Cisco VPN :: ASA 5510 - Client Connections Getting Dropped
Mar 30, 2011
I have some remote locations that connect to my ASA 5510 cluster (Aktive/Passive) using the Cisco VPN Client, from which the connection gets disconnected at random intervals (could be 5 minutes, but sometimes after 15 minutes). However, some other remote locations do not have this problem. All locations have the same VPN client configuration (distrubited by pcf file).
I already disabled isakmp keepalive on the ASA but this did not work. If I read it correctly, the Cisco vpn client logging shows that the ASA initiates the ending of the connection.
Code...
View 2 Replies
ADVERTISEMENT
Dec 5, 2012
Our Cisco ASA 5510 running 8.4(4)1 just started dropping packets and our AnyConnect clients are seeing horrible performance. The system is extremely slow compared to just a couple days ago.Nothing has changed on the system. I can post the configs if needed.
firewall# sho int
Interface Ethernet0/0 "outside", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Full-Duplex(Full-duplex), 1000 Mbps(1000 Mbps)
Input flow control is unsupported, output flow control is off
Description: == WAN Interface ==
[code]....
I have done a "sho vpn-sessiondb detail svc" and I can see the dropped packets of the individual users, but cannot see why the packets are still dropping.how I can correct this and restore speeds?
View 1 Replies
View Related
Jun 29, 2011
I have an issue witch Cisco VPN-Client V 5.0.06.0160 Remote VPV-Access to ASA 5510 8.2(3)
Evrything works fien but sometimes after about 4-5 Hours the Connection is dropped by the ASA. The Client still prtends to be connected, but there is no connection seen on teh ASA.
View 7 Replies
View Related
Aug 22, 2012
I have cisco WS-C2960S-48FPS-L stacked. Weekly twice, my PoE connections are dropped and when the device is restarted, everything starts working normal. This issue happens weekly once or twice. [code] I can see that there is a bug id : CSCtg86211 and no work around for it. Any updates received from Cisco TAC ?
View 7 Replies
View Related
Mar 5, 2011
My DIR-655 drops WiFi connections every few days. All wired connections are fine. Rebooting the router fixes the problem at that time. Cable modem works perfectly fine. [code]
I'm sure I'm missing some devices, but that should give you the general mix of wired/wireless devices that I use. I'm single with visits from my son every other weekend, so network traffic is not that high at my house. I've had this router for a couple years now and didn't use to have this problem. I've been updating the firmware, and I suspect this problem happened after on one those updates. I just don't know which one. Also, I didn't use to have any neighbors with Wireless Routers (that I could detect), but recently there have been 2 who have gotten them. I was hoping this was a problem that D-Link was aware of, but that does not seem to be the case. I would hate to have to go out and buy a new router (not D-Link).
View 14 Replies
View Related
Oct 11, 2011
I am using Windows 7 Home premium SP1 (x86). I can connect fine and after a (seemingly random) amount of time the connection will drop (at least according to windows). I can also easily reconnect without a problem, but it will not pick back up the connection automatically, which is a problem because I use programs that need to access the internet and Often leave large files to download while I'm sleeping or not home. So If I'm not sitting at my computer to manually reconnect, then whatever i'm trying to accomplish doesn't get done.I'm using the ALFA AWUS036H USB wifi adapter. I had previously been running windows XP and this same thing would happen (though, much less often) but when it happened in XP it would automatically reconnect in a few seconds. I downloaded the drivers from ALFA's website incase the ones on disk were not up to date, and I tried both of them (they have a "normal" and "power control driver" option) and the problem remains. Also, I've never used an external wifi adapter before so I'm not sure if its supposed to work this way, but there are 2 "signal strength meters" in the system tray the standard windows one that you can click on and see available networks or go to windows "network and sharing center" and then there is the ALFA one that you can click on and it takes you to the ALFA wireless LAN utility, where you can also get a list of available networks.According to windows there is a problem with the connection, however according to the ALFA wireless LAN utility, the connection is fine (green bars means good connection, red bars means no connection)When clicking on the Windows "signal strength indicator" in the system tray, it shows 1 of 2 different problems (notice the differences that I've highlighted with red boxes). No matter which one happens I can NOT access the internet. Despite the "problems" shown above, the ALFA wireless LAN utility shows that its still connected (while windows is showing a connection problem)To reconnect I switch to the "profile" tab (which is just a list of neworks that i've previously connected to) and double click on the network. In this case it will be Enotria Public.... the same one that (according to the ALFA wireless LAN utility) I'm already connected too After clicking on the network, the ALFA wireless LAN utility "signal indicator" in the system tray will briefly turn red (signaling NO connection) while it "reconnects". Then it will turn back to green, and Windows network manager/signal indicator (whatever you call it) will proceed to reconnect as well. After this happens, all is good and I'm reconnected and can access the internet.
