ASA 5512-X Still no connection

I've appreciated those who have answered; I am not getting anywhere. I cannot get out to the internet from the ASA.
Thanks for your help; it didn't work or I've missed something w/ modifying the ASDM. Also, can I preface that we have it going this way w/ the network: (Modem; T1) ------ Firewall ------ Switch (unmanaged)
Just so you know, in case I missed something, below is our config after the changes. I did the NAT thru the object; was that incorrect?
Result of the command: "show running-config"
: Saved
ASA Version 9.1(2) 
hostname IOSASA
domain-name IOS.LOCAL
enable password LCF3phzihasrhsIb encrypted
names
interface GigabitEthernet0/0
 speed 100
 duplex full
 nameif Outside
 security-level 0
 ip address 69.61.160.* 255.255.255.248 
interface GigabitEthernet0/1
 speed 100
 duplex full
 nameif Inside
 security-level 100
 ip address 191.10.10.1 255.255.255.0 
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
ftp mode passive
dns server-group DefaultDNS
 domain-name IOS.LOCAL
same-security-traffic permit inter-interface
object network Inside
 subnet 191.10.10.0 255.255.255.0
 description Inside IOS
pager lines 24
logging asdm informational
mtu management 1500
mtu Inside 1500
mtu Outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
object network Inside
 nat (Inside,Outside) dynamic interface
route Outside 0.0.0.0 0.0.0.0 69.61.160.* 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.10.10.0 255.255.255.255 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:0fb5c0e32efb6aaaada09167008f5a47
: end

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         Outside
Phase: 2
Type: NAT
Subtype: 
Result: ALLOW
Config:
object network Inside
 nat (Inside,Outside) dynamic interface
Additional Information:
Dynamic translate 191.10.10.10/12345 to 69.61.160.154/12345
 Forward Flow based lookup yields rule:
 in  id=0x7fff9ffba430, priority=6, domain=nat, deny=false
hits=4, user_data=0x7fff9f7b5a70, cs_id=0x0, flags=0x0, protocol=0
src ip/id=191.10.10.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=Inside, output_ifc=Outside
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff9eba5150, priority=0, domain=nat-per-session, deny=false
hits=32540, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 4
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff9f9b42a0, priority=0, domain=inspect-ip-options, deny=true
hits=83, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=Inside, output_ifc=any
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7fff9eba5150, priority=0, domain=nat-per-session, deny=false
hits=32542, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 6
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7fff9f79c1f0, priority=0, domain=inspect-ip-options, deny=true
hits=21, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=Outside, output_ifc=any
Phase: 7
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 25539, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow

Similar Messages

  • Asa-5512-x no connectivity to internet

    I am going from a pix-515e to asa-5512-x.   I used the wizard for the initial setup.  I then set the interfaces the same, objects, nat rules, routes, ACLs the same as in the 515e (except for the outside interface ACL where you use the inside address now, rather than the outside...and you have a global deny rule for all interfaces) . 
    I take the cables from the inside / outside interface from the 515e, plug them into the 5512x and nada...
    Computers on the inside can't get out.   I see egress failures on the ASDM monitor from the inside to outside.  I don't see any traffic coming in on the outside interface to the inside as I do on the ASDM of the 515e.  
    ASA Version 9.1(5)  
    hostname ASA-5512-X
    domain-name mydomain.com
    interface GigabitEthernet0/0
     nameif outside
     security-level 0
     ip address 98.xxx.xxx.xxx 255.255.255.224  
    interface GigabitEthernet0/2
     nameif inside
     security-level 100
     ip address 10.0.1.242 255.255.252.0  
    interface Management0/0
     management-only
     nameif management
     security-level 100
     ip address 192.168.1.1 255.255.255.0  
    boot system disk0:/asa915-smp-k8.bin
    ftp mode passive
    clock timezone CST -6
    clock summer-time CDT recurring
    dns domain-lookup inside
    dns server-group DefaultDNS
     name-server 10.0.3.42
     domain-name mydomain.com
    same-security-traffic permit intra-interface
    access-list inside_access_in extended permit ip any any  
    access-list outside_access_in extended permit tcp any object webserver-inside object-group web-ports  
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-716.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source static webserver-inside webserver-outside unidirectional
    nat (inside,outside) after-auto source dynamic any interface
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 98.xxx.xxx.xxx 2  
    route inside 172.20.0.0 255.255.0.0 10.0.0.1 1  
    route inside 172.21.0.0 255.255.0.0 10.0.0.1 1  
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 10.0.0.0 255.255.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    telnet 10.0.0.0 255.255.0.0 inside
    telnet 192.168.1.0 255.255.255.0 management
    telnet timeout 5
    console timeout 0
    management-access inside
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map  
      inspect ftp  
      inspect h323 h225  
      inspect h323 ras  
      inspect rsh  
      inspect rtsp  
      inspect esmtp  
      inspect sqlnet  
      inspect skinny   
      inspect sunrpc  
      inspect xdmcp  
      inspect sip   
      inspect netbios  
      inspect tftp  
      inspect ip-options  
    service-policy global_policy global
    prompt hostname context  
    call-home reporting anonymous

    At a quick glance the config looks pretty clean (please do use ssh and not telnet though)
    Since you replaced one box with another, have you checked that your upstream (Outside) device is reachable from the ASA itself? (i.e., can you ping your default gateway at 98.xxx.xxx.xxx 2 )
    I've sometimes seen cases where we had to ask the ISP to clear their ARP cache when changing out firewalls.

  • How to Configure Cisco ASA 5512 for multiple public IP interfaces

    Hi
    I have a new ASA 5512 that I would like to configure for multiple public IP support.  My problem may be basic but I am an occasional router admin and don't touch this stuff enough to retain everything I have learned.
    Here is my concept.    We have a very basic network setup using three different ISPs that are currently running with cheap routers for internet access.  We use these networks to open up access for Sales to demo different products that use a lot of bandwidth (why we have three)
    I wanted to use the 5512 to consolidate the ISPs so we are using one router to manage the connections.  I have installed an add on license that allows multiple outside interfaces along with a number of other features.
    Outside Networks (I've changed the IPs for security purposes)
    Outside1 E 0/0 : 74.55.55.210  255.255.255.240 gateway 74.55.55.222
    Outside2 E 0/2: 50.241.134.220 255.255.248 gateway 50.241.134.222
    Inside1 : E 0/1 192.168.255.1 255.255.248.0
    Inside2 : E 0/3 172.16.255.1 255.255.248.0
    My goal is to have Inside 1 route all internet traffic using Outside1 and Inside 2 to use Outside2.    The problem is I can't seem to do this. I can get inside 1 to use outside 1 but Inside2 uses Outside 1 as well.
    I tried adding static routes on Outside2 to have all 172.16.248.0/21 traffic use gateway 50.241.134.222 but that doesn't seem to work.   
    I can post my config up as needed.  I am not well versed in Cisco CLI, I've been using the ASDM 7.1 app.  My ASA 5512 is at 9.1.   
    Thanks in advance for the suggestions/help

    I have been away for a while and am just getting caught up on some posts, so my apology for a delayed response.
    I find the response very puzzling. It begins by proclaiming that to achieve the objective we must use Policy Based Routing. But then in the suggested configuration there is no PBR. What it gives us is two OSPF processes using one process for each of the public address ranges and with some strange distribute list which uses a route map. I am not clear what exactly it is that this should accomplish and do not see how it contributes to having one group of users use one specific ISP and the other group of users use the other ISP.
    To the original poster
    It seems to me that you have chosen the wrong device to implement the edge function of your network. The ASA is a good firewall and it does some routing things. But fundamentally it is not a router. And to achieve what you want, where a group of users will use a specified ISP and the other group of users will use the other ISP, you really need a router. You want to control outbound traffic based on the source of the traffic, and that is a classic situation where PBR is the ideal solution. But the ASA does not do PBR.
    HTH
    Rick

  • Cisco ASA 5512 two interfaces

    I have a Cisco ASA 5512 working as a firewall.
    We configured one ASA interface connecting to a Cisco 1700 router with leased line internet service without any problem.
    Now we have an extra internet connection, ADSL 2MB, connected to another ASA interface.
    I configured the ASA like this:
    1-    Enable interface 2 on ASA and connect it to ADSL router (interface ip 192.168.1.100 from the same ADSL router {192.168.1.1}range ) 
    2-    Create Access rule say source (My computer ip) destination  ADSL network range action accept
    3-    Create Nat Rule say source interface inside source ip (my ip) destination interface ADSL ip 192.168.1.100 destination source router ip 192.168.1.1
    4-    Add static route say ADSL interface source ip my ip gateway ADSL router
    These are the steps I did, but it doesn't work.
    Thanks in advance

    FYI, for internet access I doubt this will work, because if you configure two default routes then the ASA won't distribute traffic across two interfaces; the first default route will be the one where the ASA will send traffic. However, from your description it is not very clear which IP address you are trying to ping and exactly how you have configured the rules.
    Either attach your config or paste the relevant config in post.

  • ASA 5512-X - VPN & local clients DHCP relaying (DHCP Proxy vs. DHCP Relay conflict)

    Hey all,
    I have ASA-5512-X serving as general firewall/router. It also serves as AnyConnect SSL VPN gateway (webvpn).
    It has ~10 VLANs connected over 1 trunk port. One of the VLANs has DHCP server that shall serve all the VLANs (192.168.16.2).
    I'm trying to have the ASA relay DHCP requests from all VLANs to the DHCP server and to also serve VPN clients.
    However, according to bug https://tools.cisco.com/bugsearch/bug/CSCsd22469 both DHCP Proxy (webvpn) and DHCP Relay (local interfaces) can't be enabled at the same time.
    As VPN clients connect to the same VLANs as local users (eg. VLAN 2 - 192.168.2.0/24) I want to have the very same DHCP server serving both, otherwise it's gonna become a mess.
    Note: if I configure DHCP Relay functionality and disable DHCP Proxy - local clients are served fine. If I configure DHCP Proxy (webvpn) and disable DHCP Relay VPN clients are served fine. I therefore consider setup to be correct, just the ASA limitation won't allow me to make it serve both.
    Can DHCP Relay also serve VPN clients (no DHCP Proxy enabled)? did I miss something?
    Thanks!

    Hi,
    The only workaround for this issue is to configure the ASA itself to act as DHCP server for vpn clients. You also have the flexibility of using local pool and AAA server. Why exactly do you want to use the same DHCP server for both?
    AM

  • ASA 5512-X DHCP Backup ISP

    I installed a new ASA 5512-X over the weekend for a client.  Their backup ISP connection is DHCP based.  I need to use the 'dhcp client route track' command on the interface, but it is not available.  However, according to all the documentation I am looking at, and even the ASDM, it should be available.
    This is the version of ASA and ASDM they are running:
    Cisco Adaptive Security Appliance Software Version 8.6(1)1
    Device Manager Version 6.6(1)
    I did upgrade to the latest ASA software, so has this command been removed?  If I do a '?' in the interface, there isn't a 'dhcp' option.
    Any help would be appreciated.  I really don't want to tell them they need to get a static IP address to resolve this issue.
    TIA,
    Dan

    Looks like you are hitting bugID: CSCtq78280
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtq78280
    Pls open a TAC case to get the fix on version 8.6.1(x).

  • ASA 5512 8.6(1) failover via Management0/0

    I am configuring a brand new pair of ASA 5512s running 8.6(1).  Traditionally we have been using the Management port as the dedicated failover link, but that seems to not be possible on the 5512s.
    ASA (config-if)# no management-only
    ERROR: It is not allowed to make changes to this option for management interface on this platform.
    I have not been able to find anything in the official documentation mentioning this restriction. 
    Does anybody know if this is indeed the case or if I am just missing something?
    Thanks
    Joerg Grau

    Hi,
    I think this is what you are looking for
    Management Port Configuration Changes
    The ASA 5500-X Series introduced a shared management port for firewall and IPS services. There are certain caveats to follow during migration from the ASA 5500 Series.
    • The shared management port cannot be used as a data port. All through-the-box traffic arriving at the management port will be dropped implicitly. This cannot be disabled.
    • The shared management port cannot be used as a part of a high availability configuration.
    If the ASA management port (M0/0) on the ASA 5500 Series appliance was being used as a data port, the configuration associated with that port should be moved to one of the gigabit data ports numbered above G0/3.
    Source:
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps6120/guide_c07-727453.html
    Though I guess you have to take into consideration when we compare the old ASA5500 Series and the new ASA5500-X that the new series actually has 2 more physical interfaces than all previous corresponding models had.
    Though it still might feel a waste of a Gigabit interface in a sense.
    Hope this helps
    Please remember to mark the reply as the correct answer if it answered your question.
    - Jouni

  • Unable to load admin page asa 5512

    Hi,
    I have a new ASA 5512-X, out-of-the-box, which I am unable to open the admin web page on.
    Laptop - Lenovo Windows 7 64 bit
    Browsers - Firefox 28 & IE 11
    Java is installed and correct versions
    ASDM on the 5512 - asdm-66114.bin
    ASA Ver - asa861-2-smp-k8.bin
    https is enabled and I'm using IP addresses that are allowed connectivity to the 5512
    When I browse to https://192.168.1.1/admin I am presented with a certificate error as expected, I accept the certificate, then the page hangs.  This happens on both Firefox and IE.
    Wireshark shows the TCP 3-way handshake and the TLS/SSL negotiation which is then immediately followed by the 5512 sending SSL data then a FIN,PSH,ACK packet back to my PC.  then a load of TCP retransmits from both my PC and the 5512.
    Now, I tried a different PC (Dell), same OS, same ver of Firefox but IE ver.9, and did not have any problems being presented with the 'Run ASDM Wizard' page.
    Has anyone had a similar issue?  Has anyone please got any idea what config on my PC may be at fault?
    Many thanks for any suggestions and help.
    Cheers

    Please have a look at the ssl settings on the ASA: "show run | i ssl".
    You may not have strong ciphers enabled and the PC with the newer browser does not accept the default weak ciphers. I make it a habit to setup ASAs with:
    ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 rc4-md5
    Those are all strong ciphers.
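An added example, not part of any post on this page: a small Python auditor that scans an ASA running-config, such as the ones pasted in these threads, for the management-plane settings the replies touch on (telnet access lines, the `ssh key-exchange group` setting, and the `ssl encryption` cipher list). The rule set (RC4, single-DES, NULL and MD5 suites, DH group 1, and any-source management access treated as findings) is this example's assumption, and the sample config is constructed from lines that appear on the page.

```python
import ipaddress
import re

# Constructed sample: individual lines copied from the configs pasted in the
# threads on this page, combined into one file for the demonstration.
SAMPLE_CONFIG = """\
hostname ASA-5512-X
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 inside-tempnet
telnet 10.0.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 rc4-md5
"""

# "<http|telnet|ssh> <address> <mask> <interface>" management access lines.
MGMT_ACCESS = re.compile(
    r"^(http|telnet|ssh)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$"
)
SSH_KEX = re.compile(r"^ssh key-exchange group (\S+)$")


def is_weak_cipher(name):
    """Assumed policy: RC4, single DES, NULL and MD5-based suites are weak."""
    name = name.lower()
    return name.startswith(("rc4-", "des-", "null-")) or name.endswith("-md5")


def audit(config_text):
    """Return a list of (line_number, rule, detail) findings."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()

        access = MGMT_ACCESS.match(line)
        if access:
            proto, addr, mask, ifc = access.groups()
            try:
                net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            except ValueError:
                # Address/mask pair that does not parse as a network.
                findings.append((lineno, "bad-mgmt-source", line))
                continue
            if proto == "telnet":
                findings.append(
                    (lineno, "telnet-enabled", f"{net} on {ifc} (cleartext)")
                )
            if net.prefixlen == 0:
                findings.append(
                    (lineno, "mgmt-any-source", f"{proto} from any on {ifc}")
                )
            continue

        kex = SSH_KEX.match(line)
        if kex and kex.group(1) == "dh-group1-sha1":
            findings.append((lineno, "weak-ssh-kex", kex.group(1)))
            continue

        if line.startswith("ssl encryption "):
            weak = [c for c in line.split()[2:] if is_weak_cipher(c)]
            if weak:
                findings.append((lineno, "weak-ssl-cipher", " ".join(weak)))
    return findings


if __name__ == "__main__":
    for lineno, rule, detail in audit(SAMPLE_CONFIG):
        print(f"line {lineno}: {rule}: {detail}")
```

Lines with masked addresses (for example `98.xxx.xxx.xxx`) do not match the access pattern and are skipped rather than guessed at.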

  • ASA is tearing down vpn connections aleatorily

    Cisco ASA5510 running 8.0.4 is tearing down VPN connections aleatorily. The user closes a VPN connection with the ASA by Cisco or another client, browses a server and starts a file transfer. Aleatorily the file transfer stops; the VPN is still up, the user can still browse the server, but the transfer stops with a network connection error. Sometimes it is at the beginning of the file, sometimes in the middle or at the end of the file, sometimes it works. We tried many users and many servers, with the same behavior. Without VPN the transfer works fine. The log messages are like this:
    Oct 25 2012 20:23:50 ciscoasa : %ASA-6-302014: Teardown TCP connection 6360702 for dmz_sp:10.120.7.56/58119 to inside:172.18.1.3/8800 duration 0:00:00 bytes 9389 TCP Reset-O (vpnbmb)
    Any idea about what is the problem? Could it be IPsec packets out of sequence? How do I check the IPsec sequence number?

  • ASA - ASDM shows Red X Connection Disconnected.

    Hi everyone,
    I have ASDM connection to ASA.
    On the bottom I see a Red X with two computers that says
    ASA Syslog connection
    Status is UP
    ASA Monitoring Connection disconnected????????
    I still have connection to ASDM need to know what does it mean by connection disconnected?
    Thanks
    Mahesh

    Hi Andrew,
    Many thanks for useful link.
    Regards
    Mahesh

  • Configuring "Guest Wi-Fi" VLAN on ASA 5512

    I'm attempting to set up a new vlan on my Cisco ASA 5512 running version 8.6(1)2.  This vlan will provide access for wireless "guest" APs in my network.  I have the guest vlan set up through to my switches; I'm able to dedicate a switch port to VLAN 40 and acquire an IP address in the 10.40.10.0/24 network.  Below is an excerpt of what I think is the relevant config information.  I'm trying to route guest traffic out my "outside" interface.
    Obvious to me I'm missing another command in here.  Any help would be greatly appreciated. If more of the running-config is needed please advise.  Thanks in advance!
    interface GigabitEthernet0/1.40
    description Guest Wireless Network
    vlan 40
    nameif guestwireless
    security-level 50
    ip address 10.40.10.5 255.255.255.0
    route outside 0.0.0.0 0.0.0.0 X.X.X.X 1  (public IP at X.X.X.X)
    access-list guestwireless_access_in extended permit ip 10.40.10.0 255.255.255.0 interface outside
    mtu guestwireless 1500
    access-group guestwireless_access_in in interface guestwireless
    dhcpd address 10.40.10.50-10.40.10.250 guestwireless
    dhcpd dns 8.8.8.8 interface guestwireless
    dhcpd enable guestwireless

    Stripped out some config pertaining to crypto and credentials
    --------------Config Below-----------------------------------
    : Saved
    ASA Version 8.6(1)2
    hostname ASA
    domain-name company.local
    names
    interface GigabitEthernet0/0
    description ISP Interface
    nameif outside
    security-level 100
    ip address ##.##.###.### 255.255.255.248
    interface GigabitEthernet0/1
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/1.40
    description Guest Wireless Network
    vlan 40
    nameif guestwireless
    security-level 50
    ip address 10.40.10.5 255.255.255.0
    interface GigabitEthernet0/2
    nameif inside-tempnet
    security-level 0
    ip address 172.29.0.252 255.255.255.0
    interface GigabitEthernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/4
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/5
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    shutdown
    nameif management
    security-level 100
    no ip address
    management-only
    boot system disk0:/asa861-2-smp-k8.bin
    ftp mode passive
    clock timezone CST -6
    clock summer-time CDT recurring
    dns server-group DefaultDNS
    domain-name company.local
    same-security-traffic permit inter-interface
    object network NETWORK_OBJ_10.100.10.0_24
    subnet 10.100.10.0 255.255.255.0
    access-list outside_access_in extended permit ip object NETWORK_OBJ_10.100.10.0_24 any
    access-list inside-tempnet_access_in extended permit ip 172.29.0.0 255.255.255.0 object NETWORK_OBJ_10.100.10.0_24
    access-list Split_Tunnel_List standard permit 172.29.0.0 255.255.255.0
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu guestwireless 1500
    mtu inside-tempnet 1500
    mtu management 1500
    ip local pool ClientVPN-DHCP-Pool 10.100.10.50-10.100.10.250 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-66114.bin
    asdm history enable
    arp timeout 14400
    nat (inside-tempnet,outside) source static any any destination static NETWORK_OBJ_10.100.10.0_24 NETWORK_OBJ_10.100.10.0_24 no-proxy-arp route-lookup
    nat (guestwireless,outside) after-auto source dynamic any interface
    access-group outside_access_in in interface outside
    access-group inside-tempnet_access_in in interface inside-tempnet
    route outside 0.0.0.0 0.0.0.0 ##.##.###.### 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    http server enable
    http 0.0.0.0 0.0.0.0 inside-tempnet
    http 172.29.0.0 255.255.255.0 inside-tempnet
    http redirect inside-tempnet 80
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    dhcpd address 10.40.10.50-10.40.10.250 guestwireless
    dhcpd dns 8.8.8.8 interface guestwireless
    dhcpd enable guestwireless
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl encryption aes256-sha1 aes128-sha1 3des-sha1
    ssl trust-point ASDM_TrustPoint0 outside
    ssl trust-point ASDM_TrustPoint0 inside-tempnet
    webvpn
    enable outside
    anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
    anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
    anyconnect profiles VPNConnect disk0:/vpnconnect.xml
    anyconnect enable
    tunnel-group-list enable
    group-policy "GroupPolicy_VPN Connect" internal
    group-policy "GroupPolicy_VPN Connect" attributes
    wins-server none
    dns-server value #.#.#.#
    vpn-tunnel-protocol ssl-client
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value Split_Tunnel_List
    default-domain value company.local
    webvpn
      anyconnect profiles value VPNConnect type user
    tunnel-group "VPN Connect" type remote-access
    tunnel-group "VPN Connect" general-attributes
    address-pool ClientVPN-DHCP-Pool
    authentication-server-group compnay.LOCAL LOCAL
    default-group-policy "GroupPolicy_VPN Connect"
    tunnel-group "VPN Connect" webvpn-attributes
    group-alias "VPN Connect" enable
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    : end

  • I cannot update my ipad2 to ios5.  Updating through iTunes on pc Windows Vista, Error message reads "cannot connect to iPad Software Update Server.  Tried resetting network settings, still not connecting.  Tried updating iTunes, still not connecting.

    I cannot update my ipad2 to ios5.  Updating through iTunes on pc Windows Vista, Error message reads "cannot connect to iPad Software Update Server.  Tried resetting network settings, still not connecting.  Tried updating iTunes, still not connecting.

    Look at iOS Troubleshooting Wi-Fi networks and connections  http://support.apple.com/kb/TS1398
    Additional things to try.
    Try this first. Turn Off your iPad. Then turn Off (disconnect power cord) the wireless router & then back On. Now boot your iPad. Hopefully it will see the WiFi.
    Change the channel on your wireless router. Instructions at http://macintoshhowto.com/advanced/how-to-get-a-good-range-on-your-wireless-network.html
    How to Quickly Fix iPad 3 Wi-Fi Reception Problems
    http://osxdaily.com/2012/03/21/fix-new-ipad-3-wi-fi-reception-problems/
    If none of the above suggestions work, look at this link.
    iPad Wi-Fi Problems: Comprehensive List of Fixes
    http://appletoolbox.com/2010/04/ipad-wi-fi-problems-comprehensive-list-of-fixes/
     Cheers, Tom

  • ASA 5505 configured for WebVPN connecting to Citrix Web Interface

    ASA 5505 configured for WebVPN connecting to Citrix Web Interface.
    I have an ASA 5505 that I am attempting to configure for WebVPN with passthrough into Web Interface. The user authenticates into WebVPN OK and gets the option to click on the Citrix link (which is a bookmark I added for the Citrix server, http://172.30.40.5). I enter Citrix and then, for example, I want to open Outlook and it cannot open (when I want to open an application, no application opens). There is no alarm at the ASA. How do I solve this issue?
    thanks.

    Teymur,
    Can you confirm that after disabling the ssl/tls on the Citrix server (secure connectivity) that you are getting exactly the same error.  It is possible that it is generating a different error.
    The bug where we have seen the existing error was CSCtf06303 but that has been fixed in 8.4.1.  Can you confirm the exact version of code you are running on the ASA.
    If you have confirmed the above two notes it may be advantageous to open a TAC case as we may need to do some live additional troubleshooting.
    Thanks
    -Jay

  • I can't get FaceTime or iMessage to connect, I enter valid password (tested and works for Apple account) and it won't connect. I have checked all settings, upgraded iOS to 8.3, rebooted, changed Apple account PW, still won't connect. My internet connecti

    I can't get FaceTime or iMessage to connect, I enter valid password (tested and works for Apple account) and it won't connect. I have checked all settings, upgraded iOS to 8.3, rebooted, changed Apple account PW, still won't connect. My internet connection is fine, Safari works and I can access all sites. I have an iPad 2. Any help on this will be greatly appreciated.  iPad 2, iOS 8.3

    This is an ongoing problem as you will see by searching the forum. 
    Out of curiosity, do you have 2 step verification enabled?  It was recently extended to include iMessage & FaceTime & I'm wondering if it might be causing some of the issues that some users are experiencing.

  • I - STILL - Cannot connect to the iTunes Store

    I am unable to connect to the iTunes Store. I could connect to the radio stations, I checked the SSL and TLS settings under Internet Explorer Options, I am not using a proxy or any computer-based firewall, and on my router firewall I tried opening up ports 53, 5353, 443 and 3689, and even tried putting the box in the DMZ, but to no avail... I still cannot connect to the store, and frankly, it is getting ridiculous. Can anyone help? Maybe the needed ports or something...
    Here is the check log... and thanks in advance.
    Microsoft Windows XP Professional Service Pack 2 (Build 2600)
    Dell Inc. Dimension XPS
    iTunes 7.6.1.9
    QuickTime 7.4.1
    CD Driver 2.0.6.1
    CD Driver DLL 2.0.6.2
    Apple Mobile Device 1.1.4.7
    Bonjour 1.0.4.12 (118.4)
    iTunes Serial Number 3A48AA7B3CB9DD57
    Current user is an administrator.
    The current local date and time is 2008-03-08 21:11:11.
    iTunes is not running in safe mode.
    Video Display Information
    NVIDIA GeForce 6800
    External Plug-ins Information **
    No external plug-ins installed.
    Network Connectivity Tests **
    Network Adapter Information
    Adapter Name: {686274E4-CF42-4229-98AE-678EE8BF1331}
    Description: Broadcom NetXtreme 57xx Gigabit Controller - Packet Scheduler Miniport
    IP Address: 10.10.0.10
    Subnet Mask: 255.255.255.0
    Default Gateway: 10.10.0.1
    DHCP Enabled: No
    DHCP Server: 255.255.255.255
    Lease Obtained: Wed Dec 31 20:00:00 1969
    Lease Expires: Wed Dec 31 20:00:00 1969
    DNS Servers: 10.10.0.1
    10.10.0.1
    Adapter Name: {C7089E37-5C18-4224-812A-541BFED730B6}
    Description: VMware Virtual Ethernet Adapter for VMnet1
    IP Address: 192.168.181.1
    Subnet Mask: 255.255.255.0
    Default Gateway:
    DHCP Enabled: No
    DHCP Server: 255.255.255.255
    Lease Obtained: Wed Dec 31 20:00:00 1969
    Lease Expires: Wed Dec 31 20:00:00 1969
    DNS Servers:
    Adapter Name: {F5345F4B-2E32-4D97-BB78-741CFE4A155C}
    Description: VMware Virtual Ethernet Adapter for VMnet8
    IP Address: 192.168.92.1
    Subnet Mask: 255.255.255.0
    Default Gateway:
    DHCP Enabled: No
    DHCP Server: 255.255.255.255
    Lease Obtained: Wed Dec 31 20:00:00 1969
    Lease Expires: Wed Dec 31 20:00:00 1969
    DNS Servers:
    Active Connection: LAN Connection
    Connected: Yes
    Online: Yes
    Using Modem: No
    Using LAN: Yes
    Using Proxy: No
    SSL 3.0 Support: Enabled
    TLS 1.0 Support: Enabled
    Firewall Information
    Windows Firewall is off.
    Connection attempt to Apple web site was successful.
    Connection attempt to iTunes Store was successful.
    Secure connection attempt to iTunes Store was successful.
    Secure connection attempt to iPhone activation server was successful.
    iTunes has never successfully accessed iTunes store.

    I don't think it is a firewall issue as the connection attempts were not blocked according to the network connectivity report.
    These ones have been tricky to solve.
    As a first stab, one thing you could try is to create a new Windows account and see if you can connect from there.
    P.S. I noticed that the date on the report is not the same as the date of your post. This may just be when you ran the report, but it is worth checking your computer's date and time are correct.
    You could also check the Advanced tab in your Internet Options to see if "Check for server certificate revocation" is checked. If it is, try unchecking it.
    Message was edited by: polydorus
