Classless netmask in Cisco RV 120 W
I need to assign the mask 255.255.252.0 in the LAN interface but the web configurator does not allow it.
The web configurator only permit assign the 255.255.255.0 netmask.
My LAN segment is greater than 254 network devices and I cannot understand how a new Cisco device can have this kind of limitation.
I would like to know if the problem could be solved in a new firmware version or via command line tool.
thanks
Hi Victor,
The Small Business routers can only have a LAN netmask of 255.255.255.0. This is by design and is unlikely to change. You can add a second VLAN to provide more addresses (in another subnet), but if you have 254+ connected devices you may want to consider using an Enterprise class router.
Similar Messages
-
Configuration Cisco RV-120 Help
Hi,
i have a small big problem.
I have buy a new Cisco RV-120 for replace a old RV-110.
The network is configurated in this metod:
VLAN 01: Default 10.10.10.x
VLAN 02: Office 192.168.2.x
VLAN 03: Laboratory 192.168.3.x
P1 P2 P3 P4
Vlan1 U U U U
Vlan2 T E E E
Vlan3 E T E E
ADSL (192.168.1.1) -> WAN
I have some problem with configure the Cisco, in first step i can't go on the internet; in the maintenance tool, i try to ping a www.google.it and i didn't have response.
In the second step the Vlan are not working, i tried to move the network cable between a door and the other but i have always the same ip (i try to disable and enable the network interface every time i changed the door).
I can't explain what is the problem, when i configure the RV-110 i don't have these problems.
Can you help meThe RV120 supports dynamic DNS using DYNDNS.org, so if the SG300 firewall can connect by the dynndns.org DNS name you can make this work.
-
The wrong netmask was given for LogicalHostname resource.
We are running Sun Cluster Server 3.0 on Solaris 8. We have experienced the problems when switching between both machines. The /etc/netmasks has been setup properly and we have three resource groups configured on this cluster.
Some logical hostname are working fine except that two logical hostname are always using class A's netmask instead of classless netmask.
Does anyone know how to fix this problem?
JeffRunning ifconfig -a on both services
balrog#ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
inet 127.0.0.1 netmask ff000000
lo0:1: flags=1008849<UP,LOOPBACK,RUNNING,MULTICAST,PRIVATE,IPv4> mtu 8232 index 1 inet 172.16.193.1 netmask ffffffff
bge0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
inet 147.132.179.30 netmask ffffff80 broadcast 147.132.179.127
ether 0:3:ba:c1:d:d9
bge0:2: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
inet 147.132.179.27 netmask ffffff80 broadcast 147.132.179.127
bge1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
inet 147.132.114.150 netmask ffffff80 broadcast 147.132.114.255
ether 0:3:ba:c1:d:d9
bge1:2: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
inet 147.132.114.147 netmask ffffff80 broadcast 147.132.114.255
bge3: flags=1008843<UP,BROADCAST,RUNNING,MULTICAST,PRIVATE,IPv4> mtu 1500 index 4 inet 172.16.0.129 netmask ffffff80 broadcast 172.16.0.255
ether 0:3:ba:c1:d:d9
bge3:2: flags=1008843<UP,BROADCAST,RUNNING,MULTICAST,PRIVATE,IPv4> mtu 1500 index 4
inet 172.16.194.6 netmask fffffffc broadcast 172.16.194.7
bge2: flags=1008843<UP,BROADCAST,RUNNING,MULTICAST,PRIVATE,IPv4> mtu 1500 index 5 inet 172.16.1.1 netmask ffffff80 broadcast 172.16.1.127
ether 0:3:ba:c1:d:d9
alice#ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
inet 127.0.0.1 netmask ff000000
lo0:1: flags=1008849<UP,LOOPBACK,RUNNING,MULTICAST,PRIVATE,IPv4> mtu 8232 index 1 inet 172.16.193.2 netmask ffffffff
bge0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
inet 147.132.179.42 netmask ffffff80 broadcast 147.132.179.127
ether 0:3:ba:c0:59:4d
bge0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
inet 147.132.179.13 netmask ffff0000 broadcast 147.132.255.255
bge1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
inet 147.132.114.162 netmask ffffff80 broadcast 147.132.114.255
ether 0:3:ba:c0:59:4d
bge1:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
inet 147.132.114.196 netmask ffff0000 broadcast 147.132.255.255
bge3: flags=1008843<UP,BROADCAST,RUNNING,MULTICAST,PRIVATE,IPv4> mtu 1500 index 4 inet 172.16.0.130 netmask ffffff80 broadcast 172.16.0.255
ether 0:3:ba:c0:59:4d
bge3:1: flags=1008843<UP,BROADCAST,RUNNING,MULTICAST,PRIVATE,IPv4> mtu 1500 index 4
inet 172.16.194.5 netmask fffffffc broadcast 172.16.194.7
bge2: flags=1008843<UP,BROADCAST,RUNNING,MULTICAST,PRIVATE,IPv4> mtu 1500 index 5 inet 172.16.1.2 netmask ffffff80 broadcast 172.16.1.127
ether 0:3:ba:c0:59:4d
With /etc/netmasks, both are same as below:
root # cat /etc/netmasks
# The netmasks file associates Internet Protocol (IP) address
# masks with IP network numbers.
# network-number netmask
# The term network-number refers to a number obtained from the Internet Network
# Information Center. Currently this number is restricted to being a class
# A, B, or C network number. In the future we should be able to support
# arbitrary network numbers per the Classless Internet Domain Routing
# guidelines.
# Both the network-number and the netmasks are specified in
# "decimal dot" notation, e.g:
# 128.32.0.0 255.255.255.0
147.132.0.0 255.255.255.128
I think both servers have the unique netmask for 147.132.0.0 networks.
However, when cluster servers created logical interfaces such as bge1:2 , bge0:2, it always considers it as a class B network -255.255.0.0.
BTW, for balrog, I have to update it using ifconfig so it looks fine. In fact, whenever we swap nodes, we are always having this problem.
Jeff -
How to change IP address permanently on Solaris 10
Hi Solaris Experts,
I would like to update an IP address permanently but believes ifconfig
only does it on the fly and will revert back once the Solaris 10 Sun Fire server
is rebooted:
( i ) # uname -a
SunOS angel 5.10 Generic_139556-08 i86pc i386 i86pc
( ii ) # ifconfig -a
bge0: flags=201000803<UP,BROADCAST,MULTICAST,IPv4,CoS> mtu 1500 index 2
inet 10.56.120.37 netmask fffffc00 broadcast 10.56.123.255
ether 0:1e:68:9b:30:33
nge0: flags=201000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 4
inet 203.20.160.62 netmask ffffff00 broadcast 203.20.160.255
ether 0:1e:68:9b:30:35
nge0:1: flags=201000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index4
inet 203.20.160.81 netmask ffffff00 broadcast 203.20.160.255
nge1: flags=201000803<UP,BROADCAST,MULTICAST,IPv4,CoS> mtu 1500 index 5
inet 10.56.120.40 netmask fffffc00 broadcast 10.56.123.255
ether 0:1e:68:9b:30:36
( iii ) # vi /etc/inet/hosts (/etc/inet/ipnodes is softlinked to /etc/inet/hosts)
#10.56.120.37 angel angel.apple.com loghost
203.20.160.91 angel angel.apple.com loghost
( iv ) # svcadm restart network/physical
( v ) # ifconfig -a
bge0: flags=201000803<UP,BROADCAST,MULTICAST,IPv4,CoS> mtu 1500 index 2
inet 203.20.160.91 netmask ff000000 broadcast 203.255.255.255
ether 0:1e:68:9b:30:33
nge0: flags=201000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 4
inet 203.20.160.62 netmask ffffff00 broadcast 203.20.160.255
ether 0:1e:68:9b:30:35
nge0:1: flags=201000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index4
inet 203.20.160.81 netmask ffffff00 broadcast 203.20.160.255
nge1: flags=201000803<UP,BROADCAST,MULTICAST,IPv4,CoS> mtu 1500 index 5
inet 10.56.120.40 netmask fffffc00 broadcast 10.56.123.255
ether 0:1e:68:9b:30:36
However, I want the correct netmask & broadcast are 255.255.255.0 & 203.20.160.255
respectively, the same as nge0: (203.20.160.62) & nge0:1 (203.20.160.81).
The following ifconfig command does update the IP address together with both correct netmask & broadcast
but don't believe that this change will stay after reboot:
#ifconfig bge0 inet 203.20.160.91 netmask 255.255.255.0 broadcast 192.168.1.255
The value in /etc/netmasks (softlinked to /etc/inet/netmasks) is:
10.56.120.0 255.255.252.0
The value in /etc/defaultrouter is:
203.20.160.1
In short, which other files also need to be updated to pickup the correct netmask (255.255.255.0)
& broadcast (203.20.160.255) permanently, without having to reboot the server?
Thanks in advance,
JackHi Nik,
Thanks for your advice once again but are you able to provide the reason behind your suggestion, so that I won't blindly making this change without knowing why?
I understand how IP and netmask are use in general but do not understand how to setup /etc/inet/netmasks to offset both 10.56.120.0 & 203.20.160.0 subnetworks as well as getting different broadcasts for each.
It is necessary to just as importing to learn from this exercise as much as making the change itself. This is a production server and I must be absolutely convinced that this change will work before applying it. Past attempt has not been successful which caused unnecessary downtime.
Many thanks again,
Jack -
am i right in saying rip 1 v1 you cant use vlsm ? but with rip 2 you can ? does this mean that when you add networks into rip v2 you put in a subnet mask after the network statement ?
Hello Neo,
in fact, RIpv1 and IGRP can simply not send routing updates for classless networks, that is, they can only send the classful networks 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16.
The 'ip classless' command actually doesn't influence the way the routing table is built, it merely influences the forwarding decision is made. To give you an example, let's say your routing table has an entry for network 192.168.1.0, and your router gets a packet for IP address 192.168.2.23, without the 'ip classless' command configured on your router, packets for that destination would be dropped. 'ip classless' makes sure that the packet would get forwarded to the longest match. Check the link below for a somewhat more detailed info, and a configuration example:
IP Classless
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094823.shtml#classless
Regards,
GNT -
I recently replaced a client's router with a Cisco RV 120W. The client employs a web-based application on an internal server that manages their business. Workers in the field use a handheld device power by WIndows Mobile to access a mobile version of the the web-based app. Data contained on the mobile app syncronizes with the server when workers choose a sync menu. Some workers perform this sync in the field, others wait till they return to the office and use the wireless provided by the router. Prior to changing the router, the synching worked fine either inside or outside the company network. The mobile app accesses the internal server via the router's public IP address. The router forwards the http requests to the internal server. But now the synching does not work internally. I assume it's because the Cisco RV 120 W does not support NAT Loopback, or I simply haven't figured out how to enable it. Does anyone know how to enable NAT Loopback on the RV 120 W so I can access the web-based app by through the router's external IP while on the private side of the LAN??
Hi,
There were an open bug for this issue on 1.0.1.3 but was fixed with 1.0.2.6, so i would make sure you're running latest firmware; after this has been verified or installed. If you're having trouble with hairpinning on latest firmware then please give SBSC a call @ 1-866-606-1866 and open a support case.
Jasbrayn -
Can the Cisco UCS 6120XP direct attach the EMC CX4-120 by fibre protocol ?
Hi all
I have two question for Cisco UCS
Q1: Can the Cisco UCS 6120XP direct attach the EMC CX4-120 by fibre protocol ?
Q2: I know the UCS 61XX Series support the Cisco SAN Switch(MDS).But we are only Brocade san switch ,
so UCS 61XX Series supoort Brocade san switch ?
Thanks , I really want to know the information .Q1: The 6120s run in NPV (N_Port Virtualization) mode which means it acts as a proxy for the blade vHBAs and doesn't participate in flogi (fabric logins). When a fabric switch runs in this mode it requires an uplink to a faber switch for flogi and zoning. Due to this you cannot direct attach the the 6120 to an array's front-end fiber ports.
Q2: Yes you can uplink the 6120 to a Brocade fabric as long as the Brocade supports NPIV. -
Hi!
I try to configure a Cisco 5508 Wireless controller and 25 Air-lap1041 to use as VoIP and data. I read documents, manuals, etc, but the AP doesn't charge the configuration, or not conect with the Wireless Controller, why? No Radius server present, only WPA security.howto, please...
I try to put a static ip in the LAP, with lwapp or capwap command, (LWAPP/CAPWAP ap ip address direccion mascara) and the AP returns "You should configure Domain and Name Server from controller CLI/GUI." and i can't change the name of the AP (Command is disabled).
Log from AP:
using ÿÿÿÿ ddr static values from serial eeprom
ddr init done
Running Normal Memtest...
Passed.
IOS Bootloader - Starting system.
FLASH CHIP: Numonyx P33
Checking for Over Erased blocks
Xmodem file system is available.
DDR values used from system serial eeprom.
WRDTR,CLKTR: 0x83000800, 0xc0000000
RQDC, RFDC : 0x80000037, 0x00000184
PCIE0: link is up.
PCIE0: VC0 is active
PCIE1: link is NOT up.
PCIE1 port 1 not initialize
PCIEx: initialization done
flashfs[0]: 6 files, 2 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 32385024
flashfs[0]: Bytes used: 2369024
flashfs[0]: Bytes available: 30016000
flashfs[0]: flashfs fsck took 21 seconds.
Reading cookie from system serial eeprom...Done
Base Ethernet MAC address: 44:2b:03:dc:09:25
Ethernet speed is 1000 Mb - FULL duplex
Loading "flash:/c1140-rcvk9w8-mx/c1140-rcvk9w8-mx"...###########################
File "flash:/c1140-rcvk9w8-mx/c1140-rcvk9w8-mx" uncompressed and installed, entr
y point: 0x4000
executing...
enet halted
Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Cisco IOS Software, C1040 Software (C1140-RCVK9W8-M), Version 12.4(23c)JA, RELEA
SE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Tue 01-Jun-10 12:53 by prod_rel_team
Proceeding with system init
Proceeding to unmask interrupts
Initializing flashfs...
FLASH CHIP: Numonyx P33
Checking for Over Erased blocks
flashfs[1]: 6 files, 2 directories
flashfs[1]: 0 orphaned files, 0 orphaned directories
flashfs[1]: Total bytes: 32126976
flashfs[1]: Bytes used: 2369024
flashfs[1]: Bytes available: 29757952
flashfs[1]: flashfs fsck took 7 seconds.
flashfs[1]: Initialization complete.
flashfs[2]: 0 files, 1 directories
flashfs[2]: 0 orphaned files, 0 orphaned directories
flashfs[2]: Total bytes: 11999232
flashfs[2]: Bytes used: 1024
flashfs[2]: Bytes available: 11998208
flashfs[2]: flashfs fsck took 1 seconds.
flashfs[2]: Initialization complete....done Initializing flashfs.
Ethernet speed is 1000 Mb - FULL duplex
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
cisco AIR-LAP1041N-E-K9 (PowerPC405ex) processor (revision B0) with 98294K/32
768K bytes of memory.
Processor board ID FCZ1611W414
PowerPC405ex CPU at 333Mhz, revision number 0x147E
Last reset from reload
LWAPP image version 7.0.94.21
1 Gigabit Ethernet interface
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 44:2B:03:DC:09:25
Part Number : 73-14034-04
PCA Assembly Number : 800-34273-05
PCA Revision Number : A0
PCB Serial Number : FOC16075VZ3
Top Assembly Part Number : 800-34284-03
Top Assembly Serial Number : FCZ1611W414
Top Revision Number : A0
Product/Model Number : AIR-LAP1041N-E-K9
% Please define a domain-name first.
Press RETURN to get started!
Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)
*Mar 1 00:00:09.574: *** CRASH_LOG = YES
Base Ethernet MAC address: 44:2B:03:DC:09:25
*Mar 1 00:00:09.838: %LWAPP-3-CLIENTEVENTLOG: Read and initialized AP event log
(contains, 1024 messages)
*Mar 1 00:00:11.848: %LINK-3-UPDOWN: Interface GigabitEthernet0, changed state
to up
*Mar 1 00:00:11.892: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C1040 Software (C1140-RCVK9W8-M), Version 12.4(23c)JA, RELEA
SE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Tue 01-Jun-10 12:53 by prod_rel_team
*Mar 1 00:08:16.954: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEth
ernet0, changed state to up
logging facility kern
^
% Invalid input detected at '^' marker.
*Mar 1 00:08:28.047: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROL
LER
*Mar 1 00:08:28.049: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Mar 1 00:09:08.282: %CDP_PD-2-POWER_LOW: All radios disabled - LOW_POWER_CLASS
IC_NO_INJECTOR_CONFIGURED AIR-CT5508-K9 (c464.138f.9345)
*Mar 1 00:09:08.282: -Verify the required power-injector is installed on this
port: AIR-CT5508-K9(Gig 0/0/2).
*Mar 1 00:09:08.282: -If a power-injector is installed, issue the command:"pow
er inline negotiation injector installed"
*Mar 1 00:12:19.976: %CAPWAP-5-STATIC_TO_DHCP_IP: Could not discover WLC using
static IP. Forcing AP to use DHCP.
*Mar 1 00:12:29.993: %CAPWAP-3-ERRORLOG: Not sending discovery request AP does
not have an Ip !!
*Mar 1 00:12:39.994: %CAPWAP-3-ERRORLOG: Not sending discovery request AP does
not have an Ip !!
*Mar 1 00:12:49.993: %CAPWAP-3-ERRORLOG: Not sending discovery request AP does
not have an Ip !!
*Mar 1 00:12:59.994: %CAPWAP-3-ERRORLOG: Not sending discovery request AP does
not have an Ip !!
*Mar 1 00:13:09.993: %CAPWAP-3-ERRORLOG: Not sending discovery request AP does
not have an Ip !!
Not in Bound state.
*Mar 1 00:13:19.993: %CAPWAP-3-ERRORLOG: Not sending discovery request AP does
not have an Ip !!
*Mar 1 00:13:19.993: %CAPWAP-5-DHCP_RENEW: Could not discover WLC using DHCP IP
. Renewing DHCP IP.
logs from wireless controller:
(Cisco Controller) >show interface summary
Interface Name Port Vlan Id IP Address Type Ap Mgr Gu
est
ap-manager 2 untagged 209.165.200.231 Dynamic Yes No
management 1 untagged 209.165.200.230 Static Yes No
service-port N/A N/A 192.168.1.157 Static No No
virtual N/A N/A 1.1.1.1 Static No No
(Cisco Controller) >
i conect with service-port ok and the management port works, i think.
AP442b.03dc.0925>ping 209.165.200.230
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.200.230, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
AP442b.03dc.0925>
Help, please!
i write in spanish:
Hola:
Tengo que configurar un cisco 5508 wireless controller con 25 air-lap1041n, para usarlo como acceso de datos y voz. ¿Cómo lo hago? He leído manuales, y seguido las instrucciones, pero el punto de acceso parace que no es capaz de cargar el perfil. No hay servidor radius, solo la configuración de una clave wpa. Alguién me puede indicar pasos, GraciasHi!
I buy a gigabit switch. I connect the service-port to gigabit switch, and laptop to gigabit switch. I used 192.168.1.x ip address (192.168.1.157 to service-port and 192.168.1.233 to wired port on laptop, well, the laptop has two ip adress, 192.168.1.233 and 209.165.200.2, and the laptop works ok. Ping to 209.165.200.230 -ip address of management interface- and ping to 209.165.200.203 -ip address for AP, is assigned by DHCP of WLC. And i connect the ap to gigabit switch, and the wlc assigns well an ip direction.
I post the run-config and sysinfo log. The gigabit switch is tp-link model tl-sg1005d, no configuration.
Before the logs, I see this message from AP:
*Apr 19 23:10:20.211: %CAPWAP-3-ERRORLOG: This AP is not supported in controller
version 6.0.199.4 ---->What's mean that? Is it compatible the ap with the WLC? ¿Es compatible el AP con el WLC?
Hola:
He comprado un switch gigabit. Conecto el service-port al switch gigabit y el portátil también (por cable). Uso como direcciones ip el rango 192.168.1.x (192.168.1.157 asignado al service-port y 192, 168.1.233 al portátil, bueno, el portátil tiene dos direcciones, la dicha anteriormente y la 209.165.200.2) El portátil funciona bien, hace ping al 209.165.200.230 - la ip de la management interface, y a 209.165.200.203 - ip asignada al AP por el DHCP del WLC. He conectado el AP al swtich gigabit, y el dhcp del wlc asigna correctamente una dirección ip.
Añado a continuación los resultados de los comandos "show run-config" y "show sysinfo". El switch es un TP-LINK modelo TL-S1005D, sin necesidad de configuración.
Antes de mostrar los resultados de los comandos, he visto el siguiente mensaje en el log del AP:
*Apr 19 23:10:20.211: %CAPWAP-3-ERRORLOG: This AP is not supported in controller
version 6.0.199.4 ---->What's mean that? Is it compatible the ap with the WLC? ¿Es compatible el AP con el WLC?
Un saludo
Antonio R.
(Cisco Controller) >show run-config
Press Enter to continue...
System Inventory
NAME: "Chassis" , DESCR: "Cisco Wireless Controller"
PID: AIR-CT5508-K9, VID: V02, SN: FCW1608L05X
Burned-in MAC Address............................ C4:64:13:8F:93:40
Power Supply 1................................... Present, OK
Power Supply 2................................... Absent
Maximum number of APs supported.................. 25
Press Enter to continue or to abort
System Information
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 6.0.199.4
Bootloader Version............................... 1.0.1
Field Recovery Image Version..................... 6.0.182.0
Firmware Version................................. FPGA 1.3, Env 1.6, USB console
1.27
Build Type....................................... DATA + WPS
System Name...................................... CISCO-CAPWAP-CONTROLLER
System Location..................................
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.9.1.1069
IP Address....................................... 209.165.200.230
Last Reset....................................... Power on reset
System Up Time................................... 0 days 0 hrs 17 mins 45 secs
System Timezone Location......................... (GMT +1:00) Amsterdam, Berlin,
Rome, Vienna
Current Boot License Level....................... base
Current Boot License Type........................ Permanent
Next Boot License Level.......................... base
Next Boot License Type........................... Permanent
Configured Country............................... ES - Spain
Operating Environment............................ Commercial (0 to 40 C)
Internal Temp Alarm Limits....................... 0 to 65 C
Internal Temperature............................. +36 C
External Temperature............................. +23 C
Fan Status....................................... OK
State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Disabled
Number of WLANs.................................. 1
3rd Party Access Point Support................... Disabled
Number of Active Clients......................... 0
Burned-in MAC Address............................ C4:64:13:8F:93:40
Power Supply 1................................... Present, OK
Power Supply 2................................... Absent
Maximum number of APs supported.................. 25
Press Enter to continue or to abort
Switch Configuration
802.3x Flow Control Mode......................... Disable
FIPS prerequisite features....................... Disabled
secret obfuscation............................... Enabled
Network Information
RF-Network Name............................. hosp
Web Mode.................................... Disable
Secure Web Mode............................. Enable
Secure Web Mode Cipher-Option High.......... Disable
Secure Web Mode Cipher-Option SSLv2......... Enable
Secure Shell (ssh).......................... Enable
Telnet...................................... Disable
Ethernet Multicast Forwarding............... Disable
Ethernet Broadcast Forwarding............... Disable
AP Multicast/Broadcast Mode................. Unicast
IGMP snooping............................... Disabled
IGMP timeout................................ 60 seconds
User Idle Timeout........................... 300 seconds
ARP Idle Timeout............................ 300 seconds
Cisco AP Default Master..................... Enabled
AP Join Priority............................ Disable
Mgmt Via Wireless Interface................. Disable
Mgmt Via Dynamic Interface.................. Disable
Bridge MAC filter Config.................... Enable
Bridge Security Mode........................ EAP
Mesh Full Sector DFS........................ Enable
--More or (q)uit current module or to abort
--More or (q)uit current module or to abort
AP Fallback ................................ Enable
Web Auth Redirect Ports .................... 80
Fast SSID Change ........................... Disabled
IP/MAC Addr Binding Check .................. Enabled
Press Enter to continue or to abort
Port Summary
STP Admin Physical Physical Link Link
Pr Type Stat Mode Mode Status Status Trap POE SFPType
1 Normal Forw Enable Auto 1000 Full Up Enable N/A 1000BaseTX
2 Normal Disa Enable Auto Auto Down Enable N/A Not Present
3 Normal Disa Enable Auto Auto Down Enable N/A Not Present
4 Normal Disa Enable Auto Auto Down Enable N/A Not Present
5 Normal Disa Enable Auto Auto Down Enable N/A Not Present
6 Normal Disa Enable Auto Auto Down Enable N/A Not Present
7 Normal Disa Enable Auto Auto Down Enable N/A Not Present
8 Normal Disa Enable Auto Auto Down Enable N/A Not Present
Press Enter to continue or to abort
AP Summary
Number of APs.................................... 0
Global AP User Name.............................. Not Configured
Global AP Dot1x User Name........................ Not Configured
AP Name Slots AP Model Ethernet MAC Location
Port Country Priority
Press Enter to continue or to abort
Press Enter to continue or to abort
AP Location
Site Name........................................ default-group
Site Description.................................
WLAN ID Interface Network Admission Control
1 management Disabled
AP Name Slots AP Model Ethernet MAC Location
Port Country Priority GroupName
Press Enter to continue or to abort
AP Config
Press Enter to continue or to abort
Press Enter to continue or to abort
AP Airewave Director Configuration
Press Enter to continue or to abort
802.11a Configuration
802.11a Network.................................. Disabled
11nSupport....................................... Enabled
802.11a Low Band........................... Enabled
802.11a Mid Band........................... Enabled
802.11a High Band.......................... Enabled
802.11a Operational Rates
802.11a 6M Rate.............................. Mandatory
802.11a 9M Rate.............................. Supported
802.11a 12M Rate............................. Mandatory
802.11a 18M Rate............................. Supported
802.11a 24M Rate............................. Mandatory
802.11a 36M Rate............................. Supported
802.11a 48M Rate............................. Supported
802.11a 54M Rate............................. Supported
802.11n MCS Settings:
MCS 0........................................ Supported
MCS 1........................................ Supported
MCS 2........................................ Supported
MCS 3........................................ Supported
MCS 4........................................ Supported
MCS 5........................................ Supported
MCS 6........................................ Supported
--More or (q)uit current module or to abort
--More or (q)uit current module or to abort
MCS 7........................................ Supported
MCS 8........................................ Supported
MCS 9........................................ Supported
MCS 10....................................... Supported
MCS 11....................................... Supported
MCS 12....................................... Supported
MCS 13....................................... Supported
MCS 14....................................... Supported
MCS 15....................................... Supported
802.11n Status:
A-MPDU Tx:
Priority 0............................... Enabled
Priority 1............................... Disabled
Priority 2............................... Disabled
Priority 3............................... Disabled
Priority 4............................... Disabled
Priority 5............................... Disabled
Priority 6............................... Disabled
Priority 7............................... Disabled
Beacon Interval.................................. 100
CF Pollable mandatory............................ Disabled
CF Poll Request mandatory........................ Disabled
CFP Period....................................... 4
--More or (q)uit current module or to abort
--More or (q)uit current module or to abort
CFP Maximum Duration............................. 60
Default Channel.................................. 36
Default Tx Power Level........................... 0
DTPC Status..................................... Enabled
Fragmentation Threshold.......................... 2346
TI Threshold..................................... -50
Legacy Tx Beamforming setting.................... Disabled
Traffic Stream Metrics Status.................... Disabled
Expedited BW Request Status...................... Disabled
World Mode....................................... Enabled
EDCA profile type................................ default-wmm
Voice MAC optimization status.................... Disabled
Call Admision Control (CAC) configuration
Voice AC:
Voice AC - Admission control (ACM)............ Disabled
Voice max RF bandwidth........................ 75
Voice reserved roaming bandwidth.............. 6
Voice load-based CAC mode..................... Disabled
Voice tspec inactivity timeout................ Disabled
Voice Stream-Size............................. 84000
Voice Max-Streams............................. 2
Video AC:
Video AC - Admission control (ACM)............ Disabled
--More or (q)uit current module or to abort
--More or (q)uit current module or to abort
Video max RF bandwidth........................ Infinite
Video reserved roaming bandwidth.............. 0
Press Enter to continue or to abort
802.11a Advanced Configuration
Press Enter to continue or to abort
802.11a Airewave Director Configuration
RF Event and Performance Logging
Channel Update Logging......................... Off
Coverage Profile Logging....................... Off
Foreign Profile Logging........................ Off
Load Profile Logging........................... Off
Noise Profile Logging.......................... Off
Performance Profile Logging.................... Off
TxPower Update Logging......................... Off
Default 802.11a AP performance profiles
802.11a Global Interference threshold.......... 10 %
802.11a Global noise threshold................. -70 dBm
802.11a Global RF utilization threshold........ 80 %
802.11a Global throughput threshold............ 1000000 bps
802.11a Global clients threshold............... 12 clients
Default 802.11a AP monitoring
802.11a Monitor Mode........................... enable
802.11a Monitor Mode for Mesh AP Backhaul...... disable
802.11a Monitor Channels....................... Country channels
802.11a AP Coverage Interval................... 180 seconds
802.11a AP Load Interval....................... 60 seconds
802.11a AP Noise Interval...................... 180 seconds
--More or (q)uit current module or to abort
--More or (q)uit current module or to abort
802.11a AP Signal Strength Interval............ 60 seconds
Automatic Transmit Power Assignment
Transmit Power Assignment Mode................. AUTO
Transmit Power Update Interval................. 600 seconds
Transmit Power Threshold....................... -70 dBm
Transmit Power Neighbor Count.................. 3 APs
Min Transmit Power............................. -10 dBm
Max Transmit Power............................. 30 dBm
Transmit Power Update Contribution............. SNI.
