Cisco VPN :: ASA5505 Crashes When AD Agent Is Unreachable

Mar 15, 2013

In my test lab I have used a 5505 running 9.1.1. I have set up a DC (2008R2) and then AD Agent. I have configured and used Identity Firewall rules, which worked like a charm. I have also used LDAP auth, which also worked fine. I then disabled all the rules but kept the identity firewall checked. Since it was a lab environment, I had to remove the DC for other tests. A few hours later the ASA initially was stuck. I used the console and I saw it could ping no one, not even directly attached PCs or the defgw (I was able to ping them before it got stuck). No ARP table either! The ASA did no NATing, so no xlate entries were available. Then I SSHed to it. I got a blank screen, and from the console I could see cpu-usage from ssh go to 20%. I opened a second ssh: nothing. Blank screen again. cpu-usage from ssh to 40% (overall ~50%). I opened a third ssh: nothing. Blank screen again. cpu-usage from ssh to 65% (overall ~75%). I issued reload from console! Nothing! It was trying to shut down! I issued reload quick -> that is when the console was lost!! I had to unplug it.

The DC that was removed was also the DNS for the ASA. The only log message I could see before it got stuck was "AD Agent is out of reach". I have tried this 4 times. Always the same. 100% reproducible. I disabled the identity firewall -> no problem! It worked for days. 100% reproducible. I downgraded to 8.4.5 --> the same for both above actions.


Cisco Firewall :: Botnet Filter Crashes ASA5505

Feb 27, 2011

I have a problem with my ASA5505: after enabling botnet filter my ASA reboots. Also, while booting it usually takes around 30 minutes of random cycles before loading the OS. It seems to be failing at the license check. To fix the boot I usually unplug the ASA for about 15 minutes and then it will boot up fine.


Cisco AAA/Identity/Nac :: Remote Agent With ACS 4.2

Mar 18, 2013

We have ACS 4.2.0.124 running with remote agent installed on a Win 2003/32-bit Ent server. Now we are facing an issue where logs (daily backup) from ACS to the Remote Agent are not happening properly. We usually get logs of around 1 MB every day in the remote agent, but sometimes we are getting 1 KB continuously until the services are restarted in ACS manually.


Cisco :: Endhost Unreachable With LMS 4.1

Jun 9, 2013

After reconfiguring my LMS 4.1 from SNMP v2 to SNMP v3 the endhosts aren't reachable anymore. Before configuring SNMP v3 I purged the endhost database in order to repopulate it. After the jobs ran, no endhost could be added to the repository. It just says unreachable.

Could it really be an SNMPv3 issue? Everything else is working as before. I'll have to go back to SNMP v2.


Cisco Security :: Use NAC 4.8 Web Agent Login With Ipad?

Jun 13, 2011

I'm using NAC 4.8, and I'd like to log in using NAC Web Agent on an iPad. When I'm trying to do that, I'm receiving a message on the iPad that I need to install the Java Plug-In, but there is no Java Plug-In available for iPad. Is there any additional configuration that I have to do on NAC Manager to be able to access the network using NAC Web Login on iPad?


Cisco AAA/Identity/Nac :: ISE 1.1.2 - Agent Customization Package?

Dec 27, 2012

I have created a NAC Agent Customization Package and successfully uploaded the 'custom.zip' file to Policy>Policy Elements>Results>ClientProvisioning>Resources.

However, when I try to edit my Client Provisioning Policy and select AgentCustomizationPackage, my custom package doesn't appear on the drop-down list, so I'm unable to select it!


Cisco :: How To Register WLC5508 As SNMP Agent For CAM

Jul 6, 2011

I am implementing Cisco Network Access Control with Wireless Controller 5508 (WLC5508 below). Could you tell me how to register WLC5508 as SNMP Agent for Cisco Access Manager (CAM below)?
 
[System Information]
IOS version of WLC5508: 7.0.98.218
Version of CAM: 4.8.0

[Code]....

I succeeded in registering WLC5508 by using the IP address of the Service Port on the CAM Web Console. But WLC5508 has only one Service Port, which has no redundant port. I want to register it by using the Management Interface, which has a backup port. It is also desirable to implement redundancy of the Service Port if possible.


