Connectivity Issues Cisco ASA 5515 in Transparent Mode

Similar Messages

• ASA 5510 in Transparent Mode-Guidelines.

  Dear all,
  I need to convert routed mode to transparent mode on my ASA-5510 with inbuilt IPS.
  let me know which of the following features configured on my firewall will have issue if converted to transparent mode:
  1. static routes.
  2. object-groups.
  3. ACLS.
  4. URL-filter (Websense).
  5. IPS . ( i doubt this )
  6. have 3 data and 1 Mgmt interfaces.
  7. syslog.
  8. SNMP
  I'm sure point 5 and 6 will have issues, need to confirm.
  need to confirm this by EOD,
  ( 5 hours more).
  thanks in advance.
  Shukla.

  Does not participate in routing protocols but can still pass routing protocol traffic through it. You can define static routes for the traffic originated by the ASA.
  in transparante mode the devices dehind and infront of the firewall will be in the same ip subnet as the firewall will be a L2 device!!
  ACLs can be configured normally
  syslog as well
  obgect groups as well
  Address translation is inherent when a firewall is configured for routed mode. Beginning with
  ASA 8.0, address translation can be used in transparent mode as well
  Does not participate in multicast. However, it allows passing the multicast traffic through it using the ACLs.
  Does not support QoS.
  Inspects Layer 2 and higher packet headers
  as long as u can use
  policy-map global_policy
  then u can integrate with IPS if u mean AIP-ssm modul
  transparent also known as a Layer 2 firewall or a stealth firewall, because its
  interfaces have no IP addresses and cannot be detected or manipulated. Only a single
  management address can be configured on the firewall
  In transparent mode, a firewall can support only two interfaces-the inside and the outside. If
  your firewall supports more than two interfaces from a physical and licensing standpoint, you
  can assign the inside and outside to two interfaces arbitrarily. As soon as those interfaces are
  configured, the firewall does not permit a third interface to be configured.
  Some platforms also support a dedicated management interface, which can be used for all
  firewall management traffic. However, the management interface cannot be involved in
  accepting or inspecting user traffic
  Configure a management address:
  Firewall(config)# ip address ip_address subnet_mask
  The firewall can support only a single IP address for management purposes. The address is
  not bound to an interface, as in routed mode. Rather, it is assigned to the firewall itself,
  accessible from either of the bridged interfaces.
  The management address is used for all types of firewall management traffic, such as Telnet,
  SSH, HTTP, SNMP, Syslog, TFTP, FTP, and so on.
  A transparent firewall can also support multiple security contexts. In that case, interface IP
  addresses must be configured from the respective context. The system execution space uses
  the admin context interfaces and IP addresses for its management traffic
  You do not have to configure a static route for the subnet directly connected to the firewall
  interfaces. However, you should define one static route as a default route toward the outside
  public network
  i wish i covered all ur questions
  good luck
  if helpful Rate

• Trying to figure out whether I can use an ASA cluster in Transparent mode to facilitate VRF based network ??

  Hi Guys,
  I had to re-post this here because I did not get any comments earlier.. hopefully I'll get something here.. :)
  I'm investigating the ways that I can use 2 x ASA (5525x) to accommodate Multi-tenancy situation with overlapping addresses. Unfortunately in this particular scenario we have to stick with 5525x firewalls.
  The ASAs are going to be placed in north-south traffic path between 2 routers and these routers need to be configured with multiple VRFs to segregate the traffic for each tenant with overlapping IP subnets ( We are not looking at NAT as a workaround for the time being).
  As we know, this ASA model won't support VRFs so we can't use the ASA as a intermediary routing hop and therefore this is not an option.. and using security contexts per VRF seems not scale-able enough (correct me if I'm wrong). So my thinking is that, if we put the ASAs in to the transparent mode and just use the ASAs as a layer 2 interconnect (configured with different VLANs connecting VRFs served by top and bottom routers)  I should be able to go up to maximum of 50 VRFs (since 5525x only supports 200 VLANs).  
  I'm also planning to use the 2 ASAs in a cluster mode to aggregate the bandwidth of both ASAs for better throughput.
  So I need to clarify following with you guys.. 
  1) Can I actually do this or am I missing something.
  2) Are there any limitations that I might run in to with this setup
  3) Is there anyone out there who's doing the same thing or can you think of a better way to tackle this scenario (with same hardware and requirements)
  4) Instead of using clustering, can I use simple Active/Stanby pare and still configure transparent mode and use it that way ?
  Appreciate your input.
  Thanks
  Shamal 

