Cisco VPN :: VPN Tunnels Monitoring On ASA5510 With IOS 7.0
Jul 8, 2012
VPN Tunnels Monitoring on ASA5510 with IOS 7.0 (Monitoring through Nagios Server). I want to use Nagios to monitor each of the S2S tunnels built on the ASA 5510. I can use ICMP on Nagios by adding the Nagios host to the IPsec network of each tunnel, but in that case the change needs to be done at the other end of the tunnel as well.
Sep 22, 2008
I'm trying to monitor tunnel activity. We want to gather statistics like bandwidth utilization per tunnel and, in the case of Remote Access, also the user name associated with a tunnel. All this via SNMP.
I've browsed through the Cisco-IPSec-Flow MIB and found the TunnelTable; this seems to provide everything I need in regard to tunnels. I just need a tip on how to calculate or obtain the bytes Tx and Rx. I can obtain packet and octet amounts but not actual bytes. Is there another OID I should be querying?
In regard to Remote Access I found the CRASSessionTable. From here I can obtain the group associated with the tunnel and I should be able to obtain the user name through the 1.3.6.1.4.1.9.9.392.1.3.21.1.1 OID, but I'm getting an Unsupported response when querying this particular OID.
What OID can provide the User name?
I know that Cisco Performance Monitor can in fact obtain all that info from the ASA so there must be an appropriate OID I can query to obtain this particular info.
Jun 27, 2011
I have 3 tunnels established (full mesh) with 3 Cisco ASAs (all Security+), through the Internet: Site A: ASA5510; Sites B & C: ASA5505. There is no main site or client site; each site has more than one network behind it. So I'd like to set up OSPF between all the ASAs for them to exchange their routes within the tunnel. I thought this was automatic when establishing the tunnel, but it isn't.
Jan 15, 2013
I need two VPN tunnels from one ASA5510 to two customer endpoints but with the same host on the remote side; the two tunnels are for redundancy reasons. Can I just configure two tunnels with the same host on the remote side and assume the ASA will understand to just use one of the tunnels when both are active, or the one left when one is down? Or do I need extra configuration for that?
May 13, 2013
How to configure a Cisco ASA 5510 for multiple IPsec tunnels? On the other side is a Cisco 2801.
May 2, 2013
We have many VPN tunnels back to our corporate office. All of these tunnels are very slow (same with our client VPN's). Our main firewall device at the corporate office is an ASA5510. We have a 100 Mb/sec Metro Ethernet internet connection here. We do not allow split-tunneling.
Our remote sites vary. We have DSL connections, cable internet connections, and other types of broadband that vary in speeds from 5 to 100 Mb/sec (up and down). The remote sites mostly have PIX 501's, but we have an ASA 5505 in one of the locations.
To take an example. On one of our remote sites that has a 100 Mb/sec connection, if I ping device to device, I'm getting ping times of about 50ms. And I'm pinging back through another 100 Mb/sec connection. If I get on a computer down there and run a speed test, I'm showing down speeds of about 1.5 Mb/sec... nowhere near 100. Some of that could be due to the lack of split tunneling, but I also suspect this could be an MTU issue.
Right now, all my MTU's are just set to the default 1500. Perhaps this is too high. I used this site to check my max: [URL]
I did a few tests from behind several of my firewalls. I pinged from a machine on one side of the tunnel to the firewall on the other end. I'm assuming the max MTU I come up with is the max MTU for the firewall I'm behind while pinging, right? The max amounts I came up with for some of my devices were as follows:
Corporate ASA 5510 > 1272 (if you add the 28 byte packet header that would make it 1300)
Remote PIX 501 > 1416 (if you add the 28 byte packet header that would make it 1444)
Remote ASA 5505 > 1418 (if you add the 28 byte packet header that would make it 1446)
So, do I just need to set my MTU values to the appropriate amounts? I have tried changing the value, but I don't see any change in speed/performance. But I also don't know if I need to reboot the firewalls after changing the MTU. I know with Catalyst switches, you have to reload. But I didn't see any messages about needing to reboot on the ASA's/PIX's.
Dec 4, 2012
Question on ASA VPN tunnels. I have one ASA 5510 in our corporate office, and I have two subnets in our corporate office that are configured in the ASA in an object group. I have a site-to-site IPsec tunnel already up and that has been working. I am trying to set up another site-to-site IPsec tunnel to a different location that will need to be set up to access the same two subnets. I'm not sure if this can be set up or not; I think I had a problem with setting up two tunnels that were trying to connect to the same subnet, but that was between the same two ASAs. Anyway, the new tunnel to a new site is not coming up and I want to make sure it is not the subnet issue. The current working tunnel is between two ASA 5510s; the new tunnel we are trying to build is between the ASA and a SonicWall firewall.