As you can see in pics above the ALFA wireless LAN utility is always connected, and it never drops the connection but even so, the internet will not work when Windows drops the connection. However, When reconnecting I can access the internet BEFORE Windows reconnects. (I still have to reconnect as described above, but after I do so I can access the internet before windows FINISHES reconnecting) The tab shown in this picture was a web page that I loaded BEFORE Windows ever reconnected, and it is a page that I have NEVER viewed before, so its not just loading it from cache.
View 9 Replies
View Related
Jul 27, 2012
[code] When the connection is online, the speeds are fine- the issue is the 2-3 times a day when the connection drops off. The error that we are getting is "cannot connect with primary dns server" however in our attempts to restore the connection we have: [code] is there some issues in the area that we are not aware of?
View 3 Replies
View Related
Jun 13, 2008
I have a WRT110 router (firmware v. 1.0.04) and a PC and an XBox 360 connected to it (both via cable). Every 15-20 minutes the connection is dropped for appr. 1-2 minutes. I tried modifying several router settings, but the connections are still being dropped
View 9 Replies
View Related
May 31, 2012
I have two XPS 15 (L502x) laptops (purchased in March '12) with Intel Wifi link 1000 BGN adapters. On a regular basis both laptops lose their connection to the internet (via FIOS), at the same time. I'm convinced that is not FIOS or my router. I have a Dell STUDIO 8100, an iPhone and iPad, and these wireless devices do not lose their connections. Sometimes I'm able to resolve the issue by using "troubleshooting" via the adapter, often restarting the laptop and/or the router is the only way to resolve my problem. I've run the Dell Support software, it indicates no drivers are available for update, so I assume I'm current.I've read about turning off 802.11n, I've read about problems w/ power management and conflicts with wireless.
View 10 Replies
View Related
Mar 13, 2011
I have a WRT400N and approximately every 30-45 minutes the router will drop all connections (wired and wireless), all the lights will go out and then power light (far right light) will flash for a minute or so. I have tried connecting directly to my modem and I have no problems at all.
View 7 Replies
View Related
Jun 28, 2013
I'm trying to configure a L3 switch with some vlans. Despite we add a "ip default-gateway", that is displayed on the "show run", when we look "show ip route" there is no default gateway or gateway of last resource.On the show running we see the following:
interface vlan 31
ip address 10.221.31.177.255.255.255.0
!
interface vlan 32
ip address 10.221.36.125 255.255.255.240
interface vlan 36
ip address 10.221.36.105 255.255.255.248
ip default-gateway 10.221.36.105
One server connected to the vlan 32 is not able to ping the switch svi on vlan 36 (10.221.36.105).When we look the "show ip route" we see that the default gateway is not set.Ip routing is enabled on the switch. I tested the same configuration on my simultator and it works fine.I'm attaching the "show running", "show version", "show protocols" and "show ip routing".The ip routing is enabled on the switch!
View 10 Replies
View Related
Dec 23, 2011
I've been fighting with my E2500 since I got it back in June with lag, dropped connections, etc. It's a bit intermittent but can hang around for hours at a time when it kicks in. Restarts but the issue always comes back. Most noticeable while gaming online or on a VOIP program such as Team Speak. Generally when it happens If I'm monitoring my Team Speak connection the incoming packet loss shoots up between 20-30%, starting to drop out every other word or so. No out going packet loss. The connection drops are random between computers (I have one mac and one pc in the house) where one will be fine and the other wont, or when the whole system will stay connected and drop all transfer. In the case of this last one it's not my ISP's connection as any streaming happening between one computer and an Apple TV device will also cease. I've also swapped back to my old router (an older model linksys) and all problems have stopped. Fully rebooted and reconfigured the router about 3 or 4 times and am on the latest version of firmware (1.0.003). It was much worse on 1.0.002 but still very noticeable on 003. Also no difference with a different wireless adapter. I've tried the chat technical support but all they did was take 45 minutes to tell me how to reboot my router after telling them I already had.
