Cisco VPN :: ASA 5505 - S2S VPN Tunnel Fails After Upgrade 8.3 To 8.4
Jun 6, 2012
I upgraded an ASA 5505 from 8.3(2) to 8.4(4) this evening. The 5505 is a backup and used to perform testing prior to production changes. After the upgrade was complete, a VPN tunnel began to fail. I did a limited search online to see if this was a known issue or something new. I also reviewed the release notes but did not see anything that matched the issue I received.
My concern is that this tunnel configuration is scheduled to be deployed to the production firewalls next week after their upgrade. But if it failed on the upgraded test unit, it may fail on the production units.
I downgraded the backup unit to 8.3(1) and verified that the tunnel indeed worked at that level.
A group of Citrix Clients connect to a Citrix Metaframe Server. The port numbers involved are Citrix Metaframe (TCP/UDP 1494) and MS Terminal Server (TCP/UDP 1604).
The network is configured such that the communication between the Citrix clients and server goes through a GRE tunnel. Traceroutes from client to server, and vice versa, confirm that it passes thru the GRE tunnel. There's no ACL, firewalls or NAT devices along the IP path, in both directions.
The issue is, all Citrix clients can ping to the server but some fail to log on to the server; some have no problem. Also, other applications, e.g. PCAnywhere, can go through. If the GRE tunnel is taken away, all Citrix clients can log on to the Citrix server.
We are using a 5510 and have issues trying to use VPN with full tunnel to connect from inside the firewall to a customer site. I don't seem to have a problem when using split tunnel profiles. How would you troubleshoot this?
I have an AC 3.0 connection that works fine prior to CSD. Once I've enabled CSD I get CSD to load and then the AC tunnel fails. Ive attached the DART bundle and a few screen shots.
I'm using a RV082 with latest firmware v4.0.4.02tm in one of our branch offices. Sometimes the tunnel to the main office (IPCOP 1.4.21) fails. Both sides display the status "tunnel connected" but IP traffic doesn't go through. If i try to ping the main office using the RV082 diagnostic feature, the RV082 seems to run into a loop...the window continues refreshing without any error message and i'm not able to cancel the test. If I restart the RV082 using the web interface, the "diagnose" and VPN problem still exists, even if the web interface told me that the device did a restart.
The only solution is to to a cold restart of the RV082. After that, the VPN tunnel works again....
This problem occurred 3 times in the last 3 weeks. I never hat this problem with previous firmware versions at this ot other sites.
I try upgrade ACS 5.3.0.40 to new version 5.4.0.46. Everything looks ok:
ACS-machine/acsadmin# application upgrade ACS_5.4.0.46.tar.gz rep01 Do you want to save the current configuration ? (yes/no) [yes] ? Generating configuration. Saved the running configuration to startup successfully
% CARS Install application required post install reboot...
Broadcast message from root (pts/0) (Thu Dec 6 23:36:41 2012):
The system is going down for reboot NOW!
Application upgrade successful
But ACS machine (vmware instance) can't boot with this result: Volume group "smosvg" not found. (for details see attachment)
I am trying to upgrade ISE from 1.1.0 to 1.1.2.145 but failed. Find the details below.
DR-ise-pdp-01/admin# application upgrade ise-appbundle-1.1.2.145.i386.tar.gz ISE1 Save the current ADE-OS running configuration? (yes/no) [yes] ?
Generating configuration... Saved the ADE-OS running configuration to startup successfully Initiating Application Upgrade... Stopping ISE application before upgrade... Running ISE Database upgrade... % Application upgrade failed. check logs for more details.
I have a rv082 small business router and the current firmware will not apply. I downloaded the v4.04 firmware update and tried to apply it yet the update does not seem to work. I have downloaded it a second time and used the UPDATE FIRMWARE button to load and apply but no change.
I'm attempting to update the software on three aironet 1100 from System Software Filename:c1100-k9w7-tar.122-13.JA2 System Software Version:12.2(13)JA2 Bootloader Version:12.2(8)JA To the latest release or the 12.3x family and it fails."the software upgrade was interrupted and was not able to be completed" I also disabled the Radio braodcast?
