Is it possible to use this feature on WLC 2504 ? ( Passive client feature). I found just this note :" The passive client feature is supported on Cisco 5500 and Cisco 2100 Series Controllers. "
View 8 RepliesI'm on WLC 5508 . It doesn't matter if passive client feature is turned on or turned off , when you try to increase "User Idle Timeout" you can see this message:
In our network, a lot of clients gets deauthenticated. I thought it would be useful to enable "Passive-client" feature, or increase "user idle timeout" , but how these works with each other?
I am seeing a lot of client has joined profile XXX in the logs, and the customer has been saying the PC's are dropping constantly and take up to 5 minutes to reconnect.
I found a lot of Auth flood signiture hits, and disabled the signature as a temp test. I also had one WPA WIC error on one AP. The Auth sig was deteced on several AP's at one time.
Now the question, is it normal to see Clients joining like this, and does the auth flood disable the AP for a short period?
2504 WLC, 1042 AP's
I have my NPS server setup, Group Policy, Certs (RAS+IAS), DHCP option 43, DNS A record
If I look in the event viewer on NPS, it says
Log Name: Security Source: Microsoft- Windows -Security -Auditing Date: 5/22/2013 12:36:37 PM
Event ID: 6272Task Category: Network Policy Server Level: Information Keywords: Audit Success User: N/A Computer: mfs1.Mitchell. internal Description:Network Policy Server granted access to a user.
[Code] .....
But the laptop won't connect or get an IP.
I recently setup a 2504 WLC that has two primary WLANs (internal and guest) which get their IP addresses from a central DHCP server using the local router's broadcast forwarding. Things seem to be working well for the internal wlan, but clients on the guest wlan don't seem to be getting IP addresses. If I give the client a static IP they are able to communicate across the wlan okay.
It is worth noting that I am using LAG between the controller and router and this guest wlan is really just a regular wlan (with PSK) that has an access-list applied to force it to the internet only. The access-list should be allowing dhcp requests through, but in any case, I removed the access-list and it made no difference.
Here is a debug client for a machine connected to the guest vlan (vlan 33). The internal wlan is on the 10.10.10.0/24 network (same as wired and same that the AP's are connected to) and the guest wlan is 10.33.0.0/16. I don't understand why I am seeing the dhcp request come from the internal vlan/ wlan first and it gets an IP address on this network. I then see a request on the guest wlan/vlan at which point it appears to get a valid IP address on the guest network (10.33.0.0), but the client never sees this. [code]
Can add feature "release" and "renew" to wan dhcp client? Is it WOL not possible in RV220w? i tried forward broadcast magic packet from wan side, change broadcast IP and through VPN tunnel (PPTP & IPSEC)...got failed i change from draytek 2130n to rv220w, 2130n much better. except SSL VPN.
View 2 Replies View RelatedI own a wireless router (ZTE W300) and due to the large number of devices in my house, and limited broadband usage, can I limit downloads/uploads (in other words, limit data usage) to a particular device over the network?I think the stock firmware on my router doesnt allow that (and its pretty base level too). If so, do you recommend any other firmware that can do the task, and is compatible with my router?
View 1 Replies View Relatedhowever recently when i check my internet usage log on my wireless company (Rogers) the usage is totally off from what my bandwidth tracker shows me. So i decide to turn off my wifi and see what happens, there has always been this weird wifi connection appearing whenever my wifi appears, then afterwards when i turn off my wifi the suspicious wifi connections disappear. is this possible that someone is using our wifi? i might just be overreacting but it has brought me to concern that if the usage continues my family will have to end up paying over $30 for extra internet use. it is very frustrating me because when i check my DHCP client table it only shows 3 connection, ethernet - my desktop which is not turned on, 2 wireless connection - my laptop and my sister's laptop.
View 6 Replies View RelatedI have a client with a WLC 2504 that wants to route "guest" users through a gateway appliance "radiusgateway.com" and all others through the network. It appears to me this would require the use of two fa ports on the WLC. One directly connected to the radiusgateway (which is connected to a switchport) and the other fa interface connected directly to a switchport bypassing the proxy server.