View 1 Replies
View Related
Sep 2, 2012
We have one ASA 5510 but we got the error attached periodically for IPSec/SSL VPN connection but i configured timeout connection as none
View 6 Replies
View Related
Jul 27, 2011
I have just deployed a 881 router at a clients site & configured it to allow remote IPSec VPN connections using the Cisco VPN Client software.
The router works fine except for the remote VPN connections.
Client VPN connections are not being allowed and I am sure the problem is the zone based firewall. I have had very little experience with this, most of my experience is with ACL based security.
View 2 Replies
View Related
Mar 22, 2011
I am using Cisco VPN client for windows 4.0.5 (C)I use the VPN client to connect to my office from home and to connect to a customer via their VPN connection.Is there any way that I can have these two VPN clients active at the same time instead of needing to diconnect one to connect the other ?
View 1 Replies
View Related
Feb 8, 2010
We have an AP541N that has been deployed to replace a Cisco 1200 AP (B/G radio). The 1200 functioned perfectly in our environment. The new AP541N on the other hand seems to work fine right after a reboot but immediately starts to degrade service. Over a short period of time, the devices bandwidth degrades to the point were the wireless network is not usable. This happens with just one device connected. Eventually, the device stops accepting client connections. We are unable to get any relevant logging out of the device to diagnose the problem.
View 84 Replies
View Related
Sep 18, 2011
1 isp connection which splits into two. One plugs into 5510 with ouside ip and the other plugs into the other 5510 with outside ip address.
see diagram below:
Router routes are set as:
ip route 0.0.0.0 0.0.0.0 10.x.x.1
##
ip route 10.x.x.0 255.255.255.0 10.x.x.2
We will be introducing another isp into our network. We want to remove our current isp and switch. But we dont want to do the cut overnight. We will migrate into our new isp. so for a while we will have both isp connections.
What i am thinking of doing is taking one of the ports on 10.x.x.1 and configuring it for our replacement isp network and the same for 10.x.x.2. Will that work?
Can i have ASA 5510 configured for 2 seperate ISP connections? What kind of route will i set on my router?
View 1 Replies
View Related
Nov 29, 2011
Context:1- My company has one ASA 5510 configured with Site-to-site VPN, Ip sec Cisco VPN and Any Connect VPN.2- We use ASA to connect to the single ISP (ISP 1) for internet access. ASA does all the Na Ting for internal users to go out.3- A second link is coming in and we will be using ISP 2 to load balance traffic to internet (i.e. business traffic will go via ISP1 and “other” traffic will go via ISP2).4- A router will be deployed in front of the ASA to terminate internet links.5- No BGP should be used to implement policy (traffic X goes via ISP1, traffic Y goes via ISP2). Questions:How do I get this done, particularly, how do I tell the router, for traffic X use ISP1 and for traffic Y use ISP2? PBR is my friend?Since I will be having 2 public Ip Addresses from the 2 ISPs, how do I NAT internal users to the 2 public Ip addresses ?. Finally, which device should be doing the Na Ting? The ASA just like now or move Na Ting to the Router?
View 9 Replies
View Related
Apr 5, 2013
Is it possible to have a Cisco ASA5510 with two internet connections performing as follows.
Internet A---------All traffic except LAN to LAN vpn
Internet B---------LAN to LAN vpn
I cant find anything definitive on google to say it will or wont, i know it cant do policy based routing.
View 3 Replies
View Related
Jun 7, 2012
My ASA 5510 has stopped accepting connections today. I cannot connect with ASDM either. ASDM hangs at "Contacting the device. Please wait" and does not return an error or time out. I can telnet into the device but my CLI knowledge is elementary at best. I'm trying to determine how to view or enable the correct logging and view via CLI. I have looked at the client log from one of the users that cannot get in and have attached it. It looks like Phase 1 is not completing but I'm not sure how to view what the ASA is logging. I have run debug cry isa and debug cry ipsec but it just returns to the prompt and I'm not sure what I should expect to see or what command to run to view the results.
View 3 Replies
View Related
Aug 1, 2011
We are in the process of getting two new connections pulled in that I would like to utilize in the following configuration.
DS3 - 45/45 I would like to use this circuit for all of our servers to NAT out of as well as our VPN tunnel to our remote site. It will be much more reliable than our cable line.