May 15, 2011
I have a setup with a pair of ASA5510s on the central site, and approx 20 sites with ASA5505s. A couple of networks are configured as site-to-site tunnels to every remote site. It's very stable, but for the last year or so occasionally one of the tunnels goes one-way. Just like one of the NAT exceptions suddenly stops working. I can see the remote side transmitting packets, but no answer. The central site is running 8.22; I want to upgrade but have to mount more RAM. The only cure I have found is to reboot the central pair of ASA5510s, not very popular as all 20 tunnels go down.
Jun 6, 2012
The ASA 5510 has two models, Bun-K9 and Sec-Bun-K9. From the datasheet I found the differences are port-related and redundancy. My question is: is there any major difference in security services between the two models?
Aug 16, 2012
My ASAs have the following versions: ASA Version 8.4(3), ASDM Version 6.4(7). Do I have a chance to configure a site-to-site tunnel with a hostname as the peer address when I use Identity and CA Certificates?
Dec 14, 2011
I set up a full mesh LAN-to-LAN VPN for a client with 4 sites. Each site has an ASA 5505 running 8.2(5). Site-to-site VoIP traffic runs in the VPN tunnels, as well as traffic to/from a file-server located at the main site. There are two back-up servers, one at the main site and one at a remote site. The main site has 2 bonded T1s and the other three sites have a single T1. How should I go about setting up my QoS?
My top requirement is that VoIP traffic will never be pushed out of the way for data traffic. My secondary consideration is to give more preference to file-server traffic than to web traffic and to make back-up traffic the least important. I'm currently researching to see if the VoIP provider is DSCP marking EF on the VoIP traffic, but I am going to assume they are for now. I know the IP of the file-server and back-up servers.
Feb 20, 2013
Is there a recommended number of GRE tunnels that Cisco 2921 ISR router with default configuration (512MB DDR2 ECC DRAM) can support?
Jun 5, 2011
I have read that the cisco 1841 can handle up to 100 VPN tunnels by default. Can this IOS version handle SSL VPN tunnels as well?
May 7, 2008
Configuring MPLS over GRE tunnels. I did not find any proper configuration example. I need to do this to encrypt the traffic between two PE routers. I have 7609 routers.
Jun 20, 2012
I am trying to set up a VPN tunnel between a PIX and an ASA. I went through the IPsec site-to-site wizard using the same settings but I cannot ping hosts from either side.
Here is the setup
ASA 5520
Device Manager 6.4(5)106
Software version 8.0(5)
Inside network 10.0.0.0/24
Inside IP 10.0.0.1
[code]....
Sep 10, 2012
I have an ASA5515 and our remote sites, which have a mesh topology of VPN. At some times of the day router to particular links are down due to the ISP core, but the tunnels from the same firewall can communicate to other sites. Is it possible to have a way where you could route traffic to another ASA which has a connection to both the ASAs which want to communicate and have the traffic hairpinned? I know this is possible, but is it possible to make this automated?
Jul 7, 2011
I have a Cisco 1921 and it has 2 VPN IPsec site-to-site tunnels up and running. Let's say the tunnels go from the Cisco to Site A and Site B.
Now I want Site A to reach Site B through the existing tunnels. I'm guessing that static routes may be the answer but I can't seem to get it working.
The LAN networks are as follows:
Cisco: 192.168.15.0/24
Site A: 192.168.0.0/24
Site B: 10.27.27.0/24
At Site A i have set up a static route as follows:
Traffic destined for 10.27.27.0/24 Go to gateway 192.168.15.1 (the default gateway of Cisco LAN)
At Site B i have set up a static route as follows:
Traffic destined for 192.168.0.0/24 Go to gateway 192.168.15.1 (the default gateway of Cisco LAN)
Jun 13, 2012
We have multiple sites that have either fiber 20mb d/u or cable 50/10 d/u. Recently we have upgraded our head end router to a 2921 security based router and noticed that no matter if we are sending or receiving the most we can push is 1.6Mb. I would expect this number to be at least 8Mb for uploading and at least 18mb for downloading from other sites. I have included parts of my config and screenshots of bandwidth usage for troubleshooting. [code]
Jul 17, 2012
I am having an issue where the GRE tunnels are up/up but are not pingable. The GRE tunnels are on Cisco 1811 and Cisco 2811 routers. The tunnel source and destination IP addresses are private addresses. These private addresses are pingable to each other and they are connected via IPsec. The IPsec tunnels are generated from the ASA to which the Cisco routers connect. Probably the tunnels are up/up because keepalives are not configured. But I am still not able to see why I can't ping the end points. The ACL for IPsec in the ASA includes the "permit gre host <Private IP 1> host <Private IP 2>" commands.
Nov 5, 2012
My current setup is 1 HQ router (2911 ISR) and 8 site offices with a non-Cisco router. Each site has an IPsec tunnel back to the HQ router. All of the site routers have a dynamic external IP address. This setup has worked OK for now, but I would like to look at moving to GRE tunnels so traffic from the sites can be routed to each other. I have read up on the configuration and I can set up an IPsec GRE tunnel in test labs using a static IP address on the spokes; however, I have not been able to find any documentation on how to configure the HQ router to allow the tunnels from any IP address. I did try setting the tunnel destination to 0.0.0.0 on the HQ side but this does not work.