My issue is, "how do you segment the ssid traffic via the WLC". The interfaces cia the gui aren't that intelligent, there's an enable and logging drop down. Via the command line, I didn't see any methods of routing traffic.
My e3200 is running great Unfortunately it seems that the ftp server does not use/support passive mode transfers, which means that clients behind a "corporate style fw" cannot access the server. The solution would be running the ftp server using passive mode (and opening the necessary ports on the server side), but it seems that it is not supported. Or at least I don't know the passive mode port range.
View 6 Replies View RelatedI have a few remote locations that use a Cisco 5505 to connect to my server through a VPN Tunnel. When they establish a connection through the tunnel they use FTP with the PASV command and successfully send and receive data. No issues. The same remote locations will connect to external FTP sites without a VPN tunnel and attempt to use FTP with PASV and the connection fails after the PASV command is issued.Also, when these sites connect to my FTP server all their internal addresses are configured with a Dynamic HIDE NAT. They don't use this NAT rule when they connect to other FTP sites.
The question is why would an FTP connection through a VPN Tunnel work with PASV, but on a non-tunneled connection the Cisco 5505 blocks the connection.I would think that the connection should drop in both scenarios. What makes the VPN Tunnel connection special to prevent the connection drop? (I just learned about the fixup protocol with the group policy change to resolve the problem. So I can resolve the issue. But I'm interested in knowing why there is a discrepancy.)I did ask our network team and they thought it was somewhat strange too.
How can I allow passive ftp communication in PIX 6.3(5)106.
View 5 Replies View Relatedsetting up ASA to allow passive FTP connection! I can get the FTP client to connect but it does not pull the directories. I have opened 21 and range of 55536-55566. I had some trouble gettting the range opened and saved. Normally with other small business routers (GUI) I make sure those ports are forwarded and ftp works.
Is the ftp inspection killing connection or is it my config?
ASA Version 8.4(2)
!
hostname ciscoasa
enable password vRLm0eRL2O14iLM6 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
[Code].....
what is active/passive port-channel..? and how it will do load balancing when my network traffic is flowing on both the ports.
View 5 Replies View RelatedUsers cannot download some files from a FTP in a software over VPN Explanation users work with a program and inside the program they download claim (the software goes to the FTP and download the file)
But the program returns an error 3018 in FTPGET. If the user goes to the old PPTP VPN it works like a charm so the problem is the Cisco VPN.
I cannot post my complete config but we use the filter vpn value to associate a special access-list to a user.
The user that has this problem has this as an access-list.
access-list 201 extended ip permit 10.250.128.0 255.255.255.0 192.168.202.0 255.255.255.0
I've made some research and i've added this info
policy-map global_policy
class inspection_default
Inspection ftp
Still doesn't work.
I have to add that normally the internal network is 2.0 and not 202.0 but since we have user with 2.0 at home we had to do this.
So when a user sends a request to 202. the cisco fowards it to the Juniper inside the network and it translate it back to 2.0 Also that is the ONLY thing that doesn't work. The client can work all day on that program and it will work #1 exept when she does the claims
I am also been working on this VPN for 2-3 months without any problems.
I am using ftp server over internet, for this I am able to connect with ftp server successfully but unable to transfer data. I am unable to see the file's list on connected ftp server. I am using the router Cisco 1941 with 15.0 (1r) M12.
There is no firewall or any ACL policy applied that could stop the any type of traffic.
I have also configured ip ftp passive command on it. But still passive ftp not working.
I have 3750 switch and there are couple of vlans.....i dont want to run the instance on all vlans....so i have decided that i will run passive intreface default command....now my lan link is layer three and i want to run eigrp on that so the command shd be as under?
no passive interface default interface gig1/0/10
no passive interface default interface gig1/0/22
(as i have 2 conections) and want to have two neibours.