Cisco AAA/Identity/Nac :: NAC 4.9 Agent Constantly Pops Up

Jul 30, 2012

We have a working L2 OOB VG deployment. The NAC agent pops up, then says it has granted full access. The issue is that about 45 seconds later it pops up again, then says it has granted full network access. Then it does it again, etc. The CAM thinks things are fine as it just keeps adding the user to the OUL.


Cisco AAA/Identity/Nac :: Upgrading ACS 4.1 SE And Remote Agent

Mar 20, 2012

Presently we are upgrading the existing domain controller to Windows Server 2008, R2 Standard Edition.
 
I'm a bit confounded by the information available for the upgrade scenarios. Listed below are the present working versions.
 
Cisco ACS SE - Release 4.1(1) Build 23 Patch 5
Cisco ACS Remote Agent version 4.2(0.124)
 
As the new operating system is going to work on 64 Bits, I think the existing ACE SE and remote agent may/should be upgraded.
 
Based on my existing versions, provide the possible upgrade scenarios available for me. After upgrading, SE and Remote Agent should be working for 64-bit OS.


Cisco :: ASA Unreachable Along With Hosts Connected

Jun 17, 2011

So we have a Cisco ASA 5505. Once a day now (random times) it will suddenly be unreachable along with the hosts connected. If I console in and ping a host from the ASA, suddenly it becomes reachable from the outside world again. My job prohibits me from posting the configuration online.


Cisco :: LMS 4.0 All Of Devices Showing Unreachable

Aug 20, 2011

I am running Cisco Works LMS 4.0 on Windows 2008 Enterprise Edition with SP2. I am facing 2 issues, which are below:

1. I get the message "You are using unsupported Version". As per the Cisco document, Windows 2008 Ent edition is supported by LMS 4.0.
2. All of my devices are showing unreachable. I already double-checked the device credentials, including SNMP (Read and Write community) and usernames and passwords. I can access all devices via telnet from the same Cisco Works machine.


Cisco :: Devices Showing Unreachable In LMS 4.2

Jan 31, 2013

I have discovered my switches in LMS but it is showing unreachable. What can be the reason?


Cisco AAA/Identity/Nac :: ISE2 - NAC Agent Failing To Popup

Jun 24, 2012

I have two ISE appliances installed in a distributed deployment (primary "ISE1" and secondary "ISE2"); each node has the three personas installed on it. The servers are registered together and the replication is working properly between the nodes. When we are working on the first node everything is fine. If I try to disconnect ISE1 and do my tests on ISE2, the Cisco NAC agent doesn't pop up unless I uninstall it and reinstall it again from ISE2. Then it will work properly.


Cisco AAA/Identity/Nac :: 5525 Ignoring Users Using AD Agent

May 13, 2013

It's been a while since I configured a Cisco firewall (PIX 6.0, SDM). I've now been thrown in the deep end with a pair of 5525-X's (latest software) and I need to achieve the below: Websense integration (got this working); AAA authentication for various outbound traffic routes. I'm using ASDM as I'm more comfortable with the GUI than CLI (I'm the other way round with switches!!!). I have AD Agent configured but the ASA isn't doing anything based on user name, but I have a few other things to try. What I'm trying to achieve now is ignoring certain user names from being matched to IP addresses, as I believe that this may have something to do with it. We use Sophos AV and each PC requires a service account to run Sophos under. Each update that Sophos attempts is seen as a login and that is the user attached to the IP address of the machine. Within Websense, it can be told to ignore certain users for purposes of filtering and reporting etc., but I don't seem to be able to do this with the AD Agent.


Cisco AAA/Identity/Nac :: Clean Access Agent With NAC V 4.7.2 And Windows 7?

Nov 15, 2011

I have done an ADSSO config, following all the steps in the guide with the specific steps for Windows 7 to modify the krb.txt and the strattomcat. I restart services and activate the "Enable Agent-Based Windows Single Sign-On with Active Directory (Kerberos)" option on the NAM. Then the ADSSO service starts on the NAS. I modify the local policy according to the guide, allowing all encryption except the one for future use. Then the NAC client says "User unknown" contact your network administrator.


Cisco Security :: 4.7.2 / Nac Agent Requirement Type Audit?

Feb 7, 2011

I can configure a requirement type as audit (as opposed to mandatory or optional), so the client will still access the network, the user will not be notified, and the information will be sent to the CAS. Is it possible to generate an email or similar automated process to notify administrators of these audits?
 