  There is a limitation on how many context you can have, which depends on the license you have.  This is quite possible with ASA multi routed mode and even with multi transparent mode.  You can have overlapping ip in each context without the need of using nat as long as you have unique mac address for each sub interface.
  Thanks

• Cisco 2960S Configured in Transparent mode

  I have a Cisco 2960S gig switch configured in transparent mode with multiple vlans configured. I have printers that I can ping, the ports shows up but on the printer it says offline. Any idea what could be causing this?

  If your printer and your PCs are all in the same subnet and only the printer is not working then VTP mode Transparent has nothing to do with your issue. 
  I'd be keen to know if you have a firewall blocking anything from the IP address of the printer?  Maybe the IP subnet mask or default gateway of the printer is not working?  
  What do you get when you do a "sh mac-address interface <PRINTER port>"?

• ASA 55xx in transparent mode - switch ARP table?

  Guys,
  It's a basic question about how transparent mode firewalls communicate with the connecting switches.
  My understanding is that if I separate the LAN eg. 10.1.1.x with a transparent firewall than it will only "snoop" the traffic and will not change anything in the Ethernet header.
  Is it correct or still will replace the MAC address with the firewall physical interface address to send the frame to the connecting switch?
  e.g.
  client--------->switch------->transparent 5510-------->switch---------->server
  10.1.1.1                                                                                              10.1.1.100
  When the client sends the ARP to look up the hardware address of the server then what will that received back?
  The MAC address of the transparent ASA, or the server?
  Thank you!

  Source MAC address is never changed if the traffic is passing through same IP subnet (vlan). Here the firewall is in transparent mode and if it alter the source mac address communication will not happen. This is a very fundamental network concept. However it may recreate the same frame with same souce/destination mac addresses.
   

• Single AIP-SSM in Cisco ASA Failover Active / Standby Mode

  Hi,
  I can add single AIP-SSM on Cisco ASA in failover active / standby mode?

  No, both units need the same hardware, that includes the installed modules.
  Sent from Cisco Technical Support iPad App

• Disabling Any connect in Cisco ASA's

  what is the best way to disable anyconnect in the Cisco ASA's.
  Thanks

  The quickest way to disable a remote access SSL VPN (the most common type by far when using Anyconnect clients) is to turn off webvpn ("no webvpn") in configure mode.

• ASA 8.4 transparent mode active/active questions

  Hi, currently i'm trying to create network design which uses two 5585-X in transparent mode with active/active load balancing (with states), but i have some questions:
  1. Do i need to configure asr-groups in transparent mode? What will happen if my packet (or now more accurately frame) will return to the standby context of one device, while the initial packet passed through active context on the another device (contexts are in the same group but on different physical devices)?
  2. In 8.4 we received new feature called BVI interfaces. How this feature integrates with failover functionality? Can we now use multiple BVI bridge groups for multiple vlans (instead of bridging a single pair of vlans in single context)?
  3. When implementing active/active load balancing with BVIs do we still need to use multiple context mode?
  Thanks for your replies

