Cisco WAN :: ASA 5505 - PPPoE Error
Apr 27, 2011
I am using ASA 5505 with firmware 8.2(2). My ISP uses PPPoE as a WAN connection protocol. There is a problem with getting PPPoE session started on my ASA 5505. The debug output says that after negotiation of PPP-authentication protocol ASA receives a PADT packet from ISP’s concentrator. To get more information I captured all packets on outside interface with WireShark. Packet-dumps (in .pcap format) are attached in this post. I have tried all possible combinations of PAP/CHAP/MSCHAP values in “vpdn group MYGROUP ppp authentication” command. If you take a look at the packet-dumps you can see, that in case of “PAP” – ISP’s concentrator rejects negotiation (PAP is not supported by my ISP). In case of CHAP/MSCHAP (that ARE supported by my ISP) – ASA acknowledges the using of MSCHAP v.2 PPP-auth protocol, which is actually not supported by it…
Judging by MAC-addresses of ISP’s concentrators it is visible that Cisco’s equipment also is used.
The question is: Why does the ASA acknowledge using an unsupported PPP-auth protocol during negotiation, and what do I need to do to resolve this issue? (The ISP’s support says that they cannot change the PPP-auth protocol negotiation order. They also say that I need to contact the manufacturer of my equipment.)
Mar 1, 2012
I am trying to remotely diagnose a troublesome ASA5505.
It is connecting via PPPOE and the original suspicion was that the PPPOE was going down during heavy loads during the day, i.e. 9am and lunchtime. I suspected MTU and have verified the MTU outside is set to 1492.
However, further troubleshooting doing a remote ping to the PPPOE address indicates that this does not drop at all.
When remotely connected to the ASA my session dies and any outbound internet fails, then in a few minutes it comes back.
All the time the PPPOE line stays up?
One thought is that although the line does not go down it is being crippled with traffic and just getting so unresponsive it appears it has died.
Jun 18, 2012
We currently use a Linux software-based firewall called IPCop that sits between our network and router (this is in bridged mode). IPCop connects over PPPoE and everything works fine.
However, the system is not reliable and, I fear, not that secure, so I have purchased an ASA5505. I have now added the PPPoE info to the device using the ASDM software; however, although it picks up my external static IP, I'm unable to access the internet. On IPCop I only had to enter the broadband credentials and it worked; however, I feel like I may have to add more to the Cisco. For example, do I have to specify DNS servers, and do I have to set a static route?
Here is my config file so far (note: I think I have turned on the ability to ping from internal to external). I have done my config through the ASDM as opposed to the CLI.
: Saved
:
ASA Version 8.4(3)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface
[Code].....
Jan 25, 2011
I've been having this issue for about 3 months now, off and on, never seemed to be predictable but started happening more and more, which prompted me to look into it.
Currently, the DSL modem is configured in bridge mode with the ASA handling PPPoE. The WAN address is being assigned via DHCP. The ASA is running 8.2(1). The WAN interface will drop its DHCP lease and will not renew it without power cycling the DSL modem. I did a little bit of googling and found mention of setting "dhcp-client client-id interface outside"; specifically this was an issue pre 7.2(22), but it doesn't seem to affect my situation. Originally, I had the MTU on the outside interface configured as 1500; changing it to 1492 has not resolved my issue either.
I've enabled PPPoE and DHCPC debugging and posted the results below when the event occurs. I'm thinking this is more so a PPPoE issue than it is a DHCP/DHCP lease issue, as I am not seeing any debug messages from DHCPC.
Code...
Feb 23, 2011
configure my ASA 5505. It is setup using PPPoE. What I want to do is this:
I have one of my IP addresses (99.23.119.78) set up for ftp using the ftp protocol to our internal IP address 192.168.1.3. What I need is to also allow for HTTP access, but not just that: I need it to forward the http port to port 9000 because the web interface requires port 9000 for customer access. Previously on our old firewall customers were able to access the web interface by browsing to [URL]. I would like to not have to require the port in the URL.
In addition, I would like to be able to setup a different IP address in our range (99.23.119.73) to be setup for http access using the standard port 80 for the same internal IP address (192.168.1.3). This URL will allow us to access the administration web interface for the FTP server.
Here is my current config:
Result of the command: "show running-config"
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password qVQaNBP31RadYDLM encrypted
passwd 2KFQnbNIdI.2KYOU
[Code].....
Mar 3, 2013
I need to use a Cisco ASA 5505 on a BT Openreach connection. The configs that I have been using are below -
interface vlan2
nameif outside
security-level 0
[Code]....
Apr 25, 2013
I just bought a 5505 to learn from and am trying to attach my VDSL modem as a transparent bridge. It goes....
Laptop >>> (VLAN1) Cisco 5505 (VLAN2) >>> VDSL modem >>> internet
X.X.X.10 >>> (X.X.X.254) ------ (Y.Y.Y.254) >>> Y.Y.Y.10 >>> A.B.C.D.
I'm using the ASDM. If I configure VLAN2 with the IP address of the VDSL interface I can ping the modem from the console session via Putty. If I take that off and configure up the PPPOE client I can't ping the VDSL modem; I'd expect that. If I then add in an IP address to the PPPOE client config like I assigned to VLAN2 it doesn't ping either. If I can't ping the VDSL modem I don't expect it would work, but it seems I can only either give it a static address which pings but has no pppoe, or give it a PPPOE config which means I can't ping the VDSL. Why can't I ping the VDSL modem when the interface is set as PPPOE with an IP address? Presumably if I'm on the ASA console doing pings from there to the modem then I'm ruling out problems with the routing from the laptop (trying to isolate where the issue is).
Mar 12, 2013
I've an ASA 5505 connecting to a vdsl modem. The ASA is doing the PPPoE encapsulation. I've noticed the traffic amount on the outside interface is always twice the bandwidth it receives on its inside interface. I can't believe the PPP encapsulation is taking that much. Only two interfaces (inside and outside)
Oct 10, 2012
I would like to know: is it possible to connect two 5505 ASAs in a site-to-site VPN with one site using an ADSL PPPoE connection?
May 18, 2011
This might actually go into Networking Basics because of the nature of the problem, but I tossed it in here because of the Cisco product involved. Long story short, I need to do some detective work to figure out an appropriate IP address for a NIC. I recently started working at a company with the ASA 5505 and I need to upgrade the software image on a bunch of them. There's already a computer set up with a TFTP server and Hyper-Terminal to do it. I'm trying to use the CLI update procedure [URL] but when I get to the beginning of the actual transfer from the TFTP, I get stuck at "Accessing" and then the connection times out with the message "Unknown Error". The only thing I can think of is that somehow the ASA is not making it all the way to the TFTP server, probably because the IP address settings on the NIC for the computer are set wrong. I say this because in the config file provided to me, the ASA is given an address X.Y.Z.1, subnet mask /24 (where all the letters are constants) and the TFTP server has an address in its software config of X.Y.Z.10 mask /24, but the NIC on the computer is set to A.B.C.105, which is an entirely different network. I need to figure out what I can make the NIC IP address so I stop getting the error. I tried a couple of different X.Y.Z.x addresses, but haven't gotten anything yet.
Jul 6, 2011
I have configured an L2TP VPN using ASDM and now I am not able to connect to my Cisco ASA 5505. It's showing the error message:
3 Jul 07 2011 18:57:38 IP = *.*.*.*, Error processing payload: Payload ID: 1
Apr 12, 2011
I am unable to connect to the vpn I set up on my ASA 5505 using the Cisco VPN Client on a Windows machine. The log of the vpn client and the config of the ASA 5505 are below.
LOG CISCO VPN CLIENT
Cisco Systems VPN Client Version 5.0.06.0160
Copyright (C) 1998-2009 Cisco Systems, Inc. All Rights Reserved.
[Code]......
Oct 19, 2009
I get the following error when trying to connect a vpn client through an ASA5505 with an already configured ipsec AES/256 site to site connection:
regular translation creation failed for protocol 50 src:inside:192.168.1.167 dst:outside:xx.xxx.x.64
The site to site addressing is not relevant, I'm not trying to pass traffic over the site-to-site, but rather create a new vpn from inside client to outside external vpn box that's not under my control. The client is able to create a connection, but no traffic is passed, when I try to ping / rdp, the above message is returned to me. If I add the rule static(inside, outside) interface 192.168.1.167 netmask 255.255.255.255 then it works, everything works, but ONLY from this computer.
Been Googling for hours, but with no result as of yet.
Jan 16, 2011
I am stuck on this issue. I have an ASA 5505 which was working for more than 4 months; after a power recycle the firewall is not booting now, and it gives the error below. I have tried to upload a new image, however the story is the same.
i2c_write_byte_w_suspend() error, slot = 0x0, device = 0x40, address = 26 byte count = 1. Reason: I2C_UNPOPULATED_ERROR.
Feb 24, 2012
Just installed an ASA 5505 with AnyConnect Essentials. AnyConnect installation works fine on some Windows boxes (all flavors) but I have a couple of machines with issues. This makes it clearly a computer-side issue. When I try to log into the ASA to download the client with IE 9 the ASA just keeps asking for my logon credentials. If I use Firefox my credentials work and I get as far as the "Using Sun java for installation" with instructions to click yes on the Java security warning. The Java security warning never arrives like on machines that don't have this problem. Firefox just hangs and has to be killed by Task Manager. Remove and reinstall of both Java and Firefox fail to correct the problem. Any AnyConnect client-side recovery tips beyond Java and browser reinstall?