After upgrading from a 1231 autonomous to an 1142 autonomous AP some machines can no longer authenticate. AP logs show authentication failure and access reject coming from the Radius server. Radius server shows authentication failures but no specific reason. Using the same account on another machine works fine. Machine settings have been verified and if we go back to the 1231 all users authenticate fine. Below are the configs:
OLD AP: ! version 12.3 no service pad service timestamps debug datetime msec service timestamps log datetime msec localtime show-timezone service password-encryption
Having problems losing connectivity so decided to upgrade firmware from v1.00.7 to latest version available.
Downloaded the upgrade file and log into web based administrator. Select file and click on UPGRADE button. A couple of clicks on timeline then: UGRADE FAILED
I am trying to upgrade the firmware on my Linksys v1 router from 1.0.02 to 1.0.03 over a remote 56Kb circuit. I appear to be having a timeout problem. The upgrade always fails. I have upgraded several E1200s in my office over ethernet, and the upgrade appears to finish when the progress bar is at 15%. However, on my remote upgrade, the progress bar gets to 98%, hangs for a few more seconds, and then pops up a window with "Upgrade failed".
I suspect that there is a timeout on the upgrade process, and that I can't upload the 3.8 MB firmware file fast enough. If so, is there any way to increase the upgrade timeout?
I have tried repeatedly to upgrade my firmware from 1.0.03 to 1.0.04, but it always fails with a message :cannot upgrade at this time..." I've tried both IE and FireFox, and both wired and wireless connection to my PC (Windows 7).
I'm trying to upgrade my frmware to the lastest one (classic firmware) I've downloaded this file multiple times [URL] When I try the firmware upgrade (manual upgrade) and select the file, it always complains about the file being corrupt (using the .ssa file in the zip).
I have a stack of 4 Cisco Switch 3750 (1 x WS-C3750G-24T, 2 x WS-C3750-48P and 1 x WS-C3750V2-48PS) and I want to do an firmware upgrade of this stack. Actually, all the 4 switches are at the firmware version 12.2(50) SE1 "IPBase" and I want to upgrade them to 12.2(55)SE5 IPBase. According to the release notes, all the switches in my stack are supported.
To upgrade the firmware, I use the command "archive download-sw /imageonly /overwrite tftp://IP_Address/c3750-ipbaselmk9-tar.122-55.SE5.tar" The firmware gets uploaded correctly but then I get the error message "There is insufficient space in flash: to install the required image. Clean up some old images, and try again."
When I do a "show flash", I see that the switch has 5650944 bytes free of 15998976 bytes.
How can i upgrade my switches? Is there an error in my command which I use? Do I need to add an other option?
The problem is, the switches are located in a branch office and there is no direct access to them. Everything must be done remotely.
If by mistake I have attempted to upgrade the firmware my router "WRT610N" via my wireless laptop and after 24 hours the same screen "upgrading router" continues displayed and the router does not respond, How do I fix this?
I have an ASA-5505 which I have been managing using ASDM from a PC and a Mac.I just happens that the Mac has not been used in a little while and when I tried to use ASDM on it, it fails.I've had a trawl through various posts and release notes (after updating various components in the process, incl Java with all the diabling/security updates of late) but am still having the problem and this is where I'm at:
- the ASA runs v8.4(2) and ASDM 7.1(1)52 - release notes state that ASDM 7.1 should work on Java 7 on Windows 7 and MacOS 10.7 - ASDM starts fine on my Windows 7 PC running Java 1.7.0_13 - I am also running Java 1.7.0_13 on MacOS 10.7.5 - on MacOS, ASDM starts, asks for credentials, download/refreshes the cached app... and then crashes with the following exception message:
The root cause of the issue seems to be that a Java class called apple.laf.AquaTableHeaderUI is not found..Now, I don't know much about Java, but that seems to be an Apple UI related class - I presume that it would be good to use this to give ASDM a more native look and feel, but why on earth is there no fallback? or am I missing something?
i got a person who connect with vpn on a adsl connection to the corporate network.this person is using cisco ip phone on his remote location and i did configure the ASA 5505 to priorize voice over data.i still get voice skips when the remote pc is uploading data to the corporate network...what i've done is :
1.with asdm i did create 2 priority queues one for inside (queue limit 2048 trans ring limit 512) and outside (queue limit 2048 trans limit 256)
2. with the service policy wizard i did create a global service policy (all interface) and a traffic class for dscp 46 ef and on qos tab i did check the "enable priority for this flow"...