Transmit Power Assignment Leader............... c4:64:13:8f:93:40
Last Run....................................... 75 seconds ago
Coverage Hole Detection
802.11a Coverage Hole Detection Mode........... Enabled
802.11a Coverage Voice Packet Count............ 100 packets
802.11a Coverage Voice Packet Percentage....... 50%
802.11a Coverage Voice RSSI Threshold.......... -80 dBm
802.11a Coverage Data Packet Count............. 50 packets
802.11a Coverage Data Packet Percentage........ 50%
802.11a Coverage Data RSSI Threshold........... -80 dBm
802.11a Global coverage exception level........ 25 %
802.11a Global client minimum exception lev.... 3 clients
Automatic Channel Assignment
Channel Assignment Mode........................ AUTO
--More or (q)uit current module or to abort
Channel Update Interval........................ 600 seconds [startup]
Anchor time (Hour of the day).................. 0
Channel Update Contribution.................... SNI.
Channel Assignment Leader...................... c4:64:13:8f:93:40
Last Run....................................... 75 seconds ago
DCA Sensitivity Level.......................... STARTUP (5 dB)
DCA 802.11n Channel Width...................... 20 MHz
DCA Minimum Energy Limit....................... -95 dBm
Channel Energy Levels
Minimum...................................... unknown
Average...................................... unknown
Maximum...................................... unknown
Channel Dwell Times
Minimum...................................... unknown
Average...................................... unknown
Maximum...................................... unknown
802.11a 5 GHz Auto-RF Channel List
Allowed Channel List......................... 36,40,44,48,52,56,60,64
Unused Channel List.......................... 100,104,108,112,116,120,124,
128,132,136,140
DCA Outdoor AP option.......................... Disabled
Radio RF Grouping
802.11a Group Mode............................. AUTO
--More or (q)uit current module or to abort
802.11a Group Update Interval.................. 600 seconds
802.11a Group Leader........................... c4:64:13:8f:93:40
802.11a Group Member......................... c4:64:13:8f:93:40
802.11a Last Run............................... 75 seconds ago
802.11b Configuration
802.11b Network.................................. Enabled
11gSupport....................................... Enabled
11nSupport....................................... Enabled
802.11b/g Operational Rates
802.11b/g 1M Rate............................ Mandatory
802.11b/g 2M Rate............................ Mandatory
802.11b/g 5.5M Rate.......................... Mandatory
802.11b/g 11M Rate........................... Mandatory
802.11g 6M Rate.............................. Supported
802.11g 9M Rate.............................. Supported
802.11g 12M Rate............................. Supported
802.11g 18M Rate............................. Supported
802.11g 24M Rate............................. Supported
802.11g 36M Rate............................. Supported
802.11g 48M Rate............................. Supported
802.11g 54M Rate............................. Supported
802.11n MCS Settings:
MCS 0........................................ Supported
MCS 1........................................ Supported
MCS 2........................................ Supported
MCS 3........................................ Supported
MCS 4........................................ Supported
--More or (q)uit current module or to abort
MCS 5........................................ Supported
MCS 6........................................ Supported
MCS 7........................................ Supported
MCS 8........................................ Supported
MCS 9........................................ Supported
MCS 10....................................... Supported
MCS 11....................................... Supported
MCS 12....................................... Supported
MCS 13....................................... Supported
MCS 14....................................... Supported
MCS 15....................................... Supported
802.11n Status:
A-MPDU Tx:
Priority 0............................... Enabled
Priority 1............................... Disabled
Priority 2............................... Disabled
Priority 3............................... Disabled
Priority 4............................... Disabled
Priority 5............................... Disabled
Priority 6............................... Disabled
Priority 7............................... Disabled
Beacon Interval.................................. 100
CF Pollable mode................................. Disabled
--More or (q)uit current module or to abort
CF Poll Request mandatory........................ Disabled
CFP Period....................................... 4
CFP Maximum Duration............................. 60
Default Channel.................................. 1
Default Tx Power Level........................... 0
DTPC Status..................................... Enabled
Call Admission Limit ........................... 105
G711 CU Quantum ................................. 15
ED Threshold..................................... -50
Fragmentation Threshold.......................... 2346
PBCC mandatory................................... Disabled
RTS Threshold.................................... 2347
Short Preamble mandatory......................... Enabled
Short Retry Limit................................ 7
Legacy Tx Beamforming setting.................... Enabled
Traffic Stream Metrics Status.................... Disabled
Expedited BW Request Status...................... Disabled
World Mode....................................... Enabled
Faster Carrier Tracking Loop..................... Disabled
EDCA profile type................................ default-wmm
Voice MAC optimization status.................... Disabled
Call Admision Control (CAC) configuration
Voice AC - Admission control (ACM)............ Disabled
--More or (q)uit current module or to abort
Voice Stream-Size............................. 84000
Voice Max-Streams............................. 2
Voice max RF bandwidth........................ 75
Voice reserved roaming bandwidth.............. 6
Voice load-based CAC mode..................... Disabled
Voice tspec inactivity timeout................ Disabled
Video AC - Admission control (ACM)............ Disabled
Video max RF bandwidth........................ 50
Video reserved roaming bandwidth.............. 0
802.11b Advanced Configuration
Press Enter to continue or to abort
802.11b Airewave Director Configuration
RF Event and Performance Logging
Channel Update Logging......................... Off
Coverage Profile Logging....................... Off
Foreign Profile Logging........................ Off
Load Profile Logging........................... Off
Noise Profile Logging.......................... Off
Performance Profile Logging.................... Off
Transmit Power Update Logging.................. Off
Default 802.11b AP performance profiles
802.11b Global Interference threshold.......... 10 %
802.11b Global noise threshold................. -70 dBm
802.11b Global RF utilization threshold........ 80 %
802.11b Global throughput threshold............ 1000000 bps
802.11b Global clients threshold............... 12 clients
Default 802.11b AP monitoring
802.11b Monitor Mode........................... enable
802.11b Monitor Channels....................... Country channels
802.11b AP Coverage Interval................... 180 seconds
802.11b AP Load Interval....................... 60 seconds
802.11b AP Noise Interval...................... 180 seconds
802.11b AP Signal Strength Interval............ 60 seconds
Automatic Transmit Power Assignment
Transmit Power Assignment Mode................. AUTO
Transmit Power Update Interval................. 600 seconds
Transmit Power Threshold....................... -70 dBm
Transmit Power Neighbor Count.................. 3 APs
Min Transmit Power............................. -10 dBm
Max Transmit Power............................. 30 dBm
Transmit Power Update Contribution............. SNI.
Transmit Power Assignment Leader............... c4:64:13:8f:93:40
Last Run....................................... 213 seconds ago
Coverage Hole Detection
802.11b Coverage Hole Detection Mode........... Enabled
802.11b Coverage Voice Packet Count............ 100 packets
802.11b Coverage Voice Packet Percentage....... 50%
802.11b Coverage Voice RSSI Threshold.......... -80 dBm
802.11b Coverage Data Packet Count............. 50 packets
802.11b Coverage Data Packet Percentage........ 50%
802.11b Coverage Data RSSI Threshold........... -80 dBm
802.11b Global coverage exception level........ 25 %
802.11b Global client minimum exception lev.... 3 clients
Automatic Channel Assignment
Channel Assignment Mode........................ AUTO
Channel Update Interval........................ 600 seconds [startup]
Anchor time (Hour of the day).................. 0
Channel Update Contribution.................... SNI.
Channel Assignment Leader...................... c4:64:13:8f:93:40
Last Run....................................... 213 seconds ago
DCA Sensitivity Level: ...................... STARTUP (5 dB)
DCA Minimum Energy Limit....................... -95 dBm
Channel Energy Levels
Minimum...................................... unknown
Average...................................... unknown
Maximum...................................... unknown
Channel Dwell Times
Minimum...................................... unknown
Average...................................... unknown
Maximum...................................... unknown
802.11b Auto-RF Allowed Channel List........... 1,6,11
Auto-RF Unused Channel List.................... 2,3,4,5,7,8,9,10,12,13
Radio RF Grouping
802.11b Group Mode............................. AUTO
802.11b Group Update Interval.................. 600 seconds
802.11b Group Leader........................... c4:64:13:8f:93:40
802.11b Group Member......................... c4:64:13:8f:93:40
802.11b Last Run............................... 213 seconds ago
Mobility Configuration
Symmetric Mobility Tunneling (current) .......... Enabled
Symmetric Mobility Tunneling (after reboot) ..... Enabled
Mobility Protocol Port........................... 16666
Default Mobility Domain.......................... hosp
Multicast Mode .................................. Disabled
Mobility Domain ID for 802.11r................... 0x97e2
Mobility Keepalive Interval...................... 10
Mobility Keepalive Count......................... 3
Mobility Group Members Configured................ 1
Mobility Control Message DSCP Value.............. 0
Controllers configured in the Mobility Group
MAC Address IP Address Group Name Multicast
IP Status
c4:64:13:8f:93:40 209.165.200.230 hosp 0.0.0.0
Up
Advanced Configuration
Probe request filtering.......................... Enabled
Probes fwd to controller per client per radio.... 0
Probe request rate-limiting interval............. 500 msec
EAP-Identity-Request Timeout (seconds)........... 30
EAP-Identity-Request Max Retries................. 2
EAP Key-Index for Dynamic WEP.................... 0
EAP Max-Login Ignore Identity Response........... enable
EAP-Request Timeout (seconds).................... 30
EAP-Request Max Retries.......................... 2
EAPOL-Key Timeout (milliseconds)................. 1000
EAPOL-Key Max Retries............................ 2
dot11-padding.................................... Disabled
Authentication Response Timeout (seconds)........ 10
Rogue Entry Timeout (seconds).................... 1200
AP Heart Beat Timeout (seconds).................. 30
AP Discovery Timeout (seconds)................... 10
AP Local mode Fast Heartbeat (seconds)........... disable
AP Hreap mode Fast Heartbeat (seconds)........... disable
AP Primary Discovery Timeout (seconds)........... 120
AP Primed Join Timeout (seconds)................. 0
Packet Forwarding watchdog timer (seconds)....... 240 (enable)
Location Configuration
RFID Tag data Collection......................... Enabled
RFID timeout.................................... 1200 seconds
RFID mobility.................................... Oui:00:14:7e : Vendor:pango S
tate:Disabled
Interface Configuration
Interface Name................................... management
MAC Address...................................... c4:64:13:8f:93:40
IP Address....................................... 209.165.200.230
IP Netmask....................................... 255.255.255.0
IP Gateway....................................... 209.165.200.1
External NAT IP State............................ Disabled
External NAT IP Address.......................... 192.168.1.1
VLAN............................................. untagged
Quarantine-vlan.................................. 0
Active Physical Port............................. 1
Primary Physical Port............................ 1
Backup Physical Port............................. Unconfigured
Primary DHCP Server.............................. 209.165.200.230
Secondary DHCP Server............................ Unconfigured
DHCP Option 82................................... Disabled
ACL.............................................. Unconfigured
AP Manager....................................... Yes
Guest Interface.................................. No
Interface Name................................... service-port
MAC Address...................................... c4:64:13:8f:93:41
IP Address....................................... 192.168.1.157
IP Netmask....................................... 255.255.255.0
DHCP Option 82................................... Disabled
DHCP Protocol.................................... Disabled
AP Manager....................................... No
Guest Interface.................................. No
Interface Name................................... virtual
MAC Address...................................... c4:64:13:8f:93:40
IP Address....................................... 1.1.1.1
DHCP Option 82................................... Disabled
Virtual DNS Host Name............................ Disabled
AP Manager....................................... No
Guest Interface.................................. No
WLAN Configuration
WLAN Identifier.................................. 1
Profile Name..................................... HOSP3C
Network Name (SSID).............................. HOSP3C
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
NAC-State...................................... Disabled
Quarantine VLAN................................ 0
Number of Active Clients......................... 0
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 1800 seconds
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ management
WLAN ACL......................................... unconfigured
DHCP Server...................................... 209.165.200.230
DHCP Address Assignment Required................. Enabled
Quality of Service............................... Platinum (voice)
Scan Defer Priority.............................. 5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
IPv6 Support..................................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... 802.11b and 802.11g only
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
Authentication................................ Disabled
Accounting.................................... Disabled
Dynamic Interface............................. Disabled
Local EAP Authentication......................... Disabled
Security
802.11 Authentication:........................ Open System
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Enabled
WPA (SSN IE)............................... Disabled
WPA2 (RSN IE).............................. Enabled
TKIP Cipher............................. Enabled
AES Cipher.............................. Enabled
Auth Key Management
802.1x.................................. Disabled
PSK..................................... Enabled
CCKM.................................... Disabled
FT(802.11r)............................. Disabled
FT-PSK(802.11r)......................... Disabled
FT Reassociation Timeout......................... 20
FT Over-The-Air mode............................. Enabled
FT Over-The-Ds mode.............................. Enabled
CKIP ......................................... Disabled
Web Based Authentication...................... Disabled
Web-Passthrough............................... Disabled
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Disabled
H-REAP Local Switching........................ Disabled
H-REAP Learn IP Address....................... Enabled
Infrastructure MFP protection................. Enabled
Client MFP.................................... Optional
Tkip MIC Countermeasure Hold-down Timer....... 60
Call Snooping.................................... Disabled
Band Select...................................... Enabled
Load Balancing................................... Enabled
Mobility Anchor List
WLAN ID IP Address Status
Press Enter to continue or to abort
Press Enter to continue or to abort
ACL Configuration
Press Enter to continue or to abort
CPU ACL Configuration
CPU Acl Name................................ NOT CONFIGURED
Wireless Traffic............................ Disabled
Wired Traffic............................... Disabled
RADIUS Configuration
Vendor Id Backward Compatibility................. Disabled
Call Station Id Case............................. lower
Call Station Id Type............................. IP Address
Aggressive Failover.............................. Enabled
Keywrap.......................................... Disabled
Fallback Test:
Test Mode.................................... Off
Probe User Name.............................. cisco-probe
Interval (in seconds)........................ 300
MAC Delimiter for Authentication Messages........ hyphen
MAC Delimiter for Accounting Messages............ hyphen
Authentication Servers
Idx Type Server Address Port State Tout RFC3576 IPSec - AuthMode/P
hase1/Group/Lifetime/Auth/Encr
Accounting Servers
Idx Type Server Address Port State Tout RFC3576 IPSec - AuthMode/P
hase1/Group/Lifetime/Auth/Encr
--More or (q)uit current module or to abort
TACACS Configuration
Authentication Servers
Idx Server Address Port State Tout
Authorization Servers
Idx Server Address Port State Tout
Accounting Servers
Idx Server Address Port State Tout
LDAP Configuration
Press Enter to continue or to abort
Local EAP Configuration
User credentials database search order:
Primary ..................................... Local DB
Timer:
Active timeout .............................. 300
Configured EAP profiles:
EAP Method configuration:
EAP-FAST:
Server key ................................
TTL for the PAC ........................... 10
Anonymous provision allowed ............... Yes
Authority ID .............................. 436973636f00000000000000000000
00
Authority Information ..................... Cisco A-ID
Press Enter to continue or to abort
HREAP Group Summary
HREAP Group Summary: Count: 0
Group Name # Aps
Press Enter to continue or to abort
HREAP Group Detail
Press Enter to continue or to abort
Route Info
Number of Routes................................. 0
Destination Network Netmask Gateway
Press Enter to continue or to abort
Qos Queue Length Info
Platinum queue length............................ 100
Gold queue length................................ 75
Silver queue length.............................. 50
Bronze queue length.............................. 25
Press Enter to continue or to abort
Mac Filter Info
Press Enter to continue or to abort
Authorization List
Authorize MIC APs against AAA ................... disabled
Authorize LSC APs against Auth-List ............. disabled
Allow APs with MIC - Manufactured Installed C.... disabled
Allow APs with SSC - Self-Signed Certificate..... disabled
Allow APs with LSC - Locally Significant Cert.... disabled
Load Balancing Info
Aggressive Load Balancing........................ Disabled
Aggressive Load Balancing Window................. 5 clients
Aggressive Load Balancing Denial Count........... 3
Statistics
Total Denied Count............................... 0 clients
Total Denial Sent................................ 0 messages
Exceeded Denial Max Limit Count.................. 0 times
None 5G Candidate Count.......................... 0 times
None 2.4G Candidate Count........................ 0 times
Press Enter to continue or to abort
Dhcp Scope Info
Scope: PUNTOSAP
Enabled.......................................... Yes
Lease Time....................................... 86400 (1 day )
Pool Start....................................... 209.165.200.201
Pool End......................................... 209.165.200.229
Network.......................................... 209.165.200.0
Netmask.......................................... 255.255.255.0
Default Routers.................................. 0.0.0.0 0.0.0.0 0.0.0.0
DNS Domain.......................................
DNS.............................................. 0.0.0.0 0.0.0.0 0.0.0.0
Netbios Name Servers............................. 0.0.0.0 0.0.0.0 0.0.0.0
Press Enter to continue or to abort
Exclusion List ConfigurationUnable to retrieve exclusion-list entry
Press Enter to continue or to abort
CDP Configuration
Press Enter to continue or to abort
Country Channels Configuration
Configured Country............................. ES - Spain
KEY: * = Channel is legal in this country and may be configured manually.
A = Channel is the Auto-RF default in this country.
. = Channel is not legal in this country.
C = Channel has been configured for use by Auto-RF.
x = Channel is available to be configured for use by Auto-RF.
(-,-) = (indoor, outdoor) regulatory doamin allowed by this country.
-----------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-
802.11bg :
Channels : 1 1 1 1 1
: 1 2 3 4 5 6 7 8 9 0 1 2 3 4
-----------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-
ES (-E ,-E ): A * * * * A * * * * A * * .
-----------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
802.11a : 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
Channels : 3 3 3 4 4 4 4 4 5 5 6 6 0 0 0 1 1 2 2 2 3 3 4 4 5 5 6 6
: 4 6 8 0 2 4 6 8 2 6 0 4 0 4 8 2 6 0 4 8 2 6 0 9 3 7 1 5
-----------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
ES (-E ,-E ): . A . A . A . A A A A A * * * * * * * * * * * . . . . .
Press Enter to continue or to abort
WPS Configuration Summary
Auto-Immune
Auto-Immune.................................... Disabled
Client Exclusion Policy
Excessive 802.11-association failures.......... Enabled
Excessive 802.11-authentication failures....... Enabled
Excessive 802.1x-authentication................ Enabled
IP-theft....................................... Enabled
Excessive Web authentication failure........... Enabled
Signature Policy
Signature Processing........................... Enabled
Press Enter to continue or to abort
Custom Web Configuration
Radius Authentication Method..................... PAP
Cisco Logo....................................... Enabled
CustomLogo....................................... None
Custom Title..................................... None
Custom Message................................... None
Custom Redirect URL.............................. None
Web Authentication Type.......................... Internal Default
External Web Authentication URL.................. None
Configuration Per Profile:
Rogue AP Configuration
Rogue Location Discovery Protocol................ Disabled
Rogue on wire Auto-Contain....................... Disabled
Rogue using our SSID Auto-Contain................ Disabled
Valid client on rogue AP Auto-Contain............ Disabled
Rogue AP timeout................................. 1200
MAC Address Classification # APs # Clients Last Heard
Adhoc Rogue Configuration
Detect and report Ad-Hoc Networks................ Enabled
Auto-Contain Ad-Hoc Networks..................... Disabled
Client MAC Address Adhoc BSSID State # APs Last Heard
Rogue Client Configuration
Validate rogue clients against AAA............... Disabled
Rogue Client Configuration
Validate rogue clients against AAA............... Disabled
--More-- or (q)uit
MAC Address State # APs Last Heard
Ignore List Configuration
MAC Address
Rogue Rule Configuration
Priority Rule Name State Type Match Hit Count
(Cisco Controller) >show sysinfo
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 6.0.199.4
Bootloader Version............................... 1.0.1
Field Recovery Image Version..................... 6.0.182.0
Firmware Version................................. FPGA 1.3, Env 1.6, USB console
1.27
Build Type....................................... DATA + WPS
System Name...................................... CISCO-CAPWAP-CONTROLLER
System Location..................................
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.9.1.1069
IP Address....................................... 209.165.200.230
Last Reset....................................... Power on reset
System Up Time................................... 0 days 0 hrs 41 mins 2 secs
System Timezone Location......................... (GMT +1:00) Amsterdam, Berlin,
Rome, Vienna
Current Boot License Level....................... base
Current Boot License Type........................ Permanent
Next Boot License Level.......................... base
Next Boot License Type........................... Permanent
Configured Country............................... ES - Spain
Operating Environment............................ Commercial (0 to 40 C)
Internal Temp Alarm Limits....................... 0 to 65 C
Internal Temperature............................. +39 C
External Temperature............................. +23 C
Fan Status....................................... OK
State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Disabled
Number of WLANs.................................. 1
3rd Party Access Point Support................... Disabled
Number of Active Clients......................... 0
Burned-in MAC Address............................ C4:64:13:8F:93:40
Power Supply 1................................... Present, OK
Power Supply 2................................... Absent
Maximum number of APs supported.................. 25
(Cisco Controller) >
The AP log
AP442b.03dc.0925>
*Apr 19 23:10:18.428: %CAPWAP-3-ERRORLOG: Selected MWAR 'CISCO-CAPWAP-CONTROLLER
'(index 0).
*Apr 19 23:10:18.428: %CAPWAP-3-ERRORLOG: Go join a capwap controller
logging facility kern
^
% Invalid input detected at '^' marker.
logging facility kern
^
% Invalid input detected at '^' marker.
*Apr 19 23:10:19.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_i
p: 209.165.200.230 peer_port: 5246
*Apr 19 23:10:19.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
*Apr 19 23:10:20.200: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully
peer_ip: 209.165.200.230 peer_port: 5246
*Apr 19 23:10:20.201: %CAPWAP-5-SENDJOIN: sending Join Request to 209.165.200.23
0
*Apr 19 23:10:20.201: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
*Apr 19 23:10:20.211: %CAPWAP-3-ERRORLOG: This AP is not supported in controller
version 6.0.199.4 ---->What's mean that? Is it compatible the ap with the WLC? ¿Es compatible el AP con el WLC?
*Apr 19 23:10:20.354: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
*Apr 19 23:10:20.355: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 209
.165.200.230:5246
*Apr 19 23:10:20.356: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Apr 19 23:10:20.356: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Apr 19 23:10:20.412: %CAPWAP-3-ERRORLOG: Dropping dtls packet since session is
not established -
Cisco ASA 5505 Blocking LAN Domain Queries
Hi guys,
Okay my scenario, datacentre hosted system with 4 servers connected to a CISCO ASA5505, everything was working fine with 4x windows server 2003 machines but since pulling 2 out and replacing them with windows server 2008 machines i get a flood of the error below and it blocks communications back to the IP listed which is the domain controller so naturally this makes the 2 new servers unusable.
1: they are all connected to the inside VLAN directly via the ASA's switch ports.
2: the are all in the same 255.255.255.0 subnet including the ASA inside interface
3: removing the gateway on the affected machines makes no difference the ASA continues to block it which indicates whether or not the machines use the asa as a gateway its inspecting the traffic and blocking
I have posted the error below and my config, its strange its only affecting the new server 2008 machines and im hoping you can offer suggestions.
