ASA5510 Error
Just wondering if anyone else has seen these two errors in Outlook after implementing an ASA w/CSC. I turned off ESMTP but to no avail.
Header Error:
Task 'Corporate - Receiving' reported error (0x80042107) : 'Your e-mail server does not support downloading headers.'
SMTP Error:
Task 'USERNAME - Sending' reported error (0x800CCC80) : 'None of the authentication methods supported by this client are supported by your server.'
Found this: CSCsg52277
Yes
Certain SMTP messages cannot be sent through ASA with 'inspect esmtp' on
Will be upgrading to 7.2.2 next week. I will post my results.
Similar Messages
-
%ASA-1-106021: Deny UDP reverse path check from 169.254.213.25 to 169.254.255.255 on interface Networkmgmt
I am wondering if anyone has any information for me beyond what the explanation that Cisco provides. I am sure this is an inside attack, as my outer layers have not picked up this IP. I am looking for a good way to track down what machine this IP belongs to.
Any info would help.
Thanks,
Adam Filkins
You were probably looking for the security->firewall forum; you somehow ended up in the Wireless security forums. However, at a glance that address is an automatic private IP address. All that means is that a client failed to get a DHCP address and is trying to work around it. A good description is at:
http://compnetworking.about.com/cs/protocolsdhcp/g/bldef_apipa.htm
The error you got is because the firewall knows that APIPA addresses are not valid on its interface. I would not be concerned about this for security reasons, but you may need to figure out which client is not working. -
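The reply above gives the right reading of the message, but the original question (which machine is sending this?) is easier to answer when the 106021 lines are counted per interface and source rather than read one at a time. The script below is an added example, not part of this thread or of any Cisco tool: it parses lines in the %ASA syslog format, keeps only the reverse-path-check denies, labels APIPA sources as a DHCP failure rather than hostile traffic, and tallies the rest per interface and source so the noisiest host stands out. The sample lines are constructed; the first is the one quoted in the thread, the others use RFC 5737 documentation addresses.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log. Line 1 is the message quoted in the thread (twice, to
# show counting); the TCP line and the 302013 line are made up for contrast.
SAMPLE_LOG = """\
%ASA-1-106021: Deny UDP reverse path check from 169.254.213.25 to 169.254.255.255 on interface Networkmgmt
%ASA-1-106021: Deny UDP reverse path check from 169.254.213.25 to 169.254.255.255 on interface Networkmgmt
%ASA-1-106021: Deny TCP reverse path check from 192.168.50.9 to 192.0.2.20 on interface outside
%ASA-6-302013: Built inbound TCP connection 12 for outside:198.51.100.7/4711 (198.51.100.7/4711) to inside:192.0.2.9/443 (192.0.2.9/443)
"""

APIPA = ipaddress.ip_network("169.254.0.0/16")

# 106021 is the only message this example cares about; everything else is ignored.
RPF_RE = re.compile(
    r"%ASA-\d-106021: Deny (?P<proto>\S+) reverse path check "
    r"from (?P<src>\S+) to (?P<dst>\S+) on interface (?P<iface>\S+)"
)


def classify_rpf(line):
    """Return a record for a 106021 line, or None for any other message."""
    m = RPF_RE.search(line)
    if m is None:
        return None
    src = ipaddress.ip_address(m["src"])
    if src in APIPA:
        # A host that failed to get a DHCP lease; misconfiguration, not an attack.
        verdict = "apipa-client"
    elif src.is_private:
        # RFC 1918 source arriving on an interface with no route back to it:
        # usually asymmetric routing or a mis-addressed host, occasionally spoofing.
        verdict = "private-source-wrong-interface"
    else:
        # Public source on the wrong interface: a routing mistake or spoofing.
        verdict = "public-source-wrong-interface"
    return {"proto": m["proto"], "src": str(src), "dst": m["dst"],
            "iface": m["iface"], "verdict": verdict}


def summarize(log_text):
    """Count RPF denies per (interface, source), most frequent first."""
    counts = Counter()
    verdicts = {}
    for line in log_text.splitlines():
        rec = classify_rpf(line)
        if rec:
            key = (rec["iface"], rec["src"])
            counts[key] += 1
            verdicts[key] = rec["verdict"]
    return [(iface, src, n, verdicts[(iface, src)])
            for (iface, src), n in counts.most_common()]


if __name__ == "__main__":
    for iface, src, n, verdict in summarize(SAMPLE_LOG):
        print(f"{iface:12} {src:16} {n:4}  {verdict}")
```

The interface column tells you which segment to search; the source address itself is useless for an APIPA host, so the next step is the switch MAC table on that segment, not the firewall.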
Dear all,
I have an issue with SSL WebVPN. I have 2 ASAs (a 5520 and a 5510 in 2 different locations in India).
The 1st, the ASA 5520, is in my datacenter; I have configured WebVPN to access the web applications hosted in my datacenter.
As a starter I have created a local account in the ASA for WebVPN access. I am able to access the WebVPN using the local credentials.
When I click the URL I get the error "Internet Explorer cannot display the webpage".
Instead of the error message I should be prompted for the username and password of the website. I have attached the "afterloginscreen_5520&5510" screenshot, which shows that the SSL WebVPN is working, and the second screenshot, "error_page_5520", shows the error when I click the URL.
The 2nd, the ASA 5510, is in my other datacenter. I have configured it the same way and it is working fine; I have no problem accessing the website. I have attached the screenshot "working_5510_asking_for_username&password".
For the ASA 5520 the web servers are native.
For the ASA 5510 the web servers are remote.
Last month when I tried using the ASA 5520 it worked like a charm; now, when I try with both ASAs enabled, the 5520 is not working.
6|Oct 26 2012 14:37:39|725007: SSL session with client Outside:Internet IP /1631 terminated.
6|Oct 26 2012 14:37:40|725001: Starting SSL handshake with client Outside:Internet IP /1634 for TLSv1 session.
6|Oct 26 2012 14:37:40|725003: SSL client Outside:Internet IP /1634 request to resume previous session.
6|Oct 26 2012 14:37:40|725002: Device completed SSL handshake with client Outside:Internet IP/1634
6|Oct 26 2012 14:37:40|716003: Group <omsir VPN> User <omsir> IP <Internet IP> WebVPN access GRANTED: http://URL//
Please help me. Thanks in advance.
Hello all,
I have solved this issue.
My ASA was licensed only for 3DES. Once I tried the AES trial version from Cisco it worked like a charm.
I know this is weird, but what to do; this has solved the issue.
Enjoy
Naresh -
Help open port on ASA5510 (version 8.3)
Hi all,
I configured the ASA to open ports 21, 3389 and 5900 (outside access in), but when I check the ports only 21 and 3389 succeed; 5900 gives an error.
If I configure only one port, 5900 or 3389, it's OK. I don't understand what the problem is.
ASA5510>
ASA5510> ena
Password: ***********************
ASA5510# show run
: Saved
ASA Version 8.3(1)
hostname ASA5510
domain-name lohoi.local
enable password *********************** encrypted
passwd *********************** encrypted
names
interface Ethernet0/0
description Connect_to_Modem
nameif outside
security-level 0
ip address 10.0.0.2 255.255.255.0
interface Ethernet0/1
description Connect_to_Router2911
nameif inside
security-level 100
ip address 172.16.17.2 255.255.255.240
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
description Management
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
ftp mode passive
clock timezone ICT 7
dns server-group DefaultDNS
domain-name lohoi.local
object network obj-any
subnet 0.0.0.0 0.0.0.0
object network ftpserver
host 192.168.88.90
description FTP server
object network Remote_Desktop
host 192.168.100.29
object network VNC
host 192.168.100.4
access-list 101 extended permit icmp any any
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit tcp any any
access-list outside_access_in extended permit tcp any object ftpserver eq ftp
access-list outside_in extended permit tcp any host 192.168.100.29
access-list outside_in extended permit tcp any host 192.168.100.4
pager lines 24
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
asdm history enable
arp timeout 14400
object network obj-any
nat (inside,outside) dynamic interface
object network ftpserver
nat (inside,outside) static interface service tcp ftp ftp
object network Remote_Desktop
nat (inside,outside) static interface service tcp 3389 3389
object network VNC
nat (inside,outside) static interface service tcp 5900 5900
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
route inside 192.168.88.64 255.255.255.224 1
route inside 192.168.100.0 255.255.255.0 172.16.17.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http authentication-certificate inside
http authentication-certificate management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.100.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password *********************** encrypted privilege 15
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:667cb3ec729681c78ccab9a57abd89df
: end
ASA5510#
ASA5510# show run
: Saved
ASA Version 8.3(1)
hostname ASA5510
domain-name lohoi.local
enable password ****************** encrypted
passwd ****************** encrypted
names
interface Ethernet0/0
description Connect_to_Modem
nameif outside
security-level 0
ip address 10.0.0.2 255.255.255.0
interface Ethernet0/1
description Connect_to_Router2911
nameif inside
security-level 100
ip address 172.16.17.2 255.255.255.240
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
description Management
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
ftp mode passive
clock timezone ICT 7
dns server-group DefaultDNS
domain-name lohoi.local
object network obj-any
subnet 0.0.0.0 0.0.0.0
object network ftpserver
host 192.168.88.90
description FTP server
object network remote_desktop
host 192.168.100.2
object network remote_vnc
host 192.168.100.4
access-list 101 extended permit icmp any any
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit tcp any any
access-list outside_access_in extended permit tcp any object ftpserver eq ftp
access-list outside_access_in extended permit tcp any host 192.168.100.4 eq 5900
access-list outside_access_in extended permit tcp any host 192.168.100.2 eq 3389
pager lines 24
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asd
asdm history enable
arp timeout 14400
object network obj-any
nat (inside,outside) dynamic interface
object network ftpserver
nat (inside,outside) static interface service tcp ftp ftp
object network remote_desktop
nat (inside,outside) static interface service tcp 3389 3389
object network remote_vnc
nat (inside,outside) static interface service tcp 5900 5900
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
route inside 192.168.88.64 255.255.255.224 172.16.17.1 1
route inside 192.168.100.0 255.255.255.0 172.16.17.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http authentication-certificate inside
http authentication-certificate management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.100.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password ****************** encrypted privilege 15
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:4f061a213185354518601f754e41494c
: end
ASA5510#
So I configured it again, but I still cannot access port 5900. -
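From 8.3 onwards an inbound ACL on the ASA matches the real (untranslated) address and port, so every static port NAT needs a permit for the real host on the ACL that is actually applied inbound on the outside interface. The checker below is an added example, not from this thread or from Cisco: it parses the object, NAT, access-list and access-group lines of the two dumps above (condensed inline from the page) and reports, per static port NAT, whether the applied ACL permits the real host and port, whether it does so with an over-broad any-port entry, and which ACLs are defined but never applied. Port names are resolved through a small table that is an assumption of this example.

```python
import re

# Named ports that may appear in 'eq' clauses (extend as needed; assumption of this example).
PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "www": 80, "https": 443}

# Condensed from the first 'show run' in the thread (objects, ACLs, NAT, access-group only).
CONFIG_FIRST = """\
object network ftpserver
 host 192.168.88.90
object network Remote_Desktop
 host 192.168.100.29
object network VNC
 host 192.168.100.4
access-list 101 extended permit tcp any any
access-list outside_access_in extended permit tcp any object ftpserver eq ftp
access-list outside_in extended permit tcp any host 192.168.100.29
access-list outside_in extended permit tcp any host 192.168.100.4
object network ftpserver
 nat (inside,outside) static interface service tcp ftp ftp
object network Remote_Desktop
 nat (inside,outside) static interface service tcp 3389 3389
object network VNC
 nat (inside,outside) static interface service tcp 5900 5900
access-group outside_in in interface outside
"""

# Condensed from the second 'show run' in the thread.
CONFIG_SECOND = """\
object network ftpserver
 host 192.168.88.90
object network remote_desktop
 host 192.168.100.2
object network remote_vnc
 host 192.168.100.4
access-list 101 extended permit tcp any any
access-list outside_access_in extended permit tcp any object ftpserver eq ftp
access-list outside_access_in extended permit tcp any host 192.168.100.4 eq 5900
access-list outside_access_in extended permit tcp any host 192.168.100.2 eq 3389
object network ftpserver
 nat (inside,outside) static interface service tcp ftp ftp
object network remote_desktop
 nat (inside,outside) static interface service tcp 3389 3389
object network remote_vnc
 nat (inside,outside) static interface service tcp 5900 5900
access-group outside_access_in in interface outside
"""

# Only the ACE shapes used on this page: 'permit <proto> any host <ip>|object <name> [eq <port>]'.
ACE_RE = re.compile(r"permit (\S+) any (?:host (\S+)|object (\S+))(?: eq (\S+))?$")


def port_number(tok):
    if tok.isdigit():
        return int(tok)
    if tok in PORT_NAMES:
        return PORT_NAMES[tok]
    raise ValueError(f"unknown port name {tok!r}")


def parse_config(text):
    objects, nats, acls, groups = {}, [], {}, {}
    current = None                     # object whose sub-commands we are inside
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[:2] == ["object", "network"]:
            current = tok[2]
            objects.setdefault(current, None)
        elif tok[0] == "host" and current:
            objects[current] = tok[1]
        elif tok[0] == "nat" and current and "static" in tok and "service" in tok:
            i = tok.index("service")   # ... service tcp <real> <mapped>
            nats.append((current, tok[i + 1], port_number(tok[i + 2]), port_number(tok[i + 3])))
        elif tok[0] == "access-list" and tok[2] == "extended":
            entries = acls.setdefault(tok[1], [])
            m = ACE_RE.search(raw)
            if m:
                proto, host, obj, port = m.groups()
                entries.append((proto, host or ("obj:" + obj), port_number(port) if port else None))
        elif tok[0] == "access-group" and tok[2] == "in":
            groups[tok[4]] = tok[1]    # interface -> inbound ACL name
    return objects, nats, acls, groups


def check_inbound(config_text, iface="outside"):
    """Pair each static port NAT with the ACL applied inbound on `iface`."""
    objects, nats, acls, groups = parse_config(config_text)
    entries = acls.get(groups.get(iface), [])
    result = {"missing": [], "broad": [],
              "unapplied": sorted(n for n in acls if n not in groups.values())}
    for obj, proto, real_port, _mapped in nats:
        real_ip = objects[obj]
        hits = [e for e in entries
                if e[0] == proto and e[1] in (real_ip, "obj:" + obj) and e[2] in (None, real_port)]
        if not hits:
            result["missing"].append((obj, real_ip, proto, real_port))
        elif any(e[2] is None for e in hits):
            result["broad"].append((obj, real_ip, proto, real_port))
    return result


if __name__ == "__main__":
    for name, cfg in (("first dump", CONFIG_FIRST), ("second dump", CONFIG_SECOND)):
        print(name, check_inbound(cfg))
```

On the first dump the applied ACL (outside_in) has no entry at all for the FTP server, the FTP permit sits in outside_access_in which is never applied, and both host entries permit every TCP port instead of just 3389 and 5900. On the second dump the NAT/ACL pairing is consistent for all three ports, so the remaining 5900 failure has to be looked for elsewhere (the route to 192.168.100.0/24, the VNC host itself, or a packet-tracer run on the ASA), not in these lines.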
How to validate SSL cert on ASA5510, before changing DNS?
I have recently installed an SSL certificate from a third party CA (GoDaddy) into an ASA5510 that I will be using as a VPN appliance for AnyConnect clients.
The ASA is going to replace our VPN server, which currently has the vpn.domain.com FDQN assigned to its IP address in public DNS.
Is there a way for me to properly validate that the SSL cert will work without any issues (i.e. no invalid-certificate error messages popping up on users' AnyConnect clients) from the Internet, before I cut over public DNS to point to the public-facing interface on the ASA5510, which is where vpn.company.com will ultimately be pointing?
Put vpn.domain.com in your local PC hosts file with the new IP. Then try AnyConnect.
-
ASA5510 - Accessing Anyconnect via other local Interface
Hello - I hope someone can help.
I have a scenario where there is an ASA5510 configured as follows:
Interface0 = Outside
Interface1 = LAN
Interface2 = DMZ
Interface3 = unused
Running ASA version 8.2[1]
All network operations are fine, as are the IPSEC tunnels to other branch offices, and the incoming SSL VPN accessed via the IP address assigned to the external adapter.
My problem is that I have a device on the DMZ that needs to access the AnyConnect service hosted on the external adapter so that it can access LAN resources. When I try accessing it, I see the following errors appearing in the debug log:
3 | Dec 03 2012 12:10:50 | 710003 | [DMZ client address]/51031 | [AnyConnect ExternalAddress]/443 | TCP access denied by ACL from [DMZ client address]/51031 to DMZ:[AnyConnect ExternalAddress]/443
If you look closely, it suggests an ACL issue from the DMZ client to the external AnyConnect IP address BUT it suggests the Anyconnect IP address is on the DMZ interface.
Has anyone seen this before?
Thanks in advance for any help.
In this scenario you will have to enable AnyConnect on the DMZ interface to let DMZ users establish an AnyConnect tunnel and access LAN resources, since from the DMZ or any other LAN interface you cannot VPN directly to the external interface.
For reference, check https://supportforums.cisco.com/message/3801168#3801168, where a similar discussion has taken place.
Regards,
Anuj -
Hi,
I would like to change ASA5510 to ASA5515-X.
ASA5510 version is 9.1.1
Which is the best method to copy the configuration?
Downtime is acceptable.
I don't know if backing up the ASA5510 configuration (with ASDM) and restoring it on the 5515 would work because of their differences (Ethernet vs. GigabitEthernet, for example).
Thanks for your help,
Patrick
What I've done to copy the ASA 5510 configuration to the ASA 5515-X without error...
On ASA 5510 :
- backup configuration with ASDM --> backup.zip with password
- copy running-config in a file : backup.cfg
I modified a few lines in backup.cfg:
- Ethernet to GigabitEthernet
- boot image
On ASA 5515-X
- I configured the management interface, then I copied many files (dap.xml, <allvpnprofiles>.xml, anyconnect.pkg, ASA, ASDM, backup.cfg)
- I configured "boot system" and "asdm image"
- in ASDM, I restored with the wizard and selected Certificate and VPN (but the VPN data was not restored)
- with the CLI, I copied backup.cfg to running-config, then write mem
- there were only a few warnings and there was no error after reboot.
I haven't tried to connect in production, but the configuration seems correct.
Patrick -
CTM ERROR: ASA hardware accelerator init failed
Hi guys, I have bought a refurbished firewall and upon reloading I see the following error on the console. Is it something I can rectify?
Loading disk0:/asa904-k8.bin... Booting...
Platform ASA5510
Loading...
IO memory blocks requested from bigphys 32bit: 13264
dosfsck 2.11, 12 Mar 2005, FAT32, LFN
Starting check/repair pass.
Starting verification pass.
/dev/hda1: 104 files, 12459/63613 clusters
dosfsck(/dev/hda1) returned 0
Processor memory 864026624, Reserved memory: 62914560
Total SSMs found: 0
Total NICs found: 7
mcwa i82557 Ethernet at irq 11 MAC: d0d0.fd1d.5d57
mcwa i82557 Ethernet at irq 5 MAC: 0000.0001.0001
i82547GI rev00 Gigabit Ethernet @ irq11 dev 1 index 05 MAC: 0000.0001.0002
i82546GB rev03 Ethernet @ irq09 dev 2 index 03 MAC: d0d0.fd1d.5d5b
i82546GB rev03 Ethernet @ irq09 dev 2 index 02 MAC: d0d0.fd1d.5d5a
i82546GB rev03 Ethernet @ irq09 dev 3 index 01 MAC: d0d0.fd1d.5d59
i82546GB rev03 Ethernet @ irq09 dev 3 index 00 MAC: d0d0.fd1d.5d58
Verify the activation-key, it might take a while...
Running Permanent Activation Key: 0x6122cb5d 0xc06c1a74 0xec92a120 0xbd44e8e8 0x8e372a8a
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 250 perpetual
Total VPN Peers : 250 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
Cluster : Disabled perpetual
This platform has an ASA 5510 Security Plus license.
CTM ERROR: ASA hardware accelerator init failed, cause: boot_init completion timeout, ctm_nlite_boot_init:2284
CTM ERROR: ASA hardware accelerator init failed, cause: boot initialization failure, ctm_nlite_download:3342
CRYPTO ERROR: Microcode download failure, boot instance 0
Cisco Adaptive Security Appliance Software Version 9.0(4)
Thanks in advance
Hi Mike,
Thanks for your reply. Considering it was at an early stage, I had asked the supplier to replace it.
Regards
Stefan -
Hello,
I have a problem with the IPS module in my ASA5510. After a central power failure the module stopped working.
The status of the module is "Unresponsive" (in the show module command). All attempts to bring it back up ended with this status.
I tried "hw-module module 1 reset", "hw-module module 1 recover", and removing and reinserting the module with a reload of the appliance, but no success.
During these tests I set "debug cplane 255" and saw these messages:
cp_connect: Connecting to card 1, socket 7, port 7000
cp_connect: Error - cp_connect() returned -1
cp_check_connection: handle -1, conflicts with connection 1 (-1)
cp_check_connection: handle -1, conflicts with connection 2 (-1)
cp_check_connection: handle -1, conflicts with connection 3 (-1)
cp_update_connection: Error updating connection_id 0
Does anybody know what it means? I tried to find information on the web about it, but without success.
Unfortunately, this device is no longer under contract, so I cannot open a case.
I cannot reconcile myself to the idea that it is a hardware failure and the module is dead.
Thanks for any advice.
Radek
Either your module is sick or the backplane on your 5510 has problems.
Do you have another 5500 chassis to put this module into to test?
- Bob -
Hi,
I am trying to access a Cisco ASA5510 using ASDM but have not been successful. The running config file is attached. I have tried to debug ASDM and HTTP and got the following errors...
HTTP: processing handoff to legacy admin server [/admin]
HTTP: session verified = [0]
HTTP: processing GET URL '/admin' from host 6.6.6.10
HTTP: redirecting to: /admin/public/index.html
HTTP: session verified = [0]
HTTP: processing GET URL '/admin/public/index.html' from host 6.6.6.10
HTTP: authentication not required
HTTP: file not found: public/index.html
HTTP: processing handoff to legacy admin server [/favicon.ico]
HTTP: session verified = [0]
HTTP: processing GET URL '/favicon.ico' from host 6.6.6.10
HTTP: authentication required, no authentication information was provided
I have tried my best to troubleshoot but have not been successful. Please help me resolve the issue.
Arshi
Hi Arshi,
The problem should be related to ASDM version compatibility: you are using an ASDM version that is incompatible with your ASA IOS version. ASA 8.2(1) requires ASDM version 6.2(1) or later, and the recommended version would be 7.3(1).
Regards,
Aref -
We are using an ASA5510 as our VPN gateway and MS IAS 2003 for RADIUS & AAA. Using the Cisco VPN client it is not able to authenticate. I get the following error in Event Viewer:
Policy-Name = Dialup Group
Authentication-Type = PAP
EAP-Type = <undetermined>
Reason-Code = 66
Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.
I just dealt with this. Go into your IAS console and select properties for your remote access policy 'Dialup Group'. Click 'Edit Profile' and then the 'Authentication' tab. Enable 'PAP'. That should do it!
-
Replacement of primary unit failed! (ASA5510 active/standby)
Hi all,
I have an issue bringing up my RMA'd primary ASA unit.
So what happened so far:
1. primary unit failed
2. secondary took over and is now secondary - active (as per sh fail)
3. requested RMA at Cisco
4. got ASA and checked that Lic (SSL), OS (8.2.2) and ASDM are at the same level as the secondary
5. issued wr erase and reloaded
6. copied the following commands to the new (RMA) primary unit:
failover lan unit primary
failover lan interface Failover Ethernet3
failover interface ip Failover 172.x.x.9 255.255.255.248 standby 172.x.x.10
int eth3
no shut
failover
wr mem
7. installed primary unit into rack
8. plugged in all cables (network, failover, console and power)
9. fired up the primary unit
10. expected that the unit shows:
Detected an Active mate
Beginning configuration replication from mate.
End configuration replication from mate.
11. but nothing happened on primary unit
So can anyone give me assistance on what is a valid and viable approach to replacing a failed primary unit? Is there a missing step that prevents me from successfully replicating the secondary - active config to the primary - standby unit?
I was looking for help on the net but unfortunately I was not able to find anything related to ASA55xx primary unit replacement with a clear guideline or step by step instructions.
Any comments or suggestions are appreciated, and might help others who are in the same situation.
Thanks,
Nico
Hi Varun,
Thanks for catching-up this thread.
Here you go:
sh run fail on secondary - active:
failover
failover lan unit secondary
failover lan interface Failover Ethernet0/3
failover key *****
failover link Failover Ethernet0/3
failover interface ip Failover 172.x.x.9 255.255.255.248 standby 172.x.x.10
sh fail hist on secondary - active:
asa1# sh fail hist
==========================================================================
From State To State Reason
==========================================================================
23:47:15 CEST Feb 19 2011
Not Detected Negotiation No Error
23:47:19 CEST Feb 19 2011
Negotiation Cold Standby Detected an Active mate
23:47:21 CEST Feb 19 2011
Cold Standby Sync Config Detected an Active mate
23:47:36 CEST Feb 19 2011
Sync Config Sync File System Detected an Active mate
23:47:36 CEST Feb 19 2011
Sync File System Bulk Sync Detected an Active mate
23:47:50 CEST Feb 19 2011
Bulk Sync Standby Ready Detected an Active mate
10:34:09 CEDT Sep 3 2011
Standby Ready Just Active HELLO not heard from mate
10:34:09 CEDT Sep 3 2011
Just Active Active Drain HELLO not heard from mate
10:34:09 CEDT Sep 3 2011
Active Drain Active Applying Config HELLO not heard from mate
10:34:09 CEDT Sep 3 2011
Active Applying Config Active Config Applied HELLO not heard from mate
10:34:09 CEDT Sep 3 2011
Active Config Applied Active HELLO not heard from mate
==========================================================================
sh fail on secondary - active
asa1# show fail
Failover On
Failover unit Secondary
Failover LAN Interface: Failover Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 110 maximum
Version: Ours 8.2(2), Mate 8.2(2)
Last Failover at: 10:34:09 CEDT Sep 3 2011
This host: Secondary - Active
Active time: 441832 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.2(2)) status (Up Sys)
Interface Outside (x.x.x.14): Normal (Waiting)
Interface Inside (x.x.x.11): Normal (Waiting)
slot 1: empty
Other host: Primary - Failed
Active time: 40497504 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.2(2)) status (Unknown/Unknown)
Interface Outside (x.x.x.15): Unknown
Interface Inside (x.x.x.12): Unknown
slot 1: empty
Stateful Failover Logical Update Statistics
Link : Failover Ethernet0/3 (up)
Stateful Obj xmit xerr rcv rerr
General 2250212 0 64800624 309
sys cmd 2250212 0 2249932 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 46402635 309
UDP conn 0 0 21248 0
ARP tbl 0 0 15921639 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKE upd 0 0 96977 0
VPN IPSEC upd 0 0 108174 0
VPN CTCP upd 0 0 19 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 17 203259096
Xmit Q: 0 1 2250212
show ver on secondary - active
asa1# sh ver
Cisco Adaptive Security Appliance Software Version 8.2(2)
Device Manager Version 6.2(5)53
Compiled on Mon 11-Jan-10 14:19 by builders
System image file is "disk0:/asa822-k8.bin"
Config file at boot was "startup-config"
asa1 up 200 days 12 hours
failover cluster up 1 year 108 days
Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
Slot 1: ATA Compact Flash, 64MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: Ethernet0/0 : address is 0022.55cf.7420, irq 9
1: Ext: Ethernet0/1 : address is 0022.55cf.7421, irq 9
2: Ext: Ethernet0/2 : address is 0022.55cf.7422, irq 9
3: Ext: Ethernet0/3 : address is 0022.55cf.7423, irq 9
4: Ext: Management0/0 : address is 0022.55cf.741f, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 100
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
SSL VPN Peers : 10
Total VPN Peers : 250
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has an ASA 5510 Security Plus license.
Serial Number: xxx
Running Activation Key:xxxx
Configuration register is 0x1
Configuration last modified by enable_1 at 10:05:32.149 CEDT Fri Jul 15 2011 -
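For the failover replacement thread above: before a replacement unit can pair, the failover stanza typed on it has to agree with the surviving unit's `sh run fail` on everything except the unit role. The script below is an added example, not from the thread or from Cisco; it parses the two stanzas exactly as quoted (the commands copied to the RMA unit, and `sh run fail` from the secondary) and reports the settings that must match on both units (LAN interface, failover link, interface IPs, presence of a key) and the one that must differ (unit role). The key is masked in show output, so only its presence is compared.

```python
# Stanza copied to the replacement primary, as quoted in the original post.
NEW_PRIMARY = """\
failover lan unit primary
failover lan interface Failover Ethernet3
failover interface ip Failover 172.x.x.9 255.255.255.248 standby 172.x.x.10
failover
"""

# 'sh run fail' from the surviving secondary, as quoted in the reply.
SECONDARY = """\
failover
failover lan unit secondary
failover lan interface Failover Ethernet0/3
failover key *****
failover link Failover Ethernet0/3
failover interface ip Failover 172.x.x.9 255.255.255.248 standby 172.x.x.10
"""


def parse_failover(text):
    """Pick the failover settings out of a config fragment; other lines are ignored."""
    cfg = {"enabled": False}
    for line in text.splitlines():
        t = line.split()
        if t[:1] != ["failover"]:
            continue
        if len(t) == 1:
            cfg["enabled"] = True                       # bare 'failover' turns it on
        elif t[1:3] == ["lan", "unit"]:
            cfg["unit"] = t[3]                          # primary / secondary
        elif t[1:3] == ["lan", "interface"]:
            cfg["lan_interface"] = (t[3], t[4])         # (logical name, physical port)
        elif t[1] == "link":
            cfg["link"] = (t[2], t[3])                  # stateful link, if any
        elif t[1] == "key":
            cfg["key"] = t[2]                           # masked in show output
        elif t[1:3] == ["interface", "ip"]:
            cfg["ip"] = (t[3], t[4], t[5], t[7])        # name, active ip, mask, standby ip
    return cfg


def compare_failover(text_a, text_b):
    """Return a list of human-readable mismatches between two units' failover stanzas."""
    ca, cb = parse_failover(text_a), parse_failover(text_b)
    issues = []
    if ca.get("unit") == cb.get("unit"):
        issues.append("both units claim the same role (%s)" % ca.get("unit"))
    for key in ("lan_interface", "link", "ip"):
        if ca.get(key) != cb.get(key):
            issues.append("%s differs: %s vs %s" % (key, ca.get(key), cb.get(key)))
    if ("key" in ca) != ("key" in cb):
        issues.append("failover key configured on only one unit")
    for name, c in (("A", ca), ("B", cb)):
        if not c["enabled"]:
            issues.append("unit %s: failover not enabled" % name)
    return issues


if __name__ == "__main__":
    for issue in compare_failover(NEW_PRIMARY, SECONDARY):
        print("-", issue)
```

Run against the two stanzas quoted in the thread it reports three differences: the LAN interface is spelled Ethernet3 on the new unit but Ethernet0/3 on the secondary, the new unit has no failover link line, and it has no failover key while the secondary does. Those are the lines to reconcile on the replacement before looking anywhere else.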
Can't connect to a customer when I'm connected to my ASA5510 VPN.
Hi.
I need to connect to a remote customer from home via the office's vpn.
When I am physically at the office, I can connect without problem to my customer's secured gateway using my Internet Explorer browser (https://...).
(NB - when I go to the site speedtest.net, it indicated that my source IP address is our office's Internet Supplier - Bell.ca 67.70.xxx.x - which is correct).
When I am at home, I connect by VPN (with the Cisco VPN Client) to my office's Cisco ASA5510. I then open my Internet Explorer browser and enter my customer's https:// address; unfortunately I get an error message saying I am not authorised to connect to the site.
I go to the site speedtest.net, and my source IP address is my home's Internet supplier (Videotron.ca 24.200.162.27).
My customer will only allow me in if the source ip is from Bell.ca 67.70.xxx.x (office) not Videotron.ca 24.200.162.27 (home).
How can I resolve my problem? I created a separate group policy, tried different split tunnel policies, actually tried everything I can think of!
I was certain it had to do with the Split Tunnel Policy in the Group Policy but not sure anymore .
Any suggestions?
Thanks
Your VPN would have to DISALLOW split tunnel, making all your Internet traffic come from the office network when you are VPN-connected.
-
ASA5510 %ASA-2-106001 connection denied
Hi,
I am having issues with one service connecting to a monitor on the inside of my ASA firewall. I am getting %ASA-2-106001 as the log error: an inbound TCP connection denied from 172.X.X.X (source behind the firewall) to the monitor at my HQ side on the inside interface.
I have the following NAT allowed:
global (outside) 1 interface
nat (inside) 0 access-list vpn
nat (inside) 1 0.0.0.0 0.0.0.0
I do not have an ACL going inside. The basic connection is as follows:
[Monitor] ---- [Main Core Switch] ------ [Router to COLO] ----- [ASA5510] --- Off inside interface device.
Regular traffic is able to pass through, but on port 2300 I am seeing the block.
Thank you,
Hi,
I think this is rather generic detail for isolating the issue. I would request you to post the relevant configuration and run a packet trace on the ASA for the traffic direction that is not working, and see what action is shown in the output.
Refer:-
https://supportforums.cisco.com/document/29601/troubleshooting-access-problems-using-packet-tracer
Thanks and Regards,
Vibhor Amrodia -
I am trying to connect our site to a remote site using the Site2Site VPN wizard. I got the IPSEC tunnel connected without issues..
The problem is that I can't ping from one network to the other...
This is our layout:
10.10.x.x/16 - - ASA5510(site1) <==> ASA5510(site2) - - 10.50.x.x/16
When I ping from the nearest switch to the ASA on 10.10.x.x network to 10.50.x.x, the ASDM syslog output says..
3 Feb 21 2012 20:51:56 10.10.x.x 10.50.x.x Deny inbound icmp src inside:10.10.x.x dst inside:10.50.x.x (type 8, code 0)
Any advice is greatly appreciated..
Thanks!!!
I am guessing you have a route on your ASA5510 that routes 10.0.0.0/8 to the inside. What you will need to do is add a static route for 10.50.0.0/16 and point it toward your ISP. The error message you are seeing is saying that (as far as it knows) traffic is going from 'inside' to 'inside', which really isn't possible without some out-of-the-ordinary configuration on the ASA.
Hope this helps.
Matt
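The reply above comes down to longest-prefix matching: a 10.0.0.0/8 route pointing inside swallows the remote 10.50.x.x network, so the ASA sees an inside-to-inside flow and logs the deny quoted in the post; a more specific 10.50.0.0/16 route toward the ISP wins and sends the packet out of the interface that holds the crypto map. The script below is an added example, not from the thread or from Cisco. It parses ASA-style `route` lines and resolves the egress interface for a destination before and after the static route is added. The routing tables are constructed to match the guess in the reply, and 203.0.113.1 (an RFC 5737 documentation address) stands in for the ISP gateway.

```python
import ipaddress

# Constructed table reflecting the guess in the reply: a /8 summary pointing inside
# plus a default route to the ISP (documentation address, not a real gateway).
ROUTES_BEFORE = """\
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.0.0.0 255.0.0.0 10.10.0.1 1
"""

# Same table with the more specific static route for the remote site added.
ROUTES_AFTER = ROUTES_BEFORE + "route outside 10.50.0.0 255.255.0.0 203.0.113.1 1\n"


def parse_routes(text):
    """Turn 'route <iface> <net> <mask> <gateway> [metric]' lines into (network, iface, gw)."""
    routes = []
    for line in text.splitlines():
        t = line.split()
        if t[:1] != ["route"]:
            continue
        iface, net, mask, gateway = t[1:5]
        routes.append((ipaddress.ip_network(f"{net}/{mask}"), iface, gateway))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the most specific matching route decides the egress."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, iface, gw in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, gw)
    return best


def classify_flow(route_text, ingress, dst, tunnel_iface="outside"):
    """Explain what the ASA will do with a packet that arrived on `ingress` for `dst`."""
    best = lookup(parse_routes(route_text), dst)
    if best is None:
        return "no route"
    egress = best[1]
    if egress == tunnel_iface:
        return f"{ingress} -> {egress} via {best[0]}: eligible for the site-to-site tunnel"
    if egress == ingress:
        return f"{ingress} -> {egress} via {best[0]}: hairpin on one interface, denied by default"
    return f"{ingress} -> {egress} via {best[0]}"


if __name__ == "__main__":
    print("before:", classify_flow(ROUTES_BEFORE, "inside", "10.50.1.1"))
    print("after: ", classify_flow(ROUTES_AFTER, "inside", "10.50.1.1"))
```

The same lookup also explains why local traffic is unaffected by the fix: 10.10.x.x destinations still match the /8 summary and stay on the inside interface in both tables.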