3030 Concentrator Site to Site

Trying to set up an L2L VPN. Once the L2L is enabled, does it attempt to connect immediately? Also, how can I view the logs to see what is successful/failing on this or any other VPN connection?
Thank you.

You need to generate traffic requiring crypto protection (defined by your crypto ACL) in order to initiate the negotiation of an ISAKMP SA, which will establish a secure channel through which IPSec SAs will be negotiated.
Don't have access to a 3030 Concentrator, but on an IOS system you'd check status with:
show crypto isakmp sa detail
show crypto ipsec sa detail
Perhaps, log crypto sessions in syslog with:
crypto logging session
... and perhaps:
deny ip any any log
... as the last ACE in interface ACLs to identify configuration errors, and the presence of traffic that violates security policy.
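The status and log checks above, as an added example that is not part of the original answer: a small Python parser that reads the syslog lines produced by `crypto logging session` (CRYPTO-5-SESSION_STATUS) and by a trailing `deny ip any any log` ACE (SEC-6-IPACCESSLOGP), tracks tunnel state per peer, totals the denied flows, and flags denies against UDP/500 and UDP/4500, which would mean the interface ACL is blocking the ISAKMP negotiation itself rather than user traffic. The sample log lines are constructed, and the two message formats are assumed from IOS documentation rather than taken from the thread.

```python
"""Summarise IPsec session state and ACL policy hits from IOS syslog lines.

Added example; not from the original thread. The message formats below are
assumed from IOS documentation, and the sample lines are constructed.
"""
import re
from collections import defaultdict

# Constructed sample of what 'crypto logging session' and an interface ACL
# ending in 'deny ip any any log' emit. Not captured from a real device.
SAMPLE_SYSLOG = """\
Mar  1 10:00:01.123: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 203.0.113.5:500 Id: 203.0.113.5
Mar  1 10:05:17.456: %SEC-6-IPACCESSLOGP: list OUTSIDE_IN denied tcp 198.51.100.9(44123) -> 192.0.2.10(23), 1 packet
Mar  1 10:06:02.001: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 203.0.113.5:500 Id: 203.0.113.5
Mar  1 10:06:40.777: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 203.0.113.5:500 Id: 203.0.113.5
Mar  1 10:07:00.002: %SEC-6-IPACCESSLOGP: list OUTSIDE_IN denied udp 198.51.100.9(5000) -> 192.0.2.10(500), 3 packets
"""

# IOS puts odd whitespace around the period after UP/DOWN, so be tolerant.
SESSION_RE = re.compile(
    r"%CRYPTO-5-SESSION_STATUS: Crypto tunnel is (?P<state>UP|DOWN)\s*\.\s*"
    r"Peer (?P<peer>[\d.]+):(?P<port>\d+)\s+Id: (?P<ident>\S+)"
)
ACL_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)

# UDP ports ISAKMP and NAT-T use; a deny here blocks the tunnel setup itself.
ISAKMP_PORTS = {500, 4500}


def parse_syslog(text):
    """Turn raw syslog text into a list of session and ACL-deny events."""
    events = []
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            events.append({"kind": "session", "state": m["state"],
                           "peer": m["peer"], "ident": m["ident"]})
            continue
        m = ACL_RE.search(line)
        if m:
            events.append({"kind": "acl_deny", "acl": m["acl"],
                           "proto": m["proto"].lower(), "src": m["src"],
                           "dst": m["dst"], "dport": int(m["dport"]),
                           "count": int(m["count"])})
    return events


def tunnel_state(events):
    """Last known state per peer plus how many times the tunnel went DOWN."""
    state = {}
    for e in events:
        if e["kind"] != "session":
            continue
        entry = state.setdefault(e["peer"], {"state": None, "downs": 0})
        if e["state"] == "DOWN":
            entry["downs"] += 1
        entry["state"] = e["state"]
    return state


def policy_violations(events):
    """Packets denied by the ACL, keyed by (src, dst, proto, dport)."""
    hits = defaultdict(int)
    for e in events:
        if e["kind"] == "acl_deny":
            hits[(e["src"], e["dst"], e["proto"], e["dport"])] += e["count"]
    return dict(hits)


def isakmp_denies(events):
    """Denies aimed at ISAKMP/NAT-T ports: the ACL is breaking phase 1."""
    return [e for e in events
            if e["kind"] == "acl_deny" and e["proto"] == "udp"
            and e["dport"] in ISAKMP_PORTS]


if __name__ == "__main__":
    evs = parse_syslog(SAMPLE_SYSLOG)
    for peer, info in tunnel_state(evs).items():
        print(f"peer {peer}: {info['state']} (went down {info['downs']}x)")
    for flow, n in policy_violations(evs).items():
        print(f"denied {n} pkt(s): {flow}")
    for e in isakmp_denies(evs):
        print(f"ISAKMP blocked by ACL {e['acl']}: {e['src']} -> {e['dst']}:{e['dport']}")
```

Feed it the output of `show logging` or the syslog collector's file; a peer that alternates UP/DOWN is the rekey or keepalive problem to chase first, and any hit in the ISAKMP list means the interface ACL, not the crypto configuration, is what needs fixing.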

Similar Messages

  • 3030 Concentrator Setup

    Just installed a 3030 concentrator and cannot ping the router on the public interface. I can ping everything on the private interface. I have added the default gateway for the public interface but cannot ping it and cannot ping the public interface from the router. The status on the interface is up.

    By default the Public interface has the public filter assigned to it, which should allow ICMP packets in and out. If you've played around with the filters or rules under Config - Policy Mgmt - Traffic Mgmt, you might have inadvertently removed the ICMP rules from the Public filter.
    Try removing the filter from the public interface and see if that allows you to ping. If so, then you need to add the ICMP In/Out rules to the Public filter.

  • VPN and Split-DNS problem connecting 851 to 3030 Concentrator

    I have configured a Cisco 851 (IOS 12.4(11)T) to connect to the Cisco 3000 Concentrator (v4.72G). I am having multiple problems:
    1. On the concentrator I have specified multiple domain names for split DNS "hq.portablesunlimited.com,hq.cellfonestore.com". However I see only the first name created for the dns views.
    2. We have a static WAN IP address with a fixed DNS Server name given by our ISP. I am using the same DNS name on the client PCs connected to the 851. I am able to resolve any external names, e.g. "www.google.com". When I try to resolve a DNS address (Split-DNS), e.g. server.hq.portablesunlimited.com, it fails to resolve the address. I tried to specify the address of 815 (10.0.0.1) as the DNS server for the clients; in this case the clients do not resolve any address. However, if I go to the 851 console and ping say "www.yahoo.com" it works, and then I can resolve that address "www.yahoo.com" from the client PCs also.
    I don't have any firewall or NAT enabled on the 851.
    Here is the 851 config file:
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname firewall
    boot-start-marker
    boot-end-marker
    logging buffered 51200 warnings
    enable secret 5 xxxxxxxxxxxx
    no aaa new-model
    clock timezone PCTime -5
    clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
    no ip dhcp use vrf connected
    ip dhcp excluded-address 10.220.1.1 10.220.1.99
    ip dhcp excluded-address 10.220.1.201 10.220.1.254
    ip dhcp pool sdm-pool1
     import all
     network 10.220.1.0 255.255.255.0
     dns-server 129.x.x.80
     default-router 10.220.1.1
    ip cef
    ip domain name mydomain.com
    ip name-server 129.x.x.80
    crypto pki trustpoint TP-self-signed-3072999871
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-3072999871
     revocation-check none
     rsakeypair TP-self-signed-3072999871
    crypto ipsec client ezvpn VPN1
     connect auto
     group xyz key xyz
     mode network-extension
     peer x.x.x.x
     username xyz password xyz
     xauth userid mode local
    interface FastEthernet0
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    interface FastEthernet4
     description $FW_OUTSIDE$$ES_WAN$
     ip address 129.34.x.x.255.255.240
     duplex auto
     speed auto
     crypto ipsec client ezvpn VPN1
    interface Vlan1
     description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
     ip address 10.220.1.1 255.255.255.0
     ip tcp adjust-mss 1452
     crypto ipsec client ezvpn VPN1 inside
    ip route 0.0.0.0 0.0.x.x.34.7.82
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip dns view ezvpn-internal-view
     domain name-server 10.128.1.10
    ip dns view-list ezvpn-internal-viewlist
     view ezvpn-internal-view 10
      restrict name-group 1
     view default 20
    ip dns name-list 1 permit HQ.PORTABLESUNLIMITED.COM
    ip dns server view-group ezvpn-internal-viewlist
    no cdp run
    end

    Someone please reply to the post as this issue is critical for us to decide the purchase of the above equipment for our 40 remote locations.
    Thanks
    Srikant

  • Concentrator 3030 unsecure ?

    Hi,
    we are using a Concentrator 3030 for Site to Site connection only. Now we heard rumors about security issues. Is it a risk to use this device?
    Thank you for Answering!
    Gr Leif
    Here's the Version:
    VPN Concentrator Type: 3030
    Serial Number:
    Bootcode Rev: Cisco Systems, Inc./VPN 3000 Concentrator Series Version 2.5.Rel Jun 21 2000 18:57:52
    Software Rev: Cisco Systems, Inc./VPN 3000 Concentrator Version 4.7.2.P Jul 30 2008 15:10:24

    Minimum: 2900 series router (or even 2800 should be able to handle that amount ... as per specs). Newer is better of course.
    ISR generation 2 will require licenses - hsec-k9 would be the one for you AFAIR.
    http://www.cisco.com/web/partners/downloads/765/tools/quickreference/routerperformance.pdf
    ASA 5540 if you want to go that way:
    http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html#~tab-b
    If you want only IPsec (IKEv1 or IKEv2) ISR G2 is the way to go.
    M.

  • Cisco 3030 with Linksys BEFVP41 VPN

    I have a 3030 concentrator; currently I am using a Cisco 806 router for the site to site tunnel and it's working fine. Is it possible to use a BEFVP41 Linksys box to configure the tunnel? If yes, can I have more details?

    Though I haven't worked on the same myself, the answer is yes, it is possible. The reason for that is that IPSec is an open standard and supported by both the boxes in question. Some minor issues do crop up, such as the system message "Failure during phase 1 rekeying attempt due to collision" followed by a quick disconnect and reconnect of the tunnel. Even these issues can be sorted out using simple steps such as setting the rekeying interval. You'll need to be careful about these issues.

  • Load Balance/Share two SDSL lines into one 3030

    Hi ...
    I am trying to find out if anyone knows the answer to the following.
    I have two 2800's each connected to separate SDSL lines tunnelling through to a 3030 concentrator.
    I would like both routers to load balance/load share and be on the same network. I thought of setting up GLBP but cannot get my head around how the traffic will come back from the 3030 concentrator.
    many thanks....

    I think you can use 3030 concentrator to balance/share the load on per session basis.
    Following link may help you regarding GLBP
    http://www.cisco.com/en/US/products/ps6600/products_data_sheet0900aecd803a546c.html

  • A few people with activation problems is an understatement

    After calling att around 12 times and still no activation. The pay as you go plan is a crock. Att says you have to come into the store to set up a pay as you go plan because you may have to place a deposit. Hmm, lets see. I buy the phone. I would have to pay upfront for minutes used each month. If I don't pay then I don't get minutes. So what's up with att saying I might have to pay a deposit. The whole point of a pay as you go plan is to not have to do a credit check and sign a contract. Att dug up an old dispute that's about 4 years old. The dispute went out to collections and nothing ever happened. Am I correct to say that Att sells off the amount in dispute to a collection agency. If the collection agency can't collect then Att could buy the disputed amount back at an even lower rate. So the question is, "Did Att buy a lot of these disputed no pays back before the release of the iPhone". Is that shady or what.

    I haven't played in the ASAs yet. The client side router is just the Comcast device? Does the client side have a second internet router such as a Linksys, Netgear, D-Link? Linksys devices have a common IPSEC pass-through option. I would be concerned about making changes at the host end since 98 connections are functioning just fine for you. When you moved the PC to the DMZ port, what port forwarding options did you enable? Have you attempted to change your transport on the Client to UDP (this would require enabling UDP configurations on the ASA)? Also, it is important to provide the CIDR info on the IPs. What IP are you assigning the Client when it connects? I manage over 1000 sites and 1200 clients to a load-balanced VPN 3030 concentrator and swear I have seen everything. Most of the time the issues are on the client. If you can answer my questions then I might be able to ask more questions or even point to something of interest.

  • VPN Bandwidth Utilization

    I have site to site Configuration of VPN 3030 Concentrator ( one At HQ) and VPN 3005 Concentrator ( 14 At Branch Office). I want to measure the Bandwidth Utilization of VPN 3030 Concentrator at HQ.
    Is there any command, network management software tool or utility available so I can measure the Bandwidth?
    Dinesh

    Hi!
    Opensystems Private I syslog software collects, alerts, reports, and archives VPN (and other syslog) log data.
    Private I can detail the activity going through your VPNs, as well as tell you how much of the network users are using.
    -Collects thousands of messages per second from a variety of network devices
    -Real time alert notification via audio, visual, email, SNMP, or pager
    -Powerful ad-hoc query capability
    -Over 100 canned reports and graphs
    -Easy customization and creation of new reports
    -Scheduled report engine for timely output
    -Offloading aged data for easy access
    Check http://www.opensystems.com
    Br Juha

  • Client user ID

    I am using the 5.0 version of the VPN client. We are connecting to a 3030 concentrator. Once the client has connected is there any way to determine the user name that was used to log in?

    Refer to Configuration Information for an Administrator of VPN client configuration guide for more details
    http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_administration_guide_chapter09186a008015cfd8.html#1130777
    Use the Configuration | User Management | Users | Add or Modify screen to configure a VPN Client user:
    Step 1 Enter a User Name, Password, and Verify Password. VPN Client users need a user name and password to authenticate when they connect to the VPN Concentrator; see "Gathering Information You Need" in Chapter 2 of the VPN Client User Guide for your platform.
    Step 2 Under Group, select the group name you configured under the section "Creating an IPSec Group."
    Step 3 Carefully review and configure other attributes under General and IPSec. Note that if you are adding a user, the Inherit? checkboxes refer to base-group attributes; if you are modifying a user, the checkboxes refer to the user's assigned-group attributes.
    Step 4 Click Add or Apply, and save the configuration.

  • Keep tunnel up

    What is the preferred method to keep a l2l tunnel up between a 3030 concentrator and a asa 5505? Is just sending pings through the tunnel enough or are there keepalives I can configure?

    Look into enabling ISAKMP keepalives; go over this link.
    http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#intro
    Rgds
    Jorge

  • ASA 5520 Mac OSX performance lag

    I have a newly installed 5520 to be used solely as a VPN device. It is replacing a 3030 concentrator. Now configured, my clients coming from 64-bit OSX native clients have very slow connection rates. My Win7 laptop only shows lag when downloading a 1 GB file from the internal fileshare. Half of my clients are Mac users. Does this seem like a client issue or an ASA issue?

    I've posted a similar question yesterday evening..
    By removing the preferences and starting new.. you solve the problem.. but please do me a favour.. and enable 'RULERS'... because this is DISABLED when starting new..
    As soon as you enable RULERS.. the lag starts again.. (at my end anyway)
    Disabling RULERS removes the lag.. so it must be related..
    Please would you try this? to see if you have the same issue?
    Thanks,
    Roel
    CC2014 OSX and Wacom Tablet 'Show Rulers' issue when painting

  • Idle timeout with VPN remote users coming into a Concentrator 3030

    I have a VPN Concentrator 3030, which my remote users connect to from home. The idle timeout is set to 30 minutes; however, I do not see anyone disconnected due to lack of activity, even if they are connected for over 24 hours. I assume that they are keeping MS Outlook open and that emails will pop up in their Inbox while connected. I'm sure that Exchange & Outlook are communicating back and forth, and this is probably the traffic that is keeping the connection "active".
    How do I enforce the "Inactive" policy. Can I exclude certain types of traffic?

    Microsoft Internet Explorer (MSIE) users add the VPN Concentrator 3000 to the list of trusted sites. Doing so enables the ActiveX control to install with minimal interaction from the user. This is particularly important for users of Windows XP SP2 with enhanced security. Refer to the following sections for instructions.
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/prod_release_note09186a0080405b6c.html

  • Help! My main content has moved outside of my page and ruined every other page in the site....

    I am new at using DW and building sites and now I came across a problem that I can't figure out. I was going to add new content to one of my pages in my site and this happened above. I quickly exited before saving and when I reopened the file it remained in the same place. Now, along with this page being like this, the rest of my site was affected in the same manner. If anyone has any solutions to this problem or reasons for this to happen please let me know asap. Thank you.

    Altruistic Gramps wrote:
    I feel that 2013 is the year to concentrate on RWD, there are many screen sizes available at this moment with many more to come. Excluding any of these users from comfortably viewing the site, immediately depreciates the value of the site.
    I feel you are probably correct but personally I don't like responsive design. (It's clever but it has its drawbacks.) I don't know how other people browse around the net but for me I'm constantly adjusting the width of my browser window and it becomes very annoying when elements are popping up and disappearing from view all the time. I find it disorientating on a personal level and quite annoying, a bit like I do when an unexpected pop up window suddenly launches itself on you.
    I prefer to see sites that have a dedicated 'alternative' for smaller devices BUT I appreciate that I'm probably going to be proved wrong on this one.
    RWD is not something I'm concentrating on at the moment, especially if the site is rather big or has a complex layout, which could have several different templates to accommodate the design structure. A few pages using the same design structure is pretty easy to manage so it's something I would maybe think about in those circumstances.
    Having said that, I see Murray has made a splendid job at a pretty complex and big site he has produced recently. I don't see him around here too often any longer because I wanted to ask him what sort of a nightmare it was to manage, or not.

  • When FTPing an HTML doc up to a site it becomes scrambled using Adobe Dreamweaver v11

    I have two systems and while one works fine, the other corrupts my HTML documents that I upload to the site. I have searched all over and made sure that my configurations are identical and that I am FTP'ing using ASCII. When using my laptop running Windows 7 32-bit, the entire HTML file uploaded ends up looking like this: "x Ü[ksâ8 ýÌT͸ãÔ·©v È›@ªòêéNw²Tšíljj> [`-"
    What am I doing wrong?
    Thanks...Art 

    From my laptop I have been using a Sprint Smartview 3G mobile access card to connect to the internet. I went under <Tools> to the <Acceleration> tab and turned off "Acceleration". Ran another test and bada bing! It works. I was concentrating so much on FTP that I never thought about my wireless access card. Thanks so much.
    Art

  • Remote site communication

    I have a host and two remote sites. The remotes have site-to-site VPNs to the host. The two remotes can communicate just fine to the host, however the remotes cannot communicate with each other. I do not want to establish a site-to-site between the two remotes. How do I configure the host site to enable the two remotes to communicate?
    At the host site I have a PIX 515e and the remotes have 1760s.
    Thanks

    You cannot. A PIX will not do this. Configure a site to site between the 1760s, or replace the PIX with an IOS router or a 3000 series concentrator.