  Hello,
  1. Do i need to configure asr-groups in transparent mode? What will happen if my packet (or now more accurately frame) will return to the standby context of one device, while the initial packet passed through active context on the another device (contexts are in the same group but on different physical devices)?
  You only need to configure ASR groups if your routing environment would match the scenario you outlined (a return packet arrives at the unit running the Standby context).
  2. In 8.4 we received new feature called BVI interfaces. How this feature integrates with failover functionality? Can we now use multiple BVI bridge groups for multiple vlans (instead of bridging a single pair of vlans in single context)?
  You can configure up to 8 bridge groups per context to achieve this.
  3. When implementing active/active load balancing with BVIs do we still need to use multiple context mode?
  Active/Active failover is only possible in multiple context mode.
  Hope that helps.
  -Mike

• Connectivity Issue between ASA 5520 firewall and Cisco Call Manager

  Recently i have installed ASA 5520 firewall, Below is the detail for my network
  ASA 5520 inside ip: 10.12.10.2/24
  Cisco Switch 3560 IP: 10.12.10.1/24 for Data and 10.12.110.2/24 for Voice
  Cisco Call Manager 3825 IP: 10.12.110.2/24
  The users and the IP phone are getting IP from the DHCP server which configured on cisco 3560 Switch.
  the Default Gateway for Data user is 10.12.10.2/24 and
  for the voice users is 10.12.110.2/24
  now the problem is that the users is not able to ping 10.12.110.2 call manager. please if somebody can help in this regard. i will appreciate the prompt response against this issues.

  Actually i don't wana to insert new subnet and complicate the nework. i need a simple way to solve the problem. below is the details for the asa 5520 config.
  ASA Version 8.2(1)
  name x.x.x.x Mobily
  interface GigabitEthernet0/0
   nameif inside
   security-level 99
   ip address 10.12.10.2 255.255.255.0
  interface GigabitEthernet0/1
   nameif outside
   security-level 0
   ip address x.x.x.x 255.255.255.252
  object-group service DM_INLINE_SERVICE_1
   service-object tcp-udp
   service-object ip
   service-object icmp
   service-object udp
   service-object tcp eq ftp
   service-object tcp eq www
   service-object tcp eq https
   service-object tcp eq ssh
   service-object tcp eq telnet
  access-list RA_VPN_splitTunnelAcl_1 standard permit Inside-Network 255.255.255.0
  access-list RA_VPN_splitTunnelAcl standard permit Inside-Network 255.255.255.0
  access-list inside_nat0_outbound extended permit ip Inside-Network 255.255.255.0 10.12.10.16 255.255.255.240
  access-list inside_nat0_outbound extended permit object-group DM_INLINE_SERVICE_1 10.12.10.16 255.255.255.240 Inside-Network 255.255.255.0
  access-list inside_nat0_outbound_1 extended permit ip Inside-Network 255.255.255.0 10.12.10.16 255.255.255.240
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  mtu mgmt 1500
  ip local pool VPN-Pool 172.16.1.1-172.16.1.30 mask 255.255.255.0
  ip local pool VPN-Users 10.12.10.21-10.12.10.30 mask 255.255.255.0
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-641.bin
  asdm history enable
  arp timeout 14400
  global (inside) 2 interface
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound_1
  nat (inside) 1 Inside-Network 255.255.255.0
  route outside 0.0.0.0 0.0.0.0 Mobily 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http Mgmt-Network 255.255.255.0 mgmt
  http Inside-Network 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
   authentication pre-share
   encryption 3des
   hash sha
   group 2
   lifetime 86400
  crypto isakmp policy 30
   authentication pre-share
   encryption 3des
   hash md5
   group 2
   lifetime 86400
  telnet Inside-Network 255.255.255.0 inside
  telnet timeout 5
  ssh Inside-Network 255.255.255.255 inside
  <--- More --->              ssh timeout 5
  console timeout 0
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  group-policy RA_VPN internal
  group-policy RA_VPN attributes
   dns-server value 86.51.34.17 8.8.8.8
   vpn-tunnel-protocol IPSec
   split-tunnel-policy tunnelspecified
   split-tunnel-network-list value RA_VPN_splitTunnelAcl
  username admin password LPtK/u1LnvHTA2vO encrypted privilege 15
  tunnel-group RA_VPN type remote-access
  tunnel-group RA_VPN general-attributes
   address-pool VPN-Users
   default-group-policy RA_VPN
  tunnel-group RA_VPN ipsec-attributes
   pre-shared-key *
  class-map inspection_default
   match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
   parameters
    message-length maximum 512
  policy-map global_policy
   class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny 
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip 
    inspect xdmcp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:e5a64fa92ae465cd7dabd01ce605307d
  : end

