How to determine an initiator and responder in L2L - IPSEC VPN
Hi Guys,
One of the clients I'm working with has requested that I change the initiator from Site A to Site B. Currently, Site A is the initiator and Site B is the responder. The reason is that the client could not access any sub-client site from Site A. In case the tunnel goes down, they want Site B to initiate traffic to Site A. I am not sure how to change a VPN tunnel so that Site B is the initiator and Site A the responder, or whether this is an automated process. I understand that it doesn't matter, since it still needs to negotiate the SA and policies for tunnel establishment either way, but is there a manual way of doing it via ACL or ISAKMP policy? Or are there any parameters we can set to control this?
Both firewalls are ASA 5500 Series (5520).
Please help. Appreciate it.
Thank you.
Hey,
Thanks a ton for posting this out here. I am sure it will be helpful for people trying this out.
Regards,
Prapanch
Similar Messages
-
How to determine server host and server port
Dear Experts.
How to determine the server host and server port where the Webdynpro application is running.
If the url is following
http://sapr3dm:50500/webdynpro/dispatcher/local/ForecastingPowerProject2/NewObjectConnection?SAPtestId=6
How to receive sapr3dm and 50500?
Hi,
May be of use
WDProtocolAdapter.getProtocolAdapter().getRequestObject().getServerName();
WDProtocolAdapter.getProtocolAdapter().getRequestObject().getServerPort();
Regards
Ayyapparaj -
How to nat subnets before establishing site to site ipsec vpn tunnel?
Hello,
Coming across a requirement which is new to me, as I have not done this setup. Details as follows. Hope someone can help.
Requirement: nat existing subnets to 192.168.50.0/24 subnet which is allowed at another firewall.
Existing device: Cisco 5510 where I need to do this NAT.
Existing scenario in short: I have created VLANs on the ASA by creating sub-interfaces.
Changes done: added a new sub-interface for 192.168.50.0. Added a new object for 192.168.50.0. Now done with creation of the ACL where traffic from 192.168.50.0 to the remote subnets is allowed. In the NAT object section, done NATing 1-to-1, i.e. existing subnet to 192.168.50.0.
Done the IPsec VPN setup including phase 1 & 2.
Now tried to ping remote hosts but they are not reachable.
Please advise how to make it work.
I don't have any router next to the ASA 5510. The ASA is in routed mode. Next hop from the ASA is the ISP's mux.
Hello. Please find my answers inline.
I first got the picture that the NAT network is 192.168.50.0/24 and some other networks should be NATed to this.
Answer: Thats correct.
Later on it seems that you have configured this to some interface on the ASA?
Answer: Yes, as I have defined VLANs on the ASA itself, i.e. other subnets too, i.e. the 10.x series & 192.168.222.x series. I used Ethernet 0/0 as the main interface for all LAN networks and have created sub-interfaces, i.e. VLANs, on it. Using a 3COM switch downstream of the ASA to terminate those VLANs & distribute to unmanaged switches. Due to port limitations on the ASA I have configured the VLANs on the ASA itself. Ethernet 0/2 is my WAN interface, i.e. the ISP link terminates on the Eth 0/2 port.
So are you attempting to NAT some other LAN networks to this single NAT network before the traffic heads to the L2L VPN connection on your ASA?
Answer: Yes, that's right. Attempting to NAT multiple networks to a single NAT network before traffic heads to the L2L VPN connecting from my ASA 5510 to the remote Citrix firewall.
Can you then mention what are the source networks and source interfaces for these networks? What is the destination network at the remote end of the L2L VPN connection?
Answer: Source networks = 10.100.x series & 192.168.222.x series / Destination networks are from the 192.168.228.x, 192.168.229.x series. The remote admin wants us to NAT our multiple subnets to a single subnet, i.e. 192.168.50.0, and then traffic from this subnet is allowed at the remote end.
Do you want to just do a NAT Pool of the 192.168.50.0/24 network for all your Internet users OR does the remote end also have to be able to connect to some of your sites hosts/servers?
Answer: Yes, I just want to NAT the LAN subnets to 192.168.50.0/24 for all LAN users. One-way access. I am going to access remote servers.
The new thing for me is how to NAT multiple subnets. I have existing IPsec VPNs where I have added multiple subnets, which is the traditional setup for me. This requirement is new to me. -
How to determine the Country and Organization from IP
Hi,
I would like to determine the Country and Organization from a given IP. I have to write a JSP which, when given the IP address, gives the country and the organization to which the IP belongs. The organization may be the ISP, or an MNC or any other corporate/government body, or it may be an individual. I have to do it programmatically from inside a JSP.
Any suggestions anybody
Thanks in advance for your reply
Even when tracking IPs, if it is static you can narrow it down pretty far - if it's dynamic, you can only narrow it down to a specific part of the country.
-
How to determine SMTP hostname, and port?
I need to create an e-mail configuration option in my application. And I have to determine what e-mail settings are installed.
Regards, Kostya!
Hi Kostya,
check out the interesting posting done by Jornica at http://jornica.blogspot.com/2007/01/apex-system-preferences.html
Patrick
Check out my APEX-blog: http://inside-apex.blogspot.com -
How to determine OS version and patch level?
I have Oracle Linux, and uname -a is as follows:
# uname -r
2.6.39-200.29.2.el6uek.x86_64
Exadata node:
# imageinfo
Kernel version: 2.6.18-274.18.1.0.1.el5 #1 SMP Thu Feb 9 19:07:16 EST 2012 x86_64
Image version: 11.2.3.1.1.120607
Image activated: 2012-08-07 11:51:55 -0400
Image status: success
System partition on device: /dev/mapper/VGExaDb-LVDbSys1
Thanks!
Edited by: 943714 on Feb 28, 2013 12:28 PM
Edited by: 943714 on Feb 28, 2013 12:45 PM
You might want to check http://www.oracle.com/us/technologies/027626.pdf
And also:
<pre>
# yum info oraclelinux-release enterprise-release
Loaded plugins: security
This system is not registered with ULN.
ULN support will be disabled.
Installed Packages
Name : enterprise-release
Arch : x86_64
Epoch : 6
Version : 5
Release : 8.0.3
Size : 57 k
Repo : installed
Summary : Enterprise Linux release file
License : GPL
Description: System release and information files
Name : oraclelinux-release
Arch : x86_64
Version : 5
Release : 8.0.2
Size : 32
Repo : installed
Summary : Oracle Linux release file
License : GPL
Description: System release file
</pre> -
In RV 042 How to determine Source IP and Destination IP?
Good day,
Sir, is my configuration correct for the Source IP and for the Destination IP? 192.168.0.1 is my router.
I'm binding:
http
http secondary
https
to Wan1
Thank YOU..
-newbie
Hi Ian, thank you for using our forum, my name is Luis and I am part of the Small Business Support Community.
I will be more than glad to assist you with your configuration. I found an article where you could get specific steps in order to configure the Protocol Binding. Please check the link below.
Manage Protocol Binding
Please search Manage Protocol Binding in the article.
I hope you find this answer useful,
“Please rate useful posts so other users can benefit from it”
Greetings,
Luis Arias.
Cisco Network Support Engineer. -
How can I improve performance over a Branch Office IPsec VPN tunnel between an SA540 and an SA520
Hello,
I just deployed one Cisco SA540 and three SA520s.
The SA540 is at the Main Site.
The three SA520s are the spoke sites.
Main Site:
Downstream Speed: 32 Mbps
Upstream Speed: 9.4 Mbps
Spoke Site#1:
Downstream Speed: 3.6 Mbps
Upstream Speed: 7.2 Mbps (yes, the US is faster than the DS at the time the speed test was taken).
The SA tunnels are "Established"
I see packets being transmitted and received.
Pinging across the tunnel has an average speed of 32 ms (which is good).
DNS resolves names to ip addresses flawlessly and quickly across the Inter-network.
But it takes from 10 to 15 minutes to log on to the domain from the Spoke Site#1 to the Main Site across the vpn tunnel.
It takes about 15 minutes to print across the vpn tunnel.
To remedy this, we have implemented Terminal Services across the Internet.
Printing takes about 1 minute over the Terminal Service Connection, while it takes about 15 minutes over the VPN.
Logging on to the network takes about 10 minutes over the vpn tunnel.
Using an LOB application takes about 2 minutes per transaction across the vpn tunnel; it takes seconds using Terminal Services.
I have used ASAs before in other implementations without any issues at all.
I am wondering whether replacing the SAs with ASAs would fix my problem.
I wanted to go Small Business Pro, to take advantage of the promotions and because I am a Select Certified Partner, but from my experience, these SA VPN tunnels are unusable.
I opened a case with Small Business Support on Friday evening, but they couldn't even figure out how to rename an IKE Policy Name (I figured out that you have to delete the IKE Policy; you cannot rename them once they are created).
Maybe the night/weekend shift has a skeleton crew, and the best engineers are available at that time or something.... I don't know.
I just know that my experience with the Cisco TAC has been great for the last 10 years.
My short experience with the Cisco Small Business Support Center has not been as great at all.
Bottom Line:
I am going to open another case with the Day Shift tomorrow and see if they can find a way to speed things up.
Now this is not just happening between the Main Site and Spoke Site #1 above. It is also happening between the Main Site and Spoke #2 (I think Spoke #2 has a download speed of about 3 Mbps and an upload speed of about 0.5 Mbps).
Please help.
I would hate to dismiss the SA5xx series without making sure it is not just a simple configuration setting.
Hi Anthony,
I agree! My partner wants to just replace the SA5xxs with ASAs, as we have never had problems with ASA VPN performance.
But I want to know WHY this is happening too.
I will definitely run a sniffer trace to see what is happening.
Here are some other things I have learned from the Cisco Small Business Support Center (except for Item 1 which I learned from you!)
1. Upgrade the SA540 at the Main Site to 2.1.45.
2a. For cable connections, use the standard MTU of 1500 bytes.
2b. For DSL, use the following command to determine the largest MTU that will be sent without packet fragmentation:
ping -f -l packetsize
Perform the items below to see if this increases performance:
I was told by the Cisco Small Business Support Center that setting up a Manual Policy is not recommended; I am not sure why they stated this.
3a. Lower the IKE encryption algorithm from "AES-128" to DES.
3b. Lower the IKE authentication algorithm to MD5
3c. Also do the above for the VPN Policy
Any input is welcome! -
Hi everyone,
If an IPsec VPN is running between two sites, how can we tell which site was the IKE initiator and which the responder?
If both sites are big sites.
Thanks
Mahesh
Hello Mahesh,
First answer was how to check who is initiator on ASA.
In case of router
You can do "sh cry isa sa"
R2#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
10.10.10.2 10.10.10.1 QM_IDLE 7018 ACTIVE
10.10.10.1 10.10.10.2 MM_NO_STATE 7017 ACTIVE (deleted)
The owner of the IP address in the src column is the initiator.
Best Regards,
Eugene -
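The src-column rule Eugene gives above, applied to the opening question of this page as well (which site is the IKE initiator and which the responder), as an added example that is not part of either post: a small Python parser for the IOS "show crypto isakmp sa" table. The sample output is constructed from the rows quoted above (column spacing is assumed); peer_roles() reports our role per peer and ignores rows tagged "(deleted)", because a torn-down SA can show the opposite direction from the one now in use, as the second row above does.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample, modelled on the "sh cry isa sa" output quoted in the
# thread (IOS "IPv4 Crypto ISAKMP SA" table); column spacing is assumed.
SAMPLE_OUTPUT = """\
R2#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.10.10.2      10.10.10.1      QM_IDLE           7018 ACTIVE
10.10.10.1      10.10.10.2      MM_NO_STATE       7017 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA
"""


@dataclass
class IsakmpSa:
    dst: str
    src: str
    state: str
    conn_id: int
    status: str
    deleted: bool  # row carries a trailing "(deleted)" tag


# One table row: dst, src, state, conn-id, status, then anything trailing.
ROW_RE = re.compile(
    r"^(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<state>\S+)\s+(?P<conn_id>\d+)\s+(?P<status>\S+)(?P<rest>.*)$"
)


def parse_isakmp_sa(text: str) -> List[IsakmpSa]:
    """Parse every SA row; the prompt, headings and blank lines are skipped."""
    sas = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        sas.append(IsakmpSa(
            dst=m["dst"], src=m["src"], state=m["state"],
            conn_id=int(m["conn_id"]), status=m["status"],
            deleted="(deleted)" in m["rest"],
        ))
    return sas


def live_sas(sas: List[IsakmpSa]) -> List[IsakmpSa]:
    """Keep only SAs that are ACTIVE and not marked as deleted."""
    return [sa for sa in sas if sa.status == "ACTIVE" and not sa.deleted]


def role_of(local_ip: str, sa: IsakmpSa) -> str:
    """Eugene's rule: the owner of the address in the src column initiated."""
    if sa.src == local_ip:
        return "initiator"
    if sa.dst == local_ip:
        return "responder"
    raise ValueError(f"{local_ip} is not a peer of this SA")


def peer_roles(text: str, local_ip: str) -> Dict[str, str]:
    """Map peer address -> our role, using live (non-deleted, ACTIVE) SAs only."""
    roles: Dict[str, str] = {}
    for sa in live_sas(parse_isakmp_sa(text)):
        if local_ip not in (sa.src, sa.dst):
            continue  # an SA between some other pair of peers
        peer = sa.dst if sa.src == local_ip else sa.src
        roles[peer] = role_of(local_ip, sa)
    return roles


if __name__ == "__main__":
    for sa in parse_isakmp_sa(SAMPLE_OUTPUT):
        print(sa)
    print(peer_roles(SAMPLE_OUTPUT, "10.10.10.1"))
```

Run as a script it prints the two parsed rows and then {'10.10.10.2': 'initiator'} for 10.10.10.1; asking from 10.10.10.2's side gives "responder" for the same SA. The ASA's own show crypto isakmp sa output prints a Role field per peer, so this column rule is needed for the IOS-style table rather than for the ASA.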
How to determine the field size
I am going to make a multiplatform application that hopefully will run on Linux and Windows 2000. If the OS is 2000, then I will use vb.net/aspx, else I'll use Java servlets. I make the connection to the web server (through HTTP), not directly to the database server. So the result set will be stored in a String object, with the columns separated by a delimiter. Our problem is how to determine the size and type of the fields of MSSQL, Oracle and Postgres databases so that we can include them in the String object.
Ex.
String sResultSet = new String();
ResultSet rs = statement.executeQuery(sSQL);
while (rs.next()) {
    sResultSet = sResultSet + rs.getString(field1) + "||" + rs.getString(field2) + "||";
}
The vertical bars act as the delimiter.
Supposedly this would be the code:
sResultSet = sResultSet + rs.getString(field1) + "_" + rs.getFieldType() + "_" + rs.getFieldSize() + "||"
           + rs.getString(field2) + "_" + rs.getFieldType() + "_" + rs.getFieldSize() + "||";
Supposedly this is the code, if the rs.getFieldType() and rs.getFieldSize() methods existed.
Can anyone give me an idea how to get the field type and field size of the database?
Thanks in advance
Yes, but I don't know how to do it.
Can you give me an example of using it.
Thanks in advance -
Determination the Direction and Borders problem
Hi all
I have a problem with how to determine the direction and the neighbour for a polygon, as in the picture.
picture in (http://www.4shared.com/photo/CQhYa1LV/1_online.html?)
I want to determine:
From north: polygon with object Id=.....
From south: streets with object Id=.....
From east: streets with object Id=.....
From west: polygon with object Id=.....
I have started and identified the directions: the land line of 29 meters is the north,
and the line of 25.4 is the south ......
Now how can I determine the border of the land?
Means:
north ... land with number 2
south ... street with 15 meters width
Can anyone help or have a good idea?
Some real data (i.e. the sdo_geometry of the polygon in the image) would be useful.
The main issue here is not so much the writing of the bearings and distances against the line segments,
but determining which segments should be so labelled.
I have dealt with the basics of extracting and marking polygon segments in articles like this http://www.spatialdbadvisor.com/oracle_spatial_tips_tricks/74/spatial-pipelining before.
But this is roughly how I would go about removing those shared boundary segments so that I only had those segments that front a street:
select T_Vector(va.vector_id, va.element_id, va.subelement_id, va.startCoord, va.endCoord).AsSdoGeometry(null) as geom,
       codesys.Cogo.DD2DMS(
         codesys.Cogo.Bearing(va.startCoord.x, va.startCoord.y, va.endCoord.x, va.endCoord.y) * (180/codesys.Constants.PI)) AS bearing,
       ROUND(codesys.Cogo.Distance(va.startCoord.x, va.startCoord.y, va.endCoord.x, va.endCoord.y), 2) AS distance
  from source_table a,
       table(ST_Vectorize(a.geom)) va,
       source_table b
 where a.<primary key> = <value>
   and sdo_covers(b.geom,
                  T_Vector(va.vector_id, va.element_id, va.subelement_id, va.startCoord, va.endCoord).AsSdoGeometry(null)) = 'TRUE'
   and b.<primary key> <> a.<primary key>;
The COGO and GEOM packages and the T_Vector object are available for download from my website.
In short you:
1. Take the base polygon;
2. Break it into 2 vertex segments;
3. Use each segment to find a polygon in the original table it lies on;
4. Ensure that the found polygon is not the same as the source of the segments;
5. Generate the bearing and distance.
regards
Simon -
Receiving and responding to xml post
Hi there,
I have a project where I have to receive certain parameters in a POST using an XML document, and then respond with an XML response document.
My application is a standalone java app.
I have created the sockets, and can receive and send on them, I just don't quite understand yet how to receive the document and respond.
any help will really be appreciated.
Thanks
Brenda
Brenda,
Tomcat is a J2EE container (well, a Java web container without EJB support); it does supply the javax.servlet classes.
In answer to your other question, I have a web application that uses Xerces within a servlet and it's fine. A web container like Tomcat will support just about any code as long as it can load the classes.
You need to look into War (web archive) files for production use, but to get started, just consider the file locations:
C:\tomcat\webapps\ROOT\WEB-INF\classes
This is where the root context loads its class files from
C:\tomcat\webapps\ROOT\WEB-INF\lib
This is where it loads jarred class files (e.g. xerces.jar)
Also you'll need to create a servlet entry in your
C:\tomcat\webapps\acuo\WEB-INF\web.xml
file:
<servlet id="Servlet_2">
<servlet-name>name</servlet-name>
<description>Your description</description>
<servlet-class>com.package.Classname</servlet-class>
</servlet>
So, it's all straightforward enough once you know where to put everything. There are also tools around that make the war file creation easier.
So, best of luck,
Dom. -
Inbuilt cisco IPSEC vpn client and KeyLife Timeout setting...
Hi Guys
I am having issues with the built-in Cisco VPN client on the Mac; I am currently using Mac OS X 10.7.4.
I have a Fortigate 200B device and have set up the IPsec VPN settings to have a key life of 86400 seconds.
However, the experience I am having with the Mac clients is that after about 50 minutes the users are being asked to re-authenticate to the VPN...
When checking the debug logs I can see that the peer (Mac client) is setting the phase 2 tunnel key lifetime to 3600 seconds, which is 1 hour...
Usually in IPsec a re-negotiation process takes place about 10 minutes or so before the key expires..
My question is where are the VPN settings kept in the Mac... I know it uses Racoon for the IPSec exchange of key and so I would like to tweak the VPN profiles so that the mac sets the lifetime of the key to 86400 instead of 3600 by default...
Also want to be able to set logging to debug mode for the Racoon application on mac clients.
Your help is much appreciated
Kind Regards
Mohamed
Hi Tony,
to the best of my knowledge this is currently not possible, but will be once this enhancement is implemented:
CSCsw31922 Radius upstream VSAs (Tunnel Group,Client type) for VPN policy decisions
You may want to try and ask in the AAA forum if there is anything you can do on ACS...
hth
Herbert -
In the App Store some applications are of a very small size, like 15-20 MB, and after installing them they become more than 100 MB. How to determine their actual size?
The app store size is probably just the software, while the size on your iPhone includes data.
You can determine the size on your iPhone by looking at Settings > General > Usage. -
How to determine height and width of a JScrollPane client
Hi,
I wish to display a webpage in a JScrollPane and wish to determine the height and width of the HTML content so that I can use the information to generate PDF and control the content on each page. Can anybody let me know how I can do this?
Thanks in advance
Prashant Baj
JEditorPane and getSize()?