Authentication Speed
Hello,
I am trying to speed up the amount of time it takes for a WLAN client using PEAP with OTP to authenticate to the WLAN.
Currently, it can take up to 2 minutes before a user is prompted to authenticate. Is there any way of speeding this up?
I know on the AP you can configure the Authentication server timeout and retries, is there a similar function that works for communication between the AP and client?
I have seen 'EAP retry limite reached for user X' appear. I think this happens because the PC is busy performing OS logon and scripts, so cannot respond to the network logon, hence this process times out.
Any ideas?
Many Thanks
Abdul
Thanks for the response...
I think you're right, it is a combination of the problems... the Windows boot-up time is long, but we can live with that.
The delayed authentication issues happen at boot-up and when the PC is re-authenticating after being out of range or coming out of suspend. So, even after the PC is fully booted, the association process is lengthy.
My aim is to package the solution so it can be used by 'end-users' with minimum clicks, and user intervention. As such an ideal solution would be:
A user boots up his/her machine (which may take an extra 30 seconds or so) and is then prompted with a single logon box, which will allow the user to log on without timing out, and provide a dialogue box back if an incorrect password has been entered. If a user roams into a WLAN coverage area, then again a box pops up straight away. When you're used to not authenticating to the network (as with Ethernet) it is very frustrating to have to wait for 3 or 4 minutes to use the network. After all, we are promoting mobility!
Similar Messages
-
Authentication Speed at a crawl
Two days ago when my users (hs students) log in (LDAP), it takes now over 5 minutes for their desktop/dock to appear. Also, Server Admin on the local box will not launch, and sometimes Server Admin from my laptop will not connect to the server. We did install 10.5.5 a few days ago, but installed it elsewhere and not having problems in other buildings.
What things can I check or could be causing this authentication bog down? If I log in as a local admin user, I can get all over the network/web just fine, it's when I attempt to log in as an LDAP user that I sit and wait.
Thanks!
The first thing to check is DNS. You need working DNS (both forward and reverse) for your server and for the clients on the network.
If DNS isn't working properly it can cause all sorts of delays while the server tries to resolve the client IP address (and ultimately fails).
If that's not the problem, the second thing to check is a duplex mismatch on the server - check that the server's ethernet port and the switch it's connected to are set to the same mode (e.g. 1000-full).
-
I have a ZCM Zone originally built with ZCM 10.2 and has been updated over the years to 11.2.3 and soon to be updated to 11.3.1
The Zone services 15,000 devices with over 30k users (school district). The network topology is central, each school has a 10GB fiber link to the data center. Entire Zone is built on a VMWare vSphere 5 platform.
Current design consists of 1 dedicated ZCC server, 1 dedicated Inventory server, 2 dedicated image servers, and 12 Authentication/Content/Config servers. Database is SQL 2008 R2 on its own VM. Typical guest machine config uses 2 vCPU 8GB vRAM. All run on Windows 2008 R2 SP1. SQL server uses 2 vCPU and 24GB of vRAM. DB has grown to 43GB in size (gets up to 60+GB before DB maintenance operations are run).
In ZCM 10, the closest server rules were setup to split the user traffic among four selected servers for the site. When the closest server rules allowed for groups, it was enabled to get the round robin functionality. Was never able to get the needed data from my customer to fully implement Locations, so Locations Lite is in use. Pretty much set the default closest server rule to group all 12 Auth servers in a single group. It has worked to split the load quite well among the 12 Primary servers.
Only the ZCC server and Image servers had their entire VM memory reserved (per VMWare best practice for a Java app). Was unable to reserve memory for all guest machines since it would cause too much performance issues with other guests when doing so. Because of this, I am thinking of swapping out the 12 Primary servers for 12 Satellite servers .. but I am unsure of the sanity of doing such a change. The satellite servers would run in the same virtual environment as the Primary servers.
My hope in doing this change is to improve the authentication speed, and satellite servers seem to be faster in getting the job done. Also reduce the amount of work the database server is doing by reducing the amount of Primary servers talking to it.
The change almost seems pointless, so I wanted to see what others thought about doing such a change.
thank you
We definitely want all of the VMware Memory Reserved.
Consider Converting the 2 Dedicated Imaging Servers to Satellite Servers
with the Imaging Role. This will consume far fewer resources and the
memory for Satellite Servers is not required to be fully dedicated.
12 Auth/Content/Config servers is far more than what is necessary for
15,000 Devices. Especially with 8gb of RAM. As a Test, Remove a couple
of these servers from the "Server Group" and test performance.
You may also be able to reduce the RAM from 8GB to 6GB on the remaining
10 servers to allow for dedication.
The key is that assigning RAM above and beyond what is dedicated can
lead to stability issues and will not be fully dedicated.
It is quite common for servers to fail upgrading or crash after upgrades
when the RAM is not dedicated because the servers now start hitting and
trying to use the non-dedicated RAM that was previously not used.
Also Drop an Email to [email protected]
I want to email you a utility, but will need your email address.
Note: Location Lite is just fine.
On 7/15/2014 4:56 PM, Provogeek wrote:
>
> I have a ZCM Zone originally built with ZCM 10.2 and has been updated
> over the years to 11.2.3 and soon to be updated to 11.3.1
> The Zone services 15,000 devices with over 30k users (school district).
> The network topology is central, each school has a 10GB fiber link to
> the data center. Entire Zone is built on a VMWare vSphere 5 platform.
>
> Current design consists of 1 dedicated ZCC server, 1 dedicated Inventory
> server, 2 dedicated image servers, and 12 Authentication/Content/Config
> servers. Database is SQL 2008 R2 on its own VM. Typical guest machine
> config uses 2 vCPU 8GB vRAM. All run on Windows 2008 R2 SP1. SQL
> server uses 2 vCPU and 24GB of vRAM. DB has grown to 43GB in size (gets
> up to 60+GB before DB maintenance operations are run).
>
> In ZCM 10, the closest server rules were setup to split the user traffic
> among four selected servers for the site. When the closest server rules
> allowed for groups, it was enabled to get the round robin functionality.
> Was never able to get the needed data from my customer to fully
> implement Locations, so Locations Lite is in use. Pretty much set the
> default closest server rule to group all 12 Auth servers in a single
> group. It has worked to split the load quite well among the 12 Primary
> servers.
>
> Only the ZCC server and Image servers had their entire VM memory
> reserved (per VMWare best practice for a Java app). Was unable to
> reserve memory for all guest machines since it would cause too much
> performance issues with other guests when doing so. Because of this, I
> am thinking of swapping out the 12 Primary servers for 12 Satellite
> servers .. but I am unsure of the sanity of doing such a change. The
> satellite servers would run in the same virtual environment as the
> Primary servers.
>
> My hope in doing this change is to improve the authentication speed, and
> satellite servers seem to be faster in getting the job done. Also
> reduce the amount of work the database server is doing by reducing the
> amount of Primary servers talking to it.
>
> The change almost seems pointless, so I wanted to see what others thought
> about doing such a change.
>
> thank you
>
>
Craig Wilson - MCNE, MCSE, CCNA
Novell Technical Support Engineer
Novell does not officially monitor these forums.
Suggestions/Opinions/Statements made by me are solely my own.
These thoughts may not be shared by either Novell or any rational human.
-
Long delay when logging in Network User
Hello,
We are running into a weird problem.
We have an XServe G5 2.0 GHz DP with 5 GB RAM, providing multiple services to a small school.
The Users have Network-based accounts, and are authenticated via OD on the same server.
Lately, Users have started experiencing a very long delay when logging in.
At the login prompt, if they input the wrong password, they get "the shake" right away, which indicates that the authentication speed is rather fast. If they do input the right credentials, nothing happens for 25 - 30 seconds, and then login proceeds as usual, fairly quickly. The machines are normally responsive from there on, i.e. it is not a network performance issue. Also, even if no one is on the server, the first one to log in runs into the same issue, i.e. it is not a server overload issue. Does anyone have an idea what is going on? Any suggestions for a solution will be appreciated.
Best regards,
Alain Chammas
Hi
This could be down to a time sync issue. Are Server and Clients all using the same Network Time Server? Do you see a similar delay when presenting the login window displaying a list of network users? If you did not know, this is a computer list managed preference. Anything unusual in the system.log?
Hope this helps, Tony
-
I just updated my Macbook (2010) to Yosemite, and it's become very slow. After searching through this community, I downloaded and ran EtreCheck, but don't understand what the report means. Please could you help me with what I should do to improve my computer's speed, aside from upgrading my RAM? Thank you so much.
The report:
Problem description:
my macbook is running very slowly after upgrading to yosemite.
EtreCheck version: 2.0.11 (98)
Report generated 12 November 2014 1:44:14 pm SGT
Hardware Information: ℹ️
MacBook (13-inch, Mid 2010) (Verified)
MacBook - model: MacBook7,1
1 2.4 GHz Intel Core 2 Duo CPU: 2-core
2 GB RAM Upgradeable
BANK 0/DIMM0
1 GB DDR3 1067 MHz ok
BANK 1/DIMM0
1 GB DDR3 1067 MHz ok
Bluetooth: Old - Handoff/Airdrop2 not supported
Wireless: en1: 802.11 a/b/g/n
Video Information: ℹ️
NVIDIA GeForce 320M - VRAM: 256 MB
Color LCD 1280 x 800
System Software: ℹ️
OS X 10.10 (14A389) - Uptime: 3:23:3
Disk Information: ℹ️
TOSHIBA MK2555GSXF disk0 : (250.06 GB)
S.M.A.R.T. Status: Verified
EFI (disk0s1) <not mounted> : 210 MB
Macintosh HD (disk0s2) / [Startup]: 249.20 GB (25.42 GB free)
Recovery HD (disk0s3) <not mounted> [Recovery]: 650 MB
HL-DT-ST DVDRW GS23N
USB Information: ℹ️
Western Digital My Passport 0748 1 TB
S.M.A.R.T. Status: Verified
EFI (disk1s1) <not mounted> : 210 MB
tansey (disk1s2) /Volumes/tansey : 999.83 GB (951.98 GB free)
Apple Inc. Built-in iSight
Apple Inc. BRCM2070 Hub
Apple Inc. Bluetooth USB Host Controller
Apple Inc. Apple Internal Keyboard / Trackpad
Configuration files: ℹ️
/etc/hosts - Count: 15
Gatekeeper: ℹ️
Mac App Store and identified developers
Kernel Extensions: ℹ️
/System/Library/Extensions
[not loaded] com.NovatelWireless.driver.NovatelWirelessUSBCDCECMControl (3.0.13) Support
[not loaded] com.NovatelWireless.driver.NovatelWirelessUSBCDCECMData (3.0.13) Support
[not loaded] com.ZTE.driver.ZTEUSBCDCACMData (1.3.8) Support
[not loaded] com.ZTE.driver.ZTEUSBMassStorageFilter (1.3.8) Support
[not loaded] com.novamedia.driver.IceraUSB_MSD_Bypass (1.3.0) Support
[not loaded] com.novatelwireless.driver.3G (3.0.13) Support
[not loaded] com.novatelwireless.driver.DisableAutoInstall (3.0.13) Support
[not loaded] com.option.driver.Option72 (2.15.0) Support
[not loaded] com.option.driver.OptionHS (3.26.0) Support
[not loaded] com.option.driver.OptionMSD (1.21.0) Support
[not loaded] com.option.driver.OptionQC (1.11.0) Support
[not loaded] com.rim.driver.BlackBerryUSBDriverInt (0.0.39) Support
[not loaded] com.rim.driver.BlackBerryUSBDriverVSP (0.0.45) Support
[not loaded] com.vodafone.driver (3.0.9) Support
[not loaded] com.zte.driver.cdc_ecm_qmi (1.0.1) Support
[not loaded] com.zte.driver.cdc_usb_bus (1.0.1) Support
[not loaded] de.novamedia.driver.NMSamsung (0.0.2) Support
[not loaded] de.novamedia.driver.NMSmartplugSCSIDevice (1.0.1) Support
[not loaded] de.novamedia.oem.vodafone.vtp.huawei.cdc (0.0.2) Support
/System/Library/Extensions/NMHuaweiPhonesVTPCDC_106.kext/Contents/PlugIns
[not loaded] de.novamedia.driver.NMUSBCDCACMControl (3.2.12) Support
/System/Library/Extensions/NMSamsungDriver_106.kext/Contents/PlugIns
[not loaded] de.novamedia.driver.NMUSBCDCACMData (3.2.12) Support
/System/Library/Extensions/NovatelWireless3G.kext/Contents/PlugIns
[not loaded] com.novatelwireless.driver.3GData (3.0.13) Support
/System/Library/Extensions/Vodafone.kext/Contents/PlugIns
[not loaded] com.vodafone.driver.Data (3.0.9) Support
Startup Items: ℹ️
HP IO: Path: /Library/StartupItems/HP IO
HWNetMgr: Path: /Library/StartupItems/HWNetMgr
HWPortDetect: Path: /Library/StartupItems/HWPortDetect
Startup items are obsolete and will not work in future versions of OS X
Problem System Launch Agents: ℹ️
[failed] com.apple.accountsd.plist
[failed] com.apple.AirPlayUIAgent.plist
[failed] com.apple.bird.plist
[failed] com.apple.CallHistoryPluginHelper.plist
[failed] com.apple.CallHistorySyncHelper.plist
[failed] com.apple.cloudd.plist
[failed] com.apple.coreservices.appleid.authentication.plist
[failed] com.apple.coreservices.uiagent.plist
[failed] com.apple.EscrowSecurityAlert.plist
[failed] com.apple.icloud.fmfd.plist
[failed] com.apple.iconservices.iconservicesagent.plist
[failed] com.apple.nsurlsessiond.plist
[failed] com.apple.pluginkit.pkd.plist
[failed] com.apple.recentsd.plist
[failed] com.apple.security.cloudkeychainproxy.plist
[failed] com.apple.spindump_agent.plist
[failed] com.apple.telephonyutilities.callservicesd.plist
Problem System Launch Daemons: ℹ️
[failed] com.apple.awdd.plist
[failed] com.apple.cache_delete.plist
[failed] com.apple.coresymbolicationd.plist
[failed] com.apple.ctkd.plist
[failed] com.apple.diagnosticd.plist
[failed] com.apple.iconservices.iconservicesagent.plist
[failed] com.apple.iconservices.iconservicesd.plist
[failed] com.apple.ifdreader.plist
[failed] com.apple.installd.plist
[failed] com.apple.MobileFileIntegrity.plist
[failed] com.apple.nehelper.plist
[failed] com.apple.nsurlsessiond.plist
[failed] com.apple.sandboxd.plist
[failed] com.apple.softwareupdated.plist
[failed] com.apple.spindump.plist
[failed] com.apple.sysmond.plist
[failed] com.apple.tccd.system.plist
[failed] com.apple.wdhelper.plist
[failed] com.apple.xpc.smd.plist
[running] de.novamedia.nmnetmgrd.plist Support
Launch Agents: ℹ️
[not loaded] com.adobe.AAM.Updater-1.0.plist Support
[failed] com.adobe.CS5ServiceManager.plist Support
[loaded] com.google.keystone.agent.plist Support
[running] de.novamedia.VodafoneDeviceObserver.plist Support
[invalid?] SwapperUFi.plist Support
Launch Daemons: ℹ️
[loaded] com.adobe.fpsaud.plist Support
[invalid?] com.adobe.SwitchBoard.plist Support
[loaded] com.cloudpath.maccmd.plist Support
[loaded] com.google.keystone.daemon.plist Support
[loaded] com.microsoft.office.licensing.helper.plist Support
[invalid?] PPPMonitord.plist Support
User Launch Agents: ℹ️
[loaded] com.adobe.ARM.[...].plist Support
[invalid?] com.akamai.client.plist Support
[invalid?] com.divx.agent.postinstall.plist Support
[failed] com.facebook.videochat.[redacted].plist Support
User Login Items: ℹ️
Dropbox Application (/Applications/Dropbox.app)
SurplusMeterAgent UNKNOWN (missing value)
Google Chrome ApplicationHidden (/Applications/Google Chrome.app)
HP Scheduler Application (/Library/Application Support/Hewlett-Packard/Software Update/HP Scheduler.app)
Internet Plug-ins: ℹ️
o1dbrowserplugin: Version: 5.38.6.0 - SDK 10.8 Support
Google Earth Web Plug-in: Version: 7.1 Support
Default Browser: Version: 600 - SDK 10.10
OfficeLiveBrowserPlugin: Version: 12.2.6 Support
OVSHelper: Version: 1.1 Support
AdobePDFViewerNPAPI: Version: 10.1.12 Support
FlashPlayer-10.6: Version: 15.0.0.152 - SDK 10.6 Support
Silverlight: Version: 5.1.10411.0 - SDK 10.6 Support
Flash Player: Version: 15.0.0.152 - SDK 10.6 Mismatch! Adobe recommends 15.0.0.223
iPhotoPhotocast: Version: 7.0
googletalkbrowserplugin: Version: 5.38.6.0 - SDK 10.8 Support
QuickTime Plugin: Version: 7.7.3
AdobePDFViewer: Version: 10.1.12 Support
SharePointBrowserPlugin: Version: 14.0.0 Support
JavaAppletPlugin: Version: 15.0.0 - SDK 10.10 Check version
User Internet Plug-ins: ℹ️
OctoshapeWeb: Version: 1.0 Support
Safari Extensions: ℹ️
DivX Plus Web Player HTML5 <video>
3rd Party Preference Panes: ℹ️
DivX Support
Flash Player Support
Time Machine: ℹ️
Skip System Files: NO
Auto backup: NO - Auto backup turned off
Volumes being backed up:
Macintosh HD: Disk size: 249.20 GB Disk used: 223.78 GB
Destinations:
Time Machine Backups [Local]
Total size: 0 B
Total number of backups: 0
Oldest backup: -
Last backup: -
Size of backup disk: Too small
Backup size 0 B < (Disk used 223.78 GB X 3)
Top Processes by CPU: ℹ️
15% WindowServer
1% Dropbox
0% AppleSpell
0% Skype
0% imagent
Top Processes by Memory: ℹ️
60 MB Google Chrome
56 MB JavaApplicationStub
47 MB Skype
45 MB Finder
45 MB WindowServer
Virtual Memory Information: ℹ️
60 MB Free RAM
443 MB Active RAM
398 MB Inactive RAM
349 MB Wired RAM
16.91 GB Page-ins
633 MB Page-outs
I advise to reply to the one you want to reply to.
You have had good information here. I will not repeat that here.
I would like to add:
you have incompatible software: start in SafeMode, read Woodmeister and see if it is free of issues.
Akamai is crap software needed or not, Huawei the same.
It is very possible that the keygenerator you used for generating a key for some softwares has infected your mac.
The non-regular software with the false key(s) are not compatible probably or generate malware. Luckily you can not update them automatically because the keygenerator blocked the software for contacting the developer... I propose to consider getting rid of those softwares by really good uninstalling.
You have a beautiful mac, don't degenerate it with crapped software. There are alternatives for expensive software, for example Adobe Photoshop has a free alternative (with a less beautiful interface) in GIMP. And so on.
Lex
-
ASA 5505 Speed Issue - Help Requested if possible
Hi All,
I am wondering if anybody here can shed some light on any potential configuration issues with the configuration below (Sanitized). Current State:
1. Site to Site VPN is up and running perfectly.
2. Client to Site VPNs work through L2TP/IPSEC and through mobile devices such as iPhone.
3. The outside interface is at line speed - approximately 5-6MBits per second.
4. When performing a download of a service pack from microsoft - Bit rate on the inside interface is approximately 1/3rd of the outside interface (A lot of loss). Interface shows no CRC errors and no input errors.
5. The outside interface shows CRC errors and INPUT errors, but due to the line speed being optimal (as the client experienced via their WAN router direct, with the ASA out of the mix), I have not looked into this further. I suspect the device it is directly attached to does not auto-negotiate correctly even though the interface is set to 100Mb Full Duplex.
6. Outside interface MTU is set to 1492, purposely set this way due to PPPoE overhead (please correct me if I am wrong), approximately 8 bytes.
7. Inside Interface MTU is set to 1500, no drops or loss detected on that interface so have left it as is.
8. All inspection has been disabled on the ASA as I thought that scans on the traffic could have impaired performance.
Current Environment Traffic Flow:
1. All hosts on the network have their DNS pointed to external IP addresses currently as the DNS server is out of the mix. This usually points to DNS servers in the US. If the hosts use this, the DNS queries are performed over the site-to-site VPN but the internet traffic is routed around the VPN as the traffic is a separate established session. Split tunneling is enabled on the ASA to only trust the internal hosts from accessing the US hosts. Everything else uses the default route.
2. The version of software on this ASA is 8.2(1). I have checked and there does not seem to be any underlying issues that would cause this type of behaviour.
3. Memory is stable at roughly 190Mb out of 512Mb
4. CPU is constant at approximately 12%.
5. WAN and INSIDE switch are Fast Ethernet and the ASA interfaces are all Ethernet - Potential compatibility issue between standards? I'm aware they should be compatible - input from anybody that has experienced any issues regarding this would be greatly appreciated.
Current Issues:
1. Speed on the inside interface is approximately 1/3rd of the WAN/Outside interface - download speeds are sitting at approximately 250 - 300kb (should be sitting at approximately 700-800kb).
2. Noticed that when the DC is pointed to the USA Root Domain Controller (Across the tunnel) latency is approximately 400ms average. (Performed using host name).
3. I ping the IP address of the exact same server and the latency is still 400ms.
4. Changing the DCs DNS address to 8.8.8.8, I perform the same ping to the same servers. Still 400ms.
5. I ping google.co.nz and I still get 400ms (You would expect it to route out the default gateway but session is still active for that IP on the ASA).
6. I ping 74.x.x.x (The IP from the resolution from step 5) and I get the same result.
7. I flush dns, same issue for 5/6.
8. I clear xlate on the ASA and the same issue persists.
9. I close command line, reopen it, and perform the test again - latency is now back to 40 - 50ms as we would expect for non-vpn traffic.
I am currently out of ideas and would like some advice on what I have actually missed.
Things I suspect that I may need to do:
1. Upgrade IOS to latest version (Other than that - I'm out of ideas).
ASA Version 8.2(1)
hostname BLAH
enable password x.x.x.x encrypted
passwd x.x.x.x encrypted
names
name x.x.x.x BLAHPC
name 8.8.8.8 Google-DNS description Google-DNS
name 202.27.184.3 Telecom-Alien-Pri description Telecom-Alien-Pri
name 202.27.184.5 Telecom-Terminator-Sec description Telecom-Terminator-Sec
name 203.96.152.4 TelstraClearPri description TCL-PRI
name 203.96.152.12 TelstraClearSec description TCL-Sec
name x.x.x.x BLAH_Network description BLAH-Internal
name x.x.x.x DC description DC VPN Access
name x.x.x.x Management-Home description Allow RDP Access from home
name x.x.x.x SentDC description BLAHDC
name x.x.x.x Outside-Intf
dns-guard
interface Vlan1
nameif inside
security-level 100
ip address x.x.x.x 255.255.255.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group pppoex
ip address pppoe setroute
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
banner exec [BLAH MANAGED DEVICE] - IF YOU ARE UNAUTHORIZED TO USE THIS DEVICE, LEAVE NOW!!!
banner login If you are Unauthorized to use this device, leave now. Prosecution will follow if you are found to access this device without being Authorized.
banner asdm [BLAH MANAGED DEVICE] - IF YOU ARE UNAUTHORIZED TO USE THIS DEVICE, LEAVE NOW!!!
ftp mode passive
clock timezone WFT 12
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server Google-DNS
name-server Telecom-Alien-Pri
name-server Telecom-Terminator-Sec
name-server TelstraClearPri
name-server TelstraClearSec
object-group service RDP tcp
description RDP
port-object eq 3389
object-group network BLAH-US
network-object x.x.x.x 255.255.255.0
network-object x.x.x.x 255.255.255.0
object-group network x.x.x.x
network-object x.x.x.x 255.255.255.0
network-object x.x.x.x 255.255.255.0
network-object x.x.x.x 255.255.255.0
network-object x.x.x.x 255.255.255.0
network-object x.x.x.x 255.255.255.0
network-object x.x.x.x 255.255.255.0
network-object x.x.x.x 255.255.255.0
network-object x.x.x.x 255.255.255.0
network-object x.x.x.x 255.255.255.0
network-object x.x.x.x 255.255.255.0
network-object x.x.x.x 255.255.255.0
network-object x.x.x.x 255.255.255.0
network-object x.x.x.x 255.255.255.0
network-object x.x.x.x 255.255.255.0
network-object x.x.x.x 255.255.255.0
network-object x.x.x.x 255.255.255.0
object-group service Management_Access_Secure
description Management Access - SECURE
service-object tcp eq https
service-object tcp eq ssh
service-object tcp eq 4434
object-group service FileTransfer tcp
description Allow File Transfer
port-object eq ftp
port-object eq ssh
object-group service WebAccess tcp
description Allow Web Access
port-object eq www
port-object eq https
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service AD_Access udp
description Allow Active Directory AD ports - UDP Only
port-object eq 389
port-object eq 445
port-object eq netbios-ns
port-object eq 636
port-object eq netbios-dgm
port-object eq domain
port-object eq kerberos
object-group network DM_INLINE_NETWORK_2
group-object x.x.x.x
group-object x.x.x.x
object-group network DM_INLINE_NETWORK_3
group-object x.x.x.x
group-object x.x.x.x
object-group network BLAH_DNS
description External DNS Servers
network-object host Telecom-Alien-Pri
network-object host Telecom-Terminator-Sec
network-object host TelstraClearSec
network-object host TelstraClearPri
network-object host Google-DNS
object-group service AD_Access_TCP tcp
description Active Directory TCP protocols
port-object eq 445
port-object eq ldap
port-object eq ldaps
port-object eq netbios-ssn
port-object eq domain
port-object eq kerberos
port-object eq 88
object-group network DM_INLINE_NETWORK_4
network-object x.x.x.x 255.255.255.0
network-object x.x.x.x 255.255.255.0
object-group network DM_INLINE_NETWORK_5
network-object x.x.x.x 255.255.255.0
network-object x.x.x.x 255.255.255.0
object-group network DM_INLINE_NETWORK_6
group-object x.x.x.x
group-object x.x.x.x
object-group network DM_INLINE_NETWORK_1
group-object x.x.x.x
group-object x.x.x.x
access-list inside_access_in remark Allow Internal ICMP from BLAH
access-list inside_access_in extended permit icmp Sentinel_Network 255.255.255.0 object-group DM_INLINE_NETWORK_2
access-list inside_access_in remark Allow Internal ICMP to BLAH
access-list inside_access_in extended permit icmp object-group DM_INLINE_NETWORK_3 BLAH 255.255.255.0
access-list inside_access_in remark External DNS
access-list inside_access_in extended permit object-group TCPUDP BLAH 255.255.255.0 object-group BLAH_DNS eq domain
access-list inside_access_in remark Allows Web Access
access-list inside_access_in extended permit tcp BLAH 255.255.255.0 any object-group WebAccess
access-list inside_access_in remark Allow Remote Desktop Connections to the Internet
access-list inside_access_in extended permit tcp BLAH 255.255.255.0 any object-group RDP
access-list inside_access_in remark Allow File Transfer Internet
access-list inside_access_in extended permit tcp BLAH 255.255.255.0 any object-group FileTransfer
access-list inside_access_in remark ldap, 445, 137, 636, dns, kerberos
access-list inside_access_in extended permit udp BLAH 255.255.255.0 object-group DM_INLINE_NETWORK_4 object-group AD_Access
access-list inside_access_in remark ldap, 445, 137, 636, dns, kerberos
access-list inside_access_in extended permit tcp BLAH 255.255.255.0 object-group DM_INLINE_NETWORK_5 object-group AD_Access_TCP
access-list inside_access_in extended permit ip any any
access-list outside_cryptomap_65535.1 extended permit ip BLAH 255.255.255.0 object-group DM_INLINE_NETWORK_6
access-list nonat extended permit ip BLAH 255.255.255.0 object-group BLAH-US
access-list nonat extended permit ip BLAH 255.255.255.0 object-group BLAH-USA
access-list nonat extended permit ip BLAH 255.255.255.0 x.x.x.x 255.255.255.0
access-list tekvpn extended permit ip BLAH 255.255.255.0 object-group BLAH-US
access-list tekvpn extended permit ip BLAH 255.255.255.0 object-group BLAH-USA
access-list tekvpn extended permit ip BLAH 255.255.255.0 x.x.x.x 255.255.255.0
access-list inbound extended permit icmp any any
access-list inside_nat0_outbound extended permit ip BLAH 255.255.255.0 10.1.118.192 255.255.255.224
access-list inside_nat0_outbound extended permit ip BLAH 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list outside_1_cryptomap extended permit ip BLAH 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list outside_access_in extended permit icmp any any
pager lines 24
logging enable
logging monitor informational
logging buffered notifications
logging trap informational
logging asdm informational
logging class auth monitor informational trap informational asdm informational
mtu inside 1500
mtu outside 1492
ip local pool ipsec_pool x.x.x.x-x.x.x.x mask 255.255.255.0
ip local pool Remote-Access-DHCP x.x.x.x-x.x.x.x mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 BLAH 255.255.255.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
reval-period 36000
sq-period 300
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
aaa authorization exec authentication-server
http server enable RANDOM PORT
http 0.0.0.0 0.0.0.0 outside
http x.x.x.x x.x.x.x inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 1428
sysopt connection tcpmss minimum 48
auth-prompt prompt You are now authenticated. All actions are monitored! if you are Unauthorized, Leave now!!!
auth-prompt accept Accepted
auth-prompt reject Denied
service resetoutside
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 1 set transform-set TRANS_ESP_3DES_SHA TRANS_ESP_3DES_MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer x.x.x.x
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 2
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
client-update enable
telnet timeout 5
ssh x.x.x.x 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname **************
vpdn group pppoex ppp authentication pap
vpdn username ************** password PPPOE PASSPHRASE HERE
dhcpd auto_config outside
dhcpd address x.x.x.x/x inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server x.x.x.x source outside prefer
tftp-server outside x.x.x.x /HOSTNAME
webvpn
group-policy DfltGrpPolicy attributes
banner value Testing ONE TWO THREE
vpn-idle-timeout 300
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value outside_cryptomap_65535.1
user-authentication enable
nem enable
address-pools value Remote-Access-DHCP
webvpn
svc keepalive none
svc dpd-interval client none
USER CREDENTIALS HERE
vpn-tunnel-protocol l2tp-ipsec
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key SITETOSITE PSK
peer-id-validate nocheck
tunnel-group DefaultRAGroup general-attributes
authorization-server-group LOCAL
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key CLIENTTOSITE PSK
peer-id-validate nocheck
isakmp keepalive disable
tunnel-group DefaultRAGroup ppp-attributes
authentication pap
no authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
authentication eap-proxy
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group-map default-group DefaultL2LGroup
class-map inspect_default
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpnclient
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
Cryptochecksum:894474af5fe446eeff5bd9e7f629fc4f
: end
Hi all, this post can be officially closed. The issue had nothing to do with the ASA but required a firmware upgrade on the WAN router which boosted the throughput on the external interface on the ASA to 10Mbps and the inside throughput naturally corrected itself to what was expected.
Thanks to everybody who looked at this issue.
Andrew -
Slow transfer speed over VPN connection
Hello,
Recently I set up an SSL VPN to connect to my parents' home network. I have some computers there, and want to try to transfer files between my computer and the one at my parents'. Over the VPN connection, I only get 128kb/s. On both ends, they are 15Mbps connections, and can support internal copies of 4 megs/s. I feel like I should get a better speed than that. I looked around, and people suggested changing the MTU. I have changed the MTU around, and not noticed any increase in the network speed over the VPN. Currently the MTU is at 1500. Below is a copy of my running config. Anything I'm overlooking, or is this speed normal? Sorry, still relatively new to the ASA 5505.
ASA Version 8.2(5)
hostname HardmanASA
enable password #####
passwd ###### encrypted
names
interface Ethernet0/0
switchport access vlan 20
interface Ethernet0/1
switchport access vlan 10
interface Ethernet0/2
switchport access vlan 10
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
switchport access vlan 10
interface Vlan1
no nameif
no security-level
no ip address
interface Vlan10
nameif inside
security-level 100
ip address 192.168.250.1 255.255.255.0
interface Vlan20
nameif outside
security-level 0
ip address dhcp setroute
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
access-list nat_0 extended permit ip 192.168.250.0 255.255.255.0 192.168.251.0 255.255.255.0
access-list split_tunnel standard permit 192.168.250.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool VPN_Pool 192.168.251.100-192.168.251.101 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list nat_0
nat (inside) 10 192.168.250.0 255.255.255.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.250.0 255.255.255.0 inside
http 192.168.251.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.250.0 255.255.255.0 inside
ssh 192.168.251.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
dhcpd dns 8.8.8.8
dhcpd address 192.168.250.20-192.168.250.50 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
svc image disk0:/anyconnect-linux-2.5.2014-k9.pkg 3
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel
username ###### password ###### encrypted
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
address-pool VPN_Pool
tunnel-group AnyConnect webvpn-attributes
group-alias AnyConnect enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:74fc2287573841a837e97887840a2d91
: end
Hi,
Another option is to use the compression command. It is usually enabled by default, but you may want to enter it since it is not shown in the running config; the command is compression svc.
Note: The command helps when we have low-bandwidth connections; it reduces the size of the packets. For broadband connections this can decrease regular performance.
Regards,
Sent from Cisco Technical Support iPhone App -
Download Speed on PIX 515E is Pretty Slow
Hello, I have a PIX 515E set up between our office switch and our Comcast Business Router and the download speeds are not as fast as they should be. We are paying for 30 down 30 up but it's more like 10 down 30 up. I plugged in a computer directly into the router and got 30/30 so I know it's not a Comcast issue. I think it might be the low amount of memory on the PIX because it's running at 109 out of a total 128mb. The PIX has a site-to-site VPN tunnel with a remote ASA 5520 firewall. The inside/outside ports are both auto/auto. The running config is only 161 lines.
Here's some information about the PIX 515E...
Version 8.0(4)
ASDM 6.1(3)
Memory 128MB
Here is the running config..
Result of the command: "show running-config"
: Saved
PIX Version 8.0(4)
hostname --------------------
domain-name -----------------
enable password -------------------------
passwd --------------- encrypted
names
name 1.1.1.1 Data-Center-Firewall #### Outside Address Changed
name 10.0.0.0 Data-Center-Subnet
dns-guard
interface Ethernet0
nameif inside
security-level 100
ip address 10.10.1.1 255.255.255.0 standby 10.10.1.254
interface Ethernet1
nameif outside
security-level 0
ip address 2.2.2.1 255.255.255.252 #### Outside Address Changed
interface Ethernet2
description LAN/STATE Failover Interface
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name -------------
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service http8080 tcp
description http8080
port-object eq 8080
object-group service DM_INLINE_TCP_1 tcp
port-object range 50000 50100
port-object eq 990
access-list outside_access_in remark ip, tcp/990
access-list outside_access_in extended permit tcp host 1.1.1.1 host 2.2.2.5 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit icmp any any
access-list ACL-VPN extended permit ip 10.10.1.0 255.255.255.0 Data-Center-Subnet 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
failover
failover lan unit primary
failover lan interface failover Ethernet2
failover lan enable
failover key *****
failover replication http
failover mac address Ethernet0 001e.f732.008f 000d.28f9.628f
failover mac address Ethernet1 001e.f732.0090 000d.28f9.6290
failover link failover Ethernet2
failover interface ip failover 10.10.10.10 255.255.255.252 standby 10.10.10.20
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image flash:/asdm-613.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list ACL-VPN
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 2.2.2.5 10.10.1.102 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 2.2.2.2 1
route inside 10.10.0.0 255.255.255.0 10.10.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.0.0 255.255.255.0 inside
http 10.10.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map MAP-VPN 1 match address ACL-VPN
crypto map MAP-VPN 1 set pfs
crypto map MAP-VPN 1 set peer Data-Center-Firewall
crypto map MAP-VPN 1 set transform-set ESP-3DES-SHA
crypto map MAP-VPN 1 set security-association lifetime seconds 28800
crypto map MAP-VPN 1 set security-association lifetime kilobytes 4608000
crypto map MAP-VPN interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.10.1.0 255.255.255.0 inside
telnet 10.10.0.0 255.255.255.0 inside
telnet timeout 5
ssh 10.10.0.0 255.255.255.0 inside
ssh 10.10.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *
class-map class_ftp
match port tcp eq ftp-data
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
class class_ftp
inspect ftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:b795d4f5f5da3d8283d452ba857d5534
: end
Please check on the speed and duplex settings whether the downstream and upstream links are fine and healthy.
Inside/outside are both set to auto/auto at
Check for the processes usage of the cpu of the pix.
CPU is running at 2%
Process: tmatch compile thread, PROC_PC_TOTAL: 2, MAXHOG: 8, LASTHOG: 8
LASTHOG At: 19:01:15 EST Dec 31 1992
PC: 26b616 (suspend)
Process: tmatch compile thread, NUMHOG: 2, MAXHOG: 8, LASTHOG: 8
LASTHOG At: 19:01:15 EST Dec 31 1992
PC: 26b616 (suspend)
Traceback: 26b616 26bdb9 26ec89 1182b3
Process: Dispatch Unit, NUMHOG: 1, MAXHOG: 5, LASTHOG: 5
LASTHOG At: 09:25:12 EDT Jul 18 2012
PC: 130114b (interrupt)
Traceback: 100178 12edd0c 9771e5 8c0e66 927164 928996 8ec3f5
8ec7ed 79d35e 2780c3 1182b3
Process: Unicorn Admin Handler, NUMHOG: 1, MAXHOG: 5, LASTHOG: 5
LASTHOG At: 12:27:25 EDT Jul 18 2012
PC: 130114b (interrupt)
Traceback: 100178 d870cb 13016b3 15cf68 e91a6f e9118b abfcea
a7cb2e a7daeb 18d800 5ae9a9 5a6aa0 5a7272 5a75e5
Process: Unicorn Admin Handler, PROC_PC_TOTAL: 4, MAXHOG: 7, LASTHOG: 7
LASTHOG At: 12:34:10 EDT Jul 18 2012
PC: 5ae903 (suspend)
Process: Unicorn Admin Handler, NUMHOG: 4, MAXHOG: 7, LASTHOG: 7
LASTHOG At: 12:34:10 EDT Jul 18 2012
PC: 5ae903 (suspend)
Traceback: 5ae903 5a6aa0 5a7272 5a75e5 5ad3d5 1182b3
Process: Unicorn Admin Handler, PROC_PC_TOTAL: 4, MAXHOG: 5, LASTHOG: 5
LASTHOG At: 12:37:47 EDT Jul 18 2012
PC: f4078b (suspend)
Process: Unicorn Admin Handler, NUMHOG: 4, MAXHOG: 5, LASTHOG: 5
LASTHOG At: 12:37:47 EDT Jul 18 2012
PC: f4078b (suspend)
Traceback: f40be2 130f41e aab54d aac3b0 5a6c2e 5a7272 5a75e5
5ad3d5 1182b3
Process: IKE Daemon, NUMHOG: 1, MAXHOG: 5, LASTHOG: 5
LASTHOG At: 23:07:40 EDT Jul 19 2012
PC: 1b6dd0 (interrupt)
Traceback: 100178 1b8a31 1baaeb 6438d7 12efc6f 64250b 653fe9
654b78 1182b3
Process: IKE Daemon, PROC_PC_TOTAL: 347, MAXHOG: 31, LASTHOG: 30
LASTHOG At: 16:01:55 EDT Jul 23 2012
PC: 654bab (suspend)
Process: CTM message handler, PROC_PC_TOTAL: 346, MAXHOG: 27, LASTHOG: 27
LASTHOG At: 16:01:55 EDT Jul 23 2012
PC: 2087ec (suspend)
Process: IKE Daemon, NUMHOG: 693, MAXHOG: 31, LASTHOG: 27
LASTHOG At: 16:01:55 EDT Jul 23 2012
PC: 654bab (suspend)
Traceback: 1182b3
Process: Unicorn Admin Handler, NUMHOG: 1, MAXHOG: 5, LASTHOG: 5
LASTHOG At: 17:23:30 EDT Jul 23 2012
PC: 130003b (interrupt)
Traceback: 100178 13008b8 f5a0cd f5ac32 f5ae40 f60828 f617c1
d38a0d aab50b aac14a 5a6c2e 5a7272 5a75e5 5ad3d5
Process: Dispatch Unit, PROC_PC_TOTAL: 227, MAXHOG: 432, LASTHOG: 35
LASTHOG At: 17:37:03 EDT Jul 23 2012
PC: 278207 (suspend)
Process: Dispatch Unit, NUMHOG: 227, MAXHOG: 432, LASTHOG: 35
LASTHOG At: 17:37:03 EDT Jul 23 2012
PC: 278207 (suspend)
Traceback: 278207 1182b3
Process: Unicorn Admin Handler, PROC_PC_TOTAL: 1901, MAXHOG: 8, LASTHOG: 7
LASTHOG At: 17:44:20 EDT Jul 23 2012
PC: 118ed5 (suspend)
Process: Unicorn Admin Handler, NUMHOG: 1901, MAXHOG: 8, LASTHOG: 7
LASTHOG At: 17:44:20 EDT Jul 23 2012
PC: 118ed5 (suspend)
Traceback: 118ed5 b2d032 f5a80d f5ac0a f5ae40 f607e5 f617c1
d38a0d aab50b aac14a 5a6c2e 5a7272 5a75e5 5ad3d5
CPU hog threshold (msec): 5.120
Last cleared: None
Check on the interface whether you get any crc/input/overrun errors. Please check the physical connectivity.
Interface Ethernet0 "inside", is up, line protocol is up
Hardware is i82559, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
MAC address __________, MTU 1500
IP address 10.10.1.1, subnet mask 255.255.255.0
60862937 packets input, 29025667892 bytes, 0 no buffer
Received 1371 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
68515603 packets output, 44084404472 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max packets): hardware (0/1) software (0/47)
output queue (curr/max packets): hardware (0/67) software (0/1)
Traffic Statistics for "inside":
60997029 packets input, 28080179952 bytes
68553614 packets output, 43104566708 bytes
29544 packets dropped
1 minute input rate 63 pkts/sec, 30371 bytes/sec
1 minute output rate 64 pkts/sec, 16557 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 91 pkts/sec, 45254 bytes/sec
5 minute output rate 93 pkts/sec, 56181 bytes/sec
5 minute drop rate, 0 pkts/sec
Interface Ethernet1 "outside", is up, line protocol is up
Hardware is i82559, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
MAC address ___________, MTU 1500
IP address ___________, subnet mask 255.255.255.252
67730933 packets input, 44248541375 bytes, 0 no buffer
Received 4493 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
60418640 packets output, 29310509840 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max packets): hardware (0/1) software (0/39)
output queue (curr/max packets): hardware (0/42) software (0/1)
Traffic Statistics for "outside":
67782987 packets input, 43276611710 bytes
60562287 packets output, 28342787997 bytes
206651 packets dropped
1 minute input rate 57 pkts/sec, 14273 bytes/sec
1 minute output rate 61 pkts/sec, 30258 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 89 pkts/sec, 54426 bytes/sec
5 minute output rate 87 pkts/sec, 45115 bytes/sec
5 minute drop rate, 0 pkts/sec
Enable flowcontrol receive on on the firewall interfaces and switch/router interfaces connected to the firewall.
Not sure how to do that. -
ASA 5520 intervlan routing at low speed
I have ASA 5520 and SSM-10 module. During copy between vlans, connected to gigabit port of asa the speed is up to 6,5 Mbyte/sec. Network cards and trunked switch are gigabit. I've temporarily disabled SSM but it didn't help. Here is my config. Also I found out, that putting SSM into bypass mode solves the problem. But I don't send any traffic to IPS...
ASA Version 8.4(2)
hostname ***
domain-name ***
enable password *** encrypted
passwd *** encrypted
multicast-routing
names
dns-guard
interface GigabitEthernet0/0
nameif DMZ
security-level 50
ip address 10.2.5.1 255.255.255.0
interface GigabitEthernet0/1
nameif inside
security-level 100
no ip address
interface GigabitEthernet0/1.100
vlan 100
nameif Devices
security-level 100
ip address 10.2.0.1 255.255.255.0
interface GigabitEthernet0/1.101
vlan 101
nameif Common
security-level 100
ip address 10.2.1.1 255.255.255.0
interface GigabitEthernet0/1.102
vlan 102
nameif Design
security-level 100
ip address 10.2.2.1 255.255.255.0
interface GigabitEthernet0/1.103
vlan 103
nameif Ruhlamat
security-level 90
ip address 10.2.3.1 255.255.255.0
interface GigabitEthernet0/2
no nameif
security-level 100
no ip address
interface GigabitEthernet0/2.10
vlan 10
nameif HOLOGR
security-level 40
ip address 10.1.2.4 255.255.0.0
interface GigabitEthernet0/3
nameif outside
security-level 0
ip address ***
interface Management0/0
nameif management
security-level 100
ip address 172.16.1.1 255.255.255.0
management-only
boot system disk0:/asa842-k8.bin
no ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
dns server-group DefaultDNS
domain-name ***
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network WWW
host 10.2.1.6
object network MAIL
host 10.2.5.5
object network TEST
host 10.2.1.85
object-group network DM_INLINE_NETWORK_1
network-object host 10.1.0.88
network-object host 10.1.6.1
network-object host 10.1.6.5
network-object host 10.1.0.57
network-object 10.2.0.0 255.255.255.0
network-object host 10.1.6.4
network-object host 10.1.1.57
object-group service DM_INLINE_TCP_1 tcp
port-object eq 2080
port-object eq pop3
port-object eq smtp
object-group network DM_INLINE_NETWORK_6
network-object host 10.1.4.42
network-object host 10.1.4.234
network-object host 10.1.4.175
network-object host 10.1.4.217
object-group protocol DM_INLINE_PROTOCOL_5
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_3
network-object host 10.2.1.4
network-object host 10.2.1.5
network-object host 10.2.1.6
network-object host 10.2.1.14
network-object host 10.2.1.91
object-group network DM_INLINE_NETWORK_4
network-object host 10.2.1.4
network-object host 10.2.1.5
network-object host 10.2.1.6
object-group service DM_INLINE_TCP_2 tcp
port-object eq pop3
port-object eq smtp
object-group network DM_INLINE_NETWORK_5
network-object host 10.2.1.14
network-object host 10.2.1.39
network-object host 10.2.1.4
network-object host 10.2.1.5
network-object host 10.2.1.6
network-object host 10.2.1.85
network-object host 10.2.1.31
network-object host 10.2.1.32
network-object host 10.2.1.40
network-object host 10.2.1.55
network-object host 10.2.1.35
network-object host 10.2.1.3
network-object host 10.2.1.2
object-group service DM_INLINE_TCP_3 tcp
port-object eq pop3
port-object eq smtp
object-group network DM_INLINE_NETWORK_7
network-object host 10.2.1.4
network-object host 10.2.1.5
object-group network DM_INLINE_NETWORK_9
network-object host 10.2.1.4
network-object host 10.2.1.3
object-group network DM_INLINE_NETWORK_2
network-object host 10.1.1.101
network-object host 10.1.6.1
network-object host 10.1.6.4
network-object host 10.1.6.5
network-object host 10.1.0.57
network-object host 10.1.1.57
object-group network DM_INLINE_NETWORK_10
network-object host 10.2.1.4
network-object host 10.2.1.5
network-object host 10.2.1.3
network-object host 10.2.1.2
object-group service DM_INLINE_TCP_4 tcp
port-object eq pop3
port-object eq smtp
object-group network DM_INLINE_NETWORK_12
network-object host 10.2.0.11
network-object host 10.2.0.14
object-group service DM_INLINE_TCP_5 tcp
port-object eq pop3
port-object eq smtp
object-group network DM_INLINE_NETWORK_13
network-object host 10.2.1.4
network-object host 10.2.1.5
object-group network DM_INLINE_NETWORK_14
network-object host 8.8.4.4
network-object host 8.8.8.8
network-object host 10.1.1.1
object-group network DM_INLINE_NETWORK_15
network-object host 10.2.1.39
network-object host 10.2.1.57
object-group network DM_INLINE_NETWORK_16
network-object host 10.2.1.14
network-object host 10.2.1.6
access-list outside_access_in extended permit tcp any 10.2.5.0 255.255.255.0 eq smtp
access-list outside_access_in extended permit tcp host *** host 10.2.1.85 eq ***
access-list outside_access_in extended permit tcp host *** host 10.2.1.6 eq ***
access-list Common_access_in extended permit icmp any any
access-list Common_access_in extended permit ip host 10.2.1.76 host ***
access-list Common_access_in extended permit ip host 10.2.1.6 any log disable inactive
access-list Common_access_in extended permit tcp host 10.2.1.6 host *** eq ***
access-list Common_access_in extended permit ip object-group DM_INLINE_NETWORK_1 6 host 10.2.5.5
access-list Common_access_in extended permit ip object-group DM_INLINE_NETWORK_3 10.2.2.0 255.255.255.0
access-list Common_access_in extended permit udp object-group DM_INLINE_NETWORK_7 any eq ntp log disable
access-list Common_access_in extended permit object-group DM_INLINE_PROTOCOL_5 object-group DM_INLINE_NETWORK_13 object-group DM_INLINE_NETWORK_14 eq domain
access-list Common_access_in extended permit ip object-group DM_INLINE_NETWORK_5 host 10.2.3.3
access-list Common_access_in extended permit tcp object-group DM_INLINE_NETWORK_15 host 10.1.1.1 object-group DM_INLINE_TCP_3
access-list Common_access_in extended permit ip 10.2.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list Common_access_in extended permit tcp 10.2.1.0 255.255.255.0 host 10.2.5.5 object-group DM_INLINE_TCP_1
access-list Design_access_in extended permit tcp 10.2.2.0 255.255.255.0 host 10.2.5.5 object-group DM_INLINE_TCP_2
access-list Design_access_in extended permit ip 10.2.2.0 255.255.255.0 object-group DM_INLINE_NETWORK_4 log disable
access-list HOLOGR_access_in extended permit icmp any any log disable
access-list HOLOGR_access_in extended permit tcp host 10.1.1.1 host 10.2.5.5 object-group DM_INLINE_TCP_4
access-list HOLOGR_access_in extended permit ip object-group DM_INLINE_NETWORK_6 object-group DM_INLINE_NETWORK_9
access-list HOLOGR_access_in extended permit ip object-group DM_INLINE_NETWORK_2 10.2.1.0 255.255.255.0
access-list HOLOGR_access_in extended permit ip host 10.1.4.214 object-group DM_INLINE_NETWORK_12
access-list Ruhlamat_access_in extended permit ip host 10.2.3.3 object-group DM_INLINE_NETWORK_10
access-list Ruhlamat_access_in extended permit tcp host 10.2.3.3 host 10.2.5.5 object-group DM_INLINE_TCP_5
access-list test extended permit tcp any host 10.2.5.1 eq telnet
access-list test extended permit tcp any host 10.2.5.1 eq https
access-list test extended permit tcp host 10.2.5.1 any eq https
access-list test extended permit tcp host 10.2.5.1 any eq telnet
pager lines 24
logging enable
logging timestamp
logging buffer-size 8192
logging buffered critical
logging trap warnings
logging asdm informational
logging from-address ***
logging recipient-address *** level critical
logging host Common 10.2.1.2
logging flash-bufferwrap
logging flash-maximum-allocation 8192
logging permit-hostdown
no logging message 106014
no logging message 313005
no logging message 313001
no logging message 106023
no logging message 305006
no logging message 733101
no logging message 733100
no logging message 304001
logging message 313001 level critical
logging message 106023 level errors
mtu DMZ 1500
mtu inside 1500
mtu Devices 1500
mtu Common 1500
mtu Design 1500
mtu Ruhlamat 1500
mtu HOLOGR 1500
mtu outside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any DMZ
icmp permit any Common
icmp permit any HOLOGR
icmp permit any outside
asdm image disk0:/asdm-645-206.bin
asdm history enable
arp timeout 14400
object network WWW
nat (Common,outside) static interface service tcp *** ***
object network MAIL
nat (DMZ,outside) static interface service tcp smtp smtp
nat (DMZ,outside) after-auto source dynamic any interface
nat (Common,outside) after-auto source dynamic any interface
nat (Devices,outside) after-auto source dynamic any interface
access-group Common_access_in in interface Common
access-group Design_access_in in interface Design
access-group Ruhlamat_access_in in interface Ruhlamat
access-group HOLOGR_access_in in interface HOLOGR
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 *** 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no user-identity enable
user-identity default-domain LOCAL
http server enable
http 10.2.1.6 255.255.255.255 Common
snmp-server host Common 10.2.1.6 community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp DMZ
sysopt noproxyarp inside
sysopt noproxyarp Devices
sysopt noproxyarp Common
sysopt noproxyarp Design
sysopt noproxyarp Ruhlamat
sysopt noproxyarp HOLOGR
sysopt noproxyarp outside
sysopt noproxyarp management
service resetoutside
telnet 10.2.1.0 255.255.255.0 Common
telnet timeout 5
ssh timeout 5
console timeout 0
management-access Common
dhcprelay setroute Common
threat-detection basic-threat
threat-detection scanning-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.2.1.4 source Common prefer
webvpn
smtp-server 10.2.5.5
prompt hostname context
call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:ad02ecbd84a727e4a26699915feca3a5
: end
Hi Philip,
I don't see any features configured that would affect the throughput of the data transfer. Do you see any CRC errors or overruns increasing on the interfaces during the transfer? If not, I would suggest setting up captures on the ingress and egress interfaces of the ASA so you can understand exactly why the connection is slowing down and see if the ASA is inducing the delay:
https://supportforums.cisco.com/docs/DOC-1222
-Mike -
Hello, as the title states, I have an ASA 5505 at one facility that is only getting around 16mb down on a 100mb circuit. No errors on either interface, and we've tried manually setting port speed and duplex, and auto, (both sides show it negotiating at 100 / full).
Here is the sanitized config:
: Saved
: Written by mlsysadmin at 05:43:12.139 CST Fri Mar 6 2015
ASA Version 8.2(5)
hostname fw01
domain-name domain.com
enable password xxxxxxxx encrypted
passwd xxxxxxxx encrypted
names
name x.x.x.x WindStream-External-3100
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 172.16.5.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address WindStream-External-3100 255.255.255.248
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name materialogic.com
same-security-traffic permit intra-interface
object-group network obj-SrcNet
object-group network obj-amzn
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit tcp 172.16.5.0 255.255.255.0 172.17.5.0 255.255.255.0
access-list outside_access_in extended permit ip x.x.x.x 255.255.255.248 172.16.5.0 255.255.255.0
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit ip 10.10.200.0 255.255.255.0 172.16.5.0 255.255.255.0
access-list outside_access_in extended permit icmp 10.10.0.0 255.255.0.0 172.16.5.0 255.255.255.0
access-list outside_access_in extended permit tcp 172.16.5.0 255.255.255.0 172.17.5.0 255.255.255.0
access-list outside_access_in extended permit tcp interface outside 172.16.5.0 255.255.255.0
access-list acl-amzn extended permit ip any 10.10.0.0 255.255.0.0
access-list acl-amzn extended permit ip 172.16.5.0 255.255.255.0 172.16.3.0 255.255.255.0
access-list acl-amzn extended permit ip 172.16.5.0 255.255.255.0 172.16.4.0 255.255.255.0
access-list acl-amzn extended permit ip 172.16.3.0 255.255.255.0 172.16.5.0 255.255.255.0
access-list acl-amzn extended permit ip 172.16.4.0 255.255.255.0 172.16.5.0 255.255.255.0
access-list acl-amzn extended permit ip 172.16.2.0 255.255.255.0 172.16.5.0 255.255.255.0
access-list acl-amzn extended permit ip 172.16.5.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list amzn-filter extended permit ip 10.10.0.0 255.255.0.0 172.16.5.0 255.255.255.0
access-list amzn-filter extended permit icmp 10.10.0.0 255.255.0.0 172.16.5.0 255.255.255.0
access-list amzn-filter extended permit ip any any
access-list <outside_access_in> extended permit ip host 54.240.217.164 host WindStream-External-3100
access-list <outside_access_in> extended permit ip host 72.21.209.193 host WindStream-External-3100
access-list inside_mpc extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list NORAND extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list outside_cryptomap extended permit ip any 10.10.0.0 255.255.0.0
access-list outside_cryptomap extended permit ip 172.16.5.0 255.255.255.0 172.16.4.0 255.255.255.0
access-list outside_cryptomap extended permit ip 172.16.4.0 255.255.255.0 172.16.5.0 255.255.255.0
access-list outside_cryptomap extended permit ip 172.16.3.0 255.255.255.0 172.16.5.0 255.255.255.0
access-list outside_cryptomap extended permit ip 172.16.5.0 255.255.255.0 172.16.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.5.0 255.255.255.0 172.17.5.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.17.5.0 255.255.255.0 172.16.5.0 255.255.255.0
access-list inside_nat0_outbound extended permit tcp 172.17.5.0 255.255.255.0 172.16.5.0 255.255.255.0
access-list inside_nat0_outbound extended permit tcp 172.16.5.0 255.255.255.0 172.17.5.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list acl-amzn
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 40.139.91.233 1
route inside 172.16.2.0 255.255.255.0 172.16.5.1 1
route inside 172.16.3.0 255.255.255.0 172.16.5.1 1
route inside 172.16.4.0 255.255.255.0 172.16.5.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http server idle-timeout 1440
http 192.168.1.0 255.255.255.0 inside
http 172.16.0.0 255.255.0.0 inside
http 216.43.24.82 255.255.255.255 outside
http 64.199.141.26 255.255.255.255 outside
snmp-server host inside 10.10.10.20 community mlogic
snmp-server location 3100 Communications room
no snmp-server contact
snmp-server community mlogic
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection timewait
sysopt connection tcpmss 1387
sla monitor 1
type echo protocol ipIcmpEcho 10.10.0.1 interface outside
frequency 5
sla monitor schedule 1 life forever start-time now
crypto ipsec transform-set transform-amzn esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec security-association replay window-size 128
crypto ipsec df-bit clear-df outside
crypto map amzn_vpn_map 1 match address acl-amzn
crypto map amzn_vpn_map 1 set pfs
crypto map amzn_vpn_map 1 set peer 54.240.217.164 72.21.209.193
crypto map <amzn_vpn_map> 1 match address acl-amzn
crypto map <amzn_vpn_map> 1 set pfs
crypto map <amzn_vpn_map> 1 set peer 54.240.217.164 72.21.209.193
crypto map <amzn_vpn_map> 1 set transform-set transform-amzn
crypto map <amzn_vpn_map> interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 201
authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800
telnet timeout 5
ssh 172.16.0.0 255.255.0.0 inside
ssh x.x.x.x 255.255.255.255 outside
ssh x.x.x.x 255.255.255.255 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 216.171.120.36 source outside
webvpn
group-policy filter internal
group-policy filter attributes
vpn-filter value amzn-filter
username mlsysadmin password E9OpTNVP3nVbSPSb encrypted privilege 15
username mlsysadmin attributes
vpn-group-policy DfltGrpPolicy
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
ipv6-vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec svc
password-storage disable
group-lock none
tunnel-group 54.240.217.164 type ipsec-l2l
tunnel-group 54.240.217.164 general-attributes
default-group-policy filter
tunnel-group 54.240.217.164 ipsec-attributes
pre-shared-key IySxccNmUch6G3dVSgEwBjjGX7bOAcO3
isakmp keepalive threshold 10 retry 3
tunnel-group 72.21.209.193 type ipsec-l2l
tunnel-group 72.21.209.193 general-attributes
default-group-policy filter
tunnel-group 72.21.209.193 ipsec-attributes
pre-shared-key vy.pOkCV01pEtmxe.QNk96xK6Uo_2tD.
isakmp keepalive threshold 10 retry 3
class-map NORAND
match access-list inside_mpc
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
policy-map NORAND
class NORAND
set connection random-sequence-number disable
set connection advanced-options tcp-state-bypass
policy-map TRAFFIC_SHAPING
class class-default
shape average 100000000
service-policy global_policy global
service-policy NORAND interface inside
service-policy TRAFFIC_SHAPING interface outside
smtp-server 206.225.164.242
prompt hostname context
no call-home reporting anonymous
: end
Here are show interface command outputs:
fw01# show interface ethernet 0/0
Interface Ethernet0/0 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is unsupported
Available but not configured via nameif
MAC address fc5b.397f.dbd5, MTU not set
IP address unassigned
23888810 packets input, 6278082364 bytes, 0 no buffer
Received 7728 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
35886 switch ingress policy drops
42947220 packets output, 57958727970 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 rate limit drops
0 switch egress policy drops
0 input reset drops, 0 output reset drops
fw01# show interface ethernet 0/1
Interface Ethernet0/1 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is unsupported
Available but not configured via nameif
MAC address fc5b.397f.dbd6, MTU not set
IP address unassigned
59448427 packets input, 58925402473 bytes, 0 no buffer
Received 547758 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
58718 switch ingress policy drops
37419921 packets output, 8188660665 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 rate limit drops
0 switch egress policy drops
0 input reset drops, 0 output reset drops
When we connect a laptop to the router directly, we are able to get the expected speeds. When we connect through the ASA, download speed is topping out around 16mb, while upload is a consistent 75mb+
Have you tried running without the "service-policy TRAFFIC_SHAPING interface outside"? Just to check.
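Both ASA threads above turn on whether interface error counters grow during a transfer, and the Ethernet0/0 output posted here shows a non-zero "switch ingress policy drops" counter next to an all-zero input-error line. The Python below is an added example, not code from either thread: it diffs two `show interface` snapshots, where the first is the Ethernet0/0 output as posted, the second is constructed for illustration, and the function names are assumptions of this example.

```python
import re

# Traffic-volume counters always grow under load and say nothing about faults.
VOLUME = {"packets input", "packets output", "bytes", "broadcasts"}
SEGMENT = re.compile(r"^(?:Received\s+)?(\d+)\s+(\D.*)$")
HEADER = re.compile(r"^Interface\s+(\S+)")


def parse_show_interface(text):
    """Return {interface: {counter: value}} for the error and drop counters."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        header = HEADER.match(line)
        if header:
            current = result.setdefault(header.group(1), {})
            continue
        if current is None:
            continue
        # Counter lines are comma-separated "<number> <label>" segments.
        for segment in line.split(","):
            m = SEGMENT.match(segment.strip())
            if m and m.group(2) not in VOLUME:
                current[m.group(2)] = int(m.group(1))
    return result


def nonzero(snapshot):
    """Counters that are already non-zero in a single snapshot."""
    return {i: {k: v for k, v in c.items() if v} for i, c in snapshot.items()}


def increased(before, after):
    """Counters that grew between two snapshots, with the size of the increase."""
    deltas = {}
    for iface, counters in after.items():
        base = before.get(iface, {})
        grown = {k: v - base.get(k, 0)
                 for k, v in counters.items() if v > base.get(k, 0)}
        if grown:
            deltas[iface] = grown
    return deltas


# Snapshot 1: the Ethernet0/0 output as posted in the thread.
BEFORE = """\
Interface Ethernet0/0 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is unsupported
Available but not configured via nameif
MAC address fc5b.397f.dbd5, MTU not set
IP address unassigned
23888810 packets input, 6278082364 bytes, 0 no buffer
Received 7728 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
35886 switch ingress policy drops
42947220 packets output, 57958727970 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 rate limit drops
0 switch egress policy drops
0 input reset drops, 0 output reset drops
"""

# Snapshot 2: constructed values standing in for output taken after a test transfer.
AFTER = """\
Interface Ethernet0/0 "", is up, line protocol is up
24101522 packets input, 6301200411 bytes, 0 no buffer
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
36010 switch ingress policy drops
43390118 packets output, 58601340022 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
"""

if __name__ == "__main__":
    first = parse_show_interface(BEFORE)
    print("non-zero now:", nonzero(first))
    print("grew during transfer:", increased(first, parse_show_interface(AFTER)))
```

A counter that is non-zero but flat across the transfer is history; one that grows while the download runs is the one to chase.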
-
Hulu and Verizon Authentication Is No Longer Working
I want to say that this process has been working flawlessly until the beginning of the month, which coincides with the new release of the Verizon website redesign. The feature I am specifically talking about is the authentication that Hulu has to do with providers so that Hulu users can watch Fox shows. You can read more about it here:
http://www.hulu.com/support/article/20362238
As I mentioned previously, this authentication that needs to happen before Fox content can be watched has been working flawlessly until a recent change on the Verizon side broke it. Here is the message that I receive back from Verizon when using my credentials to authenticate (the same credentials I use to log in to the forum and view my account information).
The problem with this message is that I am a Hulu subscriber, because I wouldn't be able to get to this authentication window if I wasn't. And why would Verizon care if I am a Hulu subscriber or not, the job of this form is to authenticate me so that I can watch Fox, not authenticate me as a Hulu user, that is Hulu's job. In addition, I am a long time Prime subscriber for my TV package.
When I call Hulu they say it is Verizon's problem, which I believe is the case given the formatting of the response message, the logo, and the copyright. When I call Verizon support they have no idea what Hulu is, and I have to explain it to them, which obviously doesn't start the conversation off well. And they say it isn't their problem, because they can't find the issue in their support database. I have had a couple of calls and web chats with the same exact result of them not being able to help me, because they can't find anything about Hulu in their system.
I am stuck and reaching out to the forum in hopes that there is a Verizon rep which can help me track this down. Because I am not the only user experiencing this issue.
http://forums.verizon.com/t5/General-Residential-Products-and/Hulu-Plus-and-Verizon-and-failures-oh-...
If you can help me track this error message down I will be truly grateful.
To continue, you will need to become a HULU subscriber. HULU is available as part of the FiOS TV Prime package. Please upgrade to this package now.
Here is my plan info:
FiOS TV Prime HD
FiOS Internet Speeds Up to 25 Mbps/25 Mbps
FiOS Digital Voice - Unlimited Plan
Thanks and please feel free to contact me if you want more information.
Hi zigamorph,
Please go to your profile page for the forum by clicking on your name, and look down the middle towards the bottom where you will find an area titled "My Private Support Cases".
There you will find a link to the private board where you and the agent may exchange information. This should be checked on a frequent basis as the agent may be waiting for information from you before they can proceed with any actions. Please keep all correspondence regarding your issue in the private support portal.
Regards,
AnnieS -
IOS 6.0.1 - Problems with certificate based authentication on wireless access point
Hi all
We have been using iPad 2s as order terminals in our shops for about 5 months. Some of the iPads (the first to enter the field) have now started to cause problems. These iPads are no longer able to keep a long-term connection to the wireless access point in our stores. After selecting the SSID, a successful authentication using the stored EAP-TLS certificate is performed (this can be seen in the log files of our wireless controller and by the IP address that is given by DHCP). But within seconds the affected iPads open up a captive portal page (empty, without contents) and disconnect from the SSID again after a short time.
Currently only iPad 2s with iOS 6.0.1, which were staged about 5 months ago, are affected. The newer devices with iOS 6.1+ connect without problems and open no captive portal page. The first cases occurred last Wednesday. Before that everything worked without difficulty. No modifications took place on the security structure. The number of affected devices increased until all iOS 6.0.1 devices were affected.
Access to other SSIDs (without use of certificates, by entering a key) is still possible for the devices (the devices do not open a captive portal page). The DHCP scope is not used up, so there are enough IP addresses available.
"Newer iPads" with an iOS of 6.1+ are showing no problems on the same wireless access point where the older devices are rejected. New and old devices use the same certificates and authentication mechanisms.
In the analysis of the issue, it turned out that the problem can be solved by an update to iOS 6.1.3. Subsequently, the iPads will be able to rebuild a connection with the access point, without a captive portal page.
Since the bandwidth in our stores is very narrowly dimensioned, the communication of the iPads was severely restricted. Thus the iPads are, for example, accessible for the APNS but cannot find iOS updates or check for their availability.
A comprehensive update to iOS 6.1.3 is currently excluded.
Does anyone know this issue? What else can be done (except for updating)?
I will answer my own question in case it helps anyone else.
It would "seem" the ios 6 devices try the proxy and if that is not working they resort to the def gateway.
To Fix I did the following:
Brocade WIFI network has IPS and Advanced Firewall rules that seemed to be thwarting some traffic, the iphones would then try the default gateway and be blocked at the FW.
I disabled the IPS and the Advanced Firewall Settings on the wifi as they are redundant to our main IPS and firewall that all traffic flows through anyway. I will tune it later, but when the CEO is demanding a fix "**** the security, full speed ahead"
Created some rules on the firewall to allow...
- IMAP-SSL (port993) outbound
- SMTPS (port 465) to yahoo servers outbound
- tcp port 587 to yahoo servers outbound
- https to akamai servers
Most http and https goes through the proxy as it should, BUT...
It seems that the akamai traffic always ignores the wifi proxy settings and just heads straight for the default gateway. I suspect there is a bug in the icloud app?
Hope this helps someone else.
-Bo -
Some 6 weeks ago I had an issue with losing my internet connection completely, and eventually after a long session with the help desk I managed to reconnect using the direct port on the main phone socket. However, since then I have had a speed issue and I've been only getting speeds in the order of 2.3Mb.
However running the BT speed test tells me that the connection to my Home Hub 3 is running at 8.13Mb, but the connection to my computer is running at 2.18Mb.
I have tried everything I can think of. Followed all the advice to improve the connection but nothing works. Resetting the Home Hub, resetting the factory defaults. I've closed down every program running in the background, disconnected the rest of the hardwired network, fitted a new shorter cat 6 cable. All to no avail. The speed still stays firmly at 2.18 to 2.15 down and 0.37 up.
Could there be a fault with my Home Hub?
Thanks for any advice.
Roy
23:38:00, 29 Jul.
( 5932.320000) CWMP: Session start now. Event code(s): '4 VALUE CHANGE'
23:37:29, 29 Jul.
( 5901.890000) CWMP: session closed due to error: No response
23:37:28, 29 Jul.
( 5900.920000) CWMP: Server URL: https://pbthdm.bt.mo; Connecting as user: ACS username
23:37:28, 29 Jul.
( 5900.910000) CWMP: Session start now. Event code(s): '4 VALUE CHANGE'
23:37:28, 29 Jul.
( 5900.480000) CWMP: Initializing transaction for event code 4 VALUE CHANGE
23:37:24, 29 Jul.
( 5896.840000) DSL is down after 2 minutes uptime
23:37:24, 29 Jul.
( 5896.840000) ETHoA is down after 2 minutes uptime
23:37:24, 29 Jul.
( 5896.200000) PPPoA is down after 2 minutes uptime [Waiting for Underlying Connection (WAN DSL - Up)]
23:37:20, 29 Jul.
( 5892.820000) PPP LCP Send Termination Request [User request]
23:36:35, 29 Jul.
( 5847.820000) CWMP: session completed successfully
23:36:34, 29 Jul.
( 5846.940000) CWMP: HTTP authentication success from https://pbthdm.bt.mo
23:36:32, 29 Jul.
IN: BLOCK [16] Remote administration (TCP [116.10.191.167]:6000->[81.154.29.9]:22 on ppp0)
23:36:32, 29 Jul.
( 5844.670000) CWMP: Server URL: https://pbthdm.bt.mo; Connecting as user: ACS username
23:36:32, 29 Jul.
( 5844.660000) CWMP: Session start now. Event code(s): '6 CONNECTION REQUEST,4 VALUE CHANGE'
23:36:32, 29 Jul.
( 5844.050000) CWMP: Initializing transaction for event code 6 CONNECTION REQUEST
23:35:08, 29 Jul.
( 5760.150000) CWMP: session completed successfully
23:35:07, 29 Jul.
( 5759.850000) CWMP: HTTP authentication success from https://pbthdm.bt.mo
23:34:55, 29 Jul.
( 5746.980000) CWMP: Server URL: https://pbthdm.bt.mo; Connecting as user: ACS username
23:34:55, 29 Jul.
( 5746.970000) CWMP: Session start now. Event code(s): '4 VALUE CHANGE'
23:34:48, 29 Jul.
( 5740.780000) PPP IPCP Receive Configuration ACK
23:34:48, 29 Jul.
( 5740.580000) PPP IPCP Send Configuration ACK
23:34:48, 29 Jul.
( 5740.580000) PPP IPCP Receive Configuration Request
23:34:48, 29 Jul.
( 5740.290000) PPP IPCP Send Configuration Request
23:34:48, 29 Jul.
( 5740.290000) PPP IPCP Receive Configuration NAK
23:34:47, 29 Jul.
( 5739.870000) PPP IPCP Send Configuration ACK
23:34:47, 29 Jul.
( 5739.870000) PPP IPCP Receive Configuration Request
23:34:47, 29 Jul.
( 5738.990000) PPP IPCP Send Configuration ACK
23:34:47, 29 Jul.
( 5738.990000) PPP IPCP Receive Configuration Request
23:34:45, 29 Jul.
( 5737.420000) PPP IPCP Send Configuration Request
23:34:45, 29 Jul.
( 5737.410000) WAN operating mode is DSL
23:34:45, 29 Jul.
( 5737.410000) Last WAN operating mode was DSL
23:34:43, 29 Jul.
( 5735.310000) PPPoA is up - VPI: 0, VCI:38
23:34:43, 29 Jul.
( 5735.290000) CHAP authentication successful
23:34:43, 29 Jul.
( 5735.260000) CHAP Receive Challenge
23:34:43, 29 Jul.
( 5735.250000) Starting CHAP authentication with peer
23:34:43, 29 Jul.
( 5735.250000) PPP LCP Receive Configuration ACK
23:34:43, 29 Jul.
( 5735.240000) PPP LCP Send Configuration Request
23:34:42, 29 Jul.
( 5734.110000) PPP LCP Send Configuration ACK
23:34:42, 29 Jul.
( 5734.110000) PPP LCP Receive Configuration Request
23:34:40, 29 Jul.
( 5732.210000) PPP LCP Send Configuration ACK
23:34:40, 29 Jul.
( 5732.210000) PPP LCP Receive Configuration Request
23:34:40, 29 Jul.
( 5732.090000) PPP LCP Send Configuration Request
23:34:37, 29 Jul.
( 5729.230000) ETHoA is up - VPI: 0, VCI:35
23:34:37, 29 Jul.
( 5729.230000) DSL is up
23:34:36, 29 Jul.
( 5728.350000) DSL noise margin: 21.00 dB upstream, 10.90 dB downstream
23:34:36, 29 Jul.
( 5728.280000) DSL line rate: 448 Kbps upstream, 8128 Kbps downstream
23:34:12, 29 Jul.
( 5704.670000) CWMP: session closed due to error: No response
23:34:12, 29 Jul.
( 5704.640000) CWMP: Server URL: https://pbthdm.bt.mo; Connecting as user: ACS username
23:34:12, 29 Jul.
( 5704.630000) CWMP: Session start now. Event code(s): '4 VALUE CHANGE'
23:33:42, 29 Jul.
( 5674.150000) CWMP: session closed due to error: No response
23:33:41, 29 Jul.
( 5673.000000) CWMP: Server URL: https://pbthdm.bt.mo; Connecting as user: ACS username
23:33:41, 29 Jul.
( 5672.990000) CWMP: Session start now. Event code(s): '4 VALUE CHANGE'
23:33:40, 29 Jul.
( 5672.560000) CWMP: Initializing transaction for event code 4 VALUE CHANGE
23:33:36, 29 Jul.
( 5668.110000) DSL is down after 92 minutes uptime
23:33:36, 29 Jul.
( 5668.100000) ETHoA is down after 92 minutes uptime
23:33:35, 29 Jul.
( 5667.670000) PPPoA is down after 92 minutes uptime [Waiting for Underlying Connection (WAN DSL - Up)]
23:33:32, 29 Jul.
( 5664.200000) PPP LCP Send Termination Request [User request]
23:29:51, 29 Jul.
OUT: BLOCK [7] ICMP replay (ICMP type 3 code 1 81.153.31.203->69.171.248.65 on ppp0)
23:28:50, 29 Jul.
( 5382.020000) CWMP: session completed successfully
23:28:48, 29 Jul.
( 5380.950000) CWMP: HTTP authentication success from https://pbthdm.bt.mo
23:28:46, 29 Jul.
( 5378.860000) CWMP: Server URL: https://pbthdm.bt.mo; Connecting as user: ACS username
23:28:46, 29 Jul.
( 5378.850000) CWMP: Session start now. Event code(s): '6 CONNECTION REQUEST,4 VALUE CHANGE'
23:28:46, 29 Jul.
( 5378.230000) CWMP: Initializing transaction for event code 6 CONNECTION REQUEST
23:26:03, 29 Jul.
( 5215.090000) CWMP: session completed successfully
23:26:02, 29 Jul.
This is some of the event log. -
My MacBook Pro is running slowly. I run Mountain Lion on it. I received the following report from Etrecheck. Can someone help me decipher it and provide me with steps to fix the slow speed?
Problem description:
slow computer
EtreCheck version: 2.0.11 (98)
Report generated November 15, 2014 2:57:16 PM EST
Hardware Information: ℹ️
MacBook Pro (15-inch, Mid 2012) (Verified)
MacBook Pro - model: MacBookPro9,1
1 2.3 GHz Intel Core i7 CPU: 4-core
4 GB RAM
BANK 0/DIMM0
2 GB DDR3 1600 MHz ok
BANK 1/DIMM0
2 GB DDR3 1600 MHz ok
Bluetooth: Good - Handoff/Airdrop2 supported
Wireless: en1: 802.11 a/b/g/n
Video Information: ℹ️
Intel HD Graphics 4000 - VRAM: 384 MB
NVIDIA GeForce GT 650M - VRAM: 512 MB
Color LCD 1440 x 900
System Software: ℹ️
OS X 10.8.5 (12F45) - Uptime: 6 days 7:45:47
Disk Information: ℹ️
TOSHIBA MK5065GSXF disk0 : (500.11 GB)
S.M.A.R.T. Status: Verified
disk0s1 (disk0s1) <not mounted> : 210 MB
Macintosh HD (disk0s2) / [Startup]: 499.25 GB (25.67 GB free)
Recovery HD (disk0s3) <not mounted> [Recovery]: 650 MB
HL-DT-ST DVDRW GS31N
USB Information: ℹ️
Apple Inc. FaceTime HD Camera (Built-in)
Apple Inc. BRCM20702 Hub
Apple Inc. Bluetooth USB Host Controller
Apple Computer, Inc. IR Receiver
Apple Inc. Apple Internal Keyboard / Trackpad
Thunderbolt Information: ℹ️
Apple Inc. thunderbolt_bus
Gatekeeper: ℹ️
Mac App Store and identified developers
Kernel Extensions: ℹ️
/Applications/Rowmote Helper.app
[loaded] com.regularrateandrhythm.driver.RowmoteIREmu (1.0 - SDK 10.8) Support
/System/Library/Extensions
[not loaded] com.smarttech.iokit.SMARTBoard (11) Support
[not loaded] com.tectona.driver.PL2303 (1.3.0) Support
[loaded] com.webroot.driver.WebrootSecureAnywhere (54 - SDK 10.7) Support
Problem System Launch Agents: ℹ️
[failed] com.apple.accountsd.plist
[failed] com.apple.AirPlayUIAgent.plist
[failed] com.apple.coreservices.appleid.authentication.plist
[failed] com.apple.lookupd.plist
[failed] com.apple.printtool.agent.plist
[failed] com.apple.scopedbookmarkagent.xpc.plist
Problem System Launch Daemons: ℹ️
[failed] com.apple.coresymbolicationd.plist
[failed] com.apple.wdhelper.plist
Launch Agents: ℹ️
[loaded] com.oracle.java.Java-Updater.plist Support
[running] com.smarttech.boardservice.plist Support
[running] com.smarttech.floatingtools.plist Support
[running] com.smarttech.ink.plist Support
[running] com.smarttech.SBWDKService.plist Support
[running] com.smarttech.smartnotification.plist Support
[running] com.smarttech.systemtrayicon.plist Support
[running] com.webroot.WRMacApp.plist Support
[running] com.webroot.WRMacBackNSync.plist Support
Launch Daemons: ℹ️
[loaded] com.adobe.fpsaud.plist Support
[loaded] com.microsoft.office.licensing.helper.plist Support
[loaded] com.oracle.java.Helper-Tool.plist Support
[running] com.regularrateandrhythm.rowmotehelperaide.plist Support
[running] com.webroot.security.mac.plist Support
[running] com.webroot.webfilter.mac.plist Support
User Launch Agents: ℹ️
[loaded] com.google.keystone.agent.plist Support
[running] com.spotify.webhelper.plist Support
User Login Items: ℹ️
Garmin Express Service UNKNOWN (missing value)
iTunesHelper ApplicationHidden (/Applications/iTunes.app/Contents/MacOS/iTunesHelper.app)
Dropbox Application (/Applications/Dropbox.app)
Spotify Application (/Applications/Spotify.app)
Google Chrome ApplicationHidden (/Applications/Google Chrome.app)
Rowmote Helper Application (/Applications/Rowmote Helper.app)
Internet Plug-ins: ℹ️
Flip4Mac WMV Plugin: Version: 3.2.0.16 - SDK 10.8 Support
FlashPlayer-10.6: Version: 15.0.0.223 - SDK 10.6 Support
npwebroot: Version: 2.0.15 Support
AdobePDFViewerNPAPI: Version: 11.0.06 - SDK 10.6 Support
Flash Player: Version: 15.0.0.223 - SDK 10.6 Support
AdobePDFViewer: Version: 11.0.06 - SDK 10.6 Support
QuickTime Plugin: Version: 7.7.1
SharePointBrowserPlugin: Version: 14.4.5 - SDK 10.6 Support
Unity Web Player: Version: UnityPlayer version 4.5.1f3 - SDK 10.6 Support
Silverlight: Version: 5.1.20513.0 - SDK 10.6 Support
JavaAppletPlugin: Version: Java 7 Update 51 Check version
Safari Extensions: ℹ️
Password Manager
webfilter
3rd Party Preference Panes: ℹ️
Flash Player Support
Flip4Mac WMV Support
Java Support
SMART Board Support
Time Machine: ℹ️
Time Machine not configured!
Top Processes by CPU: ℹ️
3% WindowServer
2% iPhoto
2% mds
2% mdworker
1% Google Chrome
Top Processes by Memory: ℹ️
382 MB Mail
275 MB WebProcess
107 MB Google Chrome
103 MB WindowServer
99 MB Google Chrome Helper
Virtual Memory Information: ℹ️
270 MB Free RAM
1.50 GB Active RAM
1.30 GB Inactive RAM
1.22 GB Wired RAM
20.97 GB Page-ins
8.64 GB Page-outs
Hi Linc
I hope this is what you were after. Looking forward to hearing your feedback.
Thanks, Susanna.
11/16/14 12:36:02.738 PM com.apple.XType.FontHelper[91728]: FontHelper: message received. (<dictionary: 0x7fbb9b606ce0> { count = 2, contents =
"query" => <string: 0x7fbb9b605720> { length = 109, contents = "com_apple_ats_name_postscript == "Roboto-Regular" && kMDItemContentTypeTree != com.adobe.postscript-lwfn-font" }
"restricted" => <bool: 0x7fff7912f320>: true
11/16/14 12:36:02.738 PM com.apple.XType.FontHelper[91728]: AutoActivation: scopes (
"/Library/Application Support/Apple/Fonts"
11/16/14 12:36:02.878 PM com.apple.XType.FontHelper[91728]: FontHelper: message received. (<dictionary: 0x7fbb9a41d950> { count = 2, contents =
"query" => <string: 0x7fbb9a41d2e0> { length = 108, contents = "com_apple_ats_name_postscript == "Roboto-Medium" && kMDItemContentTypeTree != com.adobe.postscript-lwfn-font" }
"restricted" => <bool: 0x7fff7912f320>: true
11/16/14 12:36:02.878 PM com.apple.XType.FontHelper[91728]: AutoActivation: scopes (
"/Library/Application Support/Apple/Fonts"
11/16/14 12:36:02.889 PM com.apple.XType.FontHelper[91728]: FontHelper: message received. (<dictionary: 0x7fbb9b102580> { count = 2, contents =
"query" => <string: 0x7fbb9b100580> { length = 107, contents = "com_apple_ats_name_postscript == "Roboto-Light" && kMDItemContentTypeTree != com.adobe.postscript-lwfn-font" }
"restricted" => <bool: 0x7fff7912f320>: true
11/16/14 12:36:02.889 PM com.apple.XType.FontHelper[91728]: AutoActivation: scopes (
"/Library/Application Support/Apple/Fonts"
11/16/14 12:36:02.898 PM com.apple.XType.FontHelper[91728]: FontHelper: message received. (<dictionary: 0x7fbb9a41d1d0> { count = 2, contents =
"query" => <string: 0x7fbb9a41d2e0> { length = 106, contents = "com_apple_ats_name_postscript == "Roboto-Bold" && kMDItemContentTypeTree != com.adobe.postscript-lwfn-font" }
"restricted" => <bool: 0x7fff7912f320>: true
11/16/14 12:36:02.898 PM com.apple.XType.FontHelper[91728]: AutoActivation: scopes (
"/Library/Application Support/Apple/Fonts"
11/16/14 12:36:03.000 PM kernel[0]: memorystatus_thread: idle exiting pid 91723 [cfprefsd]
11/16/14 12:36:03.784 PM com.apple.launchd[1]: (com.apple.sleepservicesd[91721]) Exited: Killed: 9
11/16/14 12:36:03.000 PM kernel[0]: memorystatus_thread: idle exiting pid 91721 [SleepServicesD]
11/16/14 12:36:08.471 PM com.apple.launchd.peruser.501[159]: (com.apple.tccd[91730]) Exited: Killed: 9
11/16/14 12:36:08.000 PM kernel[0]: memorystatus_thread: idle exiting pid 91730 [tccd]
11/16/14 12:36:09.592 PM com.apple.launchd[1]: (com.apple.xpcd.F5010000-0000-0000-0000-000000000000[91727]) Exited: Killed: 9
11/16/14 12:36:09.000 PM kernel[0]: memorystatus_thread: idle exiting pid 91727 [xpcd]
11/16/14 12:36:13.129 PM com.apple.launchd[1]: (com.apple.XType.FontHelper[91728]) Exited: Killed: 9
11/16/14 12:36:13.000 PM kernel[0]: memorystatus_thread: idle exiting pid 91728 [XType.FontHelper]
11/16/14 12:36:14.996 PM com.apple.launchd[1]: (com.apple.sleepservicesd[91739]) Exited: Killed: 9
11/16/14 12:36:14.000 PM kernel[0]: memorystatus_thread: idle exiting pid 91739 [SleepServicesD]
11/16/14 12:36:20.120 PM com.apple.launchd[1]: (com.apple.cfprefsd.xpc.daemon[76618]) Exited: Killed: 9
11/16/14 12:36:20.000 PM kernel[0]: memorystatus_thread: idle exiting pid 76618 [cfprefsd]
11/16/14 12:36:23.433 PM com.apple.launchd.peruser.501[159]: (com.apple.cfprefsd.xpc.agent[76616]) Exited: Killed: 9
11/16/14 12:36:23.000 PM kernel[0]: memorystatus_thread: idle exiting pid 76616 [cfprefsd]
11/16/14 12:36:26.261 PM com.apple.launchd[1]: (com.apple.sleepservicesd[91752]) Exited: Killed: 9
11/16/14 12:36:26.000 PM kernel[0]: memorystatus_thread: idle exiting pid 91752 [SleepServicesD]
11/16/14 12:36:37.691 PM com.apple.launchd[1]: (com.apple.sleepservicesd[91764]) Exited: Killed: 9
11/16/14 12:36:38.000 PM kernel[0]: memorystatus_thread: idle exiting pid 91764 [SleepServicesD]
11/16/14 12:36:48.938 PM com.apple.launchd[1]: (com.apple.sleepservicesd[91777]) Exited: Killed: 9
11/16/14 12:36:49.000 PM kernel[0]: memorystatus_thread: idle exiting pid 91777 [SleepServicesD]
11/16/14 12:37:01.000 PM kernel[0]: memorystatus_thread: idle exiting pid 91788 [SleepServicesD]
11/16/14 12:37:00.821 PM com.apple.launchd[1]: (com.apple.sleepservicesd[91788]) Exited: Killed: 9
11/16/14 12:37:04.000 PM kernel[0]: memorystatus_thread: idle exiting pid 91706 [distnoted]
11/16/14 12:37:15.656 PM com.apple.launchd[1]: (com.apple.sleepservicesd[91795]) Exited: Killed: 9
11/16/14 12:37:15.000 PM kernel[0]: memorystatus_thread: idle exiting pid 91795 [SleepServicesD]
11/16/14 12:37:27.016 PM ReportCrash[91819]: Failed to create CSSymbolicatorRef for Webroot SecureAnywhere[264]
11/16/14 12:37:27.125 PM ReportCrash[91819]: Failed to create dSYM-less CSSymbolicatorRef for Webroot SecureAnywhere[264]
11/16/14 12:37:27.487 PM com.apple.launchd.peruser.501[159]: (com.webroot.WRMacApp[264]) Job appears to have crashed: Segmentation fault: 11
11/16/14 12:37:30.336 PM com.apple.launchd[1]: (WSDaemon[61]) Exited abnormally: Broken pipe: 13
11/16/14 12:37:34.295 PM WindowServer[79]: CGXDisableUpdate: UI updates were forcibly disabled by application "iPhoto" for over 1.00 seconds. Server has re-enabled them.
11/16/14 12:37:34.594 PM WindowServer[79]: reenable_update_for_connection: UI updates were finally reenabled by application "iPhoto" after 1.30 seconds (server forcibly re-enabled them after 1.00 seconds)
11/16/14 12:37:37.648 PM ReportCrash[91819]: Saved crash report for Webroot SecureAnywhere[264] version 8.0.7.78 (8.0.7.78) to /Users/landerson/Library/Logs/DiagnosticReports/Webroot SecureAnywhere_2014-11-16-123737_lukes-MacBook-Pro.crash
11/16/14 12:37:42.660 PM WindowServer[79]: CGXDisableUpdate: UI updates were forcibly disabled by application "iPhoto" for over 1.00 seconds. Server has re-enabled them.
11/16/14 12:37:43.632 PM WindowServer[79]: reenable_update_for_connection: UI updates were finally reenabled by application "iPhoto" after 1.97 seconds (server forcibly re-enabled them after 1.00 seconds)
11/16/14 12:37:50.783 PM WSDaemon[91822]: CGSRegisterConnectionNotifyProc called with invalid connection
11/16/14 12:38:09.909 PM Problem Reporter[91853]: launch_msg returned m -
Machine authentication in Aironet
I'm trying to authenticate laptops to Active Directory before joining the wireless AP (Aironet 1240A).
I'm using EAP in the AP
and PEAP with certificates in NPS.
I'm forcing laptops to use "computer authentication" through a GPO.
Certificates are already deployed to all machines.
The policy is configured in NPS with a "machine group" condition.
The problem I'm facing is that some laptops are authenticated successfully while the others are not.
All machines are using Windows 7 and are located in the same Active Directory OU (same GPO applied).
Here is what I saw in the AP after enabling debug radius authentication:
The working machines:
*Mar 4 20:25:34.125: RADIUS/ENCODE(00000009):Orig. component type = DOT11
*Mar 4 20:25:34.125: RADIUS: AAA Unsupported Attr: ssid [265] 9
*Mar 4 20:25:34.126: RADIUS: 63 6F 72 70 6F 72 61 [corpora]
*Mar 4 20:25:34.126: RADIUS: AAA Unsupported Attr: interface [157] 3
*Mar 4 20:25:34.126: RADIUS: 32 [2]
*Mar 4 20:25:34.126: RADIUS(00000009): Config NAS IP: X.Y.64.229
*Mar 4 20:25:34.126: RADIUS/ENCODE(00000009): acct_session_id: 8
*Mar 4 20:25:34.126: RADIUS(00000009): Config NAS IP: X.Y.64.229
*Mar 4 20:25:34.126: RADIUS(00000009): sending
*Mar 4 20:25:34.127: RADIUS(00000009): Send Access-Request to X.Y.64.30:1812 id 1645/8, len 160
*Mar 4 20:25:34.127: RADIUS: authenticator AC E6 88 FF CD B5 F3 CE - EA 56 67 37 2F 72 B5 C5
*Mar 4 20:25:34.127: RADIUS: User-Name [1] 23 "host/FADI-LT.domain.com"
*Mar 4 20:25:34.127: RADIUS: Framed-MTU [12] 6 1400
*Mar 4 20:25:34.128: RADIUS: Called-Station-Id [30] 16 "0027.0c68.1dc0"
*Mar 4 20:25:34.128: RADIUS: Calling-Station-Id [31] 16 "0811.9699.ba30"
*Mar 4 20:25:34.128: RADIUS: Service-Type [6] 6 Login [1]
*Mar 4 20:25:34.128: RADIUS: Message-Authenticato[80] 18
*Mar 4 20:25:34.128: RADIUS: 1C 45 ED 5A 5D 1E DA 88 73 E5 D3 16 9F A2 62 A9 [?E?Z]???s?????b?]
*Mar 4 20:25:34.128: RADIUS: EAP-Message [79] 28
*Mar 4 20:25:34.128: RADIUS: 02 02 00 1A 01 68 6F 73 74 2F 46 41 44 49 2D 4C [?????host/FADI-L]
*Mar 4 20:25:34.129: RADIUS: 54 2E 61 64 61 73 69 2E 61 65 [T.domain.com]
*Mar 4 20:25:34.129: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
*Mar 4 20:25:34.129: RADIUS: NAS-Port [5] 6 263
*Mar 4 20:25:34.129: RADIUS: NAS-Port-Id [87] 5 "263"
*Mar 4 20:25:34.129: RADIUS: NAS-IP-Address [4] 6 10.10.64.229
*Mar 4 20:25:34.129: RADIUS: Nas-Identifier [32] 4 "AP"
*Mar 4 20:25:34.166: RADIUS: Received from id 1645/8 10.10.64.30:1812, Access-Challenge, len 90
*Mar 4 20:25:34.167: RADIUS: authenticator 36 94 18 74 91 6F AA 0E - D4 D7 DC 48 A8 53 43 68
*Mar 4 20:25:34.167: RADIUS: Session-Timeout [27] 6 30
*Mar 4 20:25:34.167: RADIUS: EAP-Message [79] 8
*Mar 4 20:25:34.167: RADIUS: 01 03 00 06 0D 20 [????? ]
*Mar 4 20:25:34.167: RADIUS: State [24] 38
The non-working machines:
*Mar 4 20:26:18.949: RADIUS/ENCODE(0000000A):Orig. component type = DOT11
*Mar 4 20:26:18.949: RADIUS: AAA Unsupported Attr: ssid [265] 9
*Mar 4 20:26:18.949: RADIUS: 63 6F 72 70 6F 72 61 [corpora]
*Mar 4 20:26:18.949: RADIUS: AAA Unsupported Attr: interface [157] 3
*Mar 4 20:26:18.949: RADIUS: 32 [2]
*Mar 4 20:26:18.949: RADIUS(0000000A): Config NAS IP: X.Y.64.229
*Mar 4 20:26:18.950: RADIUS/ENCODE(0000000A): acct_session_id: 9
*Mar 4 20:26:18.950: RADIUS(0000000A): Config NAS IP: X.Y.64.229
*Mar 4 20:26:18.950: RADIUS(0000000A): sending
*Mar 4 20:26:18.950: RADIUS(0000000A): Send Access-Request to X.Y.64.30:1812 id 1645/11, len 150
*Mar 4 20:26:18.951: RADIUS: authenticator 17 64 A0 78 8E 49 12 7C - 79 8A 55 17 79 1F D5 A1
*Mar 4 20:26:18.951: RADIUS: User-Name [1] 18 "domain\username"
*Mar 4 20:26:18.951: RADIUS: Framed-MTU [12] 6 1400
*Mar 4 20:26:18.951: RADIUS: Called-Station-Id [30] 16 "0027.0c68.1dc0"
*Mar 4 20:26:18.951: RADIUS: Calling-Station-Id [31] 16 "0022.faf1.9258"
*Mar 4 20:26:18.951: RADIUS: Service-Type [6] 6 Login [1]
*Mar 4 20:26:18.951: RADIUS: Message-Authenticato[80] 18
*Mar 4 20:26:18.951: RADIUS: 06 FC 55 89 6D 45 AA E5 8A 73 73 2C 82 87 28 BA [??U?mE???ss,??(?]
*Mar 4 20:26:18.952: RADIUS: EAP-Message [79] 23
*Mar 4 20:26:18.952: RADIUS: 02 02 00 15 01 41 44 41 53 49 5C 66 61 64 69 2E [?????domain\user]
*Mar 4 20:26:18.952: RADIUS: 61 64 6D 69 6E [name]
*Mar 4 20:26:18.952: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
*Mar 4 20:26:18.952: RADIUS: NAS-Port [5] 6 264
*Mar 4 20:26:18.952: RADIUS: NAS-Port-Id [87] 5 "264"
*Mar 4 20:26:18.952: RADIUS: NAS-IP-Address [4] 6 X.Y.64.229
*Mar 4 20:26:18.953: RADIUS: Nas-Identifier [32] 4 "AP"
*Mar 4 20:26:18.980: RADIUS: Received from id 1645/11 X.Y.64.30:1812, Access-Challenge, len 90
*Mar 4 20:26:18.980: RADIUS: authenticator 54 84 DD 91 72 03 E9 08 - EA 61 C0 B3 B5 D6 9A 42
*Mar 4 20:26:18.981: RADIUS: Session-Timeout [27] 6 30
*Mar 4 20:26:18.981: RADIUS: EAP-Message [79] 8
*Mar 4 20:26:18.981: RADIUS: 01 03 00 06 0D 20 [????? ]
*Mar 4 20:26:18.981: RADIUS: State [24] 38
*Mar 4 20:26:18.981: RADIUS: 15 D3 02 D9 00 00 01 37 00 01 02 00 0A 0A 40 1E [???????7??????@?]
*Mar 4 20:26:18.982: RADIUS: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 [????????????????]
*Mar 4 20:26:18.982: RADIUS: 55 9E B9 77 [U??w]
*Mar 4 20:26:18.982: RADIUS: Message-Authenticato[80] 18
*Mar 4 20:26:18.982: RADIUS: 1A EC 06 E6 E0 46 C4 06 15 87 E9 26 30 49 63 47 [?????F?????&0IcG]
*Mar 4 20:26:18.983: RADIUS(0000000A): Received from id 1645/11
*Mar 4 20:26:18.983: RADIUS/DECODE: EAP-Message fragments, 6, total 6 bytes
*Mar 4 20:26:18.986: RADIUS/ENCODE(0000000A):Orig. component type = DOT11
*Mar 4 20:26:18.986: RADIUS: AAA Unsupported Attr: ssid [265] 9
*Mar 4 20:26:18.986: RADIUS: 63 6F 72 70 6F 72 61 [corpora]
*Mar 4 20:26:18.987: RADIUS: AAA Unsupported Attr: interface [157] 3
*Mar 4 20:26:18.987: RADIUS: 32 [2]
*Mar 4 20:26:18.987: RADIUS(0000000A): Config NAS IP: X.Y..64.229
*Mar 4 20:26:18.987: RADIUS/ENCODE(0000000A): acct_session_id: 9
*Mar 4 20:26:18.987: RADIUS(0000000A): Config NAS IP: X.Y..64.229
*Mar 4 20:26:18.987: RADIUS(0000000A): sending
*Mar 4 20:26:18.988: RADIUS(0000000A): Send Access-Request to 10.10.64.30:1812 id 1645/12, len 173
*Mar 4 20:26:18.988: RADIUS: authenticator 37 26 0B EC 12 5D 6A E5 - 22 1A 27 4A B0 5B E2 AA
*Mar 4 20:26:18.988: RADIUS: User-Name [1] 18 "domain\username"
*Mar 4 20:26:18.988: RADIUS: Framed-MTU [12] 6 1400
*Mar 4 20:26:18.988: RADIUS: Called-Station-Id [30] 16 "0027.0c68.1dc0"
*Mar 4 20:26:18.988: RADIUS: Calling-Station-Id [31] 16 "0022.faf1.9258"
*Mar 4 20:26:18.988: RADIUS: Service-Type [6] 6 Login [1]
*Mar 4 20:26:18.988: RADIUS: Message-Authenticato[80] 18
*Mar 4 20:26:18.989: RADIUS: 3D 11 05 D8 6E DF 92 2B 51 EC BA BA FB C4 10 5F [=???n??+Q??????_]
*Mar 4 20:26:18.989: RADIUS: EAP-Message [79] 8
*Mar 4 20:26:18.989: RADIUS: 02 03 00 06 03 19 [??????]
*Mar 4 20:26:18.989: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
*Mar 4 20:26:18.989: RADIUS: NAS-Port [5] 6 264
*Mar 4 20:26:18.989: RADIUS: NAS-Port-Id [87] 5 "264"
*Mar 4 20:26:18.989: RADIUS: State [24] 38
*Mar 4 20:26:18.990: RADIUS: 15 D3 02 D9 00 00 01 37 00 01 02 00 0A 0A 40 1E [???????7??????@?]
*Mar 4 20:26:18.990: RADIUS: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 [????????????????]
*Mar 4 20:26:18.990: RADIUS: 55 9E B9 77 [U??w]
*Mar 4 20:26:18.990: RADIUS: NAS-IP-Address [4] 6 X.Y.64.229
*Mar 4 20:26:18.990: RADIUS: Nas-Identifier [32] 4 "AP"
*Mar 4 20:26:18.992: RADIUS: Received from id 1645/12 10.10.64.30:1812, Access-Reject, len 44
*Mar 4 20:26:18.992: RADIUS: authenticator 76 30 DF F4 7A 36 AC E7 - 20 AA 83 C1 05 8B 62 EC
*Mar 4 20:26:18.992: RADIUS: EAP-Message [79] 6
*Mar 4 20:26:18.993: RADIUS: 04 03 00 04 [????]
*Mar 4 20:26:18.993: RADIUS: Message-Authenticato[80] 18
*Mar 4 20:26:18.993: RADIUS: FD 21 74 AF A8 7F A1 A5 9E CE 3A 35 45 DA EA C9 [?!t???????:5E???]
*Mar 4 20:26:18.993: RADIUS(0000000A): Received from id 1645/12
*Mar 4 20:26:18.994: RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
*Mar 4 20:26:18.994: %DOT11-7-AUTH_FAILED: Station 0022.faf1.9258 Authentication failed
Obviously the machines that send the machine name (host\machinename) will be authenticated successfully,
and the machines that send the username (domain\username) will not be authenticated successfully.
Now,
I tested those unsuccessful machines on a wired dot1x switch using the same NPS policy, and they were sending their machine names instead of usernames and they were authenticated successfully.
I suspected that this is maybe because of the AP config.
Here it is:
Current configuration : 2662 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname AP
enable secret 5 $1$gtul$Uhe4qVAC8GN0drownggAb0
aaa new-model
aaa group server radius rad_eap
server X.Y.64.30 auth-port 1812 acct-port 1813
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
ip domain name domain
dot11 ssid corporate
vlan 64
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa version 2
mbssid guest-mode
dot11 network-map
power inline negotiation prestandard source
username Cisco password 7 13261E010803
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption mode ciphers aes-ccm
encryption vlan 64 mode ciphers aes-ccm
ssid corporate
mbssid
station-role root
interface Dot11Radio0.64
encapsulation dot1Q 64 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
no dfs band block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
interface FastEthernet0.64
encapsulation dot1Q 64 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface BVI1
ip address X.Y.64.229 255.255.255.0
no ip route-cache
ip default-gateway X.Y.64.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
snmp-server community cable RO
snmp-server enable traps tty
radius-server attribute 32 include-in-access-req format %h
radius-server host X.Y.64.30 auth-port 1812 acct-port 1813 key 7 104F0D18161E2D1E0D071538212B213036
radius-server vsa send accounting
bridge 1 route ip
line con 0
line vty 5 15
end
Hi,
You will need to be more specific so we can help you.
What exactly is happening/not working?
Please keep in mind that with MAR, the PC needs to do machine authentication prior to user login, as the ACS will only allow users to login from previously authenticated machines.
Is your PC doing machine authentication?
HTH,
Tiag
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
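The debug output in the question carries the whole EAP negotiation inside the `EAP-Message [79]` hex lines, so it can be decoded rather than read by eye. The following is an added example, not code from the thread: it reassembles those bytes per RADIUS packet and decodes the EAP header, the Identity and any Nak; the sample log, the address 192.0.2.30 and the name `EXAMPLE\jdoe` are constructed, and `decode_eap` / `parse_debug` are hypothetical helper names.

```python
import re

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 25: "PEAP"}  # RFC 3748 / IANA
HDR = re.compile(r"RADIUS.*?(?:Send|Received)\b.*?(Access-[A-Za-z]+)")
ATTR = re.compile(r"RADIUS:\s+[A-Za-z-]+\s*\[(\d+)\]")
HEX = re.compile(r"RADIUS:\s+((?:[0-9A-F]{2}\s+)+)\[")

# Constructed sample (addresses, names and bytes are made up for this example).
SAMPLE = r"""
*Mar 4 20:26:18.950: RADIUS(0000000A): Send Access-Request to 192.0.2.30:1812 id 1645/11, len 150
*Mar 4 20:26:18.951: RADIUS: Message-Authenticato[80] 18
*Mar 4 20:26:18.951: RADIUS: 00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF [????????????????]
*Mar 4 20:26:18.952: RADIUS: EAP-Message [79] 19
*Mar 4 20:26:18.952: RADIUS: 02 02 00 11 01 45 58 41 4D 50 4C 45 5C 6A 64 6F [?????EXAMPLE\jdo]
*Mar 4 20:26:18.952: RADIUS: 65 [e]
*Mar 4 20:26:18.980: RADIUS: Received from id 1645/11 192.0.2.30:1812, Access-Challenge, len 90
*Mar 4 20:26:18.981: RADIUS: EAP-Message [79] 8
*Mar 4 20:26:18.981: RADIUS: 01 03 00 06 0D 20 [????? ]
*Mar 4 20:26:18.988: RADIUS(0000000A): Send Access-Request to 192.0.2.30:1812 id 1645/12, len 173
*Mar 4 20:26:18.989: RADIUS: EAP-Message [79] 8
*Mar 4 20:26:18.989: RADIUS: 02 03 00 06 03 19 [??????]
*Mar 4 20:26:18.992: RADIUS: Received from id 1645/12 192.0.2.30:1812, Access-Reject, len 44
*Mar 4 20:26:18.992: RADIUS: EAP-Message [79] 6
*Mar 4 20:26:18.993: RADIUS: 04 03 00 04 [????]
"""

def decode_eap(raw):
    """Decode the RFC 3748 header (code, id, length) plus Identity and Nak payloads."""
    if len(raw) < 4:
        return {}
    length = int.from_bytes(raw[2:4], "big")
    msg = {"code": EAP_CODES.get(raw[0], raw[0])}
    if raw[0] in (1, 2) and 5 <= length <= len(raw):
        msg["type"] = EAP_TYPES.get(raw[4], raw[4])
        if raw[4] == 1:  # Identity: machine accounts present themselves as host/<fqdn>
            msg["identity"] = bytes(raw[5:length]).decode("ascii", "replace")
            msg["kind"] = "machine" if msg["identity"].startswith("host/") else "user"
        elif raw[4] == 3:  # Nak: the peer refuses the offered method and lists its own
            msg["wants"] = [EAP_TYPES.get(b, b) for b in raw[5:length]]
    return msg

def parse_debug(text):
    """Return (RADIUS code, decoded EAP) per packet; only attribute 79 hex is reassembled."""
    packets, attr = [], None
    for line in text.splitlines():
        if m := HDR.search(line):
            packets.append([m.group(1), bytearray()])
        elif m := HEX.search(line):
            if attr == 79 and packets:
                packets[-1][1] += bytes.fromhex(m.group(1))
        else:  # any other line sets or clears the attribute the next hex run belongs to
            attr = int(m.group(1)) if (m := ATTR.search(line)) else None
    return [(code, decode_eap(raw)) for code, raw in packets]
```

Read this way, the payloads `01 03 00 06 0D 20` and `02 03 00 06 03 19` that also appear in the failing trace above are an EAP-TLS (type 13) request from the server and a Nak from the client proposing PEAP (type 25).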