Cisco VPN :: ASA5510 To 2951 - Phase 2 Failures With 10.x Subnets

Apr 25, 2013

I have a site to site ipsec tunnel setup between an ASA5510 and a 2951 Router. The ASA 5510 is on a 10.x subnet with a few vlans behind it. There are also 7 other ASA5505 that connect to this box with ipsec.
 
The 2951 is on a 10.x subnet with multiple vlans behind it (10.x and 192.x subnets).
 
When I had ACL to allow traffic from 10.20.0.0 (ASA) to 192.168.111.0 (2951 - voice vlan) the connection comes online and is stable.
 
The minute I add any of the following, the connection drops off with Phase 2 errors:

- 10.20.0.0 to 10.1.200.0
- 10.20.1.0 to 10.1.1.0
 
I can add a second 10.20.0.0 to 192.168.10.0 with no problem at all. The issue only seems to occur when attempting to add traffic from 10 to 10 on the tunnel.

Cisco VPN :: ASA5510 Site-to-Site VPN Same LAN Subnets

Jan 21, 2013

I am setting up a VPN between my client and their owner, in order for the owner to access resources at my client's site. Unfortunately their owner already has a VPN connection to another site with the same subnet as the one on my client's site. I have set up a policy NAT to translate my client's internal LAN to a "NAT" LAN, and I can ping from my client's LAN to their owner's LAN, but their owner cannot reach any resources at my client's LAN.

My client has an ASA5510 with a base license, but their owner has their firewall and routing "leased" or something like that; it actually was their ISP who configured the VPN settings. That means of course that I have very limited (no) access to the other site's firewall and I actually don't even know the make and model of it.

And last but not least, the subnet the owner needs to access is on my client's core switch and the ASA has an internal route to it. I have pasted in the interesting parts of the ASA config here below; the displayed subnets are not the real ones. [code]

Cisco Firewall :: ASA 8.4 / NAT Some Subnets To One IP And Other Subnets To Another IP?

Aug 15, 2012

I need to NAT some subnets to one IP and other subnets to another IP. The range command won't work because some of the subnets are out of order. For example, subnets 192.168.1.0 - 192.168.7.0 and 192.168.25.0, 192.168.28.0 NAT'd to 1.1.1.1, and subnets 192.168.26.0 - 192.168.27.0 NAT'd to 1.1.1.2.

Cisco VPN :: 876 Phase 2 SA Policy Not Acceptable

Oct 16, 2012

I want to setup a vpn tunnel from a Cisco VPN Client in the internet over a fritzbox to the Cisco 876 (Version 15.1(4)M3) so that the vpn tunnel terminates at the Cisco 876. For that reason I used the command "crypto map mymap" on the int fastethernet 1. When I try to connect, the VPN Client opens the window for username and password but then ends with the message "not connected". When I do "debug crypto isakmp" the Cisco 876 shows the message: "phase 2 SA policy not acceptable!". [code]

Cisco WAN :: Will 3945 Work On 208 V Single Phase

Mar 12, 2013

Will the 3945 router work on 208 V single phase (line to line)?  I know it mentions 100-240 VAC, but would the line-to-line issue cause a problem?

To Find A Pass Phase Number

Jul 24, 2011

How to do the above thing.

Cisco VPN :: 5540 Duplicate Phase Packet Detected

Feb 27, 2011

I have a little problem with an Easy VPN; this is the topology:

-One router 2811: This is the Easy-client (which has an IP address by DHCP)

-One ASA 5540: This is the Easy-server

Cisco VPN :: ASA 5580 Random (Phase 2 Rekey Collision)

Feb 25, 2013

The configuration is simple: on one side an ASA 5580 with software asa844-5-smp-k8.bin, on the other side an ASA 5520 with asa845-k8.bin. Between them an IPsec LAN-to-LAN tunnel is built. Usually it works fine, but at random times I get an error in the logs, something like this on the ASA 5520:

%ASA-5-713904: Group = x.x.x.200, IP = x.x.x.200, Phase 2 rekey collision, found centry 0x6cec9d28

or on the ASA 5580:

%ASA-5-713904: Group = x.x.x.234, IP = x.x.x.234, Phase 2 rekey collision, found centry 0x00007ffe782dfa60

The main problem is that if this error occurs on the 5520, everything continues to work (only this message appears in the log).

