Cisco VPN :: ASA 5500 IP Sec Connection Profile - Multiple Dhcp-server?
Jun 10, 2013
We assign the tunnel address in our IPSec VPN from our centralized DHCP server pools. In the profile we have two servers' IPs configured. In a test (Wireshark) we noticed that the discover always goes to the first configured IP.
I do not understand this and could not find hints on how the function works:
- backup server with a timeout when no answer comes from the primary?
- should the ASA do a simultaneous discover to all configured IPs?
=> Problem is that although the first server did not answer in a timely manner, we noticed no discover to the second.
Here is the partial CLI config:
tunnel-group AZInt07 type remote-access
tunnel-group AZInt07 general-attributes
authentication-server-group ActivPack
default-group-policy AZInt
dhcp-server 10.x.x.y
dhcp-server 10.x.y.y
[code].....
Feb 20, 2013
2 days ago, my laptop was connected to my router and working fine. But then it randomly disconnected and I haven't been able to connect back since. I am using an ethernet cable to access the internet, and have tried many ways to resolve the issue but nothing is working.
I have a Dell L501x (Win 7 64-bit) with the Intel Centrino 1000 BGN wifi card. I have restarted the router and modem, disconnected all devices and tried reconnecting, but to no avail. I have tried updating the drivers, system restoring and using safe mode (with networking) but nothing works. The modem and router are working fine as other devices connect and access the internet; it is just my laptop that cannot.
I am sure it is not a hardware issue as the card detects all the surrounding networks. The troubleshooter only says "An administrator profile failed to obtain an IP address from the DHCP server."
Jan 26, 2013
How do I configure a DHCP server if I have 2 VLANs? I know how to configure the rest of the network, I just don't know the server. I use Packet Tracer and I attached a file with my network. PC1 is on VLAN1 and PC2 is on VLAN2. I want IP addresses in VLAN1 to be from 192.168.1.2 and in VLAN2 from 192.168.2.2. I would like to do it just like in the designed network, without a router.
Jan 31, 2011
DHCP is assigning multiple leases per machine. The server itself grabs about 10 IPs with Unique ID "RAS".
May 30, 2011
I have a Cisco ASA 5500 as the main router with a DIR-655 as a wireless access point behind it. DHCP is turned off on the 655 as the ASA is providing DHCP. This worked great for about a year and now suddenly, without any changes, I'm having problems. The only thing that connects without a problem is a laptop, which shows up on the device list with an IP. Other devices have problems. iPhones connect, show an IP on the device itself, but when listed in the connected list on the 655 show no IP. The connection is super slow. An Airport Express will connect, but again, shows no IP in the connected list on the 655. Using the ethernet cable from the Airport Express, nothing can get an IP. I can live with the iPhone not connecting, but the Airport Express not connecting is a major problem. Any reason why this would just stop working one day?
Sep 18, 2012
My question is whether I can configure 3 SSIDs for 3 different VLANs and add the DHCP addresses from a WAP4410N AP. If I upgrade to the latest version of IOS, can I have this functionality?
Mar 9, 2010
Is it possible to have multiple dhcp pools for multiple VLANs? The switch is a 6509 and/or 4506 catalyst. I don't want to use server-based products.
Jun 5, 2011
We have a WLC 5500 appliance, but I have a problem: the APs have an administrative IP in a different segment; only when connected to the WLC do the APs have the same segment as the management interface, and the 5500 doesn't have an AP-manager interface. How do I configure the WLC to connect to and administer all APs with IPs in different segments?
Product Version: 6.0.182.0
Chassis: AIR-CT5508-K9
Feb 21, 2011
The public IP address of my 2800 router where all VPN clients terminate will change shortly. Is there some technique to auto-change the clients' profile so the clients connect to the new IP address? I have seen that the VPN 3000 concentrator is able to do this, but I can't get one of those right now.
Dec 2, 2012
Cisco Adaptive Security Appliance Software Version 8.4(4)1
Device Manager Version 7.0(2)
Hardware: ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
#show webvpn anyconnect
1.disk0:/anyconnect-win-3.1.00495-k9.pkg 1 dyn-regex=/Windows NT/
CISCO STC win2k+
3,1,00495
Hostscan Version 3.1.00495
Profile in attached file. After this profile is uploaded to the client, Optimal Gateway Selection doesn't work properly: when 'vpn1.mydomain.com/mygroup' (the best-TTL server) is unreachable, OGS tries to connect to other servers, but without the group-url, for example 'vpn2.mydomain.com' (instead of 'vpn2.mydomain.com/mygroup').