Errors:
2 Dec 08 2012 12:02:41 106007 10.50.15.117 55068 DNS Deny inbound UDP from 10.50.15.117/55068 to 10.50.15.5/53 due to DNS Query
Result of the command: "show run"
: Saved
ASA Version 8.2(1)
hostname xxxxx-ASA5505
domain-name xxx.local
enable password
passwd
names
name 10.50.17.0 Hobart description Hobart
name 10.50.16.0 Launceston description Launceston
name 10.50.18.0 Burnie description Burnie
name 10.50.24.0 Devonport description Devonport
name 10.50.23.0 burniewilmot description burniewilmot
name 10.50.35.0 Warrnamboolmain description warrnamboolmain
name 10.50.30.0 hamilton description hamilton
name 10.50.20.0 Portland description Portland
name 10.50.31.0 Camperdown description Camperdown
name 10.50.32.0 wboolsh description wboolsh
name 10.50.33.0 wblthy description wblthy
dns-guard
interface Vlan1
nameif inside
security-level 100
ip address 10.50.15.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 111.223.228.154 255.255.255.248
interface Vlan5
no forward interface Vlan1
nameif dmz
security-level 50
ip address dhcp
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
clock timezone EST 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
dns server-group DefaultDNS
domain-name xxx.local
object-group service IpPrinting tcp
port-object eq 9100
object-group icmp-type icmp
icmp-object alternate-address
icmp-object conversion-error
icmp-object echo
icmp-object echo-reply
icmp-object information-reply
icmp-object information-request
icmp-object mask-reply
icmp-object mask-request
icmp-object mobile-redirect
icmp-object parameter-problem
icmp-object redirect
icmp-object router-advertisement
icmp-object router-solicitation
icmp-object source-quench
icmp-object time-exceeded
icmp-object timestamp-reply
icmp-object timestamp-request
icmp-object traceroute
icmp-object unreachable
object-group network dns_servers
network-object host 10.50.15.5
object-group service domain udp
port-object eq domain
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object udp
protocol-object tcp
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any any eq domain
access-list inside_access_in extended permit udp any any object-group domain
access-list outside_access_in extended permit ip any any inactive
access-list outside_access_in extended permit tcp any 111.223.228.152 255.255.255.248 eq smtp
access-list outside_access_in extended permit tcp any 111.223.228.152 255.255.255.248 eq www
access-list vpnusers_splitTunnelAcl standard permit 111.223.231.120 255.255.255.248
access-list inside_nat0_outbound extended permit ip 111.223.231.120 255.255.255.248 14.0.0.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip 111.223.231.120 255.255.255.248 111.223.228.152 255.255.255.248
access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 111.223.228.152 255.255.255.248
access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 Hobart 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 Warrnamboolmain 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 Launceston 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 14.0.0.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 Burnie 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 Devonport 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 burniewilmot 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 hamilton 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 Portland 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 Camperdown 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 wboolsh 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 wblthy 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.50.15.0 255.255.255.0 Hobart 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip 10.50.15.0 255.255.255.0 Launceston 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.50.15.0 255.255.255.0 Burnie 255.255.255.0
access-list outside_3_cryptomap extended permit ip 10.50.15.0 255.255.255.0 Hobart 255.255.255.0
access-list outside_4_cryptomap extended permit ip 10.50.15.0 255.255.255.0 burniewilmot 255.255.255.0
access-list outside_5_cryptomap extended permit ip 10.50.15.0 255.255.255.0 Warrnamboolmain 255.255.255.0
access-list outside_6_cryptomap extended permit ip 10.50.15.0 255.255.255.0 hamilton 255.255.255.0
access-list outside_7_cryptomap extended permit ip 10.50.15.0 255.255.255.0 Portland 255.255.255.0
access-list outside_8_cryptomap extended permit ip 10.50.15.0 255.255.255.0 Camperdown 255.255.255.0
access-list outside_9_cryptomap extended permit ip 10.50.15.0 255.255.255.0 wboolsh 255.255.255.0
access-list outside_10_cryptomap extended permit ip 10.50.15.0 255.255.255.0 wblthy 255.255.255.0
access-list dmz_access_in extended permit tcp any interface outside eq www inactive
access-list dmz_access_in extended permit tcp any 111.223.228.152 255.255.255.248 eq smtp
pager lines 24
logging enable
logging asdm warnings
mtu inside 1300
mtu outside 1300
mtu dmz 1500
ip local pool vpnclient 14.0.0.1-14.0.0.15 mask 255.0.0.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.50.15.0 255.255.255.0
static (outside,inside) tcp 10.50.15.5 www 0.0.0.0 www netmask 255.255.255.255
static (inside,outside) tcp interface www 10.50.15.5 www netmask 255.255.255.255 dns
static (inside,outside) tcp interface smtp 10.50.15.5 smtp netmask 255.255.255.255 dns
static (inside,inside) 10.50.15.0 255.255.255.0 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 111.223.228.153 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-reco
rd DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.50.15.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set esp-des-sha esp-des esp-sha-hmac
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec df-bit clear-df outside
crypto dynamic-map outside_dyn_map 1 set transform-set ESP-3DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 58.96.86.56
crypto map outside_map 1 set transform-set esp-des-sha
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map0 1 match address outside_1_cryptomap_1
crypto map outside_map0 1 set peer 59.167.207.106
crypto map outside_map0 1 set transform-set ESP-3DES-SHA
crypto map outside_map0 2 match address outside_2_cryptomap
crypto map outside_map0 2 set peer 59.167.204.53
crypto map outside_map0 2 set transform-set ESP-3DES-SHA
crypto map outside_map0 3 match address outside_3_cryptomap
crypto map outside_map0 3 set pfs
crypto map outside_map0 3 set peer 203.45.159.34
crypto map outside_map0 3 set transform-set ESP-3DES-SHA
crypto map outside_map0 4 match address outside_4_cryptomap
crypto map outside_map0 4 set peer 203.45.134.39
crypto map outside_map0 4 set transform-set ESP-3DES-SHA
crypto map outside_map0 5 match address outside_5_cryptomap
crypto map outside_map0 5 set peer 58.96.75.47
crypto map outside_map0 5 set transform-set ESP-3DES-SHA
crypto map outside_map0 6 match address outside_6_cryptomap
crypto map outside_map0 6 set peer 58.96.85.151
crypto map outside_map0 6 set transform-set ESP-3DES-SHA
crypto map outside_map0 7 match address outside_7_cryptomap
crypto map outside_map0 7 set peer 58.96.78.238
crypto map outside_map0 7 set transform-set ESP-3DES-SHA
crypto map outside_map0 8 match address outside_8_cryptomap
crypto map outside_map0 8 set peer 58.96.69.82
crypto map outside_map0 8 set transform-set ESP-3DES-SHA
crypto map outside_map0 9 match address outside_9_cryptomap
crypto map outside_map0 9 set peer 58.96.83.244
crypto map outside_map0 9 set transform-set ESP-3DES-SHA
crypto map outside_map0 10 match address outside_10_cryptomap
crypto map outside_map0 10 set peer 58.96.80.122
crypto map outside_map0 10 set transform-set ESP-3DES-SHA
crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map0 interface outside
crypto isakmp enable outside
crypto isakmp policy 2
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption des
hash sha
group 1
lifetime 86400
crypto isakmp policy 70
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 10.50.15.50-10.50.15.55 inside
dhcpd dns 10.50.15.5 interface inside
no threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 130.194.10.150
webvpn
group-policy xxx internal
group-policy xxx attributes
dns-server value 10.50.15.5
vpn-tunnel-protocol IPSec
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
dhcp-network-scope 14.0.0.0
vpn-tunnel-protocol IPSec webvpn
ipv6-address-pools none
group-policy vpnusers internal
group-policy vpnusers attributes
dns-server value 10.50.15.5 139.130.4.4
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnusers_splitTunnelAcl
username aspireremote password
username aspireremote attributes
service-type remote-access
username richard.lawes password
username netscreen password
tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive threshold 15 retry 2
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 15 retry 2
tunnel-group DefaultWEBVPNGroup ipsec-attributes
isakmp keepalive threshold 15 retry 2
tunnel-group TunnelGroup1 type remote-access
tunnel-group TunnelGroup1 general-attributes
address-pool (outside) vpnclient
address-pool vpnclient
default-group-policy GroupPolicy1
dhcp-server 192.168.0.5
tunnel-group TunnelGroup1 ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 15 retry 2
tunnel-group vpnusers type remote-access
tunnel-group vpnusers general-attributes
address-pool vpnclient
default-group-policy vpnusers
tunnel-group vpnusers ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 15 retry 2
tunnel-group 59.167.207.106 type ipsec-l2l
tunnel-group 59.167.207.106 ipsec-attributes
pre-shared-key *
tunnel-group aspirevpn type remote-access
tunnel-group aspirevpn general-attributes
address-pool vpnclient
default-group-policy xxxvpn
tunnel-group xxxvpn ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 15 retry 2
tunnel-group 59.167.204.53 type ipsec-l2l
tunnel-group 59.167.204.53 ipsec-attributes
pre-shared-key *
tunnel-group 203.45.159.34 type ipsec-l2l
tunnel-group 203.45.159.34 ipsec-attributes
pre-shared-key *
tunnel-group 203.45.134.39 type ipsec-l2l
tunnel-group 203.45.134.39 ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 15 retry 2
tunnel-group 58.96.75.47 type ipsec-l2l
tunnel-group 58.96.75.47 ipsec-attributes
pre-shared-key *
tunnel-group 58.96.85.151 type ipsec-l2l
tunnel-group 58.96.85.151 ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 15 retry 2
tunnel-group 58.96.78.238 type ipsec-l2l
tunnel-group 58.96.78.238 ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 15 retry 2
tunnel-group 58.96.69.82 type ipsec-l2l
tunnel-group 58.96.69.82 ipsec-attributes
pre-shared-key *
tunnel-group 58.96.83.244 type ipsec-l2l
tunnel-group 58.96.83.244 ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 15 retry 2
tunnel-group 58.96.80.122 type ipsec-l2l
tunnel-group 58.96.80.122 ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 15 retry 2
prompt hostname contextHello Richard,
My first though is why is the ASA receiving this traffic is this is traffic that should not reach the default-gateway.
Anyway try the following
same-security-traffic permit intra-interface
Let me know how it goes
Julio -
Site to Site VPN between ASA 5505 and Cisco 800 router
Evening all,
Hoping that someboy can see the error of my ways. It seems very like the problem that i read here: https://supportforums.cisco.com/thread/2016300
We have a cisco 800 in a remote site which we wanted to use for a site to site vpn. Went through the steps on the ASA 5505 and the 800 and have got to the stage were the tunnel is up and connected. Getting traffic through it is another matter. Remote network is 172.20.224.0/20 and the server network behind the ASA is 192.168.168.0/24. The tunnel does intiate when you send traffic from 172 ......to 192....... Both the ASA and 800 report the tunnel is up. If i look at the stats using ccp on the 800 i can see the encapsulation packets graph shooting up but nothing cominbg back. I did packet captures on the 5505 and could not see anything coming from the tunnel so i dont belive its making it to the ASA. Here is the config from the 800:
Building configuration...
Current configuration : 6488 bytes
version 12.4
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
hostname hhp-sty-backup
boot-start-marker
boot-end-marker
logging message-counter syslog
logging buffered 4096
enable secret 5 $1$jI1i$/kZbRk2WHD5h0HtfuQVej1
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa authorization auth-proxy default local
aaa session-id common
crypto pki trustpoint TP-self-signed-1347488939
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1347488939
revocation-check none
rsakeypair TP-self-signed-1347488939
crypto pki certificate chain TP-self-signed-1347488939
certificate self-signed 02
30820255 308201BE A0030201 02020102 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31333437 34383839 3339301E 170D3032 30333031 30313336
33375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 33343734
38383933 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100E714 7B0ADB41 19F60528 A8A5C43B 5CD2D1CD DCCF2E08 8B38D444 36EAB9B7
0E93CEF7 660F979E E27915B9 E44812A5 794EA03D BA66752B FD0F7EBF D6342513
D6410E4E 098CE838 C3BADD0A 5F3505FE 22CA776F 89B19510 F0852225 3600F046
4D57D2E2 FE4AAD1E 8BE4BF80 7B27369E BFA65160 BC769BC9 00A13741 E336D0EA
8A810203 010001A3 7D307B30 0F060355 1D130101 FF040530 030101FF 30280603
551D1104 21301F82 1D686870 2D737479 2D626163 6B75702E 796F7572 646F6D61
696E2E63 6F6D301F 0603551D 23041830 168014FA 4A8C4DF6 629638DE 87D7B60A
0F5BB40F EA6AED30 1D060355 1D0E0416 0414FA4A 8C4DF662 9638DE87 D7B60A0F
5BB40FEA 6AED300D 06092A86 4886F70D 01010405 00038181 00BBE577 6EF63FE7
789766D5 37841812 298D4885 1CD06D07 4C625369 C3403106 89EE1398 73495432
66C49CB1 36A5B2F8 D77A8C46 5AFE4112 EA5917D9 81542640 80EF2D36 54A85CC6
C3FFFFB8 39A648DD 2ABA2B13 4137BE07 760E46C0 74401DA7 482E3FA2 A64B70FF
447AA1B2 52E37240 29987085 532BBE3B C2E2E54A 54CA1D13 0E
quit
dot11 syslog
ip source-route
ip dhcp excluded-address 10.10.10.1
ip dhcp pool inside
ip dhcp pool lan_network
network 172.20.224.0 255.255.240.0
dns-server 8.8.8.8 8.8.4.4
default-router 172.20.224.1
lease 7
ip cef
no ip domain lookup
ip domain name yourdomain.com
password encryption aes
username pix privilege 15 secret 5 $1$Z.wA$lBmj36AJx/cbK1RjmfGJh1
username admin privilege 15 password 0 434Zaty
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key password address 217.36.32.222
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to217.36.32.222
set peer 217.36.32.222
set transform-set ESP-3DES-SHA
match address 100
archive
log config
hidekeys
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
dsl operating-mode auto
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 172.20.224.1 255.255.240.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
no cdp enable
ppp authentication chap callin
ppp chap hostname B6*******.btclick.com
ppp chap password 0 H*******
crypto map SDM_CMAP_1
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
access-list 1 remark CCP_ACL Category=16
access-list 1 permit 172.4.0.0 0.240.255.255
access-list 10 permit 195.12.1.35
access-list 10 permit 172.4.0.0 0.240.255.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.20.224.0 0.0.15.255 192.168.168.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 172.20.224.0 0.0.15.255 192.168.168.0 0.0.0.255
access-list 101 permit ip 172.4.0.0 0.240.255.255 any
route-map SDM_RMAP_1 permit 1
match ip address 101
control-plane
banner exec ^C
% Password expiration warning.
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you
want to use.
^C
banner login ^C
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE
PUBLICLY-KNOWN CREDENTIALS
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want
to use.
IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL
NOT BE ABLE TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
^C
line con 0
no modem enable
stopbits 1
line aux 0
line vty 0 4
access-class 10 in
privilege level 15
password 434Zaty
transport input telnet ssh
scheduler max-task-time 5000
end
Any help will be most gratefully recieved.Rick,
Thanks for replying. Here is the output from the 800 Show Crypto command:
interface: Dialer0
Crypto map tag: SDM_CMAP_1, local addr 81.136.160.237
protected vrf: (none)
local ident (addr/mask/prot/port): (172.20.224.0/255.255.240.0/0/0)
remote ident (addr/mask/prot/port): (192.168.168.0/255.255.255.0/0/0)
current_peer 217.36.32.222 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 10928, #pkts encrypt: 10928, #pkts digest: 10928
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 2, #recv errors 0
local crypto endpt.: 81.136.160.237, remote crypto endpt.: 217.36.32.222
path mtu 1500, ip mtu 1500, ip mtu idb Virtual-Access2
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
interface: Virtual-Access2
Crypto map tag: SDM_CMAP_1, local addr 81.136.160.237
protected vrf: (none)
local ident (addr/mask/prot/port): (172.20.224.0/255.255.240.0/0/0)
remote ident (addr/mask/prot/port): (192.168.168.0/255.255.255.0/0/0)
current_peer 217.36.32.222 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 10928, #pkts encrypt: 10928, #pkts digest: 10928
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 2, #recv errors 0
local crypto endpt.: 81.136.160.237, remote crypto endpt.: 217.36.32.222
path mtu 1500, ip mtu 1500, ip mtu idb Virtual-Access2
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
and this is the running config frm our ASA at HQ:
Result of the command: "sh run"
: Saved
ASA Version 8.2(1)
hostname secure-access
domain-name hhp.com
enable password UWWykvGjAPmxufUo encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.168.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group BT
ip address 217.36.32.222 255.255.255.255 pppoe
interface Vlan12
nameif DMZ
security-level 50
ip address 192.168.169.1 255.255.255.0
interface Vlan22
nameif Wireless_HHP
security-level 100
ip address 172.16.36.1 255.255.254.0
interface Vlan32
nameif CNES
security-level 100
ip address 187.187.168.1 255.255.0.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
switchport access vlan 12
interface Ethernet0/3
switchport access vlan 22
interface Ethernet0/4
switchport access vlan 32
interface Ethernet0/5
switchport access vlan 12
interface Ethernet0/6
switchport access vlan 12
interface Ethernet0/7
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup DMZ
dns domain-lookup Wireless_HHP
dns domain-lookup CNES
dns server-group DefaultDNS
name-server 192.168.168.2
domain-name hhp.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network NET-cnes_HHP-Sty
network-object 172.20.224.0 255.255.240.0
object-group network NET-cnes_HHP-Balivanich
network-object 172.20.192.0 255.255.240.0
object-group network Oak-DC1
network-object 192.168.168.2 255.255.255.255
object-group network Maple-DC2
network-object 192.168.168.3 255.255.255.255
object-group network HHP_Domain_Controllers
group-object Oak-DC1
group-object Maple-DC2
object-group network PC-Support
network-object 187.187.60.1 255.255.255.255
network-object 187.187.60.2 255.255.255.254
network-object 187.187.60.4 255.255.255.254
network-object 187.187.60.6 255.255.255.255
object-group network ELM-ActiveH
network-object 192.168.168.6 255.255.255.255
object-group network Pine-GP
network-object 192.168.168.12 255.255.255.255
object-group network HHP_Application_Servers
group-object ELM-ActiveH
group-object Pine-GP
object-group network Fern-TS1
network-object 192.168.168.4 255.255.255.255
object-group network Fir-TS2
network-object 192.168.168.5 255.255.255.255
object-group network HHP_Terminal_Servers
group-object Fern-TS1
group-object Fir-TS2
object-group service Global_Catalog_LDAP
description (Generated by Cisco SM from Object "Global Catalog LDAP")
service-object tcp eq 3268
object-group service Global_Catalog_LDAP_SSL
description (Generated by Cisco SM from Object "Global Catalog LDAP SSL")
service-object tcp eq 3269
object-group service UDP-389
description UDP port for LDAP
service-object udp eq 389
object-group service TCP-88
description TCP Port 88
service-object tcp eq 88
object-group service TCP-445
description SMB
service-object tcp eq 445
object-group network John_-_Laptop
description John's Laptop
network-object 187.187.10.65 255.255.255.255
object-group network Graham_-_PC
description Graham Morrison's PC
network-object 187.187.10.90 255.255.255.255
object-group network john_test
network-object 187.187.40.7 255.255.255.255
object-group network Iain_PC
description Iain Macaulay IT
network-object 187.187.10.19 255.255.255.255
object-group network John_-_PC
description John MacPhail's PC
network-object 187.187.10.7 255.255.255.255
object-group network it-alahen-lap
network-object 187.187.10.230 255.255.255.255
object-group network Catriona_-_Laptop
description Catriona's Laptop
network-object 187.187.10.60 255.255.255.255
object-group network Graham_-_Laptop
network-object 187.186.10.120 255.255.255.255
object-group network it-innive-xp
description Innes MacIver's PC
network-object 187.187.10.14 255.255.255.255
object-group network it-alahen-xp
description Desktop
network-object 187.187.10.229 255.255.255.255
object-group network Cat_-_PC
description Catriona Macmillan's PC
network-object 187.187.10.4 255.255.255.255
object-group network it-davdon-xp
description Desktop
network-object 187.187.160.7 255.255.255.255
object-group network cat-laptop
description Catriona's Laptop addresses
network-object 187.187.77.81 255.255.255.255
network-object 187.187.77.82 255.255.255.255
object-group network Catriona_old_pc
network-object 187.187.10.44 255.255.255.255
object-group network cat-tablet
description Catriona's Tablet ip address's
network-object 187.187.77.78 255.255.255.254
object-group network DSO-SQLServer
description Task Database Server
network-object 187.187.1.33 255.255.255.255
object-group network it-finfernew-xp
description Findlay Ferguson PC
network-object 187.187.10.153 255.255.255.255
object-group network PC_Support
group-object John_-_Laptop
group-object Graham_-_PC
group-object john_test
group-object Iain_PC
group-object John_-_PC
group-object it-alahen-lap
group-object Catriona_-_Laptop
group-object Graham_-_Laptop
group-object it-alahen-xp
group-object Cat_-_PC
group-object it-davdon-xp
group-object cat-laptop
group-object Catriona_old_pc
group-object cat-tablet
group-object it-innive-xp
network-object 187.187.1.128 255.255.255.255
network-object 187.187.10.76 255.255.255.255
group-object DSO-SQLServer
network-object 187.187.15.234 255.255.255.255
network-object 187.187.4.60 255.255.255.255
network-object 187.187.10.134 255.255.255.255
network-object 172.18.194.22 255.255.255.255
group-object it-finfernew-xp
object-group network Entire_CNE
description Entire CNE range
network-object 187.0.0.0 255.0.0.0
object-group network NET-cnes_HHP-Sty-Staff
network-object 172.20.225.0 255.255.255.0
object-group network NET-cnes_HHP-Balivanich-staff
network-object 172.20.193.0 255.255.255.0
object-group network Alder-Intranet
network-object 192.168.168.13 255.255.255.255
object-group network Aspen-ISA
network-object 192.168.168.10 255.255.255.255
object-group service tcp-8080
description TCP Port 8080
service-object tcp eq 8080
object-group network Beech-External
network-object 217.36.32.210 255.255.255.255
object-group network it-csm
description cisco security manager
network-object 187.187.1.72 255.255.255.255
object-group network Juniper-External
description Internet Server
network-object 217.36.32.211 255.255.255.255
object-group network HHP_Server_Network
network-object 192.168.168.0 255.255.255.0
object-group network Messagelabs_Incoming_HHP
network-object 67.219.240.0 255.255.240.0
network-object 95.131.104.0 255.255.248.0
network-object 193.109.254.0 255.255.254.0
network-object 195.245.230.0 255.255.254.0
network-object 216.82.240.0 255.255.240.0
network-object 85.158.136.0 255.255.248.0
network-object 117.120.16.0 255.255.248.0
network-object 194.106.220.0 255.255.254.0
object-group network Angus-Maclean-PC
network-object 187.187.10.250 255.255.255.255
object-group service RDP
service-object tcp eq 3389
object-group network it-dbserver
description Database Server (Live)
network-object 187.187.1.65 255.255.255.255
object-group network it-sql-test
description Test SQL / database server
network-object 187.187.1.81 255.255.255.255
object-group service DNS-Resolving
description Domain Name Server
service-object tcp eq domain
service-object udp eq domain
object-group network Beech-Exchange
network-object 192.168.168.91 255.255.255.255
object-group network Messagelabs_-_Incoming
description List of MessageLab addresses that SMTP connections are accepted from
network-object 212.125.75.0 255.255.255.224
network-object 216.82.240.0 255.255.240.0
network-object 195.216.16.211 255.255.255.255
network-object 194.205.110.128 255.255.255.224
network-object 194.106.220.0 255.255.254.0
network-object 193.109.254.0 255.255.254.0
network-object 62.231.131.0 255.255.255.0
network-object 62.173.108.208 255.255.255.240
network-object 62.173.108.16 255.255.255.240
network-object 212.125.74.44 255.255.255.255
network-object 195.245.230.0 255.255.254.0
network-object 85.158.136.0 255.255.248.0
object-group network MIS_Support
network-object 192.168.168.250 255.255.255.254
object-group network it-donadon-xp
description Donald Macdonald's PC
network-object 187.187.10.13 255.255.255.255
object-group network Angela_PC
network-object 187.187.10.155 255.255.255.255
object-group network Katie_PC
network-object 187.187.10.151 255.255.255.255
object-group network Pauline_PC
network-object 187.187.10.12 255.255.255.255
object-group network it-paye-net
network-object 187.187.1.92 255.255.255.255
object-group network MessageLabs-Towers
description Message Labs IP Address ranges
network-object 216.82.240.0 255.255.240.0
network-object 67.219.240.0 255.255.240.0
network-object 85.158.136.0 255.255.248.0
network-object 95.131.104.0 255.255.248.0
network-object 117.120.16.0 255.255.248.0
network-object 193.109.254.0 255.255.254.0
network-object 194.106.220.0 255.255.254.0
network-object 195.245.230.0 255.255.254.0
network-object 62.231.131.0 255.255.255.0
network-object 212.125.75.16 255.255.255.240
object-group network NET_cnes-castlebay-staff
network-object 172.19.17.0 255.255.255.0
object-group network NET_cnes_tarbert_staff
description NET_cnes_tarbert_staff
network-object 172.19.33.0 255.255.255.0
object-group network Juniper
network-object 192.168.169.5 255.255.255.255
object-group network HHP_DMZ_Network
network-object 192.168.169.0 255.255.255.0
object-group network Ash
network-object 192.168.168.100 255.255.255.255
object-group service UDP-445
service-object udp eq 445
object-group service tcp-udp-135-139
service-object tcp-udp range 135 139
