2 issues with ASA 8.4

I think the problems are related to NAT and how it is implemented in 8.4. Any help THANKS!!
1) vpn client connects, but can't access the network
2) I need to allow pcanywhere traffic to go through the ASA to host 192.168.200.99. The remote host is a DHCP client.
Here is my config:
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2011.04.16 09:33:06 =~=~=~=~=~=~=~=~=~=~=~=
: Saved
ASA Version 8.4(1)
hostname kasa
domain-name k.intra
enable password 123 encrypted
passwd 123 encrypted
names
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.200.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
boot system disk0:/asa841-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name k.intra
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network MNKA
 host 192.168.200.99
object network RDP_static
 host 192.168.200.99
object network OBJ-INSIDE_HOSTS
 subnet 192.168.200.0 255.255.255.0
object network OBJ-RAVPN
 subnet 10.10.10.0 255.255.255.0
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list OUTSIDE-IN extended permit tcp any host 192.168.200.99 eq pcanywhere-data
access-list OUTSIDE-IN remark ACL outside interface for PCanywhere
access-list OUTSIDE-IN extended permit udp any host 192.168.200.99 eq pcanywhere-status
access-list OUTSIDE-RDPIN extended permit tcp any host 192.168.200.99 eq 3389
access-list OUTSIDE-RDPIN extended permit object-group TCPUDP any host 192.168.200.99 eq 3389
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool eng_pool 10.10.10.10-10.10.10.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static OBJ-INSIDE_HOSTS OBJ-RAVPN destination static OBJ-RAVPN OBJ-RAVPN
object network obj_any
 nat (inside,outside) dynamic interface
object network MNKA
 nat (inside,outside) static interface service tcp pcanywhere-data pcanywhere-data
object network RDP_static
 nat (inside,outside) static interface service tcp 3389 3389
access-group OUTSIDE-RDPIN in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.200.0 255.255.255.0 inside
coldstart
crypto ipsec ikev1 transform-set set esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set eng_trans esp-3des esp-md5-hmac
crypto dynamic-map dyn1 1 set reverse-route
crypto dynamic-map dyn_map 1 set ikev1 transform-set eng_trans
crypto dynamic-map dyn_map 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map stat_map 10000 ipsec-isakmp dynamic dyn_map
crypto map stat_map interface outside
crypto isakmp nat-traversal 30
crypto ikev2 policy 1
 encryption 3des
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 3600
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86499
telnet timeout 5
ssh 192.168.200.0 255.255.255.0 inside
ssh timeout 20
console timeout 0
dhcpd dns 208.67.222.222 208.67.220.220
dhcpd domain k.intra
dhcpd auto_config outside
dhcpd address 192.168.200.100-192.168.200.110 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy eng_policy internal
group-policy eng_policy attributes
 vpn-idle-timeout 30
 default-domain value k.intra
username xtu password 123lol encrypted privilege 15
username vpnuser password uGotit encrypted
tunnel-group eng type remote-access
tunnel-group eng general-attributes
 address-pool eng_pool
 default-group-policy eng_policy
tunnel-group eng ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive threshold 30 retry 5
: end

Running config is right above. Here is the output:
asa# packet-tracer input outside tcp 4.2.2.2 1025 1234 pcanywhere-d$
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   1.2.3.4    255.255.255.255 identity
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Same goes for RDP:
asa# packet-tracer input outside tcp 4.2.2.2 1025 1.2.3.4 3389
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   1.2.3.4    255.255.255.255 identity
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
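Three things in the config above can be checked mechanically, and they are the first a reviewer would look at for these two symptoms: only OUTSIDE-RDPIN is bound with access-group, so the OUTSIDE-IN entries for PCAnywhere filter nothing; the manual NAT line with destination static maps OBJ-INSIDE_HOSTS to OBJ-RAVPN rather than to itself, which is a translation and not the identity NAT that exempts VPN traffic; and the "source dynamic any interface" rule sits above it, while section 1 of the ASA NAT table is first-match in configured order. The Python below is an added example, not part of the original post or of Cisco's tooling; it reads the relevant lines copied from the config and reports those findings. EXEMPTION_SHAPE is the general 8.3+ form of an identity exemption, written here for comparison and not taken from the post.

```python
"""Static checks over an ASA 8.3+ running config for two symptoms: a port
forward that packet-tracer drops in the ACCESS-LIST phase, and a remote-access
VPN whose clients connect but reach nothing. Added example (not from the
post). The checks encode three general ASA rules: an access-list filters
nothing until it is bound with access-group; manual (twice) NAT rules in
section 1 are first-match in configured order; a VPN NAT exemption is an
identity rule that maps each object to itself."""
import re

# Constructed input: the NAT and ACL lines copied from the posted config.
CONFIG = """\
access-list OUTSIDE-IN extended permit tcp any host 192.168.200.99 eq pcanywhere-data
access-list OUTSIDE-IN remark ACL outside interface for PCanywhere
access-list OUTSIDE-IN extended permit udp any host 192.168.200.99 eq pcanywhere-status
access-list OUTSIDE-RDPIN extended permit tcp any host 192.168.200.99 eq 3389
access-list OUTSIDE-RDPIN extended permit object-group TCPUDP any host 192.168.200.99 eq 3389
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static OBJ-INSIDE_HOSTS OBJ-RAVPN destination static OBJ-RAVPN OBJ-RAVPN
object network obj_any
 nat (inside,outside) dynamic interface
object network MNKA
 nat (inside,outside) static interface service tcp pcanywhere-data pcanywhere-data
object network RDP_static
 nat (inside,outside) static interface service tcp 3389 3389
access-group OUTSIDE-RDPIN in interface outside
"""

# General 8.3+ shape of a VPN exemption, written here for comparison (not
# from the post): identity on both ends, placed ahead of the catch-all PAT.
EXEMPTION_SHAPE = """\
nat (inside,outside) source static OBJ-INSIDE_HOSTS OBJ-INSIDE_HOSTS destination static OBJ-RAVPN OBJ-RAVPN
nat (inside,outside) source dynamic any interface
"""

ACL_RE = re.compile(r"^access-list (\S+) ")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")
# Unindented 'nat ... source ...' lines are section 1 manual NAT; object NAT
# lines are indented under 'object network' and do not match this anchor.
MANUAL_NAT_RE = re.compile(
    r"^nat \((\S+),(\S+)\) source (static|dynamic) (\S+) (\S+)"
    r"(?: destination static (\S+) (\S+))?"
)


def unbound_acls(config):
    """Access-lists that are defined but never applied with access-group."""
    defined, bound = [], set()
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if m and m.group(1) not in defined:
            defined.append(m.group(1))
        g = GROUP_RE.match(line)
        if g:
            bound.add(g.group(1))
    return [name for name in defined if name not in bound]


def manual_nat_rules(config):
    """Section 1 rules in configured order, each as a dict of its fields."""
    rules = []
    for line in config.splitlines():
        m = MANUAL_NAT_RE.match(line)
        if m:
            rules.append({
                "line": line, "kind": m.group(3),
                "src_real": m.group(4), "src_mapped": m.group(5),
                "dst_real": m.group(6), "dst_mapped": m.group(7),
            })
    return rules


def nat_findings(config):
    """Problems in the manual NAT section, in the order they are met."""
    findings = []
    catch_all_seen = False
    for r in manual_nat_rules(config):
        is_catch_all = (r["kind"] == "dynamic" and r["src_real"] == "any"
                        and r["dst_real"] is None)
        if is_catch_all:
            catch_all_seen = True
            continue
        if r["kind"] == "static" and r["dst_real"] is not None:
            if r["src_real"] != r["src_mapped"]:
                findings.append(
                    f"not an identity NAT: {r['src_real']} is translated to "
                    f"{r['src_mapped']}; an exemption maps an object to itself")
            if catch_all_seen:
                findings.append(
                    "shadowed: a 'source dynamic any' rule precedes this rule, "
                    "and section 1 is first-match in configured order")
    return findings


if __name__ == "__main__":
    print("unbound ACLs:", unbound_acls(CONFIG))
    for finding in nat_findings(CONFIG):
        print("nat:", finding)
    print("exemption shape findings:", nat_findings(EXEMPTION_SHAPE))
```

Run against CONFIG it reports OUTSIDE-IN as unbound and two NAT findings (non-identity source mapping, and shadowing by the catch-all PAT); against EXEMPTION_SHAPE it reports nothing. It does not explain the RDP packet-tracer drop, whose ACL is bound; that one needs the real outside address rather than the substituted 1.2.3.4 to reason about.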

Similar Messages

  • Tacacs+ access issue with ASA firewall after integrating with RSA SecureID

    Hi,
    In my earlier post, I raised the same question, but let me rephrase it again. I have configured TACACS+ on a Cisco ASA firewall and am able to access it. But when I integrated it with RSA SecurID, I am not able to enter enable mode. It is not accepting the enable password nor the RSA passcode. I have created enable_15 in the ASA, ACS and RSA server but no luck.
    Did anyone face a similar issue with ASA access?
    Rgds
    Siddhesh

    Hi Siddesh,
    In order to help you here, I need to know a few things:
    1.] show run | in aaa
    2.] When you enter enable password on ASA CLI, what error do you see on ACS > Monitoring and reports > AAA protocols > tacacs authentication > "look for the error message"
    3.] Turn on the debugs on ASA "debug tacacs" and "debug aaa authentication" before you duplicate the problem.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • Routing issue with ASA and UC540 phone system - at ASA???

    Having an issue with routing from the PC at .242 to the CUE server at 10.1.10.1. The CUE server is built into the UC540 phone system. It is an internal piece of software that is used for voicemail and management. The UC540 is not only a call router, it is also an IOS router. It has its own WAN connection as does the ASA.
    Here are some facts:
    1. Can ping the UC540's internal CUE server from the PC ( ping to 10.1.10.1 )
    2. Can ping the UC540's VLAN 1 address from the PC ( ping to 10.1.10.1 )
    3. The ASA is the default gateway for the PC.
    4. I have a route inserted at the asa that is:
                   route 10.1.10.1 255.255.255.0 10.19.250.254 1
    5. I have a NAT statement that prevents NAT from occurring, but I don't think this is necessary as the 10.1.10.0/24 network isn't otherwise defined on the ASA.
    6. I cannot pull up a web page when I point the browser on the PC to the 10.1.10.1 address
    7. I CAN pull up a web page on the PC when I create a static route on the PC itself:
                   route add 10.1.10.1 mask 255.255.255.0 10.19.250.254
         It is only with this route that I am able to get to the web GUI on the phone system.
    8. The phone system has a loopback interface at 10.1.10.2 that serves as the gateway for the internal CUE server; the internal CUE server is at 10.1.10.1
    9. The switch is a 2960 and has a trunk port to the phone system to allow for the voice VLAN which is at 10.1.1.0/24; no issues with this VLAN and phones are connecting to the system fine.
    Since I can get the GUI to come up when I set a static route on the PC, I would assume that the routing in the phone system with its internal server is fine as it wouldn't work otherwise. Since I can successfully ping the CUE server from the PC, that would lead me to believe that the ASA's routing is set up correctly... TCP traffic doesn't seem to get to/from the CUE server.
    Here are the routing tables:
    ASA:
    Gateway of last resort is xxx.xxx.xxx.xxx to network 0.0.0.0
    C    xxx.xxx.xxx.xxx 255.255.255.252 is directly connected, outside
    S    172.16.100.100 255.255.255.255 [1/0] via 38.97.193.65, outside
    S    10.1.10.0 255.255.255.252 [1/0] via 10.19.250.254, inside
    C    10.19.250.0 255.255.254.0 is directly connected, inside
    S*   0.0.0.0 0.0.0.0 [1/0] via xx.xx.xx.xx, outside
    The UC540 phone system's router side:
    Gateway of last resort is xx.xx.xx.xx to network 0.0.0.0
    S*    0.0.0.0/0 [1/0] via xx.xx.xx.xx
          10.0.0.0/8 is variably subnetted, 7 subnets, 4 masks
    C        10.1.1.0/24 is directly connected, BVI100
    L        10.1.1.1/32 is directly connected, BVI100
    C        10.1.10.0/30 is directly connected, Loopback0
    S        10.1.10.1/32 is directly connected, Integrated-Service-Engine0/0
    L        10.1.10.2/32 is directly connected, Loopback0
    C        10.19.250.0/23 is directly connected, BVI1
    L        10.19.250.254/32 is directly connected, BVI1
          XX.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
    C       XX.XX.XX.XX/29 is directly connected, FastEthernet0/0
    L        XX.XX.XX.XX/32 is directly connected, FastEthernet0/0
          172.16.0.0/24 is subnetted, 1 subnets
    S        172.16.100.0 [1/0] via 10.19.250.1
    The UC540's internal CUE server:
    Main Routing Table:
    DEST         GATE         MASK             IFACE
    10.1.10.0    0.0.0.0      255.255.255.252  eth0
    0.0.0.0      10.1.10.2    0.0.0.0          eth0
    Any help appreciated!!!
    Thanks!

    Hello,
    Were you able to solve this problem? It does sound like an issue with TCP state checking on the ASA. The firewall needs to see both sides of the traffic, but the return traffic is going from your UC540 direct to the PC. The firewall essentially kills the traffic.
    I would recommend disabling TCP state checking on the ASA and see if it works. Otherwise, you will need to stub route the UC540 as a separate VLAN off the ASA which needs to route through the ASA to reach the PC.
    Here is an info page on TCP State Bypass:
    http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/111986-asa-tcp-bypass-00.html
    Please let me know how it works out.

  • WAP4410N issues with Macbooks/Apple computers

    History:
    I have 4 WAP4410N access points set up in a sorority house, one for each floor. The access points they had before were D-Link 2.4GHz PoE APs. The reason for changing the access points was a lack of wireless coverage in the house. About 2 weeks ago I had a complaint that ALL Apple computer users were only able to get to a webpage, and if they tried to click a link they would get nothing, so they would have to disconnect and then reconnect to the SSID in order to get to another page. I contacted Cisco SB support and asked if they were aware of any issues with Apple. The tech said yes and that I should update to 2.0.2.1 firmware; I was currently running 2.0.1.0. The tech also said that after upgrading the firmware I should reset the access point and reconfigure it, so I did this. I updated the firmware on all 4 APs and had one of the girls click a few links, thinking that it was fixed since it worked. Well, I have heard tonight that there still is an issue. I am having complaints from ALL Apple computer users that after viewing 3-5 pages/links they have to disconnect and reconnect to the SSID, then after so many more pages they have to do it all over again.
    Question:
    I noticed that there is another firmware update released for the WAP4410N; will this firmware (2.0.3.3) fix the issue I am having?
    If so, should I upgrade the firmware and reset the APs again and reconfigure them, or can I just update them and not re-configure them?
    If not, should I change some of my settings? Any other suggestions?
    Config:
    Here is a brief of the config on the APs (if my memory is correct):
    Host Name: AP1, 2, 3, 4
    Device Name: WAP4410N_AP1, 2, 3, 4
    IP Settings: Static IP
    IP Address: 192.168.1.2, 3, 4, 5
    IPV6: Disabled
    Force Lan Port Speed 100M: Disabled
    Discovery (By Bonjour): Enabled
    802.1X Supplicant: Disabled
    Wireless Network Mode: B/G/N-Mixed
    Wireless Channel: 1, 4, 8, 11
    Wireless Isolation (between SSID): Disabled
    Security Mode: WPA-Personal
    WPA Algorithm: AES
    Key Renewal: 3600
    Serial #: SER141903**
    Serial #: SER141900**
    Serial #: SER141903**
    Serial #: SER141903**
    Other equipment in the setup:
    ASA 5505 firewall
    Cisco Small Business SD208P Switch with PoE
    Thanks for the help.
    Regards,
    Travis

    Did you try the firmware upgrade and reconfiguring the WAP4410Ns, Travis? As a rule of thumb, I always factory reset and reconfigure the device just in case there are any glitches.
    Also, are you running all the access points through the unmanaged switch? If so, try to take it out of the mix and plug directly into the ASA. Try to eliminate all extra pieces in the mix so you can better understand where the failure is. You're connecting wirelessly and able to browse; you're getting intermittent connectivity. Also, approximately how many users are connecting to the access points at one time? Try to isolate one WAP4410N and a Mac and test browsing with it and see what happens.

  • Routing issues on ASA 5525X running version 8.6(1)2

    Hello ,
    I am migrating from a PIX 515E to an ASA 5525X running version 8.6(1)2.
    The company uses the PIX as its Internet GW to the ISP; behind the PIX there's a Cisco 3845 (C3845-ADVENTERPRISEK9-M), Version 12.4(24)T1, RELEASE SOFTWARE (fc3).
    Both devices are running NAT and PAT.
    PIX 515
    WAN ip   41.x.x.x
    LAN ip  192.168.5.1
    gw ip  41.x.x.x
    Cisco 3845
    WAN ip  192.168.5.2
    Gig 0/0.1  158.29.x.x
    GIG 0/0.2  172.16.0.1
    gw ip  192.168.5.1
    Mail server 158.29.x.x
    With the current setup they are working OK and the PIX can route to the 158.29.X.X and forward SMTP traffic to the mail server.
    Now my issue is the ASA can't route to 158.29.X.X addresses internally. I have route inside 172.16.0.0 /24 192.168.5.2 and I can reach all the devices with 172 series IPs. If I add route inside 158.29.X.X /24 or /16 (their whole class) 192.168.5.2, I can't even ping the 158 IP on the router interface. I tried running EIGRP between the router and ASA and had the same issues with the 158 series.
    What could be the problem or what am I missing? Thanks a lot in advance.

    Hello Jeremiah,
    Routing-wise it should be the same behavior.
    Is there a way that you could provide us the configuration from both devices? I will need to see the IP addresses, route statements and NAT configuration.
    Also the show route from both boxes.
    Check my blog at http:laguiadelnetworking.com for further information.
    Cheers,
    Julio Carvajal Segura

  • Failover link in a C65K VSS with ASA-SM

    Hi
    Just experienced a combined TCP flood/UDP flood attack, which caused both ASAs to go active :-(
    Active:
    01:56:05 ASA-SM1 : %ASA-1-105043: (Primary) Failover interface failed
    01:56:09 ASA-SM1 : %ASA-1-105042: (Primary) Failover interface OK
    01:56:32 ASA-SM1 : %ASA-1-103001: (Primary) No response from other firewall (reason code = 3).
    01:56:47 ASA-SM1 : %ASA-1-103001: (Primary) No response from other firewall (reason code = 4).
    The standby ASA said 'failover off', but a reload of the standby fixed the dual-active problem:
    Standby:
    ASA-SM1# sh failo
    Failover Off
    Failover unit Secondary
    Failover LAN Interface: folink Vlan998 (up)
    Unit Poll frequency 1 seconds, holdtime 15 seconds
    Interface Poll frequency 5 seconds, holdtime 25 seconds
    Interface Policy 1
    ASA-SM1# sh failo state
                   State          Last Failure Reason      Date/Time
    This host  -   Secondary
                   Disabled       None
    Other host -   Primary
                   Not Detected   Comm Failure             01:55:59
    'Service-policy in' on the uplink interface (was 512/10 before):
    embryonic-conn-max 256 per-client-embryonic-max 5
    Questions:
    1. Possible causes for the comm failure (memory exhaustion?). Any good commands for checking?
    2. The failover link:
    In an ASA appliance setup it is recommended to establish a dedicated physical failover link between the ASAs. What about ASA-SM in a VSS setup: does it make sense to establish e.g. a physical 1G link for failover, and if yes, won't there be a loop issue with this and the FO VLAN on the VSL link?
    3. What is "interface policy 1" in the 'sh failo' command output?
    Thanks
    Jesper
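On question 1, the syslog lines quoted in the post are the evidence worth correlating: a failover-link failure (%ASA-1-105043) followed shortly by "No response from other firewall" (%ASA-1-103001) is the sequence under which the secondary stops seeing the primary and a dual-active condition can follow. The Python below is an added example, not from the post or from Cisco; it parses those four lines (copied from above) and raises an alert when the two message IDs occur within a window. The 60-second window is an assumed tuning value, and the reason codes are reported as found, not interpreted.

```python
"""Correlate ASA failover syslog messages into a 'possible dual-active'
alert. Added example, not from the post; the four log lines are the ones
quoted above and the 60-second default window is an assumed tuning value."""
import re
from datetime import datetime, timedelta

# Constructed input: the failover messages quoted in the post.
LOG = """\
01:56:05 ASA-SM1 : %ASA-1-105043: (Primary) Failover interface failed
01:56:09 ASA-SM1 : %ASA-1-105042: (Primary) Failover interface OK
01:56:32 ASA-SM1 : %ASA-1-103001: (Primary) No response from other firewall (reason code = 3).
01:56:47 ASA-SM1 : %ASA-1-103001: (Primary) No response from other firewall (reason code = 4).
"""

LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d) (\S+) : %ASA-(\d)-(\d+): (.*)$")
REASON_RE = re.compile(r"reason code = (\d+)")

FO_LINK_FAILED = "105043"   # Failover interface failed
NO_RESPONSE = "103001"      # No response from other firewall


def parse_events(log):
    """List of (time, host, severity, msg_id, text); malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            t = datetime.strptime(m.group(1), "%H:%M:%S")
            events.append((t, m.group(2), int(m.group(3)), m.group(4), m.group(5)))
    return events


def dual_active_alerts(log, window_seconds=60):
    """For each failover-link failure, collect the 'no response' messages that
    follow it within the window. Returns [(failure_time, [reason codes])];
    an empty list means the pattern was not seen."""
    window = timedelta(seconds=window_seconds)
    events = parse_events(log)
    alerts = []
    for t_fail, _host, _sev, msg_id, _text in events:
        if msg_id != FO_LINK_FAILED:
            continue
        codes = []
        for t, _h, _s, mid, text in events:
            if mid == NO_RESPONSE and t_fail <= t <= t_fail + window:
                m = REASON_RE.search(text)
                codes.append(int(m.group(1)) if m else None)
        if codes:
            alerts.append((t_fail.strftime("%H:%M:%S"), codes))
    return alerts


if __name__ == "__main__":
    for when, codes in dual_active_alerts(LOG):
        print(f"possible dual-active after failover link failure at {when}; "
              f"reason codes seen: {codes}")
```

For the quoted log this yields one alert anchored at 01:56:05 with reason codes [3, 4]; with a 10-second window it yields none, since the first 103001 arrives 27 seconds after the link failure.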

    Hello Adrian,
    Don't know if this is the cause of your issue, but I was thinking about a scenario in which, after your ISP interface goes DOWN and UP, your IP address is being changed.
    IOS itself is not deleting the ISAKMP SA because the interface on which you have the crypto map attached is down, so the SA will still be up on IOS. On the ASA itself, since you have the default configuration, you have DPD (dead peer detection) turned on; probably after 10 seconds the crypto SA will go down since no DPD reply is received.
    IOS will continue to send encrypted traffic towards the ASA, but for the ASA the tunnel is dead and it will ignore these packets (there should be something in the logs), but the router will never know it since it has DPDs turned off.
    It could also happen if you are getting the same IP address from your ISP, but Internet outages are longer than 30 seconds.
    Solution would be to turn on DPDs on IOS:
    crypto isakmp keepalives TIME_IN_SECONDS periodic
    Details about DPDs:
    https://supportforums.cisco.com/docs/DOC-8554
    Regards,

  • WLC With ASA as gateway

    Hi ALL,
    Has anyone configured a WLC with an ASA as the gateway? I have 3 interfaces, 70, 80 and 90 (70 is the management VLAN), in the WLC, with all the gateways in the ASA. But I can ping only the gateway for VLAN 70 from my WLC; none of the other gateways are reachable.
    Let me know if anyone has faced this issue before.
    Thanks
    NikhiL

    Probably the other ASA interfaces are configured to be non-pingable? That's quite common.

  • Having issues with Simple FTP configuration

    I am attempting to set up FTP behind this new Cisco ASA 5510 we just bought. I haven't configured a Cisco device in 5 years, so I am having issues. I think I am close, but need a little help to get me over the hump. If I FTP from an outside (fixed) IP it connects and takes the password but hangs on PASV and gives no data connection. Below is my configuration. Can anyone help? I am hoping it is simple since I seem to have the connection inside correct, and yes, you can connect to the FTP server from inside without issue.
    ASA Version 8.2(5)
    hostname ASA1
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
    nameif External
    security-level 0
    ip address y.y.y.y 255.255.255.0
    interface Ethernet0/1
    nameif Internal
    security-level 100
    ip address x.x.x.x 255.255.255.0
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    ftp mode passive
    dns domain-lookup External
    dns server-group DefaultDNS
    name-server g.g.g.g
    name-server h.h.h.h
    access-list 100 extended permit tcp any host y.y.y.y eq ftp
    access-list 100 extended permit tcp any host y.y.y.y eq ftp-data
    pager lines 24
    logging enable
    logging asdm informational
    mtu External 1500
    mtu Internal 1500
    mtu management 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (External) 101 interface
    nat (Internal) 101 0.0.0.0 0.0.0.0
    static (Internal,External) tcp interface ftp-data 192.168.0.69 ftp-data netmask 255.255.255.255
    static (Internal,External) tcp interface ftp 192.168.0.69 ftp netmask 255.255.255.255
    access-group 100 in interface External
    route External 0.0.0.0 0.0.0.0 L.L.L.L 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 192.168.0.0 255.255.255.0 Internal
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto ca trustpoint _SmartCallHome_ServerCA
    crl configure
    crypto ca certificate chain _SmartCallHome_ServerCA
    certificate ca
      quit
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    class-map INSPECTION_DEFAULT
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    call-home reporting anonymous
    Cryptochecksum:9c15122a54bf6b87ce5ab8be0f23e9d5
    : end

    First of all, thanks! So I pulled those commands off.
    I am hitting the FTP server behind the firewall as you can see from my first log... It dies on PASV, which is why I thought I needed that ftp-data.
    (000018)1/25/2013 11:48:21 AM - (not logged in) (72.90.68.10)> 220-FileZilla Server version 0.9.41 beta
    (000018)1/25/2013 11:48:21 AM - (not logged in) (72.90.68.10)> 220-written by Tim Kosse ([email protected])
    (000018)1/25/2013 11:48:21 AM - (not logged in) (72.90.68.10)> 220 Please visit http://sourceforge.net/projects/filezilla/
    (000018)1/25/2013 11:48:21 AM - (not logged in) (72.90.68.10)> USER administrator
    (000018)1/25/2013 11:48:21 AM - (not logged in) (72.90.68.10)> 331 Password required for administrator
    (000018)1/25/2013 11:48:21 AM - (not logged in) (72.90.68.10)> PASS *****
    (000018)1/25/2013 11:48:21 AM - administrator (72.90.68.10)> 230 Logged on
    (000018)1/25/2013 11:48:21 AM - administrator (72.90.68.10)> CWD /
    (000018)1/25/2013 11:48:21 AM - administrator (72.90.68.10)> 250 CWD successful. "/" is current directory.
    (000018)1/25/2013 11:48:21 AM - administrator (72.90.68.10)> TYPE A
    (000018)1/25/2013 11:48:21 AM - administrator (72.90.68.10)> 200 Type set to A
    (000018)1/25/2013 11:48:21 AM - administrator (72.90.68.10)> PASV
    (000018)1/25/2013 11:48:21 AM - administrator (ip.ip.ip.ip.ip)> 227 Entering Passive Mode (72,90,69,2,10,125)
    Here's what the Log shows when I hit the FTP server from the outside...
    Severity 6 | Jan 25 2013 08:48:52 | src 72.90.68.10/39185 | dst 72.90.69.2/21 | Deny TCP (no connection) from ip.ip.ip.ip/39185 to outsideinterfaceip/21 flags PSH ACK on interface External
    Does that help?
    Thanks again? Cyclist eh? Nice, that's my latest passion and it will probably send me to the poor house with the amount of times I crash.
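The hang on PASV in the thread above is the classic passive-FTP edge case: the server's 227 reply advertises an ephemeral data port (here 72.90.69.2, port 10*256+125 = 2685), never tcp/20, so the static for ftp-data covers only active-mode data and the passive data connection depends on the firewall's FTP inspection reading that reply. The Python below is an added example, not code from the post or from Cisco; it decodes the 227 line copied from the FileZilla log, compares the advertised port with the two statically forwarded ports in the 8.2 config, and also flags a server that advertises a private address (which is what FTP inspection rewrites).

```python
"""Decode an FTP '227 Entering Passive Mode' reply and check whether the data
port it advertises is one a firewall forwards statically. Added example, not
code from the post; the sample reply is the one in the FileZilla log above
and the forwarded ports are the 'ftp' and 'ftp-data' statics in the config."""
import ipaddress
import re

PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """(ip, port) from a 227 reply, or None if it is not a valid PASV answer."""
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None  # each of the six fields is one octet
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return ip, port


# Constructed view of the static port forwards in the posted 8.2 config.
FORWARDED_TCP_PORTS = {21: "ftp", 20: "ftp-data"}


def data_channel_covered(reply, forwarded=FORWARDED_TCP_PORTS):
    """True only if the passive data port is one the firewall forwards statically."""
    parsed = parse_pasv(reply)
    if parsed is None:
        raise ValueError("not a PASV reply: %r" % reply)
    return parsed[1] in forwarded


def advertises_private_ip(reply):
    """True when the server tells the client to connect to an RFC 1918 address,
    which only works if the firewall's FTP inspection rewrites the reply."""
    parsed = parse_pasv(reply)
    return parsed is not None and ipaddress.ip_address(parsed[0]).is_private


SAMPLE_REPLY = "227 Entering Passive Mode (72,90,69,2,10,125)"  # from the log above

if __name__ == "__main__":
    ip, port = parse_pasv(SAMPLE_REPLY)
    print(f"server advertises {ip}:{port}; statically forwarded: "
          f"{data_channel_covered(SAMPLE_REPLY)}; private address: "
          f"{advertises_private_ip(SAMPLE_REPLY)}")
```

For the logged reply this returns 72.90.69.2:2685, not covered by the statics and not a private address, so the data channel is reachable only if inspect ftp opens the pinhole for port 2685.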

  • Strange issue with VPN

    Hello, I have a strange issue with a VPN we have on our ASA 5520. We have 2 subnets on my side of the VPN that can get to 27 subnets on the other side of the VPN. However, for the last remote subnet, which I will call 28, I find only 1 of my 2 subnets can get to it. When I reset the tunnel I find that my subnet cannot bring the IPsec tunnel up but the other side of the tunnel can. When I view my VPN tunnel, Rx always has a value but Tx is always zero, which suggests the traffic isn't even getting there, but this subnet has all the same rules as the other subnets that work. Any debug commands or tracing you can suggest? I've had others look at the issue and they can't see an issue. Thanks

    Looks like you have an OD server set up for user authentication, so you need to run this:
    vpnaddkeyagentuser /LDAPv3/127.0.0.1
    That will add the correct record to OD and it will authenticate.
    Peter

  • RV110W issues with VOIP service

    Hi
    I'm new to the forum and tearing my hair out here. We have an RV110W with a mix of computers and VOIP handsets.
    Strange thing is that after 16 minutes of a VOIP call, the port seems to get swapped and the call hangs.
    The VOIP provider, who is pretty worthless by the way - don't use Vivo Telecommunications - has decided that the problem resides at the firewall, They say:
    The port swapping will be caused by the firewall; there are 1 of 2 causes: SIP awareness; there are several things that can affect this. Most firewalls have a SIP ALG but it can be disabled; also the NAT refresh time needs to be set correctly.
    They have suggested some commands to apply:
    Cisco PIX firewall – run the command “no fixup protocol sip 5060”
    Cisco ASA 7.2+ – run the command “no inspect sip”
    Has anyone else seen this issue?
    If so and you think these commands might work, can someone point me to the correct way to do that? I am really only used to dealing with the web-based UI to configure the firewall.
    Thanks
    Stephen

    Stephen
    The router has no settings for that. Make sure you have the latest firmware installed, there may have been an issue with the older firmware(s).
    If the router is causing the issue then it has a bug. If you have another router, try it and see if you get the same result. If not, connect a VoIP handset directly to the ISP and make a call. If it breaks after 16 minutes, you know that the issue is with the ISP or VoIP provider, not the router. Another option is to disconnect everything from the RV110W (for security) except for a VoIP handset. Turn the firewall off on the router and try a call.
    If you find that the problem is in fact caused by the RV110W, please open a case:
    www.cisco.com/go/sbsc
    - Marty

  • 6500 with ASA module

    Hello guys,
    I'm designing small-medium branch office (from 100 users scalable up to 500).
    My idea was to build this around a pair of 6506-E switches (as collapsed core, utilizing VSS), then at each floor (1 floor = 100 users) have a stack of 3750 switches.
    Now, to my question, I want a pair of security appliances, one per each breakout. I was looking at a possibility of putting ASA module into each 6500.
    Is it possible to use the 10G X2 modules, which are built into the 6500's SUP, as WAN interfaces and direct everything they receive on those ports directly into the ASA? (I want all traffic which comes to the 6500 via the SUP's X2 modules to pass through the ASA before any further action is taken.)
    As far as I know, in order to use VSS together with ASA modules in active/active mode (I will load balance through uplinks on both 6500s) I need to use SUP 720-10G, am I right?
    Thanks in advance for your insights.
    Michal

    Thanks guys. Appreciate your feedback!
    I will most likely go for the option "Existing ASA 5540 with IPS module". I hope the IPS module does not limit any bandwidth capability or cause a processing issue on the ASA. My current throughput is 250 Mbps bidirectional.
    After looking at the IPS option I am slightly confused which one I need. The Cisco website says:
    "...adding the broad range of intrusion prevention and advanced antiworm services delivered by the IPS modules via the AIP SSM and AIP SSC, or the comprehensive malware protection and content security services enabled by the CSC SSM."
    Do I need the SSM only, or both SSM and SSC, or CSC SSM? How many modules can be installed on a 5540?
    Fawad

  • ARP issue with Cisco 5505

    Hi there,
    We have an issue with our current ASA 5505 setup and I hope someone can help. Here is the setup:
    ISP Handoff -> L2 Switch -> VLAN 1 of ASA
                                          -> VLAN 2 of ASA
    The ISP handoff is a single Ethernet cable, but the ISP router is acting as the gateway for two separate public address spaces. The ISP cable plugs into an L2 switch. The two VLANs of the ASA are then plugged into the same switch, one VLAN configured for public space 1 and the other for public space 2. Now the issue is that when the firewall ARPs for the gateways, VLAN 2's gateway shows up on VLAN 1 and VLAN 2, which obviously causes issues.

    From your description of the symptoms I would guess that the layer 2 switch has both ASA ports in the same VLAN (which leads me to wonder if the layer 2 switch is doing any VLANs or are all ports in the native VLAN?). Can you provide details of how the layer 2 switch is configured?
    It also would help to know how the ISP is set up. You tell us that it is an Ethernet handoff. But you do not tell us whether the ISP is handling that as a trunk with multiple VLANs or whether the ISP is treating it as an access port with a single VLAN. Can you clarify this?
    Knowing how the ISP is set up and how the layer 2 switch is configured will be critical in finding a solution that works for your ASA.
    HTH
    Rick

  • Auto-Signon issue with RADIUS authentication

    Hi all, i post again a question Posted by ronin2307 on Nov 27, 2007, 9:40am PST
    I HAVE THE SAME ISSUE WITH 8.0.3 release!
    Hi,
    we have a fairly simple configuration running on our ASA and try to make use of the webvpn on occasion. The feature used to work great with 7.2, but after we upgraded to 8.0 we started having problems.
    Basically a user (network admin) can log in through the webvpn interface (authenticated by a RADIUS server) and see the links to network shares we provide, click on them, and at that point the user is prompted for credentials again. Upon entering them, the message comes up that access to the resources has been blocked due to security reasons.
    Now to me that makes no sense whatsoever. I have already run the following command:
    auto-signon allow ip 192.168.1.0 255.255.255.0 auth-type ntlm
    to try to prevent the second credentials prompt, but it doesn't do anything.
    I also tried to capture the webvpn traffic, according to the user manual, but now I have a zip file that contains a bunch of files I cannot read (except in Notepad, but that doesn't help a lot). Ethereal will not open the files. I couldn't get the capture to display in the browser as described in the manual.
    Can anybody give me an idea on what to do to troubleshoot this problem? Thank you very much.

    For single sign-on using NTLM on a WebVPN setup, you need to ensure you configure it through the command line. Did you use the ASDM for this single sign-on? To configure auto-signon for all WebVPN users to servers with IP addresses ranging from 10.1.1.0 to 10.1.1.255 using NTLM authentication, for example, enter the following commands:
    hostname(config)# webvpn
    hostname(config-webvpn)# auto-signon allow ip 10.1.1.1 255.255.255.0 auth-type ntlm
    http://www.cisco.com/en/US/docs/security/asa/asa71/asdm51/selected_procedures/asdmsso.html

  • Issues with Creative Cloud for teams deployment workflow

    The Adobe Creative Cloud for teams IT Deployment Guide lists out steps for IT admins to deploy the CS6 applications and then have their end-users license the trial software with their Adobe IDs once they have been invited to the team. There are two major issues with this document.
    First, the media that is on the FTP is not for North American English. We are working to get that posted on the FTP site ASAP. In the meantime, you can find the CS6 MC media from: http://www.adobe.com/downloads/
    [Note: Getting media from that page requires the use of the Adobe Download Assistant which is very consumer focused. Sorry about that.]
    Second, in order to have the ability to login properly with a Creative Cloud for Teams account the system needs to have the latest copy of Adobe Application Manager installed. If you do not do this step the end user will be prompted for a serial number.
    Unfortunately the Adobe Application Manager can't be packaged with AAMEE, nor is it a native installer. I know, I know! Here are the links to the Adobe Application Manager installers:
    Windows: http://www.adobe.com/support/downloads/detail.jsp?ftpID=4773
    Mac: http://www.adobe.com/support/downloads/detail.jsp?ftpID=4774
    It can be installed from the command line by:
    Win: <Path to Setup.exe>Set-up.exe --mode=silent --action=install
    Mac: <path to ASU> /ASU/Install.app/Contents/MacOS/Install --mode=silent --action=install
    Jody Rodgers | Sr. Product Manager | Creative Cloud for Enterprise | Adobe Systems

    Hi Boncker,
    I see that you have an active Subscription under your account. Please launch any of the installed products and, when you get the trial prompt, please click on "License this software" and then enter the Adobe ID & Password for the account with which you accepted the invite.
    Please do let us know if that worked for you or not.
    Cheers,
    Kartikay Sharma

  • Issue with magsafe/charging (blinks green, amber, off)

    Having a quirky issue with my mid-2009 Macbook Pro.
    A month or so ago, I began having an issue with my macbook charging. When the computer is up and running and I plug in the magsafe it will say "Calculating..." and then say "Not Charging" and then switch to battery use. It constantly does this as long as the magsafe is connected. The lights on the magsafe will constantly cycle from green to amber to no light.
    At first, it would do it a few times then it would start charging. Now it constantly does this without ever stopping. I was editing video the other day for a while and it never stopped the cycle.
    Thinking it was the battery, I took it into the Apple Store last week and got a new battery because it had been saying "Service battery" for a while and the battery would only last about 20 minutes on a charge. So I just thought the battery finally refused to charge.
    But the problem still exists.
    The magsafe is new (only 3 months old) and here's the quirky thing: the computer will charge if it's asleep (lid closed) or shut down completely. No blinking lights at all. It will charge as long as it's asleep or shut down. So I don't think it's the charger. But as soon as you hit the power button to start booting up, it will blink.
    I have reset the SMC a couple times actually, but no change.
    Is there something software/firmware related that I haven't tried? Any insight or suggestions would be greatly appreciated before I take it back to the Apple Store (which is about an hour away).
    Thanks!

    Try resetting the system management controller
    http://support.apple.com/kb/HT3964?viewlocale=en_US
    If that did nothing for you, try resetting the NVRAM
    https://support.apple.com/kb/HT1379
