Cisco VPN :: ASA 5500 - Remote Access VPN Intermittent Disconnect
Oct 11, 2012
I am having a peculiar issue with our ASA 5500 firewall (version 8.2(5)), where the remote access VPN has an issue: I am unable to ping the internal resource for some time; however, without any modification the problem gets resolved.
During the issue we can see Tx count 0
Username : xxxxxx Index : 3147
Assigned IP : 172.17.254.24 Public IP : 14.99.x.x
Protocol : IKE IPsec
License : IPsec
Encryption : 3DES AES128 Hashing : SHA1
Bytes Tx : 0 Bytes Rx : 8764
Group Policy : EMP-VPN Tunnel Group : EMP-VPN
Login Time : 15:07:51 IST Fri Oct 12 2012
Duration : 0h:06m:34s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none
Feb 23, 2011
Currently I am experiencing intermittent VPN remote access disconnections on the ASA 5540. What is the reason for that? How do I start proper troubleshooting?
Dec 22, 2011
I have a Dell studio 15 with Windows 7 x64 and internal Bluetooth. I am trying to install Manhattan 2800 Bluetooth bookshelf speakers. They sometimes play but disconnect intermittently. When Bluetooth disconnects I have to completely shut down and start over. (I haven't been able to fix it with just Restart.) Here is a clue: In "devices and Printers" it shows the laptop as a device: Studio 15 [properties] Selecting: [Bluetooth L2CAP Interface] -- properties/General "Device status Windows cannot verify the digital signature for the drivers required for this device. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source. (Code 52)" Selecting: [Bluetooth Hands free audio] -- properties Driver= Broadcom Corp, 7/1/2009,6.2.0.9500 Digital Signer: Microsoft Windows Hardware compatibility Publisher. The speaker documentation indicates Bluetooth v1.2, class 2 and A2DP protocol support The Bluetooth icon on the bar at the bottom of the desktop disappears when the connection breaks while looking at properties. This might be related -- I also have a Kensington Bluetooth trackball mouse that has intermittent problems with connecting at start-up. When the mouse doesn't work at start-up, I can usually make it work by removing its batteries and putting them back.
Q1 - Can my internal Bluetooth devices be updated or replaced?
Q2 - Otherwise, how would a USB based Bluetooth adapter interact with my current internal Bluetooth?
Oct 20, 2012
Is it possible to restrict the Remote Access VPN to the ASA based on the source public IP? If so, how?
Here I am not talking about the VPN-Filter under group-policy. I want to restrict the access from a specified source IP (public IP).
Oct 15, 2011
Is it possible for the WLC (5500) to block wireless users attempting to log in to the network more than 3 times? I have several devices trying to connect to the network automatically using the old password; after 3 attempts the account will lock out! I'm running PEAP MSCHAPv2 with RADIUS and Active Directory.
Sep 12, 2012
We have two ASA 5500 series Firewalls running 8.4(1). One in New York, another in Atlanta. They are configured identically for simple IPSecV1 remote access for clients. Authentication is performed by a Radius server local to each site.
There are multiple IPSec Site-to-Site tunnels on these ASAs as well, but those are not affected by the issues we're having. First, let me start with the famous last words, NOTHING WAS CHANGED.
All of a sudden, we were getting reports of remote users to the Atlanta ASA timing out when trying to bring up the tunnel. They would get prompted for their ID/Password, then nothing until it times out. Same users going to the NY ASA are fine. After extensive troubleshooting, here is what I've discovered. Remote clients will authenticate fine to the Atlanta Firewall ONLY IF THEY ARE USING A WIRED CONNECTION.
If they are using the wireless adapter for their client machine, they will get stuck trying to log in to Atlanta. These same clients will get into the New York ASA with no problems using wired or wireless connections. Windows 7 clients use the Shrewsoft VPN client and Mac clients use the Cisco VPN client. They BOTH BEHAVE the same way and fail to connect to the Atlanta ASA if they use their wireless adapter to initiate the connection.
Using myself as an example.