object-group network HHP-ELM
description HHP's ELM ActiveH server
network-object 187.187.1.203 255.255.255.255
object-group network CNES-Ext-GW
description CNES External Address
network-object 194.83.245.242 255.255.255.255
object-group service IPSEC
description IPSEC
service-object 57
service-object ah
service-object esp
service-object udp eq isakmp
object-group network Alamur-PC
network-object 187.187.10.15 255.255.255.255
object-group network Iain-Nicolson-PC
network-object 187.187.10.159 255.255.255.255
object-group network HHP_Remote_Access_Pool
network-object 192.168.168.200 255.255.255.248
network-object 192.168.168.208 255.255.255.240
network-object 192.168.168.224 255.255.255.252
network-object 192.168.168.228 255.255.255.254
object-group network Holly-AV
network-object 192.168.168.9 255.255.255.255
object-group service AVG_Ports
description For AVG server to HHP PCs
service-object tcp-udp eq 6150
service-object tcp-udp eq 6051
service-object tcp-udp eq 445
service-object tcp-udp eq 138
service-object tcp-udp eq 135
service-object tcp-udp eq 6054
service-object tcp-udp eq 4158
service-object tcp-udp eq 139
service-object tcp-udp eq 137
object-group network CNES_Access
network-object 192.168.168.230 255.255.255.254
network-object 192.168.168.232 255.255.255.248
network-object 192.168.168.240 255.255.255.248
network-object 192.168.168.248 255.255.255.254
object-group network HHP-068
description BACS PC
network-object 172.20.225.6 255.255.255.255
object-group network Banyan
network-object 192.168.168.105 255.255.255.255
object-group service TCP81
description TCP Port 81
service-object tcp eq 81
object-group network Gavin_-_new_PC
network-object 187.187.10.150 255.255.255.255
object-group network Secudoors
network-object 172.20.224.4 255.255.255.255
access-list outside_access_in remark Time sync to external ntp server
access-list outside_access_in extended permit udp host 192.108.114.23 object-group HHP_Domain_Controllers eq ntp
access-list outside_access_in extended permit tcp object-group MessageLabs-Towers object-group Beech-External eq smtp
access-list outside_access_in extended permit ip host 81.136.160.237 object-group HHP_Server_Network
access-list outside_access_in extended permit ip object-group CNES_Access object-group HHP_Server_Network
access-list outside_access_in extended permit ip object-group MIS_Support object-group HHP_Server_Network
access-list outside_access_in extended permit ip object-group HHP_Remote_Access_Pool object-group HHP_Server_Network
access-list outside_access_in extended permit tcp any object-group Juniper-External eq www
access-list outside_access_in extended permit tcp any object-group Juniper-External eq https
access-list outside_access_in extended deny ip any any
access-list outside_access_in_1 extended permit ip any any
access-list CSM_FW_ACL_Wireless_HHP extended permit ip object-group NET-cnes_HHP-Balivanich object-group HHP_Server_Network
access-list CSM_FW_ACL_Wireless_HHP extended permit ip object-group NET-cnes_HHP-Sty object-group HHP_Server_Network
access-list CSM_FW_ACL_Wireless_HHP extended permit tcp object-group HHP-068 any eq www
access-list CSM_FW_ACL_Wireless_HHP extended permit tcp object-group HHP-068 any eq domain
access-list CSM_FW_ACL_Wireless_HHP extended permit udp object-group HHP-068 any eq domain
access-list CSM_FW_ACL_Wireless_HHP extended permit tcp object-group HHP-068 any eq https
access-list CSM_FW_ACL_Wireless_HHP extended permit object-group DNS-Resolving object-group HHP-068 any
access-list CSM_FW_ACL_Wireless_HHP extended permit object-group tcp-8080 object-group HHP-068 any
access-list CSM_FW_ACL_Wireless_HHP extended permit ip host 172.20.193.53 object-group CNES-Ext-GW
access-list CSM_FW_ACL_Wireless_HHP extended permit ip object-group Secudoors any
access-list CSM_FW_ACL_inside extended permit ip object-group HHP_Server_Network object-group NET-cnes_HHP-Balivanich
access-list CSM_FW_ACL_inside extended permit ip object-group HHP_Server_Network object-group NET-cnes_HHP-Sty
access-list CSM_FW_ACL_inside extended permit ip object-group HHP_Application_Servers object-group PC_Support
access-list CSM_FW_ACL_inside extended permit ip object-group HHP_Domain_Controllers object-group PC_Support
access-list CSM_FW_ACL_inside extended permit ip object-group HHP_Terminal_Servers object-group PC_Support
access-list CSM_FW_ACL_inside extended permit tcp object-group Oak-DC1 any eq domain
access-list CSM_FW_ACL_inside extended permit udp object-group Oak-DC1 any eq domain
access-list CSM_FW_ACL_inside extended permit object-group DNS-Resolving object-group Oak-DC1 any
access-list CSM_FW_ACL_inside extended permit tcp object-group Maple-DC2 any eq domain
access-list CSM_FW_ACL_inside extended permit udp object-group Maple-DC2 any eq domain
access-list CSM_FW_ACL_inside extended permit object-group DNS-Resolving object-group Maple-DC2 any
access-list CSM_FW_ACL_inside extended permit tcp object-group Aspen-ISA any eq www
access-list CSM_FW_ACL_inside extended permit tcp object-group Aspen-ISA any eq domain
access-list CSM_FW_ACL_inside extended permit udp object-group Aspen-ISA any eq domain
access-list CSM_FW_ACL_inside extended permit tcp object-group Aspen-ISA any eq https
access-list CSM_FW_ACL_inside extended permit object-group DNS-Resolving object-group Aspen-ISA any
access-list CSM_FW_ACL_inside extended permit object-group tcp-8080 object-group Aspen-ISA any
access-list CSM_FW_ACL_inside remark For Symantec Liveupdates
access-list CSM_FW_ACL_inside extended permit tcp object-group Banyan any eq ftp
access-list CSM_FW_ACL_inside extended permit tcp object-group Banyan any eq www
access-list CSM_FW_ACL_inside extended permit tcp object-group Banyan any eq https
access-list CSM_FW_ACL_inside remark IPSec VPN access from ELm to CNES
access-list CSM_FW_ACL_inside extended permit object-group IPSEC object-group ELM-ActiveH object-group CNES-Ext-GW
access-list CSM_FW_ACL_inside extended permit udp object-group ELM-ActiveH object-group CNES-Ext-GW eq 4500
access-list CSM_FW_ACL_inside extended permit tcp object-group ELM-ActiveH object-group CNES-Ext-GW eq 4500
access-list CSM_FW_ACL_inside extended permit icmp object-group HHP_Server_Network object-group HHP_DMZ_Network
access-list CSM_FW_ACL_inside remark Time sync to external ntp server
access-list CSM_FW_ACL_inside extended permit udp object-group HHP_Domain_Controllers host 192.108.114.23 eq ntp
access-list CSM_FW_ACL_inside extended permit tcp object-group Beech-Exchange object-group Messagelabs_-_Incoming eq smtp
access-list CSM_FW_ACL_inside extended permit tcp object-group Aspen-ISA object-group Juniper eq www
access-list CSM_FW_ACL_inside extended permit tcp object-group Aspen-ISA object-group Juniper eq https
access-list CSM_FW_ACL_inside extended permit ip object-group Holly-AV object-group Juniper
access-list CSM_FW_ACL_inside extended deny ip any any
access-list CSM_FW_ACL_CNES extended permit ip object-group PC_Support object-group HHP_Server_Network
access-list CSM_FW_ACL_CNES extended permit ip object-group PC_Support object-group HHP_DMZ_Network
access-list CSM_FW_ACL_CNES extended permit ip object-group PC_Support object-group NET-cnes_HHP-Balivanich
access-list CSM_FW_ACL_CNES extended permit ip object-group PC_Support object-group NET-cnes_HHP-Sty
access-list CSM_FW_ACL_CNES extended permit tcp object-group it-csm any eq ssh
access-list CSM_FW_ACL_CNES extended permit tcp object-group it-csm any eq www
access-list CSM_FW_ACL_CNES extended permit tcp object-group it-csm any eq https
access-list CSM_FW_ACL_CNES remark Aim's access to Active H server: DSO SQL
access-list CSM_FW_ACL_CNES remark server's access (Task)
access-list CSM_FW_ACL_CNES remark IT Ops - mapped drive for FTP transfer to and from E450/Elm of Entitlement Adjustments
access-list CSM_FW_ACL_CNES remark and Tenancy Changes
access-list CSM_FW_ACL_CNES extended permit ip object-group it-sql-test object-group ELM-ActiveH
access-list CSM_FW_ACL_CNES extended permit ip object-group DSO-SQLServer object-group ELM-ActiveH
access-list CSM_FW_ACL_CNES extended permit ip object-group it-paye-net object-group ELM-ActiveH
access-list CSM_FW_ACL_CNES extended permit ip object-group Angela_PC object-group ELM-ActiveH
access-list CSM_FW_ACL_CNES extended permit ip object-group Katie_PC object-group ELM-ActiveH
access-list CSM_FW_ACL_CNES extended permit ip object-group Pauline_PC object-group ELM-ActiveH
access-list CSM_FW_ACL_CNES remark donald and Findlay RDP access to Active H
access-list CSM_FW_ACL_CNES extended permit object-group RDP object-group it-donadon-xp object-group ELM-ActiveH
access-list CSM_FW_ACL_CNES extended permit object-group RDP object-group it-donadon-xp object-group HHP_Terminal_Servers
access-list CSM_FW_ACL_CNES extended permit object-group RDP object-group it-finfernew-xp object-group ELM-ActiveH
access-list CSM_FW_ACL_CNES extended permit object-group RDP object-group it-finfernew-xp object-group HHP_Terminal_Servers
access-list CSM_FW_ACL_CNES extended permit ip object-group Angus-Maclean-PC object-group Alder-Intranet
access-list CSM_FW_ACL_CNES extended permit ip object-group Angus-Maclean-PC host 192.168.168.17
access-list CSM_FW_ACL_CNES extended permit ip object-group Angus-Maclean-PC object-group Juniper
access-list CSM_FW_ACL_CNES extended permit ip object-group Iain-Nicolson-PC object-group Alder-Intranet
access-list CSM_FW_ACL_CNES extended permit ip object-group Iain-Nicolson-PC host 192.168.168.17
access-list CSM_FW_ACL_CNES extended permit ip object-group Iain-Nicolson-PC object-group Juniper
access-list CSM_FW_ACL_CNES extended permit ip object-group it-davdon-xp object-group Alder-Intranet
access-list CSM_FW_ACL_CNES extended permit ip object-group it-davdon-xp host 192.168.168.17
access-list CSM_FW_ACL_CNES extended permit ip object-group it-davdon-xp object-group Juniper
access-list CSM_FW_ACL_CNES extended permit ip object-group Alamur-PC object-group Alder-Intranet
access-list CSM_FW_ACL_CNES extended permit ip object-group Alamur-PC host 192.168.168.17
access-list CSM_FW_ACL_CNES extended permit ip object-group Alamur-PC object-group Juniper
access-list CSM_FW_ACL_CNES extended permit ip object-group Gavin_-_new_PC object-group Alder-Intranet
access-list CSM_FW_ACL_CNES extended permit ip object-group Gavin_-_new_PC host 192.168.168.17
access-list CSM_FW_ACL_CNES extended permit ip object-group Gavin_-_new_PC object-group Juniper
access-list CSM_FW_ACL_CNES extended permit object-group RDP object-group NET_cnes-castlebay-staff object-group HHP_Server_Network
access-list CSM_FW_ACL_CNES extended permit object-group RDP object-group NET_cnes_tarbert_staff object-group HHP_Server_Network
access-list MIS_splitTunnelAcl standard permit 192.168.168.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group HHP_Server_Network 192.168.168.250 255.255.255.254
access-list inside_nat0_outbound extended permit ip object-group HHP_Server_Network 192.168.168.224 255.255.255.224
access-list CSM_FW_ACL_DMZ extended permit ip object-group HHP_DMZ_Network object-group PC_Support
access-list CSM_FW_ACL_DMZ extended permit icmp object-group HHP_DMZ_Network object-group HHP_Server_Network
access-list CSM_FW_ACL_DMZ extended permit ip object-group Juniper object-group Angus-Maclean-PC
access-list CSM_FW_ACL_DMZ extended permit ip object-group Juniper object-group Holly-AV
access-list CSM_FW_ACL_DMZ extended permit tcp object-group Juniper object-group Beech-Exchange eq smtp
access-list CSM_FW_ACL_DMZ extended permit tcp object-group Juniper object-group HHP_Domain_Controllers eq domain
access-list CSM_FW_ACL_DMZ extended permit udp object-group Juniper object-group HHP_Domain_Controllers eq domain
access-list CSM_FW_ACL_DMZ remark for backups to USB drive on ASH
access-list CSM_FW_ACL_DMZ extended permit object-group TCP-445 object-group Juniper object-group Ash
access-list CSM_FW_ACL_DMZ extended permit object-group UDP-445 object-group Juniper object-group Ash
access-list CSM_FW_ACL_DMZ extended permit object-group tcp-udp-135-139 object-group Juniper object-group Ash
access-list CSM_FW_ACL_DMZ extended deny ip any any
access-list CNES_Support_splitTunnelAcl standard permit 192.168.168.0 255.255.255.0
access-list RemoteAccess_splitTunnelAcl standard permit 192.168.168.0 255.255.255.0
access-list outside_cryptomap extended permit ip object-group HHP_Server_Network object-group NET-cnes_HHP-Sty
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1492
mtu DMZ 1500
mtu Wireless_HHP 1500
mtu CNES 1500
ip local pool CNES_Access 192.168.168.230-192.168.168.249
ip local pool MIS_Support 192.168.168.250-192.168.168.251
ip local pool OLM-VPN-Pool 192.168.168.252
ip local pool HHP_Remote_Access_Pool 192.168.168.200-192.168.168.229
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (Wireless_HHP) 1 172.20.193.53 255.255.255.255
nat (Wireless_HHP) 1 172.20.225.0 255.255.255.0
static (inside,CNES) 192.168.168.0 192.168.168.0 netmask 255.255.255.0
static (CNES,inside) 187.187.0.0 255.255.0.0 netmask 255.255.0.0
static (Wireless_HHP,inside) 172.20.224.0 172.20.224.0 netmask 255.255.240.0
static (inside,Wireless_HHP) 192.168.168.0 192.168.168.0 netmask 255.255.255.0
static (CNES,Wireless_HHP) 187.187.0.0 187.187.0.0 netmask 255.255.0.0
static (inside,outside) 217.36.32.210 192.168.168.91 netmask 255.255.255.255
static (DMZ,outside) 217.36.32.211 192.168.169.5 netmask 255.255.255.255
static (inside,DMZ) 192.168.168.0 192.168.168.0 netmask 255.255.255.0
static (CNES,DMZ) 187.0.0.0 187.0.0.0 netmask 255.0.0.0
access-group CSM_FW_ACL_inside in interface inside
access-group outside_access_in_1 in interface outside control-plane
access-group outside_access_in in interface outside
access-group CSM_FW_ACL_DMZ in interface DMZ
access-group CSM_FW_ACL_Wireless_HHP in interface Wireless_HHP
access-group CSM_FW_ACL_CNES in interface CNES
route outside 0.0.0.0 0.0.0.0 81.148.0.157 1
route Wireless_HHP 172.20.192.0 255.255.240.0 172.16.36.3 1
route Wireless_HHP 172.20.224.0 255.255.240.0 172.16.36.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server HHP protocol ldap
aaa-server HHP (inside) host 192.168.168.2
timeout 5
ldap-base-dn dc=hhp,dc=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *
ldap-login-dn cn=gramor,cn=users,dc=hhp,dc=com
server-type microsoft
aaa-server HHP_1 protocol ldap
aaa-server HHP_1 (inside) host 192.168.168.2
timeout 5
ldap-base-dn dc=hhp,dc=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *
ldap-login-dn cn=administrator,cn=users,dc=hhp,dc=com
server-type microsoft
aaa-server HHP_3 protocol ldap
aaa-server HHP_3 (inside) host 192.168.168.2
timeout 5
ldap-base-dn dc=hhp,dc=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *
ldap-login-dn cn=administrator,cn=users,dc=hhp,dc=com
server-type microsoft
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.168.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
http 194.83.245.242 255.255.255.255 outside
http 187.187.1.72 255.255.255.255 CNES
http 187.187.10.90 255.255.255.255 CNES
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map outside_map_dynamic 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 81.136.160.237
crypto map outside_map 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 30001 ipsec-isakmp dynamic outside_map_dynamic
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
fqdn none
subject-name O=Hebridean Housing Partnership Limited,CN=secure-access.hebrideanhousing.co.uk,L=Isle of Lewis,ST=Scotland,C=GB
keypair SSL_Certificate
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
fqdn none
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 0100000000012790a5c005
30820530 30820418 a0030201 02020b01 00000000 012790a5 c005300d 06092a86
4886f70d 01010505 00306a31 23302106 0355040b 131a4f72 67616e69 7a617469
6f6e2056 616c6964 6174696f 6e204341 31133011 06035504 0a130a47 6c6f6261
6c536967 6e312e30 2c060355 04031325 476c6f62 616c5369 676e204f 7267616e
697a6174 696f6e20 56616c69 64617469 6f6e2043 41301e17 0d313030 33323431
34313835 385a170d 31333033 32343134 31383534 5a308197 310b3009 06035504
06130247 42311130 0f060355 04081308 53636f74 6c616e64 31163014 06035504
07130d49 736c6520 6f66204c 65776973 312e302c 06035504 0a132548 65627269
6465616e 20486f75 73696e67 20506172 746e6572 73686970 204c696d 69746564
312d302b 06035504 03132473 65637572 652d6163 63657373 2e686562 72696465
616e686f 7573696e 672e636f 2e756b30 82012230 0d06092a 864886f7 0d010101
05000382 010f0030 82010a02 82010100 def181d9 c34c58a8 9abcc849 7d8ad0a9
3c64c77f f3126c81 30911f41 5903a92c 81fb374b 2fe2680e 10b26dce 81ca0c23
af2c9f9a 52295e8c d2223fa6 7c4c386d 51c6fb16 a47688e6 e47e2410 b0283503
fd72abd3 e59d3b02 cd47706e babf948c 4e0282a3 5f789ff7 8041b2db ceac64eb
3e163b38 3a8ecc25 0c4802a8 d17fecd9 f1a36288 29202df4 b20ae891 f95ce055
6e670559 3d075024 7f3ac7ef 26218154 a7f6a399 34c43c4a 97c2c88c c4588ee4
77cc2ad8 b1bd868d d55c2b9b 727e9904 66d0fb52 c212abd7 a06f28f1 ad2aa04b
3d7b3094 c59c00d4 cf51fefb d8bfa101 8ba9c4ba 5cf629ff c50716d3 71019a98
8fa55b83 6b158b6d 1043f092 646ef07d 02030100 01a38201 a7308201 a3301f06
03551d23 04183016 80147d6d 2aec66ab a75136ab 0269f170 8fc4590b 9a1f3049
06082b06 01050507 0101043d 303b3039 06082b06 01050507 3002862d 68747470
3a2f2f73 65637572 652e676c 6f62616c 7369676e 2e6e6574 2f636163 6572742f
6f726776 312e6372 74303f06 03551d1f 04383036 3034a032 a030862e 68747470
3a2f2f63 726c2e67 6c6f6261 6c736967 6e2e6e65 742f4f72 67616e69 7a617469
6f6e5661 6c312e63 726c301d 0603551d 0e041604 14d398d5 ddf29355 15b04750
baccc6b3 0f97a6c9 94302f06 03551d11 04283026 82247365 63757265 2d616363
6573732e 68656272 69646561 6e686f75 73696e67 2e636f2e 756b3009 0603551d
13040230 00300e06 03551d0f 0101ff04 04030205 a0302906 03551d25 04223020
06082b06 01050507 03010608 2b060105 05070302 060a2b06 01040182 370a0303
304b0603 551d2004 44304230 4006092b 06010401 a0320114 30333031 06082b06
01050507 02011625 68747470 3a2f2f77 77772e67 6c6f6261 6c736967 6e2e6e65
742f7265 706f7369 746f7279 2f301106 09608648 0186f842 01010404 030206c0
300d0609 2a864886 f70d0101 05050003 82010100 8af3be01 c4830d83 9b347355
de7496ef bd76b86c ee92f32f 1157ef11 6ad949b6 611537ad 81f06408 73ec6fe2
6466675c cf31a80f bead422d ec574f95 55fe0b7a 97e271e7 0220c7b1 53376843
ff7f7280 f9bfdee6 3584e123 00c37d9f 5004b766 9469ead5 f002744c fd50271c
6bcdb54c e5db85aa 9760a330 d72464a2 bc8ecdff d80bbc27 7551e97c ee9b7078
9207f9d6 b969a47a 6df722b6 14ce803d 8d4bb9e9 4695e8e6 d453950e 06506594
ec7652ea 365cdf94 90e2f7ee 855dadb5 c0459d73 bb6d01a8 3c076718 7f80de40
c5eb9e0e 17c93087 fd5c5fc1 fd6401fe 7e5038b1 3da1d250 01ccd8be 964d5557
b320c4c1 0015d1b7 daad7527 930b0c90 7711704f
quit
crypto ca certificate chain ASDM_TrustPoint1
certificate ca 0400000000011e44a5f52a
30820467 3082034f a0030201 02020b04 00000000 011e44a5 f52a300d 06092a86
4886f70d 01010505 00305731 0b300906 03550406 13024245 31193017 06035504
0a131047 6c6f6261 6c536967 6e206e76 2d736131 10300e06 0355040b 1307526f
6f742043 41311b30 19060355 04031312 476c6f62 616c5369 676e2052 6f6f7420
4341301e 170d3037 30343131 31323030 30305a17 0d313730 34313131 32303030
305a306a 31233021 06035504 0b131a4f 7267616e 697a6174 696f6e20 56616c69
64617469 6f6e2043 41311330 11060355 040a130a 476c6f62 616c5369 676e312e
302c0603 55040313 25476c6f 62616c53 69676e20 4f726761 6e697a61 74696f6e
2056616c 69646174 696f6e20 43413082 0122300d 06092a86 4886f70d 01010105
00038201 0f003082 010a0282 010100a1 2fc4bcce 8703e967 c189c8e5 93fc7db4
ad9ef663 4e6ae89c 2c7389a2 01f48f21 f8fd259d 58166d86 f6ee4957 757e75ea
22117e3d fbc74241 dcfcc50c 9155807b eb64331d 9bf9ca38 e9abc625 43512540
f4e47e18 556aa98f 103a401e d65783ef 7f2f342f 2dd2f653 c2190db7 edc981f5
462cb423 425e9d13 0375ecea 6afc577c c936973b 98dc1313 ecec41fa 5d34eab9
93e71016 65cc9c92 fdf5c59d 3e4ab909 fce45f1e 695f4df4 567244b1 1d2303c8
36f66588 c8bf3916 458e1e26 6c5116c5 2a0038c5 a4136995 7dab013b a8c414b4
80daac1a 4420d5fe a9067b14 27afe030 21dd90f4 a9d52319 2e1e03e6 c1df9529
e4c19443 dd3e90aa cb4bc9be 8ad33902 03010001 a382011f 3082011b 300e0603
551d0f01 01ff0404 03020106 30120603 551d1301 01ff0408 30060101 ff020100
301d0603 551d0e04 1604147d 6d2aec66 aba75136 ab0269f1 708fc459 0b9a1f30
4b060355 1d200444 30423040 06092b06 010401a0 32011430 33303106 082b0601
05050702 01162568 7474703a 2f2f7777 772e676c 6f62616c 7369676e 2e6e6574
2f726570 6f736974 6f72792f 30330603 551d1f04 2c302a30 28a026a0 24862268
7474703a 2f2f6372 6c2e676c 6f62616c 7369676e 2e6e6574 2f726f6f 742e6372
6c301106 09608648 0186f842 01010404 03020204 30200603 551d2504 19301706
0a2b0601 04018237 0a030306 09608648 0186f842 0401301f 0603551d 23041830
16801460 7b661a45 0d97ca89 502f7d04 cd34a8ff fcfd4b30 0d06092a 864886f7
0d010105 05000382 01010079 47fc15d7 4c79df0f 7a9eced4 7c4b63c9 89b57b3f
9912e89c 8c9a492f e04e954a edc7bcbe f1a2db8e 931dba71 54aa4bd9 89222487
c504a8ac 8252a052 f8b8e14f a1276663 214a39e7 c7c54e5f b2d61d13 6d30e9ce
d7a21cbc 290a733c 5b2349fe d6ffcab0 4ff5f267 98c04711 f8b748a6 9009d642
beeab1b9 5342c39c 20c9fba1 5bb5566d 8781c860 acc4b972 270a8e1e a8b12ecd
32a27857 b09cf895 bb438e8c 31866e53 0dc61205 ba416ea8 35300918 1d0261ff
fdee35de 6ac33bd0 4d4b4e50 b256360c 445dda1a 652ae698 56a96333 2e04e7ae
e8f48eb7 b2da7dc0 c8e2aea6 282fe3c9 73bdfc07 4134b7aa 6eeea7db d1933ced
90ec3292 88d9c823 6c7421
quit
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 187.187.1.41 255.255.255.255 inside
ssh 187.187.1.72 255.255.255.255 inside
ssh 187.187.77.81 255.255.255.255 inside
ssh 187.187.10.19 255.255.255.255 inside
ssh 187.187.10.229 255.255.255.255 inside
ssh 187.187.160.7 255.255.255.255 inside
ssh 187.187.1.41 255.255.255.255 outside
ssh 187.187.1.72 255.255.255.255 outside
ssh 187.187.77.81 255.255.255.255 outside
ssh 187.187.10.19 255.255.255.255 outside
ssh 187.187.10.229 255.255.255.255 outside
ssh 187.187.160.7 255.255.255.255 outside
ssh timeout 15
console timeout 0
vpdn group BT request dialout pppoe
vpdn group BT localname B*******.btclick.com
vpdn group BT ppp authentication chap
vpdn username B*******@hg39.btclick.com password *********
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
ssl trust-point ASDM_TrustPoint0 outside vpnlb-ip
webvpn
enable inside
enable outside
group-policy HHP_Remote_Access_1 internal
group-policy HHP_Remote_Access_1 attributes
wins-server value 192.168.168.2 192.168.168.2
dns-server value 192.168.168.2 192.168.168.3
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value CNES_Support_splitTunnelAcl
group-policy HHP_Remote_Access internal
group-policy HHP_Remote_Access attributes
wins-server value 192.168.168.2 192.168.168.2
dns-server value 192.168.168.2 192.168.168.3
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value CNES_Support_splitTunnelAcl
group-policy Omfax internal
group-policy Omfax attributes
wins-server value 192.168.168.2 192.168.168.3
dns-server value 192.168.168.2 192.168.168.3
vpn-tunnel-protocol IPSec webvpn
webvpn
svc ask none default webvpn
group-policy MIS_1 internal
group-policy MIS_1 attributes
wins-server value 192.168.168.2 192.168.168.3
dns-server value 192.168.168.2 192.168.168.3
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value MIS_splitTunnelAcl
default-domain value hhp.com
group-policy RemoteAccess internal
group-policy RemoteAccess attributes
wins-server value 192.168.168.2 192.168.168.3
dns-server value 192.168.168.2 192.168.168.3
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RemoteAccess_splitTunnelAcl
group-policy CNES_Access internal
group-policy CNES_Access attributes
wins-server value 192.168.168.2 192.168.168.3
dns-server value 192.168.168.2 192.168.168.3
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value CNES_Support_splitTunnelAcl
group-policy HHP internal
group-policy HHP attributes
dhcp-network-scope none
vpn-access-hours none
vpn-idle-timeout none
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
split-tunnel-policy tunnelall
split-tunnel-network-list none
split-dns none
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout none
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
client-firewall none
webvpn
url-list value Severs
filter none
homepage none
port-forward disable
http-proxy disable
sso-server none
svc dtls none
svc keep-installer none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression none
svc modules none
svc profiles none
svc ask none default webvpn
customization none
http-comp none
user-storage none
storage-key none
hidden-shares none
smart-tunnel disable
activex-relay disable
file-entry disable
file-browsing disable
url-entry disable
deny-message none
group-policy MIS internal
group-policy MIS attributes
wins-server value 192.168.168.2 192.168.168.3
dns-server value 192.168.168.2 192.168.168.3
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value MIS_splitTunnelAcl
username test password Kg/Rgy23do7gPGTv encrypted privilege 0
username test attributes
vpn-group-policy HHP_Remote_Access
username catneil password yOgiHCGobUNIkjcN encrypted privilege 0
username omfax password pvUaCLwilGmQVifd encrypted privilege 0
username backup password IHQbl.JAoESlM9Jv encrypted privilege 0
username misadmin password 8IZXmHa67HIJYHK1 encrypted
username misadmin attributes
service-type remote-access
username gramor password ne829U0rGFVEedhY encrypted privilege 15
username gramor attributes
vpn-group-policy HHP_Remote_Access
webvpn
url-list value Severs
username aim_user password 5OQaWCdB18qiHlOn encrypted privilege 0
username aim_user attributes
vpn-group-policy CNES_Support
username katask password 2WsX.HoqKXuiqkDk encrypted privilege 0
username katask attributes
vpn-group-policy CNES_Support
username janboyd password ZEUyykwzME6hII2i encrypted privilege 0
username marmor password C5n48AiRLXwxAeBQ encrypted privilege 0
username marste password amwTL584WdiT87Tb encrypted privilege 0
username helmah password RvU8c.3w0H3/MJz4 encrypted privilege 0
username anglea password wGlUJDBrmJI.uz./ encrypted privilege 0
username anglea attributes
vpn-group-policy CNES_Support
username fiobuc password 5Uispw90wqvDYerQ encrypted privilege 0
tunnel-group DefaultRAGroup general-attributes
authentication-server-group HHP_1
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group HHP_1
default-group-policy HHP
tunnel-group DefaultWEBVPNGroup webvpn-attributes
nbns-server 192.168.168.2 timeout 2 retry 2
nbns-server 192.168.168.3 timeout 2 retry 2
tunnel-group WebVPN type remote-access
tunnel-group WebVPN general-attributes
authentication-server-group HHP_3
default-group-policy HHP
username-from-certificate UID
tunnel-group CNES_Access -
Hi,
I'm trying to use the native VPN L2TP in Leopard to connect to a small, cheap CISCO 837 adsl router, to test IOS as a VPN appliance.
