Connection dropped between ASA and router

Hi,
Last night Internet traffic was going from my 2811 router to the Internet via my ASA 5510 (as it should do and in accordance with my route-map policy) but, when I came in this morning, traffic wasn't going via my ASA as my route-map policy specified, it was going straight to the Internet via my Gateway of Last Resort (an SDSL router). When I did a ping between the ASA and the 2811 router, traffic started to be routed via the ASA again, as specified by the Route-Map policy. Does anyone know what caused this to happen?
Thanks,
Jaime

Ensure your ACL is configured properly on your device, or maybe you made some changes recently.

Similar Messages

  • How to use the private subnet between ASA and Router

    Guys,
    Here is the context:
    I am connecting to 2 ISPs for load sharing traffic coming from my private network.
    The 2 links from the ISPs terminate in the router which connects to an ASA via a private subnet, back to my private network.
    I have configured PBR in the router, to prefer ISP1 for traffic coming from my internal servers X, Y, Z  (public addresses, no need for the ASA to translate).  The router  should send any other traffic coming from the rest of my private address space, servers W, V, U  (after translation by ASA) to ISP2.
    So far so good.  The default route defined on ASA points to the internal LAN interface of the Router (private ip address). How can I route this subnet used between the ASA and Router? Being a private address I have to translate it to something (public) before the router can send it out. But translate to what?
    Alternatively I could use a public subnet. But I do not have any. How do I get around this?
    Regards
    Ndaungwe

    You have IP addresses on the direct interface links to the ISPs? You could use those IP addresses with NAT overload.

  • Connection dropped between DPM and Agent during consistency check, following DPM 2012 SP1 to DPM 2012 R2

    Recently I have updated a DPM 2012 SP1 standalone server to DPM 2012 R2. That in itself was a challenge... Following the upgrade most of the protection groups required consistency checks. For some time I have been having problems performing these consistency checks on remote servers over a 10Meg link.
    On the DPM server I would kick off a ping to the remote host, then start a consistency check. Within a few seconds I would start to get dropped pings, and very large ping response times, 3000ms plus. Within 3 minutes the pings would time out completely and no connections can be made to the remote server, RDP etc. However any other server on the network can connect to the remote client. Eventually the DPM jobs time out and sometime later the pings also return.
    The resolution to this has taken some digging but this is what I have found. The DPM agent update does not seem to fully work and requires a reinstall. Here is my process:
    Logon to remote client server
    Install .net 4 (a raw install of the client requires this, may not be needed when done via DPM)
    Via Add Remove Programs, remove DPM agent
    Clean up Reg
    Delete "HKLM\SOFTWARE\Microsoft\Microsoft Data Protection Manager"
    Delete "HKLM\System\CurrentControlSet\Services\DPM**" (However this key is not there for me)
    Back onto DPM Server
    Modified protection groups as required to remove all instances of the client server
    Remove Agent for client server
    Install agent via DPM (watch for the glitch right at the end where it does a failed, then succeed…)
    REBOOT client server
    Add back into protection group
    Consistency check kicked off automatically
    This seems to have fixed the issue.

    Hi,
    The prerequisite required for DPM 2012 SP1 that must be installed is a re-release of UR3 which is 4.1.3317.0 - please download and install the update specified.
    Regards, Mike J. [MSFT]

  • IPSec ikev2 between ASA and Cisco Router

    Hi,
    I try to do IPSec with ikev2 (SHA2) between ASA and Cisco Router, without success. Can anyone help me?
    - Remote site (Router) with dynamic public IP -> Dynamic crypto map on the ASA
    - Authentication with Certificates
    - integrity sha2
    I try a lot of configurations without success.
    Thanks for your help.
    Mic

    The more secure ike policy should have the higher priority which is a smaller number. So I would configure there the following way (policy 30 only if really needed):
    crypto ikev1 policy 10
     authentication pre-share
     encryption aes-256
     hash sha
     group 5
     lifetime 28800
    crypto ikev1 policy 20
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 28800
    crypto ikev1 policy 30
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 43200
    The Cisco VPN Client is EOL and not supported any longer. And yes, by default DH group 2 is used. But that can be configured by a parameter in the PCF-file.
    There are two (three) better options:
    1) Best option with very little needed configuration: Move to AnyConnect with TLS. AnyConnect is the actual Cisco client that is also supported with Windows 8.x. The legacy IPsec client isn't.
    2) Best option with a little stronger crypto but more configuration: Move to AnyConnect with IPsec/IKEv2.
    3) Move to a third-party client like shrew.net. I haven't used that client for a couple of years, but it's quite flexible and also has a config for a better DH-group.
    For option 1) and 2) there is an extra license needed, but that's not very expensive.

  • (UIX XML) Sharing Connection objects between BC4J and custom java.

