Any failover abilities with ASA VPNCLIENT?

We continue to fight battles with ISPs on UDP issues when a local ASA configured with VPNCLIENT stops working with UDP.
The ISP will throttle UDP or else filter or it may even be getting dropped in the path, thus the VPN tunnel drops and won't rebuild.
But if we use TCP in the VPNCLIENT then we can get the same tunnel back up.
My question is this -
Can there be any failover statements built into an ASA VPNCLIENT configuration which could failover to TCP when UDP begins to have this ISP issues?

I do not think if this can be automated need to select manually.

Similar Messages

  • Any Luck Editing Actions on Events with ASA SSM

    W are running an ASA 5540 failover pair with SSM-40 modules.  When using the IME version 7.0.2 to manage the IPS we have not been successful in getting anything to work but "Deny Attacker Inline."  Nothing else works.  We have tried every option under the Actions and none work.  There are many signatures that we would like blocked, but only that signature.  ie. block Bittorrent but allow internet access.

    If you manage the device through ASDM or IME should not make a difference.
    What I would suggest is to test the action on a simple signature, like the ICMP ones (e.g. Sig 2004, you have to enable it first) and not a complex one like P2P etc.
    Also what is exactly happening with the other actions? Do you see the signature fire in IME with the 'action' listed? Or the action field is empty in the IME alerts? Or the signature does not fire at all?
    Regards
    Farrukh

  • Failover for Single ASA

    Hi All,
    I want to know what all fail-over I can build for single ASA. I am planning to connect as per the attached.
    Please let me know  all configuration that i can build. Do i need to assign 2 ip's for that 2 interfaces connected to inside,dmz and outside.
    Please let me know if you any other design.
    Regards,
    Satya.M

    Hi Satya, 
    You cannot assign IP's of the same subnet to two different interfaces of the ASA in the routed mode. So as per your diagram, you cannot connect Inside interface of the ASA to both the 6504E switches or to the DMZ switches as you have shown. If you want to do such a failover, you can use 2 ASA's with Active/Standby failover while connecting ASA-1 to 6504EGa and ASA-2 to 6504EGb. You can also do Active/Active failover.
    Also with 1 ASA, if you want to configure 2 ISP's on 2 interfaces, please remember policy based routing is not supported on ASA so at any gien time only 1-ISP will be active for all the traffic going out. You can have the failover configured so that everything fail's over to the secondary ISP when Primary goes down with tracks etc.
    I hope this helps. If not, can you please post your exact requirements for the failover so that we can suggest you better.
    Best, 
    Raghav

  • How Can i Use two Different Public IP Addresses no my DMZ with ASA Firewall.

    How To Using Two Different Public IP Address on My DMZ with ASA 5520
    Postado por jorge decimo decimo em 28/Jan/2013 5:51:28
    Hi everyone out there.
    can any one please help me regarding this situation that im looking for a solution
    My old range of public ip address are finished, i mean (the 41.x.x.0 range)
    So now i still need to have in my DMZ another two servers that will bring some new services.
    Remember that those two server, will need to be accessable both from inside and from outside users (Internet users) as well.
    So as i said, my old range of public ip address is finished and we asked the ISP to gives some additional public
    ip address to address the need of the two new servers on DMZ. and the ISP gave us the range of 197.216.1.24/29
    So my quation is, on reall time world (on the equipment) how can i Use two different public ip address on the same DMZ
    on Cisco ASA 5520 v8??
    How my configuration should look like?
    I was told about implementing static nat with Sub Interfaces on both Router and ASA interface
    Can someone please do give me a help with a practical config sample please. i can as well be reached at [email protected]
    attached is my network diagram for a better understanding
    I thank every body in advance
    Jorge

