Cisco VPN :: ASA 8.4 - Limit IPSec User Traffic Volume

Nov 22, 2012

Is there anyway to limit a user's traffic volume on ASA8.4? if there is, how?

View 3 Replies


Cisco VPN :: ASA 8.2 - Site-to-Site VPN Stops When Traffic Volume Rekey Reached

Jan 12, 2010

We have several site-to-site IPSec VPN's setup.

All are running on ASA's 8.2(1).

All have a Security Association Lifetime (Time) of 8 hours.
All have a Security Association Lifetime (Traffic Volum) of 4608000 KiloBytes.

We have an issue when we do Oracle logshipping between the sites.

This triggers the Traffic Volume rekey as can be seen by this entry in the logs: -

%ASA-7-702307: IPSEC: An inbound L2L SA (SPI= 0x169FA1C1) between and (user= ) is rekeying due to data rollover.

However it does not appear as if the renegotiation is occurring properly. Within 10 to 15 minutes data stops being transmitted along the link, even though the IPSec tunnel still appears up in the ASDM GUI.

The 'fix' for this is that we are using is to login to the ASDM GUI and bounce the link by going to Monitoring => VPN => VPN Statistics => Sessions => IPSec Site-to-Site. Then select the appropriate VPN tunnel and click on 'Logout'. This forces a link renegotiation which works fine.

I have attached a logfile from the local ASA (there's nothing in the logfile of the remote ASA until we bounce the VPN tunnel).

View 10 Replies View Related

Cisco Firewall :: Traffic Limit For Internet Traffic Usig ASA 8.2

Nov 27, 2012

I am testing limit bandwith using my ASA 8.2, i am trying to limit internet access for certains users , i order to save Bandwith for the important things but i can´t get any limitation  
My configuration is the following, the acces list is just for my pc in order to test, and the service policy is  applied to outside interface (called internet in my case)  for incoming traffic
access-list Internet_mpc_1 extended permit ip host any class-map Internet-class-TEST match access-list Internet_mpc_1 policy-map Internet-policy-web class Internet-class-TEST police output 1024000 1500
service-policy Internet-policy-web interface Internet
With show service policy i can´t see any activity on the policy , but if i do a similar configuration for inside interface outgoing traffic i can see packets allowed and dropped

View 3 Replies View Related

Cisco Wireless :: Allow User To User Traffic On WLC 5500?

Nov 21, 2012

Is it configurable to allow wifi user to user traffic on WLC 5508?

View 4 Replies View Related

Cisco :: LMS 4.2.1 - Limit Local User Access?

Nov 14, 2012

I want to limit a local user's access to some specific groups of devices. In Role Management Setup I can define which service they can access, but I want to restrict it to a specific device as well.

View 3 Replies View Related

How To Limit Speed Of Wireless User

Oct 22, 2011

How can I limit the speed of the wireless user.(I am using lan connection).

View 8 Replies View Related

Cisco VPN :: ASA 5505 IPSec SA Limit?

May 2, 2012

I am trying to replace a 1751 IPSec VPN that connects a single LAN behind the 1751 to ~45 remote networks behind a single peer.  There are a small number of workstations (~50) and low throughput (< 1MBps) across this VPN, the biggest trouble is the number of remote networks needed.
I have tried to connect an ASA5505 Security Plus in place of the 1751 and am able to get Phase 1 and Phase 2 up, except I don't get all of my ipsec sa's and can only pass traffic to some of the remote networks.  Does the 25 IPSec limit apply to multiple sa's one one peer, I've only ever seen it spoken of as a 25 peer limit?  

View 4 Replies View Related

Limit User Bandwidth Via Cable Modem?

Feb 10, 2012

The rest of us use wifi for our internet services but this isn't good enough for are newest member so they have now connected a cable directly into the modem, so now whenever he is online ALL wifi suffers dramatically! What can i do to limit his bandwidth and allow the wifi to gain more access is there a way to limit via his MAC address or IP address?

View 3 Replies View Related

Cisco Security :: ASA 5520 - VPN Client Remote User Limit

Jun 16, 2012

how many remote user connect using Cisco VPN client on Cisco Firewall ASA5520-BUN-K9? Already i read VPN Client FAQ But their have no information about user limitation.

View 1 Replies View Related

Cisco WAN :: 3900 The Actual Limit On The Number Of IPSEC

Nov 16, 2010

Any actual limit on the number of IPSEC SAs  that can be negotiated on the crypto module of a 3900 series G2 router?  When I issue the command on a 2900 G2,This implies the 2900 series can handle 1800 IPSEC tunnels with an SA used for each direction.  All of the documentation and support requests have stated that the crypto module is better than the AIM module in the older series routers but I have been unable to get a concrete answer to the limit.

