Cisco VPN :: ASA 5510 With Windows XP And Windows 7 VPN Clients
May 10, 2010
We have a working configuration for L2TP-IPSec connection from a native Windows XP client to the ASA 5510. When trying to set up a connection from a Windows 7 client, the connection fails with the message that all SA proposals are unacceptable. Is this coexistence possible, and what parameters would I have to change to get this working? I have understood that the Windows 7 client requires some higher security proposals, but have not found what these are. And at the same time we are concerned about not destroying the VPN connection for our existing XP clients.
I've just discovered this thing in Windows Event log. The DHCP-Client log is full with this: the client received a NAK from the DHCP Server. Strangely, they still get the desired IP address. (Which are reserved addresses for the MAC addresses.) So I've looked at the logs in the DIR-615 (rev.D, FW: 4.13), and found this:
Working on Windows desktops and cannot map drives to Unix servers without undoing a particular Windows update. Network policy pushes this update out again. Cannot change that policy... Active Directory Bridge solution needed to map drive letters from Windows users to Unix (SUN) systems?
I have a trouble with PPTP VPN between Windows clients and Cisco 2921 router with RADIUS (IAS) authorization. When I try to connect to Cisco 2921 from Windows 7 using MS-CHAP v2 I receive error 778: it was not possible to verify the identity of server. When I use PAP, everything is OK. On Windows XP the same situation.
Cisco config:
version 15.0
service timestamps debug datetime msec
We've got 5 remote offices with cisco 881 routers, Win Clients behind them and all routers connected via vpn site-to-site to central software router.
Mostly all clients receive ip addresses from routers in their subnets 192.168.x.024. We have Win DHCP Server in subnet 192.168.181.024
The problem is that some of clients, physically situated in 192.168.10.024 subnet, receive ip addresses from Win DHCP server from 192.168.181.024 subnet.
Here's part of cisco cfg:
interface FastEthernet0
 no ip address
!
interface FastEthernet1
I am trying to make an application sharing software which shares multiple applications in windows to various clients. My idea is to modify VNC code and use it to share applications on different ports to different clients.
We are deploying BYOD with Cisco ISE 1.1.2 and WLC (5508) using 802.1x authentication. Windows clients cannot connect to 802.1x SSID with the following error on ISE: Authentication failed : 12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate
The client doesn't have preconfigured wifi profile or root certificate installed. The concept of BYOD supposes that you can connect your device without any installed certificates and preconfigured wifi-profiles.
The problem is that Windows 7 supplicant does not send TLS alert in pop up window, when connecting to 802.1x SSID. If this alert is seen, then you can accept it and proceed the connection. After that you will be asked to install ROOT-cert, get your own cert and etc. So, the question is: how to make the windows supplicant to show the pop-up window with TLS alert?
p.s. the attached file shows the example of pop up TLS-alert window
We currently have an ASA 5520 communicating with 10 ASA 5510's, all on static outside addresses. I was asked to add 5 additional 5510's on dynamic address. All worked well in testing until it was decided that some of the dynamic clients needed to talk to each other.
I have the ASA 5510, I just upgraded to Windows 7 and installed the ASDM software. The installation went smoothly but when I launch ASDM all that comes up is the top right of a window, here is a screenshot of what happens.
We have a SSL Gateway setup with the anyconnect client. We have picked up on some of the Windows 7 Tablets that you can install via the web page. Once installed you are connected to the network. However once you disconnect, and try with the anyconnect client you get the following error;
"Anyconnect was not able to establish a connection to the specified secure gateway. Please try connecting again"
We have not seen this on any of the Windows 7 laptops nor Windows XP.
The URL has been added to the trusted zones. We have gone as far as to disable anti-virus / Windows firewall. Disabled the "Protected mode" within Internet Explorer.
Anyconnect client version 2.5.3055. ASA 5510 Serial number JMX1504L05Y - ver asa841-k8
I have a Cisco ASA5510 and I'm having fun experimenting with some configurations. I cannot connect to VPN; Windows gives me error 809. I configured the firewall to accept connections to Microsoft L2TP/IPsec client by authenticating users on the domain controller LDAP.