A Google search shows a few folks using Ubuntu and old PPC Macs seeing the same Java error I get on these couple of Windows boxen. [code]
Apr 7, 2011
I use a CISCO ASA 5505 with ASA 8.3. Everything works fine, but when I type the following line I get an error message:
nat (inside,outside) source dynamic OBJ_SPECIFIC_192-168-1-0 10.1.5.5
ERROR: 10.1.5.5 doesn't match an existing object or object-group
I even tried to create the missing object but it did not work. The document also explains how to use ASDM for this configuration. It seems that there an object 10.1.5.5 is created.
This is the output of "show running-config":
ASA Version 8.3(1)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.1.5.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network
[code]....
Apr 15, 2012
Whenever I use the following command I get an invalid input error
ciscoasa#conf t
ciscoasa (config) # crypto isakmp enable outside
ciscoasa (config) #object network net-local
ciscoasa (config-network) # subnet 192.168.101.0 255.255.255.0
^
I have reset the firewall (cisco 5505) to factory default. The marker ^ is under the subnet
Apr 1, 2012
I have an ASA 5505 firewall with ASA 8.4(2) and ASDM 6.4(5). I have only one public IP and services I need to publish on the Internet:
External User (Internet) -> Calls connection on port 22 Internal server 192.168.1.124
External User (Internet) -> Calls connection on port 80 of the Internal 192.168.1.124 server or other server the same inside.
At first I'm just testing access to port 22. I had it working in version 8.2, but after I updated to 8.4 it does not work. I've tested several different configurations.
Configuration (see asa5505_config.txt file)
object network remoto_ssh
host 189.120.190.229
object network linux_ssh
host 192.168.1.124
nat (inside,outside) static remoto_ssh
access-list outside_access_in line 1 extended permit tcp any object linux_ssh eq ssh
ERROR: Address 189.120.190.229 overlaps with outside interface address.
ERROR: NAT Policy is not downloaded
Apr 4, 2010
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password EhxQ5dBfvkyaUj52 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.10.8 W2K3-X32-SP
[code]....
I have a problem with a DMZ VLAN. I can't surf the internet on a remote host. The DMZ VLAN links with the remote network on host 192.168.20.3.
INSIDE (192.168.10.0) -------------- Outside (88.88.88.0) -------------- DMZ (192.168.20.0)
^
|---------- Remote network (192.168.9.0)
Nov 6, 2011
I'm trying to set up a 5505 (running 8.3) so that I can use the client VPN through RADIUS authentication. I have set up a new local RADIUS Windows box and used the ASDM assistant and a few other guides to set up the 5505.
Jan 9, 2013
It's probably just me, but I have tried real hard to get a simple AnyConnect setup working in a lab environment on my ASA 5505 at home, without luck. When I connect with the AnyConnect client I get the error message "User not authorized for AnyConnect Client access, contact your administrator". I have searched for this error and tried some of the few solutions out there, but to no avail. I also updated the ASA from 8.4.4(1) to 9.1(1) and ASDM from 6.4(9) to 7.1(1) but still have the same problem.
The setup of the ASA is straight forward, directly connected to the Internet with a 10.0.1.0 / 24 subnet on the inside and an address pool of 10.0.2.0 / 24 to assign to the VPN clients. Please note that due to ISP restrictions, I'm using port 44455 instead of 443. I had AnyConnect working with the SSL portal, but IKEv2 IPsec is giving me a headache. I have stripped down certificate authentication which I had running before just to eliminate this as a potential cause of the issue. When running debugging, I do not get any error messages - the handshake completes successfully and the local authentication works fine as well.
ASA Version 9.1(1)
!
hostname ASA
domain-name ingo.local
enable password ... encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
[Code] .....
Jul 19, 2011
I recently had some trouble with my ASA 5505 in that the running config would not be saved after a reboot. It definitely looked like a hardware problem with the flash memory. I have since bought a new flash memory card and copied the contents of the old card to the new card. The 1st problem I have is that I can see the image on the new card, but for some reason it won't boot into that image. I get "/file not found".
I then successfully load a new image to the device and it boots successfully. I then follow it with a
Cisco asa# config t
Cisco(config)# boot system disk0:/asa831-k8.bin
(to ensure it boots from the flash in the future) and I get
WARNING: BOOT variable added, but unable to find disk0:/asa831-k8.bin
I have since tried
ciscoasa# fsck disk0:
Unsupported file system type!
%Error checking disk0: (No such file or directory)
Whenever I try to do anything with disk0: I get the same error (No such file or directory). I have also tried putting the old flash card in the ASA and I now get the same response.