View 21 Replies View Related

Cisco VPN :: DS3 - Limit Number Of Active IPSec Connections Per Host

May 18, 2011

I have a hub and spoke network with over 100 remote sites that connect to me via ipsec vpn. One of these locations, the only one using FIOS coincidently, is initiating 200+ tunnels back to my side which is causing saturation issues on my DS3. (I can post config if requested), and how can I limit the number of active tunnels it's establishing?

View 1 Replies View Related

Cisco Switching/Routing :: 3560 - Limit Bandwidth For Specific User On Switch Or Router?

Jan 24, 2013

configuring a switch or a router to limit the bandwidth for a specific user/IP when need it. Most of my remote offices are configured like this:
Users ------ 3560 switch ------- 2801 router -------- T1 to NOC -------- 7204 router with channelized DS3
I use Netflow Analyzer for high bandwidth usage alerts and can see the user's IP right away when someone is clogging our T1s. My goal is to be able to temporarily limit the bandwidth of the user taking over the T1.  Whatever is best switch config or on the router.

View 2 Replies View Related

Cisco Wireless :: 3502 - WLC User Rate Limit On Guest SSID Anchor Controller

Jul 30, 2012

We have been deploying 3502 APs remotely to locations with full T1s that backhaul to where I sit at HQ. Both the foreign and anchor controller are here at my location.
I am seeking to rate limit per user the bandwidth each client will get on the guest internet ssid. As you know this traffic is encapsulated in capwap between the AP and the controller so I cant use a standard ACL on the switch or router.
We are trying to keep the guest internet access usage in check on the T1 at any given site so the other ssid's & local lan traffic is not overly competing for the bandwidth.
I found the place to edit the default profiles in the controller but the documentation really isnt clear on best practices.
So I put it to you my fellow wireless engineers to suggest how you are implementing bandwidth management on your wireless guest internet.
Oh and here is my hardware & software levels.
5508wlc - forgeign
4402wlc - anchor
Software Version7.0.230.0

View 3 Replies View Related

Cisco VPN :: 881 W Limit VPN Traffic From Single IP

Jul 27, 2011

I have just set up a 881W appliance for a satellite office. At this time, we don't need a site to site vpn. However, I have EZVpn configured on it and working great so that I can connect from our main office for admin purposes. How can I setup up a firewall rule/policy in order for only our main office IP to connect to Ezvpn? I don't want to allow access to the VPN from any other IP other than our IP at our main office.

View 2 Replies View Related

Cisco Switching/Routing :: 4500 - STM-4 (622) / How To Limit FTP Traffic

Mar 10, 2012

I have the attached setup. now i would like to limit my ftp transfer to 10 mb  from a specific vlan to ftp server on the STM-4 (622) link.  what would be the best way to limit ftp traffic to 10 mb .
following is  my switch deatils
Video_Main#sh verCisco IOS Software, IOS-XE Software, Catalyst 4500 L3 Switch Software (cat4500e-UNIVERSAL-M), Version 03.02.00.SG RELEASE SOFTWARE (fc4)Technical Support:

Cisco IOS-XE software, Copyright (c) 2005-2010 by cisco Systems, Inc.All rights reserved.  Certain components of Cisco IOS-XE software arelicensed under the GNU General Public License ("GPL") Version 2.0.  Thesoftware code licensed under GPL Version 2.0 is free software that comeswith ABSOLUTELY NO WARRANTY.  You can redistribute and/or modify suchGPL code under the terms of GPL Version 2.0.  For more details, see thedocumentation or "License Notice" file accompanying the IOS-XE software,or the applicable URL provided on the flyer accompanying the IOS-XEsoftware.


View 2 Replies View Related

Cisco Firewall :: 881 - Limit All Traffic Except DHCP To Self Zone?

Dec 22, 2009

On router Cisco 881 with ZBF I have dedicated VLAN for AP connection. AP is getting IP address from router dhcp server, I would like to limit all access to Router "Self" zone to only DHCP traffic if possible. How to limit all traffic except DHCP to self zone?What ever I do to traffic to/from self zone I must always specify last statement as "class class-default/inspect" and not drop as I would like to. 

View 5 Replies View Related

Cisco Switches :: FS-300-24 QoS To Limit HTTP And HTTPS Traffic

Apr 20, 2011

Never seen a Cisco, or any other L3 switch before. Nor an Lx router. Any step by step,or class room or web based training, or a partner or Cisco helper to get us up to speed on this.Goal is to limit http and https traffic in favor of telnet to an AIX server and RDP to a Windows TS. Printing would be ahead of http/s and below the others.
Interstingly, the web site promises 9 videos, but there are only 8.  The demo guide says about OoS:  "Coming Soon".Where to go? Who(m) to call?

