Cisco VPN :: ASA5505 Error Processing Pay Load
Sep 12, 2011
Having been able to get a basic IPsec VPN (with userid/password) connection to work between my Cisco ASA5505 and iPad over the Internet, I now am trying to introduce a digital certificate in the authentication VPN mechanism. However, I am getting an "Error processing payload: Payload ID: 1", as seen on the Real time log viewer of my ASDM 6.2. This is what I did on the 5505 ASA to create a digital certificate:
1) Go to Configuration -> Remote Access VPN -> Network (Client) Access -> IPsec Connection Profiles and using the DefaultRAGroup profile I exported the Identity certificate (previously created) as PKCS12 with an appropriate passphrase/password.
2) I then created a new connection profile on the iPad using the CISCO ASA exported identity certificate. And unfortunately the connection fails, with the above message.
I would like to know if I am on the right track thinking I can use the CISCO identity certificate on the Client computer. The identity certificate is RSA 1024 bits and is self enrolled. I have not enabled the CA Server in the Local Certificate Authority of the ASA 5505; I wonder if I have to.
Dec 20, 2011
This only happens at one location. All the other locations are working; the difference is this location goes through the firewall. If I bypass the firewall at this location it works.
Mar 12, 2012
I have a new install of LMS 4.2 on a virtual appliance. No syslog messages are getting into LMS. They are being received by the server, but are showing up in /var/adm/CSCOpx/log/dmgtd.log, and aren't getting processed by SyslogAnalyser.
Jun 18, 2012
I am coming to this forum because TAC and several CCIEs are having trouble finding me a solution to my problem.
I have two 5520s each running 841 connected in two different data centers with two different internet providers. I have 100+ 5505s that have the capability to connect to either 5520 via EZVPN to either 5520. Up to now there has not been a need for a 5505 connected to one 5520 to talk to another 5505 on the other 5520. Each 5505 accesses network resources as in any enterprise network. Our company recently started telecommuting and I have been giving 5505s and a VOIP phone out to people. What was discovered is, if you are on one 5505 connected to a 5520 and the other 5505 is connected to the other 5520, the audio in VOIP does not work. If both the 5505s are connected to the same 5520 then everything works fine. Conversely a 5505 on one 5520 cannot ping a 5505 on the other 5520. 5505s on the same 5520 can ping each other no problem.
My problem: All 5505s are configured for a 172.18.xxx.xxx 255.255.255.224 subnet. This subnet is not used anywhere else. So I have a 100 Class "C" subnets carved up into 255.255.255.224 networks. If I look at a specific route for a subnet on one 5520 I see it pointed to the outside interface via RRI. I can look for the route in the 5520's connected CORE switch and I see the route pointed to the 5520. We have a fiber connection to the CORE in the other data center. The route is in this CORE switch as well. When I look for the route in the 5520 connected to this core it is not there. I have all other routes visible but not this particular route which should show on the inside interface. All I show on the 5520 are the 5505s connected to this ASA. So the 5520 is not processing the RRI subnets from the other 5520 and vice versa. That's why a 5505 on one 5520 cannot ping a 5505 on the other 5520. I only see 172.18.0.0/27 on the outside interface of both 5520s. I do not see any 172.18.0.0/27 on the inside interface on either.
I have had numerous TAC cases open on this and no one seems to either understand my problem or have a solution for me. My local sales rep CCIE says the problem looks like a bug in 841 (which I am running) and that the ASA is not processing RRI from EIGRP, which I am running as well. The whole network is running the same instance of EIGRP including the 5520s.
My questions:
1) Is it possible the 5520 is not allowing 172.18.0.0/27 on both the outside and inside interface? Even though all subnets are masked proper the ASA maybe thinks it is being spoofed? I have not been able to confirm this using the real time log.
2) Could this really be a bug? I have looked at all the release notes and have not found anything resembling my problem. TAC has not recommended that I upgrade or downgrade my IOS.
Jun 19, 2012
My Cisco devices send syslog messages to LMS but it won't show any messages from the devices. The older LMS 3.2 and the other collector show all syslog messages. What to do with LMS 4.0.1?
Feb 8, 2012
I have a customer suffering from various RIP problems and I can see these logs (what do they mean and what to do to avoid that?):
RMS-PE3#show logg | i RIP
Feb 9 14:51:16: %SCHED-3-STUCKMTMR: Sleep with expired managed timer 56528110, time 0x6CBFD5EB5 (00:00:00 ago). -Process= "RIP Router", ipl= 5, pid= 480
.Feb 9 14:53:52: %SCHED-3-STUCKMTMR: Sleep with expired managed timer 4AE46A24, time 0x6CBFFC104 (00:00:00 ago). -Process= "RIP Router", ipl= 5, pid= 480
[Code]....