(version in use 4.7.2)


Cisco AAA/Identity/Nac :: ACS 4.2 Remote Agent Compatibility (2008 R2 DC)?

May 7, 2012

I have been doing a bit of reading on the ACS 4.2 remote agent compatibility with Windows 2008 R2, and it seems like the only way out is to upgrade the ACS to 5.2. We have Cisco ACS 4.2 SE and if I install the Remote agent on a Windows 2003 member server instead of the 2008 R2 DC.


Cisco AAA/Identity/Nac :: Download Clean Access Agent 4.8.2

Jan 14, 2012

I have two NAC appliances version 4.8.2, one Manager and one Server. I want to know if the “nacagentsetup-win-4.8.2.1.tar.gz” software exists in my appliance or its CD or not? Should I download it?
 
When my client wants to download the software by clicking on “download Clean Access Agent 4.8.2” button this error appears “Failed to download (states=-2)”. I guess I should upload the software first but I don’t know how or where it is?


Cisco Security :: Clean Access Agent 4.0.5 Certificate

Feb 9, 2011

We have NAC 4.0.5 and a Windows Active Directory domain. The clients log on to the client to access the network with their domain credentials, and they used to get the "Certificate is issued from an untrusted." until I installed the url.. certificate to the local certificate store.
 
I seem to have done something on the NAC manager that messed something up, because now the client considers the certificate issued from a trusted source, BUT there is a warning stating that the name on the certificate does not match the name.


Cisco AAA/Identity/Nac :: Remote Agent For ACS For Windows 2008 R2 64-bit?

Jul 17, 2012

We are having difficulties with installing remote agent on a Windows 2008 R2 64-bit server and got the attached error.

Our ACS is 4.2.0.124 and the remote agents we tried are: Remote-Agent-ACSse-win-v4.2.1.15-K9.zip and Acs-4.2.1.15.9-RA.zip.
 
[code]...


Cisco AAA/Identity/Nac :: Windows Remote Agent For ACS 4.2 Appliance?

Jun 7, 2011

The problem is that I had configured the ACS appliance with a remote agent to integrate with Microsoft Active Directory, and I installed that agent on one of our domain controllers and it is working fine.

When I installed another agent on another domain controller and added it to the ACS server, it appears that the remote authentication service is working on it, but when I try to make the new agent the primary and the old one the secondary from External database configuration, all the domain users are authenticated but only to one group, which is configured in Unknown User Policy. It appeared like it can't read any more groups from Active Directory.


Cisco AAA/Identity/Nac :: ACS Remote Agent 4.2.1 On VMWare Server?

Jul 17, 2011

It's possible to install ACS Remote Agent 4.2.1 on VMWare server. Is it supported by Cisco? Do you have any experience with running the remote agent on VMWare servers?


Cisco Firewall :: 8.4(2) Upgrade Standby IP Unreachable

Oct 18, 2011

I'm having an issue where when I upgrade from 8.2(5) to 8.4(2) on an active/passive asa 5585 running in transparent mode I can no longer reach the standby ip. The BVI interface appears to be created properly, the device IP and standby IP are listed in the config under the BVI interface and my inside and outside interfaces are both joined to BVI1-group. 


Cisco Switching/Routing :: 1941- Ip Next Hop Unreachable

Sep 11, 2012

I have a strange behavior and a simple problem. I configured the following static route:
 
ip route 10.84.22.0 255.255.254.0 10.84.23.254
 
That I advertised in eBGP:
 
router bgp 65000
network 10.84.22.0 mask 255.255.254.0
 
The IP next hop 10.84.23.254 is cascaded on my customer LAN. At nominal time the router advertised the route in BGP:
 
pjnb1376#sh ip bgp nei 57.213.169.169 ad
Next Hop            Metric LocPrf Weight Path
*> 10.84.22.0/23    10.84.23.254             0         32768 i

When the LAN interface of the router goes down, the router still advertises the route!!! Even if the IP next hop 10.84.23.254 is not reachable anymore....
 
The box is a Cisco 1941 using
1900-universalk9-mz.SPA.151-4.M1


Cisco Switching/Routing :: 888 And 878 Router Unreachable?

