Connectivity Issues Cisco ASA 5515 in Transparent Mode
Hi,
we're having problems with one transparent mode setup at one customer site. The ASA is equipped with a CX module, but we're not using it; so far in the service policy rules it was enabled and matched all traffic, but in "monitor only" mode. There is a global ACL that allows any-any-IP.
Firewall-Info:
- ASA Version 9.1(2)
- Interfaces gi0/0 + gi0/2 without any interface errors
The ASA 5515x is configured as a "bump in the wire". In general our setup is working, but since the installation of the firewall the customer faces the following connection issues; without the firewall there are no problems:
- Connections to SAP-Servers behind the MPLS begin to drop, affected all users
- Incoming monitoring sessions (ping/snmp) from central management are facing ping timeouts, connection timeouts
- http downloads are stopping, Customer: it will stop responding and the download will fail.
In general the customer describes it this way: "We do not have the best connection here so once we connected the firewall all the problems are magnified"
I recognized that we unconfigured the default inspection during initial setup and reconfigured this entry for the CX module. So the default inspection with all its settings is not present any more... How important are these settings? One phenomenon is that I've seen a large number of concurrent connections that increased over time. And we already had the situation that the firewall reached the max-conn count.
Should I try to reconfigure the default inspection as it ships from the factory? And what's the best way to check for problems? What can be the reason for the dropping connections?
I attached a network plan and the firewall config; hopefully somebody has an idea. Of course I can provide additional information...
Best Regards
Sebastian
Hi Vibhor,
thanks for your reply. Does this also affect the traffic, even if the setting is set to "Monitor Only"?
Is it recommended to configure the default-inspection rule as a default setting?
Further question: I've read something about service policy rules having to be "reloaded" to take effect after they have been changed. Is that right, and how do I reload them?
Here is an output from sh asp drop; do I have to care about certain values? These values result from two connected users doing some downloads over a 2Mbit connection.
ciscoasa# show asp drop
Frame drop:
Invalid encapsulation (invalid-encap) 10
First TCP packet not SYN (tcp-not-syn) 114
TCP failed 3 way handshake (tcp-3whs-failed) 3
TCP RST/FIN out of order (tcp-rstfin-ooo) 18
Dst MAC L2 Lookup Failed (dst-l2_lookup-fail) 33
L2 Src/Dst same LAN port (l2_same-lan-port) 260
FP L2 rule drop (l2_acl) 2958
Interface is down (interface-down) 9420
No management IP address configured for TFW (tfw-no-mgmt-ip-config) 117
Dropped pending packets in a closed socket (np-socket-closed) 66
Thanks
Sebastian
Similar Messages
-
ASA 5510 in Transparent Mode-Guidelines.
Dear all,
I need to convert routed mode to transparent mode on my ASA-5510 with inbuilt IPS.
Let me know which of the following features configured on my firewall will have issues if converted to transparent mode:
1. static routes.
2. object-groups.
3. ACLS.
4. URL-filter (Websense).
5. IPS . ( i doubt this )
6. have 3 data and 1 Mgmt interfaces.
7. syslog.
8. SNMP
I'm sure points 5 and 6 will have issues, need to confirm.
need to confirm this by EOD,
( 5 hours more).
thanks in advance.
Shukla.
Does not participate in routing protocols but can still pass routing protocol traffic through it. You can define static routes for the traffic originated by the ASA.
In transparent mode the devices behind and in front of the firewall will be in the same IP subnet, as the firewall will be a L2 device!!
ACLs can be configured normally
syslog as well
object groups as well
Address translation is inherent when a firewall is configured for routed mode. Beginning with ASA 8.0, address translation can be used in transparent mode as well
Does not participate in multicast. However, it allows passing the multicast traffic through it using the ACLs.
Does not support QoS.
Inspects Layer 2 and higher packet headers
As long as you can use
policy-map global_policy
then you can integrate with IPS, if you mean the AIP-SSM module
Transparent is also known as a Layer 2 firewall or a stealth firewall, because its interfaces have no IP addresses and cannot be detected or manipulated. Only a single management address can be configured on the firewall
In transparent mode, a firewall can support only two interfaces, the inside and the outside. If your firewall supports more than two interfaces from a physical and licensing standpoint, you can assign the inside and outside to two interfaces arbitrarily. As soon as those interfaces are configured, the firewall does not permit a third interface to be configured.
Some platforms also support a dedicated management interface, which can be used for all firewall management traffic. However, the management interface cannot be involved in accepting or inspecting user traffic
Configure a management address:
Firewall(config)# ip address ip_address subnet_mask
The firewall can support only a single IP address for management purposes. The address is not bound to an interface, as in routed mode. Rather, it is assigned to the firewall itself, accessible from either of the bridged interfaces.
The management address is used for all types of firewall management traffic, such as Telnet, SSH, HTTP, SNMP, Syslog, TFTP, FTP, and so on.
A transparent firewall can also support multiple security contexts. In that case, interface IP addresses must be configured from the respective context. The system execution space uses the admin context interfaces and IP addresses for its management traffic
You do not have to configure a static route for the subnet directly connected to the firewall interfaces. However, you should define one static route as a default route toward the outside public network
I wish I covered all your questions
good luck
If helpful, rate -
Hi Guys,
I had to re-post this here because I did not get any comments earlier.. hopefully I'll get something here.. :)
I'm investigating the ways that I can use 2 x ASA (5525x) to accommodate a multi-tenancy situation with overlapping addresses. Unfortunately in this particular scenario we have to stick with 5525x firewalls.
The ASAs are going to be placed in the north-south traffic path between 2 routers, and these routers need to be configured with multiple VRFs to segregate the traffic for each tenant with overlapping IP subnets (we are not looking at NAT as a workaround for the time being).
As we know, this ASA model won't support VRFs, so we can't use the ASA as an intermediary routing hop and therefore this is not an option... and using security contexts per VRF seems not scalable enough (correct me if I'm wrong). So my thinking is that, if we put the ASAs into transparent mode and just use the ASAs as a layer 2 interconnect (configured with different VLANs connecting VRFs served by top and bottom routers), I should be able to go up to a maximum of 50 VRFs (since the 5525x only supports 200 VLANs).
I'm also planning to use the 2 ASAs in cluster mode to aggregate the bandwidth of both ASAs for better throughput.
So I need to clarify the following with you guys..
1) Can I actually do this, or am I missing something?
2) Are there any limitations that I might run into with this setup?
3) Is there anyone out there who's doing the same thing, or can you think of a better way to tackle this scenario (with the same hardware and requirements)?
4) Instead of using clustering, can I use a simple Active/Standby pair and still configure transparent mode and use it that way?
Appreciate your input.
Thanks
Shamal
There is a limitation on how many contexts you can have, which depends on the license you have. This is quite possible with ASA multi routed mode and even with multi transparent mode. You can have overlapping IPs in each context without the need of using NAT, as long as you have a unique MAC address for each sub-interface.
Thanks -
Cisco 2960S Configured in Transparent mode
I have a Cisco 2960S gig switch configured in transparent mode with multiple VLANs configured. I have printers that I can ping; the ports show up, but on the printer it says offline. Any idea what could be causing this?
If your printer and your PCs are all in the same subnet and only the printer is not working then VTP mode Transparent has nothing to do with your issue.
I'd be keen to know if you have a firewall blocking anything from the IP address of the printer? Maybe the IP subnet mask or default gateway of the printer is not working?
What do you get when you do a "sh mac-address interface <PRINTER port>"? -
ASA 55xx in transparent mode - switch ARP table?
Guys,
It's a basic question about how transparent mode firewalls communicate with the connecting switches.
My understanding is that if I separate the LAN, e.g. 10.1.1.x, with a transparent firewall then it will only "snoop" the traffic and will not change anything in the Ethernet header.
Is that correct, or will it still replace the MAC address with the firewall physical interface address to send the frame to the connecting switch?
e.g.
client--------->switch------->transparent 5510-------->switch---------->server
10.1.1.1 10.1.1.100
When the client sends the ARP to look up the hardware address of the server, what will it receive back?
The MAC address of the transparent ASA, or the server?
Thank you!
The source MAC address is never changed if the traffic is passing through the same IP subnet (VLAN). Here the firewall is in transparent mode, and if it altered the source MAC address communication would not happen. This is a very fundamental network concept. However, it may recreate the same frame with the same source/destination MAC addresses.
-
Single AIP-SSM in Cisco ASA Failover Active / Standby Mode
Hi,
Can I add a single AIP-SSM on a Cisco ASA in failover active/standby mode?
No, both units need the same hardware, and that includes the installed modules.
Sent from Cisco Technical Support iPad App -
Disabling Any connect in Cisco ASA's
What is the best way to disable AnyConnect in the Cisco ASAs?
Thanks
The quickest way to disable a remote access SSL VPN (the most common type by far when using AnyConnect clients) is to turn off webvpn ("no webvpn") in configure mode.
-
ASA 8.4 transparent mode active/active questions
Hi, currently I'm trying to create a network design which uses two 5585-X in transparent mode with active/active load balancing (with states), but I have some questions:
1. Do I need to configure asr-groups in transparent mode? What will happen if my packet (or now, more accurately, frame) returns to the standby context of one device, while the initial packet passed through the active context on the other device (contexts are in the same group but on different physical devices)?
2. In 8.4 we received a new feature called BVI interfaces. How does this feature integrate with failover functionality? Can we now use multiple BVI bridge groups for multiple VLANs (instead of bridging a single pair of VLANs in a single context)?
3. When implementing active/active load balancing with BVIs do we still need to use multiple context mode?
Thanks for your replies
Hello,
1. Do I need to configure asr-groups in transparent mode? What will happen if my packet (or now, more accurately, frame) returns to the standby context of one device, while the initial packet passed through the active context on the other device (contexts are in the same group but on different physical devices)?
You only need to configure ASR groups if your routing environment would match the scenario you outlined (a return packet arrives at the unit running the Standby context).
2. In 8.4 we received a new feature called BVI interfaces. How does this feature integrate with failover functionality? Can we now use multiple BVI bridge groups for multiple VLANs (instead of bridging a single pair of VLANs in a single context)?
You can configure up to 8 bridge groups per context to achieve this.
3. When implementing active/active load balancing with BVIs do we still need to use multiple context mode?
Active/Active failover is only possible in multiple context mode.
Hope that helps.
-Mike -
Connectivity Issue between ASA 5520 firewall and Cisco Call Manager
Recently I have installed an ASA 5520 firewall. Below are the details for my network:
ASA 5520 inside ip: 10.12.10.2/24
Cisco Switch 3560 IP: 10.12.10.1/24 for Data and 10.12.110.2/24 for Voice
Cisco Call Manager 3825 IP: 10.12.110.2/24
The users and the IP phones are getting IPs from the DHCP server which is configured on the Cisco 3560 switch.
The default gateway for data users is 10.12.10.2/24 and
for the voice users it is 10.12.110.2/24.
Now the problem is that the users are not able to ping 10.12.110.2 (Call Manager). Please, if somebody can help in this regard, I will appreciate a prompt response to this issue.
Actually I don't want to insert a new subnet and complicate the network. I need a simple way to solve the problem. Below are the details of the ASA 5520 config.
ASA Version 8.2(1)
name x.x.x.x Mobily
interface GigabitEthernet0/0
nameif inside
security-level 99
ip address 10.12.10.2 255.255.255.0
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.252
object-group service DM_INLINE_SERVICE_1
service-object tcp-udp
service-object ip
service-object icmp
service-object udp
service-object tcp eq ftp
service-object tcp eq www
service-object tcp eq https
service-object tcp eq ssh
service-object tcp eq telnet
access-list RA_VPN_splitTunnelAcl_1 standard permit Inside-Network 255.255.255.0
access-list RA_VPN_splitTunnelAcl standard permit Inside-Network 255.255.255.0
access-list inside_nat0_outbound extended permit ip Inside-Network 255.255.255.0 10.12.10.16 255.255.255.240
access-list inside_nat0_outbound extended permit object-group DM_INLINE_SERVICE_1 10.12.10.16 255.255.255.240 Inside-Network 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip Inside-Network 255.255.255.0 10.12.10.16 255.255.255.240
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu mgmt 1500
ip local pool VPN-Pool 172.16.1.1-172.16.1.30 mask 255.255.255.0
ip local pool VPN-Users 10.12.10.21-10.12.10.30 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
asdm history enable
arp timeout 14400
global (inside) 2 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 Inside-Network 255.255.255.0
route outside 0.0.0.0 0.0.0.0 Mobily 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http Mgmt-Network 255.255.255.0 mgmt
http Inside-Network 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet Inside-Network 255.255.255.0 inside
telnet timeout 5
ssh Inside-Network 255.255.255.255 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy RA_VPN internal
group-policy RA_VPN attributes
dns-server value 86.51.34.17 8.8.8.8
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RA_VPN_splitTunnelAcl
username admin password LPtK/u1LnvHTA2vO encrypted privilege 15
tunnel-group RA_VPN type remote-access
tunnel-group RA_VPN general-attributes
address-pool VPN-Users
default-group-policy RA_VPN
tunnel-group RA_VPN ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
Cryptochecksum:e5a64fa92ae465cd7dabd01ce605307d
: end -
ASA Routed or Transparent mode
Hi ,
I am planning to deploy an ASA as an internal firewall... as all the inside and outside zones will have the same IP range. I am confused about its deployment. Can anyone help me decide on deploying it in routed mode or transparent mode?
Transparent.
Just the intro of the following file will answer your question:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml -
ASA configuration is below!
ASA Version 9.1(1)
hostname ASA
domain-name xxx.xx
names
ip local pool VPN_CLIENT_POOL 192.168.12.1-192.168.12.254 mask 255.255.255.0
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 192.168.11.1 255.255.255.0
interface GigabitEthernet0/1
description Interface_to_VPN
nameif outside
security-level 0
ip address 111.222.333.444 255.255.255.240
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.5.1 255.255.255.0
ftp mode passive
dns server-group DefaultDNS
domain-name www.ww
same-security-traffic permit intra-interface
object network LAN
subnet 192.168.11.0 255.255.255.0
description LAN
object network SSLVPN_POOL
subnet 192.168.12.0 255.255.255.0
access-list VPN_CLIENT_ACL standard permit 192.168.11.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (outside,inside) source static SSLVPN_POOL SSLVPN_POOL destination static LAN LAN
route outside 0.0.0.0 0.0.0.0 111.222.333.443 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
webvpn
url-list none
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authorization exec LOCAL
http server enable
http 192.168.5.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_TrustPoint5
enrollment terminal
email [email protected]
subject-name CN=ASA
ip-address 111.222.333.444
crl configure
crypto ca trustpoint ASDM_TrustPoint6
enrollment terminal
fqdn vpn.domain.com
email [email protected]
subject-name CN=vpn.domain.com
ip-address 111.222.333.444
keypair sslvpn
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint6
telnet timeout 5
ssh 192.168.11.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
no ipv6-vpn-addr-assign aaa
no ipv6-vpn-addr-assign local
dhcpd address 192.168.5.2-192.168.5.254 management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint6 outside
webvpn
enable outside
csd image disk0:/csd_3.5.2008-k9.pkg
anyconnect image disk0:/anyconnect-win-3.1.04066-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy VPN_CLIENT_POLICY internal
group-policy VPN_CLIENT_POLICY attributes
wins-server none
dns-server value 192.168.11.198
vpn-simultaneous-logins 5
vpn-session-timeout 480
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_CLIENT_ACL
default-domain value mycomp.local
address-pools value VPN_CLIENT_POOL
webvpn
anyconnect ssl dtls enable
anyconnect keep-installer installed
anyconnect ssl keepalive 20
anyconnect ssl rekey time 30
anyconnect ssl rekey method ssl
anyconnect dpd-interval client 30
anyconnect dpd-interval gateway 30
anyconnect dtls compression lzs
anyconnect modules value vpngina
customization value DfltCustomization
group-policy IT_POLICY internal
group-policy IT_POLICY attributes
wins-server none
dns-server value 192.168.11.198
vpn-simultaneous-logins 3
vpn-session-timeout 120
vpn-tunnel-protocol ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_CLIENT_ACL
default-domain value company.com
address-pools value VPN_CLIENT_POOL
webvpn
anyconnect ssl dtls enable
anyconnect keep-installer installed
anyconnect ssl keepalive 20
anyconnect dtls compression lzs
customization value DfltCustomization
username vpnuser password PA$$WORD encrypted
username vpnuser attributes
vpn-group-policy VPN_CLIENT_POLICY
service-type remote-access
username vpnuser2 password PA$$W encrypted
username vpnuser2 attributes
service-type remote-access
username admin password ADMINPA$$ encrypted privilege 15
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
address-pool VPN_CLIENT_POOL
default-group-policy VPN_CLIENT_POLICY
tunnel-group VPN webvpn-attributes
authentication aaa certificate
group-alias VPN_to_R enable
tunnel-group IT_PROFILE type remote-access
tunnel-group IT_PROFILE general-attributes
address-pool VPN_CLIENT_POOL
default-group-policy IT_POLICY
tunnel-group IT_PROFILE webvpn-attributes
authentication aaa certificate
group-alias IT enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
: end
Hi,
here's what you need:
same-security-traffic permit intra-interface
access-list VPN_CLIENT_ACL standard permit 192.168.12.0 255.255.255.0
nat (outside,outside) source static SSLVPN_POOL SSLVPN_POOL destination static SSLVPN_POOL SSLVPN_POOL
Patrick -
TCP connections on Cisco ASA disconnects the database session every 30 Minutes
Right after a firmware upgrade from 8.4.2 to 8.4.7 on our ASA 5540:
the database app that makes a TCP connection with the database loses its connection to the database servers on the inside of the firewall.
-Nothing changed on the process servers.
-Nothing but firmware version changed on the firewalls.
-Rebooting did not help.
-Connections don't always drop every 30 minutes, but it's still almost exactly at that time, with a 90% chance of it happening. And it re-establishes in about 52 seconds.
-The client is not willingly terminating the connections to the database servers on the inside. The connection is just going away.
I am not seeing any error in the logs on the ASA, but in our client we see:
Latest from PROD (times are in UTC):
Sun Apr 13 10:22:10 2014 - ERR: Read from the server failed (err[36],sev[78],state[0],line[0],server[],proc[],sql[exec sp_events_insupd :p1,:p2,:p3,:p4,:p5,:p6,:p7,:p8,:p9,:p10,:p11,:p12,:p13,:p14,:p15,:p16,:p17],err_type[client])
Sun Apr 13 11:47:09 2014 - ERR: Read from the server failed (err[36],sev[78],state[0],line[0],server[],proc[],sql[exec sp_events_insupd :p1,:p2,:p3,:p4,:p5,:p6,:p7,:p8,:p9,:p10,:p11,:p12,:p13,:p14,:p15,:p16,:p17],err_type[client]) -
Connection issues on Public Hotspot - Single App mode (MDM)
My iPad is connected permanently to a public hotspot. The connection sometimes is interrupted by a planned maintenance on the AP.
It happens from time to time that the iPad can't recover its WiFi connection by itself.
Going to Settings > WiFi seems to be enough to reconnect.
Problem is that the device is working in an MDM Single App profile, and so the settings are not meant to be reachable.
Restarting the device is required to reconnect to the public AP.
I know that iOS sometimes turns down WiFi after a certain period of non-use, but in Single App mode the iPad stays on, day and night.
It is running iOS 7.1.
Is this a known issue?
Anyone know how to set a correct task id?
-
AnyConnect: No Address Available for SVC Connection on Cisco ASA 5505
Get Error
The secure gateway has rejected the connection attempt. A new connection attempt to the same or another secure gateway is needed, which requires re-authentication. The follow message was received from the secure gateway: No address available for SVC connection.
ip local pool VPN 192.168.250.50-192.168.250.60 mask 255.255.255.0
tunnel-group SSL type remote-access
tunnel-group SSL general-attributes
address-pool VPN
tunnel-group Any-Connect type remote-access
tunnel-group Any-Connect general-attributes
address-pool VPN
I have a VPN pool
I can make a clientless SSL connection
Hi,
Maybe you are not falling into that tunnel-group SSL? By default, you will fall into the DefaultWebvpnGroup unless you choose the TG via a dropdown or directly access the group via a group-url.
Example: When no 'tunnel-group-list' or 'group-url' is configured:
Accessing https:// will take you to DefaultWebvpnGroup.
When 'tunnel-group-list enable' is configured under webvpn, you will get a dropdown of tunnel-groups to choose from [provided you have an alias defined for the group]
When group-url is configured for a particular TG, say https:///test , on accessing that URL, you are taken to that group directly.
So basically, you would need to check which group you are hitting. Running 'debug webvpn 255' should also show you this.
Thanks
Rahul -
Cisco ASA 55XX Transparent mode VLAN traversing
Hello Cisco Forum Team!
In a scenario where the Cisco ASA is in transparent mode, is it possible to transmit L2 traffic from VLANs other than the native VLAN where the management IP of the firewall resides?
The switches on the outside and inside interfaces of the ASA are in trunk mode, and I am trying to pass L2 VLAN traffic from inside to outside and vice versa using filters on the switches (switchport trunk allowed vlan).
Thanks in advance for your support and comments!
Yes it is possible, but you will be limited to 8 VLANs, or more accurately 8 BVI interfaces, so this is not a scalable solution. The catch is that you will need to have different VLANs for the same subnet at either end of the ASA.
To clarify this, let's say you are using interfaces Gig0/1 and Gig0/2. On Gig0/1 you would have configured subinterfaces with VLANs 2, 3, and 4. Now if you try to configure these same VLANs on Gig0/2 you will get an error saying something like "this VLAN is already configured on another interface"... I don't remember the exact error.
So to get this working you would need to configure Gig0/2 with subinterfaces for VLANs... let's say... 5, 6, and 7. You would then associate VLANs 2 and 5 with BVI 1, VLANs 3 and 6 with BVI 2, and VLANs 4 and 7 with BVI 3. Each BVI interface would have its own IP address for the subnet that is being bridged across the ASA.
Please remember to select a correct answer and rate helpful posts
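As an added example, not taken from any post in this thread, the VLAN pairing described in the answer above, together with the management address and outside default route that Shukla's earlier answer describes in the pre-8.4 syntax, written as an 8.4+/9.1 transparent-mode configuration with two bridge groups. The interface names, VLAN IDs and addresses are assumed.

```text
! Added example (constructed, not from the thread): ASA 9.1 transparent mode,
! two bridged VLAN pairs. Interface names, VLAN IDs and addresses are assumed.
firewall transparent
!
! The physical trunk ports carry no nameif; the subinterfaces do.
interface GigabitEthernet0/1
 no nameif
 no security-level
!
interface GigabitEthernet0/2
 no nameif
 no security-level
!
! Pair 1: VLAN 2 on the Gig0/1 side bridged to VLAN 5 on the Gig0/2 side.
! The same VLAN ID cannot be configured on both physical interfaces, so the
! switches re-tag the same subnet as 2 on one side and 5 on the other.
interface GigabitEthernet0/1.2
 vlan 2
 nameif inside-v2
 bridge-group 1
 security-level 100
!
interface GigabitEthernet0/2.5
 vlan 5
 nameif outside-v2
 bridge-group 1
 security-level 0
!
! Pair 2: VLAN 3 bridged to VLAN 6.
interface GigabitEthernet0/1.3
 vlan 3
 nameif inside-v3
 bridge-group 2
 security-level 100
!
interface GigabitEthernet0/2.6
 vlan 6
 nameif outside-v3
 bridge-group 2
 security-level 0
!
! One BVI per bridge group, addressed inside the subnet being bridged.
! This is the firewall's own address in that subnet (management access and
! firewall-originated traffic), not a gateway for the hosts. A context
! supports at most 8 bridge groups, which is the limit the answer refers to.
interface BVI1
 ip address 10.1.2.254 255.255.255.0
!
interface BVI2
 ip address 10.1.3.254 255.255.255.0
!
! Through-traffic still needs an ACL on each member interface. The any-any
! IP permit matches the global ACL mentioned in the first post and is only
! the permissive starting point; tighten it per bridged subnet.
access-list BRIDGE-IN extended permit ip any any
access-list BRIDGE-OUT extended permit ip any any
access-group BRIDGE-IN in interface inside-v2
access-group BRIDGE-OUT in interface outside-v2
access-group BRIDGE-IN in interface inside-v3
access-group BRIDGE-OUT in interface outside-v3
!
! The default route only serves traffic the ASA itself originates (syslog,
! SNMP, AAA); bridged through-traffic is never routed by the firewall.
route outside-v2 0.0.0.0 0.0.0.0 10.1.2.1 1
!
! Reach the firewall through BVI1's address, from the inside VLAN only.
ssh 10.1.2.0 255.255.255.0 inside-v2
```

Each additional VLAN pair repeats the subinterface and BVI pattern with the next bridge-group number.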