• ASA Routed or Transparent mode

                     Hi ,
  I am planning to deploy ASA as internal Firewall ... as all the Inside and Outside zones will be having same Ip range . I am confused about its deployment . Can any1  help me on deciding on deploying it as Routed mode or transparent mode

  Transparent.
  Just the intro of the following file will answer your question:
  http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml

• Cisco ASA 5515 - Anyconnect users can't ping other Anyconnect users. How can I allow icmp traffic between Anyconnect users?

  ASA configuration is  below!
  ASA Version 9.1(1)
  hostname ASA
  domain-name xxx.xx
  names
  ip local pool VPN_CLIENT_POOL 192.168.12.1-192.168.12.254 mask 255.255.255.0
  interface GigabitEthernet0/0
  nameif inside
  security-level 100
  ip address 192.168.11.1 255.255.255.0
  interface GigabitEthernet0/1
  description Interface_to_VPN
  nameif outside
  security-level 0
  ip address 111.222.333.444 255.255.255.240
  interface GigabitEthernet0/2
  shutdown
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/4
  shutdown
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/5
  shutdown
  no nameif
  no security-level
  no ip address
  interface Management0/0
  management-only
  nameif management
  security-level 100
  ip address 192.168.5.1 255.255.255.0
  ftp mode passive
  dns server-group DefaultDNS
  domain-name www.ww
  same-security-traffic permit intra-interface
  object network LAN
  subnet 192.168.11.0 255.255.255.0
  description LAN
  object network SSLVPN_POOL
  subnet 192.168.12.0 255.255.255.0
  access-list VPN_CLIENT_ACL standard permit 192.168.11.0 255.255.255.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  mtu management 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-711.bin
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  nat (outside,inside) source static SSLVPN_POOL SSLVPN_POOL destination static LAN LAN
  route outside 0.0.0.0 0.0.0.0 111.222.333.443 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  webvpn
    url-list none
  user-identity default-domain LOCAL
  aaa authentication ssh console LOCAL
  aaa authentication http console LOCAL
  aaa authorization exec LOCAL
  http server enable
  http 192.168.5.0 255.255.255.0 management
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  crypto ipsec security-association pmtu-aging infinite
  crypto ca trustpoint ASDM_TrustPoint5
  enrollment terminal
  email [email protected]
  subject-name CN=ASA
  ip-address 111.222.333.444
  crl configure
  crypto ca trustpoint ASDM_TrustPoint6
  enrollment terminal
  fqdn vpn.domain.com
  email [email protected]
  subject-name CN=vpn.domain.com
  ip-address 111.222.333.444
  keypair sslvpn
  crl configure
  crypto ca trustpool policy
  crypto ca certificate chain ASDM_TrustPoint6
