Cisco VPN :: 876 Phase 2 SA Policy Not Acceptable
Oct 16, 2012
I want to set up a VPN tunnel from a Cisco VPN Client on the internet over a fritzbox to the Cisco 876 (Version 15.1(4)M3) so that the VPN tunnel terminates at the Cisco 876. For that reason I used the command "crypto map mymap" on the int fastethernet 1. When I try to connect, the VPN Client opens the window for username and password but then ends with the message "not connected". When I do "debug crypto isakmp" the Cisco 876 shows the message: "phase 2 SA policy not acceptable!". [code]
View 3 Replies
May 7, 2013
On our public wi-fi network we have an acceptable use policy page that users must accept in order to access the internet. However I would like to exclude a few devices from having to do this. We have a couple of Kindle devices from a vendor that they configured to automatically connect to the internet for updates twice a day. But they cannot accept the policy so they are blocked.
View 3 Replies
Jan 18, 2012
We have a 7206VXR with an NPE-G1 processor. We're running the standard stuff on it, but here are the highlights. We just enabled netflow on it to send the data to an external source for analysis and the overall CPU level increased, but not significantly. About what should we expect for the overall CPU level? At this point, it's averaging close to 40% during peak hours.
View 4 Replies
Apr 16, 2012
I took a SANS 401 class a few years back, and I remember them showing us how you could break PING (buffer overflow? memory stack?) by pinging things you wouldn't normally. This was on WinXP. I can't duplicate this on Win7, and have forgotten what exactly it was we typed in... I think it was some ALT-code characters, or a tick, 0x33 or something... I realize PING can take octal, decimal, and hexadecimal values?
View 5 Replies
Feb 19, 2012
I find myself having to venture out into the realm of wireless (I'm more of a UC/DC engineer...) and I've got a problem I'm trying to track down. Installed two WLC 5508s, WCS, 3502i APs (123 of them...) in a 4-floor high school. What I'm finding is lousy throughput from a lab of PCs with little USB b/g/n adapters. I took my Macbook in and ran iStumbler to get an idea of the SNR but honestly, I'm not sure what I'm looking for.
For the particular room/SSID/band that I was looking at, I found that in the 2.4 range, I was getting 53% signal strength and about 16% noise. Is that a good level? In WCS, I can see close to a dozen APs in relation to the AP in question, so I'm wondering if the SNR is too high.
View 15 Replies
May 1, 2013
What would be an acceptable number of wireless connections to a WRVS4400N router? I'm working in the IT department for a new company, and one of the offices complains that using VoIP and doing large file transfers are constantly a problem. They are all connecting wirelessly to the WRVS4400N. I managed to VPN in and connect to the web interface of the router, and it shows that there are 30 devices connected wirelessly to it. However, when people plug into the wall jack, VoIP and data seem to work fine. I can't find any info on what a best practice would be for number of wireless connections to the router. There are no VLANs set up on it from what I can tell, so that may be my next step, to separate data and voice traffic.
View 2 Replies
Jun 17, 2012
I have client devices constantly sending data (~ 13 kb per second) to a server through a Cisco AP1241AG (802.11g). I use Iperf to test throughput, but I am having a difficult time determining what an acceptable throughput rate would be. I know in "theory" the best throughput rate I could get is 54 Mbps, but since my client devices only send 13 kbps, is 1 Mbps more than enough? Or is 13 kbps the low limit for my throughput test?
View 1 Replies
Jun 5, 2012
I want to know what the minimum acceptable size of the preamble in an Ethernet frame is. If it is less than 7 bytes before the SFD begins, will the packet drop?
View 1 Replies
Apr 24, 2013
I am troubleshooting memory leaks and buffer issues on my 1900 and had some doubts regarding the problems that my router causes. Intermittently during the day, for no reason, the gig0/0 interface connected to the ISP stops responding from our management network (the log shows that the interface goes down). The ISP's modem responds fine from my management network. The issue goes away by itself in 20 minutes, sometimes more, or after a hard reboot. Sometimes a router would increment a throttle value to 1. When running for 4 days without a reboot, the router raised 39 throttles and 57 input drops. [code] The router is running Version 15.1(2)T4 and I was not able to find any caveats on the Cisco web page (although I haven't used the bug finder tool). Is the only leak I found a reason to start worrying, or can I disregard it and continue basic troubleshooting (change cable and plug my ISP to another port)?
View 3 Replies
Mar 12, 2013
Will the 3945 router work on 208 V single phase (line to line)? I know it mentions 100-240 VAC, but would the line-to-line issue cause a problem?
View 1 Replies
Jul 24, 2011
How to do the above thing.
View 3 Replies
Apr 25, 2013
I have a site to site ipsec tunnel setup between an ASA5510 and a 2951 Router. The ASA 5510 is on a 10.x subnet with a few vlans behind it. There are also 7 other ASA5505 that connect to this box with ipsec.