    Hi,
    So looking at your picture you have the original public IP address range configured on the OUTSIDE and its used for NAT for different servers behind the ASA firewall.
    Now you have gotten a new public IP address range from the ISP and want to get it into use.
    How do you want to use this IP address range? You want to configure the public IP addresses directly on the servers or NAT them at the ASA and have private IP addresses on the actual servers (like it seems to be for the current server)?
    To get the routing working naturally the only thing needed between your Router and Firewall would be to have a static route for the new public network range pointing towards your ASA OUTSIDE IP address. The routing between your Router and the ISP core could either be handled with Static Routing or Dynamic Routing.
    So you dont really need to change the interface configuration between the Router and ASA at all. You just need a Static route pointing the new public IP address towards the ASA outside IP address.
    Now when the routing is handled between the ISP - ISP/Your Router - Your Firewall, you can then consider how to use those IP addresses.
    Do you want to use the public IP addresses DIRECTLY on the HOSTS behind the firewall?This would require you to either configure a new physical interface with the new public IP address range OR create a new subinterface with the new public IP addresses range AND then configure the LAN devices correspondingly to the chosen method on the firewall
    Do you want to use the public IP addresses DIRECLTY on the ASA OUTSIDE as NAT IP addresses?This would require for you to only start configuring Static NAT for the new servers between the inside/dmz and outside interface of the ASA. The format would be no different from the previous NAT configuration other than for the different IP addresses ofcourse
    Of the above ways
    The first way is good because the actual hosts will have the public IP addresses. Therefore you wont run into problems with DNS when the LAN users are trying to access the server.
    The second way is the one requiring the least amount of configurations/changes on the ASA. In this case though you might run into problem with DNS (to which I refer above) as the server actually has a private IP address but the public DNS might reply to the LAN hosts with a public IP address and therefore connections from LAN could fail. This is because LAN users cant connect to the servers OUTSIDE NAT IP address (unless you NAT the server to public IP address towards LAN also)
    Hopefully the above was helpfull. Naturally ask more specific questions and I'll answer them. Hopefully I didnt miss something. But please ask more
    I'm currently at Cisco Live! 2013 London so in the "worst case" I might be able to answer on the weekend at earliest.
    - Jouni

  • Tacacs+ access issue with ASA firewall after integrating with RSA SecureID

    Hi,
    In my earlier post,  I raised the same question but let me rephrased it again. I have configured TACACS+ in cisco ASA firewall and able to access . But when I integrated it with RSA secure ID , I am not able to enter in enable mode. It is not accepting enable password nor RSA passcode. I have created enable_15 in ASA , ACS and RSA server but no luck.
    Did any one face similar issue with ASA access ?
    Rgds
    Siddhesh

    Hi Siddesh,
    In order to help you here, I need to know few things:
    1.] Show run | in aaa
    2.] When you enter enable password on ASA CLI, what error do you see on ACS > Monitoring and reports > AAA protocols > tacacs authentication > "look for the error message"
    3.] Turn on the debugs on ASA "debug tacacs" and "debug aaa authentication" before you duplicate the problem.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • DMVPN Configuration with ASA 5510 In Front of Cisco 877-K9 HUB Router

    Hi Guys,
    I'm in a mess, I have  Cisco 877-K9 router which sits behind an ASA 5510 FW.
    The Design :
    Cisco 877-K9 DSL router (DSL with Static IP) ( DMVPN HUB )
    ||
    ASA 5510 Firewall (Outside INT with Static IP / Inside INT LAN) (PAT & ACL)
    ||
    Switch
    ||
    LAN
    Now my problem is, My Dmvpn configuration works just fine, I'm able to ping from my Cisco 877 to any Spoke & vise versa.
    I'm also able to Ping from my LAN to any Spoke Tunnel IP, but Im not  able to ping any LAN IP at Spoke site nor am I able to ping my LAN from  any Spoke site.
    I've googled alot but have come at designs where the ASA's are behind the Cisco Routers and not infront.
    Any help in this regards is highly appreciated. I really need this to work. Attached are the config files....
    Thanks,
    Aj.

