Cisco VPN :: Unable To Use ASA 8.4.2 And U-turn For Remote Traffic?
Mar 13, 2012
I have a problem with ASA 8.4.2 and U-turn for remote VPN traffic that needs to exit from the remote VPN and then make a U-turn on the outside interface to enter another site-to-site VPN.
The interesting-traffic access list is modified as needed and routing is OK, but debug icmp trace 20 shows that the ICMP packet from the remote VPN client address to the host on the other side of the maintained site-to-site tunnel is going to the inside, not to the outside as it should.
S 172.17.1.2 255.255.255.255 [1/0] via Internet Provider, outside
ASA# ICMP echo request from outside:172.16.10.149 to inside:172.17.1.2 ID=1 seq=159 len=32
ICMP echo request from outside:172.16.10.149 to inside:172.17.1.2 ID=1 seq=160 len=32
ICMP echo request from outside:172.16.10.149 to inside:172.17.1.2 ID=1 seq=161 len=32
Whenever I select it and apply changes, then reopen, it has reverted back to the off position. I have removed all firewalls and software that could interact with it (disconnected it from the network whilst in this state). I have set the correct services to automatic as they should be. It is getting rather frustrating not being able to share my media across the home network. I can see and utilise other computers' media but none can utilise said computer's media.
I have a dell inspiron 1545 and recently the OS crashed. It was terrible I couldn't do anything not even boot up in safe mode. So my friend said they could fix it. They installed Vista Ultimate and managed to save all my files from my previous system but I can't turn on the wireless capability. When I hit the F2 key nothing happens.
I have a Higrade VA250D laptop. I have just connected a wireless adapter to my main PC, but when I try to connect the laptop to the wireless connection I get the message that "the wireless adapter is turned off. turn the wireless connection on by means of the switch usually found on the side or front of the unit or by means of the function keys". I do not have a switch anywhere on the outside of the laptop and I am unable to find a function key to turn it on. How do I switch the wireless capabilities on? I have checked in the device manager and it has a green tick and says that the device is working properly.
I am having to use my ethernet for my laptop, a Toshiba Satellite. I have a router and the other laptop in the house works but mine won't. Cox blames it on Toshiba and Netgear, and Netgear blames it on Toshiba. I blame it on Cox, who says for some reason my Toshiba won't allow the signal to be picked up. It goes elsewhere but not to my laptop. PS: is my Satellite burner capable or do I have to buy software?
I have a few ASAs with L2Ls in a hub-and-spoke fashion, works great. All ASAs are 8.2(1). I've tried to add remote-vpn to the HQ ASA. I have this working on a PIX 6.3 box at HQ, but have not been able to make it work completely on the ASA.
Just to check, I also set up remote client vpn access on one of the spoke ASAs, and that actually did go well. Applying the equivalent config on the HQ ASA - won't function.
The problem with the HQ ASA remote client VPN is that after completing phase 1 & 2, the traffic goes one way only, from the client side towards the ASA. I.e. the remote side only encaps, no decaps; the ASA side only decaps, no encaps. If the remote client pings a host on the inside (i.e. behind the HQ ASA) the packets arrive, and are returned towards the ASA (a correct route for the remote VPN network is in place on the inside host). However, it seems as if the ASA doesn't send that traffic back into the tunnel, but rather sends it unencrypted through the default route (doing a traceroute from the inside host, for instance, suggests this).
The ONLY way I can pass traffic towards the remote client is by initiating a ping from within the HQ ASA; it's the only time I get encaps on the ASA side and decaps on the remote side of the tunnel. Interestingly, it's actually the "ping outside 192.168..." that works; doing an "inside" ping fails. Compare this to the spoke ASA and its remote VPN client: there an inside ping is successful, but not an outside ping, i.e. the spoke ASA functions as expected with its remote VPN. Given that the configs on the two ASAs are the same for remote client access, I would have expected both to work, not only one of them. But then, the HQ ASA has more lines of code, and I guess that something there gets in the way. [code]
I have a game launcher which does not want to update because: "The system is unable to connect to the update server url... The Windows operating system has a proxy redirecting port 80 to your local machine port 8877. If you have a real proxy, make sure it is configured to allow port 80 .NET remoting traffic. If you do not have a proxy, you may have leftover problems from malware in which case you will have to disable the proxy on your machine." I have made many tests and I have no malware and no proxy! So, as the error message says, the problem is that port 80 is not allowed .NET remoting traffic. How do I allow it?
I have a customer which has a main location office and a remote one. Recently we interconnected their facilities using a local ISP service called Virtual Connectivity, which basically is a private network which can be accessed over ADSL or any other data circuit. They are using Cisco 888 routers to interconnect both sites. At the main site the customer also has an Internet circuit (with a Cisco 857 router) and he wants to remove the Internet circuit from the remote site and provide them access over their main location Internet circuit. At the primary offices, we installed a Cisco 2811 router as a gateway to route the Internet and remote network traffic over the required data circuit. Everything is working fine, but we cannot access the Internet from the remote location over the circuit installed at the main site. I understand this is a routing issue: once the traffic hits the main office network it does not know how to reach the Internet. I am assuming this routing must be set on the main office Cisco 888 router (installed by the ISP to interconnect to their private cloud) in order to properly route it over the Internet circuit. Since I already have access to the Internet router and the gateway router at the main site, but not to the ISP router, is there any other way I can make this configuration on the routers I already have access to?