The 2951 is on a 10.x subnet with multiple vlans behind it (10.x and 192.x subnets).
When I had ACL to allow traffic from 10.20.0.0 (ASA) to 192.168.111.0 (2951 - voice vlan) the connection comes online and is stable.
The minute I add any of the following, the connection drops off with Phase 2 errors: 10.20.0.0 to 10.1.200.0; 10.20.1.0 to 10.1.1.0
I can add a second 10.20.0.0 to 192.168.10.0 with no problem at all. The issue only seems to occur when attempting to add traffic from 10 to 10 on the tunnel.
View 2 Replies
Feb 27, 2011
I have a little problem with an Easy VPN, this is the topology:
-One router 2811: This is the Easy-client (which has an IP address by DHCP)
-One ASA 5540: This is the Easy-server
View 11 Replies
Feb 25, 2013
Configuration is simple: on one side an ASA 5580 with software asa844-5-smp-k8.bin, on the other side an ASA 5520 with asa845-k8.bin. Between them an IPsec LAN-to-LAN tunnel is built. Usually it works fine, but at random times I get an error in the logs, something like this on the ASA 5520: %ASA-5-713904: Group = x.x.x.200, IP = x.x.x.200, Phase 2 rekey collision, found centry 0x6cec9d28 or on the ASA 5580: %ASA-5-713904: Group = x.x.x.234, IP = x.x.x.234, Phase 2 rekey collision, found centry 0x00007ffe782dfa60 The main problem is that if this error occurs on the 5520, everything continues to work (only this message appears in the log).
If this problem occurs on the 5580, the tunnel stops working. One thing that works is to drop the crypto SA (clear crypto ikev1 sa x.x.x.234); after that the tunnel reinitializes and everything starts to work again. As far as I know, this problem was on the 5520 up to version 8.4.2 and was solved in 8.4.3. But, as you see, in the version for the 5580 (-smp) this bug is still present in newer versions.
View 2 Replies
Apr 22, 2012
I am trying to set up a site to site VPN tunnel using GRE over IPSEC. Below is the configuration from both routers and debug output. I'm scratching my head on this one. I'm using two Cisco 7600 routers with SSC-400 SPA modules and 720 Supervisors. The IOS on R1 is 12.2 SXI2 and R2 has 12.2 SXI3.
View 1 Replies
Aug 5, 2012
I am configuring VPN on an 831 router using a dynamic-map configuration. I can connect to the network and I can see phase 1 and 2 complete from the debugs; however, from what I can tell I can only ping across the VPN. I can't connect to any web services or RDP to any hosts on the local network. Here is a copy of my config.
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
[code]....
View 6 Replies
Aug 6, 2011
Just set up a site to site VPN between 2 ASA 5520 Firewalls in two locations but the VPN doesn't work even though I see phase 2 completed in the logs. I can't ping across the LANs.
View 2 Replies
Dec 11, 2012
I am migrating an IPsec site to site VPN config to a new ASR1001 router «facing» a Linux box (ipsec-tools + racoon). As the Debian Linux does not offer VTI, I am using a crypto map.
The working config is given below with the corresponding logs on the Linux side.
When I try to apply this previously working config to the ASR1001, I get the following error:
000855: *Dec 12 18:28:21.859 UTC: %ACE-3-TRANSERR: IOSXE-ESP(14): IKEA trans 0x1350; opcode 0x60; param 0x2EE; error 0x5; retry cnt 0
Dec 12 18:50:19 FAKE-AUCH-GW racoon: INFO: initiate new phase 1 negotiation: 194.214.196.2[500]<=>130.120.124.8[500]
Dec 12 18:50:19 FAKE-AUCH-GW racoon: INFO: begin Identity Protection mode.
Dec 12 18:50:19 FAKE-AUCH-GW racoon: INFO: received Vendor ID: CISCO-UNITY
Dec 12 18:50:19 FAKE-AUCH-GW racoon: INFO: received Vendor ID: DPD
Dec 12 18:50:19 FAKE-AUCH-GW racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt(code)
View 8 Replies
Dec 12, 2010
I tried to configure an L2TP connection on ASA5505. Phase 1 and Phase 2 are completed but Windows Client doesn't work. [code]
View 4 Replies
Feb 8, 2012
Got a classical remote access VPN with Cisco VPN Client and ASA-5520. Some weeks ago I noticed in my ASA logs this severity 5 message: Group = xyz, Username = abc, IP = 84.n.n.n, Duplicate Phase 2 packet detected. No last packet to retransmit. This message comes with every connect, but then the connection works fine.
Remark: See ASA ASDM:
- 1. Duplicated Phase II (!!)
- 2. Phase I
- 3. Phase II
View 4 Replies
Nov 4, 2012
I need to check and possibly change which Network address is allowed down a tunnel and check our Phase 2 IPSEC proposal. How would I do this on a VPN3000?