    Thanks to both of you guys for replying. I should've been more descriptive in my initial post, but just thought of getting more ideas.
    All the troubleshooting was done before posting the problem, and to clearify the things, Please find below the results.
    1) what RProtocol r u using?
    a) It's OSPF
    2) if ur using OSPF, try show ip route on the hub and spoke to verify the hub/spoke routes are learned via OSPF
    a) I did the "show ip route" and bothe the HUB and Spokes get their routes defined
        (on the HUB if I used "network 192.9.201.0 255.255.255.0 area 0" I coudln't get routes advertised on spokes)
        (I changed to "redistribute static subnests" and I was able to get Hub routes advertised")
    3) are your tunnels config correctly? try show crypto ipsec sa
    a) They are as they should be and "show crypto ipsec sa" comes up with proper in/out encrypted data
    4) on your hub'spoke do a debug ip icmp
    a) Did that as well, and If I do a debug on a Spoke and ping from my HUB to that spoke on the tunnel IP, I get proper src/dest results, but If I ping from HUB to Spoke on a client IP behind the Spoke, It pings but does not show any result on the Spoke debug.
    I'm able to ping all the Spoke's Tunnel IPs and clients behind the Spokes from the HUB router, but not from either the ASA nor the clients on my LAN.
    Additional to the info above, Please also note :
    I did notice something that, from my HUB router, which is also my DSL Modem, I'm unable to ping any clients behind the ASA.
    So I guess I'm stuck on the point that My Cisco HUB is unable to talk to  my LAN, If I can get the HUB to talk to the internal LAN, I would be  able to ping clients on LAN from any Spoke or clients behind Spokes.
    From HUB router I'm able to ping clients behind Spokes.
    Does that give any Ideas ?
    Thanks in Advance.
    Aj.

  • WLC With ASA as gateway

    Hi ALL,
    Has any one configured a WLC with ASA as the gateway, I have 3 interface 70, 80 and 90 ( 70 is the management vlan ) in the WLC, with all the gateway in the ASA. But I can ping only the gateway for vlan 70 from my wlc, none of the other gateway's are reachable.
    Let me know if any one have faced this issue before
    Thanks
    NikhiL

    Probably the other ASA interfaces are configured to be non pingable ? that's quite common.

  • Waas with asa

    we will deploy waas in branch with asa so we will make wccp redirect on asa as asa will terminate vpn with headoffice so we must use wccp on asa is there is any document of sample of configuration to configure wccp with asa

    hi,
    here is the link:
    http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/dhcp.html#wp1094445
    hope it will help

  • 3 Node Failover Cluster With iSCSI

    Is there any information available on the steps to create a 3 node failover cluster with iSCSI storage?  Is there a step-by-step guide?  I looked around but couldn't find much.  Thanks!

    Hi SCPSTech,
    The 3 node cluster create steps same with 2 node, you can refer the following step by step white paper create the 2 node cluster then add the another node to cluster.
     Configuring Failover Clusters with Windows Storage Server 2008
    http://blogs.technet.com/b/storageserver/archive/2009/12/17/configuring-failover-clusters-with-windows-storage-server-2008.aspx
    Add a Server to a Failover Cluster
    http://technet.microsoft.com/en-us/library/cc730998.aspx
    More information:
    Add or Remove Nodes in a SQL Server Failover Cluster (Setup)
    http://msdn.microsoft.com/en-us/library/ms191545.aspx
    Hope this helps.
    We
    are trying to better understand customer views on social support experience, so your participation in this
    interview project would be greatly appreciated if you have time.
    Thanks for helping make community forums a great place.

  • 6500 with ASA module

    Hello guys,
    I'm designing small-medium branch office (from 100 users scalable up to 500).
    My idea was to build this around a pair of 6506-E switches (as collapsed core, utilizing VSS), then at each floor (1 floor = 100 users) have a stack of 3750 switches.
    Now, to my question, I want a pair of security appliances, one per each breakout. I was looking at a possibility of putting ASA module into each 6500.
    Is it possible, to use 10G X2 module, which are build into 6500's SUP as WAN interface and direct everything it receives on those ports directly into ASA? (I want to have all traffic which will come to the 6500 via SUP's X2 modules to pass through ASA before any further action will be taken).
    As fair as I know in order to use VSS together with ASA modules in active/active mode (I will load balance through uplinks on both 6500) I need to use SUP 720-10G, am I right?
    Thanks in advance for you insights.
    Michal