    If I have a UIX XML page that contains some BC4J application modules, then in the event handler I call [public static EventResult handleMyEventEvent (BajaContext context, Page page, PageEvent event..) ], which in turn calls some java classes I have written that take a java.sql.Connection object and access the database doing some updates/inserts with this Connection object (via JDBC)....HOW CAN I USE THE SAME TRANSACTION AS WAS USED IN THE BC4J APPLICATION MODULE...i.e. CAN I SHARE THE CONNECTION OBJECT BETWEEN BC4J AND MY OWN JAVA CLASSES THAT USE JDBC?
    What are the best ways to share such a transaction?
    Thanks,
    Paul.

    Would it be easier to use a custom method on the bc4j Application module?
    Take this scenario...
    1. User opens UIX XML web page which opens a bc4j App Module..it has a VO based on all employees.
    2. User presses the add button and a new employee is created (using the bc4j App Module).
    (Notice: no commit yet!)
    3. User presses the submit button...fires event REVIEW_SALARY.
    4. This event is 'handled' in the event section of the UML XML...it calls:-
    public static EventResult handleREVIEW_SALARYEvent (BajaContext context, Page page, PageEvent event)...
    5. I now want to call a java class I wrote that computes an employees new salary and updates the employee record with this new salary. This update will fail unless it is part of the same transaction as the one used by the bc4j App Module (that inserted the new employee).
    How best to proceed from here?
    How about having a method on the bc4j App Mod's VO called 'reviewSalary'? Calling this would use the same transaction? I could then call my java class from within the VO's method? However do I still have the same problem in that my java class expects to be passed the connection object?
    The approach you suggested previously seems a touch dangerous....in that these are not 'publicly exposed'...and a new release of JDev may break my code.
    Thanks,
    Paul.

  • IPSEC b/w ASA and Router --- with nat stuff

    I need help regarding the following issue..
    An asa is connected to a router which is connected to the internet.
    A VPN must be established b/w the ASA and a router that is over the internet. The ASA is not directly connected to the internet. It is connected to a router which NATs the ASA outside IP to a static global IP.
    All I need to know is whether I need any special configs for this, or whether it's the same as if the ASA had been directly connected to the internet.

    In order to configure a LAN-to-LAN tunnel between a Cisco IOS router and an Adaptive Security Appliance (ASA), these configurations are required on the ASA:
    Configure the crypto ipsec command in Phase 2.
    Configure the isakmp policy command.
    Configure the nat 0 command and the access-list command in order to bypass NATting.
    Configure the crypto-map command.
    Configure the tunnel-group DefaultL2LGroup command with group information

  • Site-to-site ASA and Router IOS

    Hi everyone! I am trying to connect a site-to-site between an ASA and a router 3900 series. My question is what should I have to configure in the router site to protect my LAN from any external attack?
    Thanks

    Check the below posting...
    https://supportforums.cisco.com/thread/70943
    Also, make sure to allow site-to-site tunnel related ports from ASA IP only.
    hth
    MS

  • Connection drops with arch64 and atheros wireless

    Hi, I've just installed arch64 on my desktop. I have a dlink dwa-556 wireless adapter, with atheros chipset. The card is seen correctly and has been configured. I started a kdemod install with pacman, went on for about an hour, and then it hung, the wireless connection dropped... I tried to start it up again, but only a reboot could help... now I started pacman again and after some minutes bang! connection dropped again...
    this is what iwconfig says
    wlan0 IEEE 802.11bgn ESSID:CUT
    Mode:Managed Frequency:2.432 GHz Access Point: Not Associated
    Tx-Power27dBm
    [cut]
    Link Quality:0 Signal level:0 Noise level:0
    [rest is all 0]
    iwlist says my router has a quality of 30-40/100 and a signal level of around -76dBm
    any help?
    edit: typo on title
    Last edited by sunriis (2009-02-19 18:45:04)

    I think I may be experiencing something similar. I'm also running Arch64 and have the exact same adapter (DWA-556) and every once in a while my wireless connection drops. It only happens once every few days or so, but whenever it happens on my system it seems to cause anything Xorg-related (mouse, keyboard, video) to respond slowly. If I move the mouse around it doesn't move smoothly - it kind of jerks and jumps around.
    Whenever the connection drops like this, I see something like the following in /var/log/messages.log:
    Feb 16 17:07:26 blacktower dhcpcd[19326]: ath0: carrier lost
    The first couple of times this happened to me, I had to reboot to get the connection going again. I did find another way to get the connection working, though. What I did was unload the modules related to the wireless adapter, reload them, and then reconnect to the network. I wrote a quick shell script to do this for me, which looks like this:
    #!/bin/sh
    sudo rmmod ath_pci ath_rate_sample ath_hal
    sudo modprobe ath_pci
    sudo modprobe ath_hal
    sudo netcfg -d home
    sudo netcfg home
    I'm using the madwifi driver right now and as you can see, I use netcfg to connect to my wireless network here. I've tried the ath5k driver but I seem to have the same issue with that. I haven't really found a solution to this yet, but the workaround of removing the modules, reloading them, and then reconnecting has worked well enough so far. If I dig up anything else helpful on this, I'll be glad to post it here.