View 3 Replies
Jul 26, 2010
We just purchased a Nexus 7010 switch and we are at a standstill with our COLO trying to figure out what power source should be provided. APC recommends a 50amp 3-phase vertical cabinet PDU (AP7867). What type of power source/breakers will be sufficient in handling the Nexus 7k /w (3) power supplies? Does the COLO need to provide single phase or 3 phase power receptacles?
View 7 Replies
Nov 29, 2011
We're evaluating the Cisco SM 4.2. After adding my ASA 5520, the policies are discovered from the device except the RA VPN policies. I tried to trigger the discovery process manually and I got this error message: Please verify the device "IP address", "hostname", "domain name" and "port number" are correct, there is network connectivity between the CS Manager server and the device, and the device is configured to accept https connections, the device is running, and then retry this operation. This I don't understand, because the other policies were retrieved just fine.
View 0 Replies
Dec 19, 2010
I have the following policy map on my 6509:
policy-map Customer
class QoS-voice
shape average 2000000
class class-default
fair-queue
When I apply it to an interface (int vlan1005)- I get:
Router (config-if)#service-policy output Customer
shape average command is not supported for this interface
Configuration failed!
This also happens with priority, bandwidth, etc. How can I configure QoS on this 6509 then?
View 4 Replies
Aug 30, 2011
Sample config for ASA 8.4 L2L VPN using Policy NAT? We could have multiple VPN tunnels terminated on the central ASA and our customer's LAN subnets could be interfering. Basically I need to build something like this [URL] but the problem is that I have ASAs running 8.4.
View 2 Replies
Apr 5, 2012
I tried to configure policy-map under Cisco Catalyst WS-C3560V2-24TS(c3560-ipservicesk9-mz.122-50.SE5.bin).
View 4 Replies
Dec 14, 2011
I set up a full mesh LAN-to-LAN VPN for a client with 4 sites. Each site has an ASA 5505 running 8.2(5). Site-to-site VoIP traffic runs in the VPN tunnels, as well as traffic to/from a file-server located at the main site. There are two back-up servers, one at the main site and one at a remote site. The main site has 2 bonded T1s and the other three sites have a single T1. How should I go about setting up my QoS?
My top requirement is that VoIP traffic will never be pushed out of the way for data traffic. My secondary consideration is to give more preference to file-server traffic than to web traffic and to make back-up traffic the least important. I'm currently researching to see if the VoIP provider is DSCP marking EF on the VoIP traffic, but I am going to assume they are for now. I know the IP of the file-server and back-up servers.
View 3 Replies
Jul 6, 2011
I am doing a policy NAT in the following scenario.
access-list policy_nat extended permit ip host 10.0.0.1 host 192.168.1.1
static (inside,outempresa) 170.66.53.1 access-list policy_nat
I understand that when host A 10.0.0.1 wants to connect to host B 192.168.1.1 it's going to be translated to 170.66.53.1, and when host 192.168.1.1 wants to connect to 10.0.0.1 the same entry will change the destination, when the packet hits the ASA, from 170.66.53.1 to 10.0.0.1. Is that correct?
View 2 Replies
Feb 1, 2012
Why doesn't my 857 adv security have the class-map and policy-map commands? Now I want to use traffic shaping on this, but when I use the command class-map it doesn't have it. [code]
View 3 Replies
Feb 27, 2011
How can I configure policy-based NAT to allow ICMP-only traffic on asaos 8.4.1 or 8.3? On 8.3 it was very simple: global (outside) 1 interface, access-list outside_nat_outbound extended permit icmp any any, nat (outside) 1 access-list outside_nat_outbound.
View 10 Replies
May 26, 2013
I have an L2L tunnel I need to convert from 8.2 to 8.6 and need to understand the static policy NAT conversion. I have single hosts that require a 1-1 NAT to addresses given to me by the vendor that reside on my firewall. Other works I have /24s that I static NAT my inside host to so that the vendor can access the host for support. Example: server 10.11.103.44 (real server on my inside network)
5.5.98.0/24-Defined for local traffic via L2Ltunnel
object-group network Carebridge_Local
description Mckesson Local network list
network-object 5.5.98.0 255.255.255.0
[code]......
How would I accomplish the same in Ver. 8.6?
View 1 Replies
Jun 24, 2012
How to migrate the following VPN (site-to-site) config from ASA 8.2 to ASA v8.3, ASA 8.2
View 4 Replies
Aug 22, 2011
I have a weird issue with a QOS policy that I have implemented. Details are below.
This is basically the policy I have created. It is running on a Cisco 877 router (running Advance IP Services 12.4). The internet connection is an Internode ADSL service.
class-map match-any VOIP
match access-group name VOICE-OUT
!
!
[Code]....
View 14 Replies