1. On my home Win 7 laptop using wireless, I can connect to the NY ASA with no issues.
2. The same credentials USED to work for Atlanta as well but have now stopped working. I get stuck until it times out.
3. I run a wire from my laptop to the FiOS router, then try again using the same credentials to Atlanta and I get RIGHT IN.
This makes absolutely no sense to me. Why would the far end of the cloud care if I have a wired or wireless network adapter? I should just be an IP address, right? Again, this is beyond my scope of knowledge. We've rebuilt and moved the Radius server to another host in Atlanta in our attempts to troubleshoot, to no avail. We've also rebooted the Atlanta Firewall and nothing changed.
We've tried all sorts of remote client combinations. Wireless Internet access points from different carriers (Clear, Verizon, Sprint) all exhibit the same behavior. Once I plug the laptops into a wired connection, BAM, they work connecting to Atlanta. The New York ASA is fine for wired and wireless connections. Same with some other remote office locations that we have.
Below I've detailed the syslog sequence on the Atlanta ASA for both a working wired remote connection and a failed wireless connection. At first we thought the AAA/Radius server was rejecting us, but it shows the same reject message for the working connection. Again, both Mac and Windows clients show the same sequence. Where the connection fails is the "IKE Phase 1" process.
-------------------------------------------------------------------------------------------------------------------------
WORKING CONNECTION
-------------------------------------------------------------------------------------------------------------------------
%ASA-6-713172: Automatic NAT Detection Status: Remote end is|is not behind a NAT device This end is|is not behind a NAT device
NAT-Traversal auto-detected NAT.
%ASA-6-113004: AAA user aaa_type Successful: server = server_IP_address, User = user
%ASA-6-113005: AAA user authentication Rejected: reason = string: server = server_IP_address, User = user
[code]...
Jan 7, 2013
I have an existing wireless setup of a 4400 WLC with some APs connected remotely; now I am migrating the whole setup to the new WLC 5500. All the APs have been registered to the new WLC 5500 except the remote location APs. As there was no option of giving an IP address in the GUI of the controller in the 4400 WLC, I have changed the controller name and restarted the AP, but even so it is going back to the old controller.
Aug 13, 2011
I am trying to configure a static IP on the remote client user side. I am using the following doc as an example, but I am not getting the IP which I am mentioning in the user. [url]...
Nov 11, 2012
I have intermittent internet access from a new laptop. When it works it is fast and consistent, but it seems there is a problem where I can sometimes start getting only part of an internet page, and then it stops downloading altogether. Below are ipconfig /all and ping tests and a screen shot of the device manager.
A bit of background:
1) There are 4 computers on the network, this laptop (Samsung NP530) is the only one where internet is not working.
2) It is new, has Avast installed as antivirus. Norton came with the laptop but I did not click on the button to activate it when it popped up on first opening.
3) A small strange thing: I get "SWMagent is restarting" message when I restart the computer. I don't know what this is.
[CODE]
Jul 23, 2011
Experiencing intermittent problem with access to home wifi for one PC (win 7) in the house (2 other PC's access internet OK via same wifi) Dell Studio one - details below - 50% of time will connect if we reset router or re-start PC or try again the next day.[CODE]
Apr 11, 2013
I recently moved and got a new internet provider. All the laptops connected get intermittent internet access but stay connected to the network, which has excellent signal strength. What could be causing this?
Oct 15, 2012
I have a Cisco 1242 AG wireless access point with the goal of having multiple SSIDs. I set up one network which broadcasts correctly but only sometimes can I connect to it.
And, even if I connect to the network, I cannot get a DHCP address for the client. Other devices connected (but not through this Access Point) to the associated VLAN 60 can get a DHCP address and connect just fine. Here is the configuration for the Cisco 1242 AG access point in question: [code]
Lastly, here is the information on VLAN 60 from the distribution switch. As mentioned, other devices connect to this VLAN and get IP addresses just fine.
