ASA5510 Error

Just wondering if anyone else has seen these two errors in Outlook after implementing an ASA w/CSC. I turned off ESMTP but to no avail.
Header Error:
Task 'Corporate - Receiving' reported error (0x80042107) : 'Your e-mail server does not support downloading headers.'
SMTP Error:
Task 'USERNAME - Sending' reported error (0x800CCC80) : 'None of the authentication methods supported by this client are supported by your server.'

Found this: CSCsg52277
Yes
Certain SMTP messages cannot be sent through ASA with 'inspect esmtp' on
Will be upgrading to 7.2.2 next week. I will post my results.

Similar Messages

  • ASA5510 Error Message

    %ASA-1-106021: Deny UDP reverse path check from 169.254.213.25 to 169.254.255.255 on interface Networkmgmt
    I am wondering if anyone has any information for me beyond the explanation that Cisco provides. I am sure this is an inside attack, as my outer layers have not picked up this IP. I am looking for a good way to track down what machine this IP belongs to.
    Any info would help.
    Thanks,
    Adam Filkins

    You were probably looking for the security->firewall forum; you somehow ended up in the Wireless security forums. However, at a glance that address is an automatic private IP address. All that means is that a client failed to get a DHCP address and is trying to work around it. A good description is at:
    http://compnetworking.about.com/cs/protocolsdhcp/g/bldef_apipa.htm
    The error you got is because the firewall knows that APIPA addresses are not valid on its interface. I would not be concerned about this for security reasons, but you may need to figure out what client is not working.

  • SSL webvpn ErroR

    Dear All,
    I have an issue in SSL webvpn. I have 2 ASAs (5520 and 5510 in 2 different locations in India).
    1st ASA 5520: it is in my datacenter; I have configured webvpn to access my web applications hosted in my datacenter.
    As a starter I have created a local account in the ASA for webvpn access. I am able to access the webvpn using the local credentials.
    When I try to click the URL I get the error "Internet Explorer cannot display the webpage".
    Instead of the error message I should be prompted for the username and password for the website. I have attached the "afterloginscreen_5520&5510" screenshot, which shows the SSL webvpn is working, and the second screenshot "error_page_5520" shows the error when I click the URL.
    2nd ASA 5510: it is in my other datacenter. I have configured the same and it is working fine; I have no problem in accessing the website. I have attached the screenshot "working_5510_asking_for_username&password".
    For ASA5520 the webservers are native.
    For ASA5510 the webservers are remote.
    Last month when I tried using the ASA 5520 it was working like a charm; now when I tried with both ASAs enabled, the 5520 is not working.
    6|Oct 26 2012 14:37:39|725007: SSL session with client Outside:Internet IP /1631 terminated.
    6|Oct 26 2012 14:37:40|725001: Starting SSL handshake with client Outside:Internet IP /1634 for TLSv1 session.
    6|Oct 26 2012 14:37:40|725003: SSL client Outside:Internet IP /1634 request to resume previous session.
    6|Oct 26 2012 14:37:40|725002: Device completed SSL handshake with client Outside:Internet IP/1634
    6|Oct 26 2012 14:37:40|716003: Group <omsir VPN> User <omsir> IP <Internet IP> WebVPN access GRANTED: http://URL//
    Please help me. Thanks in advance.

    Hello all
    I have solved this issue
    My ASA is licensed only for 3DES. Once I tried the AES trial version from Cisco it worked like a charm.
    I know this is weird, but what to do, this has solved the issue.
    Enjoy
    Naresh

  • Help open port on ASA5510 (version 8.3)

    Hi all,
    I configured the ASA to open ports 21, 3389, 5900 (outside access in), but when I check the ports only 21 and 3389 succeed; 5900 gives an error.
    If I configure only one port, 5900 or 3389, it's OK. I don't understand what the problem is.
    ASA5510>       
    ASA5510> ena           
    Password: ***********************                                
    ASA5510# show run                
    : Saved      
    ASA Version 8.3(1)                 
    hostname ASA5510               
    domain-name lohoi.local                      
    enable password *********************** encrypted                                         
    passwd *********************** encrypted                                
    names    
    interface Ethernet0/0                    
    description Connect_to_Modem                            
    nameif outside              
    security-level 0                
    ip address 10.0.0.2 255.255.255.0                                 
    interface Ethernet0/1                    
    description Connect_to_Router2911                                 
    nameif inside             
    security-level 100                  
    ip address 172.16.17.2 255.255.255.240                                      
    interface Ethernet0/2                    
    shutdown        
    no na   
    no security-level                 
    no ip address             
    interface Ethernet0/3                    
    shutdown        
    no nameif         
    no security-level                 
    no ip address             
    interface Management0/0                      
    description Management                      
    nameif management                 
    security-level 100                  
    ip address 192.168.1.1 255.255.255.0                                    
    ftp mode passive               
    clock timezone ICT 7                   
    dns server-group DefaultDNS                          
    domain-name lohoi.local                       
    object network obj-any                     
    subnet 0.0.0.0 0.0.0.0                      
    object network ftpserver                       
    host 192.168.88.90                  
    description FTP server                      
    object network Remote_Desktop                       
    host 192.168.100.29                   
    object network VNC                 
    host 192.168.100.4                  
    access-list 101 extended permit icmp any any                                           
    access-list 101 extended permit icmp any any echo-reply                                                      
    access-list 101 extended permit tcp any any                                          
    access-list outside_access_in extended permit tcp any object ftpserver eq ftp                                                                            
    access-list outside_in extended permit tcp any host 192.168.100.29                                                                 
    access-list outside_in extended permit tcp any host 192.168.100.4                                                                
    pager lines 24             
    mtu outside 1500               
    mtu inside 1500              
    mtu management 1500                  
    icmp unreachable rate-limit 1 burst                                
    asdm image disk0:/asdm-631.bin                             
    asdm history enable                  
    arp timeout 14400                
    object network obj-any                     
    nat (inside,outside) dynamic interface                                      
    object network ftpserver                       
    nat (inside,outside) static interface service tcp ftp ftp                                                         
    object network Remote_Desktop                            
    nat (inside,outside) static interface service tcp 3389 3389                                                           
    object network VNC                 
    nat (inside,outside) static interface service tcp 5900 5900                                                           
    access-group outside_in in interface outside                                           
    route outside 0.0.0.0 0.0.0.0 10.0.0.1 1                                       
    route inside 192.168.88.64 255.255.255.224 1                                          
    route inside 192.168.100.0 255.255.255.0 172.16.17.1 1                                                     
    timeout xlate 3:00:00                    
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02                                                                
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00                                                                             
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00                                                                              
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute                                                           
    timeout tcp-proxy-reassembly 0:01:00                                   
    dynamic-access-policy-record DfltAccessPolicy                                            
    aaa authentication ssh console LOCAL                                   
    http server enable                 
    http 192.168.1.0 255.255.255.0 management                                        
    http authentication-certificate inside                                     
    http authentication-certificate management                                         
    no snmp-server location                      
    no snmp-server contact                     
    snmp-server enable traps snmp authentication linkup linkdown coldstart                                                                     
    crypto ipsec security-association lifetime seconds 28800                                                       
    crypto ipsec security-association lifetime kilobytes 4608000                                                           
    telnet timeout 5               
    ssh 192.168.100.0 255.255.255.0 inside                                     
    ssh timeout 5            
    console timeout 0                
    threat-detection basic-threat                            
    threat-detection statistics access-list                                      
    no threat-detection statistics tcp-intercept                                           
    webvpn     
    username admin password *********************** encrypted privilege 15                                                              
    class-map inspection_default                           
    match default-inspection-traffic                                
    policy-map type inspect dns preset_dns_map                                         
    parameters          
      message-length maximum client auto                                   
      message-length maximum 512                           
    policy-map global_policy                       
    class inspection_default                        
      inspect dns preset_dns_map                           
      inspect ftp            
      inspect h323 h225                  
      inspect h323 ras                 
      inspect rsh            
      inspect rtsp             
      inspect esmtp              
      inspect sqlnet               
      inspect skinny               
      inspect sunrpc               
      inspect xdmcp              
      inspect sip            
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:667cb3ec729681c78ccab9a57abd89df
    : end
    ASA5510#

    ASA5510# show run                
    : Saved      
    ASA Version 8.3(1)                 
    hostname ASA5510               
    domain-name lohoi.local                      
    enable password ****************** encrypted                                         
    passwd ****************** encrypted                                
    names    
    interface Ethernet0/0                    
    description Connect_to_Modem                            
    nameif outside              
    security-level 0                
    ip address 10.0.0.2 255.255.255.0                                 
    interface Ethernet0/1                    
    description Connect_to_Router2911                                 
    nameif inside             
    security-level 100                  
    ip address 172.16.17.2 255.255.255.240                                      
    interface Ethernet0/2                    
    shutdown        
    no nameif         
    no security-level                 
    no ip address             
    interface Ethernet0/3                    
    shutdown        
    no nameif         
    no security-level                 
    no ip address             
    interface Management0/0                      
    description Management                      
    nameif management                 
    security-level 100                  
    ip address 192.168.1.1 255.255.255.0                                    
    ftp mode passive               
    clock timezone ICT 7                   
    dns server-group DefaultDNS                          
    domain-name lohoi.local                       
    object network obj-any                     
    subnet 0.0.0.0 0.0.0.0                      
    object network ftpserver                       
    host 192.168.88.90                  
    description FTP server                      
    object network remote_desktop                            
    host 192.168.100.2                  
    object network remote_vnc                        
    host 192.168.100.4                  
    access-list 101 extended permit icmp any any                                           
    access-list 101 extended permit icmp any any echo-reply                                                      
    access-list 101 extended permit tcp any any                                          
    access-list outside_access_in extended permit tcp any object ftpserver eq ftp                                                                            
    access-list outside_access_in extended permit tcp any host 192.168.100.4 eq 5900                                                                               
    access-list outside_access_in extended permit tcp any host 192.168.100.2 eq 3389                                                                               
    pager lines 24             
    mtu outside 1500               
    mtu inside 1500              
    mtu management 1500                  
    icmp unreachable rate-limit 1 burst-size 1                                         
    asdm image disk0:/asd                  
    asdm history enable                  
    arp timeout 14400                
    object network obj-any                     
    nat (inside,outside) dynamic interface                                      
    object network ftpserver                       
    nat (inside,outside) static interface service tcp ftp ftp                                                         
    object network remote_desktop                            
    nat (inside,outside) static interface service tcp 3389 3389                                                           
    object network remote_vnc                        
    nat (inside,outside) static interface service tcp 5900 5900                                                           
    access-group outside_access_in in interface outside                                                  
    route outside 0.0.0.0 0.0.0.0 10.0.0.1 1                                       
    route inside 192.168.88.64 255.255.255.224 172.16.17.1 1                                                       
    route inside 192.168.100.0 255.255.255.0 172.16.17.1 1                                                     
    timeout xlate 3:00:00                    
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02                                                                
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00                                                                             
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00                                                                              
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute                                                           
    timeout tcp-proxy-reassembly 0:01:00                                   
    dynamic-access-policy-record DfltAccessPolicy                                            
    aaa authentication ssh console LOCAL                                   
    http server enable                 
    http 192.168.1.0 255.255.255.0 management                                        
    http authentication-certificate inside                                     
    http authentication-certificate management                                         
    no snmp-server location                      
    no snmp-server contact                     
    snmp-server enable traps snmp authentication linkup linkdown coldstart                                                                     
    crypto ipsec security-association lifetime seconds 28800                                                       
    crypto ipsec security-association lifetime kilobytes 4608000                                                           
    telnet timeout 5               
    ssh 192.168.100.0 255.255.255.0 inside                                     
    ssh timeout 5            
    console timeout 0                
    threat-detection basic-threat                            
    threat-detection statistics access-list                                      
    no threat-detection statistics tcp-intercept                                           
    webvpn     
    username admin password ****************** encrypted privilege 15                                                              
    class-map inspection_default                           
    match default-inspection-traffic                                
    policy-map type inspect dns preset_dns_map                                         
    parameters          
      message-length maximum client auto                                   
      message-length maximum 512                           
    policy-map global_policy                       
    class inspection_default                        
      inspect dns preset_dns_map                           
      inspect ftp            
      inspect h323 h225                  
      inspect h323 ras                 
      inspect rsh            
      inspect rtsp             
      inspect esmtp              
      inspect sqlnet               
      inspect skinny               
      inspect sunrpc               
      inspect xdmcp              
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:4f061a213185354518601f754e41494c
    : end
    ASA5510#
    So I configured it again, but I'm still not able to access port 5900.
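    A consistency check of the kind a reviewer would run over the first show run above, as an added example (not from the thread or from Cisco): it parses a subset of ASA 8.3 syntax, resolves each static service NAT to its network object's real host, and reports whether the access-list bound to the outside interface permits that real address and port (on 8.3 and later the interface ACL is evaluated against real, untranslated addresses). The sample configuration is constructed from the object, access-list, NAT and access-group lines of the first dump.

```python
"""Cross-check ASA 8.3+ static service NAT entries against the inbound ACL.

Added example, not from the thread. It parses only the subset of syntax used in
the post (object network/host, object NAT 'static interface service', extended
permit ACL lines with a host or object destination, access-group); other lines
are ignored.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample modelled on the first running-config in the thread.
SAMPLE_CONFIG = """\
object network ftpserver
 host 192.168.88.90
object network Remote_Desktop
 host 192.168.100.29
object network VNC
 host 192.168.100.4
access-list outside_access_in extended permit tcp any object ftpserver eq ftp
access-list outside_in extended permit tcp any host 192.168.100.29
access-list outside_in extended permit tcp any host 192.168.100.4
object network ftpserver
 nat (inside,outside) static interface service tcp ftp ftp
object network Remote_Desktop
 nat (inside,outside) static interface service tcp 3389 3389
object network VNC
 nat (inside,outside) static interface service tcp 5900 5900
access-group outside_in in interface outside
"""

# Port keywords the ASA accepts in place of numbers (small subset).
PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "www": 80, "https": 443}

def port_num(token: str) -> int:
    return int(token) if token.isdigit() else PORT_NAMES[token]

@dataclass
class AclEntry:
    acl: str
    proto: str
    dst_host: Optional[str]  # literal destination IP, or None when an object is named
    dst_obj: Optional[str]
    port: Optional[int]      # None means any destination port

@dataclass
class Config:
    hosts: dict = field(default_factory=dict)   # object name -> real host IP
    nats: list = field(default_factory=list)    # (object, proto, real_port, mapped_port)
    acls: list = field(default_factory=list)    # AclEntry, in configuration order
    groups: dict = field(default_factory=dict)  # interface -> bound ACL name

OBJ_RE = re.compile(r"^object network (\S+)$")
HOST_RE = re.compile(r"^host (\S+)$")
NAT_RE = re.compile(r"^nat \(\S+,\S+\) static interface service (tcp|udp) (\S+) (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) extended permit (tcp|udp) any (?:host (\S+)|object (\S+))(?: eq (\S+))?$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")

def parse_config(text: str) -> Config:
    cfg = Config()
    current = None  # name of the 'object network' block we are inside
    for raw in text.splitlines():
        line = raw.strip()
        if m := OBJ_RE.match(line):
            current = m.group(1)
        elif m := HOST_RE.match(line):
            cfg.hosts[current] = m.group(1)
        elif m := NAT_RE.match(line):
            cfg.nats.append((current, m.group(1), port_num(m.group(2)), port_num(m.group(3))))
        elif m := ACL_RE.match(line):
            acl, proto, host, obj, port = m.groups()
            cfg.acls.append(AclEntry(acl, proto, host, obj, port_num(port) if port else None))
        elif m := GROUP_RE.match(line):
            cfg.groups[m.group(2)] = m.group(1)
    return cfg

def check_inbound(cfg: Config, interface: str = "outside") -> dict:
    """Map each static service NAT object to 'ok' or a description of the gap.

    From 8.3 on the interface ACL is matched against the real (untranslated)
    address, so the permit must name the object's real host and real port, and
    the ACL must actually be bound to the interface with access-group.
    """
    acl_name = cfg.groups.get(interface)
    results = {}
    for obj, proto, real_port, mapped_port in cfg.nats:
        if acl_name is None:
            results[obj] = f"no access-group bound to {interface}"
            continue
        real_ip = cfg.hosts.get(obj)
        permitted = any(e.acl == acl_name and e.proto == proto
                        and (e.dst_host or cfg.hosts.get(e.dst_obj)) == real_ip
                        and e.port in (None, real_port) for e in cfg.acls)
        results[obj] = "ok" if permitted else f"{proto}/{mapped_port} translated but not permitted by {acl_name}"
    return results

if __name__ == "__main__":
    for obj, verdict in check_inbound(parse_config(SAMPLE_CONFIG)).items():
        print(f"{obj:15} {verdict}")
```

    Run as a script it prints one verdict per translated object; it evaluates only what the configuration text declares and knows nothing about routing, the inspection engines, or whether the server is actually listening.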

  • How to validate SSL cert on ASA5510, before changing DNS?

    I have recently installed an SSL certificate from a third party CA (GoDaddy) into an ASA5510 that I will be using as a VPN appliance for AnyConnect clients.
    The ASA is going to replace our VPN server, which currently has the vpn.domain.com FQDN assigned to its IP address in public DNS.
    Is there a way for me to properly validate that the SSL cert will work without any issues (i.e. no invalid error messages popping up on users' AnyConnect clients) from the Internet, before I cut over public DNS to point to the public-facing interface on the ASA5510, which is where vpn.company.com will ultimately be pointing?

    Put vpn.domain.com in your local PC hosts file with the new IP. Then try Anyconnect.

  • ASA5510 - Accessing Anyconnect via other local Interface

    Hello - I hope someone can help.
    I have a scenario where there is an ASA5510 configured as follows:
    Interface0 = Outside
    Interface1 = LAN
    Interface2 = DMZ
    Interface3 = unused
    Running ASA version 8.2[1]
    All network operations are fine, as are the IPSEC tunnels to other branch offices, and the incoming SSL VPN accessed via the IP address assigned to the external adapter.
    My problem is that I have a device on the DMZ that needs to access the AnyConnect service hosted on the external adapter so that it can access LAN resources.  When I try accessing it, I see the following errors appearing in the debug log:
    3 | Dec 03 2012 | 12:10:50 | 710003 | [DMZ client address] | 51031 | [AnyConnect ExternalAddress] | 443 | TCP access denied by ACL from [DMZ client address]/51031 to DMZ:[AnyConnect ExternalAddress]/443
    If you look closely, it suggests an ACL issue from the DMZ client to the external AnyConnect IP address BUT it suggests the Anyconnect IP address is on the DMZ interface.
    Has anyone seen this before? 
    Thanks in advance for any help.

    In this scenario, you will have to enable AnyConnect on the DMZ interface to let DMZ users establish an AnyConnect tunnel and allow access to LAN resources, since from the DMZ or any other LAN interface you cannot directly VPN to the external interface.
    For reference, check https://supportforums.cisco.com/message/3801168#3801168 as similar discussion has happened in it as well.
    Regards,
    Anuj

  • Change ASA5510 to ASA5515-X

    Hi,
    I would like to change ASA5510 to ASA5515-X.
    ASA5510 version is 9.1.1
    Which is the best method to copy the configuration?
    Downtime is acceptable.
    I don't know if backing up the ASA5510 configuration (with ASDM) and restoring it on the 5515 would work because of their differences (Ethernet vs. GigabitEthernet, for example...).
    Thanks for your help,
    Patrick

    What I've done to copy the ASA 5510 configuration to the ASA 5515-X without error...
    On ASA 5510:
    - backup configuration with ASDM --> backup.zip with password
    - copy running-config to a file: backup.cfg
    I modified a few lines in backup.cfg:
    - Ethernet to GigabitEthernet
    - boot image
    On ASA 5515-X:
    - I configured the management interface, then I copied several files (dap.xml, <allvpnprofiles>.xml, anyconnect.pkg, ASA, ASDM, backup.cfg)
    - I configured "boot system" and "asdm image"
    - in ASDM, I restored with the wizard and selected Certificate and VPN (but VPN data was not restored)
    - with the CLI, I copied backup.cfg to running-config, then write mem
    - there were only a few warnings and there was no error after reboot.
    I didn't try to connect in production, but the configuration seems correct.
    Patrick

  • CTM ERROR: ASA hardware accelerator init failed

    Hi Guys, I have bought a refurbished firewall and upon reloading I see the following error on the console. Is this something that I can rectify?
    Loading disk0:/asa904-k8.bin... Booting...
    Platform ASA5510
    Loading...
    IO memory blocks requested from bigphys 32bit: 13264
    dosfsck 2.11, 12 Mar 2005, FAT32, LFN
    Starting check/repair pass.
    Starting verification pass.
    /dev/hda1: 104 files, 12459/63613 clusters
    dosfsck(/dev/hda1) returned 0
    Processor memory 864026624, Reserved memory: 62914560
    Total SSMs found: 0
    Total NICs found: 7
    mcwa i82557 Ethernet at irq 11  MAC: d0d0.fd1d.5d57
    mcwa i82557 Ethernet at irq  5  MAC: 0000.0001.0001
    i82547GI rev00 Gigabit Ethernet @ irq11 dev 1 index 05 MAC: 0000.0001.0002
    i82546GB rev03 Ethernet @ irq09 dev 2 index 03 MAC: d0d0.fd1d.5d5b
    i82546GB rev03 Ethernet @ irq09 dev 2 index 02 MAC: d0d0.fd1d.5d5a
    i82546GB rev03 Ethernet @ irq09 dev 3 index 01 MAC: d0d0.fd1d.5d59
    i82546GB rev03 Ethernet @ irq09 dev 3 index 00 MAC: d0d0.fd1d.5d58
    Verify the activation-key, it might take a while...
    Running Permanent Activation Key: 0x6122cb5d 0xc06c1a74 0xec92a120 0xbd44e8e8 0x8e372a8a 
    Licensed features for this platform:
    Maximum Physical Interfaces       : Unlimited      perpetual
    Maximum VLANs                     : 100            perpetual
    Inside Hosts                      : Unlimited      perpetual
    Failover                          : Active/Active  perpetual
    Encryption-DES                    : Enabled        perpetual
    Encryption-3DES-AES               : Enabled        perpetual
    Security Contexts                 : 2              perpetual
    GTP/GPRS                          : Disabled       perpetual
    AnyConnect Premium Peers          : 2              perpetual
    AnyConnect Essentials             : Disabled       perpetual
    Other VPN Peers                   : 250            perpetual
    Total VPN Peers                   : 250            perpetual
    Shared License                    : Disabled       perpetual
    AnyConnect for Mobile             : Disabled       perpetual
    AnyConnect for Cisco VPN Phone    : Disabled       perpetual
    Advanced Endpoint Assessment      : Disabled       perpetual
    UC Phone Proxy Sessions           : 2              perpetual
    Total UC Proxy Sessions           : 2              perpetual
    Botnet Traffic Filter             : Disabled       perpetual
    Intercompany Media Engine         : Disabled       perpetual
    Cluster                           : Disabled       perpetual
    This platform has an ASA 5510 Security Plus license.
    CTM ERROR: ASA hardware accelerator init failed, cause: boot_init completion timeout, ctm_nlite_boot_init:2284
    CTM ERROR: ASA hardware accelerator init failed, cause: boot initialization failure, ctm_nlite_download:3342
    CRYPTO ERROR: Microcode download failure, boot instance 0
    Cisco Adaptive Security Appliance Software Version 9.0(4) 
    Thanks in advance

    Hi Mike,
    Thanks for your reply.  Considering it was at an early stage I had asked the supplier to replace it.
    Regards
    Stefan

  • Aip-ssm-10 cplane error

    Hello,
    I have a problem with my IPS module in an ASA5510. After a central power failure the module stopped working.
    The status of the module is "Unresponsive" (per the show module command). All attempts to bring it back ended with this status.
    I tried "hw-module module 1 reset", "hw-module module 1 recover", and removing and re-inserting the module with a reload of the appliance, but no success.
    During these tests I set "debug cplane 255" and saw these messages:
    cp_connect: Connecting to card 1, socket 7, port 7000
    cp_connect: Error - cp_connect() returned -1
    cp_check_connection: handle -1, conflicts with connection 1 (-1)
    cp_check_connection: handle -1, conflicts with connection 2 (-1)
    cp_check_connection: handle -1, conflicts with connection 3 (-1)
    cp_update_connection: Error updating connection_id 0
    Does anybody know what it means? I tried to find any information on the web about it, but no success.
    Unfortunately, this device isn't under contract any more, so I cannot open a case.
    I cannot reconcile myself to the idea that it is a hardware failure and the module is dead.
    Thanks for any advice.
    Radek

    Either your module is sick or the backplane on your 5510 has problems.
    Do you have another 5500 chassis to put this module into to test?
    - Bob

  • ASDM problem on ASA5510

    Hi,
    I am trying to access a Cisco ASA5510 using ASDM but am not successful. The running config file is attached herewith. I have tried to debug ASDM and HTTP and got the following error...
    HTTP: processing handoff to legacy admin server [/admin]
    HTTP: session verified =  [0]
    HTTP: processing GET URL '/admin' from host 6.6.6.10
    HTTP: redirecting to: /admin/public/index.html
    HTTP: session verified =  [0]
    HTTP: processing GET URL '/admin/public/index.html' from host 6.6.6.10
    HTTP: authentication not required
    HTTP: file not found: public/index.html
    HTTP: processing handoff to legacy admin server [/favicon.ico]
    HTTP: session verified =  [0]
    HTTP: processing GET URL '/favicon.ico' from host 6.6.6.10
    HTTP: authentication required, no authentication information was provided
    I have tried my best to troubleshoot but not successful. Please help to resolve the issue.
    Arshi

    Hi Arshi,
    The problem should be related to ASDM version compatibility: you are using an ASDM version that is incompatible with your ASA IOS version. ASA 8.2(1) requires ASDM version 6.2(1) or later, and the recommended version would be 7.3(1).
    Regards,
    Aref

  • IAS 2003 and ASA5510

    We are using an ASA5510 as our VPN gateway and MS IAS 2003 for RADIUS & AAA. Using the Cisco VPN client it is not able to authenticate. I get the following error in Event Viewer:
    Policy-Name = Dialup Group
    Authentication-Type = PAP
    EAP-Type = <undetermined>
    Reason-Code = 66
    Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.

    I just dealt with this. Go into your IAS console and select properties for your remote access policy 'Dialup Group.' Click 'Edit Profile' and then the 'Authentication' tab. Enable 'PAP'. That should do it!

  • Replacement of primary unit failed! (ASA5510 active/standby)

    Hi all,
    I have an issue bringing up my RMA'd primary ASA unit.
    So what happened so far:
    1. primary unit failed
    2. secondary took over and is now secondary - active (as per sh fail)
    3. requested RMA at Cisco
    4. got ASA and checked that Lic (SSL), OS (8.2.2) and ASDM are at the same level as the secondary
    5. issued wr erase and reloaded
    6. copied the following commands to the new (RMA) primary unit:
    failover lan unit primary
    failover lan interface Failover Ethernet3
    failover interface ip Failover 172.x.x.9 255.255.255.248 standby 172.x.x.10
    int eth3
    no shut
    failover
    wr mem
    7. installed primary unit into rack
    8. plugged in all cables (network, failover, console and power)
    9. fired up the primary unit
    10. expected that the unit shows:
    Detected an Active mate
    Beginning configuration replication from mate.
    End configuration replication from mate.
    11. but nothing happened on the primary unit
    So can anyone give me assistance on what is a valid and viable approach to replacing a failed primary unit? Is there a missing step that prevents me from successfully replicating the secondary - active config to the primary - standby unit?
    I was looking for help on the net but unfortunately I was not able to find anything related to ASA55xx primary unit replacement with a clear guideline or step by step instructions.
    Any comments or suggestions are appreciated, and might help others who are in the same situation.
    Thanks,
    Nico

    Hi Varun,
    Thanks for catching up on this thread.
    Here you go:
    sh run fail on secondary - active:
    failover
    failover lan unit secondary
    failover lan interface Failover Ethernet0/3
    failover key *****
    failover link Failover Ethernet0/3
    failover interface ip Failover 172.x.x.9 255.255.255.248 standby 172.x.x.10
    sh fail hist on secondary - active:
    asa1# sh fail hist
    ==========================================================================
    From State                 To State                   Reason
    ==========================================================================
    23:47:15 CEST Feb 19 2011
    Not Detected               Negotiation                No Error
    23:47:19 CEST Feb 19 2011
    Negotiation                Cold Standby               Detected an Active mate
    23:47:21 CEST Feb 19 2011
    Cold Standby               Sync Config                Detected an Active mate
    23:47:36 CEST Feb 19 2011
    Sync Config                Sync File System           Detected an Active mate
    23:47:36 CEST Feb 19 2011
    Sync File System           Bulk Sync                  Detected an Active mate
    23:47:50 CEST Feb 19 2011
    Bulk Sync                  Standby Ready              Detected an Active mate
    10:34:09 CEDT Sep 3 2011
    Standby Ready              Just Active                HELLO not heard from mate
    10:34:09 CEDT Sep 3 2011
    Just Active                Active Drain               HELLO not heard from mate
    10:34:09 CEDT Sep 3 2011
    Active Drain               Active Applying Config     HELLO not heard from mate
    10:34:09 CEDT Sep 3 2011
    Active Applying Config     Active Config Applied      HELLO not heard from mate
    10:34:09 CEDT Sep 3 2011
    Active Config Applied      Active                     HELLO not heard from mate
    ==========================================================================
    sh fail on secondary - active
    asa1# show fail
    Failover On
    Failover unit Secondary
    Failover LAN Interface: Failover Ethernet0/3 (up)
    Unit Poll frequency 1 seconds, holdtime 15 seconds
    Interface Poll frequency 5 seconds, holdtime 25 seconds
    Interface Policy 1
    Monitored Interfaces 2 of 110 maximum
    Version: Ours 8.2(2), Mate 8.2(2)
    Last Failover at: 10:34:09 CEDT Sep 3 2011
            This host: Secondary - Active
                    Active time: 441832 (sec)
                    slot 0: ASA5510 hw/sw rev (2.0/8.2(2)) status (Up Sys)
                      Interface Outside (x.x.x.14): Normal (Waiting)
                      Interface Inside (x.x.x.11): Normal (Waiting)
                    slot 1: empty
            Other host: Primary - Failed
                    Active time: 40497504 (sec)
                    slot 0: ASA5510 hw/sw rev (2.0/8.2(2)) status (Unknown/Unknown)
                      Interface Outside (x.x.x.15): Unknown
                      Interface Inside (x.x.x.12): Unknown
                    slot 1: empty
    Stateful Failover Logical Update Statistics
            Link : Failover Ethernet0/3 (up)
            Stateful Obj    xmit       xerr       rcv        rerr
            General         2250212    0          64800624   309
            sys cmd         2250212    0          2249932    0
            up time         0          0          0          0
            RPC services    0          0          0          0
            TCP conn        0          0          46402635   309
            UDP conn        0          0          21248      0
            ARP tbl         0          0          15921639   0
            Xlate_Timeout   0          0          0          0
            IPv6 ND tbl     0          0          0          0
            VPN IKE upd     0          0          96977      0
            VPN IPSEC upd   0          0          108174     0
            VPN CTCP upd    0          0          19         0
            VPN SDI upd     0          0          0          0
            VPN DHCP upd    0          0          0          0
            SIP Session     0          0          0          0
            Logical Update Queue Information
                            Cur     Max     Total
            Recv Q:         0       17      203259096
            Xmit Q:         0       1       2250212
    show ver on secondary - active
    asa1# sh ver
    Cisco Adaptive Security Appliance Software Version 8.2(2)
    Device Manager Version 6.2(5)53
    Compiled on Mon 11-Jan-10 14:19 by builders
    System image file is "disk0:/asa822-k8.bin"
    Config file at boot was "startup-config"
    asa1 up 200 days 12 hours
    failover cluster up 1 year 108 days
    Hardware:   ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
    Internal ATA Compact Flash, 256MB
    Slot 1: ATA Compact Flash, 64MB
    BIOS Flash M50FW080 @ 0xffe00000, 1024KB
    Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                                 Boot microcode   : CN1000-MC-BOOT-2.00
                                 SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                                 IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
    0: Ext: Ethernet0/0         : address is 0022.55cf.7420, irq 9
    1: Ext: Ethernet0/1         : address is 0022.55cf.7421, irq 9
    2: Ext: Ethernet0/2         : address is 0022.55cf.7422, irq 9
    3: Ext: Ethernet0/3         : address is 0022.55cf.7423, irq 9
    4: Ext: Management0/0       : address is 0022.55cf.741f, irq 11
    5: Int: Not used            : irq 11
    6: Int: Not used            : irq 5
    Licensed features for this platform:
    Maximum Physical Interfaces    : Unlimited
    Maximum VLANs                  : 100
    Inside Hosts                   : Unlimited
    Failover                       : Active/Active
    VPN-DES                        : Enabled
    VPN-3DES-AES                   : Enabled
    Security Contexts              : 2
    GTP/GPRS                       : Disabled
    SSL VPN Peers                  : 10
    Total VPN Peers                : 250
    Shared License                 : Disabled
    AnyConnect for Mobile          : Disabled
    AnyConnect for Cisco VPN Phone : Disabled
    AnyConnect Essentials          : Disabled
    Advanced Endpoint Assessment   : Disabled
    UC Phone Proxy Sessions        : 2
    Total UC Proxy Sessions        : 2
    Botnet Traffic Filter          : Disabled
    This platform has an ASA 5510 Security Plus license.
    Serial Number: xxx
    Running Activation Key:xxxx
    Configuration register is 0x1
    Configuration last modified by enable_1 at 10:05:32.149 CEDT Fri Jul 15 2011
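As an added example (not from the thread or from Cisco), this Python check parses the two failover stanzas quoted above, the lines typed on the replacement primary and the secondary's "sh run fail", and reports every setting that differs or exists on one unit only, since the failover LAN interface, key and interface IP have to agree on both units before they can pair. The key is masked in show output, so only its presence is compared.

```python
import re

# Constructed from the two stanzas quoted in the thread: the failover lines typed
# on the replacement (primary) unit, and "sh run fail" from the surviving secondary.
PRIMARY_CMDS = """\
failover lan unit primary
failover lan interface Failover Ethernet3
failover interface ip Failover 172.x.x.9 255.255.255.248 standby 172.x.x.10
failover
"""
SECONDARY_RUN_FAIL = """\
failover
failover lan unit secondary
failover lan interface Failover Ethernet0/3
failover key *****
failover link Failover Ethernet0/3
failover interface ip Failover 172.x.x.9 255.255.255.248 standby 172.x.x.10
"""
# Settings that have to agree on both units before they can pair; only the unit role
# is expected to differ. The key is masked in show output, so only presence is compared.
SHARED_KEYS = ("lan interface", "link", "interface ip", "key")

def parse_failover(cfg):
    """Map each failover sub-command ('lan unit', 'key', ...) to its argument string."""
    settings = {}
    for line in cfg.splitlines():
        m = re.match(r"failover (lan unit|lan interface|link|interface ip|key) (.+)", line.strip())
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def compare_failover(primary_cfg, secondary_cfg):
    """Return one finding per shared setting that differs or exists on one unit only."""
    p, s = parse_failover(primary_cfg), parse_failover(secondary_cfg)
    findings = []
    for key in SHARED_KEYS:
        pv, sv = p.get(key), s.get(key)
        if pv == sv:
            continue
        if pv is None or sv is None:
            missing = "primary" if pv is None else "secondary"
            findings.append(f"failover {key}: configured on one unit only (missing on {missing})")
        else:
            findings.append(f"failover {key}: primary '{pv}' vs secondary '{sv}'")
    # Exactly one unit must be primary and one secondary, otherwise they will not pair.
    if {p.get("lan unit"), s.get("lan unit")} != {"primary", "secondary"}:
        findings.append("failover lan unit: roles must be one primary and one secondary")
    return findings
```

Run against the two stanzas from the thread it reports the interface-name difference and the two commands present only on the secondary; an empty list means the stanzas are consistent.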

  • Can't connect to a customer when I'm connected to my ASA5510 VPN.

    Hi.
    I need to connect to a remote customer from home via the office's vpn.
    When I am physically at the office, I can connect no problem to my customer's secured gateway using my Internet Explorer browser (https://...).
    (NB - when I go to the site speedtest.net, it indicated that my source IP address is our office's Internet Supplier - Bell.ca 67.70.xxx.x - which is correct).
    When I am home, I connect VPN (with Cisco VPN Client) to my office's Cisco ASA5510. I then open my Internet Explorer browser and enter my customer's https:// address, unfortunately I get the error message saying I am not authorised to connect to the site.
    I go to the site speedtest.net, and my source IP address is my home's Internet supplier (Videotron.ca 24.200.162.27).
    My customer will only allow me in if the source ip is from  Bell.ca 67.70.xxx.x (office) not Videotron.ca 24.200.162.27 (home).
    How can I resolve my problem? I created a separate group policy, tried different Split Tunnel Policies, actually tried all I can think of!!
    I was certain it had to do with the Split Tunnel Policy in the Group Policy but I'm not sure anymore.
    Any suggestions?
    Thanks 

    Your VPN would have to DISALLOW split tunnel, making all your Internet traffic come from the office network when you are VPN-connected.

  • ASA5510 %ASA-2-106001 connection denied

    Hi,
    I am having issues for one service to connect to a monitor on the inside of my ASA firewall. I am getting %ASA-2-106001 as the log error and there is an inbound TCP connection denied from 172.X.X.X (source behind firewall) to the monitor at my HQ side on the inside interface.
    I have the following NAT allowed:
    global (outside) 1 interface
    nat (inside) 0 access-list vpn
    nat (inside) 1 0.0.0.0 0.0.0.0
    I do not have an ACL going inside. The basic connection is as follows:
    [Monitor] ---- [Main Core Switch] ------ [Router to COLO] ----- [ASA5510] --- Off inside interface device.
    Regular traffic is able to pass through, but on port 2300 I am seeing the block.
    Thank you,

    Hi,
    I think this might be generic detail for isolating this issue. I would request you to post the relevant configuration and run a packet trace on the ASA device for the traffic direction which is not working and see what action is seen in the output.
    Refer:-
    https://supportforums.cisco.com/document/29601/troubleshooting-access-problems-using-packet-tracer
    Thanks and Regards,
    Vibhor Amrodia

  • ASA5510 Site2Site Wizard

    I am trying to connect our site to a remote site using the Site2Site VPN wizard.  I got the IPSEC tunnel connected without issues..
    The problem is that I can't ping from one network to the other...
    This is our layout:
    10.10.x.x/16 - - ASA5510(site1) <==> ASA5510(site2) - - 10.50.x.x/16
    When I ping from the nearest switch to the ASA on 10.10.x.x network to 10.50.x.x, the ASDM syslog output says..
    3  Feb 21 2012  20:51:56  10.10.x.x  10.50.x.x  Deny inbound icmp src inside:10.10.x.x dst inside:10.50.x.x (type 8, code 0)
    Any advice is greatly appreciated..
    Thanks!!!

    I am guessing you have a route on your ASA5510 that routes 10.0.0.0/8 to the inside.  What you will need to do is add a static route for 10.50.0.0/16 and point it toward your ISP.  The error message you are seeing is saying that (as far as it knows) traffic is going from 'inside' to 'inside' which really isn't possible without some out of the ordinary configuration on the ASA.
    Hope this helps.
    Matt
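To illustrate Matt's point, an added Python example (not part of the thread) parses the ASDM deny line quoted above and runs the destination through two constructed route tables: one with only a 10.0.0.0/8 route to inside, and the same table after the suggested 10.50.0.0/16 static route toward the ISP. The masked octets in the syslog line are filled with made-up host addresses.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed syslog line based on the one quoted in the thread; the masked octets
# have been filled with made-up host addresses.
SYSLOG = "Deny inbound icmp src inside:10.10.1.5 dst inside:10.50.2.9 (type 8, code 0)"

# Constructed route tables (prefix -> egress interface): the guessed "10/8 to inside"
# situation, and the same table after adding the static route Matt suggests.
ROUTES_BEFORE = {"10.0.0.0/8": "inside", "0.0.0.0/0": "outside"}
ROUTES_AFTER = {**ROUTES_BEFORE, "10.50.0.0/16": "outside"}

DENY_RE = re.compile(r"Deny inbound (\w+) src (\w+):(\S+) dst (\w+):(\S+)")

def parse_deny(line):
    """Pull protocol, interfaces and addresses out of an ASA 'Deny inbound' message."""
    m = DENY_RE.search(line)
    if not m:
        raise ValueError("not a 'Deny inbound' message: " + line)
    proto, src_if, src, dst_if, dst = m.groups()
    return {"proto": proto, "src_if": src_if, "src": src, "dst_if": dst_if, "dst": dst}

def egress_interface(routes, dst):
    """Longest-prefix match over the table, which is how the ASA picks the egress interface."""
    addr = ip_address(dst)
    candidates = [ip_network(p) for p in routes if addr in ip_network(p)]
    best = max(candidates, key=lambda n: n.prefixlen)
    return routes[str(best)]

def triage(line, routes):
    """Say whether the log shows an inside-to-inside hairpin and where the table sends the packet."""
    d = parse_deny(line)
    return {
        "same_interface_in_log": d["src_if"] == d["dst_if"],
        "egress_with_table": egress_interface(routes, d["dst"]),
    }
```

With ROUTES_BEFORE the 10.50.x.x destination resolves to inside, matching the "inside to inside" deny in the log; with the /16 added it resolves to outside, which is the path the IPsec tunnel needs.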
