Cisco WAN :: 857 EZVPN - Cannot Ping Anything From Remote To Server

Mar 14, 2012

We have a VPN using 857 and 877 routers as remote connecting in to a 2800 EZVPN Server.

The VPN is working fine. However, the VPN connections sometimes (after a few hours/days) seem to "freeze". A "show crypt sess" shows the connections as Up/Active, but you cannot ping anything from remote to server, or vice versa, nor does any traffic flow. I then added an "isakmp keep-alive" on the 2800, which improved the situation a bit, but not as much as I hoped.

On the 877 I then implemented an IP SLA with Object Tracking, and then used an Event Manager to just issue a "clear crypto session". This solved the problem.

However, what do I do on the 857? It does not support Object Tracking or the Event Manager. Is there any other mechanism to monitor and reset these frozen/stale VPN connections automatically?


Cisco VPN :: 857 / EzVPN Sometimes Ping Only In One Direction Or Interface

Jan 14, 2013

I have lots of 857 routers in the field, mostly with the latest OS - 12.4(15)T17, making ezVPN connections to a 2951 with 15.1(4)M5. All the 857s have loopback and VLAN interfaces similar to:
 
interface Loopback0
ip address 50.43.8.1 255.255.255.255
ip tcp adjust-mss 1452
end

[code]....
 
Now lately, for some reason or other, we have instances where I can ping either the VLAN or the LOOPBACK interface, but not both. Or I have instances where the 2951 can ping all the interfaces on the 857, but the 857 cannot ping the 2951. Or I have instances where the 2951 cannot ping the 857, but the 857 can ping the 2951. The way I have been fixing this is either to add crypto ipsec client ezvpn SMS_VPN inside to the loopback interface, or, if it is there already, to remove it. This usually works for a few days, but then suddenly I have to reverse this again. If that does not work then I usually do lots of clear crypt sess and/or clear crypt ipsec client ezvpn on the 857, or clear crypt sess remote 857_ip_address from the 2951, and then suddenly it starts working again.


Cisco VPN :: Client Behind EzVPN Remote (ASA 5505)?

Feb 2, 2012

I try to configure a simple EzVPN infrastructure:
 
EzVPN Server (CISCO2811, hostname cme) < -- > EzVPN Remote (ASA5505, hostname ezvpn-asa) < -- > Client
 
Attached you find the configurations of both the EzVPN server and remote. The tunnel comes up, and if I ping from the ASA to the router, I see the packets getting encrypted:
 
ezvpn-asa# ping 172.16.100.1
...
ezvpn-asa# show crypto ipsec sa
interface: outside
Crypto map tag: _vpnc_cm, seq num: 10, local addr: 172.16.100.2

[code]....
 
If I connect a client with IP address 192.168.1.2 to the interface eth0/1 and do a ping to the cme, I don't see any packets getting encrypted. I don't have any idea about VPN, I just need it for a wireless lab environment. What do I have to configure on the ASA, so the inside traffic is encrypted?


Cisco VPN :: Cannot Access Remote LAN On EZVPN With DVTI 1841

Mar 18, 2011

I configured an Ezvpn server/client with client mode configuration on IOS routers with ver advipservicesk9-mz.124-15.T3.bin on ISR 1841 routers. My main issue is that once the tunnel is up I can't access the server side local LAN. However, I could see at each site that my ICMP traffic is encrypted or decrypted, but not both at the same time. However, I can ping from the server to the client IP address which is assigned by the pool (int loopback10000).

Also, once the tunnel is up I could see there's a static route towards the client side via the virtual-access interface and also a static route on the client side. I have already configured a SPLIT ACL on the server side allowing the required network access. Attached is the configuration of both server and client with all required show output.


Cisco VPN :: 2911 Remote Office With Dual ISP And EZVPN

Aug 9, 2011

I am attempting to get a solid setup for a remote office we have going up and I am running into little issues that I can't seem to get around.

Basically, we have a remote office that will have dual ISPs: one hard wired circuit from a local carrier, and the other will be a Verizon 4G router that plugs in via Ethernet and hands out DHCP to my Cisco router. The Cisco router is a 2911 with IP SLA configured. I have it set up to ping my DC out one interface and if that fails, it removes the default route and injects a new default route from the other ISP.

