Cisco VPN :: Stops Forwarding Traffic On Subsequent Connections 861
Mar 23, 2011
I have a very strange problem on 2 (independent) Cisco 861 routers in different places. They are both configured as easyVPN servers. One uses UDP, the other TCP. VPN clients connect by using Cisco VPN client software. This cannot be changed because the customer expects it this way. Both routers have the same problem:
* the first VPN connection after a reset works fine. Traffic passes through and it is perfectly usable. I can ping the internal network interface on the router side from the client without problems.
* the second connection (and all subsequent ones from different client machines etc.) connects fine, no errors on the client whatsoever (not sure I evaluated all possible debug output on the "server" side). However, no traffic passes through. Pings do not come back from the 861 anymore through the VPN tunnel. I already enabled ICMP debugging and saw that pings are actually answered by the 861, but do not reach the client. The same seems to happen to any and all other packets as well.
* If I restart the 861 the very same thing happens: the first VPN connection works fine. You disconnect, try another connection from the very same client computer, and it does not work anymore until the next router reset. I append the configuration for the sake of completeness. Confidential parts are represented by XXX. Some ACLs are not in use right now; I used them for testing. [code]
Since the power failure two days ago, my ASA stops forwarding traffic to internal servers, for no apparent reason. Packet trace shows all OK, packet capture buffer stays empty when I try to http into the mail server. The only way to get it working is to change the Outside IP to the one used for mail, then to change it back. It will work OK for a few hours, then stop, with nothing obvious in the logs.
I am using an RV110W with the latest firmware 188.8.131.52. I have some port forwarding configured, which normally works. But sometimes, all port forwarding stops working. Everything else continues working normally, just all port forwarding doesn't work any more. I tried disabling the port forwarding and enabling it again; this doesn't work. Also disabling the firewall completely does not work. You have to reboot the router, then everything works fine again. When I make a portscan from outside with a "fresh" started router, the forwarded ports are open. When the error occurs and I make a portscan from outside, all ports that should be open (and have been open before) are closed.
A client has an ASA 5505 with a base license. The version information and configuration is attached. In 8 hours, sometimes less and infrequently more, it becomes inaccessible. All connections are dropped and the only way to access the device is through a console connection. The WAN interface (VLAN 3) is connected to Verizon FIOS. The interface was set to 100 Mbps and full duplex, but I just changed it to auto on both the speed and duplex to see what would happen. The LAN interface (VLAN 1) is also set to 100 Mbps and full duplex. It has not been changed.
The last time it happened logging was running, but nothing in the log indicated a problem. In fact, the last log entry was a couple of hours before the lockup (there's little or no traffic on the ASA while the problem is being diagnosed).
I have recently been experiencing a problem. This started to occur after I had gotten new internet service and a new router. I now have Comcast, and a new NetGear router. I also have a VOIP phone connected to the router called "AllVoi". Now, whenever I use this phone, all connections on WiFi go down while I am using it. When I am using any ethernet connections directly from the router, it works fine. It becomes a large problem when you are watching a video or something from a laptop WiFi connection.
A short while ago, I had my data backed up onto a new HDD, as the old one was showing signs of failing soon. When I got the computer back, I noticed a problem where I need to constantly hit "Diagnose" in the Wireless Network Connection Status to get my internet working again. When it gets into this stage, several websites continue to work, I don't lose my connection to them. Some websites I can still connect to without a problem. However, many websites, even google, keep giving an error that the host could not be found. It appears that it stops accepting new connections until I reset the wireless card. My Laptop (using wireless) and other PC (Connected directly) have had no issues at all with our wireless router.
I have a DIR-655 with both wired and wireless connections. Yesterday, network stopped working on one wired machine while using it to surf the internet and a 2nd wired machine has not worked in 3 weeks after moving it from one room to another. Wireless connections are working fine.
