Mavericks VPN dropouts with native VPN client and Cisco IPSec
Since the update to Mavericks I am experiencing VPN dropouts with the native VPN client and Cisco IPSec.
I am connecting via a WiFi router to a remote VPN server.
The connection is good for a while but eventually it drops out.
I had zero issues in Mountain Lion and only have issues since the update to 10.9.
I had similar issues in the past with an unreliable WiFi router, but I am using a Verizon FiOS router and it has worked impeccably until Mavericks.
My thoughts are:
1 - Issue with Mavericks (maybe the app sleep function affecting either the VPN or WiFi daemons)
2 - Issue with Cisco router compatibility or timing with Cisco IPSec
3 - Issue with WiFi itself on Mavericks - some sort of WiFi software bug
Any thoughts or suggestions?
Similar Messages
-
DirectAccess - IPHTTPS Tunnel with native IPv6 client
I observed that in a DirectAccess KerbProxy scenario, a Windows 8.1 DirectAccess client with native IPv6 Internet connectivity is still using the IP-HTTPS transition technology for connecting to a Windows 2012R2 DirectAccess server also with native IPv6
Internet connectivity.
Is this normal behavior, even when native IPv6 Internet connectivity is available?
Note 1: the use of the IP-HTTPS transition technology is confirmed with a Wireshark/NetMon trace.
Note 2: see also the related thread
http://social.technet.microsoft.com/Forums/en-US/e4bbb30e-161a-4847-918d-ba34934b4877/directaccess-double-dns-registration-issue-with-native-ipv6-client?forum=winserverNIS
Regards,
Stefaan
After some more research I found the Technet article http://technet.microsoft.com/en-us/library/ee844198(v=WS.10).aspx. If that's still valid then no IP-HTTPS should be used at all, as both the DA client and the DA server have a public IPv6 address and can reach each other.
DA Client:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
Physical Address. . . . . . . . . : 9C-B6-54-EF-D9-37
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2a02:a010:1:12::10(Preferred)
Link-local IPv6 Address . . . . . : fe80::75df:2d9e:9fa6:a730%3(Preferred)
IPv4 Address. . . . . . . . . . . : 172.29.0.16(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.240.0
Default Gateway . . . . . . . . . : 2a02:a010:1:12::1
172.29.0.1
DHCPv6 IAID . . . . . . . . . . . : 60601940
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-74-91-FD-9C-B6-54-EF-D9-37
DNS Servers . . . . . . . . . . . : 195.238.2.21
195.238.2.22
NetBIOS over Tcpip. . . . . . . . : Enabled
DA Server:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter #2
Physical Address. . . . . . . . . : 00-50-56-87-24-4C
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2a02:a010:1:20::203(Preferred)
Link-local IPv6 Address . . . . . : fe80::7960:e687:d4f3:4bf6%18(Preferred)
IPv4 Address. . . . . . . . . . . : 193.75.143.203(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 2a02:a010:1:20::21
193.75.143.21
DHCPv6 IAID . . . . . . . . . . . : 520114262
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-39-9F-8F-00-50-56-87-31-60
DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
NetBIOS over Tcpip. . . . . . . . : Disabled
Also, why do we see in the "DirectAccess Policy-DaServerToCorpSimplified" as "Local Tunnel Endpoint" on the DA Server and as "Remote Tunnel Endpoint" on the DA Client the IPv6 address 2002:c14b:8fcb::c14b:8fcb ? That's the "Tunnel adapter 6TO4 Adapter"
of the DA Server. Shouldn't that be the IPv6 address 2a02:a010:1:20::203 in our case?
Regards,
Stefaan -
ASA 5505 VPN from internet with native VPN client, TCP discarded 1723
Hello to all,
I'm configuring this ASA to connect home users to my network using the native Microsoft VPN clients on Windows XP over the internet.
This ASA has one public internet IP on the outside interface, and the inside interface is configured in the network 192.168.0.x; I want internet users to access this network using native VPN clients.
I tested with one PC connected directly to the outside interface and it works well, but when I connect this interface to the internet and try to connect one user to the VPN I can see this in the logs, and it can't connect (error 800).
TCP request discarded from "public_ip_client/61648" to outside:publicip_outside_interface/1723"
Can you help me please? Many thanks in advance!
(running configuration)
: Saved
ASA Version 8.4(3)
hostname ciscoasa
enable password *** encrypted
passwd *** encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address publicinternetaddress 255.255.255.0
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network gatewayono
host gatewayofinternetprovideraccess
description salida gateway ono
object service remotointerno
service tcp destination eq 3389
description remoto
object network pb_clienteing_2
host 192.168.0.15
description Pebble cliente ingesta 2
object service remotoexternopebble
service tcp destination eq 5353
description remotoexterno
object network actusmon
host 192.168.0.174
description Actus monitor web
object service Web
service tcp destination eq www
description 80
object network irdeto
host 192.168.0.31
description Irdeto
object network nmx_mc_p
host 192.168.0.60
description NMX Multicanal Principal
object network nmx_mc_r
host 192.168.0.61
description NMX multicanal reserva
object network tarsys
host 192.168.0.10
description Tarsys
object network nmx_teuve
host 192.168.0.30
description nmx cabecera teuve
object network tektronix
host 192.168.0.20
description tektronix vnc
object service vnc
service tcp destination eq 5900
description Acceso vnc
object service exvncnmxmcr
service tcp destination eq 5757
description Acceso vnc externo nmx mc ppal
object service exvncirdeto
service tcp destination eq 6531
description Acceso vnc externo irdeto
object service exvncnmxmcp
service tcp destination eq 5656
object service exvnctektronix
service tcp destination eq 6565
object service exvncnmxteuve
service tcp destination eq 6530
object service ssh
service tcp destination eq ssh
object service sshtedialexterno
service tcp destination eq 5454
object-group service puertosabiertos tcp
description remotedesktop
port-object eq 3389
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_1
network-object object irdeto
network-object object nmx_mc_p
network-object object nmx_mc_r
network-object object nmx_teuve
network-object object tektronix
object-group service vpn udp
port-object eq 1723
object-group service DM_INLINE_TCP_1 tcp
port-object eq https
port-object eq pptp
object-group network DM_INLINE_NETWORK_2
network-object object actusmon
network-object object tarsys
access-list inside_access_in extended permit object remotointerno any any
access-list inside_access_in extended permit object ssh any any
access-list inside_access_in extended permit object-group TCPUDP any any eq www
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit object vnc any any
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit object remotointerno any object pb_clienteing_2
access-list outside_access_in extended permit object-group TCPUDP any object actusmon eq www
access-list outside_access_in remark Acceso tedial ssh
access-list outside_access_in extended permit tcp any object tarsys eq ssh
access-list outside_access_in extended permit object vnc any object-group DM_INLINE_NETWORK_1
access-list outside_access_in extended permit tcp any any object-group DM_INLINE_TCP_1
access-list outside_access_in extended deny icmp any any
access-list corporativa standard permit 192.168.0.0 255.255.255.0
access-list Split-Tunnel-ACL standard permit 192.168.0.0 255.255.255.0
pager lines 24
logging enable
logging monitor debugging
logging asdm debugging
logging debug-trace
mtu inside 1500
mtu outside 1500
ip local pool clientesvpn 192.168.0.100-192.168.0.110 mask 255.255.255.0
ip local pool clientesvpn2 192.168.1.120-192.168.1.130 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat (outside,inside) source static any interface destination static interface actusmon service Web Web unidirectional
nat (outside,inside) source static any interface destination static interface tarsys service sshtedialexterno ssh unidirectional
nat (outside,inside) source static any interface destination static interface pb_clienteing_2 service remotoexternopebble remotointerno unidirectional
nat (outside,inside) source static any interface destination static interface irdeto service exvncirdeto vnc unidirectional
nat (outside,inside) source static any interface destination static interface nmx_mc_p service exvncnmxmcp vnc unidirectional
nat (outside,inside) source static any interface destination static interface nmx_mc_r service exvncnmxmcr vnc unidirectional
nat (outside,inside) source static any interface destination static interface nmx_teuve service exvncnmxteuve vnc unidirectional
nat (outside,inside) source static any interface destination static interface tektronix service exvnctektronix vnc unidirectional
nat (any,outside) source dynamic DM_INLINE_NETWORK_2 interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside per-user-override
route outside 0.0.0.0 0.0.0.0 gatewayinternetprovideracces 1
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
eou allow none
aaa local authentication attempts max-fail 10
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
no sysopt connection permit-vpn
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set clientewindowsxp esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set clientewindowsxp mode transport
crypto ipsec ikev1 transform-set L2TP-IKE1-Transform-Set esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set L2TP-IKE1-Transform-Set mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 1 set ikev1 transform-set clientewindowsxp
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto dynamic-map L2TP-MAP 10 set ikev1 transform-set L2TP-IKE1-Transform-Set
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map L2TP-VPN-MAP 20 ipsec-isakmp dynamic L2TP-MAP
crypto map L2TP-VPN-MAP interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint Ingenieria
crypto ikev1 enable inside
crypto ikev1 enable outside
crypto ikev1 policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 8.8.8.8
dhcpd auto_config outside
dhcpd address 192.168.0.5-192.168.0.36 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd auto_config outside interface inside
dhcpd enable inside
no threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point Ingenieria outside
webvpn
tunnel-group-list enable
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
wins-server none
dns-server value 192.168.0.1
vpn-tunnel-protocol l2tp-ipsec
default-domain none
group-policy DfltGrpPolicy attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
group-policy ingenieria internal
group-policy ingenieria attributes
vpn-tunnel-protocol l2tp-ipsec
default-domain none
group-policy L2TP-Policy internal
group-policy L2TP-Policy attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split-Tunnel-ACL
intercept-dhcp enable
username ingenieria password 4fD/5xY/6BwlkjGqMZbnKw== nt-encrypted privilege 0
username ingenieria attributes
vpn-group-policy ingenieria
username rjuve password SjBNOLNgSkUi5KWk/TUsTQ== nt-encrypted
tunnel-group DefaultRAGroup general-attributes
address-pool clientesvpn
address-pool clientesvpn2
authentication-server-group (outside) LOCAL
authorization-server-group LOCAL
default-group-policy L2TP-Policy
authorization-required
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
class-map inspection_default
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
prompt hostname context
call-home reporting anonymous
Cryptochecksum:59b54f1d10fe829aeb47bafee57ba95e
: end
Yes, with this command it creates this:
policy-map global_policy
class inspection_default
inspect pptp
But it doesn't work. I also tried to add pptp and gre in the outside access rules but nothing...
I don't understand why, if I connect directly to the outside interface with the same outside network, it works well.
E.g.: the PC has the IP 89.120.145.14 and the outside of the ASA has 89.120.145.140, and if I create one VPN on this PC to the outside IP 89.120.145.140 with the correct parameters the ASA doesn't discard 1723 and it connects OK, but if this IP is not in this range it discards 1723... -
IEEE 802.11k roaming with client and cisco router
I found information that Cisco supports IEEE802.11k WLAN standard with their routers.
http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/5700/software/release/ios_xe_33/11rkw_DeploymentGuide/b_802point11rkw_deployment_guide_cisco_ios_xe_release33/b_802point11rkw_deployment_guide_cisco_ios_xe_release33_chapter_010.html
If I read this article, I think for assisted roaming I only need neighbor reports, but the IEEE 802.11k standard also defines several other reports like the channel load report etc.
Do I need these other reports also for roaming decisions if my device is a client?
The reason why you can't remote desktop is because you have configured the following static PAT statement that unfortunately takes precedence over your NAT exemption:
ip nat inside source static tcp 10.10.1.2 3389 192.198.46.14 3389 extendable
Do you require RDP with the public IP? If you don't and only require RDP via VPN, then please take the static PAT statement out, and RDP via VPN will work. -
My QuickTime is very jerky with 1080p video, but when I play the video file in FCPX it's smooth. I recently upgraded to OS X Mavericks on a 2011 iMac with 16 GB of RAM and should not be having this problem. Is it possible to reinstall older software? I can't figure out what's causing the jerky video so I'm assuming it's the new OS. Anyone have any suggestions?
I have the same but not the same problem. When I play a sound or a video on a website (other than YouTube) in Safari, a weird noise is coming from the speakers; the sound has pops/clicks, but if I play the same video/sound in Mozilla it works fine. If anyone knows what the problem is, please let us know.
-
Strange problem with SQLPLUS when client and server on the same box
Hi,
I have the problem with SQLPLUS when client and server are on the same machine.
With client and server on the same machine I am running the command
sqlplus -l username/password@connect_identifier as SYSDBA.
With this command, even if you pass in a wrong username or wrong password, or both wrong, you are able to connect to the database and execute queries.
Once connect_identifier is correct and you are trying to log in as SYSDBA, sqlplus will log in to the DB with any username and password.
How do I get rid of this behaviour? Is there any way to do this?
I am running this command by creating a process in C#.
Edited by: user11000236 on Jun 16, 2009 10:31 AM
user11000236 wrote:
Thanks for the info.
How does Oracle/SQLPLUS allow any username or password to log in to the DB with SYSDBA privileges? What is the concept behind this?
This is explained in the above mentioned link:
Operating system authentication takes precedence over password file authentication. If you meet the requirements for operating system authentication, then even if you use a password file, you will be authenticated by operating system authentication. -
IMAP push on native email client and dovecot
Hi.
I'm using nokia's email client (declined the agreement, so the client makes the connection) to connect to a dovecot IMAP server.
My question is, I'm using IMAP push and it works, but the client disconnects from the server (cca 5 min) and makes a traditional sync (if using freq. syncing). If I disable the freq. syncing, it just disconnects.
Best regards.
> My question is, I'm using IMAP push and it works, but the client disconnects from the server (cca 5 min) and makes a traditional sync (if using freq. syncing). If I disable the freq. syncing, it just disconnects.
It is quite simple: the native email client on the E72 does not support IMAP IDLE / push IMAP.
(The client on my old E51 did, though.)
If you use Nokia Messaging and give Nokia the email account credentials there should be a push-like function, but I did not test that.
In addition, there is no way to get the sent messages into the "sent messages" folder on the server, which makes the use of IMAP totally pointless.
Get another email client.
E72-1, product code 0586718, firmware 022.007 -
OSD with Configuration Manager Clients and PKI certifications
My team and I had just set up PKI Certs on our System Center 2012 R2 Server. We want the opportunity to utilize Out Of Band Management, but we also would like to make our OSD available to the following "Only Configuration Manager Clients." I have
done some testing and have found that without PKI enabled we have been able to use this feature. Once we enabled PKI we could only perform OSD through PXE or Boot Media.
Is there a way to have PKI enabled but also allow OSDs to be available through "Only Configuration Manager Clients"?
Thanks for the reply, I will relay the info concerning OOB. It is not necessarily a technical problem we are running into, more of an inconvenience. OSD works great as long as you make your TS deployment available through boot media or PXE. Our end goal is to create a zero touch environment. To do this I was thinking of making the TS available to only Configuration Manager clients. With PKI I lose that capability and it forces me to use boot media or PXE.
Is there a way to have PKI enabled and still be able to deploy TS with only configuration manager clients, and no other deployment method?
Thank you again.
-
EAP with Windows 2000 client and IAS server
Several messages on this site point to people using EAP on a Windows 2000 client and authenticating against an IAS server. I am running an Aironet 350 AP and trying to set up my Windows 2000 clients to use EAP only and authenticate against a Windows 2000 AD forest via IAS. The access point and client are on the latest firmware and drivers (12.0 for AP). I have two basic questions.
1. It is my understanding that by enabling Network-EAP as the only authentication type, users will authenticate and then dynamic WEP keys will be used, greatly reducing the risks of compromised WEP keys while at the same time keeping the data encrypted.
2. Does anyone have a quick HOW-TO or point-by-point list of how to configure the Windows 2000 client to authenticate using the Network-EAP method? I am currently running into a situation where no matter what I configure on the client, the IAS server reports an error with "Reason: The authentication type is not supported on this system." I also noticed that the "Authentication-Type" and "EAP-Type" fields shown in the IAS messages in the Windows 2000 Event Viewer log have the value "<undetermined>". Has anyone else run into this?
I'm having a similar problem. I'm trying to do PEAP and it appears that IAS is not handling the request properly. It keeps trying to log the user PEAP-##### in instead of setting up the TLS and then asking for Username, Pass, Domain. The IAS error message I'm getting is:
User PEAP-00097CFCD901 was denied access.
Fully-Qualified-User-Name = APPLY\PEAP-00097CFCD901
NAS-IP-Address = 172.16.200.31
NAS-Identifier = AP1
Called-Station-Identifier = 004096570d87
Calling-Station-Identifier = 00097cfcd901
Client-Friendly-Name = WirelessAP
Client-IP-Address = 172.16.200.31
NAS-Port-Type = 19
NAS-Port = 37
Policy-Name =
Authentication-Type = EAP
EAP-Type =
Reason-Code = 8
Reason = The specified user does not exist.
So if anybody has the needed settings for Win2k (SP3 and 802.1x patch) IAS it would be much appreciated.
Ben
Note: if I had PEAP-####### as a user in Win2k I get:
User PEAP-00097CFCD901 was denied access.
Fully-Qualified-User-Name = apply.org/Users/PEAP TEST
NAS-IP-Address = 172.16.200.31
NAS-Identifier = AP1
Called-Station-Identifier = 004096570d87
Calling-Station-Identifier = 00097cfcd901
Client-Friendly-Name = WirelessAP
Client-IP-Address = 172.16.200.31
NAS-Port-Type = 19
NAS-Port = 37
Policy-Name = Wireless Policy
Authentication-Type = EAP
EAP-Type =
Reason-Code = 16
Reason = There was an authentication failure because of an unknown user name or a bad password. -
Issue with hp ipaq 614c and cisco ap
Hello. I tried to connect an iPAQ 614c to a Cisco AP1131 using WPA-PSK TKIP with no success. The iPAQ connects without any problem to other access points including Linksys. I've tried the Odyssey client and I get the message: waiting for keys. The event log of the AP says: Packet to client reached max retries, removing the client. I am able to connect with other models of iPAQ to the AP. Anyone know what the problem might be? I also tried disabling QoS but the result is the same.
Is the SSID only configured for 1 security policy? I had an issue one time where the SSID was configured for both WPA and WPA2 and I had issues. It wasn't till I selected just a single security policy that it worked.
You may want to try a real simple key at first. Try connecting it to an open network. Start 'unpacking' it so to speak...
You may see more info if you go into the CLI of the controller and debug the client. Also, if you have a layer 2 analyzer (AirMagnet or Peek you may see something of interest...) -
hi,
I'm trying to setup a VPN solution, connecting to a 800 series router and authenticating off a Cisco ACS tacacs server.
I've basically followed the suggested config at http://www.cisco.com/en/US/customer/tech/tk59/technologies_configuration_example09186a00800a393b.shtml and the setup works fine if I use local authentication, but as soon as I switch to using TACACS the client authentication fails.
Debugging tacacs on the router i can see the requests being sent to the server, and the replies coming back - the login detail are definitely correct so I'm guessing that TACACS isn't authorising me to use VPN or IPSEC or something. But there is nothing in the ACS logs to suggest why I'm not getting through - no failed attempts are shown.
Any ideas?
Here is some debug from the router:
Feb 24 12:28:58.973 UTC: TPLUS: processing authentication start request id 129
Feb 24 12:28:58.973 UTC: TPLUS: Authentication start packet created for 129(vpngroup)
Feb 24 12:28:58.973 UTC: TPLUS: Using server 10.10.10.10
Feb 24 12:28:58.973 UTC: TPLUS(00000081)/0/NB_WAIT/823A9F04: Started 5 sec timeout
Feb 24 12:28:58.989 UTC: TPLUS(00000081)/0/NB_WAIT: socket event 2
Feb 24 12:28:58.989 UTC: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
Feb 24 12:28:58.989 UTC: T+: session_id 1729330768 (0x67137E50), dlen 16 (0x10)
Feb 24 12:28:58.989 UTC: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
Feb 24 12:28:58.989 UTC: T+: svc:LOGIN user_len:8 port_len:0 (0x0) raddr_len:0 (0x0) data_len:0
Feb 24 12:28:58.989 UTC: T+: user: vpntest
Feb 24 12:28:58.989 UTC: T+: port:
Feb 24 12:28:58.989 UTC: T+: rem_addr:
Feb 24 12:28:58.989 UTC: T+: data:
Feb 24 12:28:58.989 UTC: T+: End Packet
Feb 24 12:28:58.989 UTC: TPLUS(00000081)/0/NB_WAIT: wrote entire 28 bytes request
Feb 24 12:28:58.993 UTC: TPLUS(00000081)/0/READ: socket event 1
Feb 24 12:28:58.993 UTC: TPLUS(00000081)/0/READ: Would block while reading
Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: socket event 1
Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: read entire 12 header bytes (expect 16 bytes data)
Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: socket event 1
Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: read entire 28 bytes response
Feb 24 12:28:59.009 UTC: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
Feb 24 12:28:59.009 UTC: T+: session_id 1729330768 (0x67137E50), dlen 16 (0x10)
Feb 24 12:28:59.009 UTC: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10, data_len:0
Feb 24 12:28:59.009 UTC: T+: msg: Password:
Feb 24 12:28:59.009 UTC: T+: data:
Feb 24 12:28:59.009 UTC: T+: End Packet
s9990-cr#
Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/823A9F04: Processing the reply packet
Feb 24 12:28:59.009 UTC: TPLUS: Received authen response status GET_PASSWORD (8)
"AUTHEN/REPLY status:5" is a permanent fail according to the TACACS RFC
In the VPN Client log it say "User does not provide any authentication data"
So to summarise:
-Same ACS server\router\username combination works fine for telnet access.
-VPN works fine with local authentication.
-No login failures showing in the ACS logs. -
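The router debug above prints the TACACS+ header fields (version, type, seq, session_id, dlen) and the AUTHEN/REPLY body (status, flags, msg_len, server message). The decoder below is an added example, not from the thread: it builds a reply of the same shape from the values in the debug (session 0x67137E50, seq 2, status 5, NOECHO flag, "Password: ", 16-byte body, 28 bytes total), applies the body obfuscation defined in RFC 8907 with a placeholder shared secret, and parses it back, naming the status byte as the specification does.

```python
"""Decoder for TACACS+ authentication REPLY packets (RFC 8907, sections 4 and 5.2).

Added example; not from the thread. The packet bytes are constructed from the
values shown in the router debug (version 0xC0, seq 2, session_id 0x67137E50,
dlen 16, status 5, reply flags 0x1, msg "Password: "). The shared secret is a
placeholder chosen for this example.
"""
import hashlib
import struct

TAC_PLUS_AUTHEN = 0x01             # header type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # header flag: body sent in cleartext
TAC_PLUS_REPLY_FLAG_NOECHO = 0x01  # reply flag: client must not echo the input
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length

# Authentication REPLY status values; 5 asks the client to send the password.
AUTHEN_STATUS = {
    0x01: "PASS", 0x02: "FAIL", 0x03: "GETDATA", 0x04: "GETUSER",
    0x05: "GETPASS", 0x06: "RESTART", 0x07: "ERROR", 0x21: "FOLLOW",
}


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 keystream (RFC 8907 section 4.5): each block is the MD5 of
    session_id | key | version | seq_no, chained with the previous block."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(seed + block).digest()
        pad += block
    return pad[:length]


def obfuscate(session_id, key, version, seq_no, body):
    """XOR the body with the pseudo pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_reply(session_id, seq_no, status, server_msg, key=None,
                       data=b"", version=0xC0):
    """Encode a REPLY; with no key the body stays cleartext and the
    unencrypted header flag is set, as a lab server would do."""
    body = struct.pack("!BBHH", status, TAC_PLUS_REPLY_FLAG_NOECHO,
                       len(server_msg), len(data)) + server_msg + data
    flags = 0
    if key is None:
        flags |= TAC_PLUS_UNENCRYPTED_FLAG
    else:
        body = obfuscate(session_id, key, version, seq_no, body)
    return HEADER.pack(version, TAC_PLUS_AUTHEN, seq_no, flags,
                       session_id, len(body)) + body


def parse_authen_reply(packet, key=None):
    """Decode the header and REPLY body; raises ValueError on malformed
    input or when an obfuscated body is given without the shared secret."""
    if len(packet) < HEADER.size:
        raise ValueError("short packet: no complete 12-byte header")
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    if ptype != TAC_PLUS_AUTHEN:
        raise ValueError(f"not an authentication packet (type {ptype})")
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError(f"body truncated: header says {length}, got {len(body)}")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        if key is None:
            raise ValueError("body is obfuscated; shared secret required")
        body = obfuscate(session_id, key, version, seq_no, body)
    status, rflags, msg_len, data_len = struct.unpack_from("!BBHH", body)
    if 6 + msg_len + data_len != length:
        raise ValueError("body length does not match msg_len + data_len")
    server_msg = body[6:6 + msg_len]
    return {
        "version": version, "seq_no": seq_no, "session_id": session_id,
        "length": length, "status": status,
        "status_name": AUTHEN_STATUS.get(status, "UNKNOWN"),
        "noecho": bool(rflags & TAC_PLUS_REPLY_FLAG_NOECHO),
        "server_msg": server_msg.decode("ascii", "replace"),
        "data": body[6 + msg_len:6 + msg_len + data_len],
    }


def requires_secret(packet):
    """True when the packet cannot be decoded without the shared secret."""
    try:
        parse_authen_reply(packet)
        return False
    except ValueError:
        return True


# Constructed sample mirroring the debug: seq 2, session 0x67137E50, status 5
# with the prompt "Password: " (10 bytes -> 16-byte body, 28 bytes on the wire).
SESSION_ID = 0x67137E50
PLACEHOLDER_KEY = b"example-shared-secret"  # placeholder, not a real secret
SAMPLE_REPLY = build_authen_reply(SESSION_ID, 2, 0x05, b"Password: ",
                                  key=PLACEHOLDER_KEY)


def decode_sample():
    """Decode the constructed packet with the placeholder secret."""
    return parse_authen_reply(SAMPLE_REPLY, key=PLACEHOLDER_KEY)


if __name__ == "__main__":
    r = decode_sample()
    print(f"seq {r['seq_no']} session {r['session_id']:#x} dlen {r['length']} "
          f"status {r['status']} ({r['status_name']}) msg {r['server_msg']!r}")
```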
VPN 3005 with 3002 Hardware Client
I have a VPN3002 Hardware Client (172.16.1.x) that is accessing a VPN3005 Concentrator (192.168.x.x) in Network Extension Mode. On the VPN3005, I have a LAN-to-LAN connection to another VPN device. I can access addresses in all scenarios except for from devices behind the Hardware Client through the LAN-to-LAN tunnel. In other words, addresses behind the Hardware Client (172.16.1.x) cannot access addresses through the LAN-to-LAN.
Devices on the network behind the Concentrator (192.168.x.x) CAN access addresses through the LAN-to-LAN and there is bi-directional communication between the network behind the 3005 and behind the 3002 client.
Can anyone help? Thank you.
The 3000 is only going to send traffic over the L2L tunnel that is sourced from the Local Network and going to the Remote Network. Traffic from behind the 3002 is NOT going to match this based on the fact you're NAT'ing all the local traffic to some other address.
I presume you have done this NAT'ing on some device before the 3000, in which case there's no way to get the 3002 traffic to also be NAT'd since it is going to come in and go straight back out the Public interface of the 3000.
You will have to add another line to your Local Network list that defines the traffic behind the 3002. Similarly, the remote end is going to have to add this same network to their Remote network list. Unless you do that, or find some way to NAT the 3002 traffic to the same address, the 3005 is NOT going to send it over the tunnel because you haven't told it to. -
Yahoo! Mail glitches with Lion mail client and Address Book app
I had really been looking forward to using my Yahoo! mail account in the Lion mail client but now that it is here and I have set it up and used it for a few days I am noticing the following issues:
New mail is not always received or is received late. Yahoo! Webmail portal shows new items but these sometimes do not appear in Lion mail client even after a manual 'get mail' check.
Mail marked as read in Yahoo! Webmail portal or in mail clients in iOS devices such as iPhone or iPad is not marked as read in Lion mail client, however the reverse does work (i.e. mail marked as read in Lion mail client does mark the message as read in webmail and in clients on iOS devices).
Yahoo! Aliases are not supported. Yes, you can add aliases by inserting the other email addresses in the 'Email Address' field of the account settings, but you cannot add more than one display name.
I have also found that if you turn on Yahoo! contacts via the tick-box in the new 'Mail, Contacts & Calendars' pref pane in System Preferences that I end up with random duplicated contacts. These duplicates are not seen on iOS devices, just in the Address Book app. If you delete a duplicate contact, it deletes the contact altogether. However, I have found that if you keep contacts unticked in the pref pane and add your Yahoo! account the old-fashioned way (i.e. via the Address Book app's own preferences) then the contacts sync through perfectly with no duplications.
I would be interested to know if anybody else is experiencing these issues. It may be worth noting that mine is not a @yahoo.com address but @xtra.co.nz which belongs to my ISP here in New Zealand, but the mail is managed by Yahoo!. The account works perfectly as a Yahoo! account on iOS devices and does appear to be working in Lion, except for these small glitches but I don't imagine these are specific to @xtra.co.nz addresses.
Thanks
Steve
I've had the same experience here.
Essentially it seems like Lion Mail.app just takes an incredibly long time to pick up new changes from the IMAP server at Yahoo.
iOS and webmail are obviously much quicker.
If it is working on iOS, why is it so delayed in Mail?
Any solutions out there? -
Open Directory or LDAP Problem with 10.5 Client and 10.4 Server
Yesterday, the client-server setup we've been using successfully FOR YEARS decided not to work on a v10.5.8 MacBook Pro client. Did not do anything to the v10.5 client recently (other than to boot it up). Not sure if any software was updated on the server recently (where do I check for this?). Curiously, a v10.4.11 client running on a Mac Pro (tower) continues to work fine/as though nothing's changed. It appears as though the only difference is v10.4 client (working) vs. v10.5 client (not working).
Here is what IS working:
1) Network Home Directories on dedicated drive partition of Mac running OS X Server v10.4.11. AFP, DNS, and Open Directory are all up and running (normally, I think) as shown in Server Admin application.
2) Mac Pro (tower) client running v10.4.11 binds to and authenticates at v10.4.11 server. Any valid user can access their home directory on the server seamlessly when logging in at this v10.4.11 client Mac.
3) That same v10.4.11 client Mac also contains a LOCAL admin user with its home directory on the local hard drive. That LOCAL admin account is used to update software on a per machine basis (and preclude users from adding unauthorized software, needing to use a specific machine, etc.).
Here is what IS NOT working:
4) On a MacBook Pro client running v10.5.8, the LOCAL admin account loses access to the partition containing its local home directory. The drive partition literally disappears. The only "solution" I've been able to find (and it's not truly a solution) is to turn off the Open Directory/LDAP binding (using the Directory Utility application). With binding turned off, the LOCAL admin user has no problem accessing their home directory on the local hard drive partition. Turn binding on again (using Directory Utility application), and the LOCAL admin user can no longer see its local home directory.
Again, binding is necessary to allow regular users to use the v10.5 MacBook Pro with Network Home Directories (as in items 1-3 above). Binding should be turned on for this reason. However, with binding on, the LOCAL admin user cannot manage the computer because the local partition containing the admin home directory disappears/is inaccessible. Turn binding off, and the partition containing the admin home directory reappears.
Perhaps there's something in the server logs that will help. I don't really know how to read these, so if your help involves the logs, please refer to them explicitly (e.g., "in Server Admin, go to Open Directory->Logs->LDAP log" or similar).
Any help greatly appreciated.
Nope. Never used sso_util.
I try to use Apple's GUI server management tools unless absolutely necessary/at the end of my rope (i.e., last step before re-install etc.). I figure there's just too many things going on under the hood: using the command line may fix one setting, but not re-configure the two or three others that Apple NEEDS in order to have the whole thing working in harmony. Unless you really know what's going on with all the configuration files, it's best to let the GUI manage the settings.
In my particular circumstance, I've now got ALL Leopard clients, one Leopard v10.5 server, and one Tiger v10.4 server. Everything is working fine now, but it was not a simple matter getting the Tiger v10.4 server re-integrated into the otherwise ALL Leopard environment. OD/Kerberos is on the Leopard v10.5 server. Home directories are still on the Tiger v10.4 server.
Two keys to getting THIS/MY set-up working:
1) Tiger v10.4 server needs to have Open Directory set to "Connected to a Directory System" and has to be joined to the Kerberos realm that was set-up on the Leopard v10.5 server (use Server Admin to do all of this).
2) Sharepoint on Tiger v10.4 server has to have SOME, but NOT ALL checkboxes for guest access enabled/checked. See:
http://discussions.apple.com/message.jspa?messageID=10903468#10903468
Number 2 immediately above is contrary to what Apple manual for User Management reads, but this is what worked for me/my set up, after pulling my hair out following the manual's instructions to the letter and not getting the thing to work! -
Problem with Native Web Services and %ROWTYPE
Hi,
I have a simple stand-alone function which takes a varchar2 IN argument, uses the IN argument to retrieve data from a single table, and returns the data as TableName%rowtype.
Accessing the generated WSDL from a browser using http://host:port/orawsv/FUNCTION?wsdl results in the following:
<?xml version="1.0" ?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<soap:Fault>
<faultcode>soap:Client</faultcode>
<faultstring>Error processing input</faultstring>
<detail>
<OracleErrors xmlns="http://xmlns.oracle.com/orawsv/faults">
</OracleErrors>
</detail>
</soap:Fault>
</soap:Body>
</soap:Envelope>
I can see a successfully generated WSDL for a similar function which returns XMLType
Is %rowtype supported as a return argument ?
And on a related note, is ref cursor supported as a return argument in a stored procedure ?
Thanks,
Pete
PS - version details as follows ...
"BANNER"
"Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production"
"PL/SQL Release 11.2.0.1.0 - Production"
"CORE 11.2.0.1.0 Production"
"TNS for Linux: Version 11.2.0.1.0 - Production"
"NLSRTL Version 11.2.0.1.0 - Production"
Edited by: user13046122 on 31-Aug-2012 01:48
It appears that %ROWTYPE is not supported directly, and that we need to create a TYPE to wrap the return data.
Thanks to Marc Thompson for the details (http://marc-on-oracle.blogspot.co.uk/2007/12/11g-database-installation-and-native.html)
PD
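As an added illustration of the workaround the follow-up describes (example code, not from the original thread or from Oracle's documentation): the same lookup written once with a TableName%ROWTYPE return value, which orawsv cannot describe in a WSDL, and once returning a schema-level object TYPE that it can. The table, column and type names are assumed.

```sql
-- Constructed sample table; names are assumed for the example.
CREATE TABLE customers (
  cust_id   VARCHAR2(20) PRIMARY KEY,
  cust_name VARCHAR2(100),
  balance   NUMBER(12,2)
);

-- Original shape: valid PL/SQL, but orawsv has no XML mapping for a
-- %ROWTYPE record, so FUNCTION?wsdl returns the soap:Fault shown above.
CREATE OR REPLACE FUNCTION get_customer_row (p_id IN VARCHAR2)
  RETURN customers%ROWTYPE
IS
  l_row customers%ROWTYPE;
BEGIN
  -- p_id is a bind, never concatenated into SQL text.
  SELECT * INTO l_row FROM customers WHERE cust_id = p_id;
  RETURN l_row;
END;
/

-- Workaround: a schema-level object type that mirrors the row, which
-- orawsv can publish as an XML complex type in the generated WSDL.
CREATE OR REPLACE TYPE customer_t AS OBJECT (
  cust_id   VARCHAR2(20),
  cust_name VARCHAR2(100),
  balance   NUMBER(12,2)
);
/

CREATE OR REPLACE FUNCTION get_customer (p_id IN VARCHAR2)
  RETURN customer_t
IS
  l_row customers%ROWTYPE;
BEGIN
  SELECT * INTO l_row FROM customers WHERE cust_id = p_id;
  -- Copy the record into the object type for the web service layer.
  RETURN customer_t(l_row.cust_id, l_row.cust_name, l_row.balance);
EXCEPTION
  -- Return an empty result rather than surfacing an unhandled error
  -- (and an Oracle error text) to the SOAP caller.
  WHEN NO_DATA_FOUND THEN
    RETURN NULL;
END;
/
```

The orawsv endpoint exposes only what the connecting database user may execute, so grant EXECUTE on get_customer (and nothing wider) to the account the web client authenticates as.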