Cable Internet - 50/10 I would like to use this for all internet traffic that users generate. I would like to be able to fail over to the DS3 if this line goes down.
To get all traffic go out the cable line would take a dynamic NAT rule and a default route. How would I automate a failover to the DS3 with a backup route and dynamic NAT rule?
I understand that if the DS3 goes down it will take manual intervention to bring the tunnel back up and servers with static NAT will need reconfiguration.
View 1 Replies
View Related
May 23, 2011
Dropped VPN connections.I experienced a similar issue a few years ago with my LinkSys WRT54G router with dropped connections to my corporate network using the Cisco VPN Client. To make a long story short the problem was the result of the following:
1. The default ""Client Lease Time" on LinkSys routers is 0 which means 1 day or 24 hours.
2. By DHCP Protocol definition, DHCP clients must renew the DHCP client IP address lease at the 1/2 life cycle of the lease (12 hours if using the router's default setting). This is deadly for VPN clients as the short period of time when the client IP address is no longer valid, the VPN client considers this a loss of network connection. The LinkSys E-series routers further aggravate the situation by randomly assigning new IP addresses to DHCP clients instead of reassigning the client's previous IP address and tends to favor higher host IP addresses in the defined range.
Suggestions to prevent lost VPN client connections:
1. Change the "Client Lease Time" on the router to 8640 minutes (6 days 00:00:00).
2. Prior to establishing a VPN client connection, use the Windows Command Prompt to issue the "ipconfig /renew"
command to obtain a new IP address from the router that will be good for 3 days (72 hours).
3. Configure your E-series router to use the <DHCP Reservation> option to pre-assign IP addresses to your systems making sure they are outside the range of the dynamically assigned DHCP addresses. Using default settings,these would be in the range of 192.168.1.2 thru 192.168.1.99 as the router starts at 192.168.1.100 thru 192.168.1.149.
View 1 Replies
View Related
Sep 12, 2011
normaly the agents has a persistent connection with the kaseya server (monitoring server),The connection re-established afther the next check-in of the agent, instead of a persistent connection. Now we need to wait to the next check-in before we can connect to the agent. This is a big performance issue, the check-in time of the agents are 3 minutes.I see a lot of the following messages in de syslog:
6Sep 12 201120:27:48302013customer site527985721Built inbound TCP connection 5418112 for outside:(customer site)/52798 (customer site/52798) to inside:kaseya server/5721 (outsideIP/5721)
6Sep 12 201120:29:09302014customer site527985721Teardown TCP connection 5418112 for outside:(customer site)/52798 to inside:kaseya server/5721 duration 0:01:21 bytes 45 TCP FINs
I create a normal static nat rule from the kaseya server to a public ip address, and i define the protocols in de secutiry policy.ICMP has been allowed.cisco asa details:System image file is "disk0:/asa824-k8.bin" This platform has an ASA 5510 Security Plus license.It's look like a connection time-out between the agents and our cisco asa.
View 8 Replies
View Related
May 22, 2011
We have an ASA5510 and we're currently using 1 internet connection to handle our site-to-site VPN connection and our internet traffic. We have a second internet connection on hand. What we would like to do it use BOTH internet connections: (1) will be dedicated to our VPN connection, (1) will be handling all our internet traffic. How can we get this setup? We're running Software Version 8.4(1)
View 1 Replies
View Related
Jan 26, 2011
i have a 5510 with a working VPN but discovered that anyone connecting from a public IP can connect to VPN but can't go anywhere.so if i have say a linksys wifi on my cable modem and a private IP i can connect no problem. but if i'm on like a verizon data card which gives me a public IP i can connect to VPN but receive the below errors in my asa logs and can not reach anything on the network.What do i need added to allow remote ends without a nat device to also work?
View 4 Replies
View Related
Jan 1, 2012
Since last week we are having problems with remote users working with VPN client on Windows XP.The connection is stablished but no data traffic occurs.
As we didn't do any change in vpn remote settings I did a test from Linux machine running VPNC client and it works well.It sounds so weird because it happens only on Windows client platform.We have CISCO ASA 5510 and PIX 515 running 8.0(4).