- 2 wired systems (Windows 7 and Windows XP), both stopped working
- 2 wired Xboxes - working fine
- 2 laptops, wireless working fine
- 1 smart phone, wireless working fine
I've power cycled my DSL modem and DIR-655 multiple times. Power cycled computer multiple times. Tried Win7 built-in diagnostics. Tried setting up static IPs. Tried filling in preferred DHCP server address. Disabled Windows firewall. [code]
I have an RV042 router on a single WAN and an internal LAN. I have configured port forwarding as follows:
HTTP [TCP/80~80] -> 10.0.0.6
HTTPS [TCP/443~443] -> 10.0.0.6
IMAP [TCP/143~143] -> 10.0.0.5
IMAP SSL [TCP/993~993] -> 10.0.0.5
SMTP SSL [TCP/587~587] -> 10.0.0.5
Everything works just fine when I have the firewall DISABLED. However, when I enable it the behaviour is erratic. 1 out of 10 attempts to connect to ANY forwarded port works. Almost all attempts time out. Notice that this happens even if using only the default firewall rules (which should be bypassed by the port forwarding as I read in other posts).
My second try was to create firewall rules manually, overriding the default ones. I tried adding rules from source WAN1 (where my connection is) to ANY and to SINGLE IP's on every port. Nothing seems to work.
I don't know what I'm doing wrong, this is really bugging me. I had to turn the firewall off so we can access our servers from outside the office. This shouldn't have to be done.
Just found out that my firewall is getting LOTS and LOTS of Blocked - SYN Flood entries. I think this is why we are having trouble with the firewall. Could this be the problem? I have no idea where all these SYN packets are coming from since they appear with spoofed IPs or come from different bots all over.
Having a problem with port forwarding on their WRT400N? I'm forwarding one service (https) and this stops working if it's not accessed after 10 days or so. The only way to get it to work again is to reboot the router. I'm running the "latest" firmware, which is an oxymoron considering it's been over 12 MONTHS since Linksys updated the code... Which is appalling considering this appears to be their flagship wireless N router.
We have an AP541N that has been deployed to replace a Cisco 1200 AP (B/G radio). The 1200 functioned perfectly in our environment. The new AP541N on the other hand seems to work fine right after a reboot but immediately starts to degrade service. Over a short period of time, the device's bandwidth degrades to the point where the wireless network is not usable. This happens with just one device connected. Eventually, the device stops accepting client connections. We are unable to get any relevant logging out of the device to diagnose the problem.
I tried to update my firmware on my DIR 615 by clicking the check now button within the router's parameters and got the file DIR615C1_FW311NAB04.bin. The update bombed. I have hardware ver. C1, firmware ver. 3.11NA dated June 23, 2009. Should I try and install the other firmware versions in subsequent order, i.e. ver 3.11NA (dated 7/15/2009), then ver. 3.12 and then ver. 3.13? Or should the latest and greatest cover them all?
dwest. Wireless to router. No factory reset. ISP Ser. Cable ISP Router. Stand Alone. Modem Make & Model. I have to get up for that one, will have to report back tomorrow.
I have been using a TP-Link WR1043-ND for a while now. It is configured as a dumb switch with DHCP disabled. Every other day or so, the device stops taking connections and I cannot access it via the IP address. A simple power toggle resets everything immediately. Through this, the LAN connected devices never lose connectivity; I simply am not able to connect wirelessly or access the router via web browser. The only device I connect to the wifi is my phone, so it may actually be more frequent and I do not notice due to my low utilization (and I have 3G so I don't always notice right away if I'm connected). I have a WDTV Live SMP connected to one of the LAN ports and that functions non-stop regardless of the wifi. When the wifi is "down", my phone can see the network and attempts to connect. Sometimes it times out, other times I am repeatedly prompted that the password is incorrect, even though I am POSITIVE that I am entering it correctly. Once I toggle power on the router, the phone connects fine with the stored password.
I have updated to the latest firmware (about a month or so ago): Version: 3.13.12 Build 120405 Rel.33996n. My hardware version is: WR1043ND v1 00000000. The router is connected (via LAN port 1) to a wall drop. My upstairs roommate maintains the gig switch and modem, as well as handling the network admin. I simply am using the router as a switch to provide extra ports and broadcast the network over wifi in my apartment. All that said: I need help troubleshooting this router and its configuration before I consider buying a more expensive replacement (and if I go this route, I might add a small switch as well to give me more than 4 LAN ports to work with). I am also considering flashing to DD-WRT before replacing as well to see if that makes a difference in reliability and uptime.