Dec 13, 2012

The problem is that the routers are not reachable from the corporate LAN after some time. Pinging the router's IP is not working anymore. When the network cable is unplugged and plugged in again the routers are responding again. The same applies when I connect my laptop to the router. The interface is responsive right after I connect the cable. Also other devices on the network can ping the router. But after a few hours or sometimes 1,5 day the router is unreachable from the corporate network.

The problem first started a few weeks ago. The configuration did not change. The router 878 was not responding, and after changing all the cables and connecting it to another switch the problem remained. So I suspected a hardware failure and bought a replacement 888. After configuring the 888 it showed the same behaviour as the 878 router. The DSL connection is working all the time. I can even set up a VPN connection to the router and start a telnet session. Then I can ping the internal IP of the router, but pinging another device is not working.

What I noticed after the command sh int vlan1 is that the last input counter keeps increasing. What's causing this, or how do I debug it?


Cisco :: Controller Unreachable In WCS 7.0.172.0 After Code Upgrade?

Sep 13, 2011

I have one instance of WCS 7.0.172.0 (on a Linux host) and a fleet of WiSMs that I'm upgrading from 7.0.98.0 to 7.0.116.0. Every time I run through the upgrade process from within WCS (scheduled to run overnight, off-peak hours) all of the controllers that were upgraded then show as "unreachable". Grepping through wcs-0-0.log shows messages that the controllers are unreachable via SNMP, but running an "snmpget" from the command line to any of the affected controllers works just fine. The only way I've found to remedy this is to stop and restart the WCS service. Considering how long that takes with my deployment... I'd rather not do that every time.


Cisco :: AIR-1142 AP - LWAPP In LMS 4.1 Is Showing Unreachable

Feb 5, 2012

I added a Cisco AIR-1142 AP, which is registered with WLC 5508, to LMS 4.1. After restarting the AP, the status in LMS is showing as unreachable. I am not able to save the configuration in the AP and also not able to add SNMP parameters. What is the issue, or what is the normal procedure to add a LWAPP in LMS?


Cisco Firewall :: ASA 5500 And ICMP Unreachable

Jun 27, 2012

Is it really the case that the ASA will not generate ICMP Host Unreachable messages for subnets connected to any of its interfaces (in breach of RFC1812) as claimed here: [URL]

I'm investigating a situation where an organization uses ASAs to control traffic between different VLANs in their internal production systems as well as Internet traffic. They are having problems with internal load balancing because the ASAs do not (as currently configured) generate Host Unreachable packets. Can this be changed in the configuration or not? I have to say, if it can't then I'd urge them to find something else to route between their internal subnets.


How To Configure DHCP Relay Agent And How It Works

Jun 17, 2012

How to configure DHCP relay agent and how it works


Broadband :: Reply 192.168.1.1 Destination Net Unreachable?

May 12, 2012

I have 9 computers, 1 Prolink modem/router H5200 and a TP-Link switch. For 3 months my connection was quite good, but in the 4th month it started to show Reply 192.168.1.1 Destination net Unreachable. I called up a technician from the network. He changed my modem/router with the same model and it ran for an hour... 5-6 hrs. Then the problem started again: it begins to ping Reply 192.168.1.1 Destination net Unreachable. Before, I configured my TCP/IP automatically, but now I am trying to set it manually. My modem/router starts with 192.168.1.1, my first unit starts at 192.168.1.2, and so on.


Cisco Firewall :: ASA5510 - Adding New Custom Client To AD Agent?

Feb 1, 2012

We're currently evaluating how we can attach our web-based business application to the AD Agent in order to perform Single Sign-On against it. Our users are connecting via VPN to an ASA 5510 which is configured to use our Active Directory for authentication. After access is granted the users may access a web server with our business application and should be automatically logged in there without having to re-type their credentials.


Cisco Firewall :: Configuring Ad Agent On Windows Server R2 2008 SP1 RUS?

Jul 9, 2012

I want to configure AD Agent on Windows Server 2008 R2 SP1 with all needed patches installed. When I try to connect to the DC with adacfg dc list, the status is UP. The ADOBserver's log doesn't show any errors. But when I try to run the command "adacfg cache list", the result is empty. What may be the problem? Perhaps it is related to the language of the OS?


Cisco Switching/Routing :: 2921 DHCP Relay Agent

Jun 30, 2012

I have a 2921 with 4 segments: [code] My DHCP server is 172.16.5.2 and I need to serve clients from 172.16.2.0/23 by MAC address and only to that segment.

View 2 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved