Cisco VPN :: ASA 5510 / RVS 4000 - VPN Tunnel Reset
Nov 7, 2012
I have an ASA 5510 at V8.2(5) with something near 20 site to site VPN tunnels. I am having a problem with 1 tunnel to a RVS4000. The tunnel is completely closed and reset during Phase2. Here is a small snipet at the time of the tunnel reset
x.x.x.x, Username = x.x.x.x, IP = x.x.x.x, Session disconnected. Session Type: IPsec, Duration: 7h:36m:30s, Bytes xmt: 333755, Bytes rcv: 86281, Reason: User Requested
Followed by Group = x.x.x.x, IP = x.x.x.x, Active unit receives a centry expired event for remote peer x.x.x.x.
We use a number of connection oriented sessions and this blowing them out of the water. all other tunnels are up for DAYS to more than a Month.
View 8 Replies
ADVERTISEMENT
Dec 16, 2011
how to establish tunnel between rvs 4000 and rv042 ?
View 2 Replies
View Related
Feb 20, 2008
Just bought myself an ASA5505 to replace a PIX 501, and having transferred over most of the previous config I've managed to get the two IPSEC VPN tunnels working as before.
Unfortunately when I try and SSH to the ASA the connection just resets instantly even when the tunnel is up. It seems as if the ASA is actively refusing the connection, though the log doesn't state this. I had always presumed that traffic over an established IPSEC tunnel was implicitly trusted and not subject to usual access-list rules.
I am unable to SSH to the ASA from the 10.0.0.x range, but I can SSH to a machine on 10.27.0.4 (so I know the tunnel is up and working)
Config (minus irrelevant sensitive information) is attached for reference.
Also - though I'm not sure how relevant it is given the tunnels appear to work - when I enter the line "crypto map meepnet-map interface outside" in config mode the ASA reports "WARNING: The crypto map entry is incomplete!" even though I have supplied the access-list, peer and transform-set variables.
View 12 Replies
View Related
Jun 2, 2013
We are facing a strange issue with GRE tunnel. We are using this tunnel from a branch office to Hub office. All other tunnels terminated on Hub router are working fine. Issue with this tunnel is that whenever WAN connection goes down Line protocol on tunnel interface some times comes up and sometimes not (therefore we have to reset the tunnel interface and it comes up). IOS used on this router : c2900-universalk9-mz.SPA.152-1.T2
View 5 Replies
View Related
Sep 15, 2011
I was hoping that the latest firmware would fix my (2) 'bugs', but it did not. We are using the RV042s at our remote medical clinics as an end-point VPN router to our Nortel 1700 VPN router, replacing our old Nortel Contivity 100s.When I try and do a reset when connected remotely via the WAN interface, the RV042 hangs and will only reset by re-powering.
View 1 Replies
View Related
Jun 16, 2011
I installed a 1941 router with an encrypted GRE tunnel yesterday. The router has ipbasek9 and securiyk9 licensed. Initially the router was running the image c1900-universalk9-mz.SPA.150-1.M5.bin and was working fine. The tunnel was up and passing traffic. I then upgraded the IOS to c1900- universal k9-mz.SPA.151-2.T2.bin and when I reloaded the router the tunnel was stuck in a reset/down state. I tried doing shut/no shut on the interface and reloading the router again, no change. Being under some time pressure to get the device back into production I rolled back to the previous IOS image and the tunnel worked fine again. Is there a known bug that causes this behavior? I have searched cisco.com but have not found one. [code]
View 1 Replies
View Related
Jun 9, 2011
We have a site to site VPN tunnel that consists off a Cisco 877 at a remote site and a Cisco ASA5510 at the Head Office.
Remote Site 192.168.100.0/24 > Head Office 192.168.0.0/24
telnet 192.168.0.36 25 works
telnet 192.168.0.34 443 works
telnet 192.168.0.202 21050 fails
ping 192.168.0.202 works
The VPN tunnel is working in No NAT mode and allows IP any from each subnet. AD replication works fine across the VPN tunnel and so does telnet from the remote subnet to an exchange/web server at the Head Office.
The device on 192.168.0.202 is listening on the required port as we can telnet to it locally. The device does have a different gateway, but a route statement is in place to use 192.168.0.2 as it's default gateway for 192.168.100.0/24 traffic.
What doesn’t work is a connection to the phone system, we get the following in the logs:
6 Jun 09 2011 22:20:20 302013 192.168.100.1 60759 192.168.0.202 21050 Built inbound TCP connection 5799085 for outside:192.168.100.1/60759 (192.168.100.1/60759) to inside:192.168.0.202/21050
[Code].....
View 1 Replies
View Related
Nov 15, 2012
I am trying to reset the password of ASA 5510,it is entering in Rommon mode but after boot command i am getting following error.
View 3 Replies
View Related
Jun 11, 2013
We currently run dual ASA 5510's in A/S config on our main campus. We would like to create a VPN tunnel to a branch campus. Trying to decide between a 5505/5510/5512x, We would like to extend many of the capabilities of our network to the branch campus which will be 20-50 users on a 50mb/10mb internet connection.
Domain login
System Center workstation management
Cisco WCS
Shoretel voip
(Cisco NAC?)
Several different VLANs for wireless guest, student traffic, staff traffic, voip traffic, etc. Which device would be best and should we get the security plus license with it?
View 4 Replies
View Related
May 2, 2012
I have two 5510's that I am trying to get a tunnel established. One has an exsistinig tunnel to a 5505 that works but I cant get the next one to get past the first phase. I have sanitized the attached configs
View 5 Replies
View Related
May 30, 2012
I had a pix that had two working tunnels going to one 5510 and one 5520. Today the VPN tunnel to our 5520 stopped working but if I do sh cry isa sa both tunnels have QM_IDLE as the state. (both ends) I tried to debug crypto isakmp 255 but all I get is PEER_REAPER_TIMER and no other output on the pix side.
View 20 Replies
View Related
Dec 12, 2011
I am using a Cisco ASA 5510. Our tunnels always drop due to inactivity, which is a security issue I understand, and it only takes some "interesting traffic" to bring it back up. My problem is that it looks like the interesting traffic has to originate from my side of the tunnel, when our clients send traffic and the tunnel is down due to inactivity it does not come back up. Is there a setting that I am overlooking that will make it come back up no matter who sends traffic? Or, is there a way to make it stay up through inactivity?
View 4 Replies
View Related
May 23, 2011
Firewall ASA5510. I'm planning to get one of ASA5510 for our office in order to secure our network properly, however we have quite specific routing configuration to allow us failover to the remote location (data center) in case of any disaster with our server. I'd like to find out if I can just install firewall between our ISP Ruter and internet and allow traffic to/from Data Centre. In this situation will I have to change routing configuration on Company Router or do I have to do anything with our Company Router
View 1 Replies
View Related
Apr 25, 2013
I have been struggling to come up with the proper config to do a NAT of an incoming VPN tunnel to a VLAN on my network. I have an ASA 5510 with an IPSEC site-to-site tunnel to a partner network of 166.110.0.0/17.I have several VLANs on the ASA interface behind a cat4500 router (192.168.100.024, 172.16.4.0/24, 166.110.128.0/22 etc). The only network that the partner network sees is the 166.110.128.0/22.My problem is that I need to give them access to a node on my 192.168.100.0/24 net, but can't get the admin on the other side to add a route and adjust his tunnel.
View 4 Replies
View Related
Dec 5, 2010
I've a asa 5510 on the main site and different ASA 5505 on secundary sites for VPN tunneling between the sites. The problem is that the tunnels are acomplished but no traffic is going over them. What am i doing wrong? For the moment there is a ASA 5505 on the main site managing the tunnels but I want the 5510 to take over the job.
View 5 Replies
View Related
Nov 27, 2012
I don't know if this is in the right section, but I cannot set up a vpn tunnel between an asa 5510 and a cisco rv042 router. I believe the problem is because i need to set up a nat exempt rule on the rv042 route but don't know how.
View 1 Replies
View Related
May 15, 2013
I have our main site using a Cisco 5510 running 8.4.2 code and a remote site using a Cisco 5505 running 8.4.2 code. The main site has a T1 and the remote site is using a DSL connection. About every other day I have to reset the connection at the remote site. The process that I have found that works is to remove the nat statement, clear the cry ips sa and then add back the nat statement. The connection usually comes back up and a few minutes. I am trying to see what is causing this to drop.
View 5 Replies
View Related
May 9, 2013
I have an ASA 5510 and I am building a site-to-site vpn tunnel, peer on the other end is a sonicwall. I can initiate the tunnel from my end, but when he tries from his end it fails on phase 2 with this error in the logs:
"Rejecting IPSec tunnel: no matching crypto map entry for remote proxy"
Obviously our crypto map's don't match, i have it restricted to specific ports on my end and he had it wide open on his end, but said he is not sure how to restrict it down to specific ports. My question is why would I be able to bring the tunnel up on my end if the crypto map's don't match and he can't bring it up?
View 5 Replies
View Related
Dec 5, 2012
I have an ASA 5510 and I am building a site-to-site vpn tunnel, peer on the other end is a sonicwall. I can initiate the tunnel from my end, but when he tries from his end it fails on phase 2 with this error in the logs:
"Rejecting IPSec tunnel: no matching crypto map entry for remote proxy"
Obviously our crypto map's don't match, i have it restricted to specific ports on my end and he had it wide open on his end, but said he is not sure how to restrict it down to specific ports. My question is why would I be able to bring the tunnel up on my end if the crypto map's don't match and he can't bring it up?
View 1 Replies
View Related
Mar 5, 2012
I'm attempting to debug an ipsec tunnel on an ASA 5510 (8.4(3)) and when I turn on `debug crypto ipsec` and then execute `logging monitor` I get an constant stream of TCP debugging events, is it possible to only view ipsec messages?
View 2 Replies
View Related
Jun 8, 2011
I got a stange vpn problem, just added a new vpn tunnel to our ASA5510 and then the users report that the traffic through the tunnel is very slow, when I try it myself I get a speed like 50kb/sec to the internal server.If I use our regular tunnel or any other tunnel the speed is just fine. I´ve added the new tunnel in the same way as the other tunnels, that is thorugh ASDM vpn wizzard.
View 2 Replies
View Related
May 13, 2011
I would like to ask some question about VPN clinet and SSL VPN, on my ASA 5510 i have many tunnel-group it have around 5 tunnel-group and i have one SSL VPN,i also have user 20 user. let me show you that:
1- tunnel-group Staff-VPN remote-access
2- tunnel-group Manager-VPN remote-access
3- tunnel-group normalstaff-VPN remote-access
4- tunnel-group guest-VPN remote-access
5- tunnel-group other-VPN remote-access
and tunnel-group sslgroup type remote-access
and i have user around 20 user and i want to specific user to tunnel-groups like this
1- tunnel-group Staff-VPN remote-access
username AAA password AAA
username AAA01 password AA01
2- tunnel-group Manager-VPN remote-access
username BBB password BBB
username BBB01 password BBB01
3- tunnel-group normalstaff-VPN remote-access
username CCC password CCC
username CCC01 password CCC01
5- tunnel-group other-VPN remote-access
username DDD password DDD
username DDD01 password DDD01
So, How can i manag tunel-groups with user?
View 3 Replies
View Related
Mar 31, 2012
We are using a 5510 and have issues trying to use VPN with full tunnel to connect from inside the firewall to a customer site. I don't seem to have a problem when using split tunnel profiles. How would you troubleshoot this?
View 12 Replies
View Related
Jul 31, 2012
I have a 5510 and a 5505 that I'm attempting to configure a simple VPN tunnel over. I have tried step by step configurations form CISCO ASA configs, as well as every source I can find. I have walked throught the config with IOS commands as well as Wizards. All my packets are dropped at the the inside or outside interface.
When I show SH ISAKMP command all I get are 0's straight down.
View 7 Replies
View Related
Nov 5, 2011
I am trying to setup a VPN tunnel between a Cisco ASA 5510 (Version 8.2(2)) and Sonicwall TZ200. I got tunnel up and going and I am able to ping the Cisco ASA internal IP from the Sonicwall LAN but nothing else works.
When I try to ping a host behind the Cisco ASA from the Sonicwall LAN I get the following message "Asymmetric NAT rules matched for forward and reverse flows;
[code]...
View 14 Replies
View Related
Apr 3, 2011
I have 2 Cisco 871 set up to vpn in to an ASA 5510. Everything has worked even when the 871 is behind a nat.
We use these routers to send to employees home for temporary use.
The WAN ports on the 871 are configured to pick up an IP via DHCP.
Office ASA 5510 - Public IP address
WAN - Public IP
Internal - 192.168.1.0/24
|
Internet
|
Home Router
WAN - Public IP
Internal - 192.168.1.0/24
|
Cisco 871 picks up 192.168.1.x on WAN port from user's home router
Internal vlan1 192.168.10.x/24
The problem is - this user's home router is using the same subnet as the internal network at the office. Is there anyway to force traffic bound for 192.168.1.x to go over the VPN tunnel? It does this correctly if the 871's WAN port is not also on the same subnet. The vpn tunnel does come up. And I can ping to and from the router, it's just the clients behind the 871 that cannot ping or access the corp network.
View 2 Replies
View Related
Apr 18, 2012
We have a ASA 5510 (v8.2.2 with ASDM 6..4.7, 256Mb mem) with a license for 250 VPN Peers. The machine has currently one site-to-site VPN active. I've added a remote-access IPSec VPN for some users but when connecting from the remote site the connection is dropped and the ASA reports %ASA-4-713239 Tunnel Rejected : The maximum tunnel count allowed has been reached.
I've searched for info relating to this message but I found none. Before I plan a restart (it's up for 222 days), is there something I could do on CLI to fix this ?