The problem I am having is with the VPN. I figured using EZVPN would be the only solution because the Verizon 4G only supports DHCP, so I have to be able to connect from a dynamic remote host. The other caveat is that failover needs to be seamless as we have no person onsite that can troubleshoot. It's fine if it takes a few minutes, but the VPN just needs to come back up on its own without any intervention.

I attempted to set up two different EZVPN crypto maps on the router but realized you can only have one inside cryptomap per interface, which would cause a problem with the internal network. I thought I could just create subinterfaces off the router to have two inside interfaces to work with, but that wouldn't have been supported because they would now be on different subnets.

I decided that adding an ASA5505 behind the router may be the simplest solution. Use the router only for the purpose of handling routing between the two ISPs and performing NAT out the interfaces. Then use the ASA to do EZVPN from. This works well but there are some issues I am trying to work through.

First, when the ISP fails over to the backup, the NAT translations have to time out before things start working again. For a constant ping, this is fine; I have the timers set down to 15 seconds for NAT timeouts and after 15 seconds the ping picks right back up again. However, this breaks the EZVPN. The ASA keeps trying to bring up the ISAKMP nearly every second, which keeps resetting the countdown on the NAT timeout for the remote EZVPN server. Because of this, the VPN will never come up until I manually clear the NAT translations on the router. So my first question is this: is there a way to adjust the timer that the VPN uses to try to bring the tunnel up? I tried the crypto isakmp keepalive command but that didn't work; it looks like it doesn't work with EZVPN.

The second issue is really with the IP SLA and is only an issue because of the first issue I mentioned. When the router first comes up after a reboot, both the primary and secondary interfaces come up. However, since the primary default route is only injected into the routing table once IP SLA is up and can reach its destination, the secondary route gets injected initially and the VPN comes up over the secondary ISP. In a few seconds, the primary default route is injected, changes the path and, because of the NAT translation, breaks the tunnel, and it never comes up again because of the first issue with the VPN tunnel renewing the NAT translation continuously.

I could easily go out and purchase a $100 Linksys router that will do the failover and clear its NATs and everything, but I need better reliability out of the hardware than that. There has got to be a way to do this on a Cisco device since consumer level equipment can.


Cisco VPN :: RVS4000 Connection Doesn't Establish / Cannot Ping Remote Server

Sep 6, 2012

I have an RVS4000 with client VPNs set up and have created all 5 users. The trouble I run into is that when one of the users attempts to connect to the VPN from a second device (i.e. the sixth device to connect to the VPN), the connection does not establish; it cannot ping the remote server (using QuickVPN). In looking at the logs, the device that isn't working is getting a different IP (172.16 vs 192.168). I know I'm limited to 5 users, but am I limited to 5 devices as well?


Home Network :: Remote Ip Address Is Updating DNS Server But Unable To Ping It?

Apr 20, 2011

I have a new SMC router and my local IP address and remote IP addresses are very similar. The remote IP address is updating my DNS server but I am unable to ping it. It's something like 122.61.xxx.1?


Cisco :: EZVPN Cannot Get Any Response From Server

Jul 24, 2012

I try to set up EZVPN server. I cannot get any response from server.


Cisco VPN :: EZVPN On Client Offices 2901 Server

Dec 3, 2011

I have the following problem configuring ezvpn for the following situation: 3 different locations - 1 HQ with a 2901 server and 2 offices with 861 clients.
Clients connect to HQ, and I do traffic between HQ and offices, but I cannot ping between offices (ping from 192.168.1.0/24 to 192.168.2.0/24 and vice versa).

The configs:
aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpn_xauth_1 local
[Code]....


Cisco VPN :: Does ASA5505 EzVPN Support Reactive Primary Vpn Server Feature

Nov 24, 2011

I am going to configure an ASA5505 as the ezvpn client, and configure a primary and secondary VPN server in the list. I find a feature that is supported by IOS router ezvpn; not sure it will be supported on ASA ezVPN?