Clientless VPN connections work, so the server connection is correct. [Code] ......
I have an ASA5510 connected to a computer running Windows 7 (the NTP Server) on its "inside" interface. Using the ASDM, I have configured the ASA5510 to use the Windows 7 as its NTP server (my architecture forces me to use a local machine as an NTP server):
- IP address: 192.0.99.1 (the ASA5510 has an IP address of 192.0.99.40)
- Interface: inside
- Key number: None
- Enable NTP authentication: no.
I have other Windows computers on the "inside" interface using the NTP Server, so NTP traffic is relayed without any problem. But somehow, the ASA5510 is not able to synchronize with the NTP Server. I see the following log entry:
so it seems like the ASA5510 sends a request to the NTP Server, but I am not sure whether the reply doesn't get processed correctly, or the connection stays open too long (my UDP connection timeout is the default, 2 minutes).
I had trouble getting SonicWALL NSA2400s to use Windows 7 devices as NTP servers. I had to get a firmware version where there was no MD5 authentication (which I think is OK in this case), and change a setting in the Windows registry (HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/services/W32Time/Config/AnnounceFlags: from 0xa to 0x5)
I have an ASA 5510 and set up remote dial-in users.
I wanted to use the Windows 7 built-in client and also the DrayTek site-to-site VPN options; however, when they connect, VPN traffic will not work, whereas when I use the Cisco VPN client everything works fine.
All the VPNs connect pretty quickly. In the syslog I am getting errors when I try and ping something: [code]
Having an issue with the ipsec client being unable to add routes in Windows 7 while connecting to an asa 5510 running 8.3(2). Client connects, but the split-tunnel routes do not get installed on the OS. Vpn client versions used are 5.0.07.0290 and 5.0.07.0440 x64. The client status window shows that it received the split tunnel networks, but the log shows that the routes do not get installed with the following message:
Sev=Warning/2 CVPND/0xE3400013 AddRoute failed to add a route with metric of 100: code 87 Destiantion 192.168.100.0 Netmask 255.255.252.0 Gateway 0.30.1.1 Interface 10.30.1.201
I have a Cisco ASA 5510 with basic configuration (default policies). The problem is that Windows XP users are unable to send emails from MS Outlook and unable to log on to Hotmail, Gmail or any mailing site, while Windows 7 and 8 users are not facing any problem.
I'm having a weird issue with the VPN client installed on Windows. Even though it connects and receives an IP address, I'm not able to access any of the servers on the remote network.
Is there any special configuration needed for it to work on Windows 7 Professional?
The client works perfectly with Windows XP. We have an ASA 5510 Version 8.2(2) in routed mode.
I have an RV042 set up for quick vpn access. The remote computer in question is a Win 7 64bit. The PC uses McAfee SAAS firewall. This disables the Windows firewall.
1. I can connect to the vpn with SAAS disabled and Windows firewall enabled.
2. I cannot connect to the vpn with both Windows firewall and SAAS disabled.
3. I cannot run SAAS and Windows firewall together to check if this would work.
I need to figure out what Windows firewall is doing to allow the vpn to connect, and so how to do this with Windows firewall disabled. I can then leave the Windows firewall disabled and enable McAfee SAAS. The message QuickVPN provides when it fails to connect is that the remote gateway is not responding. The client logs show that the tunnel had been opened but it was unable to ping.
My new Windows 8 computer is not wi-fi capable, I bought the adapter but it only works with Windows 7, they have a link to upgrade to Windows 8 but I don't know where to go from there.
I want to access a folder shared on a Windows 2003 server 32bit from a Windows 7 64bit Ultimate WS, but after asking for the password, despite my giving the correct password, it asks again and again and does not show the folder.
We have a network of approximately 20 computers, network printers, and one Windows 2003 Server (used simply as a file server). I have an issue with two specific Windows 7 Pro workstations that just will not logon. The username and password details we're using are correct, but the server rejects them. I can logon using the same account from any other Windows 7 Pro workstation, or Windows XP station, so I know the issue is specific to the two workstations communicating with the server.
