Dual Remote VPN Connection

Hello guys,
I created three different remote VPN connections with three different networks. I could make them one, but for some reasons I don't mix them all.
I am using a Cisco ASA 5505 with the Shrew Soft VPN software, so my problem is:
- I connected the Shrew Soft remote VPN; if I try to connect another remote VPN connection, it will not accept the second connection. So please, can anyone give me remote VPN connection software that accepts more than one connection?

Hi,
Since you mention the ASA and the VPN I presume you are trying to connect by VPN Client to the same ASA?
Why would you want to have several VPN client connections at the same time? (Though I think that isn't even possible.)
What are you trying to accomplish by these 3 different VPN Client configurations configured on the same ASA?
Isn't it just possible to configure one VPN Client connection to the ASA that would handle all the traffic of these 3 VPN Client connections?
- Jouni

Similar Messages

  • Traffic not returning to remote VPN connections

    I've successfully setup remote VPN connections to my ASA using vpnc as the client and everything behaves as expected. I'm trying to test the official Cisco client and I'm unable to make the same SSH connections across the VPN as I was using vpnc.
    The ASA shows the IKE and IPSec connections forming, and shows connections being built for the SSH traffic across the VPN.
    tcpdump shows the host listening on SSH behind the ASA receiving the traffic and sending ACKs in reply. They don't appear to be arriving back at the remote client though, and SSH connections time out without connecting.
    Any idea what might be stopping the return traffic? I thought it might be some policy the ASA is pushing out to the Cisco client but not to vpnc but I can't spot anything obvious.

    Is the internal SSH host you are connecting to sending ACKS (as you've stated), or SYN/ACKs?
    It might be nice to know if the TCP three way handshake is being completed, and subsequent packets are the issue, or if it's the initial TCP setup that is the issue.
    Perhaps there would be some benefit in confirming whether these packets are making it through the IPSec tunnel, through the ASA un-encapsulated, or not through the ASA at all.
    You could use Wireshark to look for un-encapsulated packets exiting the ASA.
    You could use Wireshark to capture the "pre-encapsulated" traffic being sent to the far side, and the "post-decapsulation" traffic returning from the far side, by capturing on the Cisco VPN Client virtual interface (Windows installation).
    Perhaps examine IPSec SA details on the ASA and look for errors.
    Perhaps logging on the internal interface ACL (log any packets denied) to identify whether the returning packets are being dropped.

  • Asa 5505 Remote VPN Can't access with my local network

    Hello guys, I have a problem with my ASA 5505 remote VPN connection with local network access. The VPN is working fine and connected, but the problem is I can't reach my inside network connection of 192.168.30.x. Here is my configuration; please can you help me.
    ASA Version 8.2(1)
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.30.1 255.255.255.0
    interface Vlan2
     nameif outside
     security-level 0
     ip address 155.155.155.10 255.255.255.0
    interface Vlan5
     no nameif
     no security-level
     no ip address
    interface Ethernet0/0
     switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    access-list inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.240
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool vpn-Pool 192.168.100.1-192.168.100.10 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy mull internal
    group-policy mull attributes
     vpn-tunnel-protocol IPSec
    username xxx password eKJj9owsQwAIk6Cw encrypted privilege 0
    vpn-group-policy Mull
    tunnel-group mull type remote-access
    tunnel-group mull general-attributes
     address-pool vpn-Pool
     default-group-policy mull
    tunnel-group mull ipsec-attributes
     pre-shared-key *
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    service-policy global_policy global
    prompt hostname context

    Hey Jennifer, I did everything you mentioned, but I still can't reach my inside network (local network). I am using Shrew Soft VPN Access Manager for my VPN connection.
    Here is my cry ipsec sa:
    interface: outside
        Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 155.155.155.1
          local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.100.1/255.255.255.255/0/0)
          current_peer:155.155.155.1, username: Thomas
          dynamic allocated peer ip: 192.168.100.1
          #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
          #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: 155.155.155.1/4500, remote crypto endpt.: 155.155.155.20/4500
          path mtu 1500, ipsec overhead 82, media mtu 1500
          current outbound spi: 73FFAB96
        inbound esp sas:
          spi: 0x1B5FFBF1 (459275249)
             transform: esp-aes esp-sha-hmac no compression
             in use settings ={RA, Tunnel,  NAT-T-Encaps, }
             slot: 0, conn_id: 12288, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
             sa timing: remaining key lifetime (sec): 2894
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
        outbound esp sas:
          spi: 0x73FFAB96 (1946135446)
             transform: esp-aes esp-sha-hmac no compression
             in use settings ={RA, Tunnel,  NAT-T-Encaps, }
             slot: 0, conn_id: 12288, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
             sa timing: remaining key lifetime (sec): 2873
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001

  • Remote VPN ! site-to-site

    Remote VPN client cannot get across L2L (site-to-site) tunnel after making connection.
    Topology:
    [remote]->[ASA1]-><L2L>->[ASA2]->LAN2
    The problem is at the remote client, which is using Cisco VPN client.
    Remote client connection is made fine to [ASA1].
    Problem is that remote client does not know route to network LAN2 and dumps traffic off to its default gateway rather than directing it to [ASA1] for forwarding to [ASA2]. ([ASA1] and [ASA2], of course, know about each other.)
    Cisco VPN client has capability of being "told" subsequent routes (Status->statistics->Route details).
    As I see it, the client must get this info from the ASA to which it makes its remote VPN connection.
    The advice I am hoping for is the CLI or ASDM syntax I need to apply to get the ASA to provide this route information.
    TIA

    Adam, thank you for the comprehensive reply ... unfortunately it's not working.
    1. The statements you list above were already there to facilitate the L2L.
    2. I turned-off split tunneling (or think I did) and ran a test ... no joy.
    This took me back to my original premise that the remote client doesn't know how to send the traffic (bound for L2L) down the remote tunnel and dumps it off to its default gateway (to the WWW).
    If you're willing to look at it, I have attached screen shots of the client ipconfig and the Cisco VPN client - showing its routes.
    The ipconfig seems to say that the remote connection has its default gateway, and the tunnel has none.
    The VPN client screen shows it knows a route (192.168.5.0/24) to the ASA, but nothing beyond. The ASA does, in fact, know about the network (10.64.0.0/16) at the other end of the L2L.
    As I see it, if I can find a way to get the ASA to advertise this route to the VPN client, the problem might be solved. The client will then know to forward the traffic to the ASA instead of dumping it to the default gateway.
    TIA

  • IPad2, Verizon 3G, VPN Connectivity Issues

    Greetings all. I am the systems administrator for my corporation and have seen an issue that I wish to present to the community for discussion.
    For those enterprise users that have an iPad2 with Verizon's 3G, are you experiencing connectivity issues while trying to connect to your VPNs from the 3G network? If so, have you found any workaround to allow connectivity or does it work fine for you?
    Here's a summary of my issues:
    We have a VPN server built on Debian Linux that has been in operation for over four years. It handles remote VPN connections from Windows, Linux,  Android, OS X, iOS, and from many different devices including multiple flavors of Apple products (iMacs, Minis, MacBooks, iPads, etc.). To date, it has performed flawlessly with assorted devices connecting to it through broadband and assorted 3G networks.
    Recently I purchased an iPad2 with Verizon 3G. I was able to set up the VPN connection using PPTP and connect using a Wi-Fi connection. When I turned off the Wi-Fi and attempted the same connection via Verizon 3G, it failed. I then took an associate's iPad1 using AT&T 3G, set up the same connection, and was able to connect. I don't have access to an iPad2 on AT&T 3G, so I can't speak for that.
    Here's the logs from the VPN server while connecting from my iPad2:
    Wi-Fi
    Jul 27 05:20:43 localhost pppd[31694]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
    Jul 27 05:20:43 localhost pppd[31694]: pptpd-logwtmp: $Version$
    Jul 27 05:20:43 localhost pppd[31694]: pppd 2.4.4 started by root, uid 0
    Jul 27 05:20:43 localhost pppd[31694]: Using interface ppp2
    Jul 27 05:20:43 localhost pppd[31694]: Connect: ppp2 <--> /dev/pts/4
    Jul 27 05:20:46 localhost pppd[31694]: Unsupported protocol 'IPv6 Control Protocol' (0x8057) received
    Jul 27 05:20:46 localhost pppd[31694]: found interface eth1 for proxy arp
    Jul 27 05:20:46 localhost pppd[31694]: local  IP address 192.168.1.69
    Jul 27 05:20:46 localhost pppd[31694]: remote IP address 192.168.1.82
    Jul 27 05:20:46 localhost pppd[31694]: pptpd-logwtmp.so ip-up ppp2 scott XXX.XXX.XXX.XXX (removed external IP for security reasons)
    Quick connect, able to utilize VPN connection normally. No issues.
    Verizon 3G
    Jul 27 05:20:29 localhost pppd[31682]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
    Jul 27 05:20:29 localhost pppd[31682]: pptpd-logwtmp: $Version$
    Jul 27 05:20:29 localhost pppd[31682]: pppd 2.4.4 started by root, uid 0
    Jul 27 05:20:29 localhost pppd[31682]: Using interface ppp2
    Jul 27 05:20:29 localhost pppd[31682]: Connect: ppp2 <--> /dev/pts/4
    Jul 27 05:20:32 localhost pppd[31682]: peer refused to authenticate: terminating link
    Jul 27 05:20:33 localhost pppd[31682]: Connection terminated.
    Jul 27 05:20:33 localhost pppd[31682]: Exit.
    As you can see, the peer refuses to authenticate, causing the link to be terminated while attempting to connect using Verizon's network. This is with the same VPN connection settings on the iPad2 that just worked with a Wi-Fi connection from the same device.
    Here's what I can verify with regards to 3G networks:
    Older (<4) iPhones and iPad1 using AT&T can connect
    Windows and OS X based laptops using Sprint 3G can connect
    Android based smart phones using Sprint 3G can connect
    I have not called Verizon or Apple Support yet, but that's next when I have the time. My initial conclusion is that there is something with Verizon's 3G services that is causing the issue. It may be that Verizon is using some sort of data compression process that is problematic with VPN transmission. While the log shows an unsupported IPv6 protocol when connecting via Wi-Fi, it still negotiates a successful connection and I don't think that's the root cause for the disconnect. Thoughts?

    Hi Alexander,
    I am running into the exact same issue (although not with Linux).  Did you ever find a fix for this?  I have some support tickets open with my VARs, but found your post and thought I would check.  If I find anything I will post.
    Thanks
    Stu
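
A way to compare the two pppd sessions quoted in this thread side by side, as an added example that is not part of the original posts: it groups syslog lines by pppd PID and reports how each session ended and how long after `Connect:` that happened. The function names are made up for this sketch; the log lines are a subset of those posted above.

```python
import re

# Syslog line as posted above: "Jul 27 05:20:43 localhost pppd[31694]: <message>"
PPPD_RE = re.compile(
    r"^\s*\w{3}\s+\d+\s+(?P<clock>\d\d:\d\d:\d\d)\s+\S+\s+"
    r"pppd\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)

# Subset of the log lines from the post (Wi-Fi session 31694, Verizon 3G session 31682).
PPPD_LOG = """\
Jul 27 05:20:29 localhost pppd[31682]: pppd 2.4.4 started by root, uid 0
Jul 27 05:20:29 localhost pppd[31682]: Using interface ppp2
Jul 27 05:20:29 localhost pppd[31682]: Connect: ppp2 <--> /dev/pts/4
Jul 27 05:20:32 localhost pppd[31682]: peer refused to authenticate: terminating link
Jul 27 05:20:33 localhost pppd[31682]: Connection terminated.
Jul 27 05:20:33 localhost pppd[31682]: Exit.
Jul 27 05:20:43 localhost pppd[31694]: pppd 2.4.4 started by root, uid 0
Jul 27 05:20:43 localhost pppd[31694]: Using interface ppp2
Jul 27 05:20:43 localhost pppd[31694]: Connect: ppp2 <--> /dev/pts/4
Jul 27 05:20:46 localhost pppd[31694]: Unsupported protocol 'IPv6 Control Protocol' (0x8057) received
Jul 27 05:20:46 localhost pppd[31694]: found interface eth1 for proxy arp
Jul 27 05:20:46 localhost pppd[31694]: local  IP address 192.168.1.69
Jul 27 05:20:46 localhost pppd[31694]: remote IP address 192.168.1.82
"""


def clock_seconds(clock):
    """HH:MM:SS to seconds since midnight (day rollover is not handled)."""
    hours, minutes, seconds = (int(part) for part in clock.split(":"))
    return hours * 3600 + minutes * 60 + seconds


def finish(session, outcome, now):
    """Record the final outcome and the delay since the Connect: line."""
    session["outcome"] = outcome
    if session["connect"] is not None:
        session["elapsed"] = now - session["connect"]


def summarize_pppd(log_text):
    """Return {pid: summary} for every pppd process seen in the log."""
    sessions = {}
    for line in log_text.splitlines():
        m = PPPD_RE.match(line)
        if m is None:
            continue
        s = sessions.setdefault(int(m["pid"]), {
            "interface": None, "remote_ip": None, "outcome": "incomplete",
            "notes": [], "connect": None, "elapsed": None,
        })
        msg, now = m["msg"], clock_seconds(m["clock"])
        if msg.startswith("Using interface "):
            s["interface"] = msg.split()[-1]
        elif msg.startswith("Connect: "):
            s["connect"] = now
        elif msg.startswith("Unsupported protocol"):
            s["notes"].append(msg)          # logged, but not fatal by itself
        elif msg.startswith("remote IP address"):
            s["remote_ip"] = msg.split()[-1]
            finish(s, "up", now)
        elif "refused to authenticate" in msg:
            finish(s, "auth-refused", now)
        elif msg.startswith("Connection terminated") and s["outcome"] == "incomplete":
            finish(s, "terminated", now)
    return sessions


def failed_sessions(sessions):
    """PIDs of sessions that never reached the IP-assigned state."""
    return [pid for pid, s in sessions.items() if s["outcome"] != "up"]


if __name__ == "__main__":
    for pid, s in summarize_pppd(PPPD_LOG).items():
        print(pid, s["interface"], s["outcome"], s["elapsed"], s["remote_ip"], s["notes"])
```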

  • RV042 dual VPN connections between locations with load balance

    We currently have three remote offices connected to the main office with gateway to gateway VPN's over DSL lines and everything is working fine. All offices have an RV042 with current firmware. We have added a second DSL line at every location and want to add a second VPN tunnel on WAN2 from the remote offices to the main office and load balance those. Load balance to the internet with the new lines works OK but the issue is that I can't create a second tunnel on WAN2 with the same network addresses as the existing tunnel on WAN1. It seems like this would be a pretty common thing with a dual WAN router but I'm not having much luck figuring it out. Does anybody know of a way to do what we're trying to do?

    Hi,
    While all the RV series Routers provide Dual WAN capability:
    http://www.cisco.com/en/US/products/ps9923/products_qanda_item09186a0080a33b64.shtml
    Only the RV082 allows the backup tunnel.  The implementation on the RV082 is not to create a new, separate tunnel using the backup WAN. Instead, the VPN GUI exposes an Advanced tab for the primary tunnel, and you complete the fields in the GUI using the backup WAN IP addresses.  I am pretty sure this is not offered on the RV042.  It wasn't last I checked, but check your GUI for the above.  If it's not there, then you can't do it.
    Steve DiStefano
    Systems Engineer
    US Field Channel Sales

  • Cisco ASA 5505 Remote Access IP/Sec VPN Connectivity Issues

    We have a Cisco ASA that we use just for Remote Access VPN. It uses UDP and was working fine for about 2 months. Recently clients have had intermittent issues when connecting from home. The following message is displayed by the Cisco VPN Client:
    "Secure VPN connection terminated locally by the Client. Reason 412: The remote peer is no longer responding"
    Upon looking at a client side packet capture, I notice that no response is being given back to the client for the udp packets sent to the ASA on udp 500. If I login to the ASA from the LAN and send a single ping FROM the ASA, then the client can connect without issue. I don't understand the significance of the needed outbound ping since ping is not used by the client to test if the ASA is alive.
    Once again this is a remote access udp ip/sec VPN. I set most of it up with the VPN wizard and then backed up the config. The issue started happening at least a month after setup (maybe two) and I restored to the saved config just in-case, but the issue remains.
    Any insight would be greatly appreciated.
    I'm using IOS 831 and have tried 821 and 823, as one thread that I found recommended downgrading to 821.
    Thanks much,
    Justin

    Javier,
    I logged into the ASA last time the VPN went down. I issued the following commands:
    debug crypto isakmp 190
    debug crypto ipsec 190
    capture outside-cap interface outside match udp any any
    I then used a remote access tool to access the client and tried to connect. I got absolutely nothing from debugging. So I issued the following command:
    show capture outside | include 500
    and also got nothing. So I issued the following command:
    ping 4.2.2.2
    Upon which my normal debug messages began to show up, so I issued the show capture outside command again and received the expected output below:
       1: 15:44:18.570160 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500:  udp 868
       2: 15:44:18.579269 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1151:  udp 444
       3: 15:44:18.703866 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500:  udp 172
       4: 15:44:18.706567 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1151:  udp 76
       5: 15:44:18.831499 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500:  udp 92
       6: 15:44:19.024061 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1151:  udp 76
       7: 15:44:19.111963 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500:  udp 60
       8: 15:44:19.517185 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500:  udp 204
       9: 15:44:19.521350 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500:  udp 92
      10: 15:44:19.522723 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1151:  udp 252
      11: 15:44:42.121957 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 868
      12: 15:44:42.130822 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155:  udp 444
      13: 15:44:42.228397 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 172
      14: 15:44:42.231036 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155:  udp 76
      15: 15:44:42.329557 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 92
      16: 15:44:42.521091 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155:  udp 76
      17: 15:44:42.610167 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 60
      18: 15:44:42.649258 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 204
      19: 15:44:42.653790 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155:  udp 252
      20: 15:44:42.789342 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 1036
      21: 15:44:42.792119 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155:  udp 92
      22: 15:44:42.800846 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155:  udp 188
      23: 15:44:42.892120 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 60
      34: 15:44:54.446220 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 92
      35: 15:44:54.447913 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155:  udp 92
      70: 15:45:01.825000 802.1Q vlan#2 P0 OFFICE_IP.10000 > REMOTE_IP.10000:  udp 100
    174: 15:45:03.417764 802.1Q vlan#2 P0 OFFICE_IP.10000 > REMOTE_IP.10000:  udp 500
    377: 15:45:07.881500 802.1Q vlan#2 P0 REMOTE_IP.10000 > OFFICE_IP.10000:  udp 100
    It would seem as if no traffic reached the ASA until some outbound traffic to an arbitrary public IP. In this case I sent an echo request to a public DNS server. It seems almost like a state-table issue although I don't know how ICMP ties in.
    Once again, any insight would be greatly appreciated.
    Thanks,
    Justin
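
The check done by eye in this thread (does the ASA answer the client's UDP 500 packets?) can be run over capture text in the `show capture` line format posted above. This is an added example, not part of the original posts; the function names, the addresses (documentation ranges) and the sample capture are constructed for illustration.

```python
import re

IKE_PORTS = {500, 4500}  # IKE and IKE NAT-T

# Matches lines such as:
#    1: 15:44:18.570160 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500:  udp 868
CAPTURE_RE = re.compile(
    r"^\s*\d+:\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?:802\.1Q\s+vlan#\d+\s+P\d+\s+)?"            # VLAN tag is optional
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\S+)\.(?P<dport>\d+):\s+udp\s+(?P<size>\d+)\s*$"
)

GATEWAY = "203.0.113.10"  # constructed stand-in for OFFICE_IP

# Constructed sample: one answered IKE exchange, one IPsec-over-UDP packet,
# and one client whose IKE packets are retransmitted without any reply.
SAMPLE_CAPTURE = """\
   1: 15:44:18.570160 802.1Q vlan#2 P0 198.51.100.7.1151 > 203.0.113.10.500:  udp 868
   2: 15:44:18.579269 802.1Q vlan#2 P0 203.0.113.10.500 > 198.51.100.7.1151:  udp 444
   3: 15:44:18.703866 802.1Q vlan#2 P0 198.51.100.7.1151 > 203.0.113.10.500:  udp 172
   4: 15:44:18.706567 802.1Q vlan#2 P0 203.0.113.10.500 > 198.51.100.7.1151:  udp 76
  70: 15:45:01.825000 802.1Q vlan#2 P0 203.0.113.10.10000 > 198.51.100.7.10000:  udp 100
  81: 15:46:10.100000 802.1Q vlan#2 P0 198.51.100.7.1160 > 203.0.113.10.500:  udp 868
  82: 15:46:15.100000 802.1Q vlan#2 P0 198.51.100.7.1160 > 203.0.113.10.500:  udp 868
  83: 15:46:20.100000 802.1Q vlan#2 P0 198.51.100.7.1160 > 203.0.113.10.500:  udp 868
"""


def to_seconds(ts):
    """HH:MM:SS.ffffff to seconds since midnight."""
    hours, minutes, seconds = ts.split(":")
    return int(hours) * 3600 + int(minutes) * 60 + float(seconds)


def ike_flows(capture_text, gateway):
    """Count IKE packets per client (ip, port), split by direction."""
    flows = {}
    for line in capture_text.splitlines():
        m = CAPTURE_RE.match(line)
        if m is None:
            continue
        src, sport = m["src"], int(m["sport"])
        dst, dport = m["dst"], int(m["dport"])
        if dst == gateway and dport in IKE_PORTS:
            peer, field = (src, sport), "requests"
        elif src == gateway and sport in IKE_PORTS:
            peer, field = (dst, dport), "replies"
        else:
            continue  # not IKE to or from the gateway (e.g. udp 10000)
        now = to_seconds(m["ts"])
        flow = flows.setdefault(
            peer, {"requests": 0, "replies": 0, "first": now, "last": now})
        flow[field] += 1
        flow["last"] = now
    return flows


def unanswered(flows):
    """Clients that sent IKE packets and got nothing back:
    (peer, packets sent, seconds between first and last packet)."""
    return [(peer, f["requests"], round(f["last"] - f["first"], 3))
            for peer, f in flows.items()
            if f["requests"] and not f["replies"]]


if __name__ == "__main__":
    flows = ike_flows(SAMPLE_CAPTURE, GATEWAY)
    for peer, f in flows.items():
        print(peer, f["requests"], "sent,", f["replies"], "received")
    print("unanswered:", unanswered(flows))
```

Run against a capture taken on the outside interface, an empty result together with client-side timeouts points upstream of the ASA; an entry in `unanswered` means the packets arrived and the ASA stayed silent.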

  • VPN and Remote Desktop Connection

    I have a standalone windows 2012 server that runs a domain with a few workstations. I have successfully configured a PPTP VPN and can connect using a Windows 7 computer at home. Once connected to the VPN, I can Remote Desktop to the server - but not any other computers. The computer I'm trying to connect to runs Windows 7 and has remote desktop connections enabled.
    Under the Access Details in the Remote Access Management the VPN connection is shown correctly first to the router (x.x.x.1) then the server (x.x.x.2) under Protocol 17 and Port 53. Then the server is shown again under Protocol 17 and Port 3389, which must be the Remote Desktop connection. And then the workstation on the domain (x.x.x.20) also shows a connection with Protocol 17 and Port 3389. However, the remote desktop connection fails every time. I'm not sure where the issue exists since it appears the server is seeing and acknowledging the remote desktop connection. On my router I have PPTP passthrough enabled and port forward 3389 to the server.
    I have attempted to use the workstations internal IP address as well as the computer name (workstation and workstation.domain.local) when connecting.
    Thanks for your help.
    I just noticed these three event errors on the destination remote machine. Not sure why it's trying to use L2TP?
    Failed to apply IP Security on port VPN2-1 because of error: A certificate could not be found.  Connections that use the L2TP protocol over IPSec require the installation of a machine certificate, also known as a computer certificate..  No calls will be accepted to this port.
    A certificate could not be found. Connections that use the L2TP protocol over IPsec  require the installation of a machine certificate, also known as a computer  certificate. No L2TP calls will be accepted.
    The Secure Socket Tunneling Protocol service either could not read the SHA256 certificate hash from the registry or the data is invalid. To be valid, the SHA256 certificate hash must be of type REG_BINARY and 32 bytes in length. SSTP might not be able to retrieve the value from the registry due to some other system failure. The detailed error message is provided below. SSTP connections will not be accepted on this server. Correct the problem and try again.

    Morning Trent,
    I don't know if this is still an issue for you, did you get it solved?
    If not, check on the server whether the user credentials that you're using to RDP to the workstation are actually authorised server-side. If that checks out, on the VPN connection you can specify a protocol to use. Specify the protocol that your VPN is configured to use on the server.

  • Windows 8.1 Pro Need command to disable "Use default gateway on remote network" option on VPN connection

    Hello!
    I want to create a bat script to create several VPN connections.
    There is a PowerShell command to create a VPN connection:
    add-vpnconnection -name "Test VPN" -serveraddress "vpn.example.com" -splittunneling -tunneltype "pptp"
    And I need to create a VPN connection without the "Use default gateway on remote network" option on the VPN connection,
    or modify this option on an existing VPN connection with a command.
    Please help me to find a command option or other command to disable the "Use default gateway on remote network" option on a VPN connection.

    http://technet.microsoft.com/nl-nl/library/ee431701%28v=ws.10%29.aspx
    RouteIPv4TrafficOverRAS
    True – Add a default gateway on the VPN connection
    False – Do not add default gateway on the VPN connection

  • Using the personal hotspot feature on the iPhone 5, I am able to connect to the internet.  We also use Juniper NCP client to access our system remote.  A VPN connection is created, but I am unable to access servers on our network.  This works on iPhone 4.

    Using the personal hotspot feature on the iPhone 5, I am able to connect to the internet.  We also use Juniper NCP client to access our local system from a remote location.  A VPN connection is created, but I am unable to access servers in our network.  This same functionality works using my colleague's iPhone 4.
    Both phones are running iOS 6.1.3.  I tried to reset network settings, but still unable to ping servers in our network.  This is a feature that our sales team relies heavily on when out of the office.  Hoping someone has some suggestions on what is different between the 2 phones.

    Hi,
    Generally, this issue should be related to something called split tunneling. Since you’re using an F5 VPN client, you need to look for something related to split tunneling in the F5 VPN client's documentation.
    Here is an example, share it with you as a reference.
    http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm_config_10_2_0/apm_config_networkaccess.html
    In addition, you can refer to the link below for more solutions to this problem.
    You Cannot Connect to the Internet After You Connect to a VPN Server
    http://support.microsoft.com/kb/317025
    NOTE: This response contains a reference to a third party World Wide Web site. Microsoft is providing this information as a convenience to you. Microsoft does not control these sites and has not tested any software or information found on these sites.
    Yolanda Zhu
    TechNet Community Support

  • Outlook 2007 intermittent loss of connection at remote VPN Site

    We have some remote sites connected by IPSEC site-to-site VPN. Users run Outlook 2007 connected to Exchange 2007 at the main site.
    It is common for Outlook to go through periods of losing and regaining connections: Outlook constantly displays connection messages. The error occurs on an intermittent basis and does not affect all users at the remote site; the problem usually disappears after a day. Users can get access to e-mails through OWA and this does not have the same outage errors.
    Not sure if it is related to other traffic running over VPN link but I cannot find any obvious cause.

    Hi,
    The intermittent Outlook connection issue can be caused by the following factors:
    1. Network issue.
    2. Exchange Server performance issue.
    3. Outlook client side issues.
    What’s your Exchange environment? How many Exchange servers and Server Roles?
    In Exchange 2007, Outlook connects directly to the Mailbox Server. So, if you have multiple Mailbox Servers, please confirm whether the problematic users are all on the same Mailbox Server.
    You can take a performance monitor to check whether the RPC request is too high:
    http://blogs.technet.com/b/mikelag/archive/2008/05/02/perfwiz-replacement-for-exchange-2007.aspx
    Thanks,
    Simon Wu
    TechNet Community Support

  • Connecting two remote LANs through a VPN connection

    1) I am trying to interconnect two LANs as you see below.
    2) The scenario is to interconnect two LANs with a single domain “domain.local” in order to have two domain controllers backing up each other. We already have a Domain Controller “SRVDC1.domain.local” in our local network “LAN1” and another Server which is going to be both our secondary domain controller and VPN Server “SRVDC3.domain.local” in our remote network “LAN2” where is the Netelligent Network. I am trying to make these two servers (our two LANs) visible to each other by a MikroTik Cloud Router Switch solution.
    3) I am using a MikroTik Router as a PPTP Client to VPN to our Remote Server SRVDC3 (87.75.45.66/29).
    4) All the computers in LAN1, including Server SRVDC1, have a gateway set on “192.168.10.1” which is an Asus WiFi Router as a core switch which is connected to our Fiber Optic Translator.
    5) To prevent and minimize any down-time risk during the configuration, I have isolated one computer “table2pc5.domain.local” as a sample of the whole network, by changing its gateway set to 192.168.10.6 (the Ether3-Slave-Lacal-interface on the MikroTikRouter). I am going to replace the “Asus WiFi Router” shown in the map by the MikroTik Router later, after making sure that everything would work properly, so everything is going to be naturalized after.
    6) My solution simply can be explained as below:
       a. Providing another interface in addition to the “Netelligent Network” adapter.
       b. To assign a LAN-based IP (in network range 192.168.10.0/24) to the added adapter (Microsoft Virtual Adapter).
       c. Configuring SRVDC3 in Netelligent network “LAN2” as a Remote Access Server (VPN Server).
       d. To provide a MikroTik Router/Firewall on the edge of LAN1 as VPN Client.
       e. Configure the MikroTik Router VPN PPTP connection to SRVDC3 via the Internet.
       f. To have two LANs connected through a permanent VPN connection.
    7) IP Addresses for the three EDGE-Devices (SRVDC1 <-> MikroTik Router <-> SRVDC3) are as below:
       a. SRVDC1:
          Interface: Local Area Connection
          IP Address: 192.168.10.2/24
          Gateway: 192.168.10.1/24 (Asus WiFi Router)
          DHCP Server Pool: 192.168.10.1 – 192.168.10.254 (exclusions 10.1-10.50 , 10.50-10.99 , 10.200-10.254)
       b. MikroTikRouter:
          Interface: Local IP                 IP Address: 192.168.88.1/24
          Interface: Ether1-gateway-master    IP Address: 192.168.0.1/24
          Interface: Ether2-master-local      IP Address: 192.168.88.1/24
          Interface: ether3-slave-local       IP Address: 192.168.10.6/24
          DHCP Server Pool: 192.168.10.1 – 192.168.102.254
       c. SRVDC3:
          Interface: Netelligent Network      IP Address: 87.75.45.66/29
          Gateway: 87.75.45.65/29
    Interface:          
    Microsoft Network Adapter     
    IP Address:     192.168.10.50/24
    Gateway: 192.168.11.1
    Interface:          
    PPP Adapter RAS                  
    IP Address:     192.168.11.1/24                      
    gateway:
    8)   
    The node “table7pc2.domain.local” is not able to see<o:p></o:p>
    Now, I would ask you to help me to realise this solution by helping me to find the Bad-Routing problem, and letting me know how to fix it.
    What NAT / route paths or other configuration do I need to make these two LANs visible and recognizable to each other?
    I would like to introduce the critical nodes which play important roles in this configuration. I have tried to colour-mark them in order to make them easier to recognise once you take a look at the “Ping Result” table.
    The “Ping Result” table should give you an idea of which nodes are able to see which others, and where the problem hides itself.

    I got my own answer :D
    1) I have to right-click on my "Routing and Remote Access" Server.
    2) On the IPv4 tab, I should define a static IP pool. I had done that before, but since I had chosen a wide range, 192.168.11.0/24, the router was taking a different IP address every time; so I should define a very small pool with two nodes, 192.168.11.1 and 192.168.11.2. In this way, I'll have the local address (router) as 192.168.11.2 and the remote address (my remote server) as 192.168.11.1.
    3) After the PPTP connection has been established successfully, I should add a static route to the "Netelligent Network" adapter. I had done it, but in the RRAS routes, so that's why it didn't work. So:
    C:\SRVDC3>_ route -p add 192.168.10.0 mask 255.255.255.0 192.168.11.2
    [Enter]
    Now, I would be able to ping all of the computers whose gateways are set on 192.168.10 (router),
    and if I want to see all of the computers in the first LAN, I have to put my router at the edge of the network instead of the ASUS WiFi Router, then change its IP address to 192.168.10.1, or alternatively set all of the computers' gateways to 192.168.10.6.

  • No Remote Desktop connection without VPN

    Not sure if this belongs here, my apologies in advance.  I have a remote user with an ASA 5505 device that should be able to connect to a Remote PC using RDP, but is only able to do so if she 1st connects to the Check Point VPN client.  I can't comment on the ASA config, but I have others with the same exact setup at home that don't need the VPN.
    Any help is appreciated, Chet

    I sometimes suffer a similar problem, where my VPN connection works, but I can't Remote Desktop to some machines.
    This usually turns out to be routing rules on my PC, or firewall settings.
    Firstly, has anything changed on your PC?  Upgrade, new software etc?  Or the work network?
    When connected on the VPN, can you ping your work PC by name or by IP address?
    CharlieF

  • Can I enable "Use default gateway on remote network" on VPN connection using Group Policy?

    Hi,
    First timer here so please bear with me!
    Environment: Domain Windows 2003, Clients: Windows 7 and Windows XP (with Client Side Extensions pushed out)
    When creating a VPN connection on a client machine manually with default settings the "Use default gateway on remote network" found in [Connection Properties - Networking - IPv4 - Advanced] is enabled, which is good as we don't allow split-tunneling.
    I have a test GPO that creates a new VPN Connection [Computer Config - Preferences - Control Panel - Network Options], but the above setting is unticked.
    Am I missing something on the options for the GP preference to set this automatically?
    I can write a script to directly change the C:\Users\All Users\Microsoft\Network\Connections\Pbk\rasphone.pbk file but would prefer if I could sort it all out using Group Policy.
    Any help would be greatly appreciated!
    Thanks a lot!
    David

    Shane,
    There is actually a way to set the "Use default gateway on remote network" through Group Policy Preferences. And this may even be a better way to do it, because you may change this flag without touching any other settings, or other VPN connections.
    (All VPN connections are stored in the same .pbk file.)
    Here's the trick: Opening the .pbk file in Notepad, I realized that this is actually an old-style ini-structured file. And Group Policy Preferences can update ini files! In the .pbk file the section names are the VPN connection names, like [My VPN], and the property IpPrioritizeRemote is the flag "Use default gateway on remote network".
    So, in Group Policy Management Editor, go to Preferences / Windows Settings / Ini Files.
    Create a new object with Action = Update, and File Path =
    C:\ProgramData\Microsoft\Network\Connections\pbk\rasphone.pbk
    (If this is where your file is located, I guess it is in c:\users if the VPN connection is made for a single user.)
    Section Name should be the display name of your VPN connection, without the brackets.
    Property Name = IpPrioritizeRemote
    Property Value = 1
    Peter, www.skov.com, Denmark
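
    A read-only check for the flag described in the answer above, as an added example that is not part of the original thread: it parses a phonebook as an ini file and reports, per connection, whether IpPrioritizeRemote is 1 or whether split tunneling is allowed. The function names and the sample entries are constructed for illustration.

```powershell
# Added example: audit a rasphone.pbk phonebook for VPN entries that allow split tunneling.
# IpPrioritizeRemote=1 corresponds to "Use default gateway on remote network" being ticked.

function Get-PbkEntry {
    param([string[]]$Lines)
    $entries = [ordered]@{}
    $current = $null
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') {
            # Section header: the display name of one connection
            $current = $Matches[1]
            $entries[$current] = @{}
        }
        elseif ($current -and $text -match '^([^=]+)=(.*)$') {
            $key = $Matches[1]
            # If a key repeats inside one entry, keep the first value seen
            if (-not $entries[$current].ContainsKey($key)) {
                $entries[$current][$key] = $Matches[2]
            }
        }
    }
    $entries
}

function Test-PbkSplitTunnel {
    param([string[]]$Lines)
    $entries = Get-PbkEntry -Lines $Lines
    foreach ($name in $entries.Keys) {
        $value = $entries[$name]['IpPrioritizeRemote']
        [pscustomobject]@{
            Connection         = $name
            IpPrioritizeRemote = $value
            # A missing key or any value other than 1 is reported as split tunneling
            SplitTunnel        = ($value -ne '1')
        }
    }
}

# Constructed sample: three entries reduced to the keys of interest (real entries carry many more).
$sample = @'
[Head Office VPN]
IpHeaderCompression=0
IpPrioritizeRemote=1

[Lab VPN]
IpPrioritizeRemote=0

[Entry Without Flag]
IpHeaderCompression=0
'@ -split "`r?`n"

# To audit a real machine, load the all-users phonebook named in the post instead:
# $sample = Get-Content 'C:\ProgramData\Microsoft\Network\Connections\pbk\rasphone.pbk'
Test-PbkSplitTunnel -Lines $sample | Format-Table -AutoSize
```
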
    Peter :-)
    This is great, but just one question. I also want to append a list of DNS suffixes in order (when viewing a VPN's properties, this is buried in "Networking --> IPv4/6 --> Advanced --> DNS --> Append these DNS Suffixes (in order)"). However, for the VPNs I have manually created with this list populated, I can't see any entries in the rasphone.pbk. Does anyone know where these are stored?
    Cheers.

  • Dual Simultaneous Site to Site VPN connections

    My goal is to have an 891 router at a branch office with two, always active VPN tunnels where the routing would switch to the secondary tunnel within the 891. On the Hub side there would be two ISPs connected into the same MPLS cloud which has internet access. Is this possible? Which device should I terminate the VPNs on. Typically used ASAs in the past.
                    Remote Site
                           I
                         891
                           I
                     Cable/DSL
                           I
                       MPLS
                           I
                    ISP1 ISP2
                       I        I
                     R1     R2
                       I        |
                    ASA  ASA
                       I        I
            Core SW1  SW2 Core
                        Server
    To take it even further I would like to configure the branch office with two ISPs but have a VPN connection over both.

    Hi,
    As far as I know, you can't create two IPSec VPN tunnels from the same source to the same destination on a single router. For this you may consider DMVPN, but the ASA doesn't support this yet. You would typically need an ISR router to do this.