    Thanks guys. Appreciate your feedback!
    I will most likely go  for the option "Existing ASA 5540 with IPS module" . I hope the IPS module does not limit any bandwidth capability or processing issue of the ASA. My current throughput is 250 Mbps bidirectional.
    After looking at the IPS option I am sloghly confused which one I need. Cisco website say:
    "...adding the broad range of intrusion prevention and advanced antiworm services delivered by the IPS modules via the AIP SSM and AIP SSC, or the comprehensive malware protection and content security services enabled by the CSC SSM."
    Do I need SSM only or both SSM and SSC or CSC SSM? How many module cana be installed on 5540?
    Fawad

  • Cisco UNITY Failover Configuration with no Computer Browser Service

    Hi,
    Actually i'm configuring a unity failover server with version 7, at this point i'm triyng to add the failover server thru the failover configuration wizard which should list the failover server, but in this customer as a domain policy the computer browser service is disabled, reason why the failover server does not appear on the list of computers.
    Does any one have any idea on how to deal with this issue?
    Thanks.

    Javier,
    You can follow the steps here:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsy40909
    Hope that helps,
    Brad

  • Problem with ASA 5505 VPN config

    Hi to all,
    I have a problem with ASA 5505 remote access vpn. I have site-to-site VPN and I need that my VPN clients can access IP subnets that I have behind site-to-site VPN. All that I have tried I get and error to my log “Flow is a loopback”.
    So what I need : for example I need that vpn client with ip 10.0.0.1 can go to 192.168.1.2
    My config:
    access-list Test_splitTunnelAcl standard permit host 10.0.2.3
    access-list Test_splitTunnelAcl standard permit host 10.0.2.4
    access-list Test_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
    access-list nonat_outside extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
    ip local pool VPN_Client_Pool2 10.0.0.1-10.0.0.200 mask 255.255.255.0
    nat (outside) 0 access-list nonat_outside
    nat (outside) 1 10.0.0.0 255.255.255.0
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value Test_splitTunnelAcl
    Site-to-Site:
    crypto map outside_map 3 set peer 195.233.x.x
    access-list outside_3_cryptomap extended permit ip object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_NETWORK_4
    object-group network DM_INLINE_NETWORK_2
    network-object 10.0.2.0 255.255.255.0
    network-object 10.0.3.0 255.255.255.0
    object-group network DM_INLINE_NETWORK_4
    network-object host 192.168.2.70
    network-object host 192.168.3.55
    network-object 192.168.1.0 255.255.255.0
    I hope that someone can post an answer and solve my problem

    A few things are required:
    1) You don't need the following 2 lines, so it can be removed:
    nat (outside) 0 access-list nonat_outside
    nat (outside) 1 10.0.0.0 255.255.255.0
    2) On the ASA, you need to configure:
    same-security-traffic permit intra-interface
    3) Object group: DM_INLINE_NETWORK_2 needs to include 10.0.0.0/24
    4) On the remote lan-to-lan end, the crypto ACL also needs to include 10.0.0.0/24 as the destination subnet.
    5) The NAT exemption (NONAT) on the remote lan-to-lan end also needs to include 10.0.0.0/24 as the destination subnet.
    Hope that will resolve your problem.

