Slow Windows domain logon over EZVPN network extension mode tunnel

I have 4 branch offices connected to a central EZVPN server in network extension mode.
Tunnels are working correctly but domain logon is extremely slow (often more than 10 minutes).
Do you think it could be a fragmentation issue?
If it is, do you know any way to solve it?
The errors reported in the Windows XP system logs are the following:
     System     > LSASRV 40961 no secure connection with server, no authentication protocol available
     Application> usernv 1030
     Application> usernv 1006
Thanks
Johnny

Hi
I am in exactly the same situation with the ASA 5510 running security plus license, version 8.0(5), 512 MB RAM.
Going to try to upgrade the IOS tonight and upgrade the RAM to 1GB to take it up to version 9; will let you know if it helps.
Currently download speeds are very bad, around 14MB, whereas uploads are around 96 MB.

Similar Messages

  • Very slow Windows domain login over IPSec VPN

    Hi
    I'm experiencing very slow Windows domain logins over an IPSec VPN connection. The AD is in Site 1, some users are in Site 2. Two Cisco ASA firewalls connect both sites by an IPSec VPN over the Internet.
    I made some registry changes on the Windows XP client on site 2 to let Kerberos communicate over TCP instead of UDP. Still the logins take extremely long (45 minutes). Profiles are very small, so there had to be a problem with Kerberos, MTU sizes or something like that. I already changed the client's MTU settings to 1000 bytes, but login is still very slow. I made some sniffer logs...
    Does anybody know what the problem can be ?
    Regards
    Remco

    Hi Remco,
    The most common issue with slowness over VPN is going to be fragmentation. In general, below are the recommendations to avoid fragmentation:
    1. For TCP traffic, use "ip tcp adjust-mss 1360" on the Internal LAN Interface on the Router. If you are using GRE then configure "ip mtu 1400" under the Tunnel Interface.
    If you are not using GRE then the value of "ip tcp adjust-mss" depends on the type of transform-set being used E.g. AES\3DES etc, so you can increase the value of TCP adjust command from 1360 to a higher value. Though I will start from 1360 first for testing.
    Also take a look at the below article for MTU Issues
    http://www.cisco.com/en/US/customer/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml
    Thanks,
    Naman
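
The reply above says the usable `ip tcp adjust-mss` value depends on the transform set and on whether GRE is in use. As an added worked example (not part of the reply or of Cisco's documentation), the following computes ESP tunnel-mode overhead and the largest MSS that keeps a full-size TCP segment inside the path MTU. It assumes IPv4 without IP or TCP options, CBC ciphers and HMAC-SHA1-96; the function names and transform labels are constructed for the illustration.

```python
"""ESP tunnel-mode overhead and the largest TCP MSS that avoids fragmentation.

Added illustration. Assumes IPv4, no IP or TCP options, CBC ciphers and a
96-bit truncated HMAC; all names below are constructed for this example.
"""
from dataclasses import dataclass

IPV4_HEADER = 20    # outer (tunnel) or inner IPv4 header
TCP_HEADER = 20     # TCP header without options
ESP_HEADER = 8      # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2     # pad-length byte + next-header byte, encrypted with the payload
GRE_OVERHEAD = 24   # GRE delivery IPv4 header (20) + basic GRE header (4)
NAT_T_UDP = 8       # UDP header added when NAT traversal encapsulates ESP


@dataclass(frozen=True)
class Transform:
    block: int  # cipher block size; ESP pads the plaintext to a multiple of it
    iv: int     # per-packet initialisation vector carried in clear
    icv: int    # integrity check value appended after the ciphertext


TRANSFORMS = {
    "aes-cbc/sha1-96": Transform(block=16, iv=16, icv=12),
    "3des-cbc/sha1-96": Transform(block=8, iv=8, icv=12),
}


def esp_packet_size(inner_len: int, t: Transform, nat_t: bool = False) -> int:
    """On-the-wire size of the ESP packet that carries an inner IP packet."""
    padded = -(-(inner_len + ESP_TRAILER) // t.block) * t.block  # round up
    udp = NAT_T_UDP if nat_t else 0
    return IPV4_HEADER + udp + ESP_HEADER + t.iv + padded + t.icv


def max_inner_packet(path_mtu: int, t: Transform, nat_t: bool = False) -> int:
    """Largest inner IP packet whose ESP encapsulation still fits path_mtu."""
    fixed = IPV4_HEADER + ESP_HEADER + t.iv + t.icv + (NAT_T_UDP if nat_t else 0)
    room = path_mtu - fixed
    ciphertext = room - room % t.block      # whole cipher blocks only
    return ciphertext - ESP_TRAILER


def max_mss(path_mtu: int, t: Transform, gre: bool = False,
            nat_t: bool = False) -> int:
    """Highest TCP MSS that never forces fragmentation of the tunnel packet."""
    inner = max_inner_packet(path_mtu, t, nat_t)
    if gre:
        inner -= GRE_OVERHEAD               # GRE sits inside the ESP payload
    return inner - IPV4_HEADER - TCP_HEADER


def fragments(mss: int, path_mtu: int, t: Transform, gre: bool = False,
              nat_t: bool = False) -> bool:
    """True if a full-size segment at this MSS exceeds path_mtu once encrypted."""
    inner = mss + TCP_HEADER + IPV4_HEADER + (GRE_OVERHEAD if gre else 0)
    return esp_packet_size(inner, t, nat_t) > path_mtu


if __name__ == "__main__":
    for name, t in TRANSFORMS.items():
        for gre in (False, True):
            for nat_t in (False, True):
                print(f"{name:18} gre={gre!s:5} nat_t={nat_t!s:5} "
                      f"max MSS at MTU 1500 = {max_mss(1500, t, gre, nat_t)}")
    aes = TRANSFORMS["aes-cbc/sha1-96"]
    print("default MSS 1460 fragments:", fragments(1460, 1500, aes))
    print("clamped MSS 1360 fragments:", fragments(1360, 1500, aes))
```

Under these assumptions a 1500-byte path gives a ceiling of 1398 for AES without GRE and 1374 with GRE, so the 1360 and `ip mtu 1400` starting values leave headroom. With GRE and NAT traversal together the ceiling drops to 1358, which is the case to check before raising the clamp.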

  • Leap and windows domain logon

    I'm doing some test with an Air 1200 and some 352 Pc card for one of our customers.
    With ACU ver. 4.25.23, I enabled LEAP authentication using the windows user name and password.
    Leap authentication is successful, while windows domain logon not.
    Not to say, using a "normal" NIC that logon succeeds.
    Sniffing the packets that come out the AP, it seems the domain logon happens... I see the requests/answers between my client and the domain controller...
    However, after canceling the windows domain logon I have normal connectivity with the entire network.
    Someone experienced that? Any help will be greatly appreciated.
    Antonio Tassone

    Sure.
    My attempts to log on to a Windows domain using the same user/password for LEAP authentication and Windows logon were unsuccessful (either using Win9x or Win NT/2000 on the client); indeed the login dialog box was stuck in something like "searching primary domain controller" or similar (I'm sorry but it was some months ago).
    Looking the Radius server log, I found an error like " xxxxx DLL rejected".
    Searching the Cisco web site and the forums for that error, I read the advice to make the authentication services on the NT server to run with the privileges of one of the Windows Domain Administrator accounts.
    Following that advice, and with some other tweaking explained in the document I read, I reached my goal.
    I regret I can't be more precise.
    Regards.

  • Configure Windows Domain Logon on Airport Express

    The question is... How can I configure Windows Domain Logon data on an Airport Express so it connects automatically without asking each of my other devices for login credentials?
    I use my Airport Express at work connecting it through ethernet, and the network uses Windows Domain credentials to login, that is user, password and domain server. I have all data needed, that is, static IP, Gateway, DNS, user, password, etc., but I haven't found how to do this inside the Airport Express so I configure just one device instead of 3 or more.
    I have tried configuring the Airport Express as PPPoE, but that's not the solution for this problem.
    Thanks in advance for the answer.

    Your wireless Netgear router and AirPort Express Base Station (AX) are pretty much useless if you don't have wireless capability for your Dell desktop. The AX uses AirTunes to receive, wirelessly, iTunes from your desktop.
    Just add a wireless card to your Dell and you should be in good shape. In fact, once you go wireless, you can return the Netgear router as your AX will provide Internet connectivity, stream iTunes, and share a USB printer.

  • Windows 8.1 Group Policy to Force Domain Logon as Default?

    I recently purchased a new Windows 8.1 computer for use in our organization. The default logon option for the device is for a Microsoft Account (the default username field prompt is for an e-mail address, rather than for a username.) However, I would prefer that the default logon option be for a Windows domain account logon, so that users don't have to click the "Sign-in options" link and select "Local or domain account password" each time they need to log onto the computer.
    I have learned that setting the "Interactive logon: Do not display last user name" policy (located under Computer Configuration / Policies / Windows Settings / Security Settings / Local Policies / Security Options) to Disabled allows the domain logon option to be retained across sessions. However, I would prefer to keep this option set to Enabled so that the previous user name is not displayed.
    Does anyone have any suggestions on how the default logon option can be forced to a domain logon, while still suppressing the display of the last username?

    Hi Arowitv,
    According to your description, we can use the following policy to check the result.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options:
    Accounts: Block Microsoft accounts
    Click this option, and select "Users can't add or log on with Microsoft account"
    Note: Selecting this option might make it impossible for an existing administrator on this computer to log on and manage the system.
    Computer Configuration\Administrative Templates\System\Logon: Assign default domain for logon
    Set the option to Enabled, and add the Default Logon domain.
    Hope this helps.
    Regards,
    Kelvin Xu
    TechNet Community Support

  • How to connect MBA to Windows domain over Wi-Fi?

    Hi. I'm on a university campus. MBA automatically picks up wi-fi connection, which is great. Because MBA does not have an Ethernet port, how do I join my office's Windows 2003 network domain over Wi-Fi? Thanks for any help I can get!

    Hi dufus,
    Are you looking to access domain resources over WiFi? Such as printers, AD resources, etc.? This sounds like a question for the domain administrators, unfortunately. Reason I say that, the domains that I manage at work specifically restrict access to resources based on connection Subnet and VLAN. As such unless you're hard wired to specific ports you don't get access to my resources.
    Everyone manages their domains differently and without knowing how your domain is configured it's impossible to recommend steps.

  • Slow transfer speeds between Mac Pro and Shared Drive on Windows Domain

    Hi Guys,
    Getting really slow transfer speeds when I try and transfer a file from a Mac Pro to a shared network drive on one of our Windows 2003 Servers.
    The Mac Pro is logged on to windows domain. This data is transferring via our hard network, not via wireless. Not having any other transfer speed issues on any other PC's.
    For example an 8mb file took around 45 mins.
    Hope you can help. Many Thanks.

    I saw this at a site where they were using DFS with Server 2003. When the few Macs they had connected to the actual server and uploaded the file it was okay. But when it was sending the file via the \\DFS_node\share_name the Mac took heaps longer for the same file. Watching the Activity Monitor > Network monitor you could see gaps with the data transfer, as if there was some pausing between packets. A pcap showed that there were constant DNS requests coming from the Mac, even after the connection to the share was made. The same wasn't happening when the connection via SMB was directly to the actual file server. As there were only a few Macs on site they left it with the direct connection but were getting an MS specialist in to look at it. Never heard what happened with that one but you may want to try monitoring the packet transfer to see if the data movement is constant or breaking. I'd also recommend getting Wireshark to monitor the transfer. You can compare upload to download and maybe even the transfer from the Mac to an MS workgroup share.

  • Inconsistent domain logon times

    I have logon times that vary from 5 to 90 seconds for a domain login. If the user logs on for the first time it takes about 90 seconds; this appears fair due to the work that is done with preparing the desktop and copying profiles... etc. The next time the user logs on it takes around 10 seconds, which I am happy with.
    All group policies work fine. My only problem is to keep the logon time down and consistent.
    The problem is that when the system is rebooted the logon time is around 30-40 seconds. After that they go back to 10 - 15 seconds. That seems to hint at a network issue. I have been tracing what is happening using PROCMON and PROCEXE; currently trying to see if that tells me anything.
    One thing that I have also noticed is that the Network name appears to have an impact on what the logon times will be. For example if the Network name is the same as my domain name "domain.xxx" the login times are good (10 - 15 secs). However, for some reason that I don't know the Network name may be "Network 3", "Unidentified Network", "domain.xxx 2 (unauthenticated)". When this happens I can pretty well guarantee that the logon times go out the window.
    Can anyone advise what I can do to fix this?
    The environment is Windows 7 PCs, Windows 2008 R2 servers in a Domain/Forest Functional level of Windows Server 2008 R2.
    Ron Rose

    Hi,
    It’s normal to take some time to log on a new user for the first time. At first logon, the time depends on many factors:
    Do we use roaming profile?
    Is there any software settings in group policy?
    Do we need to attach a network printer?
    Is there any automatic map drive?
    You may refer to the link below to find some useful information: Root Causes for Slow Boots and Logons
    http://social.technet.microsoft.com/wiki/contents/articles/10130.root-causes-for-slow-boots-and-logons-sbsl.aspx#Network
    If you still want to improve it, I'd like to recommend that you contact Microsoft Customer Support Service (CSS) for assistance so that this problem can be resolved efficiently. To obtain the phone numbers for specific technology request please take a look at the web site listed below:
    http://support.microsoft.com/default.aspx?scid=fh;EN-US;PHONENUMBERS
    If you are outside the US please see http://support.microsoft.com for regional support phone numbers.
    Hope it helps.
    Regards,
    Blair Deng
    TechNet Community Support

  • Windows 8 Logon times default user profile size

    With the addition of Chromebooks and other devices that boot in 3 seconds, we are re-evaluating our Windows 8 environment. Windows 8 does boot up much quicker, but our domain logon times are still 2+ minutes or more if there is no user profile.
    So I took our policies down to the bare minimum to see what is really taking forever for computers to log on.
    Using unattend.xml, we use the copyprofile flag to customize the default desktop experience for our users. The default profile then becomes 185MB and I'd like to try and reduce that to improve logon times when no profile exists. The following folders are where the majority of space is being used and I want to know if I can delete them in the default user profile.
    25MB c:\users\default\appdata\local\microsoft\windows\explorer  -  Icon and Tile Cache
    40MB c:\users\default\appdata\local\microsoft\windows\WebCache - log files in machine language
    7MB   c:\users\default\appdata\local\microsoft\windows\notification 
    7MB c:\users\default\appdata\locallow\adobe\shockwave player 11\xtras\download\adobesystemsincorporated
    3MB c:\users\deafult\appdata\roaming\microsoft\Bibliography
    4MB c:\users\deafult\appdata\roaming\microsoft\Document Building Blocks\1033\15\Built-in Building Blocks.dotx
    How fast can I make it?   I used autologon registry keys to logon to a domain account (non-administrator).  Timings are from totally off to viewing the Start Screen. 
    The BIOS on our HP 6306 takes about 12 seconds to even start booting Windows 8 and so the total boot time till the start menu shows is 25 seconds with Windows 8 taking 13 seconds to boot and logon.  That is really, really nice. 
    So then I added 3 mapped drives (not redirection) and one printer to the group policy and that didn't add any time once the profile was created.
    Creating a profile is what really slows down the logon process.  Granted this is much after after the profile is done, but the vast majority of our machines are public with random students/staff logging on to them. 
    More testing to come.

    Were you able to reduce the size of the default profile?

  • Log on to an apple computer using a Windows Domain 2003 Users

    I work in a Windows 2003 environment with Active Directory (AD). All of our users are stored in AD. The network has one Apple computer, but users need to log on to the Apple computer by using their Windows domain account. The OS on the Apple is Tiger 10.4.11 and is updated. I bound the Apple computer to the domain, for example:
    Active Directory Forest = MRC.EDU
    Active Directory Domain = PAT.MRC.EDU
    Preferred Domain Controller = MRC01K.PAT.MRC.EDU
    Able to log on with one Windows Domain account, but no other can log on. The error messages I get are:
    You are unable to log in the user account " " at this time.
    Logging in to the account failed because an error occurred. The home folder for the user account is located on AFB or SMB Server.
    (We use a SMB and all of our servers OS is Windows 2003 Server.)
    AND
    The system is unable to log you in at this time.
    I am weak on Apple OS and need some help to solve this problem.

    Hi the system is unable to log, and a warm welcome to the forums!
    What Workgroup & AD settings do you have set on the Mac in Directory Access Utility?
    See if these 2 links help also...
    http://www.macosxhints.com/article.php?story=20050302023720578
    http://allinthehead.com/retro/218/accessing-a-windows-2003-share-from-os-x
    Mac Tiger and Panther can't access Windows 2008 sharing...
    http://www.chicagotech.net/netforums/viewtopic.php?t=4578&sid=85c5f48e8552283becfa356c9c34096

  • Problems on NW PI 7.1 after setting up a Windows Domain

    Hello Experts,
    we have had a SAP system running without a windows domain name. Everything works fine until we need to set up a windows domain because of the "full qualified domain name error".
    Now after setting up the domain we have problems to access the PI system  by SAP Logon from a client. Within the server everything works fine with SAP Logon.
    Thanks for your answers in advance!!!
    Regards, Alexander

    Hi Moog,
    Check if server hostname and server IP is pingable from client.
    If yes then check for  dispatcher port connectivity using telnet
    telnet server ip 32<instance number>
    Paste the results; adding server to domain will not harm unless its pingable from client.
    Regards,

  • Domain Logon fails using wireless LAN

    Hi Sir,
    I am setting up an ACS server to authenticate the wireless LAN users using PEAP MS-CHAPv2 for one of my existing customers. They need to log in to the domain whenever they need to access the network.
    On the wireless client's end, the OS is XP and the client will use Windows XP wireless zero configuration. I have put in the necessary settings in order for it to support PEAP. I managed to get authenticated by checking against the passed authentications log found in the ACS.
    However, the problem happens when I tried to reboot the desktop and Domain Logon appears, I was not able to log on to the Domain. I think I know the cause of the problem. It was because the wireless card is not authenticated yet prior to the Domain logon screen.
    How can I connect to the wireless network prior to the appearance of the Domain logon window? There are no options for me to try in the XP wireless zero configuration to activate the wireless LAN before the Domain Logon window comes out.
    Thank you.
    Delon

    Even if still it does not work, ensure the following:
    1) Change the logon credentials for the ACS services to use a domain administrator account. Often times the local member server administrator account does not have any rights on the AD.
    a. Ensure the ACS services start with the Domain Administrator account.
    b. Ensure you are able to log in to the server using this Domain Administrator account.
    c. Ensure the Domain Administrator account (or the account with which the services start) has privileges to log on locally, Log on as a service and Act as part of the operating system.
    2) Ensure the FQDN of all domain controllers is added to the DNS names.

  • Automatic windows agent fail over in SCOM 2012 / 2012 R2

    Hi All,
    I have a question with respect to SCOM 2012 / 2012 R2 windows agent fail over.
    For example I have only 400 Windows agents and I have 2 MS in my environment. So 200 Windows agents are managed by MS1 and the rest 200 are managed by the MS2.
    What I want to know is if either of the MS (MS1 or MS2) shuts down / restarts or anything happens to them, do the agents automatically fail over to the other MS? As I have not configured anything for this as I don't know.
    So is there any configuration to be done for the above to happen after the deployment of both the management servers is done before discovering the agents or does it automatically understand and take the rest 200 agents thinking that the other MS is down?
    Gautam.75801

    This happens automagically for Windows agents within a domain that are assigned to a Management Server. For other scenarios, such as Gateways, the Gateways should be configured for failover between Management Servers, and the agents attached to those Gateways should be configured to failover between the Gateways. Cross platform agents report to a resource pool, so that happens automagically as well.
    To confirm your scenario, simply run the Get-SCOMAgent cmdlet.
    To test you can do the following, assuming first agent in the array isn't a Management Server/Gateway :)
    $SCOMAgents = get-scomagent
    $SCOMAgents[0].PrimaryManagementServerName
    $SCOMAgents[0].GetFailoverManagementServers()
    Supporting article:
    http://blogs.technet.com/b/jimmyharper/archive/2010/07/23/powershell-commands-to-configure-gateway-server-agent-failover.aspx

  • Windows Domain/Workgroup problems

    I connect via an AirPort to a Windows Domain at work and to a Workgroup at home. (I have not "Joined" either the domain or the workgroup)
    With Tiger, the networks "automagically" appeared on the Network icon in Finder and I could connect to shares on the Windows computers.
    Since I "upgraded" to Leopard (technically it was a clean install, not an upgrade) I cannot see any of the Windows computers on either network, although I can get out over the Internet using the LAN connections in both places.
    If I try to connect explicitly using Go/Connect to Server in Finder and giving smb://servername in the Server Address field, the connection fails, although the server is visible on the other Windows boxes. The same is true if I use the syntax afp://workgroup//servername or just the IP address. I CAN ping the server from a terminal window. Also nmap sees all of the computers on the network.
    I must be missing something obvious, but I haven't been able to find it. Help, please!
    TIA
    Walt

    I finally connected my Windows XP machine to my Macbook running Leopard but I'm not 100% sure how I did it. I think what you need to do is untick "share files and folders using AFP" and tick the one that shares it using SMB. That way the PC can see your Mac within the workgroup. Like I said I'm not 100% sure but I've got it working so it does work. If you want to ask me questions on what I have set, checked, ticked etc then let me know.

  • Integration a web system which had window domain validation to EP7.0

    I have an EP7.0 system which is on AIX, and another web system which is on Win2000. When you access the web system, you have to pass a Windows domain authentication. How can I implement the oss for them?

    Hi,
    check out the Document "Using SAP Logon Tickets for Single Sign on to Microsoft based web applications":
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/47d0cd90-0201-0010-4c86-f81b1c812e50
    Best regards,
    Martin