  telnet timeout 5
  ssh 192.168.11.0 255.255.255.0 inside
  ssh timeout 30
  console timeout 0
  no ipv6-vpn-addr-assign aaa
  no ipv6-vpn-addr-assign local
  dhcpd address 192.168.5.2-192.168.5.254 management
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  ssl trust-point ASDM_TrustPoint6 outside
  webvpn
  enable outside
  csd image disk0:/csd_3.5.2008-k9.pkg
  anyconnect image disk0:/anyconnect-win-3.1.04066-k9.pkg 1
  anyconnect enable
  tunnel-group-list enable
  group-policy DfltGrpPolicy attributes
  vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
  group-policy VPN_CLIENT_POLICY internal
  group-policy VPN_CLIENT_POLICY attributes
  wins-server none
  dns-server value 192.168.11.198
  vpn-simultaneous-logins 5
  vpn-session-timeout 480
  vpn-tunnel-protocol ssl-client
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value VPN_CLIENT_ACL
  default-domain value mycomp.local
  address-pools value VPN_CLIENT_POOL
  webvpn
    anyconnect ssl dtls enable
    anyconnect keep-installer installed
    anyconnect ssl keepalive 20
    anyconnect ssl rekey time 30
    anyconnect ssl rekey method ssl
    anyconnect dpd-interval client 30
    anyconnect dpd-interval gateway 30
    anyconnect dtls compression lzs
    anyconnect modules value vpngina
    customization value DfltCustomization
  group-policy IT_POLICY internal
  group-policy IT_POLICY attributes
  wins-server none
  dns-server value 192.168.11.198
  vpn-simultaneous-logins 3
  vpn-session-timeout 120
  vpn-tunnel-protocol ssl-client ssl-clientless
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value VPN_CLIENT_ACL
  default-domain value company.com
  address-pools value VPN_CLIENT_POOL
  webvpn
    anyconnect ssl dtls enable
    anyconnect keep-installer installed
    anyconnect ssl keepalive 20
    anyconnect dtls compression lzs
    customization value DfltCustomization
  username vpnuser password PA$$WORD encrypted
  username vpnuser attributes
  vpn-group-policy VPN_CLIENT_POLICY
  service-type remote-access
  username vpnuser2 password PA$$W encrypted
  username vpnuser2 attributes
  service-type remote-access
  username admin password ADMINPA$$ encrypted privilege 15
  tunnel-group VPN type remote-access
  tunnel-group VPN general-attributes
  address-pool VPN_CLIENT_POOL
  default-group-policy VPN_CLIENT_POLICY
  tunnel-group VPN webvpn-attributes
  authentication aaa certificate
  group-alias VPN_to_R enable
  tunnel-group IT_PROFILE type remote-access
  tunnel-group IT_PROFILE general-attributes
  address-pool VPN_CLIENT_POOL
  default-group-policy IT_POLICY
  tunnel-group IT_PROFILE webvpn-attributes
  authentication aaa certificate
  group-alias IT enable
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect icmp
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  : end