Mar 24, 2013
I've deployed AnyConnect on Windows 7 clients, and they are throwing this message after a few days of usage: "The VPN client driver has encountered an error."
-Version: anyconnect-win-2.4.0202-web-deploy-k9
-OS: Windows 7 Pro 64-bit
-FW: ASA 5505
What seems to fix it:
1. Uninstall AnyConnect Client, then
2. Remove the C:\Users\User\AppData\Local\Cisco folder
Aug 16, 2012
When loading a MIB file I get an error: unable to load the MIB file. Error: can't find RFC1155-SMI. I cannot find RFC1155-SMI.my. Where can I find or download RFC1155-SMI.my?
Apr 3, 2011
My computer had a filter on it that used a proxy server. The company (called Familink) went out of business. They provided an application for removing the filter, but it did not work, and the filter was never removed. I believe when the filter was installed, it modified the registry to prevent internet browsing unless the proxy was active. Now, since the company is out of business, there is no way to use the proxy, and I cannot browse the internet at all. I can still connect to secure (https://) sites just fine, but not any other channel. It is not a problem with the ISP, because I can browse the internet just fine on the same computer using Linux. It just does not work with Windows. When running a diagnostic test, I get error 0x2751, or "WSAEHOSTUNREACH".
May 7, 2012
I have a Cisco 1841 router connected to two different lines (same ISP) and I would like to load balance between them. I think I have achieved this point, but the problem is that remote VPNs do not work (only from Dialer1). This is my diagram:
ISP1----ISP Router----------Fa0/1 ROUTER 1841
----------Fa0/0 LAN
ISP2 ----------------pppoe Dialer1 ROUTER 1841
I have tried to redirect all my VPN traffic through the Dialer1 with PBR, but it does not work.
Apr 11, 2011
Ok, starting about an hour ago I seem to be having a problem accessing YouTube as well as Facebook & now Microsoft? I have done some searching around and tried a few of the suggestions I found including: trying another browser (happens using both Mozilla and IE), clearing internet cache, unplugging my modem for a minute then plugging it back in, etc., and so far none of these have worked. I did get YouTube to work once since then long enough to upload a 10 sec video but once it was uploaded and I tried editing the video details I once again found myself taken to the page that says "The connection was reset".
Feb 27, 2013
I need to create a VPN connection between two ASA firewalls and when trying to create this I get the error message below. The config I was to use is -
object net-local
Subnet 10.51.212.1 255.255.255.0
object network net-remote
subnet 10.10.2.65 255.255.255.0
ERROR: network IP address/mask <10.10.2.65/255.255.255.0> doesn't pair
Mar 12, 2013
The router 1841 is connected directly to the layer switch. The network diagram is below:
Office A --> Switch (L3) --> Router 1841 --> Internet --> Office B
However, when I transfer a file from Office A to Office B, the speed is very slow (only around 40 kb/second), and there are input errors and CRC errors:
Cisco-R1841#sh interfaces FA0/1
FastEthernet0/1 is up, line protocol is up
Hardware is Gt96k FE, address is 0019.e02f.03dd (bia 0019.e02f.03dd)
[Code]......
May 1, 2012
I'm trying to open certain websites but the browser gives me this message: "Network Error (tcp_error) A communication error occurred: "Operation timed out" The Web Server may be down, too busy, or experiencing other problems preventing it from responding to requests. You may wish to try again at a later time."
Apr 20, 2011
I'm currently studying at a college which has a website with a student intranet that is available to log in from any computer. So far it has been working well and I can log in on my home laptop and upload documents and look at presentations etc. Today for no reason when I try and log in I get the message "Error Code 500: Internal Server Error" and the webpage does not appear. I have had no problems previously and this has only happened today and yesterday. I went down to the college and accessed the website fine from the computers in the library but still no joy from my home computer.
Jul 20, 2012
I have the ASA5505 with ASA 8.4.5 and ASDM 6.4.2. My ASA works as a site-to-site VPN with the other ASA5505. I would love to monitor the status of the VPN. I enabled logging on the ASA and put in the address of the SMTP server, the recipient email and the source email. The problem is that my SMTP server requires authentication, TLS. How do I set the configuration on the ASA5505?
Configuration of logging to send notifications by email.
Jan 22, 2011
We pulled the plug on our PIX 501 as it's not letting us use all 100Mbit that our cable provider is now piping to us. I read the conversion guide but it made no mention of the 501s. Only the 515s or newer. The ASA5505 is putting up a little bit of a fight (This is what I get for failing my CCNA??) After refusing to configure the LAN IP address to something other than what it was shipped with, I broke down and connected to the management console and forced an IP address on the LAN side. Now I reset my default config and everyone can get on the internet. Until the ISP cuts you off because you forgot to set your static IP. Oh, and by the way, they don't support Cisco gear.