So I'm just trying to connect from the leopard in 192.168.1.10 to the cisco in 192.168.1.70 with this conf:
Current configuration : 9751 bytes
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname door
memory-size iomem 15
security authentication failure rate 10 log
security passwords min-length 6
logging console critical
enable secret 5 $1$kI1f$BuT4.zkAIwccDS93oszF//
enable password 7 0459580A032A435C0C4B51
username dooruser password 7 15140E5D557A3C37203A257040
username dooradmin privilege 15 secret 5 $1$qo91$ZzsCF7Loo6BLqV7.YrGQQ1
username doortest password 7 03005404141B245F5A491416141A0A1C
aaa new-model
aaa authentication login local_auth local
aaa authentication login LOGIN local
aaa authorization network AUTORIZ local
aaa session-id common
ip subnet-zero
no ip source-route
no ip gratuitous-arps
ip domain name domain.com
no ip bootp server
ip cef
ip audit notify log
ip audit po max-events 100
ip ssh authentication-retries 5
no ftp-server write-enable
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group PRUEBA
key 0 cisco123
domain domain.com
pool VPNPOOL
acl 150
crypto ipsec transform-set MISET esp-3des esp-sha-hmac
mode transport
crypto dynamic-map DINAMICO 10
set transform-set MISET
reverse-route
crypto map CLIENTMAP local-address Ethernet0
crypto map CLIENTMAP client authentication list LOGIN
crypto map CLIENTMAP isakmp authorization list AUTORIZ
crypto map CLIENTMAP client configuration address initiate
crypto map CLIENTMAP client configuration address respond
crypto map CLIENTMAP 10 ipsec-isakmp dynamic DINAMICO
interface Ethernet0
ip address 192.168.1.70 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
pppoe enable group PRUEBA
no cdp enable
crypto map CLIENTMAP
hold-queue 100 out
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
interface FastEthernet1
no ip address
speed auto
full-duplex
crypto map CLIENTMAP
interface FastEthernet2
no ip address
speed auto
half-duplex
interface FastEthernet3
no ip address
shutdown
duplex auto
speed auto
interface FastEthernet4
no ip address
shutdown
duplex auto
speed auto
ip local pool VPNPOOL 192.168.1.120 192.168.1.125
ip default-gateway 192.168.1.100
ip classless
ip default-network 198.168.1.0
ip route 0.0.0.0 0.0.0.0 192.168.1.100
ip route 192.168.1.0 255.255.255.0 192.168.1.100
ip http server
ip http authentication local
ip http secure-server
ip access-list extended autoseccompletebogon
deny ip 1.0.0.0 0.255.255.255 any
deny ip 2.0.0.0 0.255.255.255 any
deny ip 5.0.0.0 0.255.255.255 any
deny ip 7.0.0.0 0.255.255.255 any
deny ip 23.0.0.0 0.255.255.255 any
deny ip 27.0.0.0 0.255.255.255 any
deny ip 31.0.0.0 0.255.255.255 any
deny ip 36.0.0.0 0.255.255.255 any
deny ip 37.0.0.0 0.255.255.255 any
deny ip 39.0.0.0 0.255.255.255 any
deny ip 41.0.0.0 0.255.255.255 any
deny ip 42.0.0.0 0.255.255.255 any
deny ip 49.0.0.0 0.255.255.255 any
deny ip 50.0.0.0 0.255.255.255 any
deny ip 58.0.0.0 0.255.255.255 any
deny ip 59.0.0.0 0.255.255.255 any
deny ip 60.0.0.0 0.255.255.255 any
deny ip 70.0.0.0 0.255.255.255 any
deny ip 71.0.0.0 0.255.255.255 any
deny ip 72.0.0.0 0.255.255.255 any
deny ip 73.0.0.0 0.255.255.255 any
deny ip 74.0.0.0 0.255.255.255 any
deny ip 75.0.0.0 0.255.255.255 any
deny ip 76.0.0.0 0.255.255.255 any
deny ip 77.0.0.0 0.255.255.255 any
deny ip 78.0.0.0 0.255.255.255 any
deny ip 79.0.0.0 0.255.255.255 any
deny ip 83.0.0.0 0.255.255.255 any
deny ip 84.0.0.0 0.255.255.255 any
deny ip 85.0.0.0 0.255.255.255 any
deny ip 86.0.0.0 0.255.255.255 any
deny ip 87.0.0.0 0.255.255.255 any
deny ip 89.0.0.0 0.255.255.255 any
deny ip 90.0.0.0 0.255.255.255 any
deny ip 91.0.0.0 0.255.255.255 any
deny ip 92.0.0.0 0.255.255.255 any
deny ip 93.0.0.0 0.255.255.255 any
deny ip 94.0.0.0 0.255.255.255 any
deny ip 95.0.0.0 0.255.255.255 any
deny ip 96.0.0.0 0.255.255.255 any
deny ip 97.0.0.0 0.255.255.255 any
deny ip 98.0.0.0 0.255.255.255 any
deny ip 99.0.0.0 0.255.255.255 any
deny ip 100.0.0.0 0.255.255.255 any
deny ip 101.0.0.0 0.255.255.255 any
deny ip 102.0.0.0 0.255.255.255 any
deny ip 103.0.0.0 0.255.255.255 any
deny ip 104.0.0.0 0.255.255.255 any
deny ip 105.0.0.0 0.255.255.255 any
deny ip 106.0.0.0 0.255.255.255 any
deny ip 107.0.0.0 0.255.255.255 any
deny ip 108.0.0.0 0.255.255.255 any
deny ip 109.0.0.0 0.255.255.255 any
deny ip 110.0.0.0 0.255.255.255 any
deny ip 111.0.0.0 0.255.255.255 any
deny ip 112.0.0.0 0.255.255.255 any
deny ip 113.0.0.0 0.255.255.255 any
deny ip 114.0.0.0 0.255.255.255 any
deny ip 115.0.0.0 0.255.255.255 any
deny ip 116.0.0.0 0.255.255.255 any
deny ip 117.0.0.0 0.255.255.255 any
deny ip 118.0.0.0 0.255.255.255 any
deny ip 119.0.0.0 0.255.255.255 any
deny ip 120.0.0.0 0.255.255.255 any
deny ip 121.0.0.0 0.255.255.255 any
deny ip 122.0.0.0 0.255.255.255 any
deny ip 123.0.0.0 0.255.255.255 any
deny ip 124.0.0.0 0.255.255.255 any
deny ip 125.0.0.0 0.255.255.255 any
deny ip 126.0.0.0 0.255.255.255 any
deny ip 197.0.0.0 0.255.255.255 any
deny ip 201.0.0.0 0.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 224.0.0.0 15.255.255.255 any
deny ip 240.0.0.0 15.255.255.255 any
deny ip 0.0.0.0 0.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 127.0.0.0 0.255.255.255 any
permit ip any any
remark This acl might not be up to date. Visit www.iana.org/assignments/ipv4-address-space for update list
ip access-list extended autoseciana_reservedblock
deny ip 1.0.0.0 0.255.255.255 any
deny ip 2.0.0.0 0.255.255.255 any
deny ip 5.0.0.0 0.255.255.255 any
deny ip 7.0.0.0 0.255.255.255 any
deny ip 23.0.0.0 0.255.255.255 any
deny ip 27.0.0.0 0.255.255.255 any
deny ip 31.0.0.0 0.255.255.255 any
deny ip 36.0.0.0 0.255.255.255 any
deny ip 37.0.0.0 0.255.255.255 any
deny ip 39.0.0.0 0.255.255.255 any
deny ip 41.0.0.0 0.255.255.255 any
deny ip 42.0.0.0 0.255.255.255 any
deny ip 49.0.0.0 0.255.255.255 any
deny ip 50.0.0.0 0.255.255.255 any
deny ip 58.0.0.0 0.255.255.255 any
deny ip 59.0.0.0 0.255.255.255 any
deny ip 60.0.0.0 0.255.255.255 any
deny ip 70.0.0.0 0.255.255.255 any
deny ip 71.0.0.0 0.255.255.255 any
deny ip 72.0.0.0 0.255.255.255 any
deny ip 73.0.0.0 0.255.255.255 any
deny ip 74.0.0.0 0.255.255.255 any
deny ip 75.0.0.0 0.255.255.255 any
deny ip 76.0.0.0 0.255.255.255 any
deny ip 77.0.0.0 0.255.255.255 any
deny ip 78.0.0.0 0.255.255.255 any
deny ip 79.0.0.0 0.255.255.255 any
deny ip 83.0.0.0 0.255.255.255 any
deny ip 84.0.0.0 0.255.255.255 any
deny ip 85.0.0.0 0.255.255.255 any
deny ip 86.0.0.0 0.255.255.255 any
deny ip 87.0.0.0 0.255.255.255 any
deny ip 88.0.0.0 0.255.255.255 any
deny ip 89.0.0.0 0.255.255.255 any
deny ip 90.0.0.0 0.255.255.255 any
deny ip 91.0.0.0 0.255.255.255 any
deny ip 92.0.0.0 0.255.255.255 any
deny ip 93.0.0.0 0.255.255.255 any
deny ip 94.0.0.0 0.255.255.255 any
deny ip 95.0.0.0 0.255.255.255 any
deny ip 96.0.0.0 0.255.255.255 any
deny ip 97.0.0.0 0.255.255.255 any
deny ip 98.0.0.0 0.255.255.255 any
deny ip 99.0.0.0 0.255.255.255 any
deny ip 100.0.0.0 0.255.255.255 any
deny ip 101.0.0.0 0.255.255.255 any
deny ip 102.0.0.0 0.255.255.255 any
deny ip 103.0.0.0 0.255.255.255 any
deny ip 104.0.0.0 0.255.255.255 any
deny ip 105.0.0.0 0.255.255.255 any
deny ip 106.0.0.0 0.255.255.255 any
deny ip 107.0.0.0 0.255.255.255 any
deny ip 108.0.0.0 0.255.255.255 any
deny ip 109.0.0.0 0.255.255.255 any
deny ip 110.0.0.0 0.255.255.255 any
deny ip 111.0.0.0 0.255.255.255 any
deny ip 112.0.0.0 0.255.255.255 any
deny ip 113.0.0.0 0.255.255.255 any
deny ip 114.0.0.0 0.255.255.255 any
deny ip 115.0.0.0 0.255.255.255 any
deny ip 116.0.0.0 0.255.255.255 any
deny ip 117.0.0.0 0.255.255.255 any
deny ip 118.0.0.0 0.255.255.255 any
deny ip 119.0.0.0 0.255.255.255 any
deny ip 120.0.0.0 0.255.255.255 any
deny ip 121.0.0.0 0.255.255.255 any
deny ip 122.0.0.0 0.255.255.255 any
deny ip 123.0.0.0 0.255.255.255 any
deny ip 124.0.0.0 0.255.255.255 any
deny ip 125.0.0.0 0.255.255.255 any
deny ip 126.0.0.0 0.255.255.255 any
deny ip 197.0.0.0 0.255.255.255 any
deny ip 201.0.0.0 0.255.255.255 any
permit ip any any
remark This acl might not be up to date. Visit www.iana.org/assignments/ipv4-address-space for update list
ip access-list extended autosecprivateblock
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
permit ip any any
logging trap debugging
logging facility local2
access-list 100 permit udp any any eq bootpc
access-list 150 permit ip host 0.0.0.0 any
dialer-list 1 protocol ip permit
no cdp run
line con 0
exec-timeout 5 0
login authentication local_auth
no modem enable
transport output telnet
deny ip 121.0.0.0 0.255.255.255 any
deny ip 122.0.0.0 0.255.255.255 any
deny ip 123.0.0.0 0.255.255.255 any
deny ip 124.0.0.0 0.255.255.255 any
deny ip 125.0.0.0 0.255.255.255 any
deny ip 126.0.0.0 0.255.255.255 any
deny ip 197.0.0.0 0.255.255.255 any
deny ip 201.0.0.0 0.255.255.255 any
permit ip any any
remark This acl might not be up to date. Visit www.iana.org/assignments/ipv4-address-space for update list
ip access-list extended autosecprivateblock
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
permit ip any any
logging trap debugging
logging facility local2
access-list 100 permit udp any any eq bootpc
access-list 150 permit ip host 0.0.0.0 any
dialer-list 1 protocol ip permit
no cdp run
line con 0
exec-timeout 5 0
login authentication local_auth
no modem enable
transport output telnet
line aux 0
login authentication local_auth
transport output telnet
line vty 0 4
password 7 15045A081325242F7B626C74
login authentication local_auth
transport input telnet ssh
scheduler max-task-time 5000
end
and the DEBUG in the cisco is:
015933: *Mar 2 05:13:34.748 UTC: %SYS-5-CONFIG_I: Configured from console by dooruser on vty0 (192.168.1.10)
door#
door#
015934: *Mar 2 05:14:18.096 UTC: ISAKMP (0:0): received packet from 192.168.1.10 dport 500 sport 500 Global (N) NEW SA
015935: *Mar 2 05:14:18.096 UTC: ISAKMP: Created a peer struct for 192.168.1.10, peer port 500
015936: *Mar 2 05:14:18.096 UTC: ISAKMP: Locking peer struct 0x816C55CC, IKE refcount 1 for cryptoikmp_config_initializesa
015937: *Mar 2 05:14:18.096 UTC: ISAKMP (0:0): Setting client config settings 813B63E8
015938: *Mar 2 05:14:18.096 UTC: ISAKMP (0:0): (Re)Setting client xauth list and state
015939: *Mar 2 05:14:18.096 UTC: ISAKMP: local port 500, remote port 500
015940: *Mar 2 05:14:18.100 UTC: ISAKMP: insert sa successfully sa = 815825EC
015941: *Mar 2 05:14:18.100 UTC: ISAKMP (0:1): processing SA payload. message ID = 0
015942: *Mar 2 05:14:18.100 UTC: ISAKMP (0:1): processing ID payload. message ID = 0
015943: *Mar 2 05:14:18.100 UTC: ISAKMP (0:1): peer matches none of the profiles
015944: *Mar 2 05:14:18.100 UTC: ISAKMP (0:1): processing vendor id payload
015945: *Mar 2 05:14:18.100 UTC: ISAKMP (0:1): vendor ID seems Unity/DPD but major 69 mismatch
015946: *Mar 2 05:14:18.104 UTC: ISAKMP (0:1): processing vendor id payload
015947: *Mar 2 05:14:18.104 UTC: ISAKMP (0:1): vendor ID seems Unity/DPD but major 198 mismatch
015948: *Mar 2 05:14:18.104 UTC: ISAKMP (0:1): processing vendor id payload
015949: *Mar 2 05:14:18.104 UTC: ISAKMP (0:1): vendor ID seems Unity/DPD but major 29 mismatch
015950: *Mar 2 05:14:18.104 UTC: ISAKMP (0:1): processing vendor id payload
015951: *Mar 2 05:14:18.104 UTC: ISAKMP (0:1): vendor ID seems Unity/DPD but major 245 mismatch
015952: *Mar 2 05:14:18.104 UTC: ISAKMP (0:1): processing vendor id payload
015953: *Mar 2 05:14:18.104 UTC: ISAKMP (0:1): vendor ID seems Unity/DPD but major 114 mismatch
015954: *Mar 2 05:14:18.108 UTC: ISAKMP (0:1): processing vendor id payload
015955: *Mar 2 05:14:18.108 UTC: ISAKMP (0:1): vendor ID seems Unity/DPD but major 227 mismatch
015956: *Mar 2 05:14:18.108 UTC: ISAKMP (0:1): processing vendor id payload
015957: *Mar 2 05:14:18.108 UTC: ISAKMP (0:1): vendor ID seems Unity/DPD but major 250 mismatch
015958: *Mar 2 05:14:18.108 UTC: ISAKMP (0:1): processing vendor id payload
015959: *Mar 2 05:14:18.108 UTC: ISAKMP (0:1): vendor ID seems Unity/DPD but major 157 mismatch
015960: *Mar 2 05:14:18.108 UTC: ISAKMP (0:1): vendor ID is NAT-T v3
015961: *Mar 2 05:14:18.108 UTC: ISAKMP (0:1): processing vendor id payload
015962: *Mar 2 05:14:18.112 UTC: ISAKMP (0:1): vendor ID seems Unity/DPD but major 164 mismatch
015963: *Mar 2 05:14:18.112 UTC: ISAKMP (0:1): processing vendor id payload
015964: *Mar 2 05:14:18.112 UTC: ISAKMP (0:1): vendor ID seems Unity/DPD but major 123 mismatch
015965: *Mar 2 05:14:18.112 UTC: ISAKMP (0:1): vendor ID is NAT-T v2
015966: *Mar 2 05:14:18.112 UTC: ISAKMP (0:1): processing vendor id payload
015967: *Mar 2 05:14:18.112 UTC: ISAKMP (0:1): vendor ID is DPD
015968: *Mar 2 05:14:18.112 UTC: ISAKMP (0:1) Authentication by xauth preshared
015969: *Mar 2 05:14:18.112 UTC: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 10 policy
015970: *Mar 2 05:14:18.112 UTC: ISAKMP: life type in seconds
015971: *Mar 2 05:14:18.116 UTC: ISAKMP: life duration (basic) of 3600
015972: *Mar 2 05:14:18.116 UTC: ISAKMP: encryption 3DES-CBC
015973: *Mar 2 05:14:18.116 UTC: ISAKMP: auth pre-share
015974: *Mar 2 05:14:18.116 UTC: ISAKMP: hash SHA
015975: *Mar 2 05:14:18.116 UTC: ISAKMP: default group 2
015976: *Mar 2 05:14:18.116 UTC: ISAKMP (0:1): atts are acceptable. Next payload is 0
015977: *Mar 2 05:14:18.328 UTC: ISAKMP (0:1): processing KE payload. message ID = 0
015978: *Mar 2 05:14:18.596 UTC: ISAKMP (0:1): processing NONCE payload. message ID = 0
015979: *Mar 2 05:14:18.600 UTC: ISAKMP (0:1): processing vendor id payload
015980: *Mar 2 05:14:18.600 UTC: ISAKMP (0:1): vendor ID seems Unity/DPD but major 69 mismatch
015981: *Mar 2 05:14:18.600 UTC: ISAKMP (0:1): processing vendor id payload
015982: *Mar 2 05:14:18.600 UTC: ISAKMP (0:1): vendor ID seems Unity/DPD but major 198 mismatch
015983: *Mar 2 05:14:18.600 UTC: ISAKMP (0:1): processing vendor id payload
015984: *Mar 2 05:14:18.600 UTC: ISAKMP (0:1): vendor ID seems Unity/DPD but major 29 mismatch
015985: *Mar 2 05:14:18.604 UTC: ISAKMP (0:1): processing vendor id payload
015986: *Mar 2 05:14:18.604 UTC: ISAKMP (0:1): vendor ID seems Unity/DPD but major 245 mismatch
015987: *Mar 2 05:14:18.604 UTC: ISAKMP (0:1): processing vendor id payload
015988: *Mar 2 05:14:18.604 UTC: ISAKMP (0:1): vendor ID seems Unity/DPD but major 114 mismatch
015989: *Mar 2 05:14:18.604 UTC: ISAKMP (0:1): processing vendor id payload
015990: *Mar 2 05:14:18.604 UTC: ISAKMP (0:1): vendor ID seems Unity/DPD but major 227 mismatch
015991: *Mar 2 05:14:18.608 UTC: ISAKMP (0:1): processing vendor id payload
015992: *Mar 2 05:14:18.608 UTC: ISAKMP (0:1): vendor ID seems Unity/DPD but major 250 mismatch
015993: *Mar 2 05:14:18.608 UTC: ISAKMP (0:1): processing vendor id payload
015994: *Mar 2 05:14:18.608 UTC: ISAKMP (0:1): vendor ID seems Unity/DPD but major 157 mismatch
015995: *Mar 2 05:14:18.608 UTC: ISAKMP (0:1): vendor ID is NAT-T v3
015996: *Mar 2 05:14:18.608 UTC: ISAKMP (0:1): processing vendor id payload
015997: *Mar 2 05:14:18.608 UTC: ISAKMP (0:1): vendor ID seems Unity/DPD but major 164 mismatch
015998: *Mar 2 05:14:18.608 UTC: ISAKMP (0:1): processing vendor id payload
015999: *Mar 2 05:14:18.608 UTC: ISAKMP (0:1): vendor ID seems Unity/DPD but major 123 mismatch
016000: *Mar 2 05:14:18.608 UTC: ISAKMP (0:1): vendor ID is NAT-T v2
016001: *Mar 2 05:14:18.608 UTC: ISAKMP (0:1): processing vendor id payload
016002: *Mar 2 05:14:18.608 UTC: ISAKMP (0:1): vendor ID is DPD
016003: *Mar 2 05:14:18.608 UTC: AAA: parse name=ISAKMP500 idb type=-1 tty=-1
016004: *Mar 2 05:14:18.612 UTC: AAA: name=ISAKMP500 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=500 channel=0
016005: *Mar 2 05:14:18.612 UTC: AAA: parse name=<no string> idb type=-1 tty=-1
016006: *Mar 2 05:14:18.612 UTC: AAA/MEMORY: create_user (0x81582C78) user='PRUEBA' ruser='NULL' ds0=0 port='ISAKMP500' rem_addr='192.168.1.10' authen_type=NONE service=LOGIN priv=0 initialtaskid='0', vrf= (id=0)
016007: *Mar 2 05:14:18.612 UTC: ISAKMP (0:1): Input = IKEMESG_FROMPEER, IKEAMEXCH
016008: *Mar 2 05:14:18.612 UTC: ISAKMP (0:1): Old State = IKE_READY New State = IKER_AM_AAAAWAIT
016009: *Mar 2 05:14:18.612 UTC: ISAKMP500 AAA/AUTHOR/CRYPTO AAA(1432144417): Port='ISAKMP500' list='AUTORIZ' service=NET
016010: *Mar 2 05:14:18.616 UTC: AAA/AUTHOR/CRYPTO AAA: ISAKMP500(1432144417) user='PRUEBA'
016011: *Mar 2 05:14:18.616 UTC: ISAKMP500 AAA/AUTHOR/CRYPTO AAA(1432144417): send AV service=ike
016012: *Mar 2 05:14:18.616 UTC: ISAKMP500 AAA/AUTHOR/CRYPTO AAA(1432144417): send AV protocol=ipsec
016013: *Mar 2 05:14:18.616 UTC: ISAKMP500 AAA/AUTHOR/CRYPTO AAA(1432144417): found list "AUTORIZ"
016014: *Mar 2 05:14:18.616 UTC: ISAKMP500 AAA/AUTHOR/CRYPTO AAA(1432144417): Method=LOCAL
016015: *Mar 2 05:14:18.620 UTC: AAA/AUTHOR (1432144417): Post authorization status = PASS_ADD
016016: *Mar 2 05:14:18.620 UTC: ISAKMP: got callback 1
016017: *Mar 2 05:14:18.624 UTC:
AAA/AUTHOR/IKE: Processing AV service=ike
016018: *Mar 2 05:14:18.624 UTC:
AAA/AUTHOR/IKE: Processing AV protocol=ipsec
016019: *Mar 2 05:14:18.624 UTC:
AAA/AUTHOR/IKE: Processing AV tunnel-password=cisco123
016020: *Mar 2 05:14:18.624 UTC:
AAA/AUTHOR/IKE: Processing AV default-domain*domain.com
016021: *Mar 2 05:14:18.624 UTC:
AAA/AUTHOR/IKE: Processing AV addr-pool*VPNPOOL
016022: *Mar 2 05:14:18.624 UTC:
AAA/AUTHOR/IKE: Processing AV key-exchange=ike
016023: *Mar 2 05:14:18.624 UTC:
AAA/AUTHOR/IKE: Processing AV firewall*0
016024: *Mar 2 05:14:18.624 UTC:
AAA/AUTHOR/IKE: Processing AV group-lock*0
016025: *Mar 2 05:14:18.624 UTC:
AAA/AUTHOR/IKE: Processing AV include-local-lan*0
016026: *Mar 2 05:14:18.624 UTC:
AAA/AUTHOR/IKE: Processing AV timeout*0
016027: *Mar 2 05:14:18.624 UTC:
AAA/AUTHOR/IKE: Processing AV idletime*0
016028: *Mar 2 05:14:18.628 UTC:
AAA/AUTHOR/IKE: Processing AV inacl*150
016029: *Mar 2 05:14:18.628 UTC:
AAA/AUTHOR/IKE: Processing AV dns-servers*0.0.0.0 0.0.0.0
016030: *Mar 2 05:14:18.628 UTC:
AAA/AUTHOR/IKE: Processing AV wins-servers*0.0.0.0 0.0.0.0
016031: *Mar 2 05:14:18.628 UTC:
AAA/AUTHOR/IKE: Processing AV save-password*0
016032: *Mar 2 05:14:18.632 UTC: ISAKMP (0:1): SKEYID state generated
016033: *Mar 2 05:14:18.636 UTC: ISAKMP (0:1): constructed NAT-T vendor-03 ID
016034: *Mar 2 05:14:18.636 UTC: ISAKMP (0:1): SA is doing pre-shared key authentication using id type IDIPV4ADDR
016035: *Mar 2 05:14:18.636 UTC: ISAKMP (1): ID payload
next-payload : 10
type : 1
addr : 192.168.1.70
protocol : 17
port : 0
length : 8
016036: *Mar 2 05:14:18.636 UTC: ISAKMP (1): Total payload length: 12
016037: *Mar 2 05:14:18.636 UTC: ISAKMP (0:1): constructed HIS NAT-D
016038: *Mar 2 05:14:18.636 UTC: ISAKMP (0:1): constructed MINE NAT-D
016039: *Mar 2 05:14:18.640 UTC: ISAKMP (0:1): sending packet to 192.168.1.10 my_port 500 peer_port 500 (R) AGINITEXCH
016040: *Mar 2 05:14:18.640 UTC: ISAKMP (0:1): Input = IKEMESG_FROMAAA, PRESHAREDKEYREPLY
016041: *Mar 2 05:14:18.640 UTC: ISAKMP (0:1): Old State = IKER_AM_AAAAWAIT New State = IKERAM2
016042: *Mar 2 05:14:18.640 UTC: AAA/MEMORY: free_user (0x81582C78) user='PRUEBA' ruser='NULL' port='ISAKMP500' rem_addr='192.168.1.10' authen_type=NONE service=LOGIN priv=0 vrf= (id=0)
016043: *Mar 2 05:14:18.792 UTC: ISAKMP (0:1): received packet from 192.168.1.10 dport 500 sport 500 Global (R) AGINITEXCH
016044: *Mar 2 05:14:18.792 UTC: ISAKMP (0:1): processing HASH payload. message ID = 0
016045: *Mar 2 05:14:18.792 UTC: ISAKMP:received payload type 17
016046: *Mar 2 05:14:18.796 UTC: ISAKMP (0:1): Detected NAT-D payload
016047: *Mar 2 05:14:18.796 UTC: ISAKMP (0:1): recalc my hash for NAT-D
016048: *Mar 2 05:14:18.796 UTC: ISAKMP (0:1): NAT match MINE hash
016049: *Mar 2 05:14:18.796 UTC: ISAKMP:received payload type 17
016050: *Mar 2 05:14:18.796 UTC: ISAKMP (0:1): Detected NAT-D payload
016051: *Mar 2 05:14:18.796 UTC: ISAKMP (0:1): recalc his hash for NAT-D
016052: *Mar 2 05:14:18.796 UTC: ISAKMP (0:1): NAT match HIS hash
016053: *Mar 2 05:14:18.796 UTC: ISAKMP (0:1): SA has been authenticated with 192.168.1.10
016054: *Mar 2 05:14:18.796 UTC: ISAKMP: Trying to insert a peer 192.168.1.70/192.168.1.10/500/, and inserted successfully.