3. When using the phone, i clearly see that packets are growing on the LLQ queue (show priority-queue statistics)
4. i still get voice skips when uploading data to the corporate network... upload bandwidth is about 800k for upload the pc and the phone is on the same subnet
I finally got the VPN tunnel between 2 asa 5505's up and running, but I have some error codes on the initiator side that I can not figure out. [code]I have looked at the Crypto transforms on both sides, and they match just fine as far has the DH ID code, Group Number and the encryption. The remote side however, does not have any of there errors.
Is this something that I have skipped over, or missed that I should be looking for? The IP address that is listed above is not in my static addresses, not sure where theose are coming from. I believe that they are outside public IP's.
We're setting up a site to site VPN with a customer. Our side is a Cisco sa520 and there side is a Checkpoint. The tunnel is up, we've verified phase 1 and 2 are good. The issue is passing traffic across the tunnel, our LAN ip address are private addresses 10.10.1.0/24 but the customer states that we need to have a public IP address for our LAN in order to access there server on there LAN. So looking through all the forums, I see that you can NAT before crossing the VPN tunnel, but our issue is that our site only has 6 IP addresses assigned to it and those are the Comcast router, the WAN side of the SA520 firewall.
So we were wondering was there a way that we can either use the WAN interface on the SA520 or use another available of the 6 that were assigned to NAT and pass traffic across the tunnel. Sounds confusing? sorry but it is, rarely do I have a customer say I have to have a public IP for my side of the LAN. Now I also say this is a SA520 firewall, but if it's not possible to do with that is there a way were could with an ASA5505?
I installed a 1941 router with an encrypted GRE tunnel yesterday. The router has ipbasek9 and securiyk9 licensed. Initially the router was running the image c1900-universalk9-mz.SPA.150-1.M5.bin and was working fine. The tunnel was up and passing traffic. I then upgraded the IOS to c1900- universal k9-mz.SPA.151-2.T2.bin and when I reloaded the router the tunnel was stuck in a reset/down state. I tried doing shut/no shut on the interface and reloading the router again, no change. Being under some time pressure to get the device back into production I rolled back to the previous IOS image and the tunnel worked fine again. Is there a known bug that causes this behavior? I have searched cisco.com but have not found one. [code]
I updated the configuration per your response below... It still doesn't work. See my new config files below.
make follow changes on host: officeasa remove this line below highlighted. crypto dynamic-map L2LMap 1 match address Crypto_L2L It is only because group1 is weak, so please change it to group2 crypto dynamic-map L2LMap 1 set pfs group1 route outside 10.10.6.0 255.255.255.0 96.xxx.xxx.117
I have an interesting SVPN challenge that I'm asking the subject experts here to assist me in solving.A customer in Domain A wants to transmit data to Domain B. The customers have agreed to establishing a secure vpn connection from Domain A to Domain B to transmit real time data. The challenge comes from sending unencrypted data from nodeA to nodeB & nodeC withing an encrypted VPN tunned to node d.The challenge is sending non-encrypted data from NodeA to NodeB where an encrypted VPN session is active. Every time I attempt to configure the interface (AppC) the VPN session is terminated, and the interface can no longer "see" nodeD via IP mapping. An engineer recommended adding a second NIC card to NodeB thereby permitting control of the AppC even when the VPN is up and running.Can I send live non-encrypted data to NodeB data buffer, while AppC sends data to NodeD in a VPN tunnel ?
Having a strange issue with RDP to a XP machine through a L2L tunnel.Tunnel is between an ASA5505 and ASA5510. Site A 5510, Site B 5505 I have a handful of Win7 and XP Dev machines running on ESXi 4.1 within Site A.Site B to Site A I can RDP to all Server 2008 and W7 machines(physical and virtual).I can also RDP to a physical XP machine.I can ping the XP VMs by name and IP successfully.I cannot RDP to the 5 XP VMs running on the ESXi 4.1 host Site A to Site B I can RDP from the XP VMs on the ESXi 4.1 host to any machine within Site B.Within Site A I can RDP to these XP VMs AnyConnect I can AnyConnect into Site A and RDP to the XP VMs I have tried to Telnet on 3389 to the XP VMs with no success.
I have set up two ASA 5505's (lets call them ASA1 and ASA2) with site to site VPN configuration and i've encountered two problems with my setup.ASA1 has IP 192.168.1.254 on the inside interface and is connects ASA2. It's also an Easy VPN Server for external users to connect through Easy VPN Client.ASA2 has IP 192.168.11.1 on the inside interface and connects to ASA1 Problem #1 None of the ASA's can ping eachothers inside LAN IP address. Computers behind the ASA's are unable to ping the remote ASA's inside IP address. My guess is that this has to do with either NAT or built in security.Problem #2. The Easy VPN clients which connects to ASA1 are unable to access the LAN behind ASA2.
I´m getting a dynamic public IP from my provider and what I´m trying to do is to establish a remote vpn tunnnel using IPSec which I achieve but every time the sessions resets or the ASA 5505 resets I get a new public IP and I need to put the new IP on the remote client so I can establish the vpn... How can I establish an ipsec vpn using DNS? For this scenario the remote vpn client is a vpn phone but it could be for any vpn client.
Private IP Public IP Private IP PBX ---- (LAN) ---- ASA 5505 ---( Internet ) --- Remote Site ( Router ) --- (LAN) -- VPN Phone
I have a site to site IPSec tunnel setup and operational but periodically the remote site goes down, because of a somewhat reliable internet connection. The only way to get the tunnel to re-establish is to go to the remote site and simply issue a ping from a workstation on the remote network. We were having this same issue with a Cisco PIX 506E but decided to upgrade the hardware and see if that resolve the issue. It ran for well over a year and our assumtions was that the issue was resolved. I was looking in the direction of the security-association lifetime but if we power cycle the unit, I would expect that it would kill the SA but even after power cycling, the VPN does not come up automatically.
I've a asa 5510 on the main site and different ASA 5505 on secundary sites for VPN tunneling between the sites. The problem is that the tunnels are acomplished but no traffic is going over them. What am i doing wrong? For the moment there is a ASA 5505 on the main site managing the tunnels but I want the 5510 to take over the job.
I configured an IPSec VPN tunnel between two ASA 5505 firewalls. I would like to make sure that the IPSec tunnel (hence the security association) is permanent and do not drop due to idle condition.
I have a ASA 5505 VPN Concentrator using ADSM 5.2 connecting to a BEFSX41 router. Its a pretty simple set up that has been working for years. However, over the past several weeks the VPN tunnel is consistently dropping every day or two, however both side are able to ping the internet at all times. My current work around is to manually log into the BEFSX41 router and re-connect the VPN tunnel, which simply connects immediately. The tunnel will stay up for about a day or two until it reliably drops the tunnel connection. Every time the tunnel drops I get an alert with an error message: [code] After doing searches about what this error means, all I can find is that its supposed to mean there is a problem with the encryption keys. I have checked the keys many times over and everything is the same. I find it odd that nothing has changed in almost 2 years.
I have 10 other VPN connections that are always up at never have any problems. I have the same make/model router connected to other offices with no problems. I have swapped the router twice, and each time I get the same symptoms.
I have two cisco ASA 5505 devices and two cisco switches plugged to ASAs in each office. I need to create a VPN tunnel between two offices.
-Network behind the ASA1 in office1 is 192.168.1.0/24 with DHCP server – 192.168.1.10
-Networks behind the ASA2 in office2 are 192.168.5.0/25; 192.168.5.128/26 and 192.168.5.192/26
All computers in office2 need to get IPs from DHCP server 192.168.1.10. I have switch in office2 with 3 VLANS and I can assign computers from different subnets to different VLANs.How can I archive this goal? Should I assign 3 IPs for ASA2 inside interface (192.168.5.1, ...5.129, ...5.193) as a default gateways for each subnet? Should I put dhcp helper address 192.168.1.10 on the switch for each VLAN?