When I attempt to assign the IP to the outside interface, it accepts without a hitch, but everything grinds to a halt. I cannot have this, as I have off-site users that operate with dedicated ports using Remote Desktop. I've attempted to set the IP via both ASDM and management console. I've tried setting a static route, but that doesn't give me any love either. I'm running ASA Version 8.2(1) and ASDM Version 6.2(1). Once I get the static IP set and working properly, I can tackle moving the port configs.
Jun 17, 2012
Can I have two IPSec tunnels over two different Internet links to two different destinations?
Aug 22, 2012
Our client has a vendor who needs to establish a VPN tunnel to their own router which sits behind our Firewall.
VPN Concentrator (Vendor) <------> ASA5505 Client (7.2) <-------> 3750 Switch <-------> VPN
ASA outside Interface - 208.64.1x.x4 DG - 208.64.1x.x3
ASA Inside Interface - 172.20.58.13/30
3750 Switch Interface Connected to ASA - 172.20.58.14/30 and DG - 172.20.58.13
3750 Switch Interface connected to VPN router - 172.20.58.21
VPN Router Interface connected to the 3750 - 172.20.58.22/30 DG - 172.20.58.21
I have also attached a Visio for this and the running configuration from the ASA and 3750. We don't have access to the TNS VPN router. Our responsibility is just to make sure the tunnel comes up.
1) Create a static NAT on the ASA for Public to Private IP of the VPN router
Public - 208.64.1x.x5 / 28
Private - 172.20.58.21 / 30
Will the ASA automatically ARP for this address or do I have to configure another interface on the ASA with this public IP?
2) What would the access list look like on the ASA?
3) The client gave us some config to copy onto the ASA so that they can create the tunnel but I couldn't put those commands in the ASA. How would this be applied and on what interface?
Firewall Access: The following information pertains to access between the VPN router and the
VPN concentrator. If a firewall/router is present in front of the VPN the following services need to be
allowed:
permit esp host 208.224.x.x any
permit gre host 208.224.x.x any
permit udp host 208.224.x.x any eq isakmp
permit udp host 208.224.x.x any eq non500-isakmp
Jan 19, 2012
I am not sure if it is different on the 8.2 or if I am missing something. I can connect to the VPN but cannot get to the inside computers. I can ping them from the ASA but not from the VPN client.
Jun 16, 2011
I have an ASA 5505 with outside interface IP 206.206.206.5. I configured the SSL VPN on this but I am still getting "page cannot be displayed" when opening https://206.206.206.5 from broadband.
Below is the related configuration in the ASA. What needs to be done in order to be able to connect the SSL VPN?
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
 webvpn
  functions url-entry file-access file-entry file-browsing
tunnel-group DefaultWEBVPNGroup general-attributes
 default-group-policy GroupPolicy1
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 nbns-server 10.10.10.11 timeout 2 retry 2
policy-map type inspect http Http_inspect_policy
 parameters
  protocol-violation action drop-connection
 class BlockDomainClass
  reset
policy-map global-policy
 class global-class
  inspect dns
  inspect esmtp
  inspect ftp
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect snmp
  inspect sqlnet
  inspect tftp
  inspect xdmcp
  inspect icmp
policy-map inside-policy
 class HTTPTrafic
  inspect http Http_inspect_policy
!
service-policy global-policy global
webvpn
 enable outside
 url-list nuk001 "abc002" cifs://10.10.10.1 1
Jun 26, 2012
We have multiple servers on the DMZ (192.168.2.0/24) but they cannot access any resources in the Inside, by default. We would like to open up a Syslog server from the Inside (10.1.1.5) to the DMZ servers, so we can collect system log from the servers.
Nov 17, 2011
I have an ASA 5505 with the Security License running 8.4 and 6.4.5 software. I have a fully working VPN solution on there using an ISP IP - works fine. My boss wants to split the lines/bandwidth to another ISP we have coming into the office. So what I want to achieve, if possible, is this: say my current ISP is 5.5.5.5, my internal network is 192.168.2.x and my other ISP is 6.6.6.6 - is it possible to use the ASA to accept VPN clients from both ISPs and use the internal network?
Jan 17, 2012
I have 4 remote sites that are using an ASA as their firewall / router. I'm setting up a full mesh VPN between all the sites. One of the sites has a UC500 and the other sites access that UC over the VPN tunnels. I would like to set up some basic QoS for the VOIP traffic.
The site that has the UC will have multiple VPN tunnels coming in from the remote sites. How will I do QoS with voice traffic on that site?