The Port 80 port forwarding stops functioning after a few hours and requires the router to be rebooted to start forwarding again. The firmware is the latest 1.0.04 Build 7. I require it to operate reliably for many days without intervention. I assume that it is a port forwarding problem because I can access the IP on my network from within my network even when I can't access it from outside my network. I am using the correct IP addresses as it sometimes works OK. A characteristic is that when I can't access the page it loads as completely blank white with no error message.
We have a managed service provider VoIP network that requires us to use our own router for the data network. We wanted to use the RV042 for its easy VPN setup. After installing it worked great for about 10 min., then the WAN port stopped passing traffic. 3 min. later it started working again. We tested the RV042 on a different network and it works fine. We tested an older PIX on the managed network and that works fine. But the RV042 will not work on the managed service provider VoIP network. The service provider says that on their end it shows our WAN port going up and down.
Cisco ASA 5510. Between 5 to 10 minutes after resetting the ASA, traffic stops reaching outside IP addresses. Ping from console fails to ISP router IP. Ping to Google name server fails. I have reset to factory default, only setting up the NIC and NAT, and it still happens.
I have configured multicast (ip pim dense-mode) on two 2911 routers that are connected by a Multilink (3Mbps) WAN connection. The configuration works fine for a while and sometimes all day, but at some point one of the Multilink interfaces stops passing multicast traffic. I perform a sh multilink 1 on the interfaces and one interface shows the multicast packets incrementing and the other does not; it just stops. The only fix for this is to hard reboot both routers and the multicast traffic begins to flow once again.
I have created an L2L tunnel between myself and a 3rd party. I am using a Cisco ASA 5520 and the other end is using a Cisco 3005 VPN concentrator. The tunnel will get established and pass traffic both ways for a little while; it varies, sometimes 1 hour, or the last time we built it, it was working for 17 hours, but at some point my ASA will stop transmitting but it will still be receiving packets. These errors start to show up when I look at the traffic going through my ASA interfaces:
713042 IKE Initiator unable to find policy: Intf Outside, Src: 192.168.xx.16, Dst: 10.1.xx.30
Then when I try to ping their hosts .30 and .27 I get:
713041 Group = 68.23.xx.xx, IP = 68.23.xx.xx, IKE Initiator: New Phase 2, Intf private, IKE Peer 68.23.xx.xx local Proxy Address 192.168.xx.16, remote Proxy Address 10.1.xx.30, Crypto map (Outside_map)
713041 Group = 68.23.xx.xx, IP = 68.23.xx.xx, IKE Initiator: New Phase 2, Intf private, IKE Peer 68.23.xx.xx local Proxy Address 192.168.xx.16, remote Proxy Address 10.1.xx.27, Crypto map (Outside_map)
713050 Group = 68.23.xx.xx, IP = 68.23.xx.xx, Connection terminated for peer 68.23.xx.xx. Reason: Peer Terminate Remote Proxy 10.1.xx.27, Local Proxy 192.168.xx.16
When I first configured this tunnel it was with 3DES and SHA for phase 1 & 2, but when the tunnel would come up my phase 1 would negotiate to an MD5 hash, even though I specifically entered SHA, so the 3rd party and I decided to bring all the hashes for phase 1 & 2 down to MD5, and that was when it was up for the longest, but the problem still came back eventually. My ASA config is posted below:
ASA Version 8.2(3)
name 192.168.xx.16 Server description Server
name 10.1.xx.27 XYZ_01
name 10.1.xx.28 XYZ_02
name 10.1.xx.29 XYZ_03
I have configured multicast (ip pim dense-mode) on two 2911s that are connected by a Multilink (3 Mbps) WAN connection. The configuration works fine for a while and sometimes all day, but at some point one of the Multilink interfaces stops passing multicast traffic. I perform a SH Multilink 1 on the interfaces and one shows multicast packets incrementing and one does not; it just stops. The problem acts like there is a buffer that gets full and after that happens it just stops working.
Every so often, the switch of the router just stops moving traffic between the LAN and to/from the internet, though the WiFi keeps working and can still use the internet.
