Cisco VPN :: VPN Connections Fail When ASA 5520 Running IOS 8.41?
Sep 20, 2011
I have an ASA 5520 running, user web trafic, incoming VPN and systems NAT for DMZ services. Nothing new for a standard firewall. I have upgraded the memory in it to 2GB, per Cisco so that I could install and run IOS 8.41. I have uploaded the both the IOS bn image and the ASDM 645 image and set it as the primary boot file. When I reload the ASA, everything boots fine, no errors and all traffic appears to be working fine.But here is my problem:ALL the previously configured VPN sessions will connect to the ASA and show that they are passing traffice (TX and RX increments through the monitor) but if I try to access a device on the other side of the VPN or they try to access services in the corporate network, the connection fails. Ping works, So I know I can reach the devices and the tunnel has been correctly created, but nothing else, . I did not change anything in the configurations for the VPN connectors.But, if I reload the ASA with the 8.21 version image, everything works just as before and all connections are good.
View 3 Replies
ADVERTISEMENT
Jun 29, 2011
I have a pair of 5520s running 8.2(3) in failover active/standby, routed mode. I have an issue with SSH as it's stopped worked after a short time, less than 8hrs during the network being installed, telnet is working fine as is https/asdm. I have re-created the crypto key and the ssh access is allowed. When I try to connect I just get a flashing cursor, telnet to the ip and port 22 also works.
View 1 Replies
View Related
Sep 18, 2012
We have a second ASA 5510 that is suppose to be a hot standby. I need to find out that, as a hot standby, does it have to have the same licenses as the ASA that it backs up. We purchased 50 SSL VPN licenses for that unit. If it fails over, we need to make sure the failover asa can allow SSL VPN connections.
View 3 Replies
View Related
Mar 7, 2011
I have an asus K52f laptop running windows 7, and i cant connect to my schools wifi router, some Cisco model. However i can connect with my iTouch and most apple computers can connect. My friend who has an HP on Win7 was able to connect. I asked him how and he said something about changing the properties of the network card so it was on cisco. Im not sure what he meant, and when he tried on my computer he said i needed to update the card something
View 3 Replies
View Related
Feb 22, 2012
I have a IOS firewall on a 2921 router, zone-based config. The remote and main sites have Cisco WAAS , running 4.4.1 software. I am using WCCP redirection on the WAAS/router combination. If I leave it off the firewall passes SSH correctly to the devices on the other side of the firewall. If I enable WCCP the SSH connections fail. The SSH to the router itself is fine, I am not using the self zone for router protection. I had seen a few posts on WAAS but the only one mentioning a config statement in the firewall was on 4.0 WAAS and the command is no longer on the IOS firewall. Is this supposed to work transparently or am I missing a config?
View 2 Replies
View Related
May 19, 2012
We have a site with two inbound circuits, one for internet and one for our MPLS. Each circuit is being terminated by a 2921 Router and matching ASA 5510 Firewall. For the internal network, the Internet ASA's inside interface (172.16.0.1) is the default gateway for all hosts. OSPF is the routing protocol between all the routers and ASA's and routing is working. In fact, ICMP is working as well. From an inside host (172.16.0.81), we can ping anything on the MPLS network. But when I try to use telnet (for example), the connection fails. If I add a route to 10.10.10.0 to the host, or re-configure the host to point to the MPLS ASA (172.16.0.254) as it's default gateway, connections will establish.
Both ASAs are running 8.4(3), and have the following commands:
same-security-traffic permit intra-interface
interface Ethernet0/0
nameif outside
[Code]....
And from the MPLS nodes, I can see a tcp request is made.
View 6 Replies
View Related
Dec 3, 2012
I am having problems with these types of 3G cards(EHWIC-3G-HSPA+7) from Cisco.We are using them on ships where we have a SAT connection and the 3G connection. Fail over between the two connections are handled by an IP SLA echo and a track on the cellular interface, towards an public IP where we have configured a static route to via the Cellular interface.
Once configured the connection comes up fine, the VPN tunnels comes up and all is good.But after some time the connection dies, the track goes down because no data goes through.a sh cell 0/0/0 all however say that the profile is active.