Will the ezvpn fall back to the primary VPN server on the ASA if the primary is back online? The Reactivate Primary Peer feature allows a default primary peer to be defined. The default primary peer (a server) is one that is considered better than other peers for reasons such as lower cost, shorter distance, or more bandwidth. With this feature configured, if Easy VPN fails over during Phase 1 SA negotiations from the primary peer to the next peer in its backup list, and if the primary peer is again available, the connections with the backup peer are torn down and the connection is again made with the primary peer.


Cisco VPN :: 501 Intra-interface Command And Modifying Encryption Domain On EZVPN Server

Jun 30, 2011

If you have a head site with multiple EZVPN clients (PIX 501 & 515) connected in a star configuration, can you have one remote site connect to another remote site using the intra-interface command and modifying the encryption domain on the EZVPN Server?


Cisco VPN :: ASA 5520 - Communicate To EzVPN Client Side Internal IP From Server Side

Mar 13, 2013

I configured a Cisco ASA 5520 as a Cisco ezvpn server and a Cisco 891 as an ezvpn client. The configuration is working fine. I am using client mode on the ezvpn client side. But my question is, is it possible to communicate to the ezvpn client side internal IP from the ezvpn server side? And one more thing: what is the benefit of network extension mode on the client side, how will it work, and what possible changes need to be made on the server and the client side?


Can Ping From Server But Can't Ping To Work Stations

Jan 26, 2012

I installed Windows Server 2003 on an old Pentium III server as a standalone test server. Now I want to use it as a print server and connected it to the domain. I can ping workstations and other servers from that test server. But I cannot ping that test server from the workstations.


Windows 2003 Server - Dhcp Server Cannot Ping Client

Sep 29, 2011

I am facing the same problem now but am using Windows 2003 Server.


Cisco VPN :: Remote Access VPN On PIX 525 - Cannot Ping

Sep 13, 2011

Remote access VPN. It's configured on a Cisco PIX525 running ver 6.3(5) (old, I know!) and I am running Cisco VPN client ver 5.06.0160 on the client end. OK, so here's the thing. The client connects OK, and it gets an IP address no problem. But I cannot ping anything on the remote LAN. So the client is coming across the internet, the VPN adapter has a 192.168.1.1 address assigned by the PIX, and I am trying to ping the 192.168.0.4 address assigned to a switch on the inside of the firewall, but with no joy. [code]


Cisco VPN :: Cannot Ping ASA5505 On Remote Access VPN

Jul 28, 2011

I have an ASA 5505. I configured it for remote access VPN from the Cisco VPN client. The ASA receives a public IP address on the outside interface via PPPoE. I can connect to the public IP of the outside interface, and address 10.1.1.2 is assigned to my Cisco VPN client. The problem is that I cannot ping or reach the ASA internal IP address 172.16.29.1 in any way when I am in VPN from outside, while I can ping other hosts on 172.16.29.0/24 when connected in VPN. This is a problem because when I am connected in VPN to the ASA I cannot configure it. Then I wanted to ask if it is possible to have a configuration which gives addresses from network 172.16.29.0/24 (the same as the inside network) to VPN clients instead of another network (10.1.1.0/24). [code]


Cisco VPN :: ASA 5505 Can't Ping Remote Hosts

Jun 24, 2012

Configuring ASA 5505 to be able to ping remote host. Setup - We have a site-to-site (192.168.1.0/24 - 192.168.2.0/24) VPN setup with client VPN access (IP pool, 172.16.50.0/24) on the 192.168.1.0 ASA 5505. Issue - Not able to ping a host on 192.168.2.0 from VPN client 172.16.50.0, but able to ping a 192.168.1.0 host.


Cannot Ping / Remote Desktop Connect Via VPN

Sep 9, 2012

I am having a problem connecting to my work PC via VPN. Can't ping and RDP. I sometimes need to log into my work PC to check out a problem. I connect via VPN and I can access servers (using Citrix and local intranet sites) that can only be accessed once connected to my work domain. So it looks like the VPN actually works fine.

But I cannot Remote Desktop Connection to it. I also tried to ping the PC using a command prompt. Using the command prompt, I ping MyWorkPC and I can see that it tries to ping MyWorkPC.domain.name.co.za. So it looks like it sees MyWorkPC on the network. But all pings fail.