I am having trouble making my remote access VPN decrypt traffic. I am using an ASA5510 and the Cisco 5.0 VPN client. I have no problem getting the tunnel to come up. But the "decrypted traffic" stays zero and the "discarded traffic" increments continuously. Here is the ASA5510 crypto config: OK, I guess this site doesn't allow pasting text so I attached the config. I am pretty sure that I can't pass traffic because I have not been able to figure out how to specify the interesting traffic for the VPN connection. What is the syntax for this? It looks like it should be some kind of tunnel-group commands.
Am I the only one who thinks that the Cisco documentation is worthless on this subject? The ASA config guide gives you everything you need to set up a tunnel, but has absolutely nothing on the config required to actually pass traffic.
We have a Cisco 2921 router at the head office (Easy VPN Server) and have been deploying Cisco 887VA (EasyVPN remote - Network Extension) for remote offices using EasyVPN. We are allowing Voice and Data traffic over VPN. Everything has been working great until this issue was discovered today:
When a remote user behind Cisco 887VA calls another remote user also behind Cisco 887VA, the call connects and Avaya IP phone rings but no voice in either direction.
Calls to/from head office and external mobiles/landlines are fine. Only calls between two remote sites are affected. As there is no need for DATA connection between Remote office, our only concern is Voice support.
I think "hair-pinning" of traffic over the VPN interface is needed. (Example configs etc.)
Is there any way to mirror a Cisco C3750 switch port's traffic to a remote host IP address? I know Port Mirror (SPAN/RSPAN) can copy one interface's packets to another interface. But I am looking for a way to mirror switch port packets to a remote host (having a public IP address and running Wireshark). Is it possible?
We are facing a strange issue in our network. We have a remote branch which is connected to the main branch using a leased line. The remote branch has a Cisco 1700 router. Every day in the morning the remote router is unreachable. We are not able to reach (ping/telnet) the remote router but are able to reach the L3 switch/LAN behind this router. The users from the remote branch are also not able to reach the local router but they are able to ping the main branch. Users in the remote branch are not able to access any resources in the main branch during the issue.
During the issue, we have checked the remote branch router and found the CPU utilization of the Cisco 1700 router is very high (99%). If we run the "show process cpu" command (please find the attachment), especially the IP Input process is very high (97%).
I have a Cisco ASA 5505, with basic 50 license, that is connected directly to the Cable Modem with a public IP. I have VPN configured and active on the Outside interface. When we connect, we connect just fine with no errors, but we are not able to access any resources on the remote network.
ASA IOS version 8.2(5) Remote Network IP: 10.0.0.0/24 VPN IP Pool: 192.168.102.10 - 25
I have two computers side by side, 192.168.1.7 and 192.168.1.8, both running XP Pro SP3. On 8 I can RDC to 7, but on 7 I cannot RDC to 8. I can see port 3389 listening on both using netstat -a. But 7 just can't RDC connect to 8. 7 cannot ping 8 either. I have the firewall turned off on 8; I had tried allowing RDC 3389 earlier with the firewall but that didn't work either. I don't have any extra firewalls running. Life will be like perfect if I can just RDC to 8. Both are on the same wired Belkin wireless router, 4' from it. I tried taking the no-ping, no-RDC computer to work and it didn't work there either.
I have the router configured for remote admin from the web outside the network, however I cannot establish a connection with the router. Other than adding the check mark and selecting a port, are there any other considerations for remote admin?
I have two ACS 5.2 running as primary and secondary instances respectively. When I try to delete a remote log target under System Administration > ... > Configuration > Log Configuration > Remote Log Targets I get the following error message: "The item you trying to delete is referenced by other items. You must remove all references to this item before it can be deleted".
I have searched the configuration within the web GUI and was unable to find anything that references the object that I'm trying to delete.
We have a VPN setup and here's the configuration on the Cisco ASA 5505: [code] The problem is that I'm able to ping the other side of the tunnel, i.e. 192.168.23.14, from the DMZ IP 172.16.1.2, but I'm unable to ping from the hosts behind the ASA. Also, the other side is able to ping the 172.16.1.2 IP but no IPs behind the ASA.
We have an ASA5510 with version 7.x and ASDM 5.x. I upgraded it to 8.3 and ASDM 6.2, and I got VPN peers 250 and 2 SSL. When I try to connect through the client software, I can see in the logs that the UDP 500 port connection is created as shown below.
Mar 31 2011 23:54:40 302015 220.127.116.11 57013 x.x.x.x 500 Built inbound UDP connection 56694 for outside:18.104.22.168/57013 (22.214.171.124/57013) to identity:x.x.x.x/500 (x.x.x.x/500)
No other things are going on, and I get the error shown below.
Secure VPN Connection terminated Locally by the client Reason 412: Remote peer is no longer Responding Connection terminated on.