Jan 1, 2013
I have two WAP321s in my office. The network they are on is a single VLAN (172.16.10.x). Both WAPs are set up with the same SSID, and I have set up Single Point Setup.
I am having a problem that was happening before I set up Single Point Setup, and it is still happening. Basically wireless will be up and running fine for part of the day. Then people throughout the office will begin to lose their connections to the DHCP server. They still retain the connection to the WAP, but can no longer access the network.
The only way I have been able to fix this issue is to reboot the WAP. As soon as it reboots the connections come back. At first I thought it was due to the number of connections (which is why we now have 2 WAPs), however we only have about 20-25 concurrent connections.
I put in the second WAP to try to balance out the load but this does not seem to be working. Is there a setting I need to change on the WAPs to balance out the load?
Jan 17, 2012
I have two Nexus 5520 running 5.0(3)N1(1c).
I have both boxes heading off to ACS for TACACS login authentication and for command authorization. When I first set things up everything works fine. I have a shell profile configured in ACS with Cisco-av-pair*shell:roles="network-admin" to set the network-admin role. I even have command sets configured to deny the use of configure terminal as I am using switch configuration profiles. Everything runs fine. User logins are authenticated by ACS and users have the correct command set applied to them.
The problem comes when I make a change to a shell profile in ACS. Even something as simple as changing the name of a shell profile causes the 5520s to crash as soon as I try to log on. If I unplug the management link so that the TACACS server is unavailable I can log on fine with the local admin user.
The Nexus console reports this error (amongst many others):
EDNAM-NEXUS-2 %$ VDC-1 %$ %SYSMGR-2-SERVICE_CRASHED: Service "Tacacs Daemon" (PID 4331) hasn't caught signal 11 (core will be saved).
A show system reset-reason shows:
EDNAM-NEXUS-2# sh system reset-reason
----- reset reason for Supervisor-module 1 (from Supervisor in slot 1) ---
1) At 389 usecs after Wed Jan 18 12:32:49 2012
Reason: Reset triggered due to HA policy of Reset
Service: Tacacs Daemon hap reset
Version: 5.0(3)N1(1c)
Could this be a bug with Nexus/ACS?
Dec 15, 2011
I have an ASA 5500 series and am looking to set up the AnyConnect VPN. Looking at this guide everything seems fairly straightforward. However, on the inside private network DHCP is set up and I was wondering if it is possible to just use DHCP instead of providing a static address pool? I did not see any option to do this.
Oct 2, 2012
Is there a way to configure a DHCP server for my internal subnet of 192.168.20.1, which is on a 3550 layer 3 switch, from my 5505 ASA firewall? My subnet of 10.1.1.0/30 is connecting my 5505 to the 3550. All I'm trying to do is run a DHCP server down to my hosts. The only option on the ASA 5505 is
dhcpd address 192.168.20.1 - 192.168.20.254 outside or inside, which conflicts with my subnet of 10.1.1.0 used to connect my internal subnet of 192.168.20.1 for the whole network.
When I used my router it did not need the (inside, outside) keywords, just an ip helper-address command. How do I configure my firewall's DHCP server to propagate the 192.168.20.0 network through my 10.1.1.0 connection?
Jun 6, 2011
I have a problem with one of our IPSec site-to-site VPNs.
- We use an ASA5540 and the remote site uses a software-based FW (Steelgate Borderware).
- There are some old ACLs on our FW that have the remote site's IP address as an incoming node having TCP.... access to some servers on our LAN (why didn't they use static/dynamic NAT for clients of both ends to have a TCP connection???).
- When I try to set up the VPN, the name entry of the remote site (which is optional) changes with the IP address of the peer in the VPN profile and it confuses the VPN, so IKE phase 1 won't establish. The name entry exists because of those ACLs that were entered in the past.
Q: How do I stop the ASA creating names via ASDM when adding ACLs?
Imagine the other site's network people are the most inflexible IT guys when it comes to making any changes in terms of using static or dynamic NAT for their clients to have access to ours, so I can replace their FW IP address in the ACL with other NAT addresses.