Jul 8, 2012
I have 2 office buildings using Cisco 800 series routers with an L2L VPN between both. I'm upgrading the router to an ASA5505 at one of the offices but can't figure out the L2L VPN on the ASA. Specifically, can't figure out how to set the pre-shared key. On the Cisco 800 it's: That doesn't seem to work on the ASA. Here is my current config on the Cisco 800. [code]
Jun 17, 2011
I need to create a second VPN in the same ASA5505; it already has a VPN to one of our clients. So it already has a transform set, crypto map and policy. Now I need to create a new one. I would like to create a separate transform set and crypto map for this 2nd VPN with a new name to identify it very easily. But I have a doubt: may it affect the current VPN? Because it has another VPN with another transform set and crypto map...
1) Will it affect the current VPN?
2) Do I need to create a separate transform set and crypto map, or use the same transform set and crypto map with a different number? If it is possible to create multiple crypto maps then I would like to create that.
Sep 25, 2012
My company purchased a PAK for ASA5505-SEC-PL a while back. I found it unopened and need to know if it can be used, without activating it on an ASA. I opened up a case with the Cisco TAC, provided them the PAK serial number and got the following responses from 2 different individuals:
1. Since the product was covered under warranty and then expired this means that the activation key was used before.
2. This PAK number is expired since (Warranty End Date 21-Feb-2009).
I responded that I am not interested in warranty information but I just want to know if the PAK can be used. Just because the warranty expired, does that REALLY mean the PAK can no longer be used? That doesn't make sense to me. Isn't there a tool on Cisco's website to put in the PAK S/N to see if it is available, has been used, and if so, when?
Aug 6, 2012
I have 2 x ASA 5505s. I would like one to sit at my office behind an ADSL router with a static IP address, and be configured as a Server. I would like the other to connect to an ADSL router with a dynamic IP address, and be configured as a Client.
This must be a plug & play setup, so that when the 5505 client is plugged into ANY broadband router, it automatically creates a VPN tunnel to the 5505 server. In case it's relevant... the purpose of this link will be to stream video data back to my office from remote locations. We have "played" around with the ASDM, EasyVPN and wizards and still cannot get this to work!
Jul 3, 2012
I exported the config file from an ASA5505. I changed this file and imported it into my ASA5510. Can you tell me if that config file is all right?
Dec 14, 2011
I set up a full mesh LAN-to-LAN VPN for a client with 4 sites. Each site has an ASA 5505 running 8.2(5). Site-to-site VoIP traffic runs in the VPN tunnels, as well as traffic to/from a file-server located at the main site. There are two back-up servers, one at the main site and one at a remote site. The main site has 2 bonded T1s and the other three sites have a single T1. How should I go about setting up my QoS?
My top requirement is that VoIP traffic will never be pushed out of the way for data traffic. My secondary consideration is to give more preference to file-server traffic than to web traffic and to make back-up traffic the least important. I'm currently researching to see if the VoIP provider is DSCP marking EF on the VoIP traffic, but I am going to assume they are for now. I know the IP of the file-server and back-up servers.
Nov 10, 2011
I have two ASA 5505s at two different locations (main office and remote office) and I need the remote office to be in the same subnet as the main office, since they move computers between the offices and they have fixed IP addresses on those computers and they have no right to change to DHCP mode when they move to the remote office. Is it possible to create something like a bridge over the VPN tunnel so it extends the LAN?
Nov 29, 2011
Is it possible to use IP "aliases" on an ASA5505 to use as static NAT public IPs to private IPs? For example, I have int e0/0 connected to my ISP using a /30 subnet and I have my private LAN connected to e0/1 with a /24 subnet. At the moment I can use the one usable IP from the /30 to NAT to the private LAN. The ISP is also routing a /28 subnet to the one public IP of the ASA. I would like to use some of the /28 IPs for NAT also. Can it be as easy as just adding the NAT commands? I figure I would have to add that subnet to the ASA somehow, no? In other devices (including the SA520) they use a concept called IP aliases whereby you define what additional IPs the device can use in its NAT config. Does the ASA support aliases? Maybe I have to do something with VLANs?
Jul 25, 2011
I have set up an IPsec L2L VPN between an ASA5510 and an ASA5505 which is working just fine. Every now and then our management station receives the following syslog message: Session disconnected. Session Type: IPsec, Duration: 2h:23m:23s, Bytes xmt: 3283338, Bytes rcv: 8637607, Reason: Phase 2 Error. I have already searched the forum for this message to exclude all the possible reasons for this message:
- the complete crypto maps are the same on both ends (lifetime, psk, pfs etc)
- the ACLs used in the crypto maps are exactly the opposite of each other