View 6 Replies View Related

Cisco :: Assign Static IP To IPSec VPN User In ASA 8.2?

Nov 29, 2011

I want to assign static IPs to users that login to IPSec VPN using Group Authentication in ASA 8.2.  The authentication through a Windows RADIUS server.  Right now, they are connecting just fine and pulling an IP from the pool I have configured in the IPSec policy. 
What would the best way to assign static IPs through VPN?

View 1 Replies View Related

Cisco Switching/Routing :: Rate Limit Traffic In 3560

Oct 20, 2011

I am using Cisco 3560 as distrubution switch and want to limit port 445 traffic on 1 MB and applied rate limit statment on Gi0/1 port but switch unable to limit said traffic.rate-limit output access-group 120 1024000 128000 128000 conform-action transmit exceed-action drop.

View 25 Replies View Related

Cisco Switching/Routing :: 6513 - Rate Limit And Traffic Shaping?

Mar 21, 2012

I am looking for step-by-step configuration on how to enable rate-limit and traffic shaping on Cisco 6513 vlan interfaces.  I am not able to find this particular document on CCO.

View 3 Replies View Related

Cisco Switching/Routing :: 800 Series - Limit Monthly Traffic On 3G Access

Oct 29, 2012

Is it possible to configure a limit on monthly traffic over a 3G access on a Cisco 800 Series?
The scenario is that a customer has a Cisco 800 3G routers with a 3G card from a Service Provider, that offers a rate for X Mbytes per month and that when those monthly X Mbps are exceeded, a differente rate (much more expensive) is applied for the excess traffic that month. The customer would like to have the router NOT to active the 3G access when the X Mbytes (on that month) are exceeded. Maybe this is possible to implement using a TCL script and ip accounting?

View 1 Replies View Related

Cisco Switching/Routing :: 6509 QOS To Limit Bandwidth For Internet Traffic

Nov 5, 2012

We run a workers camp here and we currently have around 2500-3000 people using our 100MB internet pipe.  We are upgrading the pipe to 200MB soon but I still would like to limit how much bandwidth everyone is using.
We allow streaming media such as Netflix, youtube, apple TV and of course .So it gets full pretty fast.  We have QOS implemented although I wasn't here when it was done so I don't know a lot about it.  I would like to limit IPs to a certain amount of bandwidth. [code]

View 1 Replies View Related

Cisco WAN :: 1921 - Traffic Control / Packet Priority And Bandwidth Limit

Nov 29, 2011

We have 3 sets of applications. The first does not require much bandwidth but is very critical, the other two is more bandwidth consuming but less critical. I would like to know if it's possible to reflect this priorities on the router configuration. Is it possible to set the ports 10000, 10001 and 10002 of the external IP have higher priority to be handled, for example? Also, is it possible to limit the bandwidth that goes through a set of ports?
I must prevent the 2 sets of less critical applications to strugle the critical ones. What router can provide this capabilities? Is the 1921 able to do this job?

View 2 Replies View Related

Massive Upload Volume - Analog X Net-stat Shows 0

Oct 30, 2011

For 10 days, I have had massive upload volumes (2 - 7 GB) per day on my home network, not sure why. I am not downloading streaming video or any videos. We have several computers on our network, and I am not sure which one is diong all of this uploading. So, I installed AnalogX Netstat version 2.15 to monitor the stats on my computer, and it shows all totals for incoming and outgoing are "0kb", which I know isn't true.Why isn't it measuring my transmission? I am running Windows 7.
It shows local machine IP x.x.x.x, device All TCP/IP devices, and "remote" worked - I was able to ping url..successfully. But no stats are being measured at all. Not even CPU usage.

View 1 Replies View Related

Cisco Switching/Routing :: How To Limit Broadcast Traffic On 3560 Switch Port

Dec 17, 2012

How do I limit broadcast/mulitcast traffic on a switchport to e.g. 5000 pps ? I don't want the port to shut down, just block or drop broadcast traffic that exceeds 5000 pps.

View 19 Replies View Related

Cisco Switching/Routing :: 3560 - Traffic Only Can Achieve Half Of Limit Bandwidth

Jul 15, 2009

I use WS-C3560G-24TS and try both ios 12.2.50.SE1 and 12.2.46.SE but problem the same. The config as following,
interface GigabitEthernet0/1
no switchport
ip address
but I find the int g0/1 output traffic only can achieve about 500kbps then I try config below,

interface GigabitEthernet0/1
no switchport
I find int g0/1 output traffic only can achieve about 5Mbps,but if I change "srr-queue bandwidth limit xx" command xx to 20-90,the int g0/1 can achieve normal traffic bps, for example,

interface GigabitEthernet0/1
no switchport
the int g0/1 output can achieve 2Mbps that is correct,just only when limit set to 10%,the traffic only can achieve half of limit bandwidth.