Mar 7, 2011
Editing the name of a VPN connection profile and its policy: I created the profile through the IPsec VPN wizard, and the profile automatically got the name DefaultRAGroup and its group policy also got the name DefaultRAGroup. In the edit window I can't change the name. How can I rename them?
Feb 16, 2011
Started this morning: woke up, checked my phone, no wifi, hmm weird. Checked my HP TouchSmart: connected but no internet access. Checked my router (Netgear Wireless N 300), made sure my modem and all wires are connected. Next went to my router IP 192.168.1.1; after reading some forums I thought maybe if I changed the IP or something it would have worked, I know, dumb though. Anyway I believe I disabled my DHCP, and changed one of the IP addresses on the same page to 192.168.1.3; that's when it got worse. I tried ipconfig /release, which says "No operation can be performed on bluetooth network connection 2 while it has its media disconnected. No operation can be performed on local area connection while it has its media disconnected" (it's a wireless connection from my TouchSmart to my router). I have tried going back to the router's page but I can no longer find it. I have also tried ipconfig /renew but I get this: "No operation can be performed on bluetooth network connection 2 while it has its media disconnected. An error occurred while renewing interface wireless network connection: unable to contact your DHCP server. Request has timed out. No operation can be performed on local area connection while it has its media disconnected."
Sep 30, 2011
Can the DHCP server on an ASA be configured with static bindings like IOS routers can?
Jul 2, 2012
While configuring a 5500 wireless controller, I came across this option of DHCP proxy under the Advanced tab of the controller options. It asks for the DHCP option 82 remote ID format and the DHCP timeout.
1. What is the significance of this and when do we use it?
2. Also, under each WLAN SSID that we create, there is an option "DHCP address required" under the Advanced tab. Do we need to use this option if we are defining a normal DHCP pool in our controller for that SSID?
Apr 30, 2013
How can we clear the username in the AnyConnect connection profile on a user's laptop? Currently it defaults to the last username used but our security group would like that cleared so that the field comes up blank every time. This feature was available in the old Cisco 3030s but I can't find it in the ASA.
Mar 8, 2013
I've configured 4 connection profiles (IT, HR, Admon, VIP) on the ASA and everything works well, but our boss wants to know if it's possible to assign the right connection profile without using the group drop-down list. What he wants is to use a unique connection profile (non-default) and, via RADIUS attributes using ACS 5.X, assign the right profile.
Jul 5, 2011
I have a pair of ASA 5550s running Anyconnect Essentials, with multiple connection profiles configured. I would like the login page to the portal to default to our main corporate profile (so the users get NAM and all the policy goodness), but presently it is defaulting to the last profile I created. Is there any way to modify the default connection profile in the drop down list so it always defaults to my preferred profile? It seems like I saw this sometime in the past.
Jul 11, 2012
I have a big problem with my Cisco 1841 and the WIC-1AM-V2 in slot 0. I got the task to test whether it is possible to build up a connection (Dial on Demand Routing) to a remote modem, which is connected to the console port of another Cisco 1841, with the integrated modem card over POTS from the CLI of the router. My router will only dial out to the remote modems and only if it's needed. I am connected to the router with the integrated modem card over a console cable on the console port. The remote modem is also connected to the console port of the remote Cisco 1841.
I found out that with my dialer profile configuration it is possible to build up a connection. I configured a dialer list that specifies that all IP traffic is permitted and interesting for my dialer interface. So a telnet or ping brings up my dialer, which brings up my Async interface. With the "show line" command, I can see that the TTY line connected with the Async0/0/0 interface is in use for 5 minutes, because of the "exec-timeout 5 0" which is configured on the remote router. Now the problem is, in these 5 minutes I can not use a remote telnet on this line with my loopback interface, because the line is already in use and I get a "connection refused". The first telnet I use runs into a timeout, because the remote host is not responding. When I dial out directly from the modem card with the AT commands and not from the CLI, I also get the connection and with a return I get the login prompt. I will post my actual config, so that you can see maybe a mistake I made or which command I must use to get a working connection. [code]
Oct 30, 2012
With our WLC 5500 controller, once the clients get the DHCP address the page is not redirecting them to the guest portal. What is the best way to check why the redirection is failing?