  • Remote access VPN with ASA 5510 using DHCP server

    Hi,
    Can someone please share your knowledge to help me find why I am not able to receive an IP address on remote access VPN connection while I can get an IP address on local DHCP pool?
    I am trying to setup remote access VPN with ASA 5510. It works with local dhcp pool but doesn't seem to work when I tried using an existing DHCP server. It is being tested in an internal network as follows:
    ASA Version 8.2(5)
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 10.6.0.12 255.255.254.0
    ip local pool testpool 10.6.240.150-10.6.240.159 mask 255.255.248.0 !(worked with this)
    route inside 0.0.0.0 0.0.0.0 10.6.0.1 1
    crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map dyn1 1 set transform-set FirstSet
    crypto map mymap 1 ipsec-isakmp dynamic dyn1
    crypto map mymap interface inside
    crypto isakmp enable inside
    crypto isakmp policy 1
      authentication pre-share
      encryption 3des
      hash sha
      group 2
      lifetime 43200
    vpn-addr-assign aaa
    vpn-addr-assign dhcp
    group-policy testgroup internal
    group-policy testgroup attributes
    dhcp-network-scope 10.6.192.1
    ipsec-udp enable
    ipsec-udp-port 10000
    username testlay password *********** encrypted
    tunnel-group testgroup type remote-access
    tunnel-group testgroup general-attributes
    default-group-policy testgroup
    dhcp-server 10.6.20.3
    tunnel-group testgroup ipsec-attributes
    pre-shared-key *****
    I got following output when I test connect to ASA with Cisco VPN client 5.0
    Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDO
    4024 bytesR copied in 3.41 0 secs (1341 by(tes/sec)13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 853
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing SA payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ke payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ISA_KE payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing nonce payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ID payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received xauth V6 VID
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received DPD VID
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received Fragmentation VID
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  False
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received NAT-Traversal ver 02 VID
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received Cisco Unity client VID
    Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, Connection landed on tunnel_group testgroup
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing IKE SA payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, IKE SA Proposal # 1, Transform # 9 acceptable  Matches global IKE entry # 1
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing ISAKMP SA payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing ke payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing nonce payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Generating keys for Responder...
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing ID payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing hash payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Computing hash for ISAKMP
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing Cisco Unity VID payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing xauth V6 VID payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing dpd vid payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing NAT-Traversal VID ver 02 payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing NAT-Discovery payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing NAT-Discovery payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing Fragmentation VID + extended capabilities payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing VID payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
    Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 440
    Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NOTIFY (11) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing hash payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Computing hash for ISAKMP
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing notify payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing NAT-Discovery payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing NAT-Discovery payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing VID payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000408)
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing VID payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Received Cisco Unity client VID
    Jan 16 15:39:21 [IKEv1]: Group = testgroup, I
    [OK]
    kens-mgmt-012# P = 10.15.200.108, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing blank hash payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing qm hash payload
    Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=d4ca48e4) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 72
    Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=d4ca48e4) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 87
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, process_attr(): Enter!
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Processing MODE_CFG Reply attributes.
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: primary DNS = cleared
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: secondary DNS = cleared
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: primary WINS = cleared
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: secondary WINS = cleared
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: IP Compression = disabled
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Split Tunneling Policy = Disabled
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Browser Proxy Setting = no-modify
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Browser Proxy Bypass Local = disable
    Jan 16 15:39:26 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, User (testlay) authenticated.
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing blank hash payload
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing qm hash payload
    Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=6b1b471) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 64
    Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=6b1b471) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 60
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): Enter!
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Processing cfg ACK attributes
    Jan 16 15:39:27 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=49ae1bb8) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 182
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): Enter!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Processing cfg Request attributes
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for IPV4 address!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for IPV4 net mask!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for DNS server address!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for WINS server address!
    Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Received unsupported transaction mode attribute: 5
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Banner!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Save PW setting!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Default Domain Name!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Split Tunnel List!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Split DNS!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for PFS setting!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Client Browser Proxy Setting!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for backup ip-sec peer list!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Client Smartcard Removal Disconnect Setting!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Application Version!
    Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Client Type: WinNT  Client Application Version: 5.0.07.0440
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for FWTYPE!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for DHCP hostname for DDNS is: DEC20128!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for UDP Port!
    Jan 16 15:39:32 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Duplicate Phase 2 packet detected.  No last packet to retransmit.
    Jan 16 15:39:37 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=b04e830f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing hash payload
    Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing notify payload
    Jan 16 15:39:37 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Duplicate Phase 2 packet detected.  No last packet to retransmit.
    Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE received response of type [] to a request from the IP address utility
    Jan 16 15:39:39 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Cannot obtain an IP address for remote peer
    Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE TM V6 FSM error history (struct &0xd8030048)  <state>, <event>:  TM_DONE, EV_ERROR-->TM_BLD_REPLY, EV_IP_FAIL-->TM_BLD_REPLY, NullEvent-->TM_BLD_REPLY, EV_GET_IP-->TM_BLD_REPLY, EV_NEED_IP-->TM_WAIT_REQ, EV_PROC_MSG-->TM_WAIT_REQ, EV_HASH_OK-->TM_WAIT_REQ, NullEvent
    Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE AM Responder FSM error history (struct &0xd82b6740)  <state>, <event>:  AM_DONE, EV_ERROR-->AM_TM_INIT_MODECFG_V6H, EV_TM_FAIL-->AM_TM_INIT_MODECFG_V6H, NullEvent-->AM_TM_INIT_MODECFG, EV_WAIT-->AM_TM_INIT_XAUTH_V6H, EV_CHECK_QM_MSG-->AM_TM_INIT_XAUTH_V6H, EV_TM_XAUTH_OK-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA
    Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE SA AM:bd3a9a4b terminating:  flags 0x0945c001, refcnt 0, tuncnt 0
    Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, sending delete/delete with reason message
    Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing blank hash payload
    Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing IKE delete payload
    Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing qm hash payload
    Jan 16 15:39:39 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=9de30522) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
    Regards,
    Lay