Jun 4, 2013
I have a 5500 controller that we use to manage our lightweight access-points. We have had complaints that the 'guest' vlan in the boardroom is not usable. Our guest vlan is in fact overloaded.
I went back to the original site survey and noticed that coverage for the room is not ideal so I would like to have a new lightweight access-point installed in the boardroom and somehow limit the access to it to only a few people.
Dec 31, 2012
On the WLC 4400, the guest VLAN is configured with local authentication. The users get disconnected after 10 mins. Where should I disable the option of the 10 mins restriction?
Jun 12, 2011
I got a Cisco WAP4410N access point and it is disconnecting users after a short while. I have to connect them again manually.
Aug 18, 2011
I have a new Sony Z217GG notebook. Connecting to the WAP 4400N was very smooth, but after connecting to the WAP 4410N, the internet connection always connects and disconnects. I checked, and the notebook's wireless model is Intel 6230.
Nov 21, 2012
Region : Singapore
Model : TL-WDR4300
Hardware Version : V1
Firmware Version : 3.13.23 Build 120810 Rel.44064n
ISP : starhub
1) Always auto disconnect (limited access).
2) My smart phone Motorola MB860 (Android 4.0.4) can connect but can access internet.
3) Always connect to 2.4GHz, never see connect to 5GHz.
4) Wireless connection 15-20 Mbps max only, LAN can go up to 50 Mbps.
Mar 18, 2013
I have a 3750X set up with a number of VLANs and have connected a WLC5500 to this. I've assigned the port on the switch to the correct VLAN, given the WLC a management address on that VLAN and it has the correct gateway. I can ping to this gateway from other devices, but not from the WLC and can't ping or browse to the management address of the WLC (I can browse to it when plugged directly into the SP).
When checking the switch arp table, it shows the IP entry of the WLC as INCOMPLETE yet show cdp nei detail shows the device on the correct IP and all the device details. I have changed the port on the switch, the port on the WLC, the cable and the GBIC, cleared the arp and rebooted all devices and it hasn't made any difference. On the switch, I tried assigning the burned-in MAC to that IP statically but it didn't work - does each port have an individual MAC?
Jan 30, 2013
I have a Cisco Aironet 3502i access point which I am using with a 5500 Wireless Controller. I was configuring the AP for FlexConnect and accidentally enabled PPPoE authentication, but never configured login details for PPPoE. Now when the AP boots up it tries to use PPPoE but fails; it never even looks for an IP address. I have no way to get the AP connected to the controller again.
I tried logging into the AP via console. The AP gives me output but I never get a login, even when I hold down the Mode button during startup.
I also tried holding the Mode button and waiting for the AP to boot with its default IP (10.0.0.1) and connecting to the AP via telnet, but I was unable to connect or even ping with my PC on the same network configured as 10.0.0.2.
What can I do to set this AP back to defaults, to become a normal DHCP client, and reconnect to the wireless controller where I can reconfigure it?
Aug 8, 2012
In the ISE documentation it states that under a Guest_Activity report you must have guest access logging enabled on the NAD in the ISE network. My question is: where do I enable guest access logging in the WLC that is our NAD?
Feb 16, 2011
My web server sits behind an ASA 5500. When I access the web site from outside, it works fine. When I try to access it from the server itself, I get an "Internet Explorer cannot display the webpage" error. I can access other web sites, such as Yahoo.com, Google.com, etc. I have rules set up to restrict/enable incoming traffic, but I don't have any rules set up to "loop back".
Jun 6, 2013
I am going to deploy Cisco ISE with WLC 5500. I have two kinds of users one for which I want to deploy just open access Wi-Fi network, without working with Cisco ISE and Second group of Users for which I want to deploy Cisco ISE services like advanced authentication, posture and profiling. For both users I have just one WLC. Is there any problem to just deploy two SSID one for open access (without Cisco ISE) and second Secure with Cisco ISE ?
Mar 9, 2011
The administrator wants to manage the ASA 5500 using the inside interface (telnet or ssh). Telnet and ssh are allowed on the ASA 5500, but we are unable to get access from the administrator PC. Is there a way to do it without enabling NAT on the ASA? Will a specific rule on the ASA allow the administrator to access the ASA 5500 inside interface via ssh or telnet?