I don't really know how this things work, but somehow i know that when you summarized few subnets into 1 in RIPv1 protocol in router, you would need this command, but how this things actually works?
View 5 Replies View RelatedI had a design question, Currently we have a active/passive asa 5520 firewall setup. We have our edge router (3845), on which Gig 0/0 connects to the internet, Gig 0/1 connects to a port on the active firewall. We also have a one port fast ethernet card on the router.How can i use the fast ethernet port on the router to connect to the passive firewall, so that if the active firewall fails, there is internet connectivity through the fast ethernet port on the router.
View 3 Replies View RelatedCurrently we are using a single connection to our ISP and in the coming months will be moving to a two seperate connections (to same ISP). In our current setup we utilize active/passive ASA's (5520, single context) and would like to utilize that going forward as well, the reason being is our DMZ's all hang off of these ASA's and we have fiber connectivity between our datacenters.Our main datacenter and DR Datacenter are basically one big LAN with fiber between them, so we have our DMZ networks at both locations currently with both terminating in our ASA's. That way if the ASA at our current site fails the DMZ's are still accessible via the secondary firewall at our DR facility.
View 1 Replies View RelatedWe have an ACE 4710 that has two web servers in an active/passive scenario. The issue is that if node 1 fails and node 2 takes over connections to node 2 stay active even if node 1 becomes available again. Is there are way to ensure that node one is not placed back into service if it becomes available again.
how active/passive failover shoudl be configured, so I can make sure I have it set up correctly;
i have a problem with a Failover Pair of 5510. The Boxes run with the software version 8.2.5.
If the Active ASA goes down, the Standby ASA switch to Active.
If i switch on the old Active ASA, both ASA are Active. This problem don't solved with the command 'no failover active' on the Standby box. This problem only solved with the command 'no failover' and then 'failover' on the Standby box.
The following diagram is showing what I "Plan" on doing or "Hope" I can do. This is the most complicated deployment I have taken on in my profession, and Honestly it is very exciting, but had some questions.
1. The network between the ASA's and Routers, is that suppose to be a Private network or Public Network? I have to assume Public because I want my ASA's to take care of the NAT.
2. ASA's are runing single context Active/Standby so what way will the ASA push out going traffic?
3. The routers need to know about each other in a BGP configuration, correct? We accomplish this using iBGP so will that traffic need to be allowed through my firewall to allow the routers to share that information, or should these routers be talking to each other outside the firewalls?
Is this design possible? I am sure there are limitations as always, just trying to wrap my head around the flow of traffic and where to start.
Additional Details/Requirements -
BGP routers are 2921's that I have control of. Both routers have 4 port GigEtherswitches in them.
ASA's are Active/Passive and cannot be Active/Active due the limitations of the Active/Active Design (VPN limitations)
Both ISP's must be used for outbound traffic, I would like to be able to load balance, but can send some traffic one way and the rest of the traffic the other way based on Routes.
ISP's are not Symentrical, one is 50mbps and the other is 250mbps.
All NAT should take place at the ASA's
Additional Questions:
The routers that have gig etherswitches, can they run HSRP?
Should I be putting Layer 3 switches between the routers and the ASA's instead?
Where should I run my iBGP communication for the routers?
I've been having a problem with my cisco routers (7600s) where sub-interfaces that we create for ldp tunnels are added automatically to the main ospf process as no passive when created. In order, here is how to reproduce the issue:
- Configure ospf process as "passive-interface default"
- Configure interfaces that have to be active as "no passive-interface blah"
- ospf works as expected.
- Create new sub- interface somewhere with encapsulation on a certain vlan for xconnect.
- New sub-interface gets added as "no passive-interface" in main ospf process.
- When adding a new port-channel interface, behavior is the same.
Is that normal for cisco, should I continue removing sub-interfaces manually every time from the ospf process?
I'm having problems getting FTP to work through two FWSM virtual contexts which are connected via a vrf. All this is configured on a 6500 switch with the FWSM running 3.1(4)
CLIENT-----CONTEXT_1-------VRF------CONTEXT_2--------FTP_SERVER
At the moment we can make the control connection but when we issue commands the connection times out.