View 1 Replies
View Related
Jun 21, 2011
I am currently using g0/3 for failover between my two ASA5520's. I would like to move that to the management interface to free up g0/3 for a second DMZ segment. are there any implications to doing this live other than i would only have a single ASA during the move?
View 1 Replies
View Related
Dec 29, 2011
I have a 1941 router with the security licence. I am setting up both a T1 wic that connects to my enterprise MPLS cloud and one of the two gig interfaces that will connect to my home office through a VPN tunnel to a ASA 5520. I have tried multiple solutions though my gues is that I am making this WAY more difficult than it needs to be. What I am trying to create is a primary on the serial interface and then a failover through the VPN.So far, I have tried to:
-Track the serial interface and then set the default route, based on the tracking
-Create an IP SLA to echo the gateway of the serial interface to change the routing
-Started to create HSRP between the two interfaces though I could not figure out if / how a standby could be put into a sub-interface on the serial
The SLA seems to be working somewhat. The problem is that it is not transparent and sometimes even needs me to clear the VPN tunnel to get things back to smoothly through the serial interface. [code]
View 1 Replies
View Related
Jul 21, 2011
last night we tried to upgrade our cluster (2x ASA5520) from 8.0(4) to 8.2(3) and failed miserably.
1. Both units got the new image, but when we reloaded the secondary unit then we got the following strange message:
"Mate's license (10GE I/O Enabled) is not compatible with my license (10GE I/O Disabled). Fail over will be disabled."
After this message fail over was not there anymore and both units became active (!!!) which killed everything. Of course ASA5520 doesn't have 10GE and we have exactly the same units. What could be the problem here? Currently we run with a single unit with 8.2(3) and the secondary unit is switched off.
2. After the upgrade we cannot connect with multiple VPN sessions from the same client, this gets logged:
"Multiple sessions per tunnel are not supported"
This was working just fine with 8.0(4) and doesn't work with 8.2(3). Do we have to update something in the config or what is causing this? If you ask why we went with 8.2(3) instead of 8.2(5) then the answer is because we were testing that for several month in our secondary data center, but unfortunately only on a single ASA and not on a cluster. We couldn't go higher due to the 512MB RAM we have in all units.
And we had to upgrade, because we had crashes with 8.0(4) which was working fine for a long-long time.
View 7 Replies
View Related
Jul 16, 2012
we have a situation that we need to run ASA as a router. we have two sites connected via a private p2p link, we also have ASA5520 in each site and we have L2L IPsec tunnel over Internet, we want to failover to IPsec over Internet pipe in case p2p link fails. With BFD/OSPF this design works at L3 level. But we have problem to keep existing TCP connections when failover happens, the reason is, I believe, when ASA sees a new connection coming in without seeing SYNC flag in the packet, it will not create a connection entry and drop the packet unless a new connection is initiated from either side. So my question is, is there anyway I can configure ASA to behave more like a L3 device, ideally to turn off L4 checking for IPsec traffic?
View 4 Replies
View Related
Feb 28, 2011
I have a Cisco ASA 5520 running 8.2.2 with the VPN Plus license. I am wondering what is the max number of sub-interfaces you can have on a physical interface. I know on the 5505 it was 20 sub-interfaces if you were running the Security Plus license. What is the magic number for the 5520. I have hit 20 sub-interfaces on gi0/1 interface and now I am starting to run into problems with sub-interface #21.
View 1 Replies
View Related
Jun 3, 2012
The customer forgot the password for the ASA SSM-20 ips module installed in ASA 5520 Fw.show module in customer FW shows it up state. I brought it to our office teat bed. here it show
ASA1# sh module
Mod Card Type Model Serial No.
--- -------------------------------------------- ------------------ -----------
0 ASA 5520 Adaptive Security Appliance ASA5520-K8 JMX1022K03A
1 ASA 5500 Series Security Services Module-20 ASA-SSM-20 JAB101003C2
Mod MAC Address Range Hw Version Fw Version Sw Version
[code]....*-
what to do with this module in my test bed.I have to take it back to the customer site to use it in their ASA itself to troubleshoot.There it the status is up and i did use all the hw-module option but no use. The version is 5.0. This module is more than 5 years old and so far no one upgrade the image. ASA 5520 running 8.2.5.