If this problem occurs on the 5580, the tunnel stops working. The one thing that works is dropping the crypto SA (clear crypto ikev1 sa x.x.x.234); after that the tunnel is reinitialized and everything starts working again. As far as I know, this problem existed on the 5520 up to version 8.4.2 and was solved in 8.4.3. But, as you see, in the version for the 5580 (-smp) this bug is still present in newer versions.

Cisco VPN :: 7600 - Cannot Successfully Negotiate ISAKMP Phase 1

Apr 22, 2012

I am trying to set up a site to site VPN tunnel using GRE over IPSEC. Below is the configuration from both routers and debug output. I'm scratching my head on this one. I'm using two Cisco 7600 routers with  SSC-400 SPA modules and 720 Supervisors. The IOS on R1 is 12.2 SXI2 and R2 has 12.2 SXI3.

Cisco VPN :: 831 - Phase 1 And 2 Complete But Limited Network Access

Aug 5, 2012

I am configuring VPN on an 831 router using a dynamic-map configuration. I can connect to the network and I can see phase 1 and 2 complete from the debugs; however, from what I can tell I can only ping across the VPN. I can't connect to any web services or RDP to any hosts on the local network. Here is a copy of my config.

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers

[code]....

Cisco VPN :: ASA 5520 / VPN Phase 2 Complete But LAN Traffic Doesn't Pass

Aug 6, 2011

Just set up a site-to-site VPN between 2 ASA 5520 firewalls in two locations, but the VPN doesn't work even though I see phase 2 completed in the logs. I can't ping across the LANs.

Cisco Switching/Routing :: ASR 1001 - IKE Phase 2 SA Expires Immediately

Dec 11, 2012

I am migrating an IPsec site to site VPN config to a new ASR1001 router «facing» a Linux box (ipsec-tools + racoon). As the Debian Linux does not offer VTI, I am using a crypto map.
 
The working config is given below with the corresponding logs on the Linux side.
 
When I try to apply this previously working config to the ASR1001, I get the following error :
 
000855: *Dec 12 18:28:21.859 UTC: %ACE-3-TRANSERR: IOSXE-ESP(14): IKEA trans 0x1350; opcode 0x60; param 0x2EE; error 0x5; retry cnt 0
 
Dec 12 18:50:19 FAKE-AUCH-GW racoon: INFO: initiate new phase 1 negotiation: 194.214.196.2[500]<=>130.120.124.8[500]
Dec 12 18:50:19 FAKE-AUCH-GW racoon: INFO: begin Identity Protection mode.
Dec 12 18:50:19 FAKE-AUCH-GW racoon: INFO: received Vendor ID: CISCO-UNITY
Dec 12 18:50:19 FAKE-AUCH-GW racoon: INFO: received Vendor ID: DPD
Dec 12 18:50:19 FAKE-AUCH-GW racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt(code)

Cisco VPN :: ASA5505 Phase 1 And 2 Are Completed But Windows Client Doesn't Work

Dec 12, 2010

I tried to configure an L2TP connection on an ASA5505. Phase 1 and Phase 2 are completed but the Windows client doesn't work. [code]

Cisco VPN :: ASA-5520 Logs 713201 Duplicate Phase 2 Packet Detected

Feb 8, 2012

Got a classical remote access VPN with Cisco VPN Client and ASA-5520. Some weeks ago I noticed in my ASA logs this severity 5 message: Group = xyz, Username = abc, IP = 84.n.n.n, Duplicate Phase 2 packet detected. No last packet to retransmit. This message comes with every connect, but then the connection works fine.

Remark: See ASA ASDM:

- 1. Duplicated Phase II (!!)
- 2. Phase I
- 3. Phase II

Repeated DNS Lookup Failures?

Nov 8, 2012

My netbook keeps getting DNS Lookup Failure messages. This happens about every 20 minutes, give or take, though sometimes it can go longer before the failure. I can "solve" the problem by quickly repairing the network connection, but that's tedious. It happens only on my laptop and not on my housemate's desktop (wired connection) though he did say that it happens to him on his laptop as well. In looking around I thought the problem might be because I'm using Chrome, but it happens on Firefox and Opera as well.

Cisco WAN :: 2960S Post Failures If Break Into ROM?

May 8, 2011

I have over 20 units doing the same thing and it seems to be a software issue but I don't see any bugs or posts on it. This is only on 2960S switches and not 2960 or 2960G units.