View 4 Replies
View Related
Jun 11, 2012
I working on a security solution using ASA firewall. Is it possible to setup a IPSec tunnels on each subinterface of a physical interface on ASA 5510?
View 3 Replies
View Related
Mar 29, 2012
I have an ipsec tunnel IP is changing from mythical 200.200.200.182 to 200.200.200.254. Is it possible to change the .182 ip in below config via the CLI to .254 and have the site-to-site vpn continue to work? [code]
View 1 Replies
View Related
Jun 28, 2011
i just configued a L2L tunnel between ASA 5510 and ASR 1004. tunnel is up but got serious packet lost (more than 70%) and isakmp always up-down intermittently.i compared parameters on both sides again and again but no luck. [code]
View 4 Replies
View Related
Jan 8, 2013
I am experiencing slow throughput on a L2L IPsec tunnel that we have between one of our offices on the west coast (WC) US and another on the east coast (EC) US. The tunnel endpoint on the WC resides on a 5510 and a 5545x on the EC. The DIA circuit speed on the WC is 45 Mbps and 200 Mbps on the EC. The throughput of this IPsec tunnel is maxing out at approx. 4 – 5 Mbps. The utilization of the DIA circuits at both offices is under 5% when running various FTP test transfers. Both devices have low memory and CPU utilization.
We have a 2nd office on the EC (45 Mbps DIA) which I built a tunnel on a 5510 with the WC office and it is experiencing the same slow throughput. In covering all my bases we have a colocation facility on the WC and in building a tunnel between the 2 WC offices I WAS seeing close to full line rate speeds over the tunnel. Additionally, I built a tunnel between the 2 EC offices and I saw full line rate speeds. With the physical distance between the WC & EC offices I would expect some loss in throughput speeds but I would not expect it to drop as low as 4 – 5 Mbps. In thinking something may be up with the 5510 in our WC office we shipped a 5505 to the WC office and we built the same IPsec tunnels on it and it is experiencing the same.
In working with our support vendor to try and solve the WC <-> EC throughput issue they had me change the MTU, TCP mss, DF-bit, types of encryption/hash on the IPsec tunnel but nothing has resolved it. We are not showing fragmentation or PMTU issues on the tunnel. In contacting the ISP of our WC office they mentioned that they do not have any type or rate limiting in place. Our WC ISP had a CCIE review our configurations but nothing was found.
View 1 Replies
View Related
Jan 30, 2012
We have a new site-to-site configuration comprised of two ASAs (a 5505 at the remote site and a 5510 locally). The site-to-site tunnel is up and appears to be working fine, with the exception of one thing; two identified IP addresses on the remote end cannot seem to communicate across the tunnel.
For example: address 192.168.3.81 is able to see resources at our facility, but 192.168.3.82 (an HP Laser jet P2055dn) cannot. However, 192.168.3.82 is ping able from the inside interface of the remote ASA and doesn't appear to be having any other connectivity issues. Also, the default gateway of this device appears to be set properly. When checking the real-time log viewer, I'm not seeing any error messages, it just appears as if the .82 device is not routing to the remote ASA, but strangely enough the local ASA's logs do seem to show communication with .82. (See the below logs.)
When we attempt to ping the 192.168.3.82 address from a local PC (10.10.10.10) that participates in the VPN tunnel, we see the following:
Local ASA
6|Jan 31 2012|16:03:53|302021|192.168.3.82|0|10.10.10.10|512|Teardown ICMP connection for faddr 192.168.3.82/0 gaddr 10.10.10.10/512 laddr 10.10.10.10/512
[ code]....
Remote ASA
6|Jan 31 2012|16:03:53|302021|10.10.10.10|512|192.168.3.82|0|Tear down ICMP connection for faddr 10.10.10.10/512 gaddr 192.168.3.82/0 laddr 192.168.3.82/0
[ code].....
We can successfully ping 192.168.3.81 from the same local workstation we see the following on the remote ASA :
6|Jan 31 2012|16:03:38|302021|10.10.10.10|512|192.168.3.81|0|Tear down ICMP connection for faddr 10.10.10.10/512 gaddr 192.168.3.81/0 laddr 192.168.3.81/0
[Code]....
We have no IP address overlapping and neither ASA's logs show any errors. Unfortunately, we don't have access to the remote site's router configurations, but we've been assured that the issue is not on their end.
View 3 Replies
View Related
Dec 5, 2011
i have a Ipsec tunnel between a ASA 5510 (Uk) & a router (France) that seems to be going down a specific times during the day. I have attached the sys log as well.
I cannot seem to copy & paste the config onto here for some reason so i have attched the configs, Ipsec details & syslog details from the asa.
View 3 Replies
View Related
