Anyconnect: No address assigned
I am setting up an AnyConnect SSL VPN on my ASA 5510. I followed this documentation:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080975e83.shtml
I have also created an alias, allowed the users to select this alias and a group url which is accessible.
The problem I am having is when I try to connect it tells me there is: "...security gateway: no assigned address"
Any help?
Another reason you may get this is because of the address assignment policy.
If the ASA is set to use an authentication server or an external DHCP then it will fail until you specify one in the connection profile.
The following line fixed this for me by forcing the router to default to a local assignment of addresses for the VPN:
ASA5510(config)# vpn-addr-assign local reuse-delay 5
Hope this helps anyone else that is looking.
Similar Messages
-
Cisco ASA 5505 VPN Anyconnect no address assignment
I have a problem with IP assignment via AnyConnect. I always get the message "no assigned address" via AnyConnect. I assigned an address pool to my VPN profile, but it's still not working. Here is my config:
hostname firewall
domain-name ITTRIPP.local
enable password 8K8UeTZ9KV5Lvofo encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
ip local pool 192.168.178.0 192.168.178.151-192.168.178.171 mask 255.255.255.255
ip local pool net-10 10.0.0.1-10.0.0.10 mask 255.255.255.0
ip local pool SSL-POOL 172.16.1.1-172.16.1.254 mask 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
switchport access vlan 3
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
description Private Interface
nameif inside
security-level 100
ip address 192.168.178.10 255.255.255.0
ospf cost 10
interface Vlan2
description Public Interface
nameif outside
security-level 0
ip address 192.168.177.2 255.255.255.0
ospf cost 10
interface Vlan3
description DMZ-Interface
nameif dmz
security-level 0
ip address 10.10.10.2 255.255.255.0
boot system disk0:/asa914-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup dmz
dns server-group DefaultDNS
name-server 192.168.178.3
name-server 192.168.177.1
domain-name ITTRIPP.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network 192.168.178.x
subnet 192.168.178.0 255.255.255.0
object network NETWORK_OBJ_192.168.178.0_26
subnet 192.168.178.0 255.255.255.192
object service teamviewer
service tcp source eq 5938
object service smtp_tls
service tcp source eq 587
object service all_tcp
service tcp source range 1 65535
object service udp_all
service udp source range 1 65535
object network NETWORK_OBJ_192.168.178.128_26
subnet 192.168.178.128 255.255.255.192
object network NETWORK_OBJ_10.0.0.0_28
subnet 10.0.0.0 255.255.255.240
object-group service Internet-udp udp
description UDP Standard Internet Services
port-object eq domain
port-object eq ntp
port-object eq isakmp
port-object eq 4500
object-group service Internet-tcp tcp
description TCP Standard Internet Services
port-object eq www
port-object eq https
port-object eq smtp
port-object eq 465
port-object eq pop3
port-object eq 995
port-object eq ftp
port-object eq ftp-data
port-object eq domain
port-object eq ssh
port-object eq telnet
object-group user DM_INLINE_USER_1
user LOCAL\admin
user LOCAL\lukas
user LOCAL\sarah
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq ftp-data
port-object eq ssh
object-group service 192.168.178.network tcp
port-object eq 5000
port-object eq 5001
object-group service DM_INLINE_SERVICE_1
service-object object smtp_tls
service-object tcp destination eq imap4
service-object object teamviewer
object-group service DM_INLINE_SERVICE_2
service-object object all_tcp
service-object object udp_all
object-group service DM_INLINE_SERVICE_3
service-object object all_tcp
service-object object smtp_tls
service-object object teamviewer
service-object object udp_all
service-object tcp destination eq imap4
object-group service vpn udp
port-object eq 1701
port-object eq 4500
port-object eq isakmp
object-group service openvpn udp
port-object eq 1194
access-list NAT-ACLs extended permit ip 192.168.178.0 255.255.255.0 any
access-list inside-in remark -=[Access Lists For Outgoing Packets from Inside interface]=-
access-list inside-in extended permit udp 192.168.178.0 255.255.255.0 any object-group Internet-udp
access-list inside-in extended permit tcp 192.168.178.0 255.255.255.0 any object-group Internet-tcp
access-list inside-in extended permit icmp 192.168.178.0 255.255.255.0 any
access-list inside-in extended permit udp 192.168.178.0 255.255.255.0 any eq sip
access-list inside-in extended permit object-group DM_INLINE_SERVICE_1 192.168.178.0 255.255.255.0 any
access-list inside-in extended permit object-group DM_INLINE_SERVICE_2 192.168.178.0 255.255.255.0 any
access-list outside-in remark -=[Access Lists For Incoming Packets on OUTSIDE interface]=-
access-list outside-in extended permit icmp any 192.168.178.0 255.255.255.0 echo-reply
access-list outside-in extended permit tcp object-group-user DM_INLINE_USER_1 any host 192.168.178.95 object-group DM_INLINE_TCP_1
access-list outside-in extended permit tcp any host 192.168.178.95 object-group 192.168.178.network
access-list outside-in extended permit tcp any 192.168.178.0 255.255.255.0 eq sip
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list dmz_access_in remark -=[Access Lists For Outgoing Packets from DMZ interface]=-
access-list dmz_access_in extended permit object-group DM_INLINE_SERVICE_3 10.10.10.0 255.255.255.0 any
access-list dmz_access_in extended permit icmp 10.10.10.0 255.255.255.0 any
access-list dmz_access_in extended permit tcp 10.10.10.0 255.255.255.0 any object-group Internet-tcp
access-list dmz_access_in extended permit udp 10.10.10.0 255.255.255.0 any object-group Internet-udp
pager lines 24
logging enable
logging buffer-size 30000
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.178.0_26 NETWORK_OBJ_192.168.178.0_26 no-proxy-arp route-lookup
nat (dmz,outside) source static any any destination static NETWORK_OBJ_192.168.178.0_26 NETWORK_OBJ_192.168.178.0_26 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.178.128_26 NETWORK_OBJ_192.168.178.128_26 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.0.0.0_28 NETWORK_OBJ_10.0.0.0_28 no-proxy-arp route-lookup
object network 192.168.178.x
nat (inside,outside) dynamic interface
nat (dmz,outside) after-auto source dynamic 192.168.178.x interface
access-group inside-in in interface inside
access-group outside-in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 192.168.177.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server ITTRIPP protocol ldap
aaa-server ITTRIPP (inside) host 192.168.178.3
ldap-base-dn CN=Users,DC=ITTRIPP,DC=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=Administrator,DC=ITTRIPP,DC=local
server-type microsoft
user-identity default-domain LOCAL
eou allow none
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 5
http server enable
http 192.168.178.0 255.255.255.0 inside
http redirect outside 80
http redirect inside 80
http redirect dmz 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map dmz_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map dmz_map interface dmz
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=firewall
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment self
fqdn l1u.dyndns.org
email [email protected]
subject-name CN=l1u.dyndns.org,OU=VPN Services,O=ITTRIPP,C=DE,St=NRW,L=PLBG,EA=[email protected]
serial-number
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
certificate 6a871953
quit
crypto ca certificate chain ASDM_TrustPoint1
certificate 580c1e53
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable inside client-services port 443
crypto ikev2 enable outside client-services port 443
crypto ikev2 enable dmz client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint1
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.178.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.178.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
no vpn-addr-assign aaa
no vpn-addr-assign local
no ipv6-vpn-addr-assign aaa
dhcp-client update dns server both
dhcpd update dns both
dhcpd address 192.168.178.100-192.168.178.150 inside
dhcpd dns 192.168.178.3 192.168.177.1 interface inside
dhcpd wins 192.168.178.3 interface inside
dhcpd domain ITTRIPP.local interface inside
dhcpd update dns both interface inside
dhcpd option 3 ip 192.168.178.10 interface inside
dhcpd option 4 ip 192.168.178.3 interface inside
dhcpd option 6 ip 192.168.178.3 192.168.177.1 interface inside
dhcpd option 66 ip 192.168.178.95 interface inside
dhcpd enable inside
dhcpd address 192.168.177.100-192.168.177.150 outside
dhcpd dns 192.168.178.3 192.168.177.1 interface outside
dhcpd wins 192.168.178.3 interface outside
dhcpd domain ITTRIPP.local interface outside
dhcpd update dns both interface outside
dhcpd option 3 ip 192.168.177.2 interface outside
dhcpd option 4 ip 192.168.178.3 interface outside
dhcpd option 6 ip 192.168.178.3 interface outside
dhcpd enable outside
dhcpd address 10.10.10.100-10.10.10.150 dmz
dhcpd dns 192.168.178.3 192.168.177.1 interface dmz
dhcpd wins 192.168.178.3 interface dmz
dhcpd domain ITTRIPP.local interface dmz
dhcpd update dns both interface dmz
dhcpd option 3 ip 10.10.10.2 interface dmz
dhcpd option 4 ip 192.168.178.3 interface dmz
dhcpd option 6 ip 192.168.178.3 interface dmz
dhcpd enable dmz
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
tftp-server inside 192.168.178.105 /volume1/data/tftp
ssl encryption 3des-sha1
ssl trust-point ASDM_TrustPoint0
ssl trust-point ASDM_TrustPoint1 outside
ssl trust-point ASDM_TrustPoint1 dmz
ssl trust-point ASDM_TrustPoint0 dmz vpnlb-ip
ssl trust-point ASDM_TrustPoint1 inside
ssl trust-point ASDM_TrustPoint0 inside vpnlb-ip
ssl trust-point ASDM_TrustPoint0 outside vpnlb-ip
webvpn
enable inside
enable outside
enable dmz
file-encoding 192.168.178.105 big5
csd image disk0:/csd_3.5.2008-k9.pkg
anyconnect image disk0:/anyconnect-linux-3.1.03103-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-3.1.03103-k9.pkg 2
anyconnect image disk0:/anyconnect-win-3.1.03103-k9.pkg 3
anyconnect profiles SSL-Profile_client_profile disk0:/SSL-Profile_client_profile.xml
anyconnect enable
tunnel-group-list enable
mus password *****
group-policy DfltGrpPolicy attributes
wins-server value 192.168.178.3
dns-server value 192.168.178.3 192.168.177.1
dhcp-network-scope 192.168.178.0
vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
default-domain value ITTRIPP.local
split-dns value ITTRIPP.local
webvpn
anyconnect firewall-rule client-interface public value outside-in
anyconnect firewall-rule client-interface private value inside-in
group-policy GroupPolicy_SSL-Profile internal
group-policy GroupPolicy_SSL-Profile attributes
wins-server value 192.168.178.3
dns-server value 192.168.178.3 192.168.177.1
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
default-domain value ITTRIPP.local
webvpn
anyconnect profiles value SSL-Profile_client_profile type user
username sarah password PRgJuqNTubRwqXtd encrypted
username admin password QkbxX5Qv0P59Hhrx encrypted privilege 15
username lukas password KGLLoTxH9mCvWzVI encrypted
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool SSL-POOL
secondary-authentication-server-group LOCAL
authorization-server-group LOCAL
tunnel-group DefaultWEBVPNGroup ipsec-attributes
ikev1 trust-point ASDM_TrustPoint0
ikev1 radius-sdi-xauth
tunnel-group SSL-Profile type remote-access
tunnel-group SSL-Profile general-attributes
address-pool SSL-POOL
default-group-policy GroupPolicy_SSL-Profile
tunnel-group SSL-Profile webvpn-attributes
group-alias SSL-Profile enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
class class-default
user-statistics accounting
service-policy global_policy global
mount FTP type ftp
server 192.168.178.105
path /volume1/data/install/microsoft/Cisco
username lukas
password ********
mode passive
status enable
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:998674b777e5fd1d3a131d93704ea0e1
Any idea why it's not working?
You've got a lot going on there but I'd focus on the line "no vpn-addr-assign local". Per the command reference that tells the ASA NOT to use the local pool.
By the way, DHCP on the outside interface looks very counter-intuitive, as does enabling VPN on all interfaces over every protocol. -
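An added example, not part of the original thread and not Cisco tooling: a Python check for the condition both replies above describe, a connection profile that names an address pool while the matching vpn-addr-assign method is switched off. The sample text is a constructed excerpt of the posted configuration; treating aaa, dhcp and local as enabled unless a "no vpn-addr-assign" line appears, the finding codes, and "outside" as the public interface name are assumptions of this example.

```python
import re

# Constructed excerpt of the configuration posted above (indentation lost,
# as on the page). Only lines relevant to address assignment are kept.
SAMPLE_CONFIG = """\
ip local pool SSL-POOL 172.16.1.1-172.16.1.254 mask 255.255.255.0
no vpn-addr-assign aaa
no vpn-addr-assign local
dhcpd enable inside
dhcpd enable outside
webvpn
enable inside
enable outside
enable dmz
anyconnect enable
group-policy DfltGrpPolicy attributes
dhcp-network-scope 192.168.178.0
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool SSL-POOL
tunnel-group SSL-Profile type remote-access
tunnel-group SSL-Profile general-attributes
address-pool SSL-POOL
default-group-policy GroupPolicy_SSL-Profile
tunnel-group SSL-Profile webvpn-attributes
group-alias SSL-Profile enable
"""


def parse(config):
    """Extract address-assignment state from ASA running-config text."""
    state = {
        # Assumption: all three methods are on unless a "no" line disables one.
        "methods": {"aaa", "dhcp", "local"},
        "pools": set(),      # names defined with "ip local pool"
        "profiles": {},      # tunnel-group name -> sources configured on it
        "webvpn_ifaces": [],
        "dhcpd_ifaces": [],
    }
    section, profile = None, None
    for raw in config.splitlines():
        line = raw.strip()
        words = line.split()
        m = re.match(r"(no )?vpn-addr-assign (aaa|dhcp|local)\b", line)
        if m:
            if m.group(1):
                state["methods"].discard(m.group(2))
            else:
                state["methods"].add(m.group(2))
        elif re.match(r"ip local pool \S+ ", line):
            state["pools"].add(words[3])
        elif re.match(r"dhcpd enable \S+$", line):
            state["dhcpd_ifaces"].append(words[2])
        elif re.match(r"tunnel-group \S+ \S+", line):
            entry = state["profiles"].setdefault(
                words[1], {"pools": [], "dhcp": [], "aaa": []})
            section = "tunnel-group"
            profile = entry if words[2] == "general-attributes" else None
        elif line.startswith("group-policy "):
            section, profile = "group-policy", None
        elif line == "webvpn":
            # "webvpn" after a group-policy header is that policy's sub-mode.
            if section != "group-policy":
                section = "webvpn"
            profile = None
        elif section == "webvpn" and len(words) == 2 and words[0] == "enable":
            state["webvpn_ifaces"].append(words[1])
        elif profile is not None and words:
            args = [w for w in words[1:] if not w.startswith("(")]
            if words[0] == "address-pool":
                profile["pools"] += args
            elif words[0] == "dhcp-server":
                profile["dhcp"] += args[:1]
            elif words[0] == "authentication-server-group":
                profile["aaa"] += [a for a in args if a != "LOCAL"]
    return state


def audit(config):
    """Return (scope, code, detail) findings; the codes are made up here."""
    s = parse(config)
    findings = []
    for name, p in sorted(s["profiles"].items()):
        sources = []
        if "local" in s["methods"] and any(x in s["pools"] for x in p["pools"]):
            sources.append("local")
        if "dhcp" in s["methods"] and p["dhcp"]:
            sources.append("dhcp")
        if "aaa" in s["methods"] and p["aaa"]:  # heuristic: non-LOCAL AAA group
            sources.append("aaa")
        enabled = ", ".join(sorted(s["methods"])) or "none"
        if not sources:
            findings.append((name, "NO_ADDRESS_SOURCE", "methods enabled: " + enabled))
        if p["pools"] and "local" not in s["methods"]:
            findings.append((name, "POOL_IGNORED", " ".join(p["pools"])))
    if "outside" in s["dhcpd_ifaces"]:
        findings.append(("global", "DHCPD_ON_OUTSIDE", "dhcpd enable outside"))
    if len(s["webvpn_ifaces"]) > 1:
        findings.append(("global", "WEBVPN_MULTI_IFACE", ", ".join(s["webvpn_ifaces"])))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(*finding, sep=" | ")
```

Replacing the "no vpn-addr-assign local" line with the "vpn-addr-assign local reuse-delay 5" command from the first answer clears both per-profile findings; the two global findings correspond to the second reply's remarks about DHCP on the outside interface and VPN enabled on every interface.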
SSL VPN IP Address Assignment from IAS radius server
Can I use SSL VPN IP address assignment from an IAS RADIUS server? It can be done with an ACS server. Are there any differences between ACS and IAS?
Hi,
I would suggest setting up a sniffer capture with ACS and looking for the attribute that ACS sends for IP address assignment; once you know the attribute, apply it on the IAS.
If you have any questions, do not hesitate to contact me. -
OK; I have been trying to set up a test VM-based RDS deployment for a few days now with no luck.
The error mentioned above:
"Server <server name> either does not have a virtual switch configured or none of the configured virtual switches have an IP address assigned" is driving me nuts!
I have removed and re-added the RD Virtualization Host role numerous times, each time having the "create a virtual switch" checkbox selected, but it did NOT create any virtual switch.
I created the external virtual switch manually and tried to create the desktop collection again; no luck, with the same error.
A few questions:
1. You don't assign an IP to a switch! You assign IPs to network interfaces. Why does the error put it like this?! It is technically wrong. (Yeah, yeah, I know all about how you'd assign an IP to managed switches in the real world to telnet into them and manage them. You know better than me that it is not the case here!)
2. The RDS Virtualization hosts are using their WiFi card as the card for the virtual switch. Could that be the reason? I even disabled their unplugged wired NIC just to make sure that the WiFi is the only available option for the RDS wizard to use for the virtual switch creation; but it didn't use it and it didn't create any virtual switch automatically.
3. If the WiFi NIC is indeed the reason, is it your suspicion, or is there an official document somewhere stating so (that WiFi NICs on Virtualization hosts are not supported as the hub for a virtual switch)?
4. What are the properties of the virtual switch that RDS requires? Does it have to be external? Why can't it work even with my manually created external switch?
5. How would I fix it?
P.S.: the environment is made up of 2 laptops, with the Windows 2012 R2 trial installed on them, using their WiFi to connect to the outside world. No cable is plugged into their wired NIC.
Hi,
Thank you for posting in Windows Server Forum.
The simplest short-term solution was to connect each computer to a small switch that had no other connectivity. This brought up the link light on the external NIC and allowed the creation of the collection to complete. You need to use an external switch. You can create one external switch, which might fix the problem.
Please check the article below for information.
VDI Deployment Error About Virtual Switch
In addition, please refer to this article for information regarding virtual switches.
Hope it helps!
Thanks.
Dharmesh Solanki
TechNet Community Support -
IP address Assignment for 802.1x Client
Working on a Wireless deployment using 802.1x and a question has come up regarding Address Assignment.
The design requires wireless vlan assignment based on username and Active Directory group assignment.
The simplest way to provide dynamic addressing would obviously be multiple DHCP Scopes on a server and use ip helper functionally to provide relay servers.
Another option (I think) would be to create IP address pools in the ACS server based on ACS group and have ACS pass it back as part of the authentication process. I'm wondering if this is even a valid option with 802.1x authentication. It seems to me that it would cut down on a lot of the traffic associated with a DHCP discovery/request/offer conversation as the number of wireless clients starts to grow.
Err, no. There is no provision in EAP-TLS, PEAP (CHAP), or even basic EAP to provide network information (e.g. IP address/mask/gateway/DNS/etc).
There is also no provision in Windows 2k or XP interface management software to accept IP details for interface configuration via any wireless authentication protocol.
peter -
Message on WCS/NCS: Attempted to use IP Address assigned to another device
Hi
I have two WLCs, AIR-CT5508-K9, monitored by WCS (in retiring stage) and NCS.
All APs are grouped in HREAP groups based on their locations. The wireless users are getting IPs from a DHCP pool running on routers located at each site. All DHCP commands on every router are identical. E.g. rtr1, located on site 1, has an IP pool for WiFi users of 192.168.8.0/24. Rtr2 on site 2 has an IP pool for WiFi users in the range 192.168.8.0/24. Occasionally I am getting the message below when some WiFi users are unable to connect. After creating an HREAP group and associating APs to the correct group, this message stops showing for a while, but now I am getting them again.
The temp solution to get it all running is to clear ip dhcp pool on router located at affected site.
Any suggestions for a better solution?
Thanks
====================
NCS has detected one or more alarms of category Security and severity Minor in Virtual Domain ROOT-DOMAIN
for the following items:
1. Message: Client '14:5a:05:6c:75:37 (0.0.0.0)' which was associated with interface '802.11b/g/n' of AP 'STV-AP-7198' is excluded. The reason code is '3(Attempted to use IP Address assigned to another device)'. - Controller Name: GEORGE-WLC
===================
endpoint,
You are locally switching your networks, yes, but even without HREAP and WLCs, they are still connected networks in your overall topology, correct? I would never have site A with a given network that overlaps with a network in site B. With few exceptions, they should be completely separate, unique, non-overlapping network spaces. HREAP doesn’t even come into it.
The problem you’re likely having is that the WLC is seeing clients coming in from two different sites and because you are duplicating your configurations from site to site, the WLC sees duplicate IP assignment.
That said, you can try to turn off client IP address learning on the WLAN Advanced tab to see if that helps.
Justin -
Can't get ipv6 address assigned correctly.
I use NetworkManager and dhclient for auto-configuration but it has some weird problems.
When I boot up my laptop, I only have chance to get access to ipv6 network, when I fail, I tried to delete the connection in Network Management Settings, and then added a new profile, disable and then enable the network again. Sometimes it works well, but sometimes it failed to auto-config.
If I use the command:
$ ip -6 rout
then I'll get the following message:
unreachable fe80::/64 dev lo proto kernel metric 256 error -101
fe80::/64 dev wlan0 proto kernel metric 256
default via fe80::2e0:2ff:fe54:59 dev wlan0 proto static metric 1
Every time, the default gateway is configured well; sometimes the address is missing, and if I do the following:
$ ping6 -I wlan0 -c 4 fe80::2e0:2ff:fe54:59
it responds normally.
PING fe80::2e0:2ff:fe54:59(fe80::2e0:2ff:fe54:59) from fe80::1034:56ff:fe78:9124 wlan0: 56 data bytes
64 bytes from fe80::2e0:2ff:fe54:59: icmp_seq=1 ttl=64 time=5.32 ms
64 bytes from fe80::2e0:2ff:fe54:59: icmp_seq=2 ttl=64 time=6.64 ms
64 bytes from fe80::2e0:2ff:fe54:59: icmp_seq=3 ttl=64 time=10.6 ms
64 bytes from fe80::2e0:2ff:fe54:59: icmp_seq=4 ttl=64 time=3.60 ms
--- fe80::2e0:2ff:fe54:59 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 3.603/6.546/10.617/2.587 ms
do the following:
$ ip -6 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
inet6 2001:250:4400:d000::161/128 scope global
valid_lft forever preferred_lft forever
inet6 fe80::1034:56ff:fe78:9124/64 scope link
valid_lft forever preferred_lft forever
I found I just sometimes can get the ipv6 address start with 2001:
If the address is assigned, then:
$ ping6 ipv6.google.com
PING ipv6.google.com(ipv6.google.com) 56 data bytes
^C
--- ipv6.google.com ping statistics ---
11 packets transmitted, 0 received, 100% packet loss, time 10008ms
There is no response at all!
Then I switched to Windows 7. If something like the above happens there, I set the MAC address to a random value such as 12-34-56-78-91-23, and soon the problem is corrected: I get a new IPv6 address assigned by the DHCPv6 server. If I switch back to Arch and set the MAC address in NetworkManager, it has no effect most of the time, and the IPv6 address won't even change!
Can anyone help me with this problem?
By the way, I never get an IPv6 address when I use dhcpcd.
bernarcher wrote:
Hello and welcome to the forums heliumhgy.
Just in case you are wondering where your post has been gone: The moderators board received this message from you:
I dont need tunnel to access to ipv6, My univ use dual-stack to get both ipv4 and v6 work around all campus.
This is because you inadvertently used the "Report" link. But don't worry this happens rather often.
Just because I caught a glimpse of re-blabla and mistook it for reply
Last edited by heliumhgy (2012-11-29 03:16:11) -
AP not getting ip address assigned.
Hi all,
I have a problem with my AIR-AP1041N-E-K9: I do not seem to get an IP address assigned after a reset to factory defaults.
I do see the AP with CDP:
Device-ID: ap
Advertisement version: 2
Platform: cisco AIR-AP1041N-E-K9
Capabilities: TransBridge IGMP
Interface: gi5, Port ID (outgoing port): GigabitEthernet0
Holdtime: 163
Version: Cisco IOS Software, C1040 Software (C1140-K9W7-M), Version 12.4(25d)JA1, RELEASE SOFTWARE (fc1)
Technical Support:
http://www.cisco.com/techsupport
Copyright
Duplex: full
Power drawn: 15000 milliwatts
SysObjectID: 0.0
Addresses:
unknown addres
So that should mean that layer 2 connectivity is fine.
I have the AP connected to a Cisco SG300 switch, and assigned switchport trunk allowed VLANs: 1,3,4,8.
Can someone help me?
Regards,
Menno
Message was edited by: Menno Hogenbirk
I also noticed that when I connect to the AP via console cable, I can see the AP boot up in the console session, but then I do not get a login prompt. It seems like the AP is responding, though: if I shut down the interconnecting link between the switch and the AP, I do see log messages appearing in the console connection.
I have tried to debug on the switch, but I need a password to debug, which I do not have.
Hi, thanks for your reply,
I should be getting my IP via DHCP (as I believed that this is the way the AP searches for an IP when it has no config yet). The DHCP server is configured on a Cisco 871 router that is connected to the switch, as I found no option to configure it on my switch, which is in layer 3 mode. The DHCP pool is assigned to the VLAN (native) 1 address range (in this case 192.168.0.x/24). I also have configured a range for my workstations, and here I do get IP addresses assigned.
The AP does not connect to a wireless controller. Also, I have checked my inter-VLAN routing on my switch, and I have connectivity to all VLANs, so I believe my AP should have connectivity to the DHCP server configured on the router.
Ping-test from switch shows no issues:
Swouter#ping 192.168.0.1
Pinging 192.168.0.1 with 18 bytes of data:
18 bytes from 192.168.0.1: icmp_seq=1. time=0 ms
18 bytes from 192.168.0.1: icmp_seq=2. time=0 ms
18 bytes from 192.168.0.1: icmp_seq=3. time=0 ms
18 bytes from 192.168.0.1: icmp_seq=4. time=0 ms
----192.168.0.1 PING Statistics----
4 packets transmitted, 4 packets received, 0% packet loss
round-trip (ms) min/avg/max = 0/0/0
Message was edited by: Menno Hogenbirk
Problem has been resolved. -
Hi all
Problem:
Client gets excluded caused by "Identity Theft" (when looking in the controller) and "Attempted to use IP Address assigned to another device" (when looking in the WCS).
Setup:
Centrally placed WLAN Controller - The SSID and AP is in H-REAP mode, and the DHCP server locally is a ASA5505.
Client:
Samsung Galaxy Tab 10.1
Other clients on the same site do not appear to have this problem.
The problem is periodic.
Other info:
We have recently upgraded to 7.0.230 because the same type of client would get excluded with reason "unknown", and not be removed from the exclusion list - this appears to have been a bug in the WLC software.
Now we have the reason, and the client will get removed from the exclusion list after the default 60 seconds, but then get excluded again.
When doing a troubleshoot client from the WCS the following shows up:
04/16/2012 12:10:32 CEST INFO 10.1.33.13 DHCP offer received,dhcp server set.
04/16/2012 12:10:32 CEST ERROR 10.1.33.13 Received DHCP ACK, could not update client state.
04/16/2012 12:10:32 CEST INFO 10.1.33.13 Received DHCP request, error processing packet.
04/16/2012 12:10:42 CEST ERROR 10.1.33.13 De-authentication sent to client. slot 0 (claller apf_ms.c:5113)
The question right now is:
The "could not update client state" - is this the WLC not being able to update the client or is it the DHCP server?
As I tried to explain before, we have local switching at the remote site, not centralized for this SSID.
And the DHCP server is on the same local VLAN.
It works fine, but all of a sudden a client will get "stuck" in this error.
If anyone wants to look, I have this debug output from the WLC.
The debug starts from right after I have removed the client from the exclusion list.
I can see in the ASA that the client's lease time in the DHCP server will get renewed during this process to the default 3600 seconds.
The client's MAC is: 8c:77:12:ac:8c:3b
The ASA inside interface is: 192.168.2.1 /24
Any suggestions will be greatly appreciated.
(WiSM-slot2-1) >*emWeb: Apr 17 10:09:31.613: 8c:77:12:ac:8c:3b apfMsDeleteByMscb Scheduling mobile for deletion with deleteReason 6, reasonCode 1
*emWeb: Apr 17 10:09:31.613: 8c:77:12:ac:8c:3b Scheduling deletion of Mobile Station: (callerId: 30) in 1 seconds
*osapiBsnTimer: Apr 17 10:09:32.612: 8c:77:12:ac:8c:3b apfMsExpireCallback (apf_ms.c:609) Expiring Mobile!
*apfReceiveTask: Apr 17 10:09:32.622: 8c:77:12:ac:8c:3b apfMsAssoStateDec
*apfReceiveTask: Apr 17 10:09:32.622: 8c:77:12:ac:8c:3b apfMs1xStateDec
*apfReceiveTask: Apr 17 10:09:32.622: 8c:77:12:ac:8c:3b Deleting mobile on AP 00:1d:a2:87:02:30(0)
*apfMsConnTask_0: Apr 17 10:09:36.655: 8c:77:12:ac:8c:3b Adding mobile on LWAPP AP 00:1d:a2:87:02:30(0)
*apfMsConnTask_0: Apr 17 10:09:36.655: 8c:77:12:ac:8c:3b Association received from mobile on AP 00:1d:a2:87:02:30
*apfMsConnTask_0: Apr 17 10:09:36.655: 8c:77:12:ac:8c:3b 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 0) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1633)
*apfMsConnTask_0: Apr 17 10:09:36.655: 8c:77:12:ac:8c:3b Applying site-specific IPv6 override for station 8c:77:12:ac:8c:3b - vapId 3, site 'PDA-GST-KNS-MED-ITV', interface 'dummy-itv-105'
*apfMsConnTask_0: Apr 17 10:09:36.655: 8c:77:12:ac:8c:3b Applying IPv6 Interface Policy for station 8c:77:12:ac:8c:3b - vlan 199, interface id 13, interface 'dummy-itv-105'
*apfMsConnTask_0: Apr 17 10:09:36.655: 8c:77:12:ac:8c:3b Applying site-specific override for station 8c:77:12:ac:8c:3b - vapId 3, site 'PDA-GST-KNS-MED-ITV', interface 'dummy-itv-105'
*apfMsConnTask_0: Apr 17 10:09:36.655: 8c:77:12:ac:8c:3b 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1633)
*apfMsConnTask_0: Apr 17 10:09:36.655: 8c:77:12:ac:8c:3b STA - rates (8): 130 132 139 150 36 48 72 108 0 0 0 0 0 0 0 0
*apfMsConnTask_0: Apr 17 10:09:36.655: 8c:77:12:ac:8c:3b STA - rates (12): 130 132 139 150 36 48 72 108 12 18 24 96 0 0 0 0
*apfMsConnTask_0: Apr 17 10:09:36.655: 8c:77:12:ac:8c:3b Processing RSN IE type 48, length 20 for mobile 8c:77:12:ac:8c:3b
*apfMsConnTask_0: Apr 17 10:09:36.655: 8c:77:12:ac:8c:3b 0.0.0.0 START (0) Initializing policy
*apfMsConnTask_0: Apr 17 10:09:36.655: 8c:77:12:ac:8c:3b 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
*apfMsConnTask_0: Apr 17 10:09:36.655: 8c:77:12:ac:8c:3b 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)
*apfMsConnTask_0: Apr 17 10:09:36.655: 8c:77:12:ac:8c:3b 0.0.0.0 8021X_REQD (3) DHCP Not required on AP 00:1d:a2:87:02:30 vapId 3 apVapId 3for this client
*apfMsConnTask_0: Apr 17 10:09:36.655: 8c:77:12:ac:8c:3b Not Using WMM Compliance code qosCap 00
*apfMsConnTask_0: Apr 17 10:09:36.656: 8c:77:12:ac:8c:3b 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 00:1d:a2:87:02:30 vapId 3 apVapId 3
*apfMsConnTask_0: Apr 17 10:09:36.656: 8c:77:12:ac:8c:3b apfMsAssoStateInc
*apfMsConnTask_0: Apr 17 10:09:36.656: 8c:77:12:ac:8c:3b apfPemAddUser2 (apf_policy.c:223) Changing state for mobile 8c:77:12:ac:8c:3b on AP 00:1d:a2:87:02:30 from Idle to Associated
*apfMsConnTask_0: Apr 17 10:09:36.656: 8c:77:12:ac:8c:3b Stopping deletion of Mobile Station: (callerId: 48)
*apfMsConnTask_0: Apr 17 10:09:36.656: 8c:77:12:ac:8c:3b Sending Assoc Response to station on BSSID 00:1d:a2:87:02:30 (status 0) ApVapId 3 Slot 0
*apfMsConnTask_0: Apr 17 10:09:36.656: 8c:77:12:ac:8c:3b apfProcessAssocReq (apf_80211.c:5272) Changing state for mobile 8c:77:12:ac:8c:3b on AP 00:1d:a2:87:02:30 from Associated to Associated
*apfMsConnTask_0: Apr 17 10:09:36.658: 8c:77:12:ac:8c:3b Updating AID for REAP AP Client 00:1d:a2:87:02:30 - AID ===> 2
*dot1xMsgTask: Apr 17 10:09:36.660: 8c:77:12:ac:8c:3b Creating a PKC PMKID Cache entry for station 8c:77:12:ac:8c:3b (RSN 2)
*dot1xMsgTask: Apr 17 10:09:36.660: 8c:77:12:ac:8c:3b Adding BSSID 00:1d:a2:87:02:32 to PMKID cache for station 8c:77:12:ac:8c:3b
*dot1xMsgTask: Apr 17 10:09:36.661: New PMKID: (16)
*dot1xMsgTask: Apr 17 10:09:36.661: [0000] 1b 92 b6 05 89 09 d5 c7 45 82 72 72 6a f2 b6 7e
*dot1xMsgTask: Apr 17 10:09:36.661: 8c:77:12:ac:8c:3b Initiating RSN PSK to mobile 8c:77:12:ac:8c:3b
*dot1xMsgTask: Apr 17 10:09:36.661: 8c:77:12:ac:8c:3b dot1x - moving mobile 8c:77:12:ac:8c:3b into Force Auth state
*dot1xMsgTask: Apr 17 10:09:36.661: 8c:77:12:ac:8c:3b Skipping EAP-Success to mobile 8c:77:12:ac:8c:3b
*dot1xMsgTask: Apr 17 10:09:36.661: Including PMKID in M1 (16)
*dot1xMsgTask: Apr 17 10:09:36.661: [0000] 1b 92 b6 05 89 09 d5 c7 45 82 72 72 6a f2 b6 7e
*dot1xMsgTask: Apr 17 10:09:36.661: 8c:77:12:ac:8c:3b Starting key exchange to mobile 8c:77:12:ac:8c:3b, data packets will be dropped
*dot1xMsgTask: Apr 17 10:09:36.661: 8c:77:12:ac:8c:3b Sending EAPOL-Key Message to mobile 8c:77:12:ac:8c:3b
state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
*Dot1x_NW_MsgTask_0: Apr 17 10:09:36.674: 8c:77:12:ac:8c:3b Received EAPOL-Key from mobile 8c:77:12:ac:8c:3b
*Dot1x_NW_MsgTask_0: Apr 17 10:09:36.674: 8c:77:12:ac:8c:3b Ignoring invalid EAPOL version (1) in EAPOL-key message from mobile 8c:77:12:ac:8c:3b
*Dot1x_NW_MsgTask_0: Apr 17 10:09:36.674: 8c:77:12:ac:8c:3b Received EAPOL-key in PTK_START state (message 2) from mobile 8c:77:12:ac:8c:3b
*Dot1x_NW_MsgTask_0: Apr 17 10:09:36.674: 8c:77:12:ac:8c:3b Stopping retransmission timer for mobile 8c:77:12:ac:8c:3b
*Dot1x_NW_MsgTask_0: Apr 17 10:09:36.675: 8c:77:12:ac:8c:3b Sending EAPOL-Key Message to mobile 8c:77:12:ac:8c:3b
state PTKINITNEGOTIATING (message 3), replay counter 00.00.00.00.00.00.00.01
*Dot1x_NW_MsgTask_0: Apr 17 10:09:36.681: 8c:77:12:ac:8c:3b Received EAPOL-Key from mobile 8c:77:12:ac:8c:3b
*Dot1x_NW_MsgTask_0: Apr 17 10:09:36.681: 8c:77:12:ac:8c:3b Ignoring invalid EAPOL version (1) in EAPOL-key message from mobile 8c:77:12:ac:8c:3b
*Dot1x_NW_MsgTask_0: Apr 17 10:09:36.681: 8c:77:12:ac:8c:3b Received EAPOL-key in PTKINITNEGOTIATING state (message 4) from mobile 8c:77:12:ac:8c:3b
*Dot1x_NW_MsgTask_0: Apr 17 10:09:36.681: 8c:77:12:ac:8c:3b apfMs1xStateInc
*Dot1x_NW_MsgTask_0: Apr 17 10:09:36.681: 8c:77:12:ac:8c:3b 0.0.0.0 8021X_REQD (3) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)
*Dot1x_NW_MsgTask_0: Apr 17 10:09:36.682: 8c:77:12:ac:8c:3b 0.0.0.0 L2AUTHCOMPLETE (4) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED
*Dot1x_NW_MsgTask_0: Apr 17 10:09:36.682: 8c:77:12:ac:8c:3b 0.0.0.0 L2AUTHCOMPLETE (4) DHCP Not required on AP 00:1d:a2:87:02:30 vapId 3 apVapId 3for this client
*Dot1x_NW_MsgTask_0: Apr 17 10:09:36.682: 8c:77:12:ac:8c:3b Not Using WMM Compliance code qosCap 00
*Dot1x_NW_MsgTask_0: Apr 17 10:09:36.683: 8c:77:12:ac:8c:3b 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 00:1d:a2:87:02:30 vapId 3 apVapId 3
*Dot1x_NW_MsgTask_0: Apr 17 10:09:36.683: 8c:77:12:ac:8c:3b 0.0.0.0 L2AUTHCOMPLETE (4) pemAdvanceState2 4817, Adding TMP rule
*Dot1x_NW_MsgTask_0: Apr 17 10:09:36.683: 8c:77:12:ac:8c:3b 0.0.0.0 L2AUTHCOMPLETE (4) Adding Fast Path rule
type = Airespace AP - Learn IP address
on AP 00:1d:a2:87:02:30, slot 0, interface = 29, QOS = 0
ACL Id = 255, Ju
*Dot1x_NW_MsgTask_0: Apr 17 10:09:36.683: 8c:77:12:ac:8c:3b 0.0.0.0 L2AUTHCOMPLETE (4) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 5006 IPv6 Vlan = 199, IPv6 intf id = 13
*Dot1x_NW_MsgTask_0: Apr 17 10:09:36.683: 8c:77:12:ac:8c:3b 0.0.0.0 L2AUTHCOMPLETE (4) Successfully plumbed mobile rule (ACL ID 255)
*Dot1x_NW_MsgTask_0: Apr 17 10:09:36.683: 8c:77:12:ac:8c:3b 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
*Dot1x_NW_MsgTask_0: Apr 17 10:09:36.683: 8c:77:12:ac:8c:3b 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 4833, Adding TMP rule
*Dot1x_NW_MsgTask_0: Apr 17 10:09:36.028: 8c:77:12:ac:8c:3b 0.0.0.0 DHCP_REQD (7) Replacing Fast Path rule
type = Airespace AP - Learn IP address
on AP 00:1d:a2:87:02:30, slot 0, interface = 29, QOS = 0
ACL Id = 255, Jumb
*Dot1x_NW_MsgTask_0: Apr 17 10:09:36.684: 8c:77:12:ac:8c:3b 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 5006 IPv6 Vlan = 199, IPv6 intf id = 13
*Dot1x_NW_MsgTask_0: Apr 17 10:09:36.684: 8c:77:12:ac:8c:3b 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (ACL ID 255)
*Dot1x_NW_MsgTask_0: Apr 17 10:09:36.684: 8c:77:12:ac:8c:3b Stopping retransmission timer for mobile 8c:77:12:ac:8c:3b
*pemReceiveTask: Apr 17 10:09:36.689: 8c:77:12:ac:8c:3b 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
*pemReceiveTask: Apr 17 10:09:36.695: 8c:77:12:ac:8c:3b 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
*DHCP Proxy DTL Recv Task: Apr 17 10:09:36.831: 8c:77:12:ac:8c:3b DHCP received op BOOTREPLY (2) (len 325,vlan 0, port 29, encap 0xec03)
*DHCP Proxy DTL Recv Task: Apr 17 10:09:36.831: 8c:77:12:ac:8c:3b DHCP setting server from ACK (server 192.168.2.1, yiaddr 192.168.2.13)
*DHCP Proxy DTL Recv Task: Apr 17 10:09:36.853: 8c:77:12:ac:8c:3b apfBlacklistMobileStationEntry2 (apf_ms.c:4296) Changing state for mobile 8c:77:12:ac:8c:3b on AP 00:1d:a2:87:02:30 from Associated to Exclusion-list (1)
*DHCP Proxy DTL Recv Task: Apr 17 10:09:36.853: 8c:77:12:ac:8c:3b Scheduling deletion of Mobile Station: (callerId: 44) in 10 seconds
*DHCP Proxy DTL Recv Task: Apr 17 10:09:36.854: 8c:77:12:ac:8c:3b DHCP failed to register IP 192.168.2.13 - dropping ACK -
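The debug output above ends with three events for the same client: a DHCP ACK is seen, the client is moved to the exclusion list, and the controller logs that it dropped the ACK. The following is an added example, not part of the original post, that pulls that sequence out of debug text in the format shown; the function name `dropped_acks` and the record fields are assumptions made for illustration, and the sample lines are copied from the post.

```python
import re

# Debug lines copied from the post above, trimmed to the DHCP-relevant ones.
SAMPLE = """\
*Dot1x_NW_MsgTask_0: Apr 17 10:09:36.683: 8c:77:12:ac:8c:3b 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
*DHCP Proxy DTL Recv Task: Apr 17 10:09:36.831: 8c:77:12:ac:8c:3b DHCP received op BOOTREPLY (2) (len 325,vlan 0, port 29, encap 0xec03)
*DHCP Proxy DTL Recv Task: Apr 17 10:09:36.831: 8c:77:12:ac:8c:3b DHCP setting server from ACK (server 192.168.2.1, yiaddr 192.168.2.13)
*DHCP Proxy DTL Recv Task: Apr 17 10:09:36.853: 8c:77:12:ac:8c:3b apfBlacklistMobileStationEntry2 (apf_ms.c:4296) Changing state for mobile 8c:77:12:ac:8c:3b on AP 00:1d:a2:87:02:30 from Associated to Exclusion-list (1)
*DHCP Proxy DTL Recv Task: Apr 17 10:09:36.854: 8c:77:12:ac:8c:3b DHCP failed to register IP 192.168.2.13 - dropping ACK
"""

# Line layout seen in the post: "*<task>: <Mon DD HH:MM:SS.mmm>: <client MAC> <message>"
LINE = re.compile(
    r"^\*(?P<task>[^:]+): (?P<ts>\w{3} +\d+ [\d:.]+): "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<msg>.*)$"
)
ACK = re.compile(r"DHCP setting server from ACK \(server (?P<server>[\d.]+), yiaddr (?P<yiaddr>[\d.]+)\)")
EXCLUDED = re.compile(r"from (?P<prev>\w+) to Exclusion-list")
DROPPED = re.compile(r"DHCP failed to register IP (?P<ip>[\d.]+) - dropping ACK")


def dropped_acks(log_text):
    """Return one record per DHCP ACK that the controller logged as dropped."""
    last_ack = {}   # mac -> (timestamp, server, yiaddr) of the most recent ACK
    excluded = {}   # mac -> timestamp of the move to Exclusion-list since that ACK
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # continuation lines and lines that carry no client MAC
        mac, ts, msg = m["mac"], m["ts"], m["msg"]
        ack = ACK.search(msg)
        drop = DROPPED.search(msg)
        if ack:
            last_ack[mac] = (ts, ack["server"], ack["yiaddr"])
            excluded.pop(mac, None)
        elif EXCLUDED.search(msg):
            excluded[mac] = ts
        elif drop:
            seen = last_ack.pop(mac, None)
            # Only attribute a server if the dropped IP is the one that ACK offered.
            matches = seen is not None and seen[2] == drop["ip"]
            findings.append({
                "mac": mac,
                "ip": drop["ip"],
                "server": seen[1] if matches else None,
                "acked_at": seen[0] if matches else None,
                "excluded_at": excluded.pop(mac, None),
                "dropped_at": ts,
            })
    return findings


if __name__ == "__main__":
    for f in dropped_acks(SAMPLE):
        print(f)
```

A record with both `server` and `excluded_at` filled in means the ACK reached the controller and the exclusion was logged before the drop, which is the order the lines appear in the post.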
Ip address assignment from IP Pool to common Username
Hello
Does anyone know if it is possible to assign IP addresses from an IP Address pool to a common username connected to the same NAS device multiple times?
The scenario is that there are multiple GPRS devices with a "common" configuration connecting to the network using a common username. The IP address assignment is being done via IP Address Pools.
It looks like the same IP address is being assigned each time the common user logs in, causing routing issues.
Thanks
Mark
With CiscoSecure GRS, the ISP can assign the IP address. When the ISP assigns the IP address, the IP address is the same regardless of the NAS into which the user dials.
-
Cisco UCS Management IP Address assigned twice?
I have a blade chassis with 8 servers, and a pool of management addresses assigned to a service profile template. All 8 servers are built from this template. There are 8 addresses in the pool.
I am finding that 4 servers in, I have exhausted all 8 addresses from the management pool. Upon further investigation, it looks like all servers have taken 2 addresses from this pool. One address is the address assigned to org-root/service-profile-name/ipv4-pooled-addr. Another address (same server) is assigned to sys/chassis-number/blade-number/mgmt/ipv4-pooled-addr.
What am I doing wrong?
It is my understanding that this is the correct / default behaviour. When you created a mgmt pool, physical hardware automatically picks up an address after discovery. When you create a template, you do not necessarily need to assign the pool to the template, as when you associate a profile with hardware you can access the KVM to the profile via the address assigned to the hardware. The upside of assigning a pool to the template / profile is the fact that that address will always live with the profile (server) as opposed to an address on the hardware which could have different profiles assigned at different times. So, if you assign to the template / profile you will use 2 x the addresses from the pool.
-
T40 Wireless Issue - No IP Address Assigned
I am using a T40 in wireless mode and am unable to get automatic assignment of the IP address. Connection to the wireless access point is confirmed but there is no internet connectivity because the IP address assignment is not being completed. The wireless network is working because I have a second laptop which attaches with no issues. This laptop was working but my son was visiting over the holidays and he could not get his laptop to linkup. To make a long story short some wireless setup adjustments were made to my unit to try to determine the problem with his. I don't know what they were. Now neither laptop works. I am confident this is a setup issue but I can't seem to find the setup adjustment that needs to be made. Does anyone have some ideas where I can start?
Hi Dsnyder5516,
Welcome to the forum!
I suggest using System Restore in Windows to the point where your wireless was working fine.
I hope it helps.
Maliha (I don't work for lenovo)
-
Error:wwnn address assignment failed for a vhba
Hello,
We are trying to create a service profile but get this message for the vhba:
wwnn address assignment failed for a vhba
Currently the Storage is not connect yet to the 6200.
Can someone please help?
Regards,
Full error is:
wwnn address assignment failed for a VHBA, possibilty illegal WWNN address or no available WWN in the pool
Yes, this is happening when I try to assign from the WWNN pool. -
How to manage IP address assignment for laptops?
Dear All,
I'm looking for an efficient way to manage IP address assignment for laptops.
I have a DHCP server with reservation for all my devices.
Laptops usually have 2 NICs: LAN and WiFi card.
So, how can I manage the IP assignment for these devices?
If I make a DHCP reservation with two different IP addresses, I can have problems with DNS round-robin.
Should I enable the DNS secure dynamic update for domain members and then reserve two different IP addresses on DHCP?
I don't want that user needs to manually change their NIC configuration.
What you suggest?
Thanks
The best way to manage it would be to "not" manage it. DHCP by definition is supposed to be "dynamic". DHCP Reservations are great for a few devices that live under "special circumstances" but you never want to set Reservations for everything,...if you do that then just don't have DHCP to start with and statically assign everything.
The combination of DHCP with dynamically updated DNS in AD means you never have to know or ever care what the IP# is. Everything is referred to by its hostname.
Some things to keep in mind:
Every interface has a different MAC,...meaning the Laptops have two MACs. Therefore it is impossible to reserve the same IP# for both. So they end up with a different IP# depending on which Nic they use. Running two laptop nics on the same LAN at the same time is always bad. Either always use the wireless,...or always turn off the wireless nic when laptops are local within your facility and can use the physical nic. In other words pick one,...or the other,...never allow both to work at the same time. This is a responsibility and education issue of the user,...you can't do this for them.
Users cannot change their own network IP Specs unless they are Local Administrators on their machines,...and they should never be allowed to be Local Administrators. -
Old IP Address Assigned to en0
Where in the boot process are the IP addresses assigned to interfaces?
I have an old static IP address being assigned as the primary IP address for en0 whenever I reboot my Mac Pro 3,1.
I can use ipconfig to delete the erroneous address but would like to find where the address is being stored and remove it so that it doesn't appear in the future.
It's not. System Preferences > Network displays the correct IP address for Ethernet 1: 192.168.1.10.
This is being assigned to en0 during boot as the secondary IP address. The primary IP address is 192.168.2.1.
This is the reason that I'm interested in finding which files are used for configuring the network during start up.