Mar 22, 2012
I am employed at a credit union with 17 branches. We have an MPLS circuit connecting the branches to our main office. I set up DSL as a backup connection. I have 17 RV042 Cisco VPN Routers. I created a secure VPN tunnel for every branch to the main office. I made a delayed route in our main router to fail over to the VPN, in case the MPLS failed. Almost everything works great except our ATMs are required to connect to a router at our main office on a different subnet than the one the tunnel is connecting to, therefore not routing through the tunnel. I've tried creating another tunnel but it only works with one of the branches, because I get a conflict at the main office when I try a second tunnel with the same IP network. Also I tried routing all the traffic through the VPN by putting in the address 0.0.0.0 subnet 0.0.0.0 at the branch site. But I can only do that for one branch; the Downtown Cisco won't let me create another tunnel with that setting.
Jun 12, 2012
I have problem with topology view in LMS 4.2.1, it doesn't show the tunnels connecting branches, though both devices are shown in sh cdp neighbour command output. If I choose Show Devices in Admin > Collection Settings > Data Collection, it is showing cdp neighbours correctly.
Sep 9, 2012
I have been tasked by my boss of finding out and implementing a solution of building GRE tunnels from 2 4408 Wireless controllers system for a guest wireless network. I am but a low CCNA wireless, working on getting motivated for CCNP wireless, but I didn't even know if this was possible and if it was where to begin. I have been reading configuration guides but figure I should ask the wireless experts of the world of Cisco.
May 26, 2013
My company paid for a Cisco 1941 SEC/K9. There is no SSL VPN licence. I would like to know if I can configure IPsec tunnels on my router.
In this case, how many IPsec tunnels can I configure?
How do I configure IPsec tunnels on my router?
Nov 13, 2012
I have an ASA 5510 running ver 8.0(2) that has (4) IPsec tunnels going from it to various other locations. I am having an issue with data transfer speed on only one of the tunnels. This tunnel is between the 5510 and the 5555; on that link I am getting a data transfer rate of a little over 120k a second, whereas if I pull the same set of files from another location I am seeing a transfer rate of 5m per second.
I have verified that it is not a capacity issue on the Internet bandwidth on both locations, and I can pull the same data from the same location to various other locations via Ipsec tunnels, I am only having an issue with a specific tunnel going from the 5510 to the 5555.
Since it is not affecting other tunnels on the 5510 nor is it affecting tunnels on the 5555 going to other locations, I am leaning toward a routing issue within the ISP? I will say the ISP is taking me a long way around to stay in the same Metropolitan area.
May 14, 2012
We are planning on offering low-end ASA 5505s as a customer offer to connect their network to our cloud, as this is a business requirement. However, one of my colleagues is convinced that the license for the 5505 is *not* based on the number of IPsec endpoints, but the number of distinct connections via *any* tunnel. So, according to him, if you have a license for 10 IPsec endpoints, if you have 11 people connecting via *one* tunnel from a customer's network to our cloud, you go beyond your license.
Jun 13, 2013
We are testing an ASR1002-X which acts as LNS for L2TP tunnels.
- All tunnels are UP (sh vpdn all return list of tunnels)
- VirtualAccess interfaces are UP
- C routes are added in routing table
but pinging remote IPs doesn't work! [code]
Sep 27, 2011
We have 2 Cisco ASA 5520 configured as Active/Standby with public IPs 68.171.xxx.xx6 and 68.171.xxx.xx7 respectively. We have 3 different vendors who are trying to access our Data Center. Do I have to have 3 different public IPs for these 3 different vendors? Or, just share the public IPs assigned to our 'Outside' interface?
Feb 24, 2010
I have an ASA 5510 at Site A with a L2L tunnel to another site, Site B. Single subnet at each site. In a few weeks we will be adding a second Internet connection to Site B, so both connections will be active. But we want traffic to go over the new connection unless it goes down, then use the other. How do I set that up on the ASA so it doesn't get confused as to which tunnel to take to get to the Site B subnet?
Mar 1, 2011
How many GRE tunnels (without IPsec) can a 7206 router support? I have 2000 low-bandwidth links and I want to configure GRE tunnels for them.
Aug 12, 2012
Does the 2911 router support the ability for Netflow V5 to pass through GRE tunnels? I can't seem to find any documentation that indicates this.
Apr 1, 2012
I have trouble with 2 IPsec tunnels on a Cisco ASA 5510. Both of them are site-to-site tunnels. Both of them are established against the same public IP address on my site. It looks like they cannot run steadily at the same time. It looks like when one of them is active, the other one cannot come up. Is it some kind of limit of the Cisco ASA?
Feb 19, 2012
I am building new VPN tunnels for multiple sites using 2 ASR 1004s and 100 remote devices (Cisco 2800 routers). I am thinking of using GETVPN to do it; am I thinking correctly? Can I use DMVPN?