016055: *Mar 2 05:14:18.800 UTC: ISAKMP (0:1): peer matches none of the profiles
016056: *Mar 2 05:14:18.800 UTC: ISAKMP (0:1): Input = IKEMESG_FROMPEER, IKEAMEXCH
016057: *Mar 2 05:14:18.800 UTC: ISAKMP (0:1): Old State = IKERAM2 New State = IKEP1COMPLETE
016058: *Mar 2 05:14:18.800 UTC: ISAKMP (0:1): received packet from 192.168.1.10 dport 500 sport 500 Global (R) QM_IDLE
016059: *Mar 2 05:14:18.800 UTC: ISAKMP: set new node -499921571 to CONF_XAUTH
016060: *Mar 2 05:14:18.804 UTC: ISAKMP (0:1): processing HASH payload. message ID = -499921571
016061: *Mar 2 05:14:18.804 UTC: ISAKMP (0:1): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = -499921571, sa = 815825EC
016062: *Mar 2 05:14:18.804 UTC: ISAKMP (0:1): Process initial contact,
bring down existing phase 1 and 2 SA's with local 192.168.1.70 remote 192.168.1.10 remote port 500
016063: *Mar 2 05:14:18.804 UTC: ISAKMP (0:1): returning IP addr to the address pool
016064: *Mar 2 05:14:18.808 UTC: IPSEC(key_engine): got a queue event with 1 kei messages
016065: *Mar 2 05:14:18.808 UTC: ISAKMP (0:1): deleting node -499921571 error FALSE reason "informational (in) state 1"
016066: *Mar 2 05:14:18.808 UTC: ISAKMP (0:1): Input = IKEMESG_FROMPEER, IKEINFONOTIFY
016067: *Mar 2 05:14:18.808 UTC: ISAKMP (0:1): Old State = IKEP1COMPLETE New State = IKEP1COMPLETE
016068: *Mar 2 05:14:18.808 UTC: ISAKMP (0:1): received packet from 192.168.1.10 dport 500 sport 500 Global (R) QM_IDLE
016069: *Mar 2 05:14:18.812 UTC: ISAKMP: set new node -326994436 to CONF_XAUTH
016070: *Mar 2 05:14:18.812 UTC: ISAKMP (0:1): Need XAUTH
016071: *Mar 2 05:14:18.816 UTC: AAA: parse name=ISAKMP500 idb type=-1 tty=-1
016072: *Mar 2 05:14:18.816 UTC: AAA: name=ISAKMP500 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=500 channel=0
016073: *Mar 2 05:14:18.816 UTC: AAA: parse name=<no string> idb type=-1 tty=-1
016074: *Mar 2 05:14:18.816 UTC: AAA/MEMORY: create_user (0x816C2654) user='NULL' ruser='NULL' ds0=0 port='ISAKMP500' rem_addr='192.168.1.10' authen_type=ASCII service=LOGIN priv=0 initialtaskid='0', vrf= (id=0)
016075: *Mar 2 05:14:18.816 UTC: ISAKMP (0:1): Input = IKEMESGINTERNAL, IKEPHASE1COMPLETE
016076: *Mar 2 05:14:18.816 UTC: ISAKMP (0:1): Old State = IKEP1COMPLETE New State = IKEXAUTH_AAA_START_LOGINAWAIT
016077: *Mar 2 05:14:18.820 UTC: AAA/AUTHEN/START (687144130): port='ISAKMP500' list='LOGIN' action=LOGIN service=LOGIN
016078: *Mar 2 05:14:18.820 UTC: AAA/AUTHEN/START (687144130): found list LOGIN
016079: *Mar 2 05:14:18.820 UTC: AAA/AUTHEN/START (687144130): Method=LOCAL
016080: *Mar 2 05:14:18.820 UTC: AAA/AUTHEN(687144130): Status=GETUSER
016081: *Mar 2 05:14:18.820 UTC: ISAKMP (0:1): Unknown Input: state = IKEXAUTH_AAA_START_LOGINAWAIT, major, minor = IKEMESGINTERNAL, IKEPHASE1COMPLETE
016082: *Mar 2 05:14:18.820 UTC: ISAKMP: got callback 1
016083: *Mar 2 05:14:18.820 UTC: ISAKMP: set new node 1267078368 to CONF_XAUTH
016084: *Mar 2 05:14:18.824 UTC: ISAKMP/xauth: request attribute XAUTH_TYPE
016085: *Mar 2 05:14:18.824 UTC: ISAKMP/xauth: request attribute XAUTH_MESSAGE
016086: *Mar 2 05:14:18.824 UTC: ISAKMP/xauth: request attribute XAUTHUSERNAME
016087: *Mar 2 05:14:18.824 UTC: ISAKMP/xauth: request attribute XAUTHUSERPASSWORD
016088: *Mar 2 05:14:18.824 UTC: ISAKMP (0:1): initiating peer config to 192.168.1.10. ID = 1267078368
016089: *Mar 2 05:14:18.828 UTC: ISAKMP (0:1): sending packet to 192.168.1.10 my_port 500 peer_port 500 (R) CONF_XAUTH
016090: *Mar 2 05:14:18.828 UTC: ISAKMP (0:1): Input = IKEMESG_FROMAAA, IKEAAA_STARTLOGIN
016091: *Mar 2 05:14:18.828 UTC: ISAKMP (0:1): Old State = IKEXAUTH_AAA_START_LOGINAWAIT New State = IKEXAUTH_REQSENT
016092: *Mar 2 05:14:18.836 UTC: ISAKMP (0:1): received packet from 192.168.1.10 dport 500 sport 500 Global (R) CONF_XAUTH
016093: *Mar 2 05:14:18.836 UTC: ISAKMP (0:1): processing transaction payload from 192.168.1.10. message ID = 1267078368
016094: *Mar 2 05:14:18.840 UTC: ISAKMP: Config payload REPLY
016095: *Mar 2 05:14:18.840 UTC: ISAKMP/xauth: Expected attribute XAUTH_TYPE not received
016096: *Mar 2 05:14:18.840 UTC: AAA/MEMORY: free_user (0x816C2654) user='NULL' ruser='NULL' port='ISAKMP500' rem_addr='192.168.1.10' authen_type=ASCII service=LOGIN priv=0 vrf= (id=0)
016097: *Mar 2 05:14:18.840 UTC: AAA: parse name=ISAKMP500 idb type=-1 tty=-1
016098: *Mar 2 05:14:18.840 UTC: AAA: name=ISAKMP500 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=500 channel=0
016099: *Mar 2 05:14:18.840 UTC: AAA: parse name=<no string> idb type=-1 tty=-1
016100: *Mar 2 05:14:18.840 UTC: AAA/MEMORY: create_user (0x816C2654) user='NULL' ruser='NULL' ds0=0 port='ISAKMP500' rem_addr='192.168.1.10' authen_type=ASCII service=LOGIN priv=0 initialtaskid='0', vrf= (id=0)
016101: *Mar 2 05:14:18.844 UTC: ISAKMP (0:1): Input = IKEMESG_FROMPEER, IKECFGREPLY
016102: *Mar 2 05:14:18.844 UTC: ISAKMP (0:1): Old State = IKEXAUTH_REQSENT New State = IKEXAUTH_AAA_START_LOGINAWAIT
016103: *Mar 2 05:14:18.844 UTC: AAA/AUTHEN/START (741762202): port='ISAKMP500' list='LOGIN' action=LOGIN service=LOGIN
016104: *Mar 2 05:14:18.844 UTC: AAA/AUTHEN/START (741762202): found list LOGIN
016105: *Mar 2 05:14:18.844 UTC: AAA/AUTHEN/START (741762202): Method=LOCAL
016106: *Mar 2 05:14:18.844 UTC: AAA/AUTHEN(741762202): Status=GETUSER
016107: *Mar 2 05:14:18.848 UTC: ISAKMP: got callback 1
016108: *Mar 2 05:14:18.848 UTC: ISAKMP: set new node -623612407 to CONF_XAUTH
016109: *Mar 2 05:14:18.848 UTC: ISAKMP/xauth: request attribute XAUTH_TYPE
016110: *Mar 2 05:14:18.848 UTC: ISAKMP/xauth: request attribute XAUTH_MESSAGE
016111: *Mar 2 05:14:18.848 UTC: ISAKMP/xauth: request attribute XAUTHUSERNAME
016112: *Mar 2 05:14:18.848 UTC: ISAKMP/xauth: request attribute XAUTHUSERPASSWORD
016113: *Mar 2 05:14:18.852 UTC: ISAKMP (0:1): initiating peer config to 192.168.1.10. ID = -623612407
016114: *Mar 2 05:14:18.852 UTC: ISAKMP (0:1): sending packet to 192.168.1.10 my_port 500 peer_port 500 (R) CONF_XAUTH
016115: *Mar 2 05:14:18.852 UTC: ISAKMP (0:1): Input = IKEMESG_FROMAAA, IKEAAA_STARTLOGIN
016116: *Mar 2 05:14:18.852 UTC: ISAKMP (0:1): Old State = IKEXAUTH_AAA_START_LOGINAWAIT New State = IKEXAUTH_REQSENT
016117: *Mar 2 05:14:19.036 UTC: ISAKMP (0:1): received packet from 192.168.1.10 dport 500 sport 500 Global (R) CONF_XAUTH
016118: *Mar 2 05:14:19.040 UTC: ISAKMP (0:1): processing transaction payload from 192.168.1.10. message ID = -623612407
016119: *Mar 2 05:14:19.040 UTC: ISAKMP: Config payload REPLY
016120: *Mar 2 05:14:19.040 UTC: ISAKMP/xauth: Expected attribute XAUTH_TYPE not received
016121: *Mar 2 05:14:19.040 UTC: AAA/MEMORY: free_user (0x816C2654) user='NULL' ruser='NULL' port='ISAKMP500' rem_addr='192.168.1.10' authen_type=ASCII service=LOGIN priv=0 vrf= (id=0)
016122: *Mar 2 05:14:19.040 UTC: AAA: parse name=ISAKMP500 idb type=-1 tty=-1
016123: *Mar 2 05:14:19.044 UTC: AAA: name=ISAKMP500 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=500 channel=0
016124: *Mar 2 05:14:19.044 UTC: AAA: parse name=<no string> idb type=-1 tty=-1
016125: *Mar 2 05:14:19.044 UTC: AAA/MEMORY: create_user (0x8156DB1C) user='NULL' ruser='NULL' ds0=0 port='ISAKMP500' rem_addr='192.168.1.10' authen_type=ASCII service=LOGIN priv=0 initialtaskid='0', vrf= (id=0)
016126: *Mar 2 05:14:19.044 UTC: ISAKMP (0:1): Input = IKEMESG_FROMPEER, IKECFGREPLY
016127: *Mar 2 05:14:19.044 UTC: ISAKMP (0:1): Old State = IKEXAUTH_REQSENT New State = IKEXAUTH_AAA_START_LOGINAWAIT
016128: *Mar 2 05:14:19.044 UTC: AAA/AUTHEN/START (3918303509): port='ISAKMP500' list='LOGIN' action=LOGIN service=LOGIN
016129: *Mar 2 05:14:19.044 UTC: AAA/AUTHEN/START (3918303509): found list LOGIN
016130: *Mar 2 05:14:19.048 UTC: AAA/AUTHEN/START (3918303509): Method=LOCAL
016131: *Mar 2 05:14:19.048 UTC: AAA/AUTHEN(3918303509): Status=GETUSER
016132: *Mar 2 05:14:19.048 UTC: ISAKMP: got callback 1
016133: *Mar 2 05:14:19.048 UTC: ISAKMP: set new node 1898470555 to CONF_XAUTH
016134: *Mar 2 05:14:19.048 UTC: ISAKMP/xauth: request attribute XAUTH_TYPE
016135: *Mar 2 05:14:19.048 UTC: ISAKMP/xauth: request attribute XAUTH_MESSAGE
016136: *Mar 2 05:14:19.048 UTC: ISAKMP/xauth: request attribute XAUTHUSERNAME
016137: *Mar 2 05:14:19.052 UTC: ISAKMP/xauth: request attribute XAUTHUSERPASSWORD
016138: *Mar 2 05:14:19.052 UTC: ISAKMP (0:1): initiating peer config to 192.168.1.10. ID = 1898470555
016139: *Mar 2 05:14:19.052 UTC: ISAKMP (0:1): sending packet to 192.168.1.10 my_port 500 peer_port 500 (R) CONF_XAUTH
016140: *Mar 2 05:14:19.056 UTC: ISAKMP (0:1): Input = IKEMESG_FROMAAA, IKEAAA_STARTLOGIN
016141: *Mar 2 05:14:19.056 UTC: ISAKMP (0:1): Old State = IKEXAUTH_AAA_START_LOGINAWAIT New State = IKEXAUTH_REQSENT
016142: *Mar 2 05:14:19.056 UTC: ISAKMP (0:1): received packet from 192.168.1.10 dport 500 sport 500 Global (R) CONF_XAUTH
016143: *Mar 2 05:14:19.064 UTC: ISAKMP (0:1): processing transaction payload from 192.168.1.10. message ID = 1898470555
016144: *Mar 2 05:14:19.064 UTC: ISAKMP: Config payload REPLY
016145: *Mar 2 05:14:19.064 UTC: ISAKMP/xauth: Expected attribute XAUTH_TYPE not received
016146: *Mar 2 05:14:19.064 UTC: AAA/MEMORY: free_user (0x8156DB1C) user='NULL' ruser='NULL' port='ISAKMP500' rem_addr='192.168.1.10' authen_type=ASCII service=LOGIN priv=0 vrf= (id=0)
016147: *Mar 2 05:14:19.068 UTC: ISAKMP (0:1): peer does not do paranoid keepalives.
016148: *Mar 2 05:14:19.068 UTC: ISAKMP (0:1): deleting SA reason "XAuthenticate fail" state (R) CONF_XAUTH (peer 192.168.1.10) input queue 0
016149: *Mar 2 05:14:19.068 UTC: ISAKMP: Unlocking IKE struct 0x816C55CC for isadbmark_sadeleted(), count 0
016150: *Mar 2 05:14:19.068 UTC: ISAKMP: Deleting peer node by peer_reap for 192.168.1.10: 816C55CC
016151: *Mar 2 05:14:19.068 UTC: ISAKMP: set new node -1893737389 to QM_IDLE
016152: *Mar 2 05:14:19.072 UTC: ISAKMP (0:1): sending packet to 192.168.1.10 my_port 500 peer_port 500 (R) MMNOSTATE
016153: *Mar 2 05:14:19.072 UTC: ISAKMP (0:1): purging node -1893737389
016154: *Mar 2 05:14:19.072 UTC: ISAKMP (0:1): deleting node -326994436 error FALSE reason "XAuthenticate fail"
016155: *Mar 2 05:14:19.072 UTC: ISAKMP (0:1): deleting node 1267078368 error FALSE reason "XAuthenticate fail"
016156: *Mar 2 05:14:19.076 UTC: ISAKMP (0:1): deleting node -623612407 error FALSE reason "XAuthenticate fail"
016157: *Mar 2 05:14:19.076 UTC: ISAKMP (0:1): deleting node 1898470555 error FALSE reason "XAuthenticate fail"
016158: *Mar 2 05:14:19.076 UTC: ISAKMP (0:1): Input = IKEMESG_FROMPEER, IKECFGREPLY
016159: *Mar 2 05:14:19.076 UTC: ISAKMP (0:1): Old State = IKEXAUTH_REQSENT New State = IKEDESTSA
016160: *Mar 2 05:14:19.076 UTC: IPSEC(key_engine): got a queue event with 1 kei messages
016161: *Mar 2 05:14:19.076 UTC: IPSEC(keyengine_deletesas): rec'd delete notify from ISAKMP
016162: *Mar 2 05:14:19.076 UTC: IPSEC(keyengine_deletesas): delete all SAs shared with peer 192.168.1.10
016163: *Mar 2 05:14:28.368 UTC: ISAKMP (0:1): received packet from 192.168.1.10 dport 500 sport 500 Global (R) MMNOSTATE
016164: *Mar 2 05:14:38.368 UTC: ISAKMP (0:1): received packet from 192.168.1.10 dport 500 sport 500 Global (R) MMNOSTATE
016165: *Mar 2 05:15:08.808 UTC: ISAKMP (0:1): purging node -499921571
016166: *Mar 2 05:15:09.072 UTC: ISAKMP (0:1): purging node -326994436
016167: *Mar 2 05:15:09.076 UTC: ISAKMP (0:1): purging node 1267078368
016168: *Mar 2 05:15:09.076 UTC: ISAKMP (0:1): purging node -623612407
016169: *Mar 2 05:15:09.076 UTC: ISAKMP (0:1): purging node 1898470555
016170: *Mar 2 05:15:19.076 UTC: ISAKMP (0:1): purging SA., sa=815825EC, delme=815825EC
In leopard I used the doortest user (created with mschap), shared sectret cisco123, group PRUEBA.
Any CISCO CCNA out there, please?
It should work following this: http://www.macosxhints.com/article.php?story=20070827135109248
Thanks, guys.
PD: the cisco...
Cisco Internetwork Operating System Software
IOS (tm) C837 Software (C837-K9O3Y6-M), Version 12.3(2)XC2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
Synched to technology version 12.3(1.6)T
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Thu 04-Mar-04 01:13 by ealyon
Image text-base: 0x800131E8, data-base: 0x80B93040
ROM: System Bootstrap, Version 12.2(11r)YV1, RELEASE SOFTWARE (fc1)
ROM: C837 Software (C837-K9O3Y6-M), Version 12.3(2)XC2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
door uptime is 1 day, 5 hours, 27 minutes
System returned to ROM by power-on
System image file is "flash:c837-k9o3y6-mz.123-2.XC2.bin"Nobody using VPNs out there?
Are CISCO VPN concentrators old fashioned?
C'mon! -
Cisco ISE 1.2 & Cisco WLC 5508 v7.6
Hi all,
we are planning to upgrade our WLC to 7.6 to fix a bug with FlexConnect Client ACLs but I have just seen on the Cisco ISE Compatibility table that the it only recommends up to v7.5 of the WLC 5508...
Cisco have told me to steer clear of 7.5 as it is in a defferred status, so does anyone know, or have running in a lab or production, ISE1.2 with a 5508 WLC v7.6 NAD ?
I would much rather know of any issues people are experiencing before hand than to have to go through a software upgrade and then rollback.
Thanks all
Mario De RosaHi Neno,
right I have this almost working now.
I have simplified the setup. I am not going to do any client provisioning at the moment.
So I can connect to the corporate SSID using EAP-TLS and I can successfully push the branch data VLAN upon successful authorisation.
Now I am trying to introduce the posture element & per user ACLs.
I have defined the redirect ACL & Flex ACL on the vWLC however the NAC agent will not pop-up. The client is in the right VLAN and the redirect ACL seems to be getting applied as the client does get an IP through DHCP. However, the client cannot ping the ISE or access the guest portal when I open the browser.
DNS resolution seems to be working fine.
VLAN220 is my datacentre VLAN which the Management Interface on the controller is plugged in to.
VLAN10 is the branch DATA VLAN.
below is some output to give you some more details...
(Cisco Controller) >show client detail 00:24:d6:97:b3:be
Client MAC Address............................... 00:24:d6:97:b3:be
Client Username ................................. [email protected]
AP MAC Address................................... 18:33:9d:f0:21:80
AP Name.......................................... test-flex-ap
AP radio slot Id................................. 0
Client State..................................... Associated
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 2
Hotspot (802.11u)................................ Not Supported
BSSID............................................ 18:33:9d:f0:21:81
Connected For ................................... 128 secs
Channel.......................................... 6
IP Address....................................... 10.130.130.120
Gateway Address.................................. 10.130.130.1
Netmask.......................................... 255.255.255.0
IPv6 Address..................................... fe80::f524:1910:69f0:9482
Association Id................................... 1
Authentication Algorithm......................... Open System
Reason Code...................................... 1
Status Code...................................... 0
Client CCX version............................... 4
Client E2E version............................... 1
--More-- or (q)uit
Re-Authentication Timeout........................ 1651
QoS Level........................................ Silver
Avg data Rate.................................... 0
Burst data Rate.................................. 0
Avg Real time data Rate.......................... 0
Burst Real Time data Rate........................ 0
802.1P Priority Tag.............................. disabled
CTS Security Group Tag........................... Not Applicable
KTS CAC Capability............................... No
WMM Support...................................... Enabled
APSD ACs....................................... BK BE VI VO
Power Save....................................... OFF
Current Rate..................................... m13
Supported Rates.................................. 1.0,2.0,5.5,11.0,6.0,9.0,
............................................. 12.0,18.0,24.0,36.0,48.0,
............................................. 54.0
Mobility State................................... Local
Mobility Move Count.............................. 0
Security Policy Completed........................ No
Policy Manager State............................. POSTURE_REQD
Policy Manager Rule Created...................... Yes
AAA Override ACL Name............................ POSTURE_REDIRECT_ACL
AAA Override ACL Applied Status.................. Yes
--More-- or (q)uit
AAA Override Flex ACL Name....................... POSTURE_REDIRECT_ACL
AAA Override Flex ACL Applied Status............. Yes
AAA URL redirect................................. https://pdc-ise-man01.kier.group:8443/guestportal/gateway?sessionId=c8dc800a00000005b3e7e953&action=cpp
Audit Session ID................................. c8dc800a00000005b3e7e953
AAA Role Type.................................... none
Local Policy Applied............................. none
IPv4 ACL Name.................................... none
FlexConnect ACL Applied Status................... Yes
IPv4 ACL Applied Status.......................... Unavailable
IPv6 ACL Name.................................... none
IPv6 ACL Applied Status.......................... Unavailable
Layer2 ACL Name.................................. none
Layer2 ACL Applied Status........................ Unavailable
mDNS Status...................................... Disabled
mDNS Profile Name................................ none
No. of mDNS Services Advertised.................. 0
Policy Type...................................... WPA2
Authentication Key Management.................... 802.1x
Encryption Cipher................................ CCMP (AES)
Protected Management Frame ...................... No
Management Frame Protection...................... No
EAP Type......................................... EAP-TLS
FlexConnect Data Switching....................... Local
--More-- or (q)uit
FlexConnect Dhcp Status.......................... Local
FlexConnect Vlan Based Central Switching......... No
FlexConnect Authentication....................... Central
Quarantine VLAN.................................. 0
Access VLAN...................................... 220
Client Capabilities:
CF Pollable................................ Not implemented
CF Poll Request............................ Not implemented
Short Preamble............................. Implemented
PBCC....................................... Not implemented
Channel Agility............................ Not implemented
Listen Interval............................ 10
Fast BSS Transition........................ Not implemented
Client Wifi Direct Capabilities:
WFD capable................................ No
Manged WFD capable......................... No
Cross Connection Capable................... No
Support Concurrent Operation............... No
Fast BSS Transition Details:
Client Statistics:
Number of Bytes Received................... 33698
Number of Bytes Sent....................... 19397
Total Number of Bytes Sent................. 19397
--More-- or (q)uit
Total Number of Bytes Recv................. 33698
Number of Bytes Sent (last 90s)............ 19397
Number of Bytes Recv (last 90s)............ 33698
Number of Packets Received................. 283
Number of Packets Sent..................... 147
Number of Interim-Update Sent.............. 0
Number of EAP Id Request Msg Timeouts...... 0
Number of EAP Id Request Msg Failures...... 0
Number of EAP Request Msg Timeouts......... 0
Number of EAP Request Msg Failures......... 0
Number of EAP Key Msg Timeouts............. 0
Number of EAP Key Msg Failures............. 0
Number of Data Retries..................... 53
Number of RTS Retries...................... 0
Number of Duplicate Received Packets....... 2
Number of Decrypt Failed Packets........... 0
Number of Mic Failured Packets............. 0
Number of Mic Missing Packets.............. 0
Number of RA Packets Dropped............... 0
Number of Policy Errors.................... 0
Radio Signal Strength Indicator............ -42 dBm
Signal to Noise Ratio...................... 41 dB
Client Rate Limiting Statistics:
--More-- or (q)uit
Number of Data Packets Recieved............ 0
Number of Data Rx Packets Dropped.......... 0
Number of Data Bytes Recieved.............. 0
Number of Data Rx Bytes Dropped............ 0
Number of Realtime Packets Recieved........ 0
Number of Realtime Rx Packets Dropped...... 0
Number of Realtime Bytes Recieved.......... 0
Number of Realtime Rx Bytes Dropped........ 0
Number of Data Packets Sent................ 0
Number of Data Tx Packets Dropped.......... 0
Number of Data Bytes Sent.................. 0
Number of Data Tx Bytes Dropped............ 0
Number of Realtime Packets Sent............ 0
Number of Realtime Tx Packets Dropped...... 0
Number of Realtime Bytes Sent.............. 0
Number of Realtime Tx Bytes Dropped........ 0
Nearby AP Statistics:
test-flex-ap(slot 0)
antenna0: 14 secs ago.................... -51 dBm
antenna1: 14 secs ago.................... -37 dBm
test-flex-ap(slot 1)
antenna0: 14 secs ago.................... -51 dBm
antenna1: 14 secs ago.................... -54 dBm
--More-- or (q)uit
DNS Server details:
DNS server IP ............................. 10.0.17.31
DNS server IP ............................. 10.0.17.43
Assisted Roaming Prediction List details:
Client Dhcp Required: False
Allowed (URL)IP Addresses
(Cisco Controller) >
(Cisco Controller) >show wlan 2
WLAN Identifier.................................. 2
Profile Name..................................... Demo1x
Network Name (SSID).............................. Demo1x
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Enabled
Network Admission Control
Client Profiling Status
Radius Profiling ............................ Disabled
DHCP ....................................... Disabled
HTTP ....................................... Disabled
Local Profiling ............................. Disabled
DHCP ....................................... Disabled
HTTP ....................................... Disabled
Radius-NAC State............................... Enabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Maximum number of Clients per AP Radio........... 200
--More-- or (q)uit
Number of Active Clients......................... 1
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 1800 seconds
User Idle Timeout................................ Disabled
Sleep Client..................................... disable
Sleep Client Timeout............................. 12 hours
User Idle Threshold.............................. 0 Bytes
NAS-identifier................................... mario-test-flex-vwlc
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ management
Multicast Interface.............................. Not Configured
WLAN IPv4 ACL.................................... unconfigured
WLAN IPv6 ACL.................................... unconfigured
WLAN Layer2 ACL.................................. unconfigured
mDNS Status...................................... Disabled
mDNS Profile Name................................ unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Quality of Service............................... Silver
Per-SSID Rate Limits............................. Upstream Downstream
Average Data Rate................................ 0 0
--More-- or (q)uit
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Per-Client Rate Limits........................... Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
--More-- or (q)uit
Radius Servers
Authentication................................ 10.0.16.111 1812
Accounting.................................... 10.131.16.111 1813
Interim Update............................. Disabled
Framed IPv6 Acct AVP ...................... Prefix
Dynamic Interface............................. Disabled
Dynamic Interface Priority.................... wlan
Local EAP Authentication......................... Disabled
Security
802.11 Authentication:........................ Open System
FT Support.................................... Disabled
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Enabled
WPA (SSN IE)............................... Disabled
WPA2 (RSN IE).............................. Enabled
TKIP Cipher............................. Disabled
AES Cipher.............................. Enabled
Auth Key Management
802.1x.................................. Enabled
PSK..................................... Disabled
CCKM.................................... Disabled
--More-- or (q)uit
FT-1X(802.11r).......................... Disabled
FT-PSK(802.11r)......................... Disabled
PMF-1X(802.11w)......................... Disabled
PMF-PSK(802.11w)........................ Disabled
FT Reassociation Timeout................... 20
FT Over-The-DS mode........................ Enabled
GTK Randomization.......................... Disabled
SKC Cache Support.......................... Disabled
CCKM TSF Tolerance......................... 1000
WAPI.......................................... Disabled
Wi-Fi Direct policy configured................ Disabled
EAP-Passthrough............................... Disabled
CKIP ......................................... Disabled
Web Based Authentication...................... Disabled
Web-Passthrough............................... Disabled
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Disabled
FlexConnect Local Switching................... Enabled
flexconnect Central Dhcp Flag................. Disabled
flexconnect nat-pat Flag...................... Disabled
flexconnect Dns Override Flag................. Disabled
flexconnect PPPoE pass-through................ Disabled
--More-- or (q)uit
flexconnect local-switching IP-source-guar.... Disabled
FlexConnect Vlan based Central Switching ..... Disabled
FlexConnect Local Authentication.............. Disabled
FlexConnect Learn IP Address.................. Enabled
Client MFP.................................... Optional
PMF........................................... Disabled
PMF Association Comeback Time................. 1
PMF SA Query RetryTimeout..................... 200
Tkip MIC Countermeasure Hold-down Timer....... 60
Eap-params.................................... Disabled
AVC Visibilty.................................... Disabled
AVC Profile Name................................. None
Flow Monitor Name................................ None
Split Tunnel (Printers).......................... Disabled
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Disabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
KTS based CAC Policy............................. Disabled
Assisted Roaming Prediction Optimization......... Disabled
802.11k Neighbor List............................ Disabled
802.11k Neighbor List Dual Band.................. Disabled
Band Select...................................... Disabled
--More-- or (q)uit
Load Balancing................................... Disabled
Multicast Buffer................................. Disabled
Mobility Anchor List
WLAN ID IP Address Status
802.11u........................................ Disabled
MSAP Services.................................. Disabled
Local Policy
Priority Policy Name
(Cisco Controller) >
when debugging the client during redirect, this is the output and I cannot spot anything wrong here...