If I use the password reset feature to break the units into ROM and then type "boot" instead of power cycling the unit, they will fail MBIST POST tests. If the unit is power cycled or left to boot normally on its own, there are no issues and all POST tests pass. I know MBIST is Memory Built In Self Test and was thinking maybe breaking the unit into ROM disrupts those memory tests for some reason. I tried the following software and got the same results with all of the images:

122-55.SE2
122-55.SE
122-53.SE2
122-53.SE1
 
Logs attached are from the same switch, one with password reset procedure used and while left to boot on its own. 

Short Ping General Failures?

May 18, 2011

My internet connection works fine for hours at a time, then suddenly will get 7 or 8 General Failures while pinging (long enough to boot me off the net), then will be back to working fine immediately afterwards. Pinging 127.0.0.1 works fine. I've checked the firewall (Norton) and it has the default settings.

Cisco VPN :: 3000 Network Address Is Allowed Down Tunnel / Check Phase 2 IPSEC Proposal

Nov 4, 2012

I need to check and possibly change which Network address is allowed down a tunnel and check our Phase 2 IPSEC proposal. How would I do this on a VPN3000?

Cisco :: C3745-ENTSERVICESK9-M Spurious Router Fan Failures?

May 23, 2012

C3745-ENTSERVICESK9-M version 12.4(10b). ROM version 12.2(8r)T2. This router appears to be generating spurious fan failure alarms. The fan assembly has been changed for a new one, the engineer checked and was satisfied that in a physical functional sense the replacement fan assembly was definitely working, but we now have all 4 fans showing as failed. We are being told that the replacement unit is believed to be part of a batch of faulty fan assemblies and that it was a known Cisco issue.

Cisco VPN :: 3000 Concentrator Intermittent Login Failures

May 11, 2011

I manage a VPN 300 concentrator which has been happily working for several years without any problems. All users are part of the same group and authenticate to an RSA server. We recently moved from RSA Authentication Manager 6.1 to RSA Authentication Manager 7.1. Everything continued working fine for several weeks, then at the beginning of this week we started getting users intermittently failing to connect to the VPN. I'm not sure if this problem relates to our new RSA server, but we have other network devices which authenticate to it with no problem so I guess the problem is with the VPN concentrator itself.

When users fail they just get a generic "Reason 427 connection terminated by peer" error message. The live event log shows "group = vpn, status = Not-in-service" when their connection fails. Other times they connect normally and no error messages are displayed. There seems to be no real pattern; sometimes your connection fails but if you keep trying you will eventually get in [however it can take many attempts over an hour or two before you succeed, or you may get in straight away with no problem].

I don't believe it's a network problem, as I have run continuous pings to the concentrator and the RSA server whilst users are experiencing these problems and there are no drops.

The RSA server's authentication monitor always shows that the user has successfully authenticated, whether the user's connection actually succeeds or not. I am tempted to just reboot the concentrator, but we have site-to-site VPN tunnels connected off it and I'm a little concerned that if it is faulty it may not come back up at all.

Cisco :: 1142N - Monitor Wireless Authentication Failures?

Jun 7, 2012

I'm looking for a way to monitor client authentication failures with our 3 standalone 1142N APs. I know that I can see failures under the log viewer of each AP

Cisco Application :: ACE30 Get Failures In A Number Of Server

May 23, 2012

After the upgrade from ACE20 with A2(3.5) to ACE30 with A5(1.2) I get failures in a number of server farms, where before the upgrade the number was zero. No drops in VIP, and logs from applications do not show any new errors.

Cisco WAN :: 2851 And 1841 / Buffer Failures On Boot?

Oct 17, 2012

I have a 2851 and a 1841 both serving as hub routers in a GRE multipoint configuration.  They are both receiving buffer misses and failures on startup.  I will post the output of show buffers below:
 
LAB-HUB-RTR#show buffers
Buffer elements:
607 in free list (500 max allowed)
9071 hits, 0 misses, 618 created
 
Public buffer pools:

Small buffers, 104 bytes (total 71, permanent 50, peak 71 @ 00:11:33):
68 in free list (20 min, 150 max allowed)
7083 hits, 74 misses, 0 trims, 21 created
55 failures (0 no memory)

[code]....
 
I have tried increasing the small/medium buffers initial size and permanent size, however there is no change. The buffer failures for small and medium buffers are always around this many every boot. I have also changed the IOS versions between 12.4.24(T4) to 15.1 with no luck in stopping the failures.

Router Drops And Remote Access Failures?