I can still use the router's switch, and ping other computers on the local LAN. What happens is that the router stops routing wired traffic from/to the internet; the rest of the issue is still the same. I opened reddit on my smartphone and there it was working via WiFi, but the router would have none of it for the computers on the wired LAN, not even accessing the router's page or telnet.
It is like some service or bridge between the switch LAN and the router itself dies... I'm still clueless.
The only "pattern" that I see is that my desktop is online, because I can be away from home for 12+ hrs and I can connect remotely to the server (RDP and Transdroid) so I know it has internet access, but sometimes I think this happens when I turn on my desktop, like just now, this morning, but again, I feel it is not every morning. Trying to be more scientific about it, I come here after every time it happens to record it, and also to set the record straight about the issue description.
So, I'm assuming it is not a hardware issue, because I did not have this problem in all of 2011 and 2012, and I do not overclock the router nor use anything other than the default TX power level.
- How do I begin diagnosing this issue?
- Is it a known issue with these builds? I could not find it.
My goal is to be able to provide info for debugging the problem and possibly finding a fix/workaround for it. If it is indeed hardware failing, how do I even begin to diagnose it from that POV? The message is empty...
Even with the new build r21061 it still happened two more times. Now the real problem to me is that I can't even revert it to stock firmware. I tried even with:
- unplug router
- press and hold reset
- plug router
- keep pressing until power led blinks orange
- enter 192.168.0.1 (PC must have static IPA, I use 192.168.0.200)
Can't open 192.168.0.1 in FF nor Chrome and it does not even ping. [URL]. I just want to get it back to stock, or to not have the switch-to-router(ing) hang up.
I run an AirPort Extreme router. I have my F9K1106 range extender set up and working. Works awesome. I get home from work the next day and the range extender seems to fall asleep; it won't pass any traffic. I power cycle it and it's back up and running. This happens every day without fail for a week now.
I have set up port forwarding on the RV220W to allow outside connections on RDP. I have tested that LAN RDP works fine, but when I test using an outside address trying to connect to an inside Windows PC with RDP, nothing happens.
1. A LAN with about 10 PCs, a router and a shared internet connection which is connected to the router.
2. One of the PCs is a server, and is accessed from outside. Port 2230 is forwarded to it in the router.
Now the matter is, as the server uses a shared internet connection which is always very slow, I decided to have a dedicated internet connection in the server by adding an extra NIC. But what happens is when the outsiders try to connect to the dedicated internet connection IP address, port 2230 is not forwarded to the server PC. If I disable LAN in this PC then the outsiders are able to connect.
I am trying to determine why a Comcast Business Class modem configured with a static IP (IPv4) works with a laptop or Linksys cable modem but not with a Cisco ASA 5505. After a few minutes, the 5505 stops passing web traffic. I am able to ping the default gateway even though I can not surf the web. After restarting the 5505 and the Comcast modem, web traffic flows for a short period of time, then stops. I can connect inside the firewall via ASDM 7.1.1 and via SSH. I can not connect via either from the outside. Comcast tech support indicated their router is working and is configured in bridge mode. I swapped out the 5505's memory, and then tried another 5505. Nothing seems to resolve the issue. I am trying to determine if the 5505 or the Comcast router is not configured correctly.
Here are the parameters: The 5505 was reset to default factory settings via the command: config factory-default. Configured the outside interface with static IP Address followed by the no shutdown command, then removed DHCP features from outside interface. Added Comcast DNS servers, default route, ntp servers, configured DHCP features on the inside interface. Enabled HTTP/SSH (inside & outside interfaces) and ICMP echo-reply (outside only).
I believe the Comcast modem is not configured correctly. The show version and show startup output are below.
ciscoasa# show version
Cisco Adaptive Security Appliance Software Version 9.1(1)
Device Manager Version 7.1(2)
why my VPN setup is not working correctly. The device is an ASA 5505 running IOS version 8.2. It has a license for 2 SSL VPNs, and 25 IPSec VPNs. The previous admin had set up both but only the SSL VPN apparently works. I attempted to set up my own IPSec VPN using the ASDM wizard, with an IP range of 192.168.40.10-50. I am connecting from a Mac, 10.6. My local network (home) is a standard 192.168.1.0/24; the remote networks are 192.168.2.0 and 192.168.3.0. I tried connecting using the built-in Snow Leopard client, and although it said I was connected I couldn't actually contact anything on the corporate LAN.