(Cisco Controller) >*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be Adding mobile on LWAPP AP 18:33:9d:f0:21:80(1)
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be Association received from mobile on BSSID 18:33:9d:f0:21:8e
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be Global 200 Clients are allowed to AP radio
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be Max Client Trap Threshold: 0 cur: 0
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be Rf profile 600 Clients are allowed to AP wlan
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be override for default ap group, marking intgrp NULL
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be Applying Interface policy on Mobile, role Unassociated. Ms NAC State 0 Quarantine Vlan 0 Access Vlan 0
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be Re-applying interface policy for client
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2219)
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2240)
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 255 on mobile
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be In processSsidIE:4850 setting Central switched to FALSE
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be Applying site-specific Local Bridging override for station 00:24:d6:97:b3:be - vapId 2, site 'default-group', interface 'management'
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be Applying Local Bridging Interface Policy for station 00:24:d6:97:b3:be - vlan 220, interface id 0, interface 'management'
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be processSsidIE statusCode is 0 and status is 0
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be processSsidIE ssid_done_flag is 0 finish_flag is 0
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be STA - rates (8): 140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be suppRates statusCode is 0 and gotSuppRatesElement is 1
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be Processing RSN IE type 48, length 22 for mobile 00:24:d6:97:b3:be
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be Received RSN IE with 0 PMKIDs from mobile 00:24:d6:97:b3:be
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be Setting active key cache index 8 ---> 8
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be unsetting PmkIdValidatedByAp
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be Updating AID for REAP AP Client 18:33:9d:f0:21:80 - AID ===> 1
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be 0.0.0.0 START (0) Initializing policy
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state START (0)
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state AUTHCHECK (2)
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be Central switch is FALSE
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be 0.0.0.0 8021X_REQD (3) DHCP required on AP 18:33:9d:f0:21:80 vapId 2 apVapId 2for this client
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be Not Using WMM Compliance code qosCap 00
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 18:33:9d:f0:21:80 vapId 2 apVapId 2 flex-acl-name:
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be apfMsAssoStateInc
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be apfPemAddUser2 (apf_policy.c:333) Changing state for mobile 00:24:d6:97:b3:be on AP 18:33:9d:f0:21:80 from Idle to Associated
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be apfPemAddUser2:session timeout forstation 00:24:d6:97:b3:be - Session Tout 0, apfMsTimeOut '0' and sessionTimerRunning flag is 0
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be Stopping deletion of Mobile Station: (callerId: 48)
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be Func: apfPemAddUser2, Ms Timeout = 0, Session Timeout = 0
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be Sending Assoc Response to station on BSSID 18:33:9d:f0:21:8e (status 0) ApVapId 2 Slot 1
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be apfProcessAssocReq (apf_80211.c:8294) Changing state for mobile 00:24:d6:97:b3:be on AP 18:33:9d:f0:21:80 from Associated to Associated
*spamApTask6: Aug 12 10:58:24.016: 00:24:d6:97:b3:be Sent 1x initiate message to multi thread task for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.016: 00:24:d6:97:b3:be EAP-PARAM Debug - eap-params for Wlan-Id :2 is disabled - applying Global eap timers and retries
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.016: 00:24:d6:97:b3:be Station 00:24:d6:97:b3:be setting dot1x reauth timeout = 1800
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.016: 00:24:d6:97:b3:be dot1x - moving mobile 00:24:d6:97:b3:be into Connecting state
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.016: 00:24:d6:97:b3:be Sending EAP-Request/Identity to mobile 00:24:d6:97:b3:be (EAP Id 1)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.016: 00:24:d6:97:b3:be mscb->apfMsLwappLradNhMac = 00:00:0c:07:ac:dc mscb->apfMsLradSlotId = 1 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 1
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.016: 00:24:d6:97:b3:be mscb->apfMsBssid = 18:33:9d:f0:21:80 mscb->apfMsAddress = 00:24:d6:97:b3:be mscb->apfMsApVapId = 2
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.016: 00:24:d6:97:b3:be dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 220 mscb->apfMsLwappMwarInet.ipv4.addr = 176217288
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.016: 00:24:d6:97:b3:be mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = 176325157 mscb->apfMsLwappLradPort = 9385
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.083: 00:24:d6:97:b3:be Received EAPOL EAPPKT from mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.083: 00:24:d6:97:b3:be Received Identity Response (count=1) from mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.083: 00:24:d6:97:b3:be Resetting reauth count 1 to 0 for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.083: 00:24:d6:97:b3:be EAP State update from Connecting to Authenticating for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.083: 00:24:d6:97:b3:be dot1x - moving mobile 00:24:d6:97:b3:be into Authenticating state
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.083: 00:24:d6:97:b3:be Entering Backend Auth Response state for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.086: 00:24:d6:97:b3:be Processing Access-Challenge for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.086: 00:24:d6:97:b3:be Entering Backend Auth Req state (id=214) for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.086: 00:24:d6:97:b3:be WARNING: updated EAP-Identifier 1 ===> 214 for STA 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.086: 00:24:d6:97:b3:be Sending EAP Request from AAA to mobile 00:24:d6:97:b3:be (EAP Id 214)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.086: 00:24:d6:97:b3:be Allocating EAP Pkt for retransmission to mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.086: 00:24:d6:97:b3:be mscb->apfMsLwappLradNhMac = 00:00:0c:07:ac:dc mscb->apfMsLradSlotId = 1 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 1
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.086: 00:24:d6:97:b3:be mscb->apfMsBssid = 18:33:9d:f0:21:80 mscb->apfMsAddress = 00:24:d6:97:b3:be mscb->apfMsApVapId = 2
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.086: 00:24:d6:97:b3:be dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 220 mscb->apfMsLwappMwarInet.ipv4.addr = 176217288
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.086: 00:24:d6:97:b3:be mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = 176325157 mscb->apfMsLwappLradPort = 9385
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.090: 00:24:d6:97:b3:be Received EAPOL EAPPKT from mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.090: 00:24:d6:97:b3:be Received EAP Response from mobile 00:24:d6:97:b3:be (EAP Id 214, EAP Type 13)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.090: 00:24:d6:97:b3:be Resetting reauth count 0 to 0 for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.090: 00:24:d6:97:b3:be Entering Backend Auth Response state for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.091: 00:24:d6:97:b3:be Processing Access-Challenge for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.091: 00:24:d6:97:b3:be Entering Backend Auth Req state (id=215) for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.091: 00:24:d6:97:b3:be Sending EAP Request from AAA to mobile 00:24:d6:97:b3:be (EAP Id 215)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.091: 00:24:d6:97:b3:be Reusing allocated memory for EAP Pkt for retransmission to mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.091: 00:24:d6:97:b3:be mscb->apfMsLwappLradNhMac = 00:00:0c:07:ac:dc mscb->apfMsLradSlotId = 1 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 1
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.091: 00:24:d6:97:b3:be mscb->apfMsBssid = 18:33:9d:f0:21:80 mscb->apfMsAddress = 00:24:d6:97:b3:be mscb->apfMsApVapId = 2
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.091: 00:24:d6:97:b3:be dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 220 mscb->apfMsLwappMwarInet.ipv4.addr = 176217288
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.091: 00:24:d6:97:b3:be mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = 176325157 mscb->apfMsLwappLradPort = 9385
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.095: 00:24:d6:97:b3:be Received EAPOL EAPPKT from mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.095: 00:24:d6:97:b3:be Received EAP Response from mobile 00:24:d6:97:b3:be (EAP Id 215, EAP Type 13)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.095: 00:24:d6:97:b3:be Resetting reauth count 0 to 0 for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.095: 00:24:d6:97:b3:be Entering Backend Auth Response state for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.096: 00:24:d6:97:b3:be Processing Access-Challenge for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.096: 00:24:d6:97:b3:be Entering Backend Auth Req state (id=216) for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.096: 00:24:d6:97:b3:be Sending EAP Request from AAA to mobile 00:24:d6:97:b3:be (EAP Id 216)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.096: 00:24:d6:97:b3:be Reusing allocated memory for EAP Pkt for retransmission to mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.096: 00:24:d6:97:b3:be mscb->apfMsLwappLradNhMac = 00:00:0c:07:ac:dc mscb->apfMsLradSlotId = 1 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 1
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.096: 00:24:d6:97:b3:be mscb->apfMsBssid = 18:33:9d:f0:21:80 mscb->apfMsAddress = 00:24:d6:97:b3:be mscb->apfMsApVapId = 2
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.096: 00:24:d6:97:b3:be dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 220 mscb->apfMsLwappMwarInet.ipv4.addr = 176217288
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.096: 00:24:d6:97:b3:be mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = 176325157 mscb->apfMsLwappLradPort = 9385
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.100: 00:24:d6:97:b3:be Received EAPOL EAPPKT from mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.100: 00:24:d6:97:b3:be Received EAP Response from mobile 00:24:d6:97:b3:be (EAP Id 216, EAP Type 13)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.100: 00:24:d6:97:b3:be Resetting reauth count 0 to 0 for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.100: 00:24:d6:97:b3:be Entering Backend Auth Response state for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.101: 00:24:d6:97:b3:be Processing Access-Challenge for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.101: 00:24:d6:97:b3:be Entering Backend Auth Req state (id=217) for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.101: 00:24:d6:97:b3:be Sending EAP Request from AAA to mobile 00:24:d6:97:b3:be (EAP Id 217)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.101: 00:24:d6:97:b3:be Reusing allocated memory for EAP Pkt for retransmission to mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.101: 00:24:d6:97:b3:be mscb->apfMsLwappLradNhMac = 00:00:0c:07:ac:dc mscb->apfMsLradSlotId = 1 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 1
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.101: 00:24:d6:97:b3:be mscb->apfMsBssid = 18:33:9d:f0:21:80 mscb->apfMsAddress = 00:24:d6:97:b3:be mscb->apfMsApVapId = 2
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.101: 00:24:d6:97:b3:be dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 220 mscb->apfMsLwappMwarInet.ipv4.addr = 176217288
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.101: 00:24:d6:97:b3:be mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = 176325157 mscb->apfMsLwappLradPort = 9385
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.105: 00:24:d6:97:b3:be Received EAPOL EAPPKT from mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.105: 00:24:d6:97:b3:be Received EAP Response from mobile 00:24:d6:97:b3:be (EAP Id 217, EAP Type 13)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.105: 00:24:d6:97:b3:be Resetting reauth count 0 to 0 for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.105: 00:24:d6:97:b3:be Entering Backend Auth Response state for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.106: 00:24:d6:97:b3:be Processing Access-Challenge for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.106: 00:24:d6:97:b3:be Entering Backend Auth Req state (id=218) for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.106: 00:24:d6:97:b3:be Sending EAP Request from AAA to mobile 00:24:d6:97:b3:be (EAP Id 218)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.106: 00:24:d6:97:b3:be Reusing allocated memory for EAP Pkt for retransmission to mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.106: 00:24:d6:97:b3:be mscb->apfMsLwappLradNhMac = 00:00:0c:07:ac:dc mscb->apfMsLradSlotId = 1 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 1
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.106: 00:24:d6:97:b3:be mscb->apfMsBssid = 18:33:9d:f0:21:80 mscb->apfMsAddress = 00:24:d6:97:b3:be mscb->apfMsApVapId = 2
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.106: 00:24:d6:97:b3:be dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 220 mscb->apfMsLwappMwarInet.ipv4.addr = 176217288
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.106: 00:24:d6:97:b3:be mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = 176325157 mscb->apfMsLwappLradPort = 9385
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.110: 00:24:d6:97:b3:be Received EAPOL EAPPKT from mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.110: 00:24:d6:97:b3:be Received EAP Response from mobile 00:24:d6:97:b3:be (EAP Id 218, EAP Type 13)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.110: 00:24:d6:97:b3:be Resetting reauth count 0 to 0 for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.110: 00:24:d6:97:b3:be Entering Backend Auth Response state for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.111: 00:24:d6:97:b3:be Processing Access-Challenge for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.111: 00:24:d6:97:b3:be Entering Backend Auth Req state (id=219) for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.111: 00:24:d6:97:b3:be Sending EAP Request from AAA to mobile 00:24:d6:97:b3:be (EAP Id 219)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.111: 00:24:d6:97:b3:be Reusing allocated memory for EAP Pkt for retransmission to mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.111: 00:24:d6:97:b3:be mscb->apfMsLwappLradNhMac = 00:00:0c:07:ac:dc mscb->apfMsLradSlotId = 1 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 1
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.111: 00:24:d6:97:b3:be mscb->apfMsBssid = 18:33:9d:f0:21:80 mscb->apfMsAddress = 00:24:d6:97:b3:be mscb->apfMsApVapId = 2
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.111: 00:24:d6:97:b3:be dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 220 mscb->apfMsLwappMwarInet.ipv4.addr = 176217288
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.111: 00:24:d6:97:b3:be mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = 176325157 mscb->apfMsLwappLradPort = 9385
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.115: 00:24:d6:97:b3:be Received EAPOL EAPPKT from mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.115: 00:24:d6:97:b3:be Received EAP Response from mobile 00:24:d6:97:b3:be (EAP Id 219, EAP Type 13)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.115: 00:24:d6:97:b3:be Resetting reauth count 0 to 0 for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.115: 00:24:d6:97:b3:be Entering Backend Auth Response state for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.116: 00:24:d6:97:b3:be Processing Access-Challenge for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.116: 00:24:d6:97:b3:be Entering Backend Auth Req state (id=220) for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.116: 00:24:d6:97:b3:be Sending EAP Request from AAA to mobile 00:24:d6:97:b3:be (EAP Id 220)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.116: 00:24:d6:97:b3:be Reusing allocated memory for EAP Pkt for retransmission to mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.116: 00:24:d6:97:b3:be mscb->apfMsLwappLradNhMac = 00:00:0c:07:ac:dc mscb->apfMsLradSlotId = 1 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 1
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.116: 00:24:d6:97:b3:be mscb->apfMsBssid = 18:33:9d:f0:21:80 mscb->apfMsAddress = 00:24:d6:97:b3:be mscb->apfMsApVapId = 2
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.116: 00:24:d6:97:b3:be dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 220 mscb->apfMsLwappMwarInet.ipv4.addr = 176217288
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.116: 00:24:d6:97:b3:be mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = 176325157 mscb->apfMsLwappLradPort = 9385
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.352: 00:24:d6:97:b3:be Received EAPOL EAPPKT from mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.352: 00:24:d6:97:b3:be Received EAP Response from mobile 00:24:d6:97:b3:be (EAP Id 220, EAP Type 13)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.352: 00:24:d6:97:b3:be Resetting reauth count 0 to 0 for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.352: 00:24:d6:97:b3:be Entering Backend Auth Response state for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.354: 00:24:d6:97:b3:be Processing Access-Challenge for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.354: 00:24:d6:97:b3:be Entering Backend Auth Req state (id=221) for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.354: 00:24:d6:97:b3:be Sending EAP Request from AAA to mobile 00:24:d6:97:b3:be (EAP Id 221)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.354: 00:24:d6:97:b3:be Reusing allocated memory for EAP Pkt for retransmission to mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.354: 00:24:d6:97:b3:be mscb->apfMsLwappLradNhMac = 00:00:0c:07:ac:dc mscb->apfMsLradSlotId = 1 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 1
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.354: 00:24:d6:97:b3:be mscb->apfMsBssid = 18:33:9d:f0:21:80 mscb->apfMsAddress = 00:24:d6:97:b3:be mscb->apfMsApVapId = 2
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.354: 00:24:d6:97:b3:be dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 220 mscb->apfMsLwappMwarInet.ipv4.addr = 176217288
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.354: 00:24:d6:97:b3:be mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = 176325157 mscb->apfMsLwappLradPort = 9385
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.359: 00:24:d6:97:b3:be Received EAPOL EAPPKT from mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.359: 00:24:d6:97:b3:be Received EAP Response from mobile 00:24:d6:97:b3:be (EAP Id 221, EAP Type 13)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.359: 00:24:d6:97:b3:be Resetting reauth count 0 to 0 for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.359: 00:24:d6:97:b3:be Entering Backend Auth Response state for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.360: 00:24:d6:97:b3:be Processing Access-Challenge for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.360: 00:24:d6:97:b3:be Entering Backend Auth Req state (id=222) for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.360: 00:24:d6:97:b3:be Sending EAP Request from AAA to mobile 00:24:d6:97:b3:be (EAP Id 222)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.360: 00:24:d6:97:b3:be Reusing allocated memory for EAP Pkt for retransmission to mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.360: 00:24:d6:97:b3:be mscb->apfMsLwappLradNhMac = 00:00:0c:07:ac:dc mscb->apfMsLradSlotId = 1 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 1
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.360: 00:24:d6:97:b3:be mscb->apfMsBssid = 18:33:9d:f0:21:80 mscb->apfMsAddress = 00:24:d6:97:b3:be mscb->apfMsApVapId = 2
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.360: 00:24:d6:97:b3:be dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 220 mscb->apfMsLwappMwarInet.ipv4.addr = 176217288
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.360: 00:24:d6:97:b3:be mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = 176325157 mscb->apfMsLwappLradPort = 9385
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.365: 00:24:d6:97:b3:be Received EAPOL EAPPKT from mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.365: 00:24:d6:97:b3:be Received EAP Response from mobile 00:24:d6:97:b3:be (EAP Id 222, EAP Type 13)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.365: 00:24:d6:97:b3:be Resetting reauth count 0 to 0 for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.365: 00:24:d6:97:b3:be Entering Backend Auth Response state for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.366: 00:24:d6:97:b3:be Processing Access-Challenge for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.366: 00:24:d6:97:b3:be Entering Backend Auth Req state (id=223) for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.366: 00:24:d6:97:b3:be Sending EAP Request from AAA to mobile 00:24:d6:97:b3:be (EAP Id 223)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.366: 00:24:d6:97:b3:be Reusing allocated memory for EAP Pkt for retransmission to mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.366: 00:24:d6:97:b3:be mscb->apfMsLwappLradNhMac = 00:00:0c:07:ac:dc mscb->apfMsLradSlotId = 1 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 1
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.366: 00:24:d6:97:b3:be mscb->apfMsBssid = 18:33:9d:f0:21:80 mscb->apfMsAddress = 00:24:d6:97:b3:be mscb->apfMsApVapId = 2
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.366: 00:24:d6:97:b3:be dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 220 mscb->apfMsLwappMwarInet.ipv4.addr = 176217288
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.366: 00:24:d6:97:b3:be mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = 176325157 mscb->apfMsLwappLradPort = 9385
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.371: 00:24:d6:97:b3:be Received EAPOL EAPPKT from mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.371: 00:24:d6:97:b3:be Received EAP Response from mobile 00:24:d6:97:b3:be (EAP Id 223, EAP Type 13)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.371: 00:24:d6:97:b3:be Resetting reauth count 0 to 0 for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.371: 00:24:d6:97:b3:be Entering Backend Auth Response state for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.372: 00:24:d6:97:b3:be Processing Access-Challenge for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.372: 00:24:d6:97:b3:be Entering Backend Auth Req state (id=224) for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.372: 00:24:d6:97:b3:be Sending EAP Request from AAA to mobile 00:24:d6:97:b3:be (EAP Id 224)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.372: 00:24:d6:97:b3:be Reusing allocated memory for EAP Pkt for retransmission to mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.372: 00:24:d6:97:b3:be mscb->apfMsLwappLradNhMac = 00:00:0c:07:ac:dc mscb->apfMsLradSlotId = 1 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 1
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.372: 00:24:d6:97:b3:be mscb->apfMsBssid = 18:33:9d:f0:21:80 mscb->apfMsAddress = 00:24:d6:97:b3:be mscb->apfMsApVapId = 2
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.372: 00:24:d6:97:b3:be dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 220 mscb->apfMsLwappMwarInet.ipv4.addr = 176217288
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.372: 00:24:d6:97:b3:be mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = 176325157 mscb->apfMsLwappLradPort = 9385
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.375: 00:24:d6:97:b3:be Received EAPOL EAPPKT from mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.375: 00:24:d6:97:b3:be Received EAP Response from mobile 00:24:d6:97:b3:be (EAP Id 224, EAP Type 13)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.375: 00:24:d6:97:b3:be Resetting reauth count 0 to 0 for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.375: 00:24:d6:97:b3:be Entering Backend Auth Response state for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.389: 00:24:d6:97:b3:be Processing Access-Challenge for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.389: 00:24:d6:97:b3:be Entering Backend Auth Req state (id=225) for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.389: 00:24:d6:97:b3:be Sending EAP Request from AAA to mobile 00:24:d6:97:b3:be (EAP Id 225)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.389: 00:24:d6:97:b3:be Reusing allocated memory for EAP Pkt for retransmission to mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.389: 00:24:d6:97:b3:be mscb->apfMsLwappLradNhMac = 00:00:0c:07:ac:dc mscb->apfMsLradSlotId = 1 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 1
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.389: 00:24:d6:97:b3:be mscb->apfMsBssid = 18:33:9d:f0:21:80 mscb->apfMsAddress = 00:24:d6:97:b3:be mscb->apfMsApVapId = 2
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.389: 00:24:d6:97:b3:be dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 220 mscb->apfMsLwappMwarInet.ipv4.addr = 176217288
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.389: 00:24:d6:97:b3:be mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = 176325157 mscb->apfMsLwappLradPort = 9385
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.391: 00:24:d6:97:b3:be Received EAPOL EAPPKT from mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.391: 00:24:d6:97:b3:be Received EAP Response from mobile 00:24:d6:97:b3:be (EAP Id 225, EAP Type 13)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.391: 00:24:d6:97:b3:be Resetting reauth count 0 to 0 for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.391: 00:24:d6:97:b3:be Entering Backend Auth Response state for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Processing Access-Accept for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Resetting web IPv4 acl from 255 to 255
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Resetting web IPv4 Flex acl from 65535 to 65535
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Username entry ([email protected]) created for mobile, length = 253
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Username entry ([email protected]) created in mscb for mobile, length = 253
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be override for default ap group, marking intgrp NULL
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Applying Interface policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 220
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Re-applying interface policy for client
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be 0.0.0.0 8021X_REQD (3) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2219)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be 0.0.0.0 8021X_REQD (3) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2240)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 1 on mobile
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Inserting AAA Override struct for mobile
MAC: 00:24:d6:97:b3:be, source 4
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Setting re-auth timeout to 1800 seconds, got from WLAN config.
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Station 00:24:d6:97:b3:be setting dot1x reauth timeout = 1800
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Creating a PKC PMKID Cache entry for station 00:24:d6:97:b3:be (RSN 2)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Resetting MSCB PMK Cache Entry 0 for station 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Setting active key cache index 8 ---> 8
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Setting active key cache index 8 ---> 0
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Adding BSSID 18:33:9d:f0:21:8e to PMKID cache at index 0 for station 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: New PMKID: (16)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: [0000] 6f d1 ce 84 08 74 41 a5 06 6b 89 02 c9 e9 f8 c8
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Disabling re-auth since PMK lifetime can take care of same.
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be unsetting PmkIdValidatedByAp
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Client in Posture Reqd state. PMK cache not updated.
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Sending EAP-Success to mobile 00:24:d6:97:b3:be (EAP Id 225)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be mscb->apfMsLwappLradNhMac = 00:00:0c:07:ac:dc mscb->apfMsLradSlotId = 1 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 1
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be mscb->apfMsBssid = 18:33:9d:f0:21:80 mscb->apfMsAddress = 00:24:d6:97:b3:be mscb->apfMsApVapId = 2
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 220 mscb->apfMsLwappMwarInet.ipv4.addr = 176217288
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = 176325157 mscb->apfMsLwappLradPort = 9385
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Freeing AAACB from Dot1xCB as AAA auth is done for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be EAPOL Header:
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00000000: 02 03 5f 00 .._.
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Found an cache entry for BSSID 18:33:9d:f0:21:8e in PMKID cache at index 0 of station 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Found an cache entry for BSSID 18:33:9d:f0:21:8e in PMKID cache at index 0 of station 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: Including PMKID in M1 (16)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: [0000] 6f d1 ce 84 08 74 41 a5 06 6b 89 02 c9 e9 f8 c8
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Starting key exchange to mobile 00:24:d6:97:b3:be, data packets will be dropped
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Sending EAPOL-Key Message to mobile 00:24:d6:97:b3:be
state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Sending EAPOL-Key Message to mobile 00:24:d6:97:b3:be
state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Reusing allocated memory for EAP Pkt for retransmission to mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be mscb->apfMsLwappLradNhMac = 00:00:0c:07:ac:dc mscb->apfMsLradSlotId = 1 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 1
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be mscb->apfMsBssid = 18:33:9d:f0:21:80 mscb->apfMsAddress = 00:24:d6:97:b3:be mscb->apfMsApVapId = 2
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 220 mscb->apfMsLwappMwarInet.ipv4.addr = 176217288
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = 176325157 mscb->apfMsLwappLradPort = 9385
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Entering Backend Auth Success state (id=225) for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Received Auth Success while in Authenticating state for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be dot1x - moving mobile 00:24:d6:97:b3:be into Authenticated state
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.414: 00:24:d6:97:b3:be Received EAPOL-Key from mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.414: 00:24:d6:97:b3:be Received EAPOL-key in PTK_START state (message 2) from mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.414: 00:24:d6:97:b3:be PMK: Sending cache add
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.414: 00:24:d6:97:b3:be Stopping retransmission timer for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.414: 00:24:d6:97:b3:be EAPOL Header:
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.414: 00000000: 02 03 5f 00 .._.
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.414: 00:24:d6:97:b3:be Sending EAPOL-Key Message to mobile 00:24:d6:97:b3:be
state PTKINITNEGOTIATING (message 3), replay counter 00.00.00.00.00.00.00.01
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.414: 00:24:d6:97:b3:be Sending EAPOL-Key Message to mobile 00:24:d6:97:b3:be
state PTKINITNEGOTIATING (message 3), replay counter 00.00.00.00.00.00.00.01
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.414: 00:24:d6:97:b3:be Reusing allocated memory for EAP Pkt for retransmission to mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.414: 00:24:d6:97:b3:be mscb->apfMsLwappLradNhMac = 00:00:0c:07:ac:dc mscb->apfMsLradSlotId = 1 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 1
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.414: 00:24:d6:97:b3:be mscb->apfMsBssid = 18:33:9d:f0:21:80 mscb->apfMsAddress = 00:24:d6:97:b3:be mscb->apfMsApVapId = 2
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.414: 00:24:d6:97:b3:be dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 220 mscb->apfMsLwappMwarInet.ipv4.addr = 176217288
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.414: 00:24:d6:97:b3:be mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = 176325157 mscb->apfMsLwappLradPort = 9385
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: 00:24:d6:97:b3:be Received EAPOL-Key from mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: 00:24:d6:97:b3:be Received EAPOL-key in PTKINITNEGOTIATING state (message 4) from mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: 00:24:d6:97:b3:be Stopping retransmission timer for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: 00:24:d6:97:b3:be Freeing EAP Retransmit Bufer for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: 00:24:d6:97:b3:be apfMs1xStateInc
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: 00:24:d6:97:b3:be 0.0.0.0 8021X_REQD (3) Change state to L2AUTHCOMPLETE (4) last state 8021X_REQD (3)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: 00:24:d6:97:b3:be Central switch is FALSE
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: 00:24:d6:97:b3:be Sending the Central Auth Info
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: 00:24:d6:97:b3:be Central Auth Info Allocated PMKLen = 32
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: EapolReplayCounter: 00 00 00 00 00 00 00 01
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: EapolReplayCounter: 00 00 00 00 00 00 00 01
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: 00:24:d6:97:b3:be PMK: pmkActiveIndex = 0
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: 00:24:d6:97:b3:be EapolReplayCounter: 00 00 00 00 00 00 00 01
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: 00:24:d6:97:b3:be msAssocTypeFlagsMsb = 0 msAssocTypeFlagsLsb = 2
apfMsEntryType = 0 apfMsEapType = 13
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: 00:24:d6:97:b3:be 0.0.0.0 L2AUTHCOMPLETE (4) DHCP required on AP 18:33:9d:f0:21:80 vapId 2 apVapId 2for this client
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: 00:24:d6:97:b3:be Not Using WMM Compliance code qosCap 00
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: 00:24:d6:97:b3:be 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 18:33:9d:f0:21:80 vapId 2 apVapId 2 flex-acl-name:POSTURE_REDIRECT_ACL
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: 00:24:d6:97:b3:be 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state L2AUTHCOMPLETE (4)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: 00:24:d6:97:b3:be 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 6166, Adding TMP rule
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: 00:24:d6:97:b3:be 0.0.0.0 DHCP_REQD (7) Adding Fast Path rule
type = Airespace AP - Learn IP address
on AP 18:33:9d:f0:21:80, slot 1, interface = 1, QOS = 0
IPv4 ACL ID = 255, IPv
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: 00:24:d6:97:b3:be 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 64206 Local Bridging Vlan = 220, Local Bridging intf id = 0
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: 00:24:d6:97:b3:be 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
*apfReceiveTask: Aug 12 10:58:24.418: 00:24:d6:97:b3:be 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED
*apfReceiveTask: Aug 12 10:58:24.418: 00:24:d6:97:b3:be 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 5761, Adding TMP rule
*apfReceiveTask: Aug 12 10:58:24.418: 00:24:d6:97:b3:be 0.0.0.0 DHCP_REQD (7) Replacing Fast Path rule
type = Airespace AP - Learn IP address
on AP 18:33:9d:f0:21:80, slot 1, interface = 1, QOS = 0
IPv4 ACL ID = 255,
*apfReceiveTask: Aug 12 10:58:24.418: 00:24:d6:97:b3:be 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 64206 Local Bridging Vlan = 220, Local Bridging intf id = 0
*apfReceiveTask: Aug 12 10:58:24.418: 00:24:d6:97:b3:be 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
*pemReceiveTask: Aug 12 10:58:24.418: 00:24:d6:97:b3:be 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
*pemReceiveTask: Aug 12 10:58:24.418: 00:24:d6:97:b3:be 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
*spamApTask6: Aug 12 10:58:24.418: 00:24:d6:97:b3:be spamEncodeCentralAuthInoMsPayload: msAssocTypeFlagsMsb = 0 msAssocTypeFlagsLsb = 2
apfMsEntryType = 0 pmkLen = 32
*DHCP Socket Task: Aug 12 10:58:24.546: 00:24:d6:97:b3:be DHCP received op BOOTREPLY (2) (len 325,vlan 220, port 1, encap 0xec03)
*DHCP Socket Task: Aug 12 10:58:24.546: 00:24:d6:97:b3:be DHCP setting server from ACK (server 10.0.17.85, yiaddr 10.130.130.120)
*DHCP Socket Task: Aug 12 10:58:24.548: 00:24:d6:97:b3:be 10.130.130.120 DHCP_REQD (7) Change state to WEBAUTH_REQD (8) last state DHCP_REQD (7)
*DHCP Socket Task: Aug 12 10:58:24.548: 00:24:d6:97:b3:be 10.130.130.120 WEBAUTH_REQD (8) pemAdvanceState2 6671, Adding TMP rule
*DHCP Socket Task: Aug 12 10:58:24.548: 00:24:d6:97:b3:be 10.130.130.120 WEBAUTH_REQD (8) Replacing Fast Path rule
type = Airespace AP Client - ACL passthru
on AP 18:33:9d:f0:21:80, slot 1, interface = 1, QOS = 0
IPv4 A
*DHCP Socket Task: Aug 12 10:58:24.548: 00:24:d6:97:b3:be 10.130.130.120 WEBAUTH_REQD (8) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 64206 Local Bridging Vlan = 220, Local Bridging intf id = 0
*DHCP Socket Task: Aug 12 10:58:24.548: 00:24:d6:97:b3:be 10.130.130.120 WEBAUTH_REQD (8) Successfully plumbed mobile rule (IPv4 ACL ID 1, IPv6 ACL ID 255, L2 ACL ID 255)
*DHCP Socket Task: Aug 12 10:58:24.548: 00:24:d6:97:b3:be Plumbing web-auth redirect rule due to user logout
*DHCP Socket Task: Aug 12 10:58:24.548: 00:24:d6:97:b3:be Assigning Address 10.130.130.120 to mobile
*DHCP Socket Task: Aug 12 10:58:24.548: 00:24:d6:97:b3:be DHCP success event for client. Clearing dhcp failure count for interface management.