Sep 23, 2011

I made a custom-built V1 Windows Home Server that I really would like to be able to remote access. I have tried the Netgear 3700, but it did not allow remote access. A D-Link DIR-825 does, but it, and many D-Link products, have a persistent problem of requiring a reset due to dropped connections. I have had 2 of the DIR-825's drop connections. I have been told that their QoS components cannot handle the load on them and fail, causing the drops, but I cannot corroborate that. Perhaps what I need is a router that allows "NAT loopback"? This way I can see the WHS Console verify that I can access the server from outside my network. I have tried to do so with the above routers via a 3G connection on my iPhone 4 and all except the D-Link failed to allow access to my WHS.

I should add that I am using a D-Link DSL-520B modem on ATT DSL. It is a 6MB connection from the ISP. Previously the modem was in "bridge mode" on the D-Link router. Also, contacting ATT I was told they do not block any ports. I have tried forwarding the proper ports (80, 443, 4125) for the WHS, but that has not given me remote access. I did get them by enabling UPnP on the D-Link. Is all this an issue of needing the modem on "bridge mode" in order to work properly? Any router for my needs that allows remote access (NAT loopback needed?) and also has a solid connection? Gigabit ethernet is a must have too. Otherwise I am open to options. I would like a combined router/modem unit to make things a little easier.

Does A Spanned Drive Have Any Protection Against Disk Failures

Apr 28, 2012

Does a spanned drive have any protection against disk failures?

Cisco Switching/Routing :: 3phase Or Single Phase Wiring For Nexus 7010 Power Supplies

Jul 26, 2010

We just purchased a Nexus 7010 switch and we are at a standstill with our COLO trying to figure out what power source should be provided. APC recommends a 50amp 3phase vertical cabinet PDU (AP7867). What type of power source/breakers will be sufficient in handling the Nexus 7k w/ (3) power supplies? Does the COLO need to provide single phase or 3 phase power receptacles?

Cisco WAN :: SR520-ADSL-K9 - Can't Even Connect To Router After Power Failures

Aug 6, 2012

I'm a bit of a newbie at using Cisco products and here is my problem: I set up a VPN tunnel between 2 sites (A and B) a few months ago using 2 Cisco SR520-ADSL-K9. All was working fine until power failures occurred on site B (secondary site).

What happened was that none of the ethernet ports were working, except during booting. I was then able to ping computers linked to ports FastEthernet0, FastEthernet1, FastEthernet2 and FastEthernet3, but after a few seconds all ports were disabled, although my DSL seemed to be working.

So I took the router back home to check it. I managed (I think) to make a factory reset using a serial terminal and following the procedure described here [URL]

Since I did the reset, I thought I would be able to re-use Cisco Configuration Assistant (3.1) to re-configure the router (I am very bad at using the command line) but I am unable to connect to the router using the supposed default IP: 92.168.75.1 (I set my computer to use the 192.168.75.50 IP address with mask 255.255.255.0). But I can't connect to the router ... even if the Ethernet ports seem to work, because the green light is on when plugging in my cable. connect to my router using CCA ?

For more information, here is what I get when I run "show startup-config" and "show running-config" in the terminal console. I guess the objective is to make the startup-config be the running-config, but I have no idea how to do that ..
 
show startup-config
show running-config
Router#show startup-config

[Code]......

Cisco WAN :: Http Connection Failures After Installing C2960G Switches

Mar 7, 2012

I have seen this at two sites now: after migrating the site T1 to 10-Mbps Opt-E-MAN and replacing old 10/100 switches with 10/100/1000 switches, users frequently get http connection errors. The error goes away if the user reloads the page--sometimes they have to reload more than once. They never had this problem before. I thought it was due to the large number of 5-port desktop switches infesting the networks (I'm getting rid of them as fast as I can) but it happens even on a PC directly connected to one of the new GigE switches. It does not happen when accessing internal web pages. It looks like a DNS failure -- but nothing has changed in our DNS setup, except that users have a fatter pipe to our DNS servers.

Cisco VPN :: ASUS CM6870 - AnyConnect Installation And Connection Failures

May 6, 2013

Installed Cisco AnyConnect Secure Mobile Client on a new Asus CM6870, downgraded to Windows 7 Pro. It worked fine for 3 days, establishing VPN connections with my workplace without a problem. Then it repeatedly failed to connect.

I attempted an uninstall/re-install, and the install now fails as well, returning the following error: The VPN client agent was unable to create the interprocess communication depot. When I do manage to get it re-installed, it works sometimes, then fails to establish connections other times. I am not an IT professional, so trying to diagnose the issue by reviewing the Windows/Inf/setupapi.app.log and .dev files is a no go. I do not hold a contract with Cisco so I am not authorized to open a support ticket, or receive phone support (again, I tried).