  • Packet Loss between ASA and 871

    We are running a Cisco ASA 5505 and remote clients are 871's. We currently use a EasyVPN configuration between the single ASA and our 13 871's.
    Today (1) out of the (13) tunnels is experiencing packet loss. I have power cycled the broadband router on the 871 end and the 871 and the situation still exists.
    Does anyone know what would cause this and how to troubleshoot it?
    Thanks,
    Jason

    Have you contacted the broadband provider on the 871 side to rule out any issues on the link? What broadband, ADSLAM PPPoA? Start first ruling out physical issues, WAN interface, LAN interface stats, and work your way up. Is this something that suddenly developed? From what you post it seems this tunnel has been fine; it could be broadband link issues, but first investigate with the provider to go to the next step.
    What do you see in the 871 router logs in terms of links? Turn on logging informational before starting debug procedures.
    HTH
    Jorge

  • Connectivity loss between PLC and Kepware

    Hi Experts,
    I'm working on SAP PCo and PLC connectivity using Kepware.
    I'm trying to find out ways to find connectivity loss between
    1) PLC and Kepware
    2) Kepware and PCo
    For the 2nd approach, if connectivity loss is there then the PCo instance will go in error state and using remote monitoring we can get an alert.
    But I'm not able to find any way for the 1st approach.
    If the PLC connection is lost then only the tag quality in Kepware is bad.
    Is there any way in the PCo expression editor to check tag quality so that I can trigger an MII transaction?
    Thanks in advance.
    Regards,
    Neha

    To add to Hubrisnsx's comment ... are you provisioned Ethernet or MoCA for the WAN connection?
    Edit: Never mind, I see in the first post you said MoCA.   So, if the MoCA channel is staying up, then it sounds like it might be something inside the ONT. 
    Keep in mind that while some Verizon folks do drop by these forums from time to time, this is primarily a user to user forum where customers can help one another.

  • Connection failures between iMac and Macbook Pro

    I'm experiencing frequent connection failures over my wi-fi network between my iMac and Macbook Pro on an otherwise strong, stable network. I can connect both of my computers to the Airport Time Capsule that I use as my wireless router without a problem, but for some reason I get connection failures between the computers say, 50% of the time. Sometimes it works fine, others it just hangs before giving me an error message. Any suggestions?
    OS 10.9.3 on both machines
    Apple Airport Extreme Time Capsule
    iMac, 3.06GHz i3 (2010)
    Macbook Pro Retina, 2.4 GHz i7 (1st Gen)

    Hi jt in nyc,
    Some checks:
    Use Airport Utility on one of the machines
    - Click on the Time Capsule ( enter password if prompted )
    - Click on the Edit button
    Under Airport Utility -> Wireless -> Wireless Options
    Are the Time Capsule Wireless options set correctly?
    - Country -> you know this, change if it is not
    - 2.4GHz and 5GHz Channel set to Automatic
    - Click on Cancel button to return to the Airport Utility graphic diagram.
    - Click on the Time Capsule
    - Click on your machines listed beside wireless clients
    Are the machines reporting an excellent quality at different distances from the Time Machine?

  • Connecting routers. ASA and 2921

    Here is a link to the previous post to explain where we were. https://supportforums.cisco.com/message/4133793#4133793
    OK..
    I have an ASA 5510 and a 2921.
    The ASA is used as vpn/firewall and internet,
    The 2921 is used for inter-vlan routing..
    My  primary scenario, take a look at the image . https://supportforums.cisco.com/servlet/JiveServlet/download/4096848-15371310/router_net.gif
    My data network  is 10.20.60.0
    My Voice network is 192.168.2.0
    The problem; with this setup, I cannot get the 192.168.2.0 network to browse the web. And I cannot get to access my VOICE mail server unless I use a 192 address.
    The solution:
    Roger
    so remember the plan was to remove the 2921 interface and use 10.10.10.2 on the inter with 10.20.60.2...
    1) shutdown the 2921 interface on the ASA and remove the address from the config.
    2) remove the cable from the inside interface of the ASA that i think still connects to a switch.
    3) take the cable that is in the 2921 interface on the ASA and connect it to the inside interface of the ASA.
    Now the 2921 router physical connection runs from gi0/2 on the router to the inside interface of the ASA.
    4) remove the 10.20.60.2 address from the inside interface on the ASA and add the 10.10.10.2 address that was previously on the 2921 ASA interface.
    5) these routes on the ASA need changing  -
    a) remove these -
    no route 2921 10.20.30.0 255.255.254.0 10.10.10.1 1
    no route 2921 192.168.2.0 255.255.255.0 10.10.10.1 1
    b) add these
    route inside 10.20.30.0 255.255.254.0 10.10.10.1 1
    route inside 192.168.2.0 255.255.255.0 10.10.10.1 1
    6) add this route to the 2921
    ip route 0.0.0.0 0.0.0.0 10.10.10.2
    That should do it. As i say you will need downtime but once done all internal vlans should route via the 2921 and the ASA should only be used for internet. The ASA NAT statements reference the inside interface so it should just work.
    And Still no connection.. If you follow the thread post on top you will get a better Idea..
    Basically I want to be able to get the 10.20.60.0 network  and use the asa for vpn and internet while use the 2921 for routing.

