Cisco VPN :: ASA-5500 Fail Over Synchronization

Feb 28, 2013

My client has two ASA-5500 in failover (8.4.4.1). To create an AnyConnect VPN, the package must be uploaded on both machines - uncomfortable, but it can be accepted. The REAL problem is that the profiles (.xml files) are not synchronized. When I make a change to any of the parameters, after failover switching I lose all the changes.




Testing ADSL Synchronization Fail?

Jan 3, 2013

I have 2 routers. On one the internet works fine; on the other the internet does not work, and I see this when I start diagnostics: "Testing ADSL Synchronization---fail".


Cisco VPN :: All Remote Wireless IPSec Remote Clients Fail Connecting To ASA 5500

Sep 12, 2012

We have two ASA 5500 series firewalls running 8.4(1). One in New York, another in Atlanta. They are configured identically for simple IPsec v1 remote access for clients. Authentication is performed by a RADIUS server local to each site.
 
There are multiple IPsec site-to-site tunnels on these ASAs as well, but those are not affected by the issues we're having. First, let me start with the famous last words: NOTHING WAS CHANGED.
 
All of a sudden, we were getting reports of remote users to the Atlanta ASA timing out when trying to bring up the tunnel. They would get prompted for their ID/password, then nothing until it times out. The same users going to the NY ASA are fine. After extensive troubleshooting, here is what I've discovered. Remote clients will authenticate fine to the Atlanta firewall ONLY IF THEY ARE USING A WIRED CONNECTION.
 
If they are using the wireless adapter on their client machine, they will get stuck trying to log in to Atlanta. These same clients will get into the New York ASA with no problems using wired or wireless connections. Windows 7 clients use the Shrew Soft VPN client and Mac clients use the Cisco VPN client. They BOTH BEHAVE the same way and fail to connect to the Atlanta ASA if they use their wireless adapter to initiate the connection.
 
Using myself as an example.
 
1. On my home Win 7 laptop using wireless, I can connect to the NY ASA with no issues. 
 
2. The same credentials USED to work for Atlanta as well but have now stopped working. I get stuck until it times out.
 
3. I run a wire from my laptop to the FiOS router, then try again using the same credentials to Atlanta and I get RIGHT IN.
 
This makes absolutely no sense to me. Why would the far end of the cloud care if I have a wired or wireless network adapter? I should just be an IP address, right? Again, this is beyond my scope of knowledge. We've rebuilt and moved the RADIUS server to another host in Atlanta in our attempts to troubleshoot, to no avail. We've also rebooted the Atlanta firewall and nothing changed.
 
We've tried all sorts of remote client combinations.  Wireless Internet access points from different carriers (Clear, Verizon, Sprint) all exhibit the same behavior.  Once I plug the laptops into a wired connection, BAM, they work connecting to Atlanta.  The New York ASA is fine for wired and wireless connections.  Same with some other remote office locations that we have.
 
Below I've detailed the syslog sequence on the Atlanta ASA for both a working wired remote connection and a failed wireless connection. At first we thought the AAA/RADIUS server was rejecting us, but it shows the same reject message for the working connection. Again, both Mac and Windows clients show the same sequence. Where the connection fails is the "IKE Phase 1" process.

-------------------------------------------------------------------------------------------------------------------------
WORKING CONNECTION
-------------------------------------------------------------------------------------------------------------------------
 %ASA-6-713172: Automatic NAT Detection Status: Remote end is|is not behind a NAT device This end is|is not behind a NAT device
NAT-Traversal auto-detected NAT.
 %ASA-6-113004: AAA user aaa_type Successful: server = server_IP_address, User = user
 %ASA-6-113005: AAA user authentication Rejected: reason = string: server = server_IP_address, User = user

[code]...


Cisco WAN :: 2960 Should One Server Fail Other Will Act As Fail Over

Feb 22, 2012

We have two Cisco 2960TT-L switches. I'd like to reduce single points of failure and have dual servers for most tasks. For example, two firewall servers and two web servers. Should one server fail, the other will act as a failover. I'd like to extend the redundancy to the switches, and am thinking of connecting one web server to one switch, and one to the other. In the event a switch failed, a set of servers would still run, and be able to talk to each other. I'd like to run two VLANs, one for the LAN and one for the WAN, and connect the two VLANs on each of the switches with the associated VLAN on the other switch.


Cisco Switches :: (S)NTP Synchronization On SG300 Access?

Nov 17, 2011

In our network two Domain Controllers are configured as the central (S)NTP servers. For a switch in Layer 3 mode it is quite easy to synchronise with these (S)NTP servers. But what is actually the best approach for access switches in Layer 2 mode that are connected to the Layer 3 switch? The only IP address they have is part of the management VLAN (ID 1), which is not routable. I am actually looking for something like a broadcast without having to put an NTP server in the management VLAN.


Servers :: Time Synchronization Will Not Work

Sep 4, 2011

time.windows.com keeps showing an error code. The error code says: (An error occurred getting the status of the last synchronization.) I have even put the info in manually and the same code appears.


Cisco :: Time Synchronization Via NTP Between Catalyst 2960 And 6509?

Jul 1, 2012

I have a problem with time synchronization via NTP between a Catalyst 2960 and a Catalyst 6509. When I configure the 6509 switch as an NTP reference on the 2960, it does not synchronize with the 6509's NTP server. There is no reachability or ACL-related issue between the two switches.
 
As soon as I configure a second Catalyst 6509 (which is completely identical to the other 6509 and in the same subnet) as an NTP server for the 2960, the time sync with the second 6509 happens immediately.
 
The first 6509 switch works as an NTP reference for at least 50 other switches and routers in the network, so why not for this one more switch? I checked some "debug ntp packet" and "debug ntp events" outputs and can clearly watch the NTP requests going out of the 2960, but on the 6509 just nothing happens: no debug output for this specific 2960, while requests from other devices come in all the time.
 
Maybe you have already experienced this strange behaviour in the past or have some deeper knowledge of the Cisco NTP server implementation. I could think of some sort of "maximum client limit" in the IOS NTP server, but could not find any mechanism like this in the standard NTP specification. Perhaps you can confirm that this is an IOS-specific issue.

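To make sense of what "debug ntp packet" shows on the 2960, here is an added example (not the poster's code, and not Cisco's) that builds the 48-byte NTPv4 client request the switch sends, parses a constructed server reply, and computes the RFC 5905 clock offset. It also applies the check a client should do before trusting a reply: the origin timestamp must echo our own transmit timestamp, otherwise the packet is not an answer to our request (an off-path spoofed reply fails this). The timestamps, the stratum and the 10.0.0.1 reference id in the demo are made up.

```python
import struct

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_UNIX_DELTA = 2208988800
HEADER_FMT = "!BBBbIII" + "I" * 8  # li/vn/mode, stratum, poll, precision, root delay,
                                    # root dispersion, refid, then 4 x (seconds, fraction)


def _to_ntp(unix: float) -> tuple:
    """Split a Unix timestamp into the 32.32 fixed-point NTP (seconds, fraction) pair."""
    secs = int(unix)
    frac = int(round((unix - secs) * (1 << 32)))
    return secs + NTP_UNIX_DELTA, frac


def _to_unix(secs: int, frac: int) -> float:
    return (secs - NTP_UNIX_DELTA) + frac / (1 << 32)


def build_client_request(t1_unix: float) -> bytes:
    """48-byte NTPv4 client packet: LI=0, VN=4, mode=3, transmit timestamp = T1."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    tx_s, tx_f = _to_ntp(t1_unix)
    # Reference, origin and receive timestamps are zero in a plain client request.
    return struct.pack(HEADER_FMT, li_vn_mode, 0, 6, -20, 0, 0, 0,
                       0, 0, 0, 0, 0, 0, tx_s, tx_f)


def parse_packet(data: bytes) -> dict:
    """Decode the NTP header and the four timestamps (the fields IOS prints in the debug)."""
    if len(data) < 48:
        raise ValueError("NTP packet is shorter than 48 bytes")
    f = struct.unpack(HEADER_FMT, data[:48])
    li_vn_mode, stratum, poll, precision, _root_delay, _root_disp, refid = f[:7]
    ref_s, ref_f, org_s, org_f, rx_s, rx_f, tx_s, tx_f = f[7:]
    refid_bytes = refid.to_bytes(4, "big")
    return {
        "leap": li_vn_mode >> 6,
        "version": (li_vn_mode >> 3) & 0x7,
        "mode": li_vn_mode & 0x7,
        "stratum": stratum,
        "poll": poll,
        "precision": precision,
        # Stratum 0/1 carry a 4-char source id (e.g. "GPS"); higher strata the upstream IPv4.
        "refid": (refid_bytes.rstrip(b"\x00").decode("ascii", "replace") if stratum <= 1
                  else ".".join(str(b) for b in refid_bytes)),
        "reference": _to_unix(ref_s, ref_f),
        "origin": _to_unix(org_s, org_f),
        "receive": _to_unix(rx_s, rx_f),
        "transmit": _to_unix(tx_s, tx_f),
    }


def build_constructed_reply(request: bytes, t2_unix: float, t3_unix: float,
                            stratum: int = 2, refid_ipv4: str = "10.0.0.1") -> bytes:
    """Fabricate the server's mode-4 reply: origin ts echoes the request's transmit ts."""
    req = struct.unpack(HEADER_FMT, request[:48])
    org_s, org_f = req[13], req[14]
    rx_s, rx_f = _to_ntp(t2_unix)
    tx_s, tx_f = _to_ntp(t3_unix)
    refid = int.from_bytes(bytes(int(o) for o in refid_ipv4.split(".")), "big")
    li_vn_mode = (0 << 6) | (4 << 3) | 4
    return struct.pack(HEADER_FMT, li_vn_mode, stratum, 6, -20, 0, 0, refid,
                       rx_s, rx_f, org_s, org_f, rx_s, rx_f, tx_s, tx_f)


def clock_offset(t1: float, t2: float, t3: float, t4: float) -> float:
    """RFC 5905 offset of the server clock relative to ours: ((T2 - T1) + (T3 - T4)) / 2."""
    return ((t2 - t1) + (t3 - t4)) / 2


def measure_offset(request: bytes, reply: bytes, t4_unix: float) -> float:
    """Validate the reply against our request, then compute the offset in seconds."""
    t1 = parse_packet(request)["transmit"]
    r = parse_packet(reply)
    if r["mode"] != 4:
        raise ValueError("reply is not a server packet (mode 4)")
    if r["origin"] != t1:
        # An off-path sender does not know our transmit timestamp, so a reply that
        # does not echo it is not an answer to this request and is discarded.
        raise ValueError("origin timestamp does not echo our transmit timestamp")
    if r["stratum"] == 0:
        raise ValueError("kiss-o'-death or unsynchronised server (stratum 0)")
    return clock_offset(t1, r["receive"], r["transmit"], t4_unix)


if __name__ == "__main__":
    req = build_client_request(1000.0)                       # T1 (constructed)
    rep = build_constructed_reply(req, 1002.5, 1002.5)       # T2, T3 (constructed)
    print(parse_packet(rep))
    print("offset:", measure_offset(req, rep, 1001.0))      # T4 (constructed)
```

With the constructed timestamps T1=1000.0, T2=T3=1002.5 and T4=1001.0 the offset comes out as 2.0 s. On the real 2960, a request that leaves but draws no debug output on the first 6509 means the server side never even reached the parse step above; the reply check is what protects the client once packets do flow.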

Cisco Switching/Routing :: Nexus 5000k Synchronization

Dec 11, 2012

I have a Cisco Nexus datacenter solution with this design: every Nexus 5K is connected with every Nexus 2K with a port-channel and vPC.
 
What is the best way to keep the configurations of the Nexus switches synchronous? I have no DCNM (management tool).
 
My problem is that if I configure, for example, a Nexus 2K host port on one Nexus 5K, the change has no effect. Only when I make the same change on the second N5K does the port config really change.


How Many Synchronization Methods Utilized In Ethernet Network

Jan 24, 2011

How many synchronization methods are utilized in an Ethernet network?


Cisco Switching/Routing :: 6500 - Native IOS Image Synchronization?

Feb 15, 2012

I have a simple question: in 6500 CatOS, we had the feature of image synchronization, which added the ability to download the image from the active supervisor to the standby via the internal TFTP of CatOS. Can this be done on IOS? I was looking for this over the Internet and couldn't find anything.


Cisco Switching/Routing :: 3750 Switch NTP Time Synchronization Triggers IPS

Dec 20, 2011

I've been beating my head against the above problem for quite a while. Our client has a very strict security policy and they require all standard protocols to comply with the expected behaviour. It was discovered that their 3750 switch, running c3750-ipservicesk9-mz.122-25.SEE3 software and configured to sync its time with an external public NTP server, triggers the IPS signature "DNS Info leak". The problem is that the switch initiates the packet on UDP port 53 and not, as I would expect, on port 123 for NTP. Of course I can tune the IPS sensor and make it not fire this signature, but the client needs to know why it is happening and if it is faulty IOS software that doesn't comply with the rules.


Cisco WAN :: 891 Fail Over Configuration

Feb 2, 2012

Cisco 891 configuration details: [code] I could connect to the Gigabit Ethernet WAN based on the above configuration. When I test on FastEthernet8 for the secondary ISP connection, it will not go through to the internet.


Cisco AAA/Identity/Nac :: Fail To Backup ACS 5.1?

Nov 27, 2011

I tried to back up ACS 5.1 but I found error messages as below:
 
acs backup25Nov11 repository 25Nov11Repository
% Repository not found
% Error: Invalid repository name 25Nov11Respository

Please use a configured repository.


Cisco :: Prime 1.2 NCS Fail Webpage

Feb 19, 2013

I have just started my installation of Prime 1.2. I have the OVA loaded (NCS-APL.1.2.1.12-K9) and I went through all of the setup. I have the webpage loaded but am unable to get past the root login. I then tried to change the password using the "ncs password root password password" command but get the error message "Execution failed: Cannot find user: root". I have seen some people talking about the wrong OVA file, but that was for version 1.1, I think.


Cisco :: Prime Infrastructure CPI 1.3 Fail Over

May 6, 2013

We installed a new CPI 1.3. Both machines are in the same subnet and close to each other. Everything looks fine and is installed as we see in the config guide. When we halt the VM of the primary server, the backup takes over but with errors. I'm also not able to log in! [code] My colleagues did the same a few days ago, also with problems or similar problems, and restored the server from backup.


Cisco :: LMS 3.2 Application Registration Fail

Mar 12, 2012

I am attempting to register QPM 4.1.5 into the LMS 3.2.1 Portal, under Home Page Admin - Application Registration, but it fails. It seems to be a bug where it puts the details in the wrong place when submitting the info.
 
This is the output that it tries to submit; obviously the description, host name, port number and protocol are mixed up. "You have selected the following application to be imported from the remote server." [code]

I'm not sure where to find the Tomcat logs or how much use they would be.


Cisco Routers :: VPN Fail With RV082

Jan 14, 2013

I just set up a new Linksys/Cisco RV082 router with the intent to get VPN working from outside the building. I have gone through the setup and while everything looks good, I have not been able to connect yet. I have tried everything that I know how, and am now hoping to get the answer from some pros.
 
Here's my setup. We use Comcast Business class internet. The modem is plugged into WAN port 1 on the RV082. I'm using the router as a DHCP server, that is working fine. My local subnet is 192.168.0.0/220
 
Right now all I want is to be able to log in as a client using QuickVPN. I set up one user and a client to VPN tunnel using the router's config page. Here's the settings I have:
  
Tunnel Interface is setup on WAN1, checkbox is enabled.
 
Local Group Setup
Local Security Gateway Type: IP Only
Local Security Group Type: Subnet

[Code]....

It seems like something is blocking the connection, but seeing that I have tried this after disabling the firewall completely, it doesn't make sense to me. I also went into the config page for the modem and set up the router as a DMZ. I have also tried connecting with the client built into Windows 7, but that doesn't work either; I just get "connection failed with error 619".
  
I have the port in QuickVPN set to auto, but have tried both 443 and 60443 with same results.
  
I ran a port scan at [URL] and it shows I have 3 ports open...80,443, and 1723


Cisco :: WLC Fail-Back With 1140 APs

Mar 18, 2013

We've recently sold and implemented a wireless solution using a WLC, WCS and 1140 APs.
 
There is an HQ site where the WLC, WCS, DNS and DHCP reside. Active Directory and a RADIUS server are also located there. There is then a WAN link to remote sites which sometimes fails. At the remote sites you'll just have a router, switches and the APs. The intention is for the APs to work in lightweight mode, falling back to H-REAP when the WAN link fails. That works fine, but what doesn't work fine is the APs rejoining once the WAN link is restored.
 
They just don't. Even days later, the APs are still all disassociated from the controller despite the WAN link being up. I've 'hardcoded' the controller IP into the AP configuration, while the APs initially get the IP for the WLC from DHCP using option 43. Despite the APs therefore knowing where the WLC is, once they're disassociated from it (WAN link failed) they will not reassociate by themselves. Restarting the APs is the only way to get them to rejoin.
 
With hundreds of APs and in excess of 30 switches, restarting all the APs each time the WAN link fails is pretty ridiculous.
 
I've logged a TAC case and gone through the whole rigmarole; this is an official bug and Cisco have informed us that it's due to be fixed sometime early 2011, but besides that there is nothing they can do. So to be perfectly clear, Cisco have sold and shipped a product that doesn't work as advertised and the best they can offer us is a promise to fix it soon. I'm pretty shocked; I've never had this experience with Cisco in the past.
 
Ok, so now I've got to come up with a decent workaround until we get a firmware release where this is fixed. I'm looking at using CNA to automate the reloading of all the switches, I guess when an outage is reported I'll just write a procedure for the client to follow to reload all their APs.
 
A script that can query the associated status of APs and reload them as needed, automatically, would be pretty cool. Perhaps that can be done with SNMP.

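The poster asks whether AP association status could be polled over SNMP so that only the stuck APs get reloaded. As an added example (not the poster's code and not Cisco's), the block below implements the SNMPv2c GetRequest/GetResponse exchange such a script would sit on, in standard-library Python with no pysnmp dependency, so the BER encoding that the WLC actually receives is visible. The page does not give the WLC's AP-status OIDs, so the demo queries sysName.0 and a hypothetical enterprise OID (1.3.6.1.4.1.99999.1.2.3, chosen only to exercise multi-byte arcs); the community string "public" and the reply built by build_constructed_response are placeholders. Two caveats a practitioner should keep in mind: SNMPv2c sends the community string in cleartext and authenticates nothing, so the request-id match below is the only binding between a query and its answer (restrict SNMP with an ACL on the controller and prefer SNMPv3 authPriv), and reloading an AP needs a SET or the CLI, which this block deliberately leaves out.

```python
import socket

# ASN.1/BER tags used by SNMP: universal types, then the v2c PDU context tags.
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2
SNMP_V2C = 1  # value of the version field for SNMPv2c

def _ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(body)) + body

def _int(n: int) -> bytes:
    # Two's-complement INTEGER in the shortest encoding (0 -> 00, 200 -> 00 c8).
    return _tlv(INTEGER, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))

def _oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])  # the first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:  # base-128 with the continuation bit set on every byte but the last
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return _tlv(OID, bytes(out))

def _message(community: str, pdu_tag: int, request_id: int, varbinds: bytes) -> bytes:
    pdu = _tlv(pdu_tag, _int(request_id) + _int(0) + _int(0) + _tlv(SEQUENCE, varbinds))
    return _tlv(SEQUENCE, _int(SNMP_V2C) + _tlv(OCTET_STRING, community.encode()) + pdu)

def build_get_request(community: str, oid: str, request_id: int) -> bytes:
    """SNMPv2c GetRequest for one OID; the value slot is NULL until the agent fills it."""
    return _message(community, GET_REQUEST, request_id,
                    _tlv(SEQUENCE, _oid(oid) + _tlv(NULL, b"")))

def build_constructed_response(community: str, request_id: int, values: dict) -> bytes:
    """Encode a GetResponse as an agent would; used here only to fabricate a reply offline."""
    vbs = b""
    for oid, value in values.items():
        enc = _tlv(OCTET_STRING, value.encode()) if isinstance(value, str) else _int(value)
        vbs += _tlv(SEQUENCE, _oid(oid) + enc)
    return _message(community, GET_RESPONSE, request_id, vbs)

def _read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def _decode_value(tag: int, body: bytes):
    if tag == INTEGER:
        return int.from_bytes(body, "big", signed=True)
    if tag in (0x41, 0x42, 0x43):  # Counter32, Gauge32, TimeTicks are unsigned
        return int.from_bytes(body, "big")
    if tag == OCTET_STRING:
        return body.decode("utf-8", "replace")
    if tag == OID:
        return _decode_oid(body)
    return None if tag == NULL else body  # unknown types come back as raw bytes

def parse_get_response(msg: bytes, expected_request_id: int) -> dict:
    """Decode a GetResponse; refuse anything that is not the answer to our request-id."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    _, _version, pos = _read_tlv(body, 0)
    _, _community, pos = _read_tlv(body, pos)
    pdu_tag, pdu, _ = _read_tlv(body, pos)
    if pdu_tag != GET_RESPONSE:
        raise ValueError("not a GetResponse PDU")
    _, rid, pos = _read_tlv(pdu, 0)
    _, err, pos = _read_tlv(pdu, pos)
    _, _idx, pos = _read_tlv(pdu, pos)
    _, vbl, _ = _read_tlv(pdu, pos)
    request_id = int.from_bytes(rid, "big", signed=True)
    if request_id != expected_request_id:
        # v2c has no authentication: the request-id is the only thing tying this
        # datagram to our query, so an unmatched reply is dropped rather than trusted.
        raise ValueError("request-id mismatch: got %d, expected %d" % (request_id, expected_request_id))
    varbinds, pos = {}, 0
    while pos < len(vbl):
        _, vb, pos = _read_tlv(vbl, pos)
        _, oid_body, p = _read_tlv(vb, 0)
        vtag, vbody, _ = _read_tlv(vb, p)
        varbinds[_decode_oid(oid_body)] = _decode_value(vtag, vbody)
    return {"error_status": int.from_bytes(err, "big", signed=True), "varbinds": varbinds}

def snmp_get(host: str, community: str, oid: str, request_id: int = 1, timeout: float = 2.0) -> dict:
    """One GetRequest over UDP/161 against a live agent (needs network access; not run here)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_get_request(community, oid, request_id), (host, 161))
        data, _ = sock.recvfrom(65535)
    return parse_get_response(data, request_id)
```

For sysName.0 with community "public" and request-id 1, build_get_request produces the 40-byte datagram 30 26 02 01 01 04 06 "public" a0 19 ... 06 08 2b 06 01 02 01 01 05 00 05 00, which is what a packet capture on the controller's management interface should show. A poller that walks the AP table would loop snmp_get over the relevant column OIDs, compare the returned status per AP name, and hand the list of non-joined APs to whatever reload mechanism the site accepts.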

2 ISPs Second Is A Fail Safe

Apr 17, 2012

I am running a home configuration where there are 2 PC's each using a different ISP. If one of those ISP's goes down, I would like both PC's to switch over to the working ISP.


Why Does Tracert And Ping Fail

Feb 28, 2013

I can't tracert or ping certain websites or servers for games. Before I go on, no, I wasn't doing this because of DDoS-ing. I was doing this so that I could find an exact latency number for a gaming server. Now, to continue. What I mean is, if I try to ping this server, the session will time out no matter what the millisecond limit is (using CMD):

Ping: Pinging (IP Host Name) [IP] with 32 bytes of data
Request Timed Out
Request Timed Out
Request Timed Out
Request Timed Out

[code].....

Why does this happen? I am pretty sure this is a security tactic used to stop DDoS-ing, but why does it not matter how long I allow the tracert or ping to run? I really want to understand this so I can understand how people don't get traced as well as don't get DDoS-ed. I didn't put any of the IP's just to keep it anonymous. If you really need the host IP, I will supply it, but I will not supply the tracert IP's.


Fail To Connect With Net Through Wifi

Mar 4, 2011

fail to connect with net through wifi


Cisco :: Monitor ASA Firewall Fail Over Events?

Nov 10, 2011

How do you monitor ASA firewall fail over events?

We had a firewall failover, didn't know it, the configs were out of sync and the customer went down. We want to avoid this in the future.

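Two questions on this page come down to reading ASA syslog: the Atlanta IPsec post (Sep 12, 2012, above) that ends at "IKE Phase 1", and this one about a failover nobody noticed. The block below is an added example, not code from either poster or from Cisco, that does both jobs over the same parsed records: it reconstructs per-peer IKE progress (NAT-T detection 713172, PHASE 1 COMPLETED 713119, PHASE 2 COMPLETED 713120) so a peer that starts IKE but never logs Phase 1 completion stands out, counts the AAA 113004/113005 messages per user (the thread shows that the reject message appears even on working connections, so it cannot be the trigger on its own), and raises alerts on the failover transitions 104001/104002, the lost-mate message 105005 and failed interface tests 105009. Those message IDs are standard ASA syslog IDs; the sample log, the hostname atl-asa, the addresses and the user are constructed for the demo.

```python
import re
from collections import defaultdict

ASA_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<msg>.*)$")
PEER_RE = re.compile(r"\bIP = (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
USER_RE = re.compile(r"\b[Uu]ser = (?P<user>\S+)")

# Constructed sample: one peer that completes both IKE phases, one that gets the same
# AAA messages but never reaches PHASE 1 COMPLETED, then a failover transition.
SAMPLE_LOG = """\
Sep 12 2012 09:01:02 atl-asa %ASA-6-713172: Group = RemoteUsers, IP = 203.0.113.10, Automatic NAT Detection Status: Remote end is behind a NAT device This end is not behind a NAT device
Sep 12 2012 09:01:02 atl-asa %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : User = jdoe
Sep 12 2012 09:01:02 atl-asa %ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 10.0.0.5 : User = jdoe
Sep 12 2012 09:01:03 atl-asa %ASA-6-713119: Group = RemoteUsers, Username = jdoe, IP = 203.0.113.10, PHASE 1 COMPLETED
Sep 12 2012 09:01:03 atl-asa %ASA-6-713120: Group = RemoteUsers, Username = jdoe, IP = 203.0.113.10, PHASE 2 COMPLETED (msgid=0a1b2c3d)
Sep 12 2012 09:05:40 atl-asa %ASA-6-713172: Group = RemoteUsers, IP = 198.51.100.77, Automatic NAT Detection Status: Remote end is behind a NAT device This end is not behind a NAT device
Sep 12 2012 09:05:40 atl-asa %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : User = jdoe
Sep 12 2012 09:05:40 atl-asa %ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 10.0.0.5 : User = jdoe
Sep 12 2012 09:06:10 atl-asa %ASA-1-105005: (Primary) Lost Failover communications with mate on interface outside
Sep 12 2012 09:06:12 atl-asa %ASA-1-104001: (Primary) Switching to ACTIVE - HELLO not heard from mate
Sep 12 2012 09:06:15 atl-asa %ASA-1-105009: (Primary) Testing on interface inside Passed
"""


def parse_asa(line: str):
    """Return severity, message id and message text, or None for a non-ASA line."""
    m = ASA_RE.search(line)
    return {"sev": int(m["sev"]), "id": m["id"], "msg": m["msg"]} if m else None


def ike_attempts(lines) -> dict:
    """Per remote peer: was the far end behind NAT, and did IKE Phase 1 / Phase 2 complete."""
    peers = defaultdict(lambda: {"nat_t": False, "phase1": False, "phase2": False})
    for line in lines:
        rec = parse_asa(line)
        peer = PEER_RE.search(rec["msg"]) if rec else None
        if not peer:
            continue  # AAA and failover messages carry no peer IP
        st = peers[peer["ip"]]
        if rec["id"] == "713172":
            st["nat_t"] = "Remote end is behind a NAT device" in rec["msg"]
        elif rec["id"] == "713119":
            st["phase1"] = True
        elif rec["id"] == "713120":
            st["phase2"] = True
    return dict(peers)


def stuck_in_phase1(peers: dict) -> list:
    """Peers that produced IKE messages but never logged PHASE 1 COMPLETED."""
    return sorted(ip for ip, st in peers.items() if not st["phase1"])


def aaa_results(lines) -> dict:
    """Count 113004 (accepted) and 113005 (rejected) per user."""
    users = defaultdict(lambda: {"success": 0, "rejected": 0})
    for line in lines:
        rec = parse_asa(line)
        if not rec or rec["id"] not in ("113004", "113005"):
            continue
        user = USER_RE.search(rec["msg"])
        if user:
            users[user["user"]]["success" if rec["id"] == "113004" else "rejected"] += 1
    return dict(users)


FAILOVER_EVENTS = {
    "104001": "unit switched to ACTIVE",
    "104002": "unit switched to STANDBY",
    "105005": "lost failover communications with mate",
    "105009": "interface test failed",  # alerted only when the message says Failed
}


def failover_alerts(lines) -> list:
    """Failover state changes worth paging on; feed it the syslog of BOTH units."""
    alerts = []
    for line in lines:
        rec = parse_asa(line)
        if not rec or rec["id"] not in FAILOVER_EVENTS:
            continue
        if rec["id"] == "105009" and "Failed" not in rec["msg"]:
            continue
        alerts.append({"id": rec["id"], "event": FAILOVER_EVENTS[rec["id"]], "msg": rec["msg"]})
    return alerts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("stuck in phase 1:", stuck_in_phase1(ike_attempts(lines)))
    print("aaa:", aaa_results(lines))
    for a in failover_alerts(lines):
        print("ALERT", a["id"], a["event"], "|", a["msg"])
```

Run over the constructed sample, 198.51.100.77 is reported as stuck in Phase 1 while jdoe shows two accepts and two rejects, and the 105005 and 104001 lines become alerts while the passed interface test does not. For the "configs out of sync" part of the question the syslog feed is not enough on its own: both units must log to the collector (a standby that goes silent is itself a signal), and a scheduled `show failover` on each unit, diffed against the expected state, catches a unit that quietly fell out of sync without ever switching.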

Cisco :: WLC5500 Mobility Group Fail-over

Mar 22, 2012

I have a question. I am testing a mobility group with failover for a redundant connection between 2 Cisco 5500 WLCs. On both controllers I got mobility working, and both controllers have the same version and configuration. But when I unplug the main controller, the access points don't converge to the second one. They just keep on screaming "can't find the main controller". Also, with this, does the second WLC need to have the same interface IP address, like management?


Cisco VPN :: ASA 5505 Ipsec Vpn Connection Fail?

May 23, 2011

I am trying to configure a Cisco ASA 5505 for remote clients. I am using the ASDM interface and used the startup and IPsec wizards for my configuration but I'm hitting a stumbling block. For the last 2 days I have tried a number of configuration changes in an attempt to make this work but failed, so I have done a factory reset and gone through the wizards again, so I have a clean configuration. Currently I have a static public IP address 81.137.x.x and I am using a Netgear ADSL router, which is forwarding VPN traffic (UDP 500) to 192.168.171.35 (the WAN port on the ASA 5505). The Cisco ASA has a default address of 192.168.1.1. I am using Cisco Client 5.0.06.0160. I have configured the client to use group authentication with the same credentials as set up through the wizard and I'm using transparent tunneling IPsec over UDP. I have attached 2 documents: running_config.txt, which shows the current ASA configuration, and Log-View.txt, showing the error messages displayed in the real-time log viewer when I try to connect from the remote client. I'm not sure whether I need to do any additional configuration for my setup other than simply run the wizards.


Cisco VPN :: VPN Connections Fail When ASA 5520 Running IOS 8.41?

Sep 20, 2011

I have an ASA 5520 running user web traffic, incoming VPN and system NAT for DMZ services. Nothing new for a standard firewall. I have upgraded the memory in it to 2GB, per Cisco, so that I could install and run IOS 8.41. I have uploaded both the IOS bin image and the ASDM 645 image and set it as the primary boot file. When I reload the ASA, everything boots fine, no errors, and all traffic appears to be working fine. But here is my problem: ALL the previously configured VPN sessions will connect to the ASA and show that they are passing traffic (TX and RX increment through the monitor), but if I try to access a device on the other side of the VPN, or they try to access services in the corporate network, the connection fails. Ping works, so I know I can reach the devices and the tunnel has been correctly created, but nothing else. I did not change anything in the configurations for the VPN connections. But if I reload the ASA with the 8.21 version image, everything works just as before and all connections are good.


Cisco WAN :: 1941 Interface Ping Fail?

May 27, 2012

I have configured EIGRP routing on a Cisco 1941 ISR with two interfaces advertised. However, I cannot ping the router interface on g0/0, but I can ping the devices and computers attached to that network. When I ping from the same network I'm able to ping the interface, but not from anywhere else. I can also ping the other devices on the other network from the g0/0-attached hosts. How can I enable ping to this interface so that I can start monitoring the network?
 
Below i have attached the network configurations for the router;
 
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 xxxxxxxxxxx
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
license udi pid

[Code].....


Cisco Wireless :: 5508 / WLC Proxy ARP Fail

Jun 9, 2013

I have a lab network set up at my house with similar equipment to our office that I use for testing different features and functionality. Since I have had this installed (~2 years) I've had an intermittent but recurring problem with connectivity to various wireless devices that I have never been able to fully resolve. I have a 5508 Wireless Controller with a handful of 3502i APs spread throughout my house. The controller is connected to a 3560X switch. And I have an ASA 5510 firewall as my firewall/Internet gateway. When I work from home I most often work from a desktop computer in my office and have a Windows RDP session to a laptop located in another room in my house on one of my monitors as a working space (I know this is weird but there is a good reason). This laptop is connected via WiFi at all times. Occasionally, I will lose connectivity to this laptop (or not be able to connect back to my desktop from it) and have to start an extended ping from the laptop to the desktop to re-establish connectivity. A while ago I performed some deeper analysis on what was happening, and what I found is that when the connectivity breaks, the problem is that the desktop is unable to resolve the MAC address of the laptop. It sends out ARP requests but never receives any reply back.
 
Why would the controller stop replying to ARP requests for the IP address of the laptop? If I log into the controller while this is happening, it shows the laptop as a connected client, and has its IP address and MAC address listed fine in the clients section. In order to avoid getting up every time I need to reconnect, I normally hop to a system I control across one of my VPN tunnels via RDP, then connect BACK to the laptop and start the ping to re-establish connectivity back to my main desktop machine. This works because the firewall's ARP cache hasn't cleared yet. And then everything works fine again... unless I manually clear my ARP cache. Sometimes clearing the ARP cache will result in the exact same problem again and I will lose the connection. Other times it seems to repopulate almost immediately and the connection doesn't drop.
 
A Wireshark debug from the desktop reveals that ARP requests simply go out with no reply, confirming what is happening. As a note, I have set both the User Idle Timeout and the ARP timeout to 24 hours to try, but this has not had any effect. This problem seems to go away and then come back. In fact, I haven't been experiencing this issue for probably a couple of months recently and then it just started again in the last few days, which is why I am back to posting here. No changes to the network were made in the meantime that could account for this change in behavior. I am currently running version 7.2.111.3, but this behavior has persisted through at least four software upgrades, so I don't think it's an issue with a specific version, but I don't really know. I occasionally experience connectivity issues in my house to other devices as well that I use less often, like a printer, network camera and Apple TV, so I now feel like these issues are likely all related.


Cisco Firewall :: Fail Over Asa5510 Can Allow SSL VPN Connections

Sep 18, 2012

We have a second ASA 5510 that is supposed to be a hot standby. I need to find out whether, as a hot standby, it has to have the same licenses as the ASA that it backs up. We purchased 50 SSL VPN licenses for that unit. If it fails over, we need to make sure the failover ASA can allow SSL VPN connections.


Cisco WAN :: Fail Over Configuration On 2801 Router

Jan 27, 2013

I have to configure failover on both routers. If one fails, then the other router should dial. Physical connection:

1. Two routers (Cisco 2801) are connected to a splitter through RJ-11 ports.
2. Only one ISP link comes into the splitter.
 
Requirement: As per customer requirement, he wants redundancy within both 2 routers. If one goes down, then the other router comes up. And the same configuration on the 2801_R2 router. I am planning to do HSRP on our LAN network (2801R1, 2801R2 Ethernet interfaces which are connected to the switch). From the switch I will create two default routes with the (next hop) virtual IP address.


Cisco VPN :: 5505 How To Get Access To Internet When VPN Fail

May 13, 2012

I have configured a site-to-site IPsec VPN and it works. Our clients have access to the inside network and the Internet ("hairpinning"). How can I configure access to the Internet for remote network clients if the VPN tunnel fails? The remote devices are an ASA 5505 and a Cisco 861. When the VPN works I have access to the Internet over the central office gateway. In case the VPN fails I still need access to the Internet over the local (remote device) gateway.


Cisco :: 1310 - 802.1x Authentication Fail Through WLC But OK On Autonomous APs

Jun 5, 2013

I migrated 1310 APs from autonomous to lightweight. Migration is OK with the Cisco Upgrade Tool, and the APs are registered on my 2504 WLC.
 
Previously, an 802.1x network was broadcast by the autonomous APs; supplicants were authenticated on a FreeRADIUS server with the MSCHAPv2/PEAP method.
 
But on the WLC, supplicants can't authenticate to the RADIUS server. I configured a WLAN with WPA/TKIP/802.1x with my RADIUS server in the AAA tab. When clients try to authenticate, I get these messages, where xxx is the login:

-AAA Authentication Failure for UserName:821 User Type: WLAN USER
-AAA Authentication Failure for UserName:200 User Type: WLAN USER
-AAA Authentication Failure for UserName:209 User Type: WLAN USER
 
Security info on client page is:

Security Policy Completed: No
Policy Type: WPA
Encryption Cipher: TKIP-MIC
EAP Type: PEAP
SNMP NAC State: Access
Radius NAC State: 8021X_REQD

What is strange is that there are some clients which are OK in RUN state, and the other 50% which are not.


Cisco :: 2811 / 2801 - LMS 4.1 Topology Fail

Sep 2, 2012

I have an HQ and a Branch router:

HQ       = 2811
Branch = 2801
Connection type: Frame Relay between HQ and Branch
CDP enabled on the interface

The Branch router shows in the UNCONNECTED DEVICE VIEW of Topology.


Cisco Wireless :: AIR-LAP1262N-E-K9 Fail To Boot?

May 19, 2012

I have a 1262 LAP which fails to boot and went to rommon mode.
 
Here are the logs:
ap: boot
Loading ""...: permission denied
Error loading ""

[Code].....








Copyrights 2005-15 www.BigResource.com, All rights reserved