Cisco RV320 SSL Timeout
Hi,
I am trying to connect my laptop to the RV320 by SSL VPN connection.
Every 8-15 minutes I get "session expired", even when I am working. I tried to increase the "Login Time" field to 9999, but without success.
The problem also occurs on other computers.
Any ideas?
Thanks.
Thus you are modifying the correct value. According to the related Cisco KB article, the "Session Idle Time" value means "enter the time, in minutes, before the existing session terminates after the connection becomes idle".
> i get session expired, even when I am working
Isn't your public IP address changed during your work? A changed client IP address (from the VPN router's point of view) is considered a good reason for breaking the VPN connection.
Have you tried using a different browser and trying to reproduce it, with the same results?
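To make the two timers in the answer concrete, here is an added example (not from the thread, and not RV320 code) that models a session table with a "Login Time" that caps the absolute lifetime of a session and a "Session Idle Time" measured from the last request, plus the source-address check the answer mentions. The field names and their meanings are from the thread; the one-session-per-user table, the order of the checks, and the client addresses are assumptions of the model.

```python
"""Model of the two RV320 SSL VPN timers discussed above (added example; assumptions noted inline)."""
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    client_ip: str
    login_at: int      # seconds
    last_active: int   # seconds


class SessionTable:
    """One session per user (assumption); a session ends on whichever check fails first."""

    def __init__(self, login_time_min, idle_time_min):
        self.login_time = login_time_min * 60   # "Login Time": absolute lifetime since login
        self.idle_time = idle_time_min * 60     # "Session Idle Time": measured from last activity
        self.sessions = {}                      # user -> Session

    def login(self, user, client_ip, now):
        self.sessions[user] = Session(user, client_ip, now, now)

    def request(self, user, client_ip, now):
        """Return None if the request is accepted, else the reason the session ended."""
        s = self.sessions.get(user)
        if s is None:
            return "no session"
        if now - s.login_at > self.login_time:
            reason = "login time exceeded"
        elif now - s.last_active > self.idle_time:
            reason = "session idle time exceeded"
        elif client_ip != s.client_ip:
            # The answer's point: a changed client address (as the router sees it) ends the session.
            reason = "client address changed"
        else:
            s.last_active = now                 # activity resets the idle timer only
            return None
        del self.sessions[user]
        return reason


def run_scenario(login_time_min, idle_time_min, gaps, ips=None):
    """Log in at t=0, then send one request after each gap (seconds).
    Returns the outcome of every request (None = accepted)."""
    table = SessionTable(login_time_min, idle_time_min)
    ips = ips or ["203.0.113.10"] * len(gaps)   # constructed client addresses
    table.login("alice", "203.0.113.10", 0)
    t, results = 0, []
    for gap, ip in zip(gaps, ips):
        t += gap
        results.append(table.request("alice", ip, t))
    return results


if __name__ == "__main__":
    # Raising Login Time to 9999 does nothing against a 10-minute idle timer...
    print(run_scenario(9999, 10, [60] * 5 + [12 * 60]))
    # ...while a request every minute never trips it; only the absolute Login Time (30 min) ends the session.
    print(run_scenario(30, 10, [60] * 40))
    # A changed source address ends the session even though the user is active.
    print(run_scenario(9999, 10, [60, 60], ips=["203.0.113.10", "198.51.100.4"]))
```

Run as-is, the first scenario is accepted five times and then expires on idle time, the second runs until the thirtieth minute and then reports "login time exceeded", and the third ends with "client address changed" on the second request. A session that expires every 8-15 minutes while requests are flowing is therefore not explained by the idle timer in this model, which is why the answer asks about the client address.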
Similar Messages
-
EasyVPN on RV320 + SSL-VPN + Mac IPSec
I just bought a Cisco RV320 and am trying to get it configured to provide VPN connectivity.
Starting with the EasyVPN, I have set up a full tunnel using the defaults, and it shows it was created for the IP address 192.168.168.0/24, which makes sense to me as that is the local LAN the device is connected to.
When I go to the "Summary" page, it shows the Virtual IP Range as 172.16.100.100-100.129.
I've installed the EasyVPN client on my target (Windows) machine; I get a connection and am tunnelled through the VPN, and I can get out to the internet, but I have no access to the 192.168.168.0/24 network, which is the local LAN I want to connect to.
It would appear that I am missing a route from the virtual 172.16.100.0 network to the local LAN. Any suggestions on how to resolve this?
As a backup, I tried setting up the SSL-VPN, and while I authenticate and connect, every time I try to launch the VirtualPassage get an error that the "Port is in use", and the adapter fails to install.
I also have a Mac that I want to use with this device. The CD came with a client - vpnclient-darwin-4.9.01.0280-universal-k9.dmg - which installs, but gives an error saying it cannot talk to the VPN subsystem.
Is an EasyVPN an actual IPSec VPN, and will the native Mac Cisco IPSec VPN work as a client?
My priorities are:
1. Get the EasyVPN working in full tunnel mode on my Win-7 x32, and be able to connect to the target 192.168.168.0 network.
2. Get the VPN going on my Macbook (running Mavericks)
3. Get the SSL VPN working.
If anyone can help me with this it would be greatly appreciated.
One last question - the RV320 also allows the creation of a "Group VPN". What is the difference between it and the EasyVPN? It looks pretty similar except for the "Remote Client Domain Name" which can't be left empty. The remote client will be multiple laptops: what would one put for a Domain Name?
The EasyVPN is just that, but if I want a real IPSec VPN with a "shared secret", and be compatible with the Mac, what is the best way to configure the RV320?
As an aside, I know the Mac Cisco IPSec client works as I use it to connect to my work VPN which is an enterprise level ASA device.
Thanks for any help you can give.
The short answer is: get rid of the RV320 and get a different router.
The RV320 VPN is buggy, and Cisco apparently couldn't care less, since the last firmware was released over 7 months ago.
I haven't been able to get mine to work consistently and found out that I'm not alone after searching the web for an answer.
You could give PPTP a try if you are not too concerned about security.
Good luck. -
Hello Friends,
I need your help on Cisco ACE SSL termination.
If I import the certificate and key (.PEM), where will these files be saved?
Can we download the .PEM file any time we need it (for backup)?
Suppose my .PEM got hacked and the hacker is sniffing the data packets going through to the web server; would it be possible to decrypt the packets and see the exact packet?
Regards,
Naren
Naren,
1. In order to import certs and keys, please see the following link to the command reference. To summarize, any time you import/export/delete keys/certs, you are doing so via commands in exec mode. Regarding how and where the ACE actually saves this information, I do not know this answer.
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/command/reference/execmds.html#wp1616651
2. You can import a key as non-exportable if you do not want it to be able to be exported. If you import it as exportable, you can always export it later for backups or what not.
3. You can decrypt captured HTTPS traffic if you have the private key. It is important to limit access to it. Please see this link for more info on using Wireshark to view decrypted HTTPS traffic: http://wiki.wireshark.org/SSL
Hope this helps!
Regards,
Matt -
Cisco RV320 with USB Dongle Quanta Computer - TELSEC TS-1K6 (TIM - Brazil)
Sorry for my bad English. I'm from Brazil.
Please, add support in the CISCO RV320 to USB Dongle Quanta Computer - TELSEC TS-1K6 (TIM - Brazil).
This dongle is very popular in Brazil.
Thanks
idVendor 0x0408 Quanta Computer, Inc.
idProduct 0xea49
bcdDevice 0.00
iManufacturer 1 QUANTA
iProduct 2 Mobile Broadband -
Cisco RV320 DUAL WAN router USB setup with Telstra 4G MF823
I am trying to set up a Cisco RV320 dual WAN router to work with my prepaid Telstra 4G MF823 device. Could you please assist? My settings are as follows:
Interface: USB2
Connection Type: 3G/4G
PIN Code:
Confirm PIN Code:
USB Connection Status: 3G/4G modem is not available.
Access Point Name: telstra.internet
Dial Number:
Username:
Password:
Enable DNS
DNS Server (Required): 8.8.8.8
DNS Server (Optional): 8.8.4.4
MTU: AutoManualB
Hi oz000,
Unfortunately we don't have anyone here to assist with this particular issue. Our team here provides assistance for the device standalone, we ensure that the 4G device connects to the network and functions correctly on its own.
-Matt W
-
How can I configure a Cisco RV320 to make use of 5 IPs assigned from my ISP? I want to be able to use Network Port Address Translation to host services and translate these to my private IP address space. For example, public IP address to private IP address on port 443.
Hello,
I am very sorry that you are having problems with your device.
If I understand you correctly, you mention that you are using the router to provide IP addresses in a park. I imagine there are many people with devices connecting to your signal, and it is possible that they are using many IP addresses.
Have you checked the DHCP table to see how many addresses are in use? It is possible that the router has reached the maximum number of addresses it can provide, and when you restart it, the DHCP table is emptied and the process starts again.
Perhaps you can change the time for which each IP address is assigned. The default is 440 minutes (24 hours); maybe you can change it to 60 minutes, so that if someone is no longer using the address it becomes available to be reused.
To change the lease time, go to DHCP, DHCP Setup and then change the DHCP lease time to 60.
Please let us know if this helps. -
Hi all,
I have purchased the product in the subject as I needed 2 WANs for load balancing of 2 ADSL lines (at the moment only one is active); before this I used a NETGEAR with DD-WRT firmware.
Having gone through the wizard router set-up, I noticed random timeout issues popping up where even the router admin web page doesn't load (set on 192.168.2.1 without the various VPNs, as they wouldn't have allowed the set-up of such an IP). With the NetGear I never experienced such problems.
Do you have an idea of what it might be? Because it's practically useless in its current state.
This is a ping:
MacBook-Air-di-Luca:~ lucavasini$ ping www.google.com
PING www.google.com (149.3.176.22): 56 data bytes
64 bytes from 149.3.176.22: icmp_seq=0 ttl=56 time=44.115 ms
64 bytes from 149.3.176.22: icmp_seq=1 ttl=56 time=74.773 ms
64 bytes from 149.3.176.22: icmp_seq=2 ttl=56 time=58.397 ms
64 bytes from 149.3.176.22: icmp_seq=3 ttl=56 time=103.889 ms
64 bytes from 149.3.176.22: icmp_seq=4 ttl=56 time=216.906 ms
64 bytes from 149.3.176.22: icmp_seq=5 ttl=56 time=56.474 ms
64 bytes from 149.3.176.22: icmp_seq=6 ttl=56 time=207.755 ms
64 bytes from 149.3.176.22: icmp_seq=7 ttl=56 time=64.326 ms
64 bytes from 149.3.176.22: icmp_seq=8 ttl=56 time=52.341 ms
64 bytes from 149.3.176.22: icmp_seq=9 ttl=56 time=175.903 ms
64 bytes from 149.3.176.22: icmp_seq=10 ttl=56 time=227.868 ms
64 bytes from 149.3.176.22: icmp_seq=11 ttl=56 time=136.094 ms
64 bytes from 149.3.176.22: icmp_seq=12 ttl=56 time=75.252 ms
64 bytes from 149.3.176.22: icmp_seq=13 ttl=56 time=182.221 ms
64 bytes from 149.3.176.22: icmp_seq=14 ttl=56 time=448.326 ms
Request timeout for icmp_seq 15
64 bytes from 149.3.176.22: icmp_seq=16 ttl=56 time=48.658 ms
64 bytes from 149.3.176.22: icmp_seq=17 ttl=56 time=38.991 ms
^C
--- www.google.com ping statistics ---
18 packets transmitted, 17 packets received, 5.6% packet loss
round-trip min/avg/max/stddev = 38.991/130.135/448.326/102.688 ms
This is a traceroute to my website; is there a traceroute problem at hop 3?
MacBook-Air-di-Luca:~ lucavasini$ traceroute www.lucavasini.it
traceroute to www.lucavasini.it (188.226.190.148), 64 hops max, 52 byte packets
1 192.168.1.1 (192.168.1.1) 1.925 ms 1.519 ms 1.399 ms
2 192.168.2.1 (192.168.2.1) 3.282 ms 2.212 ms 2.051 ms
3 * * *
4 host153-230-static.44-88-b.business.telecomitalia.it (88.44.230.153) 26.062 ms 28.702 ms 24.144 ms
5 80.17.209.141 (80.17.209.141) 25.597 ms 26.954 ms 24.408 ms
6 172.19.242.58 (172.19.242.58) 37.581 ms 39.646 ms 41.300 ms
7 pos2-8-0-0.milano50.mil.seabone.net (93.186.128.126) 39.033 ms 37.901 ms 42.055 ms
8 xe-2-3-0.milano51.mil.seabone.net (195.22.192.103) 35.717 ms 36.261 ms *
9 ntt-verio.milano51.mil.seabone.net (93.186.128.157) 77.357 ms 58.782 ms *
10 ae-20.r03.amstnl02.nl.bb.gin.ntt.net (129.250.4.169) 67.833 ms 68.055 ms 68.245 ms
11 83.231.213.2 (83.231.213.2) 62.632 ms 62.776 ms 63.491 ms
12 95.85.0.238 (95.85.0.238) 69.742 ms 62.714 ms 62.955 ms
13 srv1.lucavasini.it (188.226.190.148) 74.270 ms 73.730 ms 73.891 ms
MacBook-Air-di-Luca:~ lucavasini$
ping to my website
MacBook-Air-di-Luca:~ lucavasini$ ping www.lucavasini.it
PING www.lucavasini.it (188.226.190.148): 56 data bytes
64 bytes from 188.226.190.148: icmp_seq=0 ttl=51 time=79.104 ms
64 bytes from 188.226.190.148: icmp_seq=1 ttl=51 time=86.076 ms
64 bytes from 188.226.190.148: icmp_seq=2 ttl=51 time=153.377 ms
64 bytes from 188.226.190.148: icmp_seq=3 ttl=51 time=87.232 ms
64 bytes from 188.226.190.148: icmp_seq=4 ttl=51 time=76.080 ms
64 bytes from 188.226.190.148: icmp_seq=5 ttl=51 time=67.852 ms
64 bytes from 188.226.190.148: icmp_seq=6 ttl=51 time=73.136 ms
Request timeout for icmp_seq 7
64 bytes from 188.226.190.148: icmp_seq=7 ttl=51 time=1006.756 ms
64 bytes from 188.226.190.148: icmp_seq=8 ttl=51 time=69.359 ms
64 bytes from 188.226.190.148: icmp_seq=9 ttl=51 time=86.434 ms
64 bytes from 188.226.190.148: icmp_seq=10 ttl=51 time=90.863 ms
64 bytes from 188.226.190.148: icmp_seq=11 ttl=51 time=97.732 ms
64 bytes from 188.226.190.148: icmp_seq=12 ttl=51 time=82.909 ms
64 bytes from 188.226.190.148: icmp_seq=13 ttl=51 time=101.086 ms
Request timeout for icmp_seq 15
64 bytes from 188.226.190.148: icmp_seq=16 ttl=51 time=78.514 ms
64 bytes from 188.226.190.148: icmp_seq=17 ttl=51 time=67.852 ms
64 bytes from 188.226.190.148: icmp_seq=18 ttl=51 time=88.371 ms
64 bytes from 188.226.190.148: icmp_seq=19 ttl=51 time=103.850 ms
64 bytes from 188.226.190.148: icmp_seq=20 ttl=51 time=97.550 ms
64 bytes from 188.226.190.148: icmp_seq=21 ttl=51 time=66.642 ms
^C
--- www.lucavasini.it ping statistics ---
22 packets transmitted, 20 packets received, 9.1% packet loss
round-trip min/avg/max/stddev = 66.642/133.039/1006.756/201.322 ms
[EDIT] now the line isn't working
MacBook-Air-di-Luca:~ lucavasini$ ping www.google.com
PING www.google.com (149.3.177.54): 56 data bytes
64 bytes from 149.3.177.54: icmp_seq=0 ttl=56 time=36.093 ms
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
Request timeout for icmp_seq 4
Request timeout for icmp_seq 5
Request timeout for icmp_seq 6
Request timeout for icmp_seq 7
Request timeout for icmp_seq 8
Request timeout for icmp_seq 9
Request timeout for icmp_seq 10
Request timeout for icmp_seq 11
^XRequest timeout for icmp_seq 12
^C
--- www.google.com ping statistics ---
14 packets transmitted, 1 packets received, 92.9% packet loss
round-trip min/avg/max/stddev = 36.093/36.093/36.093/0.000 ms
LOG ROUTER:
2023-09-13, 19:21:32  Kernel  kernel: i2c i2c-0: Failed to register i2c client rs5c372b at 0x32 (-16)
2023-09-13, 19:21:32  Kernel  kernel: i2c i2c-0: Can't create device at 0x32
2023-09-13, 19:21:32  Kernel  kernel: gre: can't add protocol
2014-06-05, 01:57:56  Kernel  kernel: i2c i2c-0: Failed to register i2c client rs5c372b at 0x32 (-16)
2014-06-05, 01:57:56  Kernel  kernel: i2c i2c-0: Can't create device at 0x32
2014-06-05, 01:57:56  Kernel  kernel: gre: can't add protocol
2014-06-05, 13:26:09  Kernel  kernel: i2c i2c-0: Failed to register i2c client rs5c372b at 0x32 (-16)
2014-06-05, 13:26:09  Kernel  kernel: i2c i2c-0: Can't create device at 0x32
2014-06-05, 13:26:09  Kernel  kernel: gre: can't add protocol
2014-06-05, 15:36:26  Kernel  kernel: i2c i2c-0: Failed to register i2c client rs5c372b at 0x32 (-16)
2014-06-05, 15:36:26  Kernel  kernel: i2c i2c-0: Can't create device at 0x32
2014-06-05, 15:36:26  Kernel  kernel: gre: can't add protocol
2014-06-08, 09:54:15  Kernel  kernel: i2c i2c-0: Failed to register i2c client rs5c372b at 0x32 (-16)
2014-06-08, 09:54:15  Kernel  kernel: i2c i2c-0: Can't create device at 0x32
2014-06-08, 09:54:15  Kernel  kernel: gre: can't add protocol
2014-06-07, 23:56:35  Kernel  kernel: i2c i2c-0: Failed to register i2c client rs5c372b at 0x32 (-16)
2014-06-07, 23:56:35  Kernel  kernel: i2c i2c-0: Can't create device at 0x32
2014-06-07, 23:56:35  Kernel  kernel: gre: can't add protocol
2014-06-08, 00:18:01  Kernel  kernel: i2c i2c-0: Failed to register i2c client rs5c372b at 0x32 (-16)
2014-06-08, 00:18:01  Kernel  kernel: i2c i2c-0: Can't create device at 0x32
2014-06-08, 00:18:01  Kernel  kernel: gre: can't add protocol
I have attached a few screenshots.
Thank you.
Luca
Luca,
Please call in to the Small Business Support Center so we can look at your set up. We will be happy to make recommendations and provide a resolution. Please have your serial number handy and call us at 866-606-1866 during your normal business hours. -
RV320 SSL VPN ActiveX and Virtual Passage driver on Windows 7 64-bit
Hi,
My company has just purchased a new RV320 router and only afterwards found out from the release notes that there are issues with the SSL VPN in this unit and other small business routers. Is there any news on when these issues will be fixed?
1) The ActiveX controls have an expired certificate dated 24/9/14. This prevents them from running unless IE security settings are changed to prompt for or allow unsigned controls, which is a big security risk.
2) The ActiveX controls do not work on 64-bit Windows. The release notes state Windows 7 IE10 and Windows 8.1 IE11; however, they also fail on Windows 7 IE11. Even adding the router to Trusted Sites to force 32-bit mode results in an error message stating that IE is required for the controls.
3) The Virtual Passage driver will not install; it crashes IE10/IE11 with a BEX violation. From a dig around the web it appears that the Netgear SRX5308 uses the same Cavium chipset and a Virtual Passage driver that works with Windows 7 64-bit and installs fine using IE10/11 (and if you install the Netgear driver it works with the Cisco RV routers too, proving that the driver is fully compatible...). If Netgear can get this working, why can't Cisco?
I've only just started setting up this router, and show-stopper issues like this might end up with an RMA being requested, as it appears to be unsuitable for purpose; I have already run into other issues which I've posted about. :(
EDIT: Got (2) sort of working on IE11 - seems that the Cisco interface is specifically looking for old style IE user agent strings, so using developer tools to set the user agent to IE9, and changing security settings in Trusted Sites to prompt for unsigned controls (due to issue (1)), allows the controls to install and load. These issues are pretty simple to fix, requiring just a string check change and updated signed controls. Fingers crossed these are fixed in the new firmware due soon, awaiting response from Cisco support to my open ticket.
Looks like (3) is prevented from working by (1), and also because the certificate has expired it is treated as software without a valid publisher which cannot be installed in Windows 7 without fiddling in the registry. Releasing an updated version with a certificate that isn't expired should solve that issue too.
These are ridiculously simple fixes to push out; I can't believe a major hardware vendor like Cisco hasn't already solved these issues.
I've had a reply from Cisco support regarding this issue, and it's a bleak outlook. This is a copy from the email I received:
"Engineering has no plans to support SSL VPN on RV32x due to chipset limitations. Pretty much, it will work for old XP and Win7 32-bits."
So Cisco are falsely advertising that the RV320 has SSL VPN capabilities when there are no plans to update it so that it works with 64-bit Windows (which is now the major install base for Windows as most new systems are 64-bit based), and as the certificates have expired in the SSL VPN components they are not even useable on 32-bit systems without overriding a number of security settings.
Dan -
RV320 SSL VPN web service unable to connect port 56000 56001...
I have recently installed a RV320 dual WAN small business router in order to use the SSL VPN functionality to allow secure access to our intranet pages which are hosted on a server inside our network. I have the latest firmware installed on the router.
With the firewall feature of the RV320 disabled - After logging in to the router remotely via the HTTPS interface, I am able to use the web-based services such as SSH and NetworkPls. However, when using the HTTP and HTTPS services I receive a web browser unable to connect error on port 56000, 1, 2, 3 ... This is regardless of whether I enter a URL or IP address on the network behind the router or on the internet.
Enabling the firewall feature of the RV320 gives a different result - when any IP or URL is entered into the box in the second image below, the router log-in page is loaded instead of the required site. I have pasted an extract from the log at the bottom of this post although it doesn't seem to contain any relevant information. As a separate issue, you will also notice that users connecting to the router brings up [HACK] SynFlooding Attack in error.
Can anyone explain why this is happening? Alternatively, does anyone have a guide for setting up an IPSec VPN with this router? There seems to be very little literature available for this model.
Thanks in advance for your help.
Log extract
2013-11-02, 11:36:19  Connection Accepted  IN=eth1 OUT=eth0 SRC=178.239.83.183 DST=192.168.10.100 DMAC=e0:2f:6d:75:35:7d SMAC=d4:ca:6d:98:3e:55 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=57573 DF PROTO=TCP SPT=54925 DPT=993 WINDOW=5840 RES=0x00 SYN URGP=0
2013-11-02, 11:36:19  [HACK] SynFlooding Attack  IN=eth1 OUT=eth0 SRC=178.239.83.183 DST=192.168.10.100 DMAC=e0:2f:6d:75:35:7d SMAC=d4:ca:6d:98:3e:55 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=57573 DF PROTO=TCP SPT=54925 DPT=993 WINDOW=5840 RES=0x00 SYN URGP=0
2013-11-02, 11:31:53  Connection Accepted  IN=eth1 OUT=eth0 SRC=178.239.83.156 DST=192.168.10.100 DMAC=e0:2f:6d:75:35:7d SMAC=d4:ca:6d:98:3e:55 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=50721 DF PROTO=TCP SPT=55634 DPT=993 WINDOW=5840 RES=0x00 SYN URGP=0
2013-11-02, 11:31:53  [HACK] SynFlooding Attack  IN=eth1 OUT=eth0 SRC=178.239.83.156 DST=192.168.10.100 DMAC=e0:2f:6d:75:35:7d SMAC=d4:ca:6d:98:3e:55 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=50721 DF PROTO=TCP SPT=55634 DPT=993 WINDOW=5840 RES=0x00 SYN URGP=0
2013-11-02, 11:31:38  User Log  User cisco login success from 221.142.25.181
2013-11-02, 11:31:38  User Log  User cisco login success from 221.142.25.181
2013-11-02, 11:29:49  Kernel  kernel: upnp idx=83, ip=192.168.10.220, eport=59725, iport=59725
2013-11-02, 11:29:49  Kernel  kernel: wrong ip[0],not_list[0]
2013-11-02, 11:29:43  Connection Accepted  IN=eth1 OUT=eth0 SRC=176.251.102.32 DST=192.168.10.100 DMAC=e0:2f:6d:75:35:7d SMAC=d4:ca:6d:98:3e:55 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=44670 DF PROTO=TCP SPT=49423 DPT=143 WINDOW=65535 RES=0x00 SYN URGP=0
2013-11-02, 11:29:43  [HACK] SynFlooding Attack  IN=eth1 OUT=eth0 SRC=176.251.102.32 DST=192.168.10.100 DMAC=e0:2f:6d:75:35:7d SMAC=d4:ca:6d:98:3e:55 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=44670 DF PROTO=TCP SPT=49423 DPT=143 WINDOW=65535 RES=0x00 SYN URGP=0
2013-11-02, 11:29:12  Kernel  kernel: upnp idx=83, ip=192.168.10.220, eport=59725, iport=59725
2013-11-02, 11:29:12  Kernel  kernel: wrong ip[0],not_list[0]
2013-11-02, 11:29:12  SSL Log  User ben login success from 221.142.25.181
-
After lots of trial and error, I was able to eliminate this problem. What I wound up doing is defining the XE service again in the listener.ora file:
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = XE)
      (ORACLE_HOME = C:\ProgramData\oraclexe\app\oracle\product\11.2.0\server)
    )
  )
I know that typically you should not have to do this, especially since I already had defined DEFAULT_SERIVCE_LISTENER = (XE) at the bottom of the listener.ora file. Explicitly defining the XE service in the listener.ora file allows the listener to find it while the system is running under the Cisco AnyConnect VPN. The only hiccup I found by doing this is that the XE service is discovered twice by the listener when the system is NOT running under the Cisco AnyConnect VPN. It still works OK. The listener just seems to ignore the repeated definition of the XE service (see output below):
C:\ProgramData\oraclexe\app\oracle\product\11.2.0\server\bin>lsnrctl service
LSNRCTL for 32-bit Windows: Version 11.2.0.2.0 - Production on 13-JUN-2013 10:03:15
.......(omitted output).......
Service "XE" has 2 instance(s).
Instance "XE", status UNKNOWN, has 1 handler(s) for this service...
Handler(s):
"DEDICATED" established:0 refused:0
LOCAL SERVER
Instance "xe", status READY, has 1 handler(s) for this service...
Handler(s):
"DEDICATED" established:0 refused:0 state:ready
LOCAL SERVER
Service "XEXDB" has 1 instance(s).
Instance "xe", status READY, has 1 handler(s) for this service...
Handler(s):
"D000" established:0 refused:0 current:0 max:1022 state:ready
DISPATCHER <machine: DEV-M-137GF, pid: 5544>
(ADDRESS=(PROTOCOL=tcp)(HOST=DEV-M-137GF.paychex.com)(PORT=58257))
The command completed successfully
If anyone has a cleaner solution for this problem, please let me know. Otherwise, I am moving forward with what I did.
Thanks.....Paul -
Hello. I am having a problem with timeouts when using SSL load balancing. The SSL termination point is on the web server. I am hitting the VIP on port 443 and then balancing between 2 servers at the backend. The problem is that the users' sessions are timing out at random intervals. When one of the servers is powered down this issue does not happen. Could this be something to do with the content switch and flow timeouts? I have added the line "sticky-inact-timeout 45" thinking that it might be that, but it has not made a difference.
My config is as follows:
service ugwprd01-ssl-2443
ip address 10.48.7.3
protocol tcp
port 2443
keepalive type ssl
redundant-index 210
active
service ugwprd02-ssl-2443
ip address 10.48.7.6
protocol tcp
port 2443
keepalive type ssl
redundant-index 220
active
owner x
content x
vip address 10.48.1.6
port 443
protocol tcp
application ssl
add service ugwprd01-ssl-2443
add service ugwprd02-ssl-2443
redundant-index 1210
advanced-balance ssl
sticky-inact-timeout 45
active
THANKS!
You may be running into an IE issue whereby the SSL session ID is changed every 2 minutes. This becomes a problem when using advanced-balance ssl and application ssl, as this is L5 stickiness based on the session ID. After 2 minutes, this changes. With only one server you will not see this occur, as you are on the same server to begin with.
The only solution here is to use some type of SSL termination device that we offer, such as an SCA. You may also want to back off the VIP to layer 4, not use application ssl and advanced-balance ssl, and have the content rule look like this:
content x
vip address 10.48.1.6
port 443
protocol tcp
add service ugwprd01-ssl-2443
add service ugwprd02-ssl-2443
redundant-index 1210
active
See if changing to L4 makes things work better.
Regards
Pete Knoops
Cisco Systems -
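To see the mechanism Pete describes, here is an added example (not CSS code, and not from either poster) that models the sticky table two ways: keyed by SSL session ID, as advanced-balance ssl does, and keyed by client source address, as the L4 rule does. The 2-minute session-ID rotation is the figure from the reply; the 30-second request interval, the round-robin choice for new flows, and the client address 198.51.100.7 are constructed for the simulation, and the service names are taken from the posted config.

```python
"""Why L5 'advanced-balance ssl' stickiness breaks when the browser rotates its SSL session ID
(added example; a model of the behaviour described in the reply, not CSS code)."""


class StickyBalancer:
    """Sticky table keyed by SSL session ID ("ssl", the L5 rule) or by client source address ("l4")."""

    def __init__(self, services, key_mode, inact_timeout):
        self.services = list(services)
        self.key_mode = key_mode            # "ssl" or "l4"
        self.inact_timeout = inact_timeout  # sticky-inact-timeout, in seconds
        self.table = {}                     # sticky key -> (service, last_seen)
        self.next_rr = 0                    # round-robin pointer for flows with no sticky entry

    def pick(self, client_ip, session_id, now):
        key = session_id if self.key_mode == "ssl" else client_ip
        entry = self.table.get(key)
        if entry is not None and now - entry[1] <= self.inact_timeout:
            service = entry[0]                                          # sticky hit
        else:
            service = self.services[self.next_rr % len(self.services)]  # new flow: round-robin
            self.next_rr += 1
        self.table[key] = (service, now)
        return service


def simulate(key_mode, services=("ugwprd01-ssl-2443", "ugwprd02-ssl-2443"),
             renegotiate_every=120, duration=600, step=30, inact_timeout=45):
    """One client sends a request every `step` seconds; its browser starts a fresh SSL session
    (new session ID) every `renegotiate_every` seconds. Returns the service hit by each request."""
    lb = StickyBalancer(services, key_mode, inact_timeout)
    hits = []
    for t in range(0, duration, step):
        session_id = "sid-%d" % (t // renegotiate_every)   # constructed session IDs
        hits.append(lb.pick("198.51.100.7", session_id, t))  # constructed client address
    return hits


def server_switches(hits):
    """How often consecutive requests landed on different servers; each switch is a point where
    any state the previous backend held for this user (its application session) is lost."""
    return sum(1 for a, b in zip(hits, hits[1:]) if a != b)


if __name__ == "__main__":
    print("L5 ssl stickiness, 2 servers:", server_switches(simulate("ssl")))
    print("L5 ssl, sticky-inact-timeout raised to 3600:", server_switches(simulate("ssl", inact_timeout=3600)))
    print("L5 ssl, one server powered down:", server_switches(simulate("ssl", services=("ugwprd01-ssl-2443",))))
    print("L4 source-address stickiness, 2 servers:", server_switches(simulate("l4")))
```

With two backends and session-ID stickiness the client switches server every two minutes, which is the random-looking timeout the question reports. Raising sticky-inact-timeout changes nothing, because the key itself changes, not its age; with one backend there is nowhere else to land, matching the observation that powering a server down makes the problem disappear. The L4 rule keeps the client on one server, at the cost of also pinning every client behind a shared NAT address to the same server.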
Cisco IOS SSL VPN Not Working - Internet Explorer
Hi All,
I seem to be having a strange SSL VPN issue. I have a Cisco 877 router with c870-advsecurityk9-mz.124-24.T4.bin and I cannot get the SSL VPN (Web VPN) working with Internet Explorer (tried both IE8 on XP and IE9 on Windows 7). Whenever I browse to https://x.x.x.x, I get "Internet Explorer Cannot Display The Webpage". It sort of works with Chrome (I can get the webpage and login, but I can't start the thin client, when I click on Start, nothing happens). It only seems to work with Firefox. It seems quite similar to this issue with the ASAs - http://www.infoworld.com/d/applications/cisco-asa-users-cant-use-ssl-vpns-ie-8-901
Below is the config snippet:
username vpntest password XXXXX
aaa authentication login default local
crypto pki trustpoint TP-self-signed-1873082433
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1873082433
revocation-check none
rsakeypair TP-self-signed-1873082433
crypto pki certificate chain TP-self-signed-1873082433
certificate self-signed 01
--- omitted ---
quit
webvpn gateway SSLVPN
hostname Router
ip address X.X.X.X port 443
ssl encryption aes-sha1
ssl trustpoint TP-self-signed-1873082433
inservice
webvpn context SSLVPN
title "Blah Blah"
ssl authenticate verify all
login-message "Enter the magic words..."
port-forward "PortForwardList"
local-port 33389 remote-server "10.0.1.3" remote-port 3389 description "RDP"
policy group SSL-Policy
port-forward "PortForwardList" auto-download
default-group-policy SSL-Policy
gateway SSLVPN
max-users 3
inservice
I've tried:
*Enabling SSL 2.0 in IE
*Adding the site to the Trusted Sites in IE
*Adding it to the list of sites allowed to use Cookies
At a loss to figure this out. Has anyone else come across this before? Considering the Cisco website itself shows an example using IE (http://www.cisco.com/en/US/products/ps6496/products_configuration_example09186a008072aa61.shtml), surely it should work in IE you'd think?
Thanks
Hi,
I would check where exactly it is failing, either in the ssl connection itself or something after that. The best way to do that is run a wireshark capture when you try to access the page using IE. You can compare this with the one with Mozilla too just to confirm the ssl is working fine.
Also can you try with different SSL ciphers as one difference between browsers is the ciphers they use. 3des should be a good option to try. -
Cisco 1841 SSL VPN and Anyconnect Help
I am pretty new to Cisco programming and am trying to get an SSL VPN set up for remote access using a web browser and AnyConnect version 3.1.04509. If I try to connect via a web browser I get an error telling me the security certificate is not secure. If I try to connect via AnyConnect I get an error saying "Untrusted VPN Server Blocked." If I change the AnyConnect settings to allow connections to untrusted servers, I get two errors that say "Certificate does not match the server name" and "Certificate is malformed." Below is the running config in the router at this time. There is another site-to-site VPN tunnel that is up and working properly on this device. Any help would be greatly appreciated. Thanks
Current configuration : 7741 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname buchanan1841
boot-start-marker
boot-end-marker
logging message-counter syslog
no logging buffered
enable secret 5 XXXXXXX
enable password XXXX
aaa new-model
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa session-id common
crypto pki trustpoint buchanan_Certificate
enrollment selfsigned
revocation-check crl
rsakeypair buchanan_rsakey_pairname
crypto pki certificate chain buchanan_Certificate
certificate self-signed 01
30820197 30820141 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
1D311B30 1906092A 864886F7 0D010902 160C6275 6368616E 616E3138 3431301E
170D3133 30373038 32323330 33335A17 0D323030 31303130 30303030 305A301D
311B3019 06092A86 4886F70D 01090216 0C627563 68616E61 6E313834 31305C30
0D06092A 864886F7 0D010101 0500034B 00304802 4100C76B D94BABC2 6D7FB1F1
AF9AA76F E631B841 7CFEA806 1F52420B 9C83D754 D58393B1 EC02FCA8 BFBE82D6
79645A32 4ECEDB43 8AEB1590 9CCC309E 17E70061 86150203 010001A3 6C306A30
0F060355 1D130101 FF040530 030101FF 30170603 551D1104 10300E82 0C627563
68616E61 6E313834 31301F06 03551D23 04183016 8014AF2E 3FCF66AF C8A43F5F
97DFABA9 C74371FD 127A301D 0603551D 0E041604 14AF2E3F CF66AFC8 A43F5F97
DFABA9C7 4371FD12 7A300D06 092A8648 86F70D01 01040500 034100C1 47D2E8B0
4AC15F69 E8CBE141 E8EE96C5 7BF1EE51 102278B8 ED525185 9F112FA6 0D51F7A6
3382DB09 8692EEE7 200471B3 BF12FBD0 223EB549 4A352049 513F4B
quit
dot11 syslog
ip source-route
ip cef
no ipv6 cef
multilink bundle-name authenticated
username buchanan privilege 15 password 0 XXXXX
username cybera password 0 cybera
username skapple privilege 15 secret 5 XXXXXXXXXX
username buckys secret 5 XXXXXXXXXXX
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key p2uprEswaspus address XXXXXX
crypto ipsec security-association lifetime seconds 28800
crypto ipsec transform-set cybera esp-3des esp-md5-hmac
crypto ipsec profile cybera
set transform-set cybera
archive
log config
hidekeys
ip ssh version 1
interface Tunnel0
description Cybera WAN - IPSEC Tunnel
ip address x.x.x.x 255.255.255.252
ip virtual-reassembly
tunnel source x.x.x.x
tunnel destination x.x.x.x
tunnel mode ipsec ipv4
tunnel protection ipsec profile cybera
interface FastEthernet0/0
description LAN Connection
ip address 192.168.1.254 255.255.255.0
ip helper-address 192.168.1.2
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
interface FastEthernet0/1
description WAN Connection
ip address x.x.x.x 255.255.255.224
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
interface ATM0/0/0
no ip address
shutdown
atm restart timer 300
no atm ilmi-keepalive
interface Virtual-Template2
ip unnumbered FastEthernet0/0
ip local pool SDM_POOL_1 192.168.2.1 192.168.2.254
ip local pool LAN_POOL 192.168.1.50 192.168.1.99
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip route 4.71.21.0 255.255.255.224 x.x.x.x
ip route 10.4.0.0 255.255.0.0 x.x.x.x
ip route 10.5.0.0 255.255.0.0 x.x.x.x
ip route x.x.x.x 255.255.240.0 x.x.x.x
ip route x.x.x.x 255.255.255.255 x.x.x.x
ip route x.x.x.x 255.255.255.255 x.x.x.x
ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.1.201 22 x.x.x.x 22 extendable
ip nat inside source static tcp 192.168.1.202 23 x.x.x.x 23 extendable
access-list 1 permit 192.168.1.0 0.0.0.255
control-plane
line con 0
line aux 0
line vty 0 4
password xxxxx
transport input telnet ssh
scheduler allocate 20000 1000
webvpn gateway gateway_1
ip address x.x.x.x port 443
http-redirect port 80
ssl trustpoint buchanan_Certificate
inservice
webvpn install svc flash:/webvpn/anyconnect-win-3.1.04059-k9.pkg sequence 1
webvpn context employees
secondary-color white
title-color #CCCC66
text-color black
ssl authenticate verify all
policy group policy_1
functions svc-enabled
svc address-pool "LAN_POOL"
svc default-domain "buchanan.local"
svc keep-client-installed
svc dns-server primary 192.168.1.2
svc wins-server primary 192.168.1.2
virtual-template 2
default-group-policy policy_1
aaa authentication list ciscocp_vpn_xauth_ml_2
gateway gateway_1
max-users 10
inservice
end
buchanan1841#
Perhaps you have changed the hostname or domain name after the certificate was created?
I'd generate a new one ...
Michael
Please rate all helpful posts -
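A way to check Michael's suggestion, that the gateway certificate no longer names the host clients connect to, as an added example that is not part of the thread: it applies the hostname-matching rule to a certificate in the dict layout Python's ssl.SSLSocket.getpeercert() returns, and can fetch the live certificate from the gateway. The sample certificate, the name vpn.buchanan.local and the cafile parameter are assumptions, not values from the posted config.

```python
import socket
import ssl

# Constructed sample in getpeercert() layout: a certificate issued for the
# gateway's old name. Not a real certificate from the thread.
OLD_CERT = {
    "subject": ((("commonName", "vpn.buchanan.local"),),),
    "subjectAltName": (("DNS", "vpn.buchanan.local"),),
}


def _dns_match(pattern: str, hostname: str) -> bool:
    """Match one dNSName pattern against a hostname. A single '*' is accepted
    only as the whole leftmost label, and only with two or more labels after it."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p, h = pattern.split("."), hostname.split(".")
    if p[0] != "*" or len(p) < 3 or len(p) != len(h):
        return False
    return p[1:] == h[1:]


def cert_matches_hostname(cert: dict, hostname: str) -> bool:
    """Use subjectAltName dNSName entries when present; fall back to the
    subject CN only for certificates that carry no SAN at all."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return any(_dns_match(s, hostname) for s in sans)
    return any(
        k == "commonName" and _dns_match(v, hostname)
        for rdn in cert.get("subject", ())
        for k, v in rdn
    )


def check_gateway(host: str, port: int = 443, cafile=None) -> bool:
    """Fetch the live certificate from a gateway (the webvpn gateway above
    listens on 443) and report whether it names `host`. The chain is still
    verified; only the hostname check is done by cert_matches_hostname.
    For a self-signed gateway certificate pass the exported PEM as cafile."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # getpeercert() stays populated, chain still checked
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return cert_matches_hostname(tls.getpeercert(), host)
```

If the router was renamed after the trustpoint certificate was generated, cert_matches_hostname(OLD_CERT, new_name) returns False, which is the mismatch the reply points at.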
Cisco AnyConnect SSL VPN no split tunnel and no hairpinning internet access
Greetings,
I am looking to configure a Cisco ASA 5515X for Cisco AnyConnect Essentials SSL VPN where ALL SSL-VPN traffic is tunneled, no split tunneling or hairpinning on the outside interface. However users require internet access. I need to route traffic out the "trusted" or "inside" interface to another device that performs content-filtering and inspection which then egresses out to the internet from there. Typically this could be done using a route-map (which ASAs do not support) or with a VRF (again, not an option on the ASA). The default route points to the outside interface toward the internet.
Is there no other method to force all my SSL-VPN traffic out the inside interface toward LAN subnets as needed and have another default route point toward the filtering device?
OR
Am I forced to put the ASA behind the filtering device somehow?
Hi Jim,
You can use tunnel default route for vpn traffic:
ASA(config)# route inside 0.0.0.0 0.0.0.0 <inside hop> tunneled
configure mode commands/options:
<1-255> Distance metric for this route, default is 1
track Install route depending on tracked item
tunneled Enable the default tunnel gateway option, metric is set to 255
This route is applicable for only vpn traffic.
HTH,
Shetty -
I am having a problem logging on using SSL, the server displays the
following message
Thu Dec 21 11:31:11 GMT+00:00 2000:<W> <SSLListenThread> Connection
rejected: 'Login timed out after: '100000' ms on socket:
'Socket[addr=localhost/127.0.0.1,port=3017,localport=7002]''
And the browser window shows the standard "The page cannot be displayed"
message.
The natural assumption is that there is a timeout after 100 seconds of
trying to logon, fair enough, but this seems strange as, although our logon
process is fairly hefty, without SSL there is never any problem logging on
within the default 5 seconds (I know HTTPS is slower than HTTP, but over 20
times slower seems excessive), does anyone have any idea what could be
slowing things down so much? Or of some other problem which could spuriously
give this error message (unlikely I know).
Set-up windows NT, weblogic 5.1 sp5, using the SSL certificates given with
SP7 (I haven't installed SP7 yet, because I heard that it breaks SSL), the
server is held on the same PC as the client (so IE is calling localhost)
the relevant part of my weblogic.properties is
weblogic.login.readTimeoutMillis=5000
weblogic.login.readTimeoutMillisSSL=600000
weblogic.system.SSLListenPort=7002
weblogic.security.ssl.enable=true
weblogic.security.key.server=demokey.pem
weblogic.security.certificate.server=democert.pem
weblogic.security.certificate.authority=ca.pem
I have a similar problem.
Although I am able to hit the page using browser
I'm not able to do so using an applet (I get the same error as you do).
Cheers,
Antoan
"Terry" <[email protected]> wrote:
I am having a problem logging on using SSL, the server displays the
following message
Thu Dec 21 11:31:11 GMT+00:00 2000:<W> <SSLListenThread> Connection
rejected: 'Login timed out after: '100000' ms on socket:
'Socket[addr=localhost/127.0.0.1,port=3017,localport=7002]''
And the browser window shows the standard "The page cannot be displayed"
message.
The natural assumption is that there is a timeout after 100 seconds of
trying to logon, fair enough, but this seems strange as, although our logon
process is fairly hefty, without SSL there is never any problem logging on
within the default 5 seconds (I know HTTPS is slower than HTTP, but over 20
times slower seems excessive), does anyone have any idea what could be
slowing things down so much? Or of some other problem which could spuriously
give this error message (unlikely I know).
Set-up windows NT, weblogic 5.1 sp5, using the SSL certificates given with
SP7 (I haven't installed SP7 yet, because I heard that it breaks SSL), the
server is held on the same PC as the client (so IE is calling localhost)
the relevant part of my weblogic.properties is
weblogic.login.readTimeoutMillis=5000
weblogic.login.readTimeoutMillisSSL=600000
weblogic.system.SSLListenPort=7002
weblogic.security.ssl.enable=true
weblogic.security.key.server=demokey.pem
weblogic.security.certificate.server=democert.pem
weblogic.security.certificate.authority=ca.pem -
SSL timeout with HttpURLConnection
I'm using an HttpURLConnection to connect to a URL (in my case, an https URL). The readtimeout on the HttpURLConnection has not been set, so it's the default of no timeout. The HttpURLConnection is able to connect immediately, but getting a response back can take some time (the URL points to a servlet that does some work that can take a little while). When it's less than 10 minutes, this works fine. When it takes more than 10 minutes, HttpURLConnection.getContentType() throws a SocketException:
java.net.SocketException: Connection reset
at java.net.SocketInputStream.read(SocketInputStream.java:168)
at com.sun.net.ssl.internal.ssl.InputRecord.readFully(InputRecord.java:284)
at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:319)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:720)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:677)
at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:75)
at java.io.BufferedInputStream.fill(BufferedInputStream.java:218)
at java.io.BufferedInputStream.read1(BufferedInputStream.java:256)
at java.io.BufferedInputStream.read(BufferedInputStream.java:313)
at sun.net.www.http.HttpClient.parseHTTPHeader(HttpClient.java:606)
at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:554)
at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:571)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:928)
at sun.net.www.protocol.http.HttpURLConnection.getHeaderField(HttpURLConnection.java:1850)
at java.net.URLConnection.getContentType(URLConnection.java:479)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getContentType(HttpsURLConnectionImpl.java:382)
It appears that there is some sort of underlying SSL-related timeout that, in this case, is set to 10 minutes. Does anyone know what might be causing this and how I can change it programmatically?
Thanks,
vlb514
The server is resetting the connection.