    Roger
    Okay, I thought it might be an issue with the cable ie. straight thru vs cross over.
    When you tried to browse the web did you check that the interfaces on the 2921 and the ASA were both up ?
    As long as the routes were added ie, the default route on the 2921 to the ASA inside interface and routes on the ASA pointing back to the 2921 then it should have worked.
    If it is not the cable then the only other things i can think of are -
    1) the default gateway on the PCs is not set correctly but then the PC in different vlans would not be able to talk to each other.
    In your diagram you say the gateway for the internet is now 10.10.10.2. But that is only on the router ie. the default route. The PCs should have their default gateways set to the respective subinterface IP on the 2921 - is this how you did it ?
    2) some misconfiguration on your ASA.
    In addition you say you cannot get to the voice server unless you use a 192.168.x.x address. What subnet is the voice server on ?
    Did you manage to save the configs when you did the upgrade or are you back to where you were before without the configs ?
    Jon

  • Issue bringing up VPN between ASA and Checkpoint - HELP

    Hi all
    We are having major issues bringing up a vpn between our ASA and third party checkpoint, it seems if the checkpoint initiates the connection it works, but if we initiate it from the ASA it doesn't come up.
    on the ASA I see the following
    any ideas what this is ?
    7  Jan 30 2014  11:52:03  715065  IP = 159.50.93.1, IKE MM Initiator FSM error history (struct &0x79c4bb68) , : MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY

    Phase 2 failures means several things:
    Encryption domain (interesting traffic) fails to match.  Checkpoint tends to supernet networks together, by design,
    Phase 2 parameters such as ESP, PFS and seconds timeouts do not match.
    Why don't you put in the relevant configuration on the ASA and if possible, ask the checkpoint firewall guy to do the following on the firewall:
    - output of "uname -a" and "fw ver"
    - is this Nokia, Windows or Secureplatform Checkpoint?
    - run the following commands on the firewall:  "debug ike off", "debug ike trunc"  and send you the ike.elg file.  That file can be decoded with the IKEView.exe and it will tell you exactly where things are wrong. 
    Disable/turn OFF kilobytes timeouts is not the solution. 

  • Transfer files between ASA and a host across a VPN

    Hello Guys,
    I have a Remote Access VPN between an ASA and a Windows PC, the issue that I'm seeing is that I can't transfer files between the ASA and my PC across the VPN.
    The first time I thought that because the size of the file and some issue with my ADSL service bandwidth could be the problem. However, I tried to copy the running config of the ASA to my PC and is also impossible. I received this error:
    ASA# copy running-config tftp:
    Source filename [running-config]?
    Address or name of remote host []? 10.10.10.2   ----> This is the address of my PC over the VPN tunnel
    Destination filename [running-config]? ASA-Config04032014
    Cryptochecksum: f5a9f8cb 9f63b2e5 e8c99e36 9498cb50
    %Error writing tftp://10.10.10.2/ASA-Config04032014 (Timed out attempting to connect)
    Has anybody had this kind of problem before?
    Thanks in advance,

    I was wondering if I transfer files between a PC and Mac via Ethernet cable can I reverse the transfer from a Mac to a Pc?
    Yes. Start Windows File Sharing on the Mac and then access it on the PC.

  • Switching between ap# and router#

    Hi
    I have configured my Cisco 887VAMW with ADSL and Wifi but the only way I can configure the ap and router separately is to be connected to the router by ssh and the ap via console cable.
    When at the ap# prompt, how do I get back to the router#?
    I have tried the instructions on cisco.com:
    Closing the Session
    To close the session between the wireless device and the router’s console, perform both of the following steps.
    Wireless Device
    1. Control-Shift-6 x
    Router
    2. disconnect
    3. Press Enter twice.
    But it doesn't work....help!!!
    Thanks

    When you are in router# mode in order to enter ap# mode:
    cmd: #service-module wlan-ap 0 session  -of course I'm sure you have covered this
    from ap# to router#
    PRESS: CTRL+SHIFT+6, let go, then just press X
    -A line should appear on the cmd you did
    -Press enter once!