Feb 27, 2013
Region : Italy
Model : TD-W8970
Hardware Version : V1
Firmware Version : 0.6.0 1.2 v000c.0 Build 130201 Rel.54921n
ISP : wind infostrada
TD-W8970 Wireless connection problems
Region : Italy
Model : TD-W8968
Hardware Version : V1
Firmware Version : 0.6.0 1.2 v000c.0 Build 130201 Rel.54921n
ISP : Wind Infostrada
That's a wonderful router on paper! Really, it has some problems with the wireless connection and the DHCP server. After 2 days I am forced to reset the router because it refuses any wireless connection, while internet browsing on the other PC connected via ethernet RJ45 is very slow. To complete the scenario, the router doesn't allow any access to its console page... so what's the problem?
I tried changing the channel for the wireless without any positive result. I bought it on Amazon but if this situation continues without any solution from TP-Link I will be forced to send it back with a totally negative feedback on the product.
Nov 19, 2012
We are retiring our current RADIUS server. It is a Windows 2003 IAS server (also a DC) that we use for 802.1X authentication. We are moving to Server 2008 R2. I have already installed NPS and Network Authentication services on the server.
On the existing IAS server I exported the settings (using iasmigreader.exe) and was able to import the profiles (I see the 5500 as a RADIUS client etc.). Our 5500 is still pointing to the old server.
Is it as simple as changing the IP of the RADIUS server to point to the new server? It looks like I actually have to add the new server and create a new pre-shared key on the NPS server, but I only find documents on adding a new 5500 (vs. flipping it to a new NPS server).
Jul 23, 2012
Can I put multiple rservers in multiple server farms?
So for example rserver1 and rserver2 are put in serverfarm production1 and are in use with particular sticky and load balancing settings.
Can I then create serverfarm test_production and put both rserver1 and rserver2 in it? Then play around with the sticky and load balancing settings as a test without affecting the production serverfarm.
Mar 11, 2003
I need to make one Catalyst 5500 a TFTP server. Can I do it? Is the Catalyst able to be a TFTP server?
Aug 27, 2011
I have two 5500 controllers and one WCS server. Now I will have to move the WCS server to another subnet and change the IP, but it will keep the name. Will that affect the connection between the controllers and the WCS? Do I have to change anything in the configuration on the controllers or the WCS server?
Feb 16, 2011
My web server sits behind an ASA 5500. When I access the web site from outside, it works fine. When I try and access it from the server itself, I get an "Internet Explorer cannot display the webpage" error. I can access other web sites, such as Yahoo.com, Google.com, etc. I have rules set up to restrict/enable incoming traffic, but I don't have any rules set up to "loop back".
Oct 26, 2011
We use multiple ASA 5500/5580 cluster systems running 8.3 software versions. Currently we send all our FW syslog data to a SIEM appliance in a DMZ on a remote firewall (non-ASA). Recently we suffered a strange incident while implementing a new SIEM collection station now situated in a DMZ that is located on one of the ASA contexts. We redirected the syslog streams to the new client for one of the contexts on the ASA cluster that holds the new SIEM agent DMZ. Since we did this and redirected the syslog we see double traffic and spoofing errors on that context:
a/ the ASA keeps sending out the syslog traffic to the OLD SIEM agent server IP (there is however no trace of its IP in the config)
b/ the traffic leaving the interconnection interface towards the OLD SIEM agent gets a SPOOFING error
c/ strangely the data also gets correctly forwarded to the new SIEM collection stations.
We started out with redirecting traffic on only one of the 5 contexts to the new environment and kept logging the others to the old system. I finally got out of the issue by reconfiguring all the other contexts to forward their syslog towards the same new server; since that moment we no longer have the double logging and spoofing error, and all syslog traffic goes correctly to the new SIEM agent. It looked like some remnants of the old syslog config remained on the ASA even after deleting and introducing a new config line (we used the ASDM to execute the action). As said, either it kept the old config or it looked in the other context and "decided" to keep sending to the old server also mentioned in that syslog config. I can't find the behaviour in any bug lists either way.
Aug 11, 2011
I'm looking for a way to do static URL blocking with the ASA and, when the URL is blocked, present a "web page" to the user saying that it's been blocked.
So, I was wondering if I can use the http parameter "spoof server string" to replace the original URL sent by the user with another URL that points to an internal web server holding a basic page saying "Your URL request has been blocked".
The point is to have a way to tell users that the page they are trying to browse is blocked by a policy.
Sep 29, 2011
I am facing the same problem now but am using Windows 2003 Server.