Router Failures / Often Times Fail To Respond To Any Web Activity?

Jan 20, 2011

In each case, the routers have functioned flawlessly for a period of 2 to 8 months, then suddenly begin to require daily to hourly reboots to keep the speed up, and often times fail to respond to any web activity whatsoever. Ping tests are intermittent, sometimes failing but other times succeeding while web sites remain unresponsive. For three years I lived with two or more room mates at a time, each of us with our own computer (or 2) and all doing a lot of peer to peer downloading. I realize a router can overheat during heavy use like this, so buying new routers so regularly has seemed vaguely understandable. However it doesn't seem like that is the case in my most recent failure. I've lived alone for the past 3 months, and have owned the Belkin Play Max N600 HD since. I have NOT been P2P downloading or putting a heavy load on my router in any way (or so it seems). Yet as of about two weeks ago, it has suffered a major slowdown just like all of its predecessors. Yet my 30 mbps internet connection roars to life the moment I plug the modem directly into a computer.

My desktop remains on 24/7 but like I said before, I do not do constant downloading/uploading. Both wired and wireless connections are affected equally, and I have always kept all my routers WPA encrypted. When websites become unresponsive on my Belkin today, it is usually after everything has been sitting idle for some time (overnight, or all day while I am at work). Speaking of work, today is a perfect example. I remoted into my home desktop and was able to interact just fine, yet when I would launch a browser and try to load any website at all, I get absolutely nothing. I had to transfer a text document through DropBox (which also still worked) because I couldn't get Google Docs (or gmail) to load on the remote computer

DNS Lookup Failures While Connected To VPN With Sierra Wireless AirCard313U

May 14, 2012

For more than 6 months I have been happily using a Sierra Wireless AirCard313U to connect my Win7 Pro (64-bit x86) laptop to the internet, and using another corporation's VPN (Citrix Access Gateway) as a contractor - so networking problems ARE my problem.

Now what happens is: DNS failures halt my internet browsing and any hope of RDP'ing into the corporate LAN whenever I connect to the VPN while using the AirCard (it's a USB/cell modem device). The DNS lookups and RDP'ing work fine when I'm using the VPN with my wifi.

What changed recently:

- Installed Connectify software
- Uninstalled Connectify software (didn't work w/AirCard)
- Installed VirtualRouter software
- Uninstalled VirtualRouter software (didn't work w/AirCard)
- Installed Sierra Wireless' AirCard Watcher software (manager app, may have included updated drivers for the AirCard)
- Re-install Connectify software (now worked w/AirCard)
- Uninstalled Connectify software (DNS problem had appeared)

I've tried removing ISATAPs, running these commands & rebooting, to no avail:

netsh int ipv4 reset reset.log
netsh int ipv6 reset reset.log
netsh winsock reset catalog

Right now, connected to VPN via wifi my ipconfig /all looks like this:

Windows IP Configuration
Host Name . . . . . . . . . . . . : W7
Primary Dns Suffix . . . . . . . :

[Code].....

Losing Internet Connection On Desktop After Power Failures But Not On Laptops?

Jan 29, 2011

I leave one of my computers on all the time, an Acer desktop with Windows XP. I also have two laptops. I have Verizon DSL and a Linksys wireless G router. When we have a power outage the Acer desktop loses its internet connection. Trying to reconnect takes hours. Even when we finally get it back we have no idea how we did it. The laptops, which of course were off, have no problem.

82579V Windows 7 - Wired Network Has Random Intermittent Failures

Jul 1, 2011

I just built a new computer running Windows 7 with an Intel 82579V Gigabit on the motherboard. Since last night while playing an online game, I have occasionally noticed sudden network failures where I either time out of my game or severely lag for 10 seconds before the game catches up.

My other network hardware and setup remains unchanged during this build. I have never had issues with my internet connectivity from my ISP.

The problem is not consistent and I'm not sure how to repeat it. I was playing my online game for several hours and then suddenly started having problems every 5 minutes with disconnecting. I can watch the network utilization in the Windows Task manager drop suddenly and then spike back when I reconnect to the game. Similar visual seen on the Tomato software on my router.

So far I've grabbed the latest drivers for the network chip from my motherboard manufacturer's website and turned off Teredo. I also made sure no power saving features were enabled on the network chip in the device manager.
