificate signature failure", OpenSSLErrorStack=   597863312:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown

[Code].....

Cisco AAA/Identity/Nac :: 3395 - Getting Error - Failed To Start DB

Oct 14, 2012

While installing ISE 3395 I am getting the error "failed to start DB!"

Database is not available within timeout of 240 seconds. This could be a reason of incorrect network configuration or lack of resources on the appliance or VM; run the following CLI to re-prime database 'application reset-config ise'

Cisco AAA/Identity/Nac :: 002SWC003 - ISE Dynamic Authorization Failed

Dec 5, 2012

I am getting warning messages in ISE saying

Cause: Dynamic Authorization Failed for Device: 0002SWC003 (switch) Details: Dynamic Authorization Failed

It is not only on that switch but on all switches I have configured. I am using 3560 IPBase 12.2(55)SE6. I have configured them according to TrustSec 2.1. My end devices are non-802.1x. I can't figure out what is causing this error.

The thing is that I have not experienced any problem. In Live Authentications there are some 'Unknown' and 'Profiled' devices hitting the DenyAccess rule, but other than that everything is being authorized fine.

Cisco AAA/Identity/Nac :: ACS Version 5.2.0.26 / Failed MAB Authentication Logs

Jan 8, 2013

Having an issue where a user will plug a PC into a switch. The switch does a MAB authentication and the MAC is not located in the ACS server. It logs the failed attempt, but when the PC is removed from the switch, the failed attempts keep getting logged until the port is bounced. Any way to keep the attempts from happening after the PC is removed? If not, any way to make it stop without bouncing the port?

Running ACS version 5.2.0.26.

Switch port config:

interface GigabitEthernet1/0/2
 switchport access vlan 2
 switchport mode access
 authentication control-direction in
 authentication host-mode multi-auth
 authentication port-control auto
 mab
 spanning-tree portfast

Cisco AAA/Identity/Nac :: Radius Authentication Failed On 6509

Jan 29, 2012

I have configured RADIUS authentication on a Windows 2008 server (NPS). The following configuration is working perfectly on a Cisco Switch 3560. [code] But the same configuration is not working on a Cisco Catalyst Switch 6509 (C3560-IPBASEK9-M), Version 12.2(46)SE, RELEASE SOFTWARE (fc2).

Cisco AAA/Identity/Nac :: ACS 5.2 License File Installation Failed

Sep 19, 2011

I have ACS 5.2 installed on VMware. I purchased the license below:

Product Name        : L-CSACS-5-LRG-LIC=
Product Description : L-CSACS-5-LRG-LIC= : ACS 5 Large Deployment License (Electronic Delivery)

When I try to upgrade the license I get the error "License file installation failed : The license file must contain single base license".

Cisco AAA/Identity/Nac :: Cannot Upgrade ACS 5.2 Transfer Failed (code 1)

Nov 29, 2011

I am facing an issue with several ACS appliances (some other work well) when upgrading to version 5.2.0.26.8.
 
When I launch the command acs patch install, I receive the following error message (we use FTP):
 
Failed to copy file '5-2-0-26-8.tar.gpg' from repository PatchRepository
(Error -302)
% Error: patch install 5-2-0-26-8.tar.gpg from repository PatchRepository - transfer failed (code 1)
 
This happens on three appliances but I could successfully upgrade 4 other appliances.
 
What is the reason behind this error code? What could I do to solve it? I have already tried to create another repository on another server, without success.

AAA/Identity/Nac :: Command Authorization Failed In TACACS With ACS 4.2

Feb 2, 2012

We have a group in TACACS ACS 4.2. I configured it so it can run show commands. When logged in, it can run show commands with some parameters, like show ip interface, but it cannot run show running-config. It says "command authorization failed".

AAA/Identity/Nac :: ACS 4.2 Authenticating 4710 ACE Appliance Failed

May 5, 2011

I've got a problem with Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance.
 
ACS 4.2 has been configured to use both internal and external databases. It's been working fine for a couple of years.

Recently we bought a Cisco 4710 ACE appliance. When I use an ACS 4.2 internal username and password to log in to the Cisco 4710 ACE appliance, I have no problem. I can also see the passed authentication log on ACS 4.2. However, if I use an AD username and password, I couldn't log in. The message is "Login incorrect". I checked the failed attempts log on the ACS 4.2; there was no log regarding the failed attempt. My AD username and password work fine on all other Cisco routers and switches.

I've posted my AAA configuration of the 4710 ACE below. ACE is running on the latest version A4(1.1).

tacacs-server key 7 "xxxxxxxxxxxxx"
aaa group server tacacs+ tac_admin
  server xx.xx.xx.xx

aaa authentication login default group tac_admin local
aaa authentication login console group tac_admin local
aaa accounting default group tac_admin

Cisco AAA/Identity/Nac :: ASA 5520 Failover Exec Authorization Failed

Mar 14, 2013

I have a pair of ASA 5520 firewalls running in active/standby mode on 8.3.2.34 code. My configuration performs authentication/authorization into ACS 5.1, however command authorization is failing when I try to execute a command on the standby from the active unit...
 
failover exec standby dir disk0:/
 
Fallback authorization. Username 'adminuser' not in LOCAL database Command authorization failed
 
I don't even see the authentication attempt going into ACS.

Cisco AAA/Identity/Nac :: WLC To ACS 4400 V5 To AD - 12309 PEAP Handshake Failed

Feb 25, 2010

I have a Cisco WLC talking to an ACS 4400 version 5.1 which in turn talks to Active Directory. I've been trying to get 802.1x for wireless clients going. I have a cert on the ACS from VeriSign on the box, but when users try to sign in they get "12309 PEAP handshake failed" in the ACS RADIUS log. The cert was exported and placed directly on the testing laptop and at one point it all worked. I stepped away from it for 2 weeks to get a new internal CA built on a Windows box; now coming back to it with the intent of issuing new certs to the ACS from the internal CA, I thought I would check it to make sure all was good, but it's not. Google doesn't return happy results for "12309 PEAP handshake failed". I opened a TAC case on it and they took my cert to their lab. Haven't heard back.

Cisco AAA/Identity/Nac :: ACS 5.2 Failed Authenticate With Same Voice And Data Vlan

Apr 14, 2011

I have a question: is it possible to authenticate a Cisco phone and a PC with the same VLAN (voice and data)? When I do this configuration, the phone and PC don't work. The phone displays "registering" and never finishes.

interface FastEthernet0/5
 switchport mode access
 switchport voice vlan 1
 authentication event fail action authorize vlan 11
 authentication event no-response action authorize vlan 11
 authentication host-mode multi-domain
 authentication port-control auto
 authentication periodic
 authentication violation protect
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x max-reauth-req 3
 spanning-tree portfast
end

Copyrights 2005-15 www.BigResource.com, All rights reserved