Looking at the logs we can see the initial connection made to the server on port 21 from the client, this is also seen on the second firewall context (nearest the FTP server). The data channel is then seen on the first context, made using high src & dst port numbers and initiated from the client, successfully passing the ACL/Inspection, then on the second context we see the connection being denied by the incoming ACL on the second contexts interface connected to the VRF instance.
The rules are identical on the contexts and have been made by copying and paste the rule using CSM, we are using the predefined service group 'FTP-Group' which contains both tcp 20 & 21. FTP inspection is at default on both contexts.
We have tested with Win XP (capable of Active FTP only) & Firefox 3.6.12 which is the connections we are seeing in the logs trying to do Passive FTP.
Is this a problem with teh contexts randomizing sequence numbers or TCP Normalization? Or do we just have a problem with the Inspection engine on one of the contexts (I would have expected to see this on both contexts if it was a bug).
I am purchasing 2 5512x ASAs to be configured as an Active/Passive pair as a VPN device. Do I need to purchase anyconnect licenses for both devices?
View 2 Replies View RelatedI have the following Setup, Two Cisco ASA 5520 needed to be configured in HA Active/Passive. The Firewalls includes also AIP module. Does the ASA 5520 will internally make the AIP modules also HA Active/Passive? Is there a document regarding the issue? Is there a seperate license for the AIP modules for HA scenario?
View 1 Replies View Relatedwe operate an active/passive cluster with 2 ASA5510 in Routed Mode. Is it possible to add another node, so that we have one active and two standby nodes in the cluster? Unfortunately, I have found no documentation on this .... The data sheet say only up to 10 nodes can be mentioned as a VPN load balancing cluster.
View 1 Replies View RelatedCurrently l have two ASA 5520's in a active/passive failover scenario. Currently the interfaces for the inside and outside are fixed at 100/FULL.I want to repatch them into GigE ports setup as Auto Negotiate.Is there anyway of keeping the connections through the firewall active in this type of scenrio or will l have downtime disconnecting and repatching? or could l possibly disable failover and reconfigure each ?
View 6 Replies View RelatedI have a customer who is having some issues with 5m passive HP twinax cables, 537965-001, with a Chelsio 10G NIC. Aside from NIC driver issue, if NX-OS recognizes this SFP+, should it be expected to work in a 5020 running 4.2(1)N1(1)? Whether Cisco has certified passive HP twinax cables? I have included output to 'transceiver details' to a Cisco twinax and the HP (WL GORE) cables.
Nexus5020# show interface eth 1/7 transceiver details
Ethernet1/7
sfp is present
name is CISCO-MOLEX
type is SFP-H10GB-CU3M
[code]....
We need U-APSD (a special WMM Feature).Does the WAP321-E-K9 Support this feature?We need it for powersave mode from cordless wlan phones.
View 1 Replies View RelatedI have a remote site that has an AP running in H-REAP mode which connects over our MPLS cloud to a WLC, which has one interface on the "inside" network and one on our DMZ. The remote AP in H-REAP mode currently only runs our Guest SSID, but now I need to established an isolated VLAN.
Two of the hosts on this isolated VLAN, which is need to support some conference room devices, need to run on wireless and communicate with two devices on the same VLAN that are hard-wired to the switch.
Getting the wireless devices to connect remotely is easy enough by setting up an SSID that uses an IP subnet which one of the WLC's interfaces actually connects to...but can I do that for a completely remote IP subnet (i.e. one that the WLC does NOT physically connect to?). I'm not sure and I'm wondering whether that's the purpose of the "Remote LAN" feature...which is a very new feature.
Has used the "Planned AP association" feature in WCS 7 planning mode? I haven't been able to find any documentation on it, but I was hoping that it allowed you to map your planning AP's and locations to freshly deployed AP's and place them on the floorplan when doing a synchronize, but I can't get it to complete successfully.
View 3 Replies View Related