ASA 5505 Logging Issue - Warning: Configured logging host interface conflicts with route table entry

I am getting this warning on my ASA 5505 when I try to set up logging from my off-site FW to the central FW, which is a 5510. What I am trying to do is send the FW logs through the VPN tunnel into the central 5510 to our logging server at 192.168.22.99, but allow all other traffic out the outside interface so customers can hit our web servers down there. Here is an example of my config with fake IPs. I get this error when trying to do "logging inside host 192.168.22.99". If I try to put in "logging Tunnel host 192.168.22.99" I get the "Warning:Security Level is 1" message.
5505
ethe0/0
desc To LA ISP (217.34.122.1)
switchport access vlan2
ethe0/1
desc To Redwood City HQ via VPN Tunnel
switchport access vlan1
ethe0/2
desc To Internal Web Server
switchport access vlan3
VLAN1
desc Tunnel to HQ
ifinterface Tunnel
security level 1
217.34.122.3 255.255.255.248
VLAN3
desc Internal Web Server
ifinterface inside
security level 100
192.168.0.1 255.255.255.0
access-list LosAngeles extended permit ip 192.168.0.0 255.255.255.0 192.168.22.0 255.255.255.0
(No access-group is performed, as I match from the crypto map instead since I have multiple sites going out of HQ - see HQ configs)
route Tunnel 192.168.22.0 255.255.255.0 65.29.211.198
crypto map TO-HQ 10 match address LosAngeles
crypto map TO-HQ set peer ip 65.29.211.198
5510 at HQ
access-list LA extended permit ip 192.168.22.0 255.255.255.0 192.168.0.0 255.255.255.0
(again no access-group, since I have a couple other off sites)
crypto map TO-LA 20 match address LA
crypto map TO-LA 20 set peer ip 217.34.122.3

Hi Jouni,
I have the following configs in place with fake IPs
5505
1 outside interface with security level 0 (vlan1 direct connect to isp 217.33.122.2/30) - goes to ISP
1 Tunnel interface with security level 1 (vlan 2 direct connect to isp 217.33.122.6/30) - goes to Tunnel to our 5510
1 inside interface with security level 100 (servers connected to hub, with vlan3 ip of 192.168.0.1)
access-list LosAngeles extended permit ip 192.168.0.0 255.255.255.0 192.168.22.0 255.255.255.0 - acl to 5510 inside network
route outside 0.0.0.0 0.0.0.0 217.33.122.1 - route for all traffic (except for 192.168.22.0/24) to take the outside connection
route Tunnel 192.168.22.0 255.255.255.0 65.29.211.198 - route for 192.168.22.0 destined traffic to take the Tunnel connection
crypto map TO-HQ 10 match address LosAngeles
crypto map TO-HQ 10 set peer ip 65.29.211.198
tunnel-group 65.29.211.198 type ipsec-l2l
5510
1 outside interface with security level 0 (vlan1 direct connect to isp 65.29.211.198) - goes to isp
1 inside interface with security level 100 (vlan2 connection to corporate servers and SIP 192.168.22.0/24)
access-list LA extended permit ip 192.168.22.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list OUTBOUND extended permit icmp host 217.33.122.6 host 192.168.22.99 (allows Nagios monitor to ping the DE interface)
access-group OUTBOUND in interface outside
nat (inside,outside) static 192.168.22.99 interface destination static 217.33.122.6
route outside 192.168.0.0 255.255.255.0 217.33.122.6
crypto map TO-LA 20 match address LA
crypto map TO-LA 20 set peer ip 217.33.122.6
tunnel-group 217.33.122.6 type ipsec-l2l
I am mistaken on the 5510 interfaces. They do not have vlans, and the IP address is directly applied to the interfaces for outside and inside.
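An added example, not part of the original posts: a Python check that rebuilds the 5505's route table from the configuration described above and compares the interface named in each logging host command with the interface a longest-prefix route lookup selects for that host. It assumes the warning is raised on exactly that mismatch; the interface blocks and the "logging host inside" line are constructed from the poster's description, and all function names are hypothetical.

```python
import ipaddress

# Constructed sample: the 5505 as described in the posts above (fake IPs as
# posted). The interface blocks and the "logging host" line are written out
# here in ASA syntax from that description; they are not copied verbatim.
ASA_CONFIG = """\
interface Vlan1
 nameif outside
 ip address 217.33.122.2 255.255.255.252
interface Vlan2
 nameif Tunnel
 ip address 217.33.122.6 255.255.255.252
interface Vlan3
 nameif inside
 ip address 192.168.0.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 217.33.122.1
route Tunnel 192.168.22.0 255.255.255.0 65.29.211.198
logging host inside 192.168.22.99
"""


def to_network(addr, mask):
    """Build a network from an address and a dotted netmask."""
    prefix = bin(int(ipaddress.IPv4Address(mask))).count("1")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def parse_routing_view(config):
    """Return (routes, logging_hosts) from ASA-style configuration text.

    routes is a list of (network, interface_name, kind) built from connected
    interface addresses and static 'route' lines.
    """
    routes, log_hosts, nameif = [], [], None
    for raw in config.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "interface":
            nameif = None  # a new interface block starts
        elif tok[0] == "nameif" and len(tok) >= 2:
            nameif = tok[1]
        elif tok[:2] == ["ip", "address"] and nameif and len(tok) >= 4:
            try:
                routes.append((to_network(tok[2], tok[3]), nameif, "connected"))
            except ValueError:
                pass  # e.g. "ip address pppoe setroute": no static address
        elif tok[0] == "route" and len(tok) >= 5:
            routes.append((to_network(tok[2], tok[3]), tok[1], "static"))
        elif tok[:2] == ["logging", "host"] and len(tok) >= 4:
            log_hosts.append((tok[2], ipaddress.ip_address(tok[3])))
    return routes, log_hosts


def egress_route(routes, dest):
    """Longest-prefix match: the most specific route containing dest."""
    matches = [r for r in routes if dest in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def check_logging_hosts(config):
    """Compare each logging host's named interface with the routed one.

    Returns a list of (host, configured_interface, routed_interface, verdict).
    """
    routes, log_hosts = parse_routing_view(config)
    findings = []
    for ifname, host in log_hosts:
        best = egress_route(routes, host)
        if best is None:
            findings.append((str(host), ifname, None, "no-route"))
        elif best[1] != ifname:
            findings.append((str(host), ifname, best[1], "conflict"))
        else:
            findings.append((str(host), ifname, best[1], "ok"))
    return findings


if __name__ == "__main__":
    for host, configured, routed, verdict in check_logging_hosts(ASA_CONFIG):
        print(f"{host}: configured={configured} routed={routed} -> {verdict}")
```

With the logging host bound to Tunnel instead of inside, the same check reports no mismatch; the security-level warning the poster then sees is a separate condition that this check does not model.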

Similar Messages

  • Cisco ASA 5505 Failover issue..

    Hi,
    I have two firewalls (Cisco ASA 5505) configured in active/standby mode. They ran smoothly for more than a year, but last week the secondary firewall failed and it took my whole network down. I then removed the connectivity of the secondary firewall and ran only the primary one. When I logged in by console I found out that failover had been disabled. So I connected it to the network again and enabled the firewall. After a couple of days the same issue happened. This time I took down the secondary firewall and erased the flash, reloaded the IOS image, configured failover and connected it to the primary for replication of the configs. It found the active mate, replicated the configs and got synced... But after the sync the same thing happened: the whole network went down. I just did the same thing and removed the secondary firewall, and the network came up. I feel there is something wrong with failover, but couldn't find out what :( . And the firewalls are in router mode.

    Please find the logs...
    Secondary Firewall While Sync..
    cisco-asa(config)# sh failover 
    Failover On 
    Failover unit Secondary
    Failover LAN Interface: e0/7 Vlan3 (up)
    Unit Poll frequency 1 seconds, holdtime 15 seconds
    Interface Poll frequency 5 seconds, holdtime 25 seconds
    Interface Policy 1
    Monitored Interfaces 4 of 23 maximum
    Version: Ours 8.2(5), Mate 8.2(5)
    Last Failover at: 06:01:10 GMT Apr 29 2015
    This host: Secondary - Sync Config 
    Active time: 55 (sec)
    slot 0: ASA5505 hw/sw rev (1.0/8.2(5)) status (Up Sys)
     Interface outside (27.251.167.246): No Link (Waiting)
     Interface inside (10.11.0.20): No Link (Waiting)
     Interface mgmt (10.11.200.21): No Link (Waiting)
    slot 1: empty
    Other host: Primary - Active 
    Active time: 177303 (sec)
    slot 0: ASA5505 hw/sw rev (1.0/8.2(5)) status (Up Sys)
     Interface outside (27.251.167.247): Unknown (Waiting)
     Interface inside (10.11.0.21): Unknown (Waiting)
     Interface mgmt (10.11.200.22): Unknown (Waiting)
    slot 1: empty
    =======================================================================================
    Secondary Firewall just after Sync, Active (primary Firewall got rebooted)
    cisco-asa# sh failover 
    Failover On 
    Failover unit Secondary
    Failover LAN Interface: e0/7 Vlan3 (up)
    Unit Poll frequency 1 seconds, holdtime 15 seconds
    Interface Poll frequency 5 seconds, holdtime 25 seconds
    Interface Policy 1
    Monitored Interfaces 4 of 23 maximum
    Version: Ours 8.2(5), Mate Unknown
    Last Failover at: 06:06:12 GMT Apr 29 2015
    This host: Secondary - Active 
    Active time: 44 (sec)
    slot 0: ASA5505 hw/sw rev (1.0/8.2(5)) status (Up Sys)
     Interface outside (27.251.167.246): Normal (Waiting)
     Interface inside (10.11.0.20): No Link (Waiting)
     Interface mgmt (10.11.200.21): No Link (Waiting)
    slot 1: empty
    Other host: Primary - Not Detected 
    Active time: 0 (sec)
    slot 0: empty
     Interface outside (27.251.167.247): Unknown (Waiting)
     Interface inside (10.11.0.21): Unknown (Waiting)
     Interface mgmt (10.11.200.22): Unknown (Waiting)
    slot 1: empty
    ==========================================================================================
    After the Active firewall got rebooted: failover off, whole network went down.
    cisco-asa# sh failover 
    Failover Off 
    Failover unit Secondary
    Failover LAN Interface: e0/7 Vlan3 (up)
    Unit Poll frequency 1 seconds, holdtime 15 seconds
    Interface Poll frequency 5 seconds, holdtime 25 seconds
    Interface Policy 1
    Monitored Interfaces 4 of 23 maximum
    ===========================================================================================
    Primary Firewall after rebooting
    cisco-asa# sh failover
    Failover On
    Failover unit Primary
    Failover LAN Interface: e0/7 Vlan3 (Failed - No Switchover)
    Unit Poll frequency 1 seconds, holdtime 15 seconds
    Interface Poll frequency 5 seconds, holdtime 25 seconds
    Interface Policy 1
    Monitored Interfaces 4 of 23 maximum
    Version: Ours 8.2(5), Mate Unknown
    Last Failover at: 06:17:29 GMT Apr 29 2015
            This host: Primary - Active
                    Active time: 24707 (sec)
                    slot 0: ASA5505 hw/sw rev (1.0/8.2(5)) status (Up Sys)
                      Interface outside (27.251.167.246): Normal (Waiting)
                      Interface inside (10.11.0.20): Normal (Waiting)
                      Interface mgmt (10.11.200.21): Normal (Waiting)
                    slot 1: empty
            Other host: Secondary - Failed
                    Active time: 0 (sec)
                    slot 0: empty
                      Interface outside (27.251.167.247): Unknown (Waiting)
                      Interface inside (10.11.0.21): Unknown (Waiting)
                      Interface mgmt (10.11.200.22): Unknown (Waiting)
                    slot 1: empty
    cisco-asa# sh failover history
    ==========================================================================
    From State                 To State                   Reason
    ==========================================================================
    06:16:43 GMT Apr 29 2015
    Not Detected               Negotiation                No Error
    06:17:29 GMT Apr 29 2015
    Negotiation                Just Active                No Active unit found
    06:17:29 GMT Apr 29 2015
    Just Active                Active Drain               No Active unit found
    06:17:29 GMT Apr 29 2015
    Active Drain               Active Applying Config     No Active unit found
    06:17:29 GMT Apr 29 2015
    Active Applying Config     Active Config Applied      No Active unit found
    06:17:29 GMT Apr 29 2015
    Active Config Applied      Active                     No Active unit found
    ==========================================================================
    cisco-asa#
    cisco-asa# sh failover state
                   State          Last Failure Reason      Date/Time
    This host  -   Primary
                   Active         None
    Other host -   Secondary
                   Failed         Comm Failure             06:17:43 GMT Apr 29 2015
    ====Configuration State===
    ====Communication State===
    ==================================================================================
    Secondary Firewall
    cisc-asa# sh failover h
    ==========================================================================
    From State                 To State                   Reason
    ==========================================================================
    06:16:32 GMT Apr 29 2015
    Not Detected               Negotiation                No Error
    06:17:05 GMT Apr 29 2015
    Negotiation                Disabled                   Set by the config command
    ==========================================================================
    cisco-asa# sh failover
    Failover Off
    Failover unit Secondary
    Failover LAN Interface: e0/7 Vlan3 (down)
    Unit Poll frequency 1 seconds, holdtime 15 seconds
    Interface Poll frequency 5 seconds, holdtime 25 seconds
    Interface Policy 1
    Monitored Interfaces 4 of 23 maximum
    ecs-pune-fw-01# sh failover h
    ==========================================================================
    From State                 To State                   Reason
    ==========================================================================
    06:16:32 GMT Apr 29 2015
    Not Detected               Negotiation                No Error
    06:17:05 GMT Apr 29 2015
    Negotiation                Disabled                   Set by the config command
    ==========================================================================
    cisco-asa# sh failover state
                   State          Last Failure Reason      Date/Time
    This host  -   Secondary
                   Disabled       None
    Other host -   Primary
                   Not Detected   None
    ====Configuration State===
    ====Communication State===
    Thanks...

  • ASA 5505 VPN can't access inside host

    I have set up remote VPN access on an ASA 5505 but cannot access the host or ASA when I log in using the VPN. I can connect with the Cisco VPN client and the VPN light is on on the ASA and it shows that I'm connected. I have the correct IP address but I cannot ping or connect to any of the internal addresses. I cannot find what I'm missing. I have the VPN bypassing the interface ACLs. Since I can log in but not go anywhere I feel certain I missed something.
    part of config below
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.1.1.1 255.255.255.0
    ip local pool xxxx 10.1.1.50-10.1.1.55 mask 255.255.255.0
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set pfs
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 40 set pfs
    crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
    crypto dynamic-map inside_dyn_map 20 set pfs
    crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
    crypto map inside_map interface inside
    crypto isakmp enable inside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    service-policy global_policy global
    group-policy xxxxxxx internal
    group-policy xxxxxxx attributes
    banner value xxxxx Disaster Recovery Site
    wins-server none
    dns-server value 24.xxx.xxx.xx
    vpn-access-hours none
    vpn-simultaneous-logins 3
    vpn-idle-timeout 30
    vpn-session-timeout none
    vpn-filter none
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelall
    default-domain none
    secure-unit-authentication disable
    user-authentication disable
    user-authentication-idle-timeout none
    ip-phone-bypass disable
    leap-bypass disable
    nem disable
    nac disable
    nac-sq-period 300
    nac-reval-period 36000
    nac-default-acl none
    address-pools value xxxxxx
    smartcard-removal-disconnect enable
    client-firewall none
    webvpn
    functions url-entry
    vpn-nac-exempt none
    no vpn-addr-assign aaa
    no vpn-addr-assign dhcp
    tunnel-group xxxx type ipsec-ra
    tunnel-group xxxx general-attributes
    address-pool xxxx
    default-group-policy xxxx
    tunnel-group blountdr ipsec-attributes
    pre-shared-key *

    I get the banner and IP address info...
    This is what the client log provides...
    1 13:45:32.942 05/30/08 Sev=Warning/2 CVPND/0xE3400013
    AddRoute failed to add a route: code 87
    Destination 172.20.255.255
    Netmask 255.255.255.255
    Gateway 10.1.2.1
    Interface 10.1.2.5
    2 13:45:32.942 05/30/08 Sev=Warning/2 CM/0xA3100024
    Unable to add route. Network: ac14ffff, Netmask: ffffffff, Interface: a010205, Gateway: a010201.

  • ASA 5505 VPN Issue

    We have a Cisco 515 as a headend firewall with ~30 VPN connections to remote sites. The existing remote sites are using Cisco 506 firewalls and work fine. I am trying to set up an ASA 5505 as a remote firewall as a future replacement for the PIX 506's. I am able to get the site-to-site tunnels up just fine. The issue is that once the tunnels are up I am not able to ping the inside interface of the remote ASA from the headend LAN. I am able to telnet to the ASA and run the ASDM but no ping. I am also not able to ping from the ASA to the headend LAN but I can ping from a device on the remote ASA LAN to the headend LAN. I have rebuilt the configs manually and with the ASDM with the same results. The remote IPsec rules protect the outside interface to headend LAN just like I do on the 506's. It is almost like the ASA will not build a tunnel from the outside interface to the remote LAN. Can anyone tell me what I am missing or what is different about the ASA over the PIX? Any help appreciated.

    Thanks for your reply. This is already set along with the following.
    icmp permit any inside
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    When looking at the logs it looks like it builds an inbound connection and tears it down. On the PIX's it builds the inbound and outbound connection and then tears them down.
    When I do an inspect on the ping packets from the remote LAN I get an interesting result.
    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: NP Identity Ifc
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (ipsec-spoof) IPSEC Spoof detected

  • Cisco ASA 5505 performance issues on downloads - data into the ASA from the Internet

    I am having serious issues with performance on my ASA 5505s that I am testing with 9.2.3 code.
    I stripped the config and removed as much stuff as I could - no VPN etc. and I am ONLY getting about 30-40Mbps downloads from sites but 95Mbps uploads???? Anyone else seeing these problems? If I remove the firewall my PC can hit 300/300Mbps to the same sites using the same switch and cable.
    I installed 1Gb of mem on the ASA 5505 but it made no difference. The ASA has a UL IP Security license but I am only using an inside and outside address for these tests, no other ports configured.
    Is anyone else seeing this performance problem with the 9.2.3 code?  I went to this from 8.2.5 to try to resolve QOS failure bugs that I found in the 8.2.5 code. I did not expect to have a performance hit though and it is only on downloads TO the ASA from the Internet from all speed test sites that I try. Uploading speeds seem fine. No access-lists on my interfaces either...barebones config.
    My FIOS and switch interfaces are fine...no errors on any interfaces and the same switch interface hits 300/300Mbps when my laptop is directly attached. 
    Anyone have a barebones config on their ASA 5505 that flies...I will try it on mine and see if some command somewhere (hidden) is causing the issue. I even cleared the config and started with a clean slate just in case I was missing some command from the older configs that may have impacted performance.

    After changing the switch with a high end switch my performance increased but I am still not happy with the throughput out of my ASA. I have about 50+ ASAs 5505s and a dozen 5510s. Most remote sites have 5505s. All my sites right now have 8.2.5-51 and I wanted to put 9.2.3 out there to solve issues I have uncovered on the 8.2.5 code with regards to QOS issues.
    I get much better results using the Cisco 3750X attached to the FIOS (right around 300/300 with my laptop directly attached to the 3750X bypassing the ASA - my FIOS circuit rating is also 300/300). Going through the ASA to the same test site I get download speeds of 35 to 75. Changes randomly which really bothers me. My upload speeds are ALWAYS faster than my download speeds. Example - best download I would ever get is 75Mb and my upload would usually hit 95Mb during the same test period.
    I may have to live with it but the inconsistency is what really bothers me.
    Here is the config I am currently using. Nothing going on during testing since only a single PC is attached. VPN tunnel to the main site can be up or down...doesn't seem to make any difference. PC goes to site directly from outside interface of ASA...split tunneling. Even when I removed tunnels and tested with just the ASA as a firewall to the Internet I was still seeing the same inconsistencies.
    Anything obviously missing - new command or anything? Xlates causing issues?

  • Cisco asa 5505 vpn issue

    I have a Cisco ASA 5505 that I am setting up VPN access to. I have multiple subnets all routed through a layer 3 switch connected to my ASA. My problem is I can ping everything on VLAN1 (192.168.100.0/24) but no other VLANs (10.141.152.0/23 etc.)

    Post the config of your ASA and someone will be able to assist.

  • [logging] Problems to configure logging rotation.

    Hi,
    I have an application .ear deployed in weblogic v10.3.1.0
    This application use java.util.logging to write a log file.
          fh = new FileHandler(logFileName,0,1,true);
          fh.setFormatter(new XMLFormatter());
          logger.addHandler(fh);
    FileHandler(String pattern, int limit, int count, boolean append)
    pattern - the pattern for naming the output file
    limit - the maximum number of bytes to write to any one file. If this is zero, then there is no limit. (Defaults to no limit).
    count - the number of files to use
    append - specifies append mode
    http://www.javadocexamples.com/java/util/logging/java.util.logging.FileHandler.html
    logFileName is dynamic with date formatted like this yyyMMdd + ApplicationName + ".log"
    This file is created but I have also yyyyMMddSEC.log.1, yyyyMMddSEC.log.2, yyyyMMddSEC.log.3,...
    I DON'T WANT THESE FILES, that's why I put limit to 0, count to 1 and append to true.
    This code works without jdev/weblogic but has no effect in weblogic.
    Q1. Why?
    So I go to Weblogic console: Domain Structure-> DefaultDomain->Logging
    Log file name: logs/DefaultDomain.log
    Rotation type: None
    NONE
    Messages accumulate in a single file.
    You must erase the contents of the file when the size is too large.
    Note that WebLogic Server sets a threshold size limit of 500 MB before it forces a hard rotation to prevent excessive log file growth.
    But it doesn't work, Weblogic continues to create log files like this *<filename>.log.<n>*
    Q2. Why?
    I have also created weblogic.xml in ViewControler/WEB-INF
    thanks to this documentation:
    http://download.oracle.com/docs/cd/E13222_01/wls/docs103/webapp/weblogic_xml.html#wp1063199
    but it doesn't work...again.
    Q3. Why?
    Q4. If I want applications to manage their logs themselves, how do I deactivate the logging handler in weblogic (LogFileMBean?)
    Thanks for your help.

    You may want to ask in the WebLogic Server - Diagnostics / WLDF / SNMP forum. They own logging.

  • ASA 5505 initial build - Failed to locate egress interface (Please help :-) )

    Hi, I have just purchased an ASA 5505 and have completed the initial setup via the wizard. I am currently unable to access services on the outside of the ASA.
    The error: 'Failed to locate egress interface for UDP from inside'.... appears whenever my DNS server attempts a lookup.
    I have configured this several times from scratch using the wizard and I am unable to figure out the issue with the NAT / Routing config.
    If I run the packet tracer I get the error: "(no-route) no route to host", however I do have a default route configured so I suspect it may be my NAT configuration.
    Overview, 192.168.10.0/24 inside the ASA, 192.168.1.0/24 outside the ASA, 192.168.1.1 is the gateway to the internet.  I ideally want the ASA to use PAT to mask the 192.168.10.0/24 network behind the ASAs 192.168.1.0/24 network address but still allow clients to gain internet access. 
    Full config follows, screen shots attached, any help would be very gratefully received. 
    Result of the command: "sh run"
    : Saved
    ASA Version 9.0(1)
    hostname firewall
    enable password (REMOVED) encrypted
    passwd (REMOVED) encrypted
    names
    interface Ethernet0/0
     switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.10.1 255.255.255.0
    interface Vlan2
     nameif outside
     security-level 0
     ip address 192.168.1.254 255.255.255.0
    interface Vlan5
     no nameif
     security-level 50
     ip address dhcp
    ftp mode passive
    object network obj_any
     subnet 0.0.0.0 0.0.0.0
    object network Server1
     host 192.168.10.10
    object network GoogleDNS1
     host 8.8.8.8
     description Google DNS Server
    object network GoogleDNS2
     host 8.8.4.4
     description Google DNS Server
    object network 192.168.10.x
     subnet 192.168.10.0 255.255.255.0
    object network InternetRouter
     host 192.168.1.1
    object-group network DM_INLINE_NETWORK_1
     network-object object GoogleDNS1
     network-object object GoogleDNS2
    object-group service DM_INLINE_TCP_1 tcp
     port-object eq www
     port-object eq https
    access-list inside_access_in remark External DNS Lookups
    access-list inside_access_in extended permit udp object Server1 object-group DM_INLINE_NETWORK_1 eq domain
    access-list inside_access_in extended permit tcp 192.168.10.0 255.255.255.0 any object-group DM_INLINE_TCP_1
    access-list inside_access_in extended deny ip any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source dynamic any interface
    object network obj_any
     nat (inside,outside) dynamic interface
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 255.255.255.255 192.168.1.1 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 192.168.10.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpool policy
    telnet timeout 5
    ssh timeout 5
    ssh version 2
    console timeout 0
    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:(REMOVED)
    : end

    Just to be sure, can you post output from show int ip brie and show route? And try to remove your ACL for testing purposes or at least don't apply it anywhere yet.
    Once done, try another packet-tracer to 8.8.8.8 using an icmp packet instead of UDP and paste the whole output here. Before doing this, add the icmp any any outside command on the ASA.
    I know this should have anything to do with your issue, because if ACL is the issue then you will see output being denied by ACL on the packet tracer output. Let us know the results.

  • PI 7.0 - SMICM - Host Name - Conflict with other places

    Hi Friends,
    We have host name conflict in SMICM and in other places.
    For example, in SMICM it shows the host name 'A' for HTTP protocol and it is green, whereas in other places like in RZ10 (Profiles in ABAP), Exchange Profiles (Connection Parameters, Host name), in SLD and in Visual Admin the host name is mentioned as 'B'.
    At present, the messages are failing in SXMB_MONI with the error "CLIENT_RECEIVE_FAILED 402 ICM_HTTP_TIMEOUT  ".
    When we checked the parameter "icm/host_name_full" in RZ11, it shows an empty value.
    This problem comes in our quality PI system, ABAP stack.
    Could you kindly clarify in SMICM for the HTTP service from where the host name is taken and displays here?
    Kind regards,
    Jegathees P.

    Connect to the operating system. Check this file (replace xxx with your SID and, if applicable, 00 with the correct instance):
    C:\usr\sap\xxx\SYS\profile\xxx_DVEBMGS00_ILBNKxxx
    Find this line:
    icm/host_name_full = hostname.company.corp
    Is this maybe empty / incorrect / incomplete?
    After changing this the server needs to be restarted.
    Sometimes we had strange behaviors after host name changes, which went away after going to sicf -> execute -> right-click on default host -> deactivate -> right-click again -> activate -> in the pop-up click the second activate button, which is for activating the system and all dependent entries.

  • ASA 5505 Speed Issue - Help Requested if possible

    Hi All,
    I am wondering if anybody here can shed some light on any potential configuration issues with the configuration below (Sanitized). Current State:
    1.     Site to Site VPN is up and running perfectly.
    2.     Client to Site VPNs work through L2TP/IPSEC and through mobile devices such as iPhone.
    3.     The outside interface is at line speed - approximately 5-6MBits per second.
    4.     When performing a download of a service pack from microsoft - Bit rate on the inside interface is approximately 1/3rd of the outside interface (A lot of loss). Interface shows no CRC errors and no input errors.
    5.     The outside interface shows CRC errors and INPUT errors but due to the line speed being optimal (as the client experienced via their WAN router direct (with the ASA out of the mix)), have not looked into this further. I suspect the device it is directly attached to does not auto negotiate correctly even though the interface is set to 100Mb Full Duplex.
    6.     Outside interface MTU is set to 1492, purposely set this way due to PPPOE overhead (Please correct me if I am wrong). (Approx 8 bytes)
    7.     Inside Interface MTU is set to 1500, no drops or loss detected on that interface so have left it as is.
    8.     All inspection has been disabled on the ASA as I thought that scans on the traffic could have impaired performance.
    Current Environment Traffic Flow:   
    1.     All hosts on the network have their DNS pointed to external IP addresses currently as the DNS server is out of the mix. This usually points to DNS servers in the US. If the hosts use this, the DNS queries are performed over the site-to-site VPN but the internet traffic is routed around the VPN as the traffic is a separate established session. Split tunneling is enabled on the ASA to only trust the internal hosts from accessing the US hosts. Everything else uses the default route.
    2.     The version of software on this ASA is 8.2(1). I have checked and there does not seem to be any underlying issues that would cause this type of behaviour.
    3.     Memory is stable at roughly 190Mb out of 512Mb
    4.     CPU is constant at approximately 12%.
    5.     WAN and INSIDE switch are Fast Ethernet and the ASA interfaces are all Ethernet - Potential compatibility issue between standards? I'm aware they should be compatible - anybody that has experienced any issues regarding this would be greatly appreciated.
    Current Issues:
    1.     Speed on the inside interface is approximately 1/3rd of the WAN/Outside interface - download speeds are sitting at approximately 250 - 300kb (should be sitting at approximately 700-800kb).
    2.     Noticed that when the DC is pointed to the USA Root Domain Controller (Across the tunnel) latency is approximately 400ms average. (Performed using host name).
    3.     I ping the IP address of the exact same server and the latency is still 400ms.
    4.     Changing the DCs DNS address to 8.8.8.8, I perform the same ping to the same servers. Still 400ms.
    5.     I ping google.co.nz and I still get 400ms (You would expect it to route out the default gateway but session is still active for that IP on the ASA).
    6.     I ping 74.x.x.x (The IP from the resolution from step 5) and I get the same result.
    7.     I flush dns, same issue for 5/6.
    8.     I clear xlate on the ASA and the same issue persists.
    9.     I close command line, reopen it, and perform the test again - latency is now back to 40 - 50ms as we would expect for non-vpn traffic.
    I am currently out of ideas and would like some advice on what I have actually missed.
    Things I suspect that I may need to do:
    1.     Upgrade IOS to latest version (Other than that - I'm out of ideas).
    ASA Version 8.2(1)
    hostname BLAH
    enable password x.x.x.x encrypted
    passwd x.x.x.x encrypted
    names
    name x.x.x.x BLAHPC
    name 8.8.8.8 Google-DNS description Google-DNS
    name 202.27.184.3 Telecom-Alien-Pri description Telecom-Alien-Pri
    name 202.27.184.5 Telecom-Terminator-Sec description Telecom-Terminator-Sec
    name 203.96.152.4 TelstraClearPri description TCL-PRI
    name 203.96.152.12 TelstraClearSec description TCL-Sec
    name x.x.x.x BLAH_Network description BLAH-Internal
    name x.x.x.x DC description DC VPN Access
    name x.x.x.x Management-Home description Allow RDP Access from home
    name x.x.x.x SentDC description BLAHDC
    name x.x.x.x Outside-Intf
    dns-guard
    interface Vlan1
    nameif inside
    security-level 100
    ip address x.x.x.x 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    pppoe client vpdn group pppoex
    ip address pppoe setroute
    interface Ethernet0/0
    switchport access vlan 2
    speed 100
    duplex full
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    banner exec [BLAH MANAGED DEVICE] - IF YOU ARE UNAUTHORIZED TO USE THIS DEVICE, LEAVE NOW!!!
    banner login If you are Unauthorized to use this device, leave now. Prosecution will follow if you are found to access this device without being Authorized.
    banner asdm [BLAH MANAGED DEVICE] - IF YOU ARE UNAUTHORIZED TO USE THIS DEVICE, LEAVE NOW!!!
    ftp mode passive
    clock timezone WFT 12
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
    name-server Google-DNS
    name-server Telecom-Alien-Pri
    name-server Telecom-Terminator-Sec
    name-server TelstraClearPri
    name-server TelstraClearSec
    object-group service RDP tcp
    description RDP
    port-object eq 3389
    object-group network BLAH-US
    network-object x.x.x.x 255.255.255.0
    network-object x.x.x.x 255.255.255.0
    object-group network x.x.x.x
    network-object x.x.x.x 255.255.255.0
    network-object  x.x.x.x 255.255.255.0
    network-object x.x.x.x 255.255.255.0
    network-object x.x.x.x 255.255.255.0
    network-object x.x.x.x 255.255.255.0
    network-object x.x.x.x 255.255.255.0
    network-object x.x.x.x 255.255.255.0
    network-object x.x.x.x 255.255.255.0
    network-object x.x.x.x 255.255.255.0
    network-object x.x.x.x 255.255.255.0
    network-object x.x.x.x 255.255.255.0
    network-object x.x.x.x 255.255.255.0
    network-object x.x.x.x 255.255.255.0
    network-object x.x.x.x 255.255.255.0
    network-object x.x.x.x 255.255.255.0
    network-object x.x.x.x 255.255.255.0
    object-group service Management_Access_Secure
    description Management Access - SECURE
    service-object tcp eq https
    service-object tcp eq ssh
    service-object tcp eq 4434
    object-group service FileTransfer tcp
    description Allow File Transfer
    port-object eq ftp
    port-object eq ssh
    object-group service WebAccess tcp
    description Allow Web Access
    port-object eq www
    port-object eq https
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group service AD_Access udp
    description Allow Active Directory AD ports - UDP Only
    port-object eq 389
    port-object eq 445
    port-object eq netbios-ns
    port-object eq 636
    port-object eq netbios-dgm
    port-object eq domain
    port-object eq kerberos
    object-group network DM_INLINE_NETWORK_2
    group-object x.x.x.x
    group-object x.x.x.x
    object-group network DM_INLINE_NETWORK_3
    group-object x.x.x.x
    group-object x.x.x.x
    object-group network BLAH_DNS
    description External DNS Servers
    network-object host Telecom-Alien-Pri
    network-object host Telecom-Terminator-Sec
    network-object host TelstraClearSec
    network-object host TelstraClearPri
    network-object host Google-DNS
    object-group service AD_Access_TCP tcp
    description Active Directory TCP protocols
    port-object eq 445
    port-object eq ldap
    port-object eq ldaps
    port-object eq netbios-ssn
    port-object eq domain
    port-object eq kerberos
    port-object eq 88
    object-group network DM_INLINE_NETWORK_4
    network-object x.x.x.x 255.255.255.0
    network-object x.x.x.x 255.255.255.0
    object-group network DM_INLINE_NETWORK_5
    network-object x.x.x.x 255.255.255.0
    network-object x.x.x.x 255.255.255.0
    object-group network DM_INLINE_NETWORK_6
    group-object x.x.x.x
    group-object x.x.x.x
    object-group network DM_INLINE_NETWORK_1
    group-object x.x.x.x
    group-object x.x.x.x
    access-list inside_access_in remark Allow Internal ICMP from BLAH
    access-list inside_access_in extended permit icmp Sentinel_Network 255.255.255.0 object-group DM_INLINE_NETWORK_2
    access-list inside_access_in remark Allow Internal ICMP to BLAH
    access-list inside_access_in extended permit icmp object-group DM_INLINE_NETWORK_3 BLAH 255.255.255.0
    access-list inside_access_in remark External DNS
    access-list inside_access_in extended permit object-group TCPUDP BLAH 255.255.255.0 object-group BLAH_DNS eq domain
    access-list inside_access_in remark Allows Web Access
    access-list inside_access_in extended permit tcp BLAH 255.255.255.0 any object-group WebAccess
    access-list inside_access_in remark Allow Remote Desktop Connections to the Internet
    access-list inside_access_in extended permit tcp BLAH 255.255.255.0 any object-group RDP
    access-list inside_access_in remark Allow File Transfer Internet
    access-list inside_access_in extended permit tcp BLAH 255.255.255.0 any object-group FileTransfer
    access-list inside_access_in remark ldap, 445, 137, 636, dns, kerberos
    access-list inside_access_in extended permit udp BLAH 255.255.255.0 object-group DM_INLINE_NETWORK_4 object-group AD_Access
    access-list inside_access_in remark ldap, 445, 137, 636, dns, kerberos
    access-list inside_access_in extended permit tcp BLAH 255.255.255.0 object-group DM_INLINE_NETWORK_5 object-group AD_Access_TCP
    access-list inside_access_in extended permit ip any any
    access-list outside_cryptomap_65535.1 extended permit ip BLAH 255.255.255.0 object-group DM_INLINE_NETWORK_6
    access-list nonat extended permit ip BLAH 255.255.255.0 object-group BLAH-US
    access-list nonat extended permit ip BLAH 255.255.255.0 object-group BLAH-USA
    access-list nonat extended permit ip BLAH 255.255.255.0 x.x.x.x 255.255.255.0
    access-list tekvpn extended permit ip BLAH 255.255.255.0 object-group BLAH-US
    access-list tekvpn extended permit ip BLAH 255.255.255.0 object-group BLAH-USA
    access-list tekvpn extended permit ip BLAH 255.255.255.0 x.x.x.x 255.255.255.0
    access-list inbound extended permit icmp any any
    access-list inside_nat0_outbound extended permit ip BLAH 255.255.255.0 10.1.118.192 255.255.255.224
    access-list inside_nat0_outbound extended permit ip BLAH 255.255.255.0 object-group DM_INLINE_NETWORK_1
    access-list outside_1_cryptomap extended permit ip BLAH 255.255.255.0 object-group DM_INLINE_NETWORK_1
    access-list outside_access_in extended permit icmp any any
    pager lines 24
    logging enable
    logging monitor informational
    logging buffered notifications
    logging trap informational
    logging asdm informational
    logging class auth monitor informational trap informational asdm informational
    mtu inside 1500
    mtu outside 1492
    ip local pool ipsec_pool x.x.x.x-x.x.x.x mask 255.255.255.0
    ip local pool Remote-Access-DHCP x.x.x.x-x.x.x.x mask 255.255.255.0
    ip verify reverse-path interface outside
    icmp unreachable rate-limit 1 burst-size 1
    asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 BLAH 255.255.255.0
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    nac-policy DfltGrpPolicy-nac-framework-create nac-framework
    reval-period 36000
    sq-period 300
    aaa authentication http console LOCAL
    aaa authentication serial console LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication enable console LOCAL
    aaa authorization command LOCAL
    aaa authorization exec authentication-server
    http server enable RANDOM PORT
    http 0.0.0.0 0.0.0.0 outside
    http x.x.x.x x.x.x.x inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    sysopt connection tcpmss 1428
    sysopt connection tcpmss minimum 48
    auth-prompt prompt You are now authenticated. All actions are monitored! if you are Unauthorized, Leave now!!!
    auth-prompt accept Accepted
    auth-prompt reject Denied
    service resetoutside
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
    crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map outside_dyn_map 1 set transform-set TRANS_ESP_3DES_SHA TRANS_ESP_3DES_MD5
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer x.x.x.x
    crypto map outside_map 1 set transform-set ESP-3DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 1
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 2
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    client-update enable
    telnet timeout 5
    ssh x.x.x.x 255.255.255.0 inside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 5
    ssh version 2
    console timeout 0
    management-access inside
    vpdn group pppoex request dialout pppoe
    vpdn group pppoex localname **************
    vpdn group pppoex ppp authentication pap
    vpdn username ************** password PPPOE PASSPHRASE HERE
    dhcpd auto_config outside
    dhcpd address x.x.x.x/x inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ntp server x.x.x.x source outside prefer
    tftp-server outside x.x.x.x /HOSTNAME
    webvpn
    group-policy DfltGrpPolicy attributes
    banner value Testing ONE TWO THREE
    vpn-idle-timeout 300
    vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
    ipsec-udp enable
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value outside_cryptomap_65535.1
    user-authentication enable
    nem enable
    address-pools value Remote-Access-DHCP
    webvpn
      svc keepalive none
      svc dpd-interval client none
    USER CREDENTIALS HERE
    vpn-tunnel-protocol l2tp-ipsec
    tunnel-group DefaultL2LGroup ipsec-attributes
    pre-shared-key SITETOSITE PSK
    peer-id-validate nocheck
    tunnel-group DefaultRAGroup general-attributes
    authorization-server-group LOCAL
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key CLIENTTOSITE PSK
    peer-id-validate nocheck
    isakmp keepalive disable
    tunnel-group DefaultRAGroup ppp-attributes
    authentication pap
    no authentication chap
    no authentication ms-chap-v1
    authentication ms-chap-v2
    authentication eap-proxy
    tunnel-group x.x.x.x type ipsec-l2l
    tunnel-group x.x.x.x ipsec-attributes
    pre-shared-key *
    tunnel-group-map default-group DefaultL2LGroup
    class-map inspect_default
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    privilege cmd level 3 mode exec command perfmon
    privilege cmd level 3 mode exec command ping
    privilege cmd level 3 mode exec command who
    privilege cmd level 3 mode exec command logging
    privilege cmd level 3 mode exec command failover
    privilege show level 5 mode exec command import
    privilege show level 5 mode exec command running-config
    privilege show level 3 mode exec command reload
    privilege show level 3 mode exec command mode
    privilege show level 3 mode exec command firewall
    privilege show level 3 mode exec command asp
    privilege show level 3 mode exec command cpu
    privilege show level 3 mode exec command interface
    privilege show level 3 mode exec command clock
    privilege show level 3 mode exec command dns-hosts
    privilege show level 3 mode exec command access-list
    privilege show level 3 mode exec command logging
    privilege show level 3 mode exec command vlan
    privilege show level 3 mode exec command ip
    privilege show level 3 mode exec command ipv6
    privilege show level 3 mode exec command failover
    privilege show level 3 mode exec command asdm
    privilege show level 3 mode exec command arp
    privilege show level 3 mode exec command route
    privilege show level 3 mode exec command ospf
    privilege show level 3 mode exec command aaa-server
    privilege show level 3 mode exec command aaa
    privilege show level 3 mode exec command eigrp
    privilege show level 3 mode exec command crypto
    privilege show level 3 mode exec command vpn-sessiondb
    privilege show level 3 mode exec command ssh
    privilege show level 3 mode exec command dhcpd
    privilege show level 3 mode exec command vpnclient
    privilege show level 3 mode exec command vpn
    privilege show level 3 mode exec command blocks
    privilege show level 3 mode exec command wccp
    privilege show level 3 mode exec command dynamic-filter
    privilege show level 3 mode exec command webvpn
    privilege show level 3 mode exec command module
    privilege show level 3 mode exec command uauth
    privilege show level 3 mode exec command compression
    privilege show level 3 mode configure command interface
    privilege show level 3 mode configure command clock
    privilege show level 3 mode configure command access-list
    privilege show level 3 mode configure command logging
    privilege show level 3 mode configure command ip
    privilege show level 3 mode configure command failover
    privilege show level 5 mode configure command asdm
    privilege show level 3 mode configure command arp
    privilege show level 3 mode configure command route
    privilege show level 3 mode configure command aaa-server
    privilege show level 3 mode configure command aaa
    privilege show level 3 mode configure command crypto
    privilege show level 3 mode configure command ssh
    privilege show level 3 mode configure command dhcpd
    privilege show level 5 mode configure command privilege
    privilege clear level 3 mode exec command dns-hosts
    privilege clear level 3 mode exec command logging
    privilege clear level 3 mode exec command arp
    privilege clear level 3 mode exec command aaa-server
    privilege clear level 3 mode exec command crypto
    privilege clear level 3 mode exec command dynamic-filter
    privilege cmd level 3 mode configure command failover
    privilege clear level 3 mode configure command logging
    privilege clear level 3 mode configure command arp
    privilege clear level 3 mode configure command crypto
    privilege clear level 3 mode configure command aaa-server
    prompt hostname context
    Cryptochecksum:894474af5fe446eeff5bd9e7f629fc4f
    : end

    Hi all, this post can be officially closed. The issue had nothing to do with the ASA but required a firmware upgrade on the WAN router which boosted the throughput on the external interface on the ASA to 10Mbps and the inside throughput naturally corrected itself to what was expected.
    Thanks to everybody who looked at this issue.
    Andrew

  • ASA 5505 VPN can't access inside hosts

    I have configured VPN on the 5505 using ASDM and I'm able to connect to the 5505 and the client is also getting an IP-address from the configured pool.
    The Cisco VPN client shows an error in the log: AddRoute failed to add a route: code 87
    Cisco

    No I can't ping anything.
    And here is the route -print after connection
    ===========================================================================
    Interface List
    0x1 ........................... MS TCP Loopback interface
    0x10003 ...00 0c 29 48 d4 50 ...... VMware Accelerated AMD PCNet Adapter - Packet Scheduler Miniport
    0x10004 ...00 05 9a 3c 78 00 ...... Cisco Systems VPN Adapter - Packet Scheduler Miniport
    ===========================================================================
    ===========================================================================
    Active Routes:
    Network Destination Netmask Gateway Interface Metric
    0.0.0.0 0.0.0.0 192.168.222.101 192.168.222.100 1
    85.82.25.170 255.255.255.255 192.168.129.2 192.168.129.130 1
    127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
    192.168.129.0 255.255.255.0 192.168.129.130 192.168.129.130 10
    192.168.129.0 255.255.255.0 192.168.222.101 192.168.222.100 10
    192.168.129.130 255.255.255.255 127.0.0.1 127.0.0.1 10
    192.168.129.254 255.255.255.255 192.168.129.130 192.168.129.130 1
    192.168.129.255 255.255.255.255 192.168.129.130 192.168.129.130 10
    192.168.222.100 255.255.255.255 127.0.0.1 127.0.0.1 10
    192.168.222.255 255.255.255.255 192.168.222.100 192.168.222.100 10
    224.0.0.0 240.0.0.0 192.168.129.130 192.168.129.130 10
    224.0.0.0 240.0.0.0 192.168.222.100 192.168.222.100 10
    255.255.255.255 255.255.255.255 192.168.129.130 192.168.129.130 1
    255.255.255.255 255.255.255.255 192.168.222.100 192.168.222.100 1
    Default Gateway: 192.168.222.101
    ===========================================================================
    Persistent Routes:
    None

  • Issues while configuring java application using JDO with MS JDBC Driver 1.0

    We are in the process of configuring our java application with the production version of SQL Server 2005 Java Database Connectivity (JDBC) Driver 1.0. We are facing issues getting it to work with Sun App Server using JDO concept.
    After creating the data store, adding the JDBC driver to the application server classpath through console and also copying the driver into the lib directory, we are still getting the below error.
    Following is the stack trace encountered while running the application
    [#|2006-02-15T10:21:25.493+0530|WARNING|sun-appserver-pe8.1_02|javax.enterprise.system.container.ejb.entity.finder|_ThreadID=30;|JDO74010: Bean 'InventoryEJB' method ejbFindAllInventoryItems: problems running JDOQL query.
    com.sun.jdo.api.persistence.support.JDOFatalInternalException: JDO76519: Failed to identify vendor type for the data store.
    NestedException: java.sql.SQLException: Error in allocating a connection. Cause: javax.transaction.SystemException
         at com.sun.jdo.spi.persistence.support.sqlstore.impl.SQLPersistenceManagerFactory.initializeSQLStoreManager(SQLPersistenceManagerFactory.java:870)
         at com.sun.jdo.spi.persistence.support.sqlstore.impl.SQLPersistenceManagerFactory.getFromPool(SQLPersistenceManagerFactory.java:786)
         at com.sun.jdo.spi.persistence.support.sqlstore.impl.SQLPersistenceManagerFactory.getPersistenceManager(SQLPersistenceManagerFactory.java:673)
         at com.sun.jdo.spi.persistence.support.sqlstore.impl.PersistenceManagerFactoryImpl.getPersistenceManager(PersistenceManagerFactoryImpl.java:849)
         at com.sun.jdo.spi.persistence.support.sqlstore.impl.PersistenceManagerFactoryImpl.getPersistenceManager(PersistenceManagerFactoryImpl.java:681)
         at com.sun.j2ee.blueprints.supplier.inventory.ejb.InventoryEJB1142755294_ConcreteImpl.jdoGetPersistenceManager(InventoryEJB1142755294_ConcreteImpl.java:530)
         at com.sun.j2ee.blueprints.supplier.inventory.ejb.InventoryEJB1142755294_ConcreteImpl.ejbFindAllInventoryItems(InventoryEJB1142755294_ConcreteImpl.java:146)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:585)
         at com.sun.enterprise.security.SecurityUtil.invoke(SecurityUtil.java:147)
         at com.sun.ejb.containers.EJBLocalHomeInvocationHandler.invoke(EJBLocalHomeInvocationHandler.java:185)
         at $Proxy164.findAllInventoryItems(Unknown Source)
         at com.sun.j2ee.blueprints.supplier.inventory.web.DisplayInventoryBean.getInventory(Unknown Source)
         at org.apache.jsp.displayinventory_jsp._jspService(displayinventory_jsp.java:119)
         at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:105)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:860)
         at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:336)
         at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:301)
         at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:251)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:860)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:585)
         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:249)
         at java.security.AccessController.doPrivileged(Native Method)
         at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
         at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:282)
         at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:165)
         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:257)
         at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
         at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:161)
         at java.security.AccessController.doPrivileged(Native Method)
         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
         at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:723)
         at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:482)
         at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:417)
         at org.apache.catalina.core.ApplicationDispatcher.access$000(ApplicationDispatcher.java:80)
         at org.apache.catalina.core.ApplicationDispatcher$PrivilegedForward.run(ApplicationDispatcher.java:95)
         at java.security.AccessController.doPrivileged(Native Method)
         at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:313)
         at com.sun.j2ee.blueprints.supplier.inventory.web.RcvrRequestProcessor.doPost(Unknown Source)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:767)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:860)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:585)
         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:249)
         at java.security.AccessController.doPrivileged(Native Method)
         at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
         at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:282)
         at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:165)
         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:257)
         at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
         at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:161)
         at java.security.AccessController.doPrivileged(Native Method)
         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:263)
         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:551)
         at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:225)
         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:173)
         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:551)
         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:161)
         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:551)
         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:132)
         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:551)
         at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:933)
         at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:185)
         at com.sun.enterprise.web.connector.grizzly.ProcessorTask.process(ProcessorTask.java:653)
         at com.sun.enterprise.web.connector.grizzly.ProcessorTask.process(ProcessorTask.java:534)
         at com.sun.enterprise.web.connector.grizzly.ProcessorTask.doTask(ProcessorTask.java:403)
         at com.sun.enterprise.web.connector.grizzly.WorkerThread.run(WorkerThread.java:55)
    Can anyone help me on this issue?
    Regards,
    Bindu

    I have already tried this before and this did not work either, but strangely, even if I use the JDBC:ODBC bridge driver, the return values for output parameters are not correct; that is, it only returns the value that I input but not the value after it is executed in the procedure....
    The code that I used with the JDBC:ODBC bridge is as follows:
    // requires: import java.sql.*;
    public static void main(String[] args) {
        String url = "jdbc:odbc:;DRIVER=SQL Server;Persist Security Info=False;database=db;Server=sql;uid=sa;pwd=pwd";
        Connection con;
        ResultSet rs = null;
        CallableStatement callS = null;
        try {
            // Load the JDBC:ODBC bridge driver
            Class.forName("sun.jdbc.odbc.JdbcOdbcDriver");
        } catch (java.lang.ClassNotFoundException e) {
            System.err.print("ClassNotFoundException: ");
            System.err.println(e.getMessage());
        }
        try {
            con = DriverManager.getConnection(url);
            callS = con.prepareCall("{ call dbo.CpJavaTest (?)}");
            callS.registerOutParameter(1, Types.INTEGER);
            callS.execute();
            rs = callS.getResultSet();
            // Output parameter is read here, before the result set is consumed
            int ret = callS.getInt(1);
            System.out.println("return value : " + ret);
            while (rs.next()) {
                String f1 = rs.getString(4);
                String f2 = rs.getString(5);
                System.out.println(f1 + " " + f2);
            }
        } catch (SQLException ex) {
            System.out.println("SQLException: " + ex.getMessage());
        }
    }
    The value of the output parameter is the same as what I inputted! Hope anyone can teach me how to correct it...
    Thank you very much!

  • New Asa 5505... Anyway to set up behind home router with no internal DNS?

    Since the home router is the DNS server, the Asa has no internal DNS which is probably the cause of no internet. Is there any way around this?

    Can you not simply use the ASA as the DHCP server and include the DNS server in your DHCP configuration ?
    Jon

  • Cisco ASA 5505 VPN Routing/Networking Question

    I have a very basic question about Cisco ASA 5505 IPsec Site to Site VPNs.  I want to install a Cisco ASA 5505 at a Data Center, in a LAN subnet that utilizes publicly routable IP addresses.  I would like to install a second Cisco ASA 5505 in a remote branch office as its peer. 
    Regardless of whether I use publicly routable IPs at the branch office in the "inside" network or non-routable IPs, how would the devices and servers at the Data Center know to route IP packets destined for the branch office back through the Cisco ASA instead of through the default gateway at the Data Center?  I can see accomplishing this if every single device at the Data Center is configured with routing table entries, but that isn't feasible.  It also isn't feasible to use the Cisco ASA 5505 as the default gateway for all of the devices at the Data Center, allowing it to decide where the traffic should go.
    What am I missing?  Is the solution to try to map branch office IPs to IP addresses within the Data Center's LAN subnet so that all of the traffic is on the same subnet?

    You can do it in several different ways.
    One way is to tell the server that if it has traffic to network x then it needs to go to the ASA; all other traffic is to head for the default gateway.
    In Windows this is done via the route command. Do not forget to make it "persistent", otherwise the route will disappear when you reboot the server.
    In Unix/Linux it is also the route command.
    Or you can tell your "default gateway" to route that network to the ASA.
    Good luck
    HTH
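
The host-route option from the reply above, modelled as an added example that is not part of the original posts: a server's routing table is evaluated by longest-prefix match, so one static route for the branch network via the ASA redirects only that traffic while everything else keeps using the default gateway. All addresses (data center LAN 203.0.113.0/24, default gateway .1, ASA .5, branch 192.168.50.0/24) are constructed placeholders.

```python
"""Added example: next-hop selection on a data center server once a static
route for the branch network points at the ASA. Addresses are constructed."""
import ipaddress
from dataclasses import dataclass

# Constructed sample values (assumptions, not taken from the thread)
SERVER_IF = "203.0.113.20/24"   # server's own address on the data center LAN
DEFAULT_GW = "203.0.113.1"      # existing default gateway
ASA_INSIDE = "203.0.113.5"      # ASA address on the same LAN
BRANCH_NET = "192.168.50.0/24"  # network behind the branch-office ASA


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    metric: int = 1


def make_route(cidr, gateway, metric=1):
    return Route(ipaddress.ip_network(cidr), ipaddress.ip_address(gateway), metric)


def next_hop(table, destination):
    """Longest-prefix match, ties broken by lowest metric. None if no route."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in table if dst in r.network]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))
    return best.gateway


def gateway_is_on_link(host_cidr, gateway):
    """A static route only works if its gateway is on the host's own subnet."""
    return ipaddress.ip_address(gateway) in ipaddress.ip_interface(host_cidr).network


def windows_command(route):
    # -p makes the route persistent so it survives a reboot
    return (f"route -p add {route.network.network_address} "
            f"mask {route.network.netmask} {route.gateway}")


def linux_command(route):
    # net-tools syntax; the route lasts until reboot unless also added
    # to the distribution's network configuration
    return (f"route add -net {route.network.network_address} "
            f"netmask {route.network.netmask} gw {route.gateway}")


def build_tables():
    """Routing table before and after adding the branch route via the ASA."""
    before = [make_route("0.0.0.0/0", DEFAULT_GW)]
    after = before + [make_route(BRANCH_NET, ASA_INSIDE)]
    return before, after


if __name__ == "__main__":
    before, after = build_tables()
    branch_route = after[-1]
    print("ASA reachable on-link:", gateway_is_on_link(SERVER_IF, ASA_INSIDE))
    for label, table in (("before", before), ("after", after)):
        print(label, "branch host ->", next_hop(table, "192.168.50.10"))
        print(label, "internet host ->", next_hop(table, "198.51.100.7"))
    print(windows_command(branch_route))
    print(linux_command(branch_route))
```

The same lookup applies if the route is placed on the default gateway instead of on each server: the gateway then forwards branch-bound packets to the ASA.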

  • Cisco ASA 5505 Configurations. Help... Beyond Frustrated

    Hello All,
    I'm fairly new to Cisco products and Network management in general. At my place of employment, I was hired as an IT Tech- Repair and Building computers, most aspects of Physical networking, and software refresh/upgrades as well as solving compatibility issues among a plethora of other things. I've configured APs, a couple Catalyst switches, a router or two, and that is about the breadth of my Cisco knowledge. I was kind of thrown into a project which is to update the current inventory of computers which all run Windows XP Professional. We are making a capital purchase of 20 Laptops and 40 Desktops all of which will run Windows 7. This means the outdated PIX they were using is now useless. I purchased a Cisco ASA 5505 (Version 8.2(1)) because it is compatible with Windows XP and Windows 7. I have spent several days and sleepless nights trying to figure out how to configure this thing. I was hoping to use SSL for the VPN. I did some basic configurations just to get started but like I said, I have no real experience with Adaptive Security Appliances and I am so frustrated right now. I tried using the Wizard to no avail. I did a write erase using CLI and tried to configure that way but I'm doing something wrong as far as I can tell. The configurations were mostly pulled from here, the Cisco Community, and a couple other web sites.
    I’m connecting the ASA 5505 to a cable modem (gateway 24.39.245.33) and to our Netvanta for VPN purposes. Here are the commands/what I have configured so far:
    hostname AMDASA
    domain-name asa.(mydomain).com
    enable password (encrypted)
    passwd (encrypted)
    interface Ethernet0/0
    description TWCoutside
    switchport access vlan 2
    no shutdown
    write mem
    exit
    interface Ethernet0/1
    description Port1inside
    switchport access vlan 1
    no shutdown
    write mem
    exit
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.0.250 255.255.255.0
    write mem
    exit
    interface Vlan2
    nameif outside
    security-level 0
    ip address 24.39.245.36 255.255.255.240
    write mem
    exit
    object-group icmp-type DefaultICMP
    description Default ICMP Types permitted
    icmp-object echo-reply
    icmp-object unreachable
    icmp-object time-exceeded
    write mem
    exit
    ftp mode passive
    write mem
    clock timezone EST -5
    clock summer-time EDT recurring
    write mem
    exit
    dns server-group DefaultDNS
    domain-name asa.adcmotors.com
    write mem
    exit
    access-list acl_outside extended permit icmp any any object-group DefaultICMP
    access-group acl_outside in interface outside
    access-list acl_inside extended permit icmp any any object-group DefaultICMP
    access-group acl_inside in interface inside
    write mem
    exit
    write mem
    That is the extent of the configurations I made via CLI. I don't know how to set the DNS lookup from a static port and I have no idea what else I'm supposed to do after the above configurations I have done. Is there a place to actually obtain ALL of the configurations needed to VPN in? Is there an easier way to make this thing work? I've seriously grown a patch of gray hair because of this device. Please help me if you can!!!!!!

    Hi, our desperate friend.
    First I would suggest using the Cisco VPN client instead of SSL VPN (AnyConnect). The configuration is a bit simpler, and for the SSL VPN you would need to install the client on the ASA and purchase an additional license if you plan to have more than 2 clients. The VPN Client usually comes with the ASA. If you don't have it or don't have access to download it from cisco.com, go to the person from whom you purchased your ASA and ask him how to get it.
    That said, I also think that your ASA lacks some basic configuration as of now. If you are planning to use this as a replacement for your current PIX, you would need to configure a default route and some basic NAT:
    route outside 0.0.0.0 0.0.0.0 24.39.245.33
    global (outside) 1 interface
    nat (inside) 1 192.168.0.0  255.255.255.0
    Now regarding the VPN Client configuration, you would need to do something like this:
    Create an isakmp policy:
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha    
    group 2
    lifetime 86400
    Create a couple of ACLs that we will use later:
    access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
    access-list split_tun standard permit 192.168.0.0 255.255.255.0
    Create a Pool for the VPN Clients to use:
    ip local pool TestPool 192.168.100.1-192.168.100.20 mask 255.255.255.0
    Create a Group Policy:
    group-policy TEST internal
    group-policy TEST attributes
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value split_tun
    Create a group:
    tunnel-group TEST type ipsec-ra
    tunnel-group TEST general-attributes
    address-pool TestPool
    authentication-server-group ABTVPN
    default-group-policy TEST
    tunnel-group TEST ipsec-attributes
    pre-shared-key cisco123
    Create crypto map and do a NAT 0:
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map Outside_dyn_map 10 set transform-set ESP-3DES-SHA
    crypto map Outside_map 10 ipsec-isakmp dynamic Outside_dyn_map
    crypto map Outside_map interface outside
    nat (inside) 0 access-l nonat
    Finally create a user that you will use to connect:
    username test password test123
    Then you would need to configure your VPN Client to connect with the ASA.
    Here is a config Example of VPN clients to the ASA. It uses an external server for the authentication but just skip those parts. For the initial config you might want to keep the authentication local.
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806de37e.shtml
    I hope this helps. Feel free to ask if you have any questions. Also, it would be very useful if you could upload the current config (show run) of the ASA in case you need to ask something else.
    Have fun.
    Raga