Nov 16, 2012
[OK] webvpn
webvpn
[ERROR] anyconnect image disk0:/anyconnect-win-3.0.08057-k9.pkg 2
copying 'disk0:/anyconnect-win-3.0.08057-k9.pkg' to a temporary ramfs file failed
I was trying to add the Windows AnyConnect to the list of usable software for clients and that error happened. What is going wrong? I assume I don't have enough RAM...
Jul 7, 2011
I have connected an ASA 5505 to an ADSL router that is able to assign the IP address and the also the DNS servers for the ISP for the outside interface. The ASA is loaded up with IOS "asa842-k8.bin"
I am using vpnclient with a hostname as opposed to an IP address to connect to a headend remote server. If I hardcode the DNS servers' IPs in the "dns server-group DefaultDNS" I am able to resolve the hostname. If I then remove the IPs from the group and rely on DHCP to assign them, when I try to resolve the name I get an error at the console: "ERROR: % Invalid Hostname"
Apr 28, 2011
Connection denied due to NAT reverse path failure
Mar 12, 2013
The router 1841 is connected directly to the layer switch. the network diagram is below:
Office A --> Switch (L3) --> Router 1841 --> Internet --> Office B
However, when I transfer a file from Office A to Office B, the speed is very slow (only around 40 kb/second), and there are input errors and CRC errors:
Cisco-R1841#sh interfaces FA0/1
FastEthernet0/1 is up, line protocol is up
Hardware is Gt96k FE, address is 0019.e02f.03dd (bia 0019.e02f.03dd)
[Code]......
May 1, 2012
I'm trying to open certain websites but the browser gives me this message: "Network Error (tcp_error) A communication error occurred: "Operation timed out" The Web Server may be down, too busy, or experiencing other problems preventing it from responding to requests. You may wish to try again at a later time."
Apr 20, 2011
I'm currently studying at a college which has a website with a student intranet that is available to log in to from any computer. So far it has been working well and I can log in on my home laptop and upload documents and look at presentations etc. Today for no reason when I try to log in I get the message "Error Code 500: Internal Server Error" and the webpage does not appear. I have had no problems previously and this has only happened today and yesterday. I went down to the college and accessed the website fine from the computers in the library, but still no joy from my home computer.
Oct 3, 2011
I have a Cisco 877 doing PPPoE through an ISP-supplied modem that is in bridge mode (long story). When the DSL drops on the modem it takes around 5 to 10 mins for the 877 to redial the connection.
Here is the config I'm running:
interface Vlan1
description PPPoE-Interface(WAN)
ip address dhcp
load-interval 30
pppoe enable group global
pppoe-client dial-pool-number 1
[code]....
It's possible some of that config is redundant but I've tried as much as I can see online.
Dec 16, 2011
Cisco 877W. I configured it for PPPoE. But once I plug in the ADSL line, the dialer interface will get IP Address. But after like 2 minutes the PPP link will go off and I will get this log message: "Interface Vi1 unbound from profile Di1".
Mar 2, 2011
Is it possible to set up a PPPoE client on a VLAN interface, or a switch interface associated with a VLAN? For example, in an 881 Ethernet router, could I configure a PPPoE client on any of the LAN interfaces in addition to the PPPoE client configured on the WAN interface?
View 4 Replies
View Related
Aug 29, 2011
Trying to find a way to configure my 851 for home use. My internet provider uses PPPoE with PAP and although I found many configuration options they are all incomplete... or I can't find the logic behind those commands. First of all I need to say what I need:
1. Configure my int Fa4 (WAN) with PPPoE so when I insert my ISP cable in it, it will negotiate and take an IP.
2. Configure DHCP on LAN (Fa0-3) so that when I insert my PC it will take a fake IP.
Here is the place where I found some conf examples: [URL] and I have some questions:
1. MTU - Should I use the 1492 value or the "pppoe-client ppp-max-payload 1500"?
2. ip route 10.10.25.2 255.255.255.255 dialer 0 - How can I set an IP route when my connection information only comes after I connect (because it is PPPoE)?
3. I can't configure the DHCP because I don't know the default route, the DNS, or the default gateway, due to PPPoE!
Apr 18, 2012
I have a Cisco router, model 1921. How can I terminate my existing PPPoE connection on the 1921, so that my other LAN users can use the internet?
1- One cable (RJ45) which is coming from the ONT is connected to the integrated WAN port on the router.
2- One cable (RJ45) which is going to my LAN switch is connected to the integrated LAN port on the router.
Now I need to configure my router so that I can give internet access to my LAN users. I read Cisco's guides but they are not clear regarding configuration, because in the guides they use modules to configure PPPoE. But I am not using any module; I am simply connecting one cable for WAN and one for LAN.