May 20, 2012
I have a new WLC 5500 series which i upgraded to a newer version. We got brand new AP's 1242 from Cisco. My ex-colleague had said that we can pre-image the AP's using the controller, so the new AP's get the image directly from the Controllers.
I have the following devices with me for this: a WLC 5500, 1242 APs (12 nos.) and a 2960 switch. I tried to create a DHCP pool in the WLC so the APs get an IP and get the image. However, I can't see the APs appearing in the wireless tab.
The WLC & AP will be connected to this same switch.
What configuration needs to be done on the WLC & the Switch so that the 1242 AP's when connected physically to the ports on the switch will get the image from the WLC.
Mar 5, 2013
I use the Service port connected to the managementVLAN to manage the WLCs. When configuring HA with AP SSO, I lost HTTPS connectivity to the WLC; telnet still works fine. I researched the deployment guide and it states:
- When AP SSO is enabled, there is no SNMP/GUI access on the service port for both the WLCs in the HA setup.
Why is remote access disabled using GUI when using HA, and how can I keep management of my WLC using HTTPS and an address in the ManagementVLAN?
Oct 20, 2010
One of my clients just acquired a Cisco ASA firewall, and they would like to restrict internet access; that is, they want to block internet for junior employees while management remains connected. Looking at the situation, the ASA serves as the gateway. I tried an access list like the one below for one PC to test if it works, but instead everyone just went off; maybe I misfired somewhere.
Access-list 110 deny tcp any host 192.168.20.100 eq www
Access-list 110 deny tcp any host 192.168.20.100 eq 443
Access-list 110 permit tcp any any eq www
Access-list 110 permit tcp any any eq 443
access-group 110 in interface inside
Nov 1, 2012
Got a bit of a quandary with joining new access points to our 5500 series WLAN Controller. It looks like the LAP is initially able to see the WLAN controller, but after that things go sideways. The LAP is pulling a valid IP address from DHCP, and the WLAN Controller is able to ping it.
In the controller's AP Join Statistics we get this:
Last AP Message Decryption Failure
Last AP Connection Failure -Timed out while waiting for ECHO repsonse from the AP
Last AP Disconnect Reason
[code]...
Jun 15, 2012
I have Cisco CAP 3602e series access points to work with a 5500 series controller with code 7.0. I did not find the VCI option 60 for this type of AP to configure DHCP. How can I let these APs join the controller? I mean, through which process (DNS discovery method), and what if I need to configure option 60 and 43 in DHCP for the AP joining process to controllers?
May 7, 2012
I have created a remote access VPN on my ASA 5505. The tunnel is established, but I am not able to access the internal network.
Aug 16, 2012
I'm currently connected to a remote access VPN setup using the VPN client and am unable to get anywhere around my network; this normally works fine. The only difference I can see is that there are multiple virtual-access interfaces pointing to my public IP address, which I'm presuming is causing routing issues. How can I clear these unused virtual access lines, and how can I make it forget them automatically after disconnects?
May 17, 2011
We have an ASA5510 and a few days ago we were unable to access some segments from remote access VPN; the problem was not the config. A few hours later the problem was resolved on its own and I suspect we have an IOS bug. This has happened a few times in the past and it's becoming an issue. How can this be confirmed and which IOS should we upgrade to? Prefer not 8.3 given the syntax difference.
Nov 1, 2011
Based on my diagram, my computer A (192.168.100.11) can ping and access my computer B (192.168.10.14). When I'm home and I use the remote access VPN (192.168.200.x) on the Cisco ASA 5520 to connect to my computer A, it is okay. But when I try to ping my computer B, it is not okay. I already did the exemption for 192.168.100.x and 192.168.10.x in the NAT rules for the inside interface (192.168.100.2) ...
Should I put routing from outside 1.1.1.2 to 192.168.10.x by using 192.168.100.1 as a gateway?