Cisco VPN :: ASA 5540 Remote VPN With DHCP Failing
Feb 28, 2013
I am currently running an ASA5540 version 8.3(2). I have multiple remote VPN users currently working on this server. Lately, I have had issues with people getting booted or not being able to route anywhere, and it appears to be because they keep fighting for the same IP address using the local pool, so I decided to attempt to do DHCP instead (I have no idea why it keeps overlapping IPs; we have tons in the pool and they keep fighting for the same one). This just started about a month ago; we are only using maybe 3-5 IPs out of the /24 block. The only thing that has changed was we have hired more people, but we have separate groups for corporate vs operations team.
So, I set up the dhcp-network-scope for the subnet and the dhcp-server under the policies. I see the request going to the server, but it seems to be putting the ASA MAC into the Client Hardware Address field of the DHCP header. I have attached the PCAP from the ASA showing this.
View 7 Replies
Jun 11, 2012
We are attempting to PXE boot from clients obtaining their DHCP lease information from DHCP pools configured on our 4506. The PXE server, and the client are configured in separate VLANs. We have configured option 66 to point to the PXE server IP address, and the bootfile option to point to the PXE boot configuration filename. On the client side SVI, we also have configured the ip helper-address command to point to the PXE server (which also acts as another DHCP server for redundancy).
The PXE boot continuously fails stating it is unable to find the configuration file. If we remove the DHCP pool from the 4506, and allow the client to receive their DHCP lease info from the secondary server (Windows 2k8 - same server as PXE server), they PXE boot with no issues.
We have no problem obtaining DHCP info, just completion of the PXE process.
View 6 Replies
Mar 12, 2012
I have a Cisco ASA 5510 that was set up as a VPN server for working remote. I have disabled split tunneling so that all traffic created while VPN'd in goes through the ASA. The problem I'm having I believe would be resolved if I enabled split tunneling, but I would prefer another solution. Now, for the problem. When a user is connected via VPN, they can hit all intended devices, both public and private, except servers that have static NATs in the FW. So Server A has a public IP of 1.1.1.1 which is one-to-one mapped to the private address 10.1.1.1. Now if the remote user brings up a browser and goes to 1.1.1.1 it won't work. The FW gives me an error which is posted below. However, using the private IP of the server works. I thought about trying to manipulate DNS to resolve this, as the remote users are using URLs and not IPs when trying to reach these servers, but again, I was hoping I could resolve the NAT problem that the FW seems to be having.
Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src Outside:192.168.202.100/49238 dst INSIDE:1.1.1.1/80 denied due to NAT reverse path failure
192.168.202.x/24 is the remote VPN IP given via the ASA.
Here are some configurations on the ASA:
static (INSIDE,Outside) 1.1.1.1 10.1.1.1 netmask 255.255.255.255
access-list INSIDE_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_2 192.168.202.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
[code].....
Outside has 4.4.4.4 as the public IP; traffic gets dynamically NAT'd to Inside, which has the 10.1.1.x network on it. The ASA is running 8.2.
View 2 Replies
Feb 15, 2013
I have a school with 550 iPads. We are using two 5508 WLCs sharing the number of APs. The DHCP server and the default gateway for the network are on the firewall. The clients are able to get DHCP. After some time, maybe longer than a month, the clients are no longer able to get DHCP addresses. A reboot of both controllers takes care of this. Presently we are running the 7.2.110 OS. I am going to upgrade to the latest 7.4.100, and reload tonight.
View 1 Replies
May 22, 2013
I have two firewalls, one on the MAIN site and another on the BR site. I have configured RA VPN for both and I am able to access the internal networks of the respective firewalls. But the requirement is that I want to connect to the Main site through RA VPN and access the BR site internal networks through that connection.
View 4 Replies
Mar 15, 2011
What would be the change in the configuration of remote access VPN on an ASA 5540?
4|Mar 16 2011|15:26:01|713903|||Group = tesTGroup, Username = GSDc2gsIdc, IP = 5.1.9.9, Error: Unable to remove PeerTblEntry
3|Mar 16 2011|15:26:01|713902|||Group = tesTGroup, Username = GSDc2gsIdc, IP = 5.1.9.9,
[Code].....
View 3 Replies
Feb 6, 2011
I'm trying to set up remote access IPsec VPN on a pair of ASA 5540 without much success. I can connect with a client on the outside, and when I try to ping something on the inside I can see the ping requests reach the target but the answers don't come back to the VPN client. I've tried with different NAT rules without success.
View 3 Replies
Feb 22, 2011
Recently I have received one of my colleague's laptops that is running Windows 7. I have installed Cisco VPN client version 5.0.07.0290 on it and the VPN client appears to connect to our ASA5540, but we are unable to connect (remote desktop) to any machines on our network as it does on our XP laptops. Furthermore, we cannot ping any as well. Also, while connected the Windows 7 machine is still able to access internet sites as if split-tunneling was configured, which it's not.
But after some searching, I found from the "route print" output (shown below) that my local internet gateway is preferred over the VPN gateway, which is 10.10.4.1. Here 10.10.4.19 is the IP address assigned to the VPN adapter.
Network Destination    Netmask    Gateway        Interface      Metric
0.0.0.0                0.0.0.0    192.168.1.1    192.168.1.2    25
0.0.0.0                0.0.0.0    10.10.4.1      10.10.4.19     100
But after I manually add the below route on the Windows 7 laptop, it started connecting to remote desktop successfully.
route change 0.0.0.0 mask 0.0.0.0 10.10.4.1 metric 20
But after some time in the idle state, it is again going back to the original route state of preferring the local gateway of 192.168.1.2 and thus is unable to connect to Remote Desktop again.
View 3 Replies
Feb 23, 2011
Currently I'm experiencing intermittent VPN remote access disconnections on the ASA 5540. What is the reason for that? How do I start proper troubleshooting?
View 2 Replies
Mar 7, 2011
I have an ASA 5540 cluster that is configured as my remote access VPN point. Users connect using IPsec profiles with cert-based authentication; the profile is configured to query two DHCP servers (Infoblox appliance servers).
The problem I am encountering is that I need to make reservations on the DHCP server for some users for specific business needs. What happens is that the ASA passes the request to the DHCP server with its own MAC address and not the MAC of the remote host.
Is there any way I can configure the ASA to pass the request using the host's actual MAC address?
View 1 Replies
Oct 3, 2012
I am configuring IPsec Remote Access VPN on an ASA 5505. There is one external interface and one internal interface configured on the device. The internal interface is connected to subnet 192.168.1.0/24. When the VPN client gets connected, I would like to assign the IP from some subnet (for example 192.168.2.0/24) other than the current internal subnet (192.168.1.0/24), but the VPN client should still be able to access 192.168.1.0/24. Is there a way to do this?
View 2 Replies
Sep 16, 2012
I am having trouble getting DHCP working for a site connected using FlexConnect. Here is my setup. I have a single 5508 controller at one site using the 10.3.0.0 network. All APs at that site are in local mode and use the local DHCP server, 10.3.0.2. Everything works fine there. Each site uses a different SSID as well.
At my second site, 10.4.0.0, all APs there connect back to the controller at the site above and are in FlexConnect mode. The APs work fine and the clients work fine there, but they get an IP address on the 10.3.0.0 network instead of the 10.4.0.0 network. If I set up the SSID at this site to override the DHCP server settings and tell it to use 10.4.0.2, which is our local DHCP server, the clients don't get an address at all. Is this simply a matter of setting an IP helper address on the router where the WLC is located, or is there more to it than that?
View 4 Replies
Nov 28, 2011
Why am I not able to receive an IP address on a remote access VPN connection while I can get an IP address from the local DHCP pool? I am trying to set up remote access VPN with an ASA 5510. It works with the local DHCP pool but doesn't seem to work when I tried using an existing DHCP server. It is being tested in an internal network as follows:
!
ASA Version 8.2(5)
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.6.0.12 255.255.254.0
[code]....
View 3 Replies
Jan 15, 2013
Why am I not able to receive an IP address on a remote access VPN connection while I can get an IP address from the local DHCP pool?
I am trying to set up remote access VPN with an ASA 5510. It works with the local DHCP pool but doesn't seem to work when I tried using an existing DHCP server. It is being tested in an internal network as follows:
!
ASA Version 8.2(5)
!
interface Ethernet0/1
[Code]....
View 9 Replies
Apr 16, 2012
City A is the data center with 2 WLCs (CT2504-K9) and a number of APs. City B is a branch with MPLS between A and B. Right now the APs at City B have joined the controller. Users at B are getting IPs assigned from the DHCP server at City A. How do I configure the WLC so users can get IPs assigned from the DHCP server present at B? Option 43 is enabled.
View 2 Replies
Aug 16, 2012
The network scheme is this one: I have Lightweight APs distributed and a pair of WLC 5508s centralized. We use a pair of SSIDs for all the branches, namely Voice and Data.
All the branches have a local DHCP Win2k3 server, and the APs get their IP addresses correctly from the local DHCP, but the wireless clients obtain their IP addresses from the centralized DHCP server, because all the DHCP traffic goes through the LWAPP/CAPWAP tunnel to the WLC.
I want the clients to get their IP addresses from the branch DHCP. I have been reading and I think that we need to use H-REAP with local switching configuration and the correct VLAN mapping in the local switch and H-REAP for it to work the way we want. Is it correct? Is it possible that the client obtains the IP address from the local/branch DHCP server instead of the Local DHCP?
View 6 Replies
May 5, 2010
I have configured a remote access IPsec VPN on an ASA5510 and it is working fine when I configure local DHCP address pool assignment, but it is not working with dhcp-server.
Below is my configuration:
tunnel-group test type remote-access
tunnel-group test general-attributes
 default-group-policy test
 dhcp-server 10.1.1.200
tunnel-group test ipsec-attributes
 pre-shared-key *
group-policy test internal
group-policy test attributes
 dhcp-network-scope 192.168.135.0
 ipsec-udp enable
 ipsec-udp-port 10000
---snapshot Ping test to DHCP-Server 10.1.1.200----
ciscoasa# ping 10.1.1.200
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.200, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
The DHCP server is working when I assign IP addresses to the LAN network.
View 20 Replies
Mar 17, 2011
I have a DHCP server running in Windows 2003. Presently it's unable to provide IP addresses for VPN clients who connect remotely. What should I do / reconfigure in DHCP so that the DHCP server provides addresses for VPN clients?
View 4 Replies
Feb 12, 2013
I'm facing a DHCP lease issue and it's like this: Our Cisco 2951 edge router is configured with a local DHCP pool for a set of remote users when they connect through Cisco VPN, which was working fine until we planned to change it to a Windows box that is configured for DHCP. The basic idea now is to relay the DHCP requests that are coming from the remote clients through Cisco VPN to the Windows DHCP server. So we added the scope on the server and changed the client config on the router as follows (highlighted is the DHCP relay config). [code]
View 1 Replies
May 29, 2012
Is it possible to assign IP addresses to remote site WiFi users from a local DHCP server and forward all other traffic to the 2504 WLC?
[WIFI Users] >--------<AP (DHCP server) >------ VPN ---------< WLC
View 1 Replies
Jan 13, 2011
When I select Job Browser I get the following crash on LMS 3.2; the server has been restarted but I continue to get the error. [code]
View 4 Replies
May 1, 2011
I'm running a Cisco 891; it has both crypto maps and IPsec VTIs running on the external interface. The crypto maps are for sites that do not have a Cisco router and the tunnels are for the sites that do. The crypto maps work perfectly fine, but I much prefer using tunnels as it gives a routable interface, OSPF works, etc.
The tunnel interfaces will periodically fail (line protocol down) at no set interval, and they will then not come back up again. To bring them back up I either have to shut down and then re-enable the interface or run "clear cry ses rem *.*.*.*".
Logging with isakmp and ipsec errors provides the following:
55801: *May 1 10:31:16.015: ISAKMP:(0):Can't decrement IKE Call Admission Control stat incoming_active since it's already 0.
55802: *May 1 10:31:16.015: ISAKMP:
[Code].....
View 3 Replies
Nov 29, 2012
My VRF Collector job has started failing. I have attached the contents of the vnmcollector.log file after setting debug level to DEBUG.
View 1 Replies
Aug 5, 2011
I've got a fully working 877w that I'm trying to get to boot from TFTP, but I just can't seem to get that going. I have a TFTP server running and can copy images back and forth without any trouble. I have this in my config:
boot-start-marker
boot system tftp c870-advipservicesk9-mz.124-24.T2.bin 192.168.1.200
boot-end-marker
During the boot process I get an error message that says there is a missing or illegal IP, but I really don't see how that can be, as my TFTP server is 192.168.1.200 just like my config says.
View 16 Replies
Oct 3, 2012
My tunnel had been running fine for a couple of months. Now, not so much. Here is some debug.
View 6 Replies
Mar 31, 2013
Any issues upgrading the IOS on a 921 router? How can I create a certificate for the new IOS? I've never had to do this for other IOS 15 upgrades. I've confirmed the IOS is not corrupt, and if I upgrade the router in ROMMON the router boots correctly.
View 1 Replies
Mar 13, 2013
I'm preparing a lab and I have 2 ASA 5520s. I have configured them for failover so the Primary's config will replicate over to the Secondary. They are connected via a 3560 switch. The switch ports are configured as access ports on VLAN 1. Spanning-tree portfast is enabled.
Firewall (Primary)
Cisco Adaptive Security Appliance Software Version 9.1(1)
Device Manager Version 7.1(2)
Compiled on Wed 28-Nov-12 10:38 by builders
System image file is "disk0:/asa911-k8.bin"
Config file at boot was "startup-config"
[Code].....
View 5 Replies
Sep 4, 2011
Config collection is failing. In detail, it's a partial success (the config fetch succeeds but the archive fails).
View 1 Replies
Mar 20, 2012
I'm currently unable to upgrade certain devices since Cisco Prime incorrectly believes there is not enough room in the flash partition. For example:
I am getting the following error message trying to upgrade some Cisco 871 routers: "Catastrophic - SWIM1200: Selected Flash partition requires minimum (28 MB) to upgrade selected software/image." The images are around 18 MB in size. Why does Cisco Prime think it's 28 MB in size? Bug?
View 1 Replies
Jan 22, 2010
I have a rv016 that's been in 24x7 operation since I bought it a few years back. It is out of warranty. It is connected to three cable modems on WANs 1-3. Behind it are a bunch of PCs getting IPs via DHCP. There is a gateway to gateway vpn tunnel setup on wan3 to a rv082 at another site. There is a forwarding entry for http to an internal http server. Everything else is pretty much default.
The router is primarily used to aggregate bandwidth for uploading large numbers of photos. The systems behind the router initiate the uploads and the router automatically load balances the outgoing bandwidth.
This was all working fine until just recently. The ISP is Knology who is upgrading each of the 8m/768k cable modems to 25m/5m. They are also moving from DOCSIS 1 to DOCSIS 3. They are currently in the middle of this upgrade and have upgraded the modems to DOCSIS 3 as well as the speeds to 12m/2m. The problem is that the rv016 Network Service Detection, which is set to "Default Gateway" indicates that the modems fail randomly. Usually only one will be failed, but up to two will fail the Network Service Detection simultaneously.
Knology insists that there is nothing wrong with their modems. I have removed a modem from the rv016 when Network Service Detection indicates it is in a failed state and connected it directly to a computer. It will work, but it has a different IP address and default gateway. As soon as I connect it back to the rv016, it works there too, but on the original IP address and gateway. I've only tried this test twice so far, so it is a bit inconclusive.
Speed tests behind the rv016 are the same as directly connected to one of the cable modems. The router works normally as it has for years. Nothing else is acting funny.
So my question is, is the rv016 failing or is the ISP having problems?
View 17 Replies
Jun 4, 2012
Backup failed on 2012/06/03 at 22:02:52. REASON: Unable to proceed with the backup operation as some files are being accessed by jobs. Reschedule the jobs such that the backup job does not coincide with other jobs.
Randomly the backup for LMS 4.2 is failing. It has succeeded, but the majority of the time it's failing. I have tried changing times but nothing seems to work. Previously we were running 4.0.1 and had no problems with the backup time.
Just found the bug
CSCtz29665
View 14 Replies
Dec 4, 2012
I set up a connection from a laptop (Windows 7) that goes through a LAN proxy server to a secure FTP server (Windows Server 2003). The SFTP server is assigned a public IP address. I opened the firewall at the destination and allowed port 22 traffic to the SFTP server. Well, the connection is failing. I know for a fact the connection from the client laptop is making it to the SFTP server. If I issue this command on the client laptop:
telnet sftpserver 22
The DOS screen clears and tells me the type of SSH server I'm connecting to. While this connection is still active, I logged into the destination SFTP server and ran a netstat command. I can see the address of the proxy server in the "Foreign Address" column of the netstat results. I also can see the proxy server address when I look at the Application Log on the SFTP server, so I know the connection is making it to the SFTP server.
I believe the problem is the control port (return traffic) from the server back to the client. Something is being blocked or is misconfigured. I always thought the router negotiated the control port, and that the control port didn't need to be put into any firewalls.
View 1 Replies
Dec 16, 2012
For everybody else in the house the internet works fine on their devices; however, on my laptop and iPod it will often not allow me to connect for ages, but then it finally connects (without me changing anything).
View 3 Replies