A work colleague tried to remote connect to MyWorkPC from his home PC and he can successfully connect. So I do believe that the work network and PC are set up correctly. I am running Windows 7 Ultimate SP1 (32bit) with a 3G dongle in a router. I also have Avast antivirus installed on my PC. I was not sure if the router or the antivirus was the issue so I tried:

1. Removing the 3G dongle and attaching it to the USB port on my home PC directly. No luck.
2. Some blogs said that the P2P or IM shield on Avast might be the problem so I disabled it. No luck.
3. Then I uninstalled Avast completely to see if it has any shield that might still block it. I restarted. No luck.


Cisco WAN :: 2960 Can't Ping All Devices On Remote Subnet

Sep 27, 2012

I have 4 x 2960 switches in a remote site. These are managed by an NMS in our DC, the NMS IP ends in 35.100 with a /23 mask.
 
When they are first booted, the switches are visible to the NMS, but after a week or 2, 3 of them drop connection to it. If you reboot them again they are fine. You are able to log onto them from their local router and use a Radius server which is in the same subnet as the NMS.

The odd thing is, whilst they cannot ping the NMS, they are able to ping any other addresses in the 34.0/23 range.
 
The config on the one that does not lose connection is the same as the other 3 and I have also rebooted the NMS.


Cisco Routers :: RV180 QVPN Cannot Ping Remote Lan PCs

Nov 2, 2012

I can use PPTP and access all the PCs on a flat network at a remote site. I can ping the PCs and connect with NetSupport Manager. When I use QVPN I cannot do this. Why? I have added custom ports 5405 for NSM and applied ACL but no joy. I also added PING to ACL but it still doesn't work.


Cisco Firewall :: 871 - Cannot Ping Or RDP Remote Stations Once Connected

Jun 6, 2011

I've setup a CISCO 871 which receives DHCP IP address on WAN interface Fa4 and DHCP-assigned static IP Address on virtual-ppp1.  The static address is used for site-to-site VPN's, while I've planned the DHCP address for standard web access and CISCO VPN Client dial-out.
 
Internally, I've created 2 VLAN's, one for standard PC's with access to the remote sites via site-to-site and cisco client, and the other for a 'secured' area with only HTTP/S allowed out. [code]
 
Clients in the PCLAN should also be allowed to dial-out using CISCO VPN client to remote sites via the OUTSIDE interface. This is partially working because the client does log into a remote site, however I cannot ping or rdp remote stations once connected. "ip inspect log drop-packets" does not reveal dropped packets when trying to ping or rdp. [code]


Cisco VPN :: 5510 Remote Access VPN / Ping From Client

Jul 26, 2011

I'm configuring ASA 5510 Remote Access VPN. I can connect from Cisco VPN Client to the ASA VPN. I obtain from the ASA some routes to inside networks, but I can't do any ping to those inside hosts. I have got these errors in the ASDM log file: [code]


Cisco Routers :: RV110W Ping Remote Gateway

Apr 16, 2012

I recently purchased a RV110W wireless router for a client.  I am having issues with the VPN access.  Here is the client's access log:
 
2012/04/17 10:59:41 [STATUS]Disconnecting...
2012/04/17 10:59:47 [STATUS]Success to disconnect.
2012/04/17 11:00:03 [STATUS]OS Version: Windows XP
2012/04/17 11:00:03 [STATUS]Windows Firewall is OFF
2012/04/17 11:00:04 [STATUS]One network interface

[Code].....
 
I've called Cisco tech support but the answer is disregard the log message and everything is working, and that I have a configuration issue on my end. 


Unable To Ping Or Connect To Remote Desktop On Xp Pro Sp3

Jun 11, 2011

I have two computers side by side, 192.168.1.7 and 192.168.1.8, both running XP Pro SP3. On 8 I can RDC to the 7, but on 7 I cannot RDC to 8. I can see port 3389 listening on both using netstat -a. But 7 just can't RDC connect to 8. 7 cannot ping 8 either. I have the firewall turned off on 8; I had tried allowing RDC 3389 earlier with the firewall but that didn't work either. I don't have any extra firewalls running. Life will be like perfect, if I can just RDC to 8. Both are on the same wired Belkin wireless router, 4' from it. I tried taking the no ping no RDC computer to work and it didn't work there either.


