Cluster IP address through L2L tunnel

I have 3 Windows 2003 terminal servers set up for load balancing using Windows Network Load Balancing Manager. IP addresses 192.168.1.14, 192.168.1.15, 192.168.1.16; cluster IP 192.168.1.40, multicast.
I have a remote site connected via a site-to-site VPN tunnel using Cisco ASA5510 devices, subnet 192.168.100.1. On the local LAN (192.168.1.0) I can connect to the terminal servers using the cluster IP; at the remote site I cannot. At the remote site I can connect to each TS using its actual IP address, and I can ping the cluster IP address or the DNS name and get a response. Can anybody think of any reason why I cannot connect using the cluster IP address?
Thanks

I have set up Wireshark on my 192.168.1.0 subnet and set up a packet capture on the ASA5510. In Wireshark I see SYN packets coming in from my machine 192.168.100.102 to the cluster IP, and I see SYN,ACK packets with src the cluster IP (with the MAC address of one of the terminal servers) and dst my IP address (with the MAC address of the ASA 5510). In the ASA5510 packet capture I only see the SYN packets from my machine coming in, but no SYN,ACK packets going out. What happened to the SYN,ACK packets?
I did a packet capture when connecting to the actual IP address of the terminal server (which works) and compared the SYN,ACK packets from both and saw no difference.

Similar Messages

  • Ping IP addresses through VPN tunnel

    Is it possible to ping an address through a VPN tunnel? I have a Panasonic system with IP phones located at the far end of a tunnel. I cannot ping them or ping a computer at the far end using the private address.

    Did you check any firewalls that might be hindering your connection, both in your network and the remote network? I saw a link that has worked with a gateway topology for Quick VPN. Try this link:
    http://forums.linksysbycisco.com/linksys/board/message?board.id=Wireless_Routers&message.id=97196&qu... 
    If that still didn't work, please elaborate on the network topology of your network and the remote network so we can further understand the cause of the problem.

  • Two separate L2L tunnels between same two ASA

    I have a large MPLS fully meshed network with two main locations, both of which have an ASA with internet access as well as the MPLS access. I need to be able to provide a backup connection between the two main locations in the event one of the MPLS links to one or the other goes down.
    I am considering using an L2L IPsec tunnel between the two ASAs, but the interesting traffic for the tunnel is different depending on which of the links is down, and therefore I would need two different tunnels. I have my servers and remote desktop servers at one of the main sites, and the other main site has another organization attached to it externally that the servers must be able to access.
    Is there a way of creating two separate L2L tunnels between the two ASAs? Could I perhaps assign two public IP addresses to each of the ASAs and then create the tunnels between different endpoints on each ASA?
    Does anyone have another possible solution to the problem? 
    Gene

    You should be able to do what you want using IP SLA. Please see this excellent blog post which documents one way to accomplish it.
    Hope this helps.

  • Oracle application having problem on PIX to ASA L2L tunnel.

    Hi ALL,
    My customer performed a PIX migration to an ASA5520 last weekend, and the configuration on the new ASA5520 is almost the same as on the original PIX515. There are several L2L VPN tunnel configurations on the ASA5520. After the migration, all VPN tunnels establish without problem. But my customer found that their Oracle application running over one of the VPN tunnels has a connectivity issue. This application did not have a problem in the original environment.
    This VPN tunnel is an L2L tunnel between the remote and main office. In the remote office, the VPN endpoint is a PIX515E with OS 7.0(5). In the main office it is an ASA5520 with 7.2(2). The original firewall in the main office was a PIX 515 with 7.0(5). The IPsec match address list is an IP network to IP network access list without port definition.
    We found that the Oracle client in the remote office can connect to the port opened on the Oracle server in the main office. But after connecting to that port on the server, the application re-establishes a new connection using a random port between this client and server, and this new connection seems unable to establish.
    Can anyone tell me whether it is possible for this IPsec tunnel to impact the Oracle application? The ACL is an IP to IP ACL. What can I do to troubleshoot this issue? Why does the issue arise on the new ASA implementation?
    I'm looking forward to your reply! Please help!
    Jason

    Hi,
    Here are the end-to-end troubleshooting steps for an L2L tunnel.
    Please check the debug commands carefully; you will find the key point where the trouble is.
    http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml
    Regards,
    Dharmesh Purohit

  • Creating L2L Tunnel to IOS Endpoint

    Hey All,
    Quick question. I've been reviewing the guides on Cisco and have yet to find an example of what I'm looking for. The scenario is that there will be a client device that uses DHCP on the WAN side. This device can authenticate using IPsec to a VPN termination device. On our hub end we want to use a Cisco IOS router to terminate the connection. My question is that this will not be exactly an L2L tunnel; the endpoint has a configuration to build in a username to authenticate with. So it appears the tunnel will authenticate using a username and pre-shared key, rather than a PSK and a configured remote IP address (since this is DHCP). I've found an example of this on Cisco here: http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00800ae459.shtml. Unfortunately the example is from an IOS DHCP endpoint to a 3000-series concentrator. Anyone have a config example of what I'm looking for?
    -Mike
    http://cs-mars.blogspot.com

    Mike,
    When you say client device, is it a router or a PC?
    If it is a PC, take a look at this link:
    Link 1:
    http://www.cisco.com/en/US/partner/products/sw/secursw/ps2308/products_configuration_example09186a00801c4246.shtml
    If it is a device like a router, you need to configure the router just like the one in the link below,
    Link 2:
    http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800945cf.shtml
    But the server part is like Link 1.
    Hope this helps.
    Here is a good link for configuration of VPN on Cisco devices.
    http://www.cisco.com/en/US/partner/tech/tk583/tk372/tech_configuration_examples_list.html
    Rate this post, if it helps.
    Thanks
    Gilbert

  • Is it possible to allocate bandwidth to an application in an L2L tunnel?

    Hi,
    In an L2L tunnel, we wanted to allocate bandwidth for all users in Site A when accessing applications (web-based and thick) on a server in Site B. The response times for both applications are not acceptable.
    The same VPN link between the two sites is also used by other applications, i.e. DC replication, etc., and the Internet link used for the VPN is also used for SMTP and Lotus Notes.
    In Site A, the tunnel is terminated on the outside of a PIX 7.2(2), and in Site B it is terminated on the outside of an ASA 5510 7.2(2). The routers in front of these firewalls have PBR such that the PAT'ed address from the firewall is routed to the ADSL instead of the serial interface.
    If we'll upgrade the Internet line, I have to make sure that it will resolve the issue.
    Thanks in advance.
    Regards,
    Archie

    Hi,
    Thanks.
    - The first challenge is where to apply QoS, i.e. do traffic policing/allocate bandwidth for IPsec use. My guess is on the router, but I'm not 100% sure.
    - If on the router, what's the command?
    - Once the first challenge is done, can I do traffic policing on applications inside the VPN which are terminated on the PIX and ASA?
    Regards,
    Archie

  • ASA - ICMP works on a L2L tunnel but TCP fails.

    All,
    I have just started to work with ASAs and I have a couple of problems with two 5510 8.4(1) ASAs supporting an L2L tunnel.
    Problem 1:
    Below is the topology; currently the only config on these ASAs is what is required to get the LAN2LAN tunnel set up and nothing more. ASA01 and ASA02 are the tunnel termination devices.
    LAN A->Routing device->ASA-01 ----->Internet<------------ASA-02<-Routing device<-LAN2
    Below is what is working:
    - The tunnel is established between the ASAs.
    - I can ping from LAN A to LAN B and vice versa.
    Below is what is not working:
    - I cannot RDP from a device in LAN A to LAN B and vice versa.
    What we found in troubleshooting when we initiate an RDP session from a server in LAN-A to a server in LAN-B:
    - The packet capture on ASA-A shows that the SYN leaves the ingress (LAN interface).
    - The packet capture on ASA-B shows that the SYN is leaving the LAN interface.
    - We don't see a SYN-ACK on ASA-B. First we thought there might be a different reason (detailed below as problem 2), but we don't see the SYN-ACK on ASA-A either.
    - Doing an asp-drop capture on ASA-B, we saw that the SYN,ACK from the server in LAN-B is being dropped with the following message:
    Drop-reason: (tcp-not-syn) First TCP packet not SYN
    Any ideas on why ASA-B doesn't treat this as an established TCP session?
    Problem 2:
    On the packet capture wizard in ASDM, if I do a capture on the LAN interface of ASA02 I can only see packets leaving the ASA towards the LAN, but I do not see anything coming back into the interface from the LAN. This works the same whether I do an ICMP or a TCP session (RDP).
    For example, ping from a server on LAN A to LAN B:
    - On ASA01
    The packet capture wizard shows both the icmp-echo from LAN-A and the icmp-reply from LAN-B.
    - On ASA02
    The packet capture wizard shows the icmp-echo from LAN-A but not the icmp-reply from LAN-B.
    I am not sure what the reason for both of the problems above is, and the reason might just be that my skill level with ASAs is not there yet. Any guidance will be greatly appreciated.
    Thanks,
    Vishnu

    Hello Vishnu,
    "Any ideas on why ASA-B doesn't treat this as an established TCP session?"
    This is happening because the ASA is not seeing the entire 3-way handshake. Are you sure all the packets are going across the ASA? I would recommend you do captures on both inside interfaces just for RDP traffic and attach them to this post so I can correlate and determine whether the ASA is indeed receiving what it needs.
    "On the packet capture wizard in ASDM, if I do a capture on the LAN interface of ASA02 I can only see packets leaving the ASA towards the LAN, but I do not see anything coming back into the interface from the LAN. This works the same whether I do an ICMP or a TCP session (RDP)."
    That's exactly the reason why this problem is happening. Good job correlating the facts.
    Resolution of the issues:
    I would say the problem is on the routing device between ASA-2 and LAN-2.
    Make sure the routing device knows that in order to reach LAN-1 it needs to send the traffic back to ASA-2, as somehow this traffic is not making it to the right interface.
    Remember to rate all of the helpful posts. That's as important as a Thanks.
    Julio Carvajal Segura

  • Getting Error: cluster ip address not added to tcpip properties

    I have 2 2008 R2 physical servers on the same subnet and they have been using NLB for the past 1.5 years. We had a firewall issue and I took one of the servers out of the cluster to do testing, while the other main server (priority 1) was left serving up the virtual IPs. The main server continues to work properly.
    The servers have 2 NICs, one for NLB and one just for regular traffic. The NICs also have their own IP addresses, and then there is a cluster IP and 2 virtual IPs.
    Error:
    When I try to add the second server to the cluster, I first connect to the existing cluster, which works fine. Then I do an Add Host to Cluster, type the name of the server and select the NLB NIC. It sees the other server and it seems to start the process; however, soon after, the NLB NIC goes from having internet access to an "enabled" state and the gateway gets taken out of the settings. I try to add it back, but as soon as I get out of the settings it disappears again. NLB Manager tells me: cluster ip address (192.#.#.#) not added to tcpip properties. It lists this error 4 times, once for each IP (2 virtual, 1 cluster, and then once for the dedicated NLB NIC IP). I have also tried adding all virtual IPs to the NLB NIC's settings and still get the same exact error. Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces - even the registry looks good.
    Any help would be appreciated. If I can't get any resolution, my next step is going to be to delete the NLB cluster on the main server and recreate it... but this requires downtime, and I have to make sure it comes back up!

    Hi,
    You can find the log of the event, then refer to the following KB for further troubleshooting.
    Network Adapter Functionality
    http://technet.microsoft.com/en-us/library/cc726411.aspx
    More information:
    Dual-NIC NLB Configuration with Windows Server 2008 NLB Clusters
    http://blogs.technet.com/b/networking/archive/2008/11/20/balancing-act-dual-nic-configuration-with-windows-server-2008-nlb-clusters.aspx
    Hope this helps.

  • DAG 2010 Cluster IP address resource 'Cluster IP Address' cannot be brought online because the cluster network replication

    Hello,
    DAG on Exchange 2010 SP3 RU6 with a MAPI network and a Replication network. All works correctly.
    But when the DAG member restarts, the cluster goes offline and I can't bring it online.
    The error message:
    Cluster IP address resource 'Cluster IP Address' cannot be brought online because the cluster network 'Cluster Network 1' is not configured to allow client access.
    Cluster Network 1 is the replication network, and it is normal that "allow client access" is unchecked.
    I already tried to check, apply, then uncheck and apply. It does nothing.
    Could you please help me to figure out the issue?
    Best regards

    Hi,
    Check the link below.
    http://forums.msexchange.org/Cluster_network_name_is_not_online/m_1800552315/tm.htm
    I was able to resolve the issue without taking down any resources.
    First, I noticed that the Failover Cluster Manager "Cluster Name" had the IP address of the replication network only.
    After going back through the guide at
    http://technet.microsoft.com/en-us/library/dd638104.aspx I changed the properties on the NICs for file sharing, etc. I then adjusted the Windows firewall rules to block traffic from my MAPI network destined for the replication network.
    I then removed the IP from the replication network on the DAG, leaving only the 1 MAPI network IP.
    After an hour or so, I ran Get-DatabaseAvailabilityGroupNetwork and saw that the MAPIAccess property was finally set to true on my MAPI network. I went back to Failover Cluster Manager and my Cluster Core Resource "Cluster Name" dropped the IP address that was associated (the IP from the replication network). I added a new IP from my MAPI network range, updated the DAG IP in Exchange and the DNS record for the DAG, and my cluster resource came online.

  • Long shot question about L2L tunnel

    I have a Cisco 5540 that terminates one end of an L2L tunnel; the remote end is a SonicWall TZ100. The tunnel is in place to carry voice traffic and I have a need to decrypt the traffic that's been captured in a .cap file using Wireshark 1.8.5.
    Anyone have any thoughts on how to go about getting the session keys from either device?

    Hi,
    Nice find and interesting read. Might have to take a look at this at some point.
    Are you capturing traffic on the ASA "outside" interface?
    I guess there must be a specific reason that you didn't capture the traffic before/after the tunnel on the "inside" interface of the ASA? Maybe to see that the same traffic/data was passed on to the L2L VPN after the ASA had encrypted/encapsulated the traffic?
    - Jouni

  • Reassign peers in a VPN L2L tunnel

    Curiosity question... I have 2 new ASA5515s that I am setting up for an equipment upgrade. In the time before I swap them out I am using them as a sort of makeshift lab to get the L2L VPN setup going. I did not want to use current IP addresses for the test environment, so I used bogus numbers.
    My question is: can I go back in and change the peer IP address and the local/remote addresses without having to tear them down to factory specs again?
    - Do I just reissue the tunnel-group X.X.X.X type ipsec-l2l command with the correct IPs?
    I know there are a few other areas where I will have to change the peer IP as well, but the gist of my question is: can I do it, or do I have to start over?
    -Jon

    Jon
    You shouldn't have to reconfigure them from scratch if that is what you are asking.
    You just need to modify the peer IPs wherever they appear in your configuration.
    Jon

  • Full L2L Tunnel

    Hello,
    I am curious to know if there is a way to make a full tunnel for an L2L option. I need to have all Internet traffic go through a trusted Internet connection. I know I can do this with GRE over IPsec, but was hoping for an alternative solution.
    Thanks in advance
    -Chris

    Hi Cristopher,
    When you create a LAN-to-LAN tunnel you define protected traffic in the crypto ACL, so if you would like to send all the traffic across the LAN-to-LAN tunnel, then do the following:
    hostname(config)# access-list l2l_list extended permit ip 192.168.0.0 255.255.0.0 any
    hostname(config)# crypto map abcmap 1 match address l2l_list
    Where 192.168.0.0/16 is your LAN.
    HTH.
    Portu.
    Please rate any helpful posts

  • SSL Cert for 2008 R2 Reporting Services that is installed on a Failover Cluster - server address mismatch?

    I utilized the idea from
    http://www.mssqltips.com/sqlservertip/2778/how-to-add-reporting-services-to-an-existing-sql-server-clustered-instance/ to install 2008 R2 Reporting Services on a new clustered SQL instance. In short, create the new clustered SQL instance on Node1, installing Reporting Services with it. Then on Node2, Add a Failover Cluster Node (without choosing Reporting Services), following that up with starting the SQL setup.exe with a cmd to bypass a check so that I can then install the Reporting Services feature on Node2. It points out using the SQL Cluster Network name for connecting to Reporting Services.
    I verified upon failover that I could still access the Reports and ReportServer URLs. However, when wanting to add an SSL certificate to the RS configuration, I run into the warning of "mismatched address - the security certificate presented by this website was issued for a different website's address", where I can continue and get to the Reports or ReportManager URLs.
    I played with different certs (internal CA created) and SANs and other things, but I still get this error with the cert. The Reports URL, for example, is https://<SQLClusterNetworkName>/Reports, and the cert has a CN and Friendly Name of SQLClusterNetworkName (with a SAN of DNS: SQLClusterNetworkName.<domain>), but the error still happens.
    What am I missing to eliminate the mismatched address warning when using the SQLClusterNetworkName as the base of the URLs?

    I got it working by using the FQDN as the common name on the SSL cert, with FQDN in RS URLs.

  • Jconsole - remote connection through ssh tunnel

    Hi all,
    I need to start jconsole on my Windows box and connect to a remote Tomcat server through an ssh tunnel.
    I have walked through various posts and blogs, but finally couldn't get it running.
    On the Linux server, I have set the following JAVA_OPTS:
    export JAVA_OPTS='-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=8888 -Dcom.sun.management.jmxremote.ssl=false -Djava.rmi.server.useLocalHostname=true -Dcom.sun.management.jmxremote.authenticate=false -Djava.rmi.server.hostname=myserver'
    myserver is the server name that is resolved by the hostname command. I also tried using localhost instead.
    On the client I run the following ssh command to create the tunnel:
    ssh tomcat@myserver -L8888:myserver:8888 -N -v
    When I try to create a remote connection with jconsole using localhost:8888, I see the following output from ssh:
    debug1: Connection to port 8888 forwarding to myserver port 8888 requested.
    debug1: channel 1: new [direct-tcpip]
    debug1: channel 1: free: direct-tcpip: listening port 8888 for myserver port 8888, connect from 127.0.0.1 port 1618, nchannels 2
    It looks not too bad to me, but unfortunately jconsole runs into a timeout after about 2 mins.
    On the server I see the following using netstat:
    tcp        0    168 myserver:ssh    mywindowsbox:3381  VERBUNDEN
    tcp        0      0 myserver:ssh    mywindowsbox:1317  VERBUNDEN
    tcp        0      0 myserver:44625  myserver:8888   TIME_WAIT
    tcp        0      0 *:8888                      *:*                         LISTEN
    It appears to me that the Tomcat server is listening correctly on port 8888 for all incoming hosts (although localhost should be enough).
    Furthermore, it seems that the ssh tunnel has been established.
    Why the hell can't jconsole connect?

    Hiya.
    JMX connections use two ports. You need the RMI registry and the RMI stub. The first one you bound to port 8888, but the other one is probably still bound to a random port. You need to be able to access that one through SSH as well.
    Trouble is that the second port uses a random port and most application servers can't statically configure this one. See this article for possible solutions (be sure to read the follow-ups as well): http://blogs.sun.com/jmxetc/entry/connecting_through_firewall_using_jmx
    Cheers,
    Hugp
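    The two-port problem described in the reply, worked through as an added example (not code from the original thread or from Tomcat): a standalone Java program that starts the platform MBeanServer's RMI connector with both the RMI registry and the exported RMIServer object pinned to the same port, so one forwarded port carries the whole JMX session. The port 8888 and the tunnel command are taken from the question; the advertised hostname "localhost" is an assumption that matches the jconsole target localhost:8888 used through the tunnel.

```java
import java.lang.management.ManagementFactory;
import java.rmi.registry.LocateRegistry;
import javax.management.MBeanServer;
import javax.management.remote.JMXConnectorServer;
import javax.management.remote.JMXConnectorServerFactory;
import javax.management.remote.JMXServiceURL;

/**
 * Added example, not part of the original thread. JMX over RMI normally
 * listens on two ports: the registry (jmxremote.port) and a randomly chosen
 * port for the exported RMIServer stub, which an ssh -L forward of a single
 * port never reaches. Naming the same port in both halves of the service URL
 * pins the stub to the registry port, so
 *   ssh tomcat@myserver -L8888:myserver:8888 -N
 * forwards everything jconsole needs.
 */
public class FixedPortJmxAgent {

    // Port taken from the question. Hostname is an assumption: it is what the
    // RMI stub advertises to the client, so through the tunnel it must be an
    // address the client can reach (localhost:8888 on the client side).
    private static final int JMX_PORT = 8888;
    private static final String ADVERTISED_HOST = "localhost";

    public static JMXConnectorServer start() throws Exception {
        // Must be set before the RMIServer object is exported.
        System.setProperty("java.rmi.server.hostname", ADVERTISED_HOST);

        // Port 1: the RMI registry in which jconsole looks up "jmxrmi".
        LocateRegistry.createRegistry(JMX_PORT);

        MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();

        // Port 2: the RMIServer object itself. The "rmi://host:port" before
        // "/jndi/" is the export port; reusing JMX_PORT removes the random port.
        JMXServiceURL url = new JMXServiceURL(
            "service:jmx:rmi://" + ADVERTISED_HOST + ":" + JMX_PORT
            + "/jndi/rmi://" + ADVERTISED_HOST + ":" + JMX_PORT + "/jmxrmi");

        // No environment map: like the question's flags, no SSL and no
        // authentication, which is only acceptable because the port is reached
        // over the ssh tunnel and should not be exposed on the network.
        JMXConnectorServer cs =
            JMXConnectorServerFactory.newJMXConnectorServer(url, null, mbs);
        cs.start();
        return cs;
    }

    public static void main(String[] args) throws Exception {
        JMXConnectorServer cs = start();
        System.out.println("JMX connector listening at " + cs.getAddress());
        // Keep the JVM alive; in jconsole use the "Remote Process" URL
        // service:jmx:rmi://localhost:8888/jndi/rmi://localhost:8888/jmxrmi
        Thread.currentThread().join();
    }
}
```

    For Tomcat the same connector would have to be started inside Tomcat's own JVM (for example from a lifecycle listener) rather than from a separate main class, since the MBeanServer being exposed is the one in the server process.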