  Hi,
  here's what you need:
  same-security-traffic permit intra-interface
  access-list VPN_CLIENT_ACL standard permit 192.168.12.0 255.255.255.0
  nat (outside,outside) source static SSLVPN_POOL SSLVPN_POOL destination static SSLVPN_POOL SSLVPN_POOL
  Patrick

• TCP connections on Cisco ASA disconnects the database session every 30 Minutes

  Right after a firmware upgrade form 8.4.2 to 8.4.7   on our ASA 5540:
  the database app that makes a tcp connection with the database  loses connection to the database servers on the inside of the firewall
  -Nothing changed on the process servers.
  -Nothing but firmware version changed on the firewalls.
  -Rebooting did not help.
  -Connections don't always drop every 30 minutes, but it's still almost exactly at that time, with a 90% chance of it happening. And it reestablishes in about 52 second
  -The client is not willingly terminating the connections to the database servers on the inside. The connection is just going away.

  I am not seeing any error in the logs in ASA but in our client we see:
  Latest from PROD (times are in UTC):
  Sun Apr 13 10:22:10 2014 - ERR: Read from the server failed (err[36],sev[78],state[0],line[0],server[],proc[],sql[exec sp_events_insupd :p1,:p2,:p3,:p4,:p5,:p6,:p7,:p8,:p9,:p10,:p11,:p12,:p13,:p14,:p15,:p16,:p17],err_type[client])
  Sun Apr 13 11:47:09 2014 - ERR: Read from the server failed (err[36],sev[78],state[0],line[0],server[],proc[],sql[exec sp_events_insupd :p1,:p2,:p3,:p4,:p5,:p6,:p7,:p8,:p9,:p10,:p11,:p12,:p13,:p14,:p15,:p16,:p17],err_type[client])

• Connection issues on Public Hotspot - Single App mode (MDM)

  My iPad is connected permanently to a public hotspot. The connection sometimes is interrupted by a planned maintenance on the AP.
  It happens from time to time that the iPad can't recover it's Wifi connection by itself.
  Going to the settings> Wifi seems to be enough to reconnect.
  Problem is that the device is working in An MDM Single App profile, and so the settings are not meant to be reachable.
  Restarting the device is required to reconnect to the public AP.
  I know that IOS sometimes turns down WIFI after a certain period of non-use, but in Single App, the iPad stays on, day and night.
  It is running in IOS 7.1.
  Is this a know issue?

  anyone know how to set a correct task id?

• AnyConnect: No Address Available for SVC Connection on Cisco ASA 5505

  Get Error
  The secure gateway has rejected the connection attempt.   A new connection attempt to the same or another secure gateway is needed, which requires re-authentication.   The follow message was received from the secure gateway:    No address available for SVC connection.
  ip local pool VPN 192.168.250.50-192.168.250.60 mask 255.255.255.0
  tunnel-group SSL type remote-access
  tunnel-group SSL general-attributes
  address-pool VPN
  tunnel-group Any-Connect type remote-access
  tunnel-group Any-Connect general-attributes
  address-pool VPN
  I have a VPN pool
  I can make a clientless SSL connection

  Hi,
  Maybe you are not falling into that tunnel-group SSL? By default, you will fall into the DefaultWebvpnGroup unless you choose the TG via a dropdown or directly access the group via a groupurl.
  Example: When no 'tunnel-group-list' or 'group-url' is configured:
  Accessing https:// will take you to DefaultWebvpnGroup.
  When 'tunnel-group-list enable' is configured under webvpn, you will get a dropdown of tunnel-groups to choose from [provided you have an alias defined for the group]
  When group-url is configured for a particular TG, say https:///test , on accessing that URL, you are taken to that group directly.
  So basically, you would need to check which group you are hitting. Running 'debug webvpn 255' should also show you this.
  Thanks
  Rahul

• Cisco ASA 55XX Transparent mode VLAN traversing

  Hello Cisco Forum Team!
      In a scenario where the Cisco ASA is in Transparent mode, is it possible to transmit L2 traffic from other VLANs different than the native VLAN the management IP of the firewall resides?
  The switches on the outside and inside interfaces of the ASA are in trunk mode and I am trying to pass L2 VLAN ttraffic from inside to outside and vice-versa using filters on the switches (switchport trunk allowed vlan). 
  Thanks in advanced for your support and comments!

  Yes it is possible but you will be limited to 8 VLANs, or more accurately, 8 BVI interfaces so this is not a scalable solution.  The catch is that you will need to have different VLANs for the same subnet at either end of the ASA. 
  To clarify this, lets say you are using interface Gig0/1 and Gig0/2.  On Gig0/1 you would have configured subinterfaces with VLANs 2, 3, and 4.  Now if you try to configure these same VLANs on Gig0/2 you will get an error saying something like this VLAN is already configured on another interface...I don't remember the exact error. 
  So to get this working you would need to configure Gig0/2 with subinterfaces for VLANs...lets say...5, 6, and 7.  you would then associate VLANs 2 and 5 with BVI 1, VLANs 3 and 6 with BVI 2, and VLANs 4 and 7 with BVI 3.  Each BVI interface would have its own IP address for the subnet that is being bridged across the ASA.
  Please remember to select a correct answer and rate helpful posts