    For RADIUS you need a aaa-server-definition:
    aaa-server NPS-RADIUS protocol radius
    aaa-server NPS-RADIUS (inside) host 10.10.18.12
      key *****   
      authentication-port 1812
      accounting-port 1813
    and tell your tunnel-group to ask that server:
    tunnel-group VPN general-attributes
      authentication-server-group NPS-RADIUS LOCAL
    Don't stop after you've improved your network! Improve the world by lending money to the working poor:
    http://www.kiva.org/invitedby/karsteni

  • Are there any free apps with the same app iPhoto?

    Are there any free apps with the same app iPhoto?

    Do you want to get iPhoto for free, or are you looking for supplemental apps that are working well with iPhoto?
    I do not know of any free third party replacement for iPhoto. For add-ons browse the Store - there are some nice camera apps, image editors,  and panorama stitchers, some are free (cam wow, pic collage, Photo splash, pixlr-o-matic).

  • After Mavericks OS upgrade, can no longer make any HTTP requests with the OPTIONS verb

    My machine can no longer make any HTTP requests with the OPTIONS verb. This happens whether I try it curl, postman, or ajax.
    curl -i -X OPTIONS http://www.google.com returns curl: (52) Empty reply from server
    It should return a long string containing a 405 error code.
    I suspect that this is related to the Mavericks upgrade I did earlier this week. I only have one mac (my dev machine) with Mavericks. Other macs are Mountain Lion and they don't have this problem.
    Can anyone else with Mavericks confirm whether or not they have this problem too?
    If this is Mavericks related, anyone know of a fix or workaround?

    Turns out that it wasn't Mavericks related at all. Cisco AnyConnect has a security module running behind the scenes even when you're not VPNed into anything. It was blocking my OPTIONS verb requests. I was able to make these calls after uninstalling.
    Re-installing with Web Security turned off should prevent it from happening. While I was uninstalling I did notice that there was a web security uninstall script in /opt/cisco/vpn/bin but I already committed to taking the whole app off my machine. Simply running that script could have done it too.
    I must give credit to Ben Nadel. It was his blog post that helped me fix this issue.
    http://www.bennadel.com/blog/2559-Cisco-AnyConnect-VPN-Client-May-Block-CORS-AJA X-OPTIONS-Requests.htm?&_=0.10495476494543254#comments_44093

Maybe you are looking for

  • Texts in report painter

    Hi All, Do someone know if it's possible to call budget text with report painter ? Many thanks for your answer

  • Media Encoder Problem CS4

    Recently got CS4 master edition, every time I open Adobe Media Encoder from Flash or otherwise it gives me an error,  [..\..\Src\Init.cpp-42] then it closes and sends error report. Any ideas what the problem is? I am hoping its a bad install but I re

  • Hp pavilion a6400f no video

    I lend my desktop for 5 months, and now I have no video on the monitor, anyone can give me any suggestions what I should do. Thanks

  • Restoring calender from iTunes backup

    Hi, I recently replaced my iPhone 4S with a new one at the Apple store. I was using iOS6 in the old phone. I backed up using iTunes on my computer before taking it to the apple store. When I connected the new phone, it asked me to update to iOS7. I d

  • After latest update 1 feb 2014 error msvcr80.dll was not found

    after latest update 1 feb 2014 on both my desk top running vista and my lap top running xp both crashed and now itunes wont open i just get failed to star because msvcr80.dll was not found obviously i tunes has a serious bug Help huve uninstalled fro