View 5 Replies View Related

Disk Space - Reduce Administrative Effort And Minimize The Chance Of Volume Failure?

Mar 1, 2012

One of the file servers in your office is running out of space on the D: volume. There is unallocated space available on the same disk as the D: volume, as well as on other disks.What option should you choose to reduce administrative effort and minimize the chance of volume failure?

View 3 Replies View Related

Cisco :: IPSec VPN Not Forwarding Traffic?

May 25, 2011

why my VPN setup is not working correctly. The device is an ASA 5505 running IOS version 8.2. It has a license for 2 SSL VPNS, and 25 IPSec VPNs. The previous Admin had set up both but only the SSL VPN apparently works. I attempted to set up my own IPSec VPN using the ASDM wizard, with an IP range of I am connecting from a Mac, 10.6. My local network (home) is a standard; the remote networks are and I tried connecting using the built-in Snow Leopard client, and although it said I was connected I couldn't actually contact anything on the corporate LAN.\

View 3 Replies View Related

Cisco VPN :: Configure IPsec L2L To Allow Only One Way Traffic

May 9, 2011

We have a business need that we have to set up a IPsec L2L tunnel (from multiple locations) to a business partner, we require that the connection can only be initiated from our side, not business partner side. I searched the web, one option is configure our side ASA to initate IKE only, this does not seem to meet our requirement, because once IPsec SA is up, IP layer traffic will flow freely in either direction; the other option people suggested is to use VPN filter in tunnel group policy, but the documention of how to use this vpn-filter to enforce one way traffic policy is not crystal clear to me;  I actually configured reflexive ACL on core L3 switch before the traffic hits ASA to reflect/evalulate specific traffic to businness partner's LAN network, that worked well. However one of our branch office's core L3 switch is Cat4K which does not support reflexive ACL with the image it is currently running, so I am stuck again .

View 1 Replies View Related

Cisco VPN :: 877 - IPSec Traffic Is Only Initiated From One End

Apr 27, 2013

I have configured the IPsec vpn between Cisco 877 and ISA server which is working fine and ok. But the issue is I have multiple subnet on the TMG "Treat Managmenet Gateway" side and only one subnet on the Cisco 877 side. I can only sending some subnet's traffics from Cisco 877 through the vpn tunnel to the other side which is TMG server and I have recieved teh timeout request for the rest of teh subnets.
However, if I initiated the ping from inside the ISA with different sources , I can reached the Cisco 877 and from then I can be able to send traffic.
So, the tunnel is up and active but it should be initated from ISA server to have a full connectivity. 
Here is the IP sec configuration on Cisco side:
crypto isakmp policy 1
encr 3des
authentication pre-share


View 1 Replies View Related

Cisco VPN :: C1841 -Traffic Won't Go Via IPSec

Jul 26, 2011

I have C1841 as EZVPN server and remote C1841 as EZVPN client. Connection between them is providers L3 VPN, so it is not over the internet. IPSec tunnels go up with no problem. Client is NEM. Problem is that traffic won't go via IPSec. No packets are encapsulated. I want all trafiic to go via tunnel, no split tunneling here. On client side Dialer0 is outside interface, since L3 VPN is over ADSL. On server's side I have only one interface connected to corporate network. Peer address is server's loopback address.

After IPSec is up, server gets remote subnets as static routes and redistribute them to OSPF. That part works fine, but remote site's traffic doesn't flow over IPSec to the coorporate LAN.
Could be TCP MSS or something like that?
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2

View 2 Replies View Related

Cisco VPN :: ASA Or 871 IPSec L2L To SSG-140 - Tunnel Is Up But No Traffic

Aug 8, 2012

i am curently troubleshooting a ipsec l2l VPN between
1. ASA 7.2(4) to SSG-140
2. Cisco 871W to SSG-140
In both scenario's the tunnel is nicely established, and traffic goes into the tunnel, but nothing comes out. All encap's, but no decap's                    
It seems like a routing issue, but we can not find anything on both sites.
So maybe i m running into a (known) issue between cisco VPN equipment and the SSG-140?
Could it be a proxy-id issue? Cause they configure stuff like and i configure

View 7 Replies View Related

Cisco VPN :: 881 / Route Traffic Thru IPSec Tunnel To DMZ

Jun 29, 2011

I need to route traffic to DMZ (and internal) from the branch office thru the IPSec tunnel. How do I manage that with my Cisco 881?

View 1 Replies View Related

Copyrights 2005-15, All rights reserved