Both affected stations show Logon attempted by: MICROSOFT_AUTHENTICATION_PACKAGE_1_0 error 0xC000006A which all searches on Google point towards incorrect login credentials, however I've tried plenty of perfectly valid login credentials and they don't work either. I've tried checking that the 128bit option on the Windows 7 machines is disabled in file sharing etc.
I have a Win XP laptop which connects via wireless to a cheap Belkin router. I have a Win 7 Pro laptop which is hardwired to the router. The Win 7 machine is NOT set up for home groups. We are all on the same workgroup.
I have added the user name from the XP machine to the Win 7 pro machine with admin rights. I shared a folder on Win 7 and added the user name and gave read/write rights. I have no software firewall.
When I try to connect via win explorer via the workgroup I see the Win 7 machine (after 10 seconds). I see 'User' folder which I can browse and I see the folder that I shared but I can't access it. Access denied...
My Win7 laptop was unable to ping another WinXP within the same network. When I first got this Win7 laptop, I experienced this problem. The WinXP laptop has no problem pinging the Win7 system. A visiting friend changed the setting on the Win7 laptop and suddenly the two laptops were able to talk to each other. I wiped the WinXP laptop a few weeks ago. Since then, the Win7 laptop is again unable to ping the WinXP. I have googled for many hours now. I tried just about all the methods that make sense to me but still cannot ping from Win7 to WinXP. How I can reestablish communication between these 2 systems on the same network?
I have this test Windows 2008 R2 server. I can connect to the internet on this server. However my client XP machine cannot see the server via Windows Explorer. I can however ping the Windows 2008 R2 server, using the server's IP of 192.168.1.230. Another thing is I also cannot remote to the server on the internal LAN using RDP. I've even tried with firewalls turned off on the server for some mins.
I've some strange problems with multiple ASA (NEM) VPN remote clients (v8.4.5). On the HQ I've an ASA5510 (v8.4.5) with multiple NEM's connected to it. The group policy used on the HQ is configured for split tunneling. Now here's the problem;
The remote ASA (NEM) constructs easily a VPN connection to the main location; it seems that everything works well. Traffic through most of the tunneled networks works perfectly. Traffic to certain subnets or hosts brings me into trouble, there is no traffic flowing through the tunnel at all!
When using the command "show crypto ipsec sa | i caps|ident|spi" I can see all of the tunneled subnets. The subnets that work perfectly give me the correct "local and remote ident" output. The subnets with problems give me wrong values in the "remote ident". The remote ident should be the IP address of the inside LAN (of the remote NEM) and not the IP address of the outside interface (of the remote NEM). How is this possible?
Here is the crypto ipsec sa output:
Result of the command: "show crypto ipsec sa | i caps|ident|spi"
local ident (addr/mask/prot/port): (10.200.60.0/255.255.255.0/0/0) <-- this is the good subnet of the inside interface (NEM)
remote ident (addr/mask/prot/port): (10.100.2.2/255.255.255.255/0/0) <-- this is the good subnet (HQ)
#pkts encaps: 54712, #pkts encrypt: 54712, #pkts digest: 54712
#pkts decaps: 31893, #pkts decrypt: 31893, #pkts verify: 31893
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
current outbound spi: A4FA947A
I planned for my customer to replace his old LMS 4.0.1 server under Windows 2003 by a new server under Windows 2008 R2. Customer also wants to set a new LMS name and IP address for the new server under Windows 2008 R2 and keep both servers on the network. I'm wondering what could be the best procedure to do that migration. Can I use backup / restore procedure in that case? If yes, what file must I modify to adapt the new LMS configuration to new hostname and IP address?
I'm trying to understand my options for assigning addresses to VPN clients on an ASA 5510. Under the ASDM, I have a field for DHCP servers, radio buttons: none, dhcp link, dhcp subnet, and field: client address pools. Cisco's VPN examples demonstrate setting up a client address pool, which I did, but the VPN client isn't assigned a gateway in the process so it can't connect to anything; I really don't understand the point of this. I'd like to create a DHCP pool on the ASA for VPN clients as this seems to be the standard configuration. However, I don't know where in the ASDM to configure this and how it's applied. The only DHCP options I found involved creating a DHCP server on an interface, which I don't want to do since VPN users aren't on a physical interface, right?