View 8 Replies
View Related
Jan 30, 2012
I am trying to setup an active/standby failover with 5520's running 8.4(2) and am having problems with it not dropping connections during the failover. I am using a portchannel from the switch to each ASA and using sub-interfaces off that. I'm using the command Failover mac address Port-Channel1 “mac-address on primary Port-Channel1” “mac-address on standby Port-Channel1”.The command goes through but doing a show interface port-channel1 doesn't show a change in the mac address on the secondary unit after a failover when it becomes active.
View 3 Replies
View Related
Jun 22, 2011
I am trying to figure out how to create an etherchannel with sub-interfaces on an asa 5520 running 8.4.1 code. It doesn't seem to allow me to configure any type of sub interface on the port-channel or anywhere else once I create it.
View 4 Replies
View Related
Sep 12, 2012
On the ASA5520 we would like to create a report that gives us trending over 6 monthes for the amount of people logged in via the SSL VPN and for how long. Is there a way to do this on the ASA5520? Does it have this ability? Could I do this in SolarWinds? My boss mentioned a software package that Cisco has that will show a history - is this correct?
View 1 Replies
View Related
Apr 25, 2012
Currently we are using a single connection to our ISP and in the coming months will be moving to a two seperate connections (to same ISP). In our current setup we utilize active/passive ASA's (5520, single context) and would like to utilize that going forward as well, the reason being is our DMZ's all hang off of these ASA's and we have fiber connectivity between our datacenters.Our main datacenter and DR Datacenter are basically one big LAN with fiber between them, so we have our DMZ networks at both locations currently with both terminating in our ASA's. That way if the ASA at our current site fails the DMZ's are still accessible via the secondary firewall at our DR facility.
View 1 Replies
View Related
Jan 13, 2012
I have a remote office that currently connects back to a Central data center via Site to Site VPN. I am bringing up a 2nd internet connection as a fall back in the Remote Office. How do I configure the Site to Site VPN to work correctly so that if the primary internet connection goes down, the site fails over to the secondary? On Remote the internet connections are from different providers so they have completely different blocks of public IPs.
Central
ASA 5520 8.0(4)
Gig 0/0 Public IP
Remote
ASA 5520 8.4(1)
Gig 0/0 Public IP
Gig 0/3 Public IP (2nd internet)
View 1 Replies
View Related
Jun 5, 2013
how many active TCP sessions my ASA has but having a hard time finding this information. When I do "show conn count" from the CLI it shows what I'm guessing is a sum of both TCP and UDP. Is there any way to get just the TCP connections?
View 3 Replies
View Related
Jan 16, 2012
I have one ASA5520 with version 8.4(3), and a few ACL rules defined. One ACL is permit traffic from one interface(EXT_SERVICE) to another interface(DMZ_SERVICE), if i change that rule to deny traffic, all new connections that match the rule is denied, but no the established connectios. ¿Why the established connections can pass the deny rule? ¿How I can change that? I need create a ACL with deny type and stop all comunications that is running and match the deny rule.
Running-config of my ASA5520:
ciscoasa# show run
: Saved
:
ASA Version 8.4(3)
!
hostname ciscoasa
enable password 8ay2wjIyt7RRXU24 encrypted passwd 2wFQnbNIdI.2KYtU encrypted names !
interface GigabitEthernet0/0
[Code] ........
View 9 Replies
View Related
Apr 14, 2012
I am using asa 5520 and asa 5540 for remote access vpn connections. Is it possible to do active monitoring of my vpn connections so that there would be alerts for vpn tunnels that fail to establish due to other reasons other than user authentication?
View 5 Replies
View Related
Feb 22, 2012
We have two Cisco 2960 TT-L switches. I'd like to reduce single points of failure and have dual servers for most tasks. For example, two firewall servers and two web servers. Should one server fail the other will act as a failover.I'd like to extend the redundancy to the switches, and am thinking of connecting one web server to one switch, and one to the other. In the event a switch failed a set of servers would still run, and be able to talk to each other.I'd like to run two VLANs, one for the LAN, and one of the WAN, and connect the two VLANs on each of the switches with the associated VLAN on the other switch.