View 4 Replies
View Related
May 29, 2012
I am having an issue when implementing an additional internet connection on our ASA 5510. The new connection is "TWCOutside". I was my understanding that static NAT would force our externally hosted servers (Email, PPTP VPN, and FTP) to continue to utilize the "ATTOutside" connection. Our remote site-to-site VPN traffic has two static routes configured to force it to continue to use the ATTOutside connection.When I switch the metric on the 0.0.0.0 0.0.0.0 98.103.148.145 route to 1, and change out default dynamic xlate to use "TWCOutside", it "mostly" works as expected. Email, the PPTP VPN server, and our remote site-to-site VPN server continue to use the ATTOutside connection as designed. Our end users begin using the new connection for thier internet browsing.
However, our FTP server, in the DMZ, completley loses outside access. It cannot ping to 8.8.8.8, or resolve DNS queries. The is a static NAT statement for this server, as it is using one of our dedicated public IP addresses. I need it to continue to do so for the next few weeks.Effectivley, we just want to give our end users internet browsing on the new TWC link, but leave everything else on the old ATT link for the time being. The only problem I am having is the DMZ connection. I am currently "rolled back", so no one is using the new connection until I figure this out. I can easily switch the metric and dynamic PAT back to using the TWC connection, but I need to have some things to try with the DMZ before doing so. [code]
View 2 Replies
View Related
May 19, 2012
We have a site with two inbound circuits, one for internet and one for our MPLS. Each circuit is being terminated by a 2921 Router and matching ASA 5510 Firewall. For the internal network, the Internet ASA's inside interface (172.16.0.1) is the default gateway for all hosts. OSPF is the routing protocol between all the routers and ASA's and routing is working. In fact, ICMP is working as well. From an inside host (172.16.0.81), we can ping anything on the MPLS network. But when I try to use telnet (for example), the connection fails. If I add a route to 10.10.10.0 to the host, or re-configure the host to point to the MPLS ASA (172.16.0.254) as it's default gateway, connections will establish.
Both ASAs are running 8.4(3), and have the following commands:
same-security-traffic permit intra-interface
interface Ethernet0/0
nameif outside
[Code]....
And from the MPLS nodes, I can see a tcp request is made.
View 6 Replies
View Related
Feb 24, 2012
I have configured VPN client on my ASA 5510,
I am trying now to telnet my call manager on port 5060 and on port 2000.
When i am connected localy i am able to telnet both ports, but when i am trying to connect through cisco VPN client i am able to telnet the port 2000 and not able to telnet 5060. Both ports are on the same call manager.
When using windows VPN i am able to telnet both ports.
if i removed inspect SIP from: policy-map global_policy class inspection_default
View 8 Replies
View Related
Nov 15, 2011
I have a VPN client running on a laptop connected a DSL circuit. The VPN client is configured correctly for an external address on another firewall, this external firewall passes through ISAKMP / IPSEC to an ASA where it terminates. The client authenticates and gets an address from the client pool (VPNCLIENTS – 10.2.16.x / 24) and the tunnel completes with no problems. From the internal ASA I can ping any internal network behind the 10.0.3.240 interface (INSIDE) and I have a route on the inside network to get to the 10.2.16/0 clients to point to this address (10.0.3.240). All good so far.
Now the problems begin. I cant ping anything from the VPN clients (10.2.16.0) network to anywhere, I cant ping any interface on the ASA or any internal network. I also cant ping the client from the ASA and therefore not from the internal network either. This configuration is bare bones configuration so I don’t even have the NAT exception rules added. Network diagram attached too.
interface Ethernet0/0
nameif outside
security-level 0
[Code]......
View 3 Replies
View Related
Aug 9, 2011
I am having an ASA 5510 and have configured Clientless SSL VPN in it. Now I need to allow my SSL VPN user to access on a particular application(like mspaint.exe for example).When the user login to the SSL VPN, he should see only the particular aplication or must be able to access on the particular application.
View 2 Replies
View Related
Oct 30, 2011
I woudl like to ask all of you that i have ASA 5510 and i want to do VPN client authetication with LDAP, after verify username and password with AD and it use policy with ACS?
View 3 Replies
View Related
Mar 13, 2013
I've found that my clients can NOT access to my ASA 5510 with their Cisco VPN Client Ver 5.0 through IPsec over UDP.By comparing my new running config with the old one I found some strang following configuration: [code]
We have 3 diffrent IT expert who have access to our router and I think this configuration is cause of our VPN access problem.Is it really because of that or something else.Any way I want to know how can I get rid of these configuration?
View 7 Replies
View Related