I am suspecting it is a VPN-3DES-AES activation key issue. When I go to Remote Access VPN --- Advanced --- SSL Settings --- from the left Encryption panel, Available Algorithms, I have DES-SHA1; when I try to drag it to the right panel of Active Algorithms it gives me the error *** below: [ERROR] sl encryption rc4-sha1 des-sha1 The 3DES/AES algorithms require a VPN-3DES-AES activation key. Currently in the right panel of Active Algorithms I have only RC4-SHA1.
I am in a test environment using an ASA 55005 and a Cisco 2611XM router. The ASA is running version 8.4 and the router is running IOS 12.4. My VPN tunnel comes up but I am unable to ping between remote hosts. I used the ASDM and SDM for the configuration. Attached is a copy of both configs.
We have two sites, Site-A with a ASA 5520 (Remote Access IPSEC VPN server) at one end and a new ASA 5515-X at Site-B. Users at Site-B are unable to establish a VPN connection to Site-A via Cisco VPN client from behind the new ASA 5515-X. They see the following error:
"Secure VPN Connection terminated locally by the client. Reason 412: The remote peer is no longer responding."
They are able to access the same from home or elsewhere so I believe there is nothing wrong with Site-A ASA vpn config which we have been using for a while now. The new 5515-X (version 8.6) has a very basic config with all outbound traffic allowed. I'm pasting the config below. Do I need to enable/allow anything for it to work?
CISCOASA# sh run
: Saved
:
ASA Version 8.4(3)
!
hostname CISCOASA
enable password xxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxx encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.248
!
interface Ethernet0/1
 nameif backup
 security-level 0
 ip address
We have configured the remote IPSec VPN on a Cisco 1800 series router. The clients are able to log in to the VPN and access the local corporate network servers. But VPN clients are not able to communicate with other VPN clients using their VPN adapter IP.
Components used : CISCO VPN Client 5.7 Router 1800 Series
I am having issue with network connectivity between remote access (RA) VPN users and remote site VPN hosts.
Topology is: RA VPN laptop (192.168.200.3 /24) ---- internet ---- Head Office (ASA5505) -- LAN subnet 10.0.0.0 /24
SiteB (10.0.10.0 /24) ---- internet ----- Head Office (ASA5505) ---- LAN subnet 10.0.0.0 /24
From the head office there is no issue communicating with RA VPN and Site B hosts, but Site B hosts and RA VPN users cannot communicate with each other at all (ping fails too).
Site B is using a Cisco 867 router with an IPSEC VPN to the ASA5505 at the head office. I have added the ACL on this router to access 192.168.200.x /24 for VPN traffic and exempt it from NATing. When I enabled 'drop log' in the class-map in the zone-based firewall config, I could not see any ping packet come in, so I believe the issue is in the ASA5505 config.
At the ASA5505 I use a split VPN tunnel ACL and have included the subnet 10.0.10.0/24 as well as 192.168.200.0 /24. This split tunnel ACL is applied to both the IPSec VPN tunnel and also the RA VPN group policy. The ASA is using sw version 151-4.M5.
I have an issue where I can get traffic to pass from HDQ to two branch offices over our IPsec/GRE tunnels even though the tunnels appear to be UP. The HDQ is a 2811, branch is a home office using an 871W and branch2 runs a 2801 router. I initially had HDQ working fine with the 871W but when I configured branch2 (2801), they both broke. The tunnels appear to be up but traffic is not routing across them. The two 2801 routers run 12.4 (c2800nm-adventerprisek9-mz.124-24.T2.bin). These are GRE over IPsec tunnels. Currently traffic flows over an existing MPLS network that we are getting away from due to cost. As soon as I change the routes to point to the tunnels, it breaks. Traffic doesn't appear to pass through the tunnel. I have attached my sanitized configs.
HDQ#sh crypto sess
Crypto session current status
Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: 126.96.36.199 port 500
 IKE SA: local 188.8.131.52/500 remote 184.108.40.206/500 Active
 IPSEC FLOW: permit 47 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
 Active SAs: 4, origin: crypto map
 IPSEC FLOW:
I'm facing a DHCP lease issue and it's like this: our Cisco 2951 edge router is configured with a local DHCP pool for a set of remote users when they connect through Cisco VPN, which was working fine until we planned to change it to a Windows box that is configured for DHCP. The basic idea now is to relay the DHCP requests that are coming from the remote clients through Cisco VPN to the Windows DHCP server. So we added the scope on the server and changed the client config on the router as follows (highlighted is the DHCP relay config). [code]
I have a weird problem which I have already submitted a TAC ticket about. When users authenticate through AnyConnect into our HQ ASA 5510 they grab an address from 172.16.254.x. What we have been noticing intermittently is that when logged into our network through the client they are unable to access their resources at one of our remote offices which is connected over l2l to the HQ ASA. This problem just started randomly a week ago and we have been working with Cisco trying to create a solution.
My quick fix is logging into a device at the remote office which is trying to be accessed and pinging the gateway of the virtual subnet for AnyConnect users. When I ping 172.16.254.1 it goes through after a few dropped icmp packets and then the issue is resolved for about 8 hours or so.