I am experiencing a problem on a Catalyst 4510 (cat4500-ipbasek9-mz.122-53.SG.bin) with 802.1x configured. Client PCs are connected via a mini desktop switch to a Cat 4510 switched port in multi-auth mode. The configuration of the port follows:
!
interface GigabitEthernet2/34
 switchport mode access
 ip arp inspection limit rate 30
 authentication host-mode multi-auth
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 dot1x pae authenticator
 dot1x timeout tx-period 5
 dot1x max-reauth-req 6
 spanning-tree portfast
 ip verify source vlan dhcp-snooping
end
It happens from time to time that the Cat 4510 port stops passing traffic. Reconnecting the mini switch recovers the communication. Client PCs connected to the mini switch seem to be authorized at the moment when the problem occurs. The RADIUS Termination-Action attribute is set to RADIUS-Request. The problem is not present if "authentication periodic" is disabled.
I've configured a small WLAN for a school that wants to have wireless network access for their staff as well as for guests doing presentations. They want the staff to have access to everything on the 192.168.1.0/24 network as well as the Internet. They want the guests to only have access to the Internet. I have attached a picture which shows how the network has been configured with 4 Cisco AP1242G APs attached to a Cisco SF302-08MP PoE switch and then to a Symantec Security Gateway to the Internet.
I can authenticate wirelessly to the STAFF SSID and ping anything on the 192.168.1.0/24 network and access the Internet. I can authenticate wirelessly to the GUEST SSID and ping anything on the 172.16.1.0/24 network, but not anything on the 192.168.1.0/24 network (which is what we want). However, when on the GUEST network you can't access the Internet. I added a default route on the Cisco 302-08MP switch to 192.168.1.1 (Symantec firewall) thinking that would forward the traffic from 172.16.1.0/24 to the Symantec firewall and out to the Internet, but that isn't working. How would I go about getting the traffic from 172.16.1.0/24 to hit the Symantec firewall and the Internet, without hitting anything else on 192.168.1.0/24? Do I need to put the Symantec firewall in a different subnet like 192.168.2.0/24? Am I missing anything else? I've worked with Extreme Networks & HP / 3Com CLI in the past, but never with Cisco and never with web based management.
I have got 2 Cisco switches (a 3560G and a 3560X) connected by a trunk port. See config below:
3560G#sh run int gi0/26
Building configuration...
Current configuration : 130 bytes
I can't seem to get VLAN 79 through to the first switch (3560G). Beyond this switch there is a router which acts as default gateway for the respective VLANs. For VLAN 79 it is 192.168.79.1. I can ping this from the first switch but can't ping it from the second (3560X) switch, but I can ping 192.168.25.1, which also is the default gateway for this switch.
I have a licensing server. When other computers need to run a program, they send a message to the licensing server, and it responds that they have permission to run. Until today the licensing server was plugged into its own ethernet wall socket and configured with a static IP address. Today I put a router into that wall socket and now the server's plugged into the router. The router (WRT-54G) was set to the static IP, and now the internet on its network works. I set all ports to be forwarded to the server's internal IP address, and now my programs can detect and ping it. But now the server won't send back permissions to use licensed software, or even reply with a list of the software which it can license.
We have a Cisco ASA 5505; the 90.x.y.2/29 IP is assigned to the outside interface. We have one internal HTTP server, so I use static (inside,outside) tcp interface [URL] to forward all incoming HTTP traffic to internal HTTP server 1. Now we need to add a new physical HTTP server 2, so I would like to forward HTTP traffic to e.g. 90.x.y.3/29 to 172.16.0.11.
How can I do that? See scenario image (scenario.png) if needed.
We have an ASA5510 and we're currently using 1 internet connection to handle our site-to-site VPN connection and our internet traffic. We have a second internet connection on hand. What we would like to do is use BOTH internet connections: (1) will be dedicated to our VPN connection, (1) will be handling all our internet traffic. How can we get this set up? We're running Software Version 8.4(1).