View 3 Replies
View Related
Oct 10, 2012
I have the ASA5520, everyday I have a lot of connections through my ASA5520. But buffer in ASA5520 to save connections is limited. Now, I want my ASA can auto save the conn detail and Xlate to my Syslog server, how can i do that?
View 3 Replies
View Related
May 25, 2011
I currently have the default inspection engine configured in my firewall to inspect http traffic. I noticed that the ASA will drop packets when visting legitimate websites. I've tried googling for a workaround but have been unsucsselful. How can I exclude some websites or IP's from being affected by the inspection engine?
View 1 Replies
View Related
May 23, 2013
What are the possibilities that exist for running a site to site vpn in our environment with the following infrastructure Cisco ASA 5520 - running on a multiple context mode
-Cisco 3750 switches
-Microsoft TMG
I believe these options are limited in terms of providing end point for VPN.Is there a VPN module that we can buy for 5520 to run IPSEC VPN?
View 2 Replies
View Related
Jun 11, 2013
I have 30 switched in my corporate network it’s all up and running all switches running by default configuration and connected to WS-C4506 core switch our dhcp server pooling 192.168.100.1/27 network. Now we need to configure new Vlan for finance department this department has more than 200 users. If my server distributes 192.168.200.0 range ip can vlan2 automatically assign ip 200.0 addresses to finance department.All switches running default config no ip address assigned.
View 9 Replies
View Related
May 7, 2013
I need to replace an existing ASA 5540 with a new ASA 5525X. I would like to pre-stage and configure the new box with the existing config, migrate license and export certificate files before swapping it with the old one during a change window. The new firewall will run 9.1 on deployment. Now the same 7.2(4) cannot just be copied over to 5525X running the minimum 8.6 version. There is a Web based tool available at [URL] according to Cisco documentation but the page does not load for me (Cisco intranet only tool ?). Is there another tool for automatic conversion ?
View 3 Replies
View Related
Feb 2, 2012
Cisco 891 configuration Details: [code] I could connect to the Giga bite thernet wan, based on above configuration.When I test on FastEthernet8 for the secondary ISP connection it will not go through the internet.
View 17 Replies
View Related
Nov 27, 2011
I tried to backup ACS 5.1 but i found error messages as below
acs backup25Nov11 repository 25Nov11Repository
% Repository not found
% Error: Invalid repository name 25Nov11Respository
Please use a configured repository.
View 2 Replies
View Related
Feb 19, 2013
I have just started my installation of Prime 1.2. I have the OVA loaded (NCS-APL.1.2.1.12-K9) and I went through all of the setup. I have the webpage loaded but unable to get past the Root login. I then tried to change the password using the "ncs password root password password" command but get the error message "Execution failed: Cannot find user: root". I have seen some people talking about the wrong OVA file but that was for Version 1.1 I think.
View 1 Replies
View Related
May 6, 2013
we installed a new CPI 1.3. Both machines are in the same subnet and close to each other. Everything looks fine and is installed as we see in the config guide.When we halt the VM of the primary Server, the backup takes over but with errors. I'm also not able to login! [code] my colleauges did the same a few days ago also with problems or similar problems and restore the server from backup.
View 2 Replies
View Related
Mar 12, 2012
I am attempting to register QPM 4.1.5 into LMS 3.2.1 Portal, under Home Page Admin - Application Registration but It fails.It seems to be a bug where it puts the details in the wrong place when submitting the info.
This is the output that it tries to submit obviously - Description, host name, port number and protocol are mixed up.You have selected the following application to be imported from the remote server. [code]
I'm not sure where to find the Tomcat logs or how much use they would be.
View 1 Replies
View Related
Feb 28, 2013
My client has two ASA-5500 in failover (8.4.4.1).To create AnyConnectVPN, the package must be uploaded on both machines - uncomfortable, but it can be accepted. The REAL problem is that the profiles (.xml file) are not synchronized.When I make a change of any of the parameters, after failover switching I loos alle the change.
View 1 Replies
View Related