Cisco VPN :: ASA 5520 - Cannot Ping Or Remote Desktop Connect To Any Client

Apr 18, 2013

I have a need to Remote Desktop connect to the company's employees for support when they are abroad and using the Cisco AnyConnect client. The Cisco AnyConnect client connection works fine, and clients can reach the company's inside network without problems, but I cannot make the reverse connection: I cannot Remote Desktop connect to or ping VPN clients from the company's inside network. I cannot ping clients from the ASA either. I am using ASA 5520, Cisco Adaptive Security Appliance Software Version 8.4(3), Device Manager Version 6.4(7), and Cisco AnyConnect VPN Client 2.2.0133. Protocol Encryption- AnyConnect-Parent SSL – Tunnel DTLS-RC4 RC4 AES 128.


Cisco VPN :: 891 Router - Ping Or Access Any Resources On Remote Network?

Dec 6, 2011

I have setup a VPN connection on a 891 router.  I can connect to the VP both but am unable to ping or access any resources on the remote network.
 
Here is my running configuration:

[code]...


Cisco VPN :: 2611xm - Unable To Ping Remote Host Through Tunnel?

Apr 20, 2012

I am in a test environment using an ASA 55005 and a Cisco 2611xm router. The ASA is running version 8.4 and the router is running ios12.4. My VPN tunnel comes up but I am unable to ping between remote hosts. I used the ASDM and SDM for the configuration. Attached is a copy of both configs.


Cisco VPN :: Remote Access Connects To 5505 But Cannot Ping Any Servers

Sep 19, 2012

I have a cisco 5505 and am trying to configure it with ASDM 6.4.
 
My vpn client connects ok to the network but I am unable to reach any of the servers.
 
I'm sure it's a simple configuration issue as I don't have much experience with Cisco configuration.


Cisco WAN :: 1841 / Can't Ping Every Machine Across GRE Tunnel To Remote Subnet

Apr 7, 2011

I have a GRE tunnel across my head office and remote site with multiple subnets using Cisco 1841 routers. I can ping most of the devices on the remote side, but I cannot ping certain devices. These devices respond to ping requests on the local LAN, but not through the WAN link. If I change the IP of the device then it starts responding. I am using the same gateway and mask on these devices. The remote site is running classic STP on switches with the distribution switch being the root bridge.


Cisco Firewall :: Access And Ping Inside Interface Of ASA5505 From Remote Network?

Sep 13, 2012

I am trying to access and ping the inside interface of an ASA5505 from a remote network. From the remote network, I am able to access anything on the local network but the ASA5505 inside interface. The 2 networks are linked by a fiber link which has a transport network on another interface. From the remote network, I am able to ping the transport network interface IP, but I would like to be able to ping the inside interface IP. When I do a packet tracer, I get a deny from an implicit rule. How can I achieve that?
 
Here are the subnets involved and the ASA5505 config.
 
Remote network : 10.10.2.0/24
Local network : 10.10.1.0/24
Transport network : 10.10.99.0/24

[code]....


Linksys Wired Router :: RVS4000 - Unable To Ping From Remote Location

Apr 30, 2013

I am being told from my remote end I do not have port 22 opened up.  I have single port forwarding to SSH 22 and Port Range 22 enabled. 


Cisco Switching/Routing :: 1841 - Unable To Ping Remote Gateway Or Hosts On Other Side Of Router

May 30, 2012

I am just setting up a simple scenario with a 1841. Server @ 172.31.1.1 cannot ping 172.31.0.254 or 172.31.0.105. It can ping 172.31.1.250. The router can, on the other hand, ping devices on both networks. This is just for testing routing theory so I don't know why hosts on either side of the network cannot ping each other.
 
I am only using the FastEthernet interfaces on Router 1841.


Cisco :: Can't Ping New Firewall From Server

Jul 8, 2011

I've recently swapped out an old pix firewall for a new ASA5505 and have been trying to match the configs as best I can. However I still can't ping the new firewall from the server and it still won't let them serve out. The firewall exists on a separate VLAN (vlan30), but the previous pix never seemed to care about that. I'm wondering if that might be part of the problem.