*DHCP Socket Task: Aug 12 10:58:24.548: 00:24:d6:97:b3:be DHCP success event for client. Clearing dhcp failure count for interface management.
*pemReceiveTask: Aug 12 10:58:24.548: 00:24:d6:97:b3:be 10.130.130.120 Added NPU entry of type 2, dtlFlags 0x0
*IPv6_Msg_Task: Aug 12 10:58:25.330: 00:24:d6:97:b3:be Pushing IPv6 Vlan Intf ID 0: fe80:0000:0000:0000:f524:1910:69f0:9482 , and MAC: 00:24:D6:97:B3:BE , Binding to Data Plane. SUCCESS !! dhcpv6bitmap 0
*IPv6_Msg_Task: Aug 12 10:58:25.330: 00:24:d6:97:b3:be Link Local address fe80::f524:1910:69f0:9482 updated to mscb. Not Advancing pem state.Current state: mscb in apfMsMmInitial mobility state and client state APF_MS_STATE_A
*DHCP Socket Task: Aug 12 10:58:28.581: 00:24:d6:97:b3:be DHCP received op BOOTREPLY (2) (len 308,vlan 220, port 1, encap 0xec03)
*DHCP Socket Task: Aug 12 10:58:28.589: 00:24:d6:97:b3:be DHCP received op BOOTREPLY (2) (len 308,vlan 220, port 1, encap 0xec03)
*DHCP Socket Task: Aug 12 11:00:07.959: 00:24:d6:97:b3:be DHCP received op BOOTREPLY (2) (len 308,vlan 220, port 1, encap 0xec03)
*DHCP Socket Task: Aug 12 11:00:07.967: 00:24:d6:97:b3:be DHCP received op BOOTREPLY (2) (len 308,vlan 220, port 1, encap 0xec03)
*DHCP Socket Task: Aug 12 11:01:59.153: 00:24:d6:97:b3:be DHCP received op BOOTREPLY (2) (len 308,vlan 220, port 1, encap 0xec03)
Can you see any obvious reason why the NAC agent wont pop up?
Thanks
Mario -
Greetings. First, let me start by saying I am an idiot, I know I am an idiot, and I apologize for wasting everyone's time. I have actually RTFM, many RTFMs, in fact, and I still have not found a resolution.
Second, I am trying to set up a RADIUS server in my test network. I have installed ClearBox RADIUS on a Windows 2000 system. I have the following configuration on my Cisco 2611 router:
Using 2297 out of 29688 bytes
! Last configuration change at 17:20:27 PDT Tue May 20 2008
! NVRAM config last updated at 17:20:29 PDT Tue May 20 2008
version 12.1
no service single-slot-reload-enable
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
hostname Tester
logging buffered 10000 debugging
aaa new-model
aaa group server radius RadiusServers
server 172.26.0.2 auth-port 1812 acct-port 1813
aaa authentication login default group RadiusServers local
aaa authentication login localauth local
aaa authentication ppp default if-needed group radius local
aaa authorization exec default group radius local
aaa authorization network default group radius local
aaa accounting delay-start
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
aaa processes 6
enable secret xxx
username test password xxx
clock timezone PST -8
clock summer-time PDT recurring
ip subnet-zero
no ip domain-lookup
no ip bootp server
interface Loopback0
ip address 192.168.0.1 255.255.255.0
interface Ethernet0/0
description To Main Network
ip address X.X.X.X 255.255.255.128
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
full-duplex
no cdp enable
interface Ethernet0/1
description To Internal Network
ip address 172.26.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
load-interval 30
full-duplex
no cdp enable
ip nat pool test X.X.X.X X.X.X.X netmask 255.255.255.128
ip nat inside source list 3 pool test overload
ip nat inside destination list 3 pool test
ip classless
ip route 0.0.0.0 0.0.0.0 X.X.X.X
no ip http server
ip radius source-interface Ethernet0/1
access-list 3 permit 172.26.0.0 0.0.0.255
no cdp run
snmp-server community public RO 15
radius-server host 172.26.0.2 auth-port 1812 acct-port 1813 key secret
radius-server retransmit 3
radius-server key secret
line con 0
password xxx
logging synchronous
line aux 0
line vty 0 4
access-class 10 in
password 7 1234567890
logging synchronous
ntp clock-period 17208108
ntp server 192.43.244.18
end
My RADIUS server is up and responding to requests, but my router does not appear to be forwarding authentication requests to it. In fact, when I log into the router using HyperTerm, it times out, and I end up authenticating locally.
I really don't care whether my Cisco equipment authenticates against the RADIUS server, but I do need to get it set up to authenticate my users so I can track their time online. What have I missed in my router configuration? Why isn't it forwarding user authentication requests to the RADIUS server.
Thank you for any assistance you may be able to provide.I have found that if I am in the middle of composing a response, and I open the thread in another browser window (to refer to it), when I go to submit my response, it doesn't get posted. Perhaps you are running into the same thing.
The command I shared:
aaa authentication enable default group radius local
... was erroneous. The keyword should have been "enable", as you have discovered.
Therefore use:
aaa authentication enable default group radius enable
When I view a Wireshark trace I see the following:
AVP: l=18 t=User-Password(2): Decrypted: "user-PWD\000\000\000\000\000\000\000\000"
Like you, I see the user password appended with the group of \000 grouping's.
Note the word "Decrypted" which confirms that the password entered in Wireshark is a match with that entered on the AAA client (for what that's worth).
I'm not sure if I suggested that this would confirm that the server and client were using the same shared secret. If I did, I miss-spoke. I think we would have to gauge the server's response to the attributes we see passed by the client.
The Wireshark decryption is much more dramatic with TACACS+ because the whole payload is encrypted.
My issue with your PPPoE is that I saw no "interface" on the router that is configured to perform such authentication. I do seem to recall a global authentication command with the PPP keyword perhaps. I have not attempted to do this, and am not sure whether the interfaces in your router will support this method. Perhaps someone else will weigh in with an opinion.
However, there are other mainstream authentication methods that I think you should investigate as well.
You could implement 802.1x on a switch so that a host has to authenticate before it can gain Layer 3 access to the LAN. Depending on the platform, you can download VLAN assignments and ACLs.
I believe the router also supports 802.1x, but that may determine whether a host can get "through" the router. I have not had cause to investigate 802.1x on the router. I may do so in the future to authorize access to IPsec tunnels.
The router is also likely to support Authentication Proxy. This feature intercepts a user's attempt to browse resources on the other side of the router. User specific ACLs can be downloaded to the router (from RADIUS) to control what resources a user can access.
I think you should:
1. Resolve the issue(s) with AAA logins on the router. It'll establish a baseline of functionality, and give you some short term joy.
2. Investigate whether PPPoE support exists on your router's interfaces.
3. Read up on 802.x and Authentication Proxy (docs on Cisco web site).
4. Decide which methods appeals to you.
5. Dive in.
I'd lose the self-deprecation. I don't think it will serve you well. If you're treated badly, move to a newsgroup where the participants display a higher level of emotional maturity. I don't think you will have an issue on the Cisco forums. Others would probably step in.
I'm going to be absent for several days, so if you don't receive any response, it will be for said reason.
Good luck. -
Hi All,
I am trying to forward incoming external traffic from the internet on ports 25 and 433 to internal IP 10.10.10.29, but it's not working, any ideas what I've done wrong?
I've replaced some of the config with "x"'s
Config:
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname Router
boot-start-marker
boot-end-marker
logging buffered 51200
logging console critical
enable secret 5 xxxx
aaa new-model
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa session-id common
memory-size iomem 10
clock timezone PCTime 10 0
clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 2:00
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-704284261
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-704284261
revocation-check none
rsakeypair TP-self-signed-704284261
crypto pki certificate chain TP-self-signed-704284261
certificate self-signed 01
xxx
quit
no ip source-route
ip cef
no ip bootp server
ip domain name
ip name-server 10.10.10.31
ip port-map user-Intranet port tcp 8080 list 3 description Intranet
ip port-map user-5610 port tcp 5610 description 5610
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 ldap
no ipv6 cef
license udi pid CISCO881-K9 sn FGL164227LM
username admin privilege 15 secret 5 xx
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp client configuration group xxx.remote
key xxx
dns 10.10.10.1 10.10.10.4
wins 10.10.10.1 10.10.10.4
domain xxx.local
pool SDM_POOL_1
acl 102
split-dns xxx.local
max-users 10
netmask 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec df-bit clear
crypto dynamic-map SDM_DYNMAP_1 1
set security-association idle-time 3600
set transform-set ESP-3DES-MD5
reverse-route
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface FastEthernet4
description WAN Interface$FW_OUTSIDE$$ES_WAN$$ETH-WAN$
ip address 125.7.x.x 255.255.255.252
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat outside
ip inspect DEFAULT100 in
ip inspect DEFAULT100 out
ip virtual-reassembly in
ip verify unicast reverse-path
duplex auto
speed auto
crypto map SDM_CMAP_1
interface Vlan1
description Internal Interface$FW_INSIDE$$ES_LAN$$ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.10.10.3 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat inside
ip inspect DEFAULT100 in
ip inspect DEFAULT100 out
ip virtual-reassembly in
ip tcp adjust-mss 1452
ip local pool SDM_POOL_1 10.10.20.100 10.10.20.120
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-top-talkers
top 20
sort-by bytes
ip nat inside source static tcp 10.10.10.29 25 interface FastEthernet4 25
ip nat inside source static tcp 10.10.10.29 443 interface FastEthernet4 443
ip nat inside source route-map SDM_RMAP_2 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 125.7.x.x
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 10.10.10.51
access-list 3 remark SDM_ACL Category=1
access-list 3 permit 10.10.10.5
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit udp host 10.10.10.31 eq domain any
access-list 100 remark SEP Cloud 1
access-list 100 permit ip any host 67.134.208.160
access-list 100 permit udp host 10.10.10.4 eq domain any
access-list 100 remark MYOB File Confirmation
access-list 100 permit ip any host 203.34.100.26
access-list 100 remark Ansarada Dataroom
access-list 100 permit ip any host 125.7.67.133
access-list 100 remark ClassSuper
access-list 100 permit tcp any host 125.7.68.130 eq 443
access-list 100 remark Mercury Connective
access-list 100 permit tcp any host 150.207.147.152 eq 2099
access-list 100 remark AE Tax Lodgement 2
access-list 100 permit tcp any any eq 7586
access-list 100 remark AE Tax Lodgement
access-list 100 permit tcp any any eq 10000
access-list 100 remark Corporate Compliance
access-list 100 permit tcp any any eq 5610
access-list 100 remark GRE
access-list 100 permit gre any any
access-list 100 remark PPTP
access-list 100 permit tcp any any eq 1723
access-list 100 remark RDP
access-list 100 permit tcp any any eq 3389
access-list 100 remark Remote VMs
access-list 100 permit tcp any eq 3389 10.10.20.0 0.0.0.255
access-list 100 remark GetBusi to HTTP
access-list 100 permit tcp host 10.10.10.18 any eq www
access-list 100 remark GetBusi FILTERING
access-list 100 permit tcp host 10.10.10.18 any eq 3436
access-list 100 remark GetBusi NTP
access-list 100 permit tcp host 10.10.10.18 any eq 123
access-list 100 remark GetBusi RSYNC
access-list 100 permit tcp host 10.10.10.18 any eq 873
access-list 100 remark GetBusi DNS
access-list 100 permit tcp host 10.10.10.18 any eq domain
access-list 100 remark GetBusi SSH
access-list 100 permit tcp host 10.10.10.18 any eq 22
access-list 100 remark GetBusi FTP
access-list 100 permit tcp host 10.10.10.18 any eq ftp
access-list 100 remark GetBusi SSL
access-list 100 permit tcp host 10.10.10.18 any eq 443
access-list 100 remark Icarus
access-list 100 permit ip host 10.10.10.99 any
access-list 100 remark BlackHawk
access-list 100 permit ip host 10.10.10.28 any
access-list 100 remark Bane
access-list 100 permit ip host 10.10.10.24 any
access-list 100 remark Buffy
access-list 100 permit ip host 10.10.10.31 any
access-list 100 remark Skype TV Cam FTR
access-list 100 permit ip host 10.10.10.173 any
access-list 100 remark Pyro
access-list 100 permit ip host 10.10.10.26 any
access-list 100 remark TV in FTR
access-list 100 permit ip host 10.10.10.32 any
access-list 100 remark Quorra
access-list 100 permit ip host 10.10.10.29 any
access-list 100 remark Gambit
access-list 100 permit ip host 10.10.10.12 any
access-list 100 remark THOR
access-list 100 permit ip host 10.10.10.21 any
access-list 100 remark QBO Remote VM
access-list 100 permit ip host 10.10.10.47 any
access-list 100 remark VIZ
access-list 100 permit ip host 10.10.10.5 any
access-list 100 remark vCenter
access-list 100 permit ip host 10.10.10.25 10.10.20.0 0.0.0.255
access-list 100 remark WISE
access-list 100 permit ip host 10.10.10.4 any
access-list 100 remark Email - Lotus Domino
access-list 100 permit ip host 10.10.10.1 any
access-list 100 remark TQ's PC1
access-list 100 permit ip host 10.10.10.124 any
access-list 100 remark Thrace
access-list 100 permit ip host 10.10.10.22 any
access-list 100 remark TQ's PC2
access-list 100 permit ip host 10.10.10.97 any
access-list 100 remark TQ's PC2 UDP
access-list 100 permit udp host 10.10.10.97 any
access-list 100 deny ip 203.47.157.0 0.0.0.255 any log
access-list 100 deny ip host 255.255.255.255 any log
access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
access-list 100 remark Block Port 25
access-list 100 deny tcp any eq smtp any eq smtp log
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark CCP_ACL Category=1
access-list 101 remark Auto generated by CCP for NTP (123) 212.12.50.232
access-list 101 permit udp host 212.12.50.232 eq ntp host 125.7.x.x eq ntp
access-list 101 permit ahp any host 125.7.x.x
access-list 101 permit esp any host 125.7.x.x
access-list 101 permit udp any host 125.7.x.x eq isakmp
access-list 101 permit udp any host 125.7.x.x eq non500-isakmp
access-list 101 permit ip host 10.10.20.100 10.10.10.0 0.0.0.255
access-list 101 permit ip host 10.10.20.101 10.10.10.0 0.0.0.255
access-list 101 permit ip host 10.10.20.102 10.10.10.0 0.0.0.255
access-list 101 permit ip host 10.10.20.103 10.10.10.0 0.0.0.255
access-list 101 permit ip host 10.10.20.104 10.10.10.0 0.0.0.255
access-list 101 permit ip host 10.10.20.105 10.10.10.0 0.0.0.255
access-list 101 permit ip host 10.10.20.106 10.10.10.0 0.0.0.255
access-list 101 permit ip host 10.10.20.107 10.10.10.0 0.0.0.255
access-list 101 permit ip host 10.10.20.108 10.10.10.0 0.0.0.255
access-list 101 permit ip host 10.10.20.109 10.10.10.0 0.0.0.255
access-list 101 permit ip host 10.10.20.110 10.10.10.0 0.0.0.255
access-list 101 permit ip host 10.10.20.111 10.10.10.0 0.0.0.255
access-list 101 permit ip host 10.10.20.112 10.10.10.0 0.0.0.255
access-list 101 permit ip host 10.10.20.113 10.10.10.0 0.0.0.255
access-list 101 permit ip host 10.10.20.114 10.10.10.0 0.0.0.255
access-list 101 permit ip host 10.10.20.115 10.10.10.0 0.0.0.255
access-list 101 permit ip host 10.10.20.116 10.10.10.0 0.0.0.255
access-list 101 permit ip host 10.10.20.117 10.10.10.0 0.0.0.255
access-list 101 permit ip host 10.10.20.118 10.10.10.0 0.0.0.255
access-list 101 permit ip host 10.10.20.119 10.10.10.0 0.0.0.255
access-list 101 permit ip host 10.10.20.120 10.10.10.0 0.0.0.255
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 permit ahp any any
access-list 101 deny udp any any eq 603
access-list 101 deny tcp any any eq 603
access-list 101 permit tcp any any eq smtp
access-list 101 remark Secure Inbound HTTPS
access-list 101 permit tcp any any eq 443
access-list 101 remark Allow remote ISW access to router
access-list 101 permit tcp 203.33.128.0 0.0.0.255 any
access-list 101 remark PPTP access to completekitchensolutions
access-list 101 permit gre host 202.170.194.141 any
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip host 255.255.255.255 any log
access-list 101 deny ip host 0.0.0.0 any log
access-list 101 deny ip any any log
access-list 102 remark SDM_ACL Category=4
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=4
access-list 103 remark SDM_ACL Category=2
access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.100
access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.101
access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.102
access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.103
access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.104
access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.105
access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.106
access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.107
access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.108
access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.109
access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.110
access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.111
access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.112
access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.113
access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.114
access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.115
access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.116
access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.117
access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.118
access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.119
access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.120
access-list 103 permit ip 10.10.10.0 0.0.0.255 any
access-list 103 remark SDM_ACL Category=2
access-list 104 remark SDM_ACL Category=2
access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.100
access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.101
access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.102
access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.103
access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.104
access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.105
access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.106
access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.107
access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.108
access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.109
access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.110
access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.111
access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.112
access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.113
access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.114
access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.115
access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.116
access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.117
access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.118
access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.119
access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.120
access-list 104 permit ip 10.10.10.0 0.0.0.255 any
access-list 104 remark SDM_ACL Category=2
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 103
route-map SDM_RMAP_2 permit 1
match ip address 104
snmp-server community public RO
banner login ^CCCCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
line con 0
transport output telnet
line aux 0
transport output telnet
line vty 0 4
transport input telnet ssh
scheduler max-task-time 5000 4000 1000
scheduler interval 500
ntp server 212.12.50.232 source FastEthernet4
endI decided it might be easier to factory restore, setup, enter the NAT setting and setup the firewall using the wizard, but still it is not working.
Updated config: (some info replaced with "xx")
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Router
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
enable secret 4 xx
no aaa new-model
memory-size iomem 10
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-84280098
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-84280098
revocation-check none
rsakeypair TP-self-signed-84280098
crypto pki certificate chain TP-self-signed-84280098
certificate self-signed 01
xx
quit
ip source-route
ip cef
ip name-server 8.8.8.8
no ipv6 cef
license udi pid CISCO881-K9 sn FGL164227LM
username admin privilege 15 secret 4
xx
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any CCP_PPTP
match class-map SDM_GRE
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any ccp-cls-insp-traffic
match protocol pptp
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all sdm-nat-https-1
match access-group 102
match protocol https
class-map type inspect match-all ccp-protocol-http
match protocol http
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-https-1
inspect
class type inspect CCP_PPTP
pass
class class-default
drop log
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class class-default
drop
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface FastEthernet4
description $ETH-WAN$$FW_OUTSIDE$
ip address 125.7.xx.xx 255.255.255.252
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
duplex auto
speed auto
interface Vlan1
description $FW_INSIDE$
ip address 10.10.10.3 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 101 interface FastEthernet4 overload
ip nat inside source static tcp 10.10.10.29 443 interface FastEthernet4 443
ip route 0.0.0.0 0.0.0.0 125.7.xx.xx
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 125.7.xx.xx 0.0.0.3 any
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 10.10.10.29
line con 0
exec-timeout 5 30
password xx
login
line aux 0
line vty 0 4
privilege level 15
password xx
login local
transport input telnet ssh
end -
Cisco 3945 Policy Base Routing
I have a Cisco 3945, it has on it two DS3 lines which I like to treat independent from each other.
I can ping both Serial interfaces from the internet, and I can ping only GIG 0/0 from the internet. but since the router is configured with one static route, GIG 0/1 can't be ping from the outside
Any help would be greatly appreciated
This is my current config:
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname MOVLABT3-CA-ES
boot-start-marker
boot-end-marker
card type t3 1
card type t3 2
enable secret 4 oMCBqgRTCeX5XeEW3HsBW6zI763Fibuq/UrLhF/91Rs
no aaa new-model
no ipv6 cef
ip source-route
ip cef
multilink bundle-name authenticated
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-1015775704
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1015775704
revocation-check none
rsakeypair TP-self-signed-1015775704
crypto pki certificate chain TP-self-signed-1015775704
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31303135 37373537 3034301E 170D3132 30393237 31383132
32305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 30313537
37353730 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
810097B2 EE9BF6EF F19DDD93 71CA6D5B D672A749 6997BB7E 81256BFA A2BE8B0F
E8EC5D36 F8618878 88C7016D D8998B95 293DE6F3 C0BB5CFE F2356AFD 26645A29
F3BB69C9 46B6959B 98F35193 9729499A 8C9097FE BD0A80A4 727C87F8 963200CE
E852DD3E 1F9F3B97 1DA1902D 7B352FAE 4FA08D32 95362373 887C6D02 6209152F
73850203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 14BCCEA0 AF8EBDF2 05F01968 14CAE720 A41AE8FE EA301D06
03551D0E 04160414 BCCEA0AF 8EBDF205 F0196814 CAE720A4 1AE8FEEA 300D0609
2A864886 F70D0101 05050003 81810066 18505A9D 0D3C4C8F 0C90108D F0606014
0EAE4129 2908928E D4DA7FDC 17D2A21A 4B2689F3 AF6CA062 82A5E7EF 1A0EDA37
297AE79B 65F7182E ED4A57D7 081EC729 A85F2AFB 5A46136A F0F91853 46C89FA7
A1D9F67F 83961EFF E92D7363 D2862517 D1214501 84D675A0 8561891F 4E791F32
6E67990A 9A7B49F9 8D1A8CA0 51AAF2
quit
license udi pid C3900-SPE150/K9 sn FOC16313DE8
hw-module sm 1
hw-module sm 2
controller T3 1/0
cablelength 75
controller T3 2/0
cablelength 75
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
ip address 207.168.4.49 255.255.255.240
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
interface GigabitEthernet0/1
ip address 206.135.120.114 255.255.255.240
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
interface Serial1/0
ip address 206.135.100.202 255.255.255.252
ip nat outside
ip virtual-reassembly in
dsu bandwidth 44210
interface Serial2/0
ip address 205.214.40.6 255.255.255.252
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dsu bandwidth 44210
no ip classless
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 206.135.100.201
access-list 1 permit 10.0.0.0 0.0.0.255
snmp-server community RO-N1mS0ft RO
control-plane
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login
transport input all
scheduler allocate 20000 1000
endThis is what it looks like now, and I still can't ping gig 0/1 from the internet
interface GigabitEthernet0/0
ip address 207.168.4.49 255.255.255.240
ip virtual-reassembly in
duplex auto
speed auto
interface GigabitEthernet0/1
ip address 206.135.120.114 255.255.255.240
ip virtual-reassembly in
ip policy route-map pbr
duplex auto
speed auto
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
interface Serial1/0
ip address 206.135.100.202 255.255.255.252
ip virtual-reassembly in
dsu bandwidth 44210
interface Serial2/0
ip address 205.214.40.6 255.255.255.252
ip virtual-reassembly in
encapsulation ppp
dsu bandwidth 44210
ip local policy route-map PBR
no ip classless
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 206.135.100.201
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 101 permit ip 206.135.120.112 0.0.0.15 any
route-map pbr permit 10
match ip address 101
set ip next-hop 205.214.40.5
snmp-server community RO-N1mS0ft RO
control-plane
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login
transport input all
scheduler allocate 20000 1000
end
Maybe you are looking for
-
FFmpeg crash when recording desktop
I'm using x264-git and ffmpeg-svn from AUR. I am attempting to record usage of xcalc as an example of using FFmpeg to capture a specific application on the desktop. However, FFmpeg will always crash at certain resolutions, but it will encode if I
-
Hi Gurus, Recently upgraded HFM system in distributed environment from version 11.1.2.1 to 11.1.2.2 on MS Win 2008 R2 platform and Oracle 11g database. There are two servers as follows: Machine 1: Foundation
-
Does apple account sync automatically with the person name and number saved in contact list.
I have a contact saved in my phone only contact number is saved.. Does iPhone automatically synchronizes the email id related to that contact if that contact person is having an apple id??
-
Is there any successful example of USRP RIO with PCIe adapter?
Hi All, Can I ask who has ever had successful experience of achieving high IQ rate using USRP RIO with PCIe adapter? If so, what PC were you using? I am working on the USRP RIO. I tried to run the LabVIEW code for the USRP-2920 on the U
-
Installing itunes removed my DVD drive??
I downloaded iTunes just to try it out, and uninstalled it later. After removing it I realized that my DVD drive was gone too. Seems like itunes removed the drivers while uninstalling itself, but I'm not exactly sure when the drive was uninstalled. T