HTTP and SMB over Cisco LAN-to-LAN IPSec-VPN
we are connecting Cisco 887VA router with various other Non-Cisco routers.
VPN tunnels are up and we can ping devices on the remote network through the VPN.
However, we have a few devices (on the Cisco LAN) that provide a web interface (NAS etc) and these are not accessible over the VPN; the connection seems to just hang like it's waiting for a response, but it never gets one and eventually the browser times out.
Strangely, if I request a page that does not exist from the NAS (eg. http://192.168.3.x/test) I will receive a 404 error so it is kind of working.
Similar problems with SMB, if I access \\192.168.3.x I can list the content (4 items) but if I go into one of those folders (containing 10+ items) it hangs and eventually gives up.
I have tried adjusting MTU and MSS with no change.
Any ideas? 'Cause I'm running out of hair.
My config is attached, it is most likely a mess as this is my first Cisco device so please go easy
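The symptom described above (pings and a short 404 page get through, a full page or a longer directory listing hangs) is the classic shape of a post-encryption fragmentation or path-MTU problem: a small reply fits in one encrypted packet, a full-size TCP segment does not once the ESP overhead is added. The Python below is an added example, not code from the original thread; it works out the ESP tunnel-mode overhead and derives the largest inner packet and the TCP MSS that still fit a given WAN MTU. It assumes AES-CBC with HMAC-SHA1-96 (the `esp-aes esp-sha-hmac` transform set used in the reply further down); other IV, block and ICV sizes and a NAT-T UDP header can be passed as parameters.

```python
# Added example, not code from the original post: how much of the WAN MTU
# is left for the inner packet once ESP tunnel-mode encapsulation is added,
# and therefore what TCP MSS the inside hosts should be clamped to.
# Defaults assume ESP with AES-CBC (16-byte IV and block) and HMAC-SHA1-96
# (12-byte ICV), i.e. the 'esp-aes esp-sha-hmac' transform set.

OUTER_IP = 20        # new IPv4 header added by tunnel mode
ESP_HEADER = 8       # SPI + sequence number
ESP_TRAILER = 2      # pad length + next header
NAT_T_UDP = 8        # extra UDP header when NAT traversal is in use
TCP_IP_HEADERS = 40  # inner IPv4 (20) + TCP (20), no options


def esp_packet_size(inner_len, iv=16, block=16, icv=12, nat_t=False):
    """Size on the wire of an ESP tunnel-mode packet carrying inner_len bytes."""
    body = inner_len + ESP_TRAILER
    padded = -(-body // block) * block  # pad up to the cipher block size
    size = OUTER_IP + ESP_HEADER + iv + padded + icv
    return size + NAT_T_UDP if nat_t else size


def max_inner_packet(wan_mtu=1500, **kw):
    """Largest inner IP packet that still fits in wan_mtu without fragmentation."""
    inner = wan_mtu
    while esp_packet_size(inner, **kw) > wan_mtu:
        inner -= 1
    return inner


def recommended_mss(wan_mtu=1500, **kw):
    """TCP MSS to clamp on the LAN side (IOS: ip tcp adjust-mss) so that a
    full-size segment never needs fragmenting after encryption."""
    return max_inner_packet(wan_mtu, **kw) - TCP_IP_HEADERS


def fits_unfragmented(segment_payload, wan_mtu=1500, **kw):
    """Would a TCP segment with this many payload bytes cross the tunnel whole?
    A short 404 page does; a full 1460-byte segment of a directory listing does not."""
    return esp_packet_size(segment_payload + TCP_IP_HEADERS, **kw) <= wan_mtu


if __name__ == "__main__":
    print("max inner packet:", max_inner_packet())
    print("MSS:", recommended_mss())
    print("MSS with NAT-T:", recommended_mss(nat_t=True))
    print("300-byte 404 body fits:", fits_unfragmented(300))
    print("1460-byte segment fits:", fits_unfragmented(1460))
```

With a 1500-byte WAN MTU this gives 1438 bytes for the inner packet and an MSS of 1398 (1382 with NAT-T); vendor guidance usually rounds further down, for example 1360, to leave headroom for PPPoE or other encapsulation on the WAN link.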
Hi,
I can give you an example VPN config (Cisco 1841) that works:
//192.168.49.0 INSIDE IP | 192.168.0.0/16 and 172.20.0.0/24 RemoteSite IP
access-list 102 permit ip 192.168.49.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 102 permit ip 192.168.49.0 0.0.0.255 172.20.0.0 0.0.0.255
access-list 150 deny ip 192.168.49.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 150 deny ip 192.168.49.0 0.0.0.255 172.20.0.0 0.0.0.255
access-list 150 permit ip 192.168.49.0 0.0.0.255 any
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key CRYPTOKEYHERE address REMOTEWANIP
crypto isakmp keepalive 30
crypto ipsec transform-set SETNAME esp-aes esp-sha-hmac
crypto map B2B 10 ipsec-isakmp
description b2b-fw
set peer PEERWANIP
set security-association lifetime seconds 86400
set transform-set SETNAME
match address 102
interface FastEthernet0/0
description wan_primary
crypto map B2B
ip nat outside
interface FastEthernet0/1
ip nat inside
route-map nonat permit 10
match ip address 150
ip nat inside source route-map nonat interface FastEthernet0/0 overload
Regards
Markus
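The `access-list 102` / `access-list 150` pair in the config above is the standard IOS pattern for a LAN-to-LAN tunnel running beside NAT overload: the route-map ACL has to deny (exempt from NAT) exactly the flows the crypto ACL permits, otherwise traffic for the remote site is translated to the WAN address and never matches the crypto map. The Python below is an added example, not the poster's code or a Cisco tool; it parses the `access-list N permit|deny ip ...` lines of a pasted IOS config and reports any crypto flow that a NAT `permit` would match first. The two sample configs are the pair from the reply above and a constructed variant with one `deny` missing.

```python
# Added example (not from the original post or from Cisco): check that an IOS
# crypto-map ACL and its NAT-exemption route-map ACL agree, using the
# access-list 102 / 150 pattern from the reply above.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    acl: str             # ACL number, e.g. "102"
    action: str          # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_network(addr, wildcard):
    """Convert IOS 'address wildcard' notation into an IPv4Network.
    Only contiguous wildcards (0.0.0.255, 0.0.255.255, ...) are accepted."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard} is not supported")
    return ipaddress.IPv4Network((addr, 32 - w.bit_length()), strict=False)


def _take_target(tokens):
    """Consume one address specification: 'any', 'host A' or 'A WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(f"{tokens.pop(0)}/32")
    return wildcard_to_network(tok, tokens.pop(0))


def parse_aces(config):
    """Extract 'access-list N permit|deny ip SRC DST' entries in config order.
    Other lines (crypto, interface, comments) are skipped."""
    aces = []
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        if tokens[2] not in ("permit", "deny") or tokens[3] != "ip":
            continue
        rest = tokens[4:]
        src = _take_target(rest)
        dst = _take_target(rest)
        aces.append(Ace(tokens[1], tokens[2], src, dst))
    return aces


def check_nat_exemption(config, crypto_acl, nonat_acl):
    """Return a list of findings; an empty list means the ACLs are consistent.

    The route-map ACL is evaluated first-match: a flow hitting 'permit' is
    NATed to the WAN address, a flow hitting 'deny' (or nothing) stays
    untranslated and can match the crypto map. So every crypto 'permit' flow
    must reach a fully covering 'deny' before any overlapping 'permit'."""
    aces = parse_aces(config)
    crypto = [a for a in aces if a.acl == crypto_acl and a.action == "permit"]
    nonat = [a for a in aces if a.acl == nonat_acl]
    findings = []
    if not crypto:
        findings.append(f"ACL {crypto_acl} has no 'permit ip' entries: nothing would be encrypted")
    for flow in crypto:
        for ace in nonat:
            if not (flow.src.overlaps(ace.src) and flow.dst.overlaps(ace.dst)):
                continue
            covered = flow.src.subnet_of(ace.src) and flow.dst.subnet_of(ace.dst)
            if ace.action == "permit":
                findings.append(
                    f"VPN flow {flow.src} -> {flow.dst} hits 'access-list {nonat_acl} permit' "
                    f"({ace.src} -> {ace.dst}) first: it would be NATed, not encrypted")
            elif not covered:
                findings.append(
                    f"VPN flow {flow.src} -> {flow.dst} is only partly exempted by "
                    f"'access-list {nonat_acl} deny' ({ace.src} -> {ace.dst}); check the rest")
            break  # first match decides
    return findings


# The working pair from the reply above (inside 192.168.49.0/24,
# remote 192.168.0.0/16 and 172.20.0.0/24).
GOOD_CONFIG = """\
access-list 102 permit ip 192.168.49.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 102 permit ip 192.168.49.0 0.0.0.255 172.20.0.0 0.0.0.255
access-list 150 deny ip 192.168.49.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 150 deny ip 192.168.49.0 0.0.0.255 172.20.0.0 0.0.0.255
access-list 150 permit ip 192.168.49.0 0.0.0.255 any
"""

# Constructed misconfiguration: the second exemption 'deny' was forgotten, so
# traffic to 172.20.0.0/24 falls through to 'permit ... any' and gets NATed.
BAD_CONFIG = """\
access-list 102 permit ip 192.168.49.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 102 permit ip 192.168.49.0 0.0.0.255 172.20.0.0 0.0.0.255
access-list 150 deny ip 192.168.49.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 150 permit ip 192.168.49.0 0.0.0.255 any
"""

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, check_nat_exemption(cfg, "102", "150") or ["consistent"])
```

Run it against `show running-config` output with the two ACL numbers used by `match address` in the crypto map and by `match ip address` in the NAT route-map; the same check applies to the PIX style further down, where `nat (inside) 0 access-list` plays the role of the route-map.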
Similar Messages
-
Remote site redundancy IPSEC VPN between 2911 and ASA
We already have IPSEC VPN connectivity established between sites but would like to introduce some resilience/redundancy at a remote site.
Site A has an ASA with one internet circuit.
Site B has a Cisco 2911 with one internet circuit and we have established site-to-site IPSEC VPN connectivity between the 2911 and the ASA.
Prior to getting the new internet circuit, Site B had a Cisco 877 with an ADSL line which are still available but aren’t currently in use.
The internet circuit at Site B has dropped a few times recently so we would like to make use of the ADSL circuit (and potentially the 877 router too) as a backup.
What is the best way of achieving this?
We thought about running HSRP between the 877 and 2911 routers at Site B and, in the event of a failure of the router or internet circuit, traffic would failover to the 877 and ADSL.
However, how would Site A detect the failure? Can we simply rely on Dead Peer Detection and list the public IP address of the internet circuit at Site B first with the public IP address used on the ADSL line second in the list on the ASA? What would happen in a failover scenario and, just as important, when service was restored – I’m not sure DPD would handle that aspect correctly?
I’ve read briefly elsewhere that GRE might be best to use in this scenario – but I can’t use GRE on the ASA. I have an L3 switch behind the ASA which I may be able to make use of? But I don’t want to disrupt the existing IPSEC VPN connectivity already established between the ASA and the 2911. Can I keep IPSEC between the ASA and 2911 but then run GRE between the L3 switch and the 2911? If so, how would this best be achieved? And how could I also introduce the 877 and ADSL line into things to achieve the necessary redundancy?
Any help/advice would be appreciated!
Hello,
I don't think a GRE tunnel that you could set up on the switch behind the ASA would be really helpful. You still want to establish a site-2-site tunnel between the ASA and some routers, but it is still the ASA which needs to make the decision about which peer to connect to.
A possible solution would be to do HSRP between both routers on the LAN side with two independent tunnels/crypto maps (one on each of them). On the ASA you would need to set up two hosts in set peer. The problem with this solution is that if one router at side B goes down and the second ADSL line takes over, the ASA will not preempt after your main Internet connection is up again. This would only happen after the ADSL Internet connection goes down.
A solution to that would be to assign two different public IP addresses on two different interfaces of the ASA. Then you attach two crypto maps to both interfaces and, by using sla monitor (let's say icmp to the main router; if it does not respond then you change routing for the remote LAN to the second interface), you select which crypto map (with one peer this time) should be used.
I hope what I wrote makes some sense. -
Cisco E900 ports 1990/tcp and 5916/tcp open on the LAN. Cannot close them.
Hello,
I just bought a Cisco Linksys E900 wireless router. Can someone explain to me why the router (192.168.1.1 in my case) has ports 1990/tcp and 5916/tcp open on the LAN?? I cannot find a way to close those ports.
Just do a simple:
telnet 192.168.1.1 1990
or
telnet 192.168.1.1 5916
and you'll see those ports are open.
1990/tcp = Cisco STUN Priority 1 port
5916/tcp = I have no idea
Every client on the LAN (wired and wireless) can connect to those ports on the router. I do not want that to happen. It is unnecessary and it is just not secure. I only want the router to have port 443 open on the LAN for the web mgmt interface. I do not want any other unnecessary port open.
It would be great to have a response from Cisco directly.
Thank you for your time.
JohnT66 wrote:
Thank you for your response.
The router is already updated to the latest firmware (1.0.04 Build 1).
I had to do the update as soon as I opened the box because the default firmware had an incredibly serious bug: after setting up the web management interface on the LAN to work over SSL, it was impossible to access the interface because of an SSL bug in the router. The bug is in the release notes of the firmware... that alone says a lot about the very very poor quality of this router.. you can't have that kind of bug in a finished product....
I was able to close port 1990/tcp by disabling WPS in the router, although doing so was pure luck since the router's UI is terrible..
5916/tcp is still open.. since I was able to close 1990/tcp I don't think this is a defective router.. I cannot return a router to the store just because it leaves a port open, the store, sadly, will not take it back... so please Cisco, can you help with this? this product is faulty, it doesn't work as expected, it's your responsibility.. please help
Reset the router manually then reconfigure the settings. -
Cisco 4402 Guest lan and product lan DHCP assignment
I'm currently setting up a wireless LAN with a Cisco 4402 Wireless LAN Controller and 1 Cisco 1242AG Access Point.
All the devices include:
Cisco catalyst 6505
Cisco 4402
D-Link broadband router
Connection between them:
6505 trunking with 4402 (dot1q and trunk vlan 1 and vlan 3, but I found that all VLANs on the 6506 will trunk together); vlan 1 is the production LAN while vlan 3 is the Guest LAN.
6505 vlan 3 is connecting to D-Link broadband router as a guest lan
both vlan 1 and vlan 3 have DHCP server for production PC and guest notebook respectively.
On the 4402, I have two interfaces and 2 WLANs: one interface for the production LAN pointing to the production DHCP server address and the other interface for the guest LAN, which points to the guest LAN DHCP server.
When a notebook connects to the guest LAN, it is assigned an address from the guest DHCP server, while connecting to the production LAN, a production IP was assigned last week. But things changed w/o changing the structure: when I connect to the guest LAN SSID, the IP is supposed to be assigned by the Guest LAN DHCP, but it failed and the notebook got an IP address from the production LAN.
Is it the trunking that makes all those VLANs "mixed", so it gets an IP from the DHCP server with the faster response time?
How can I make sure that when I connect to the guest LAN, the IP will be assigned from the Guest LAN DHCP server and vice versa?
Many thanks!
Here is the URL for the Cisco Guest Access Using the Cisco Wireless LAN Controller which will help you:
http://www.cisco.com/en/US/docs/wireless/technology/guest_access/technical/reference/4.0/GAccess.html -
For the last few days HTTP and HTTPS connections on one computer on my LAN usually time out or fail to load completely. This also affects Internet Explorer on the same machine, but email, FTP, etc. seem to be working normally. The URLs that do not load in the browsers ping normally, and load normally on another machine on the same LAN. Running Firefox in Safe Mode does not help.
A possible cause is security software (firewall) that blocks or restricts Firefox without informing you about that, possibly after detecting changes (update) to the Firefox program.
Remove all rules for Firefox from the permissions list in the firewall and let your firewall ask again for permission to get full unrestricted access to internet for Firefox.
See [[Server not found]] and [[Firewalls]] and http://kb.mozillazine.org/Firewalls -
Share iTunes library between Leopard and Vista, over LAN
Hi,
I would like to share my iTunes library on my Mac, so that our other Vista computer can access it.
I have ticked 'Look for shared libraries' on both the Mac and PC. We use a LAN setup with a firewalled router. I am able to access the Mac's public folder from the Vista PC and vice versa.
Except, the Mac library is not present in iTunes on PC. I used the latest iTunes on both computers.
Is there something that I am missing, maybe a port that I have to forward or anything else? Also, do I have to enable another kind of sharing on the Mac, except Sharing in iTunes?
Can someone please give me some advice?
Regards
Just for your info, Vista ***** whatever you try to do. I'm stuck with Vista on a pre-installed laptop. All experience I have from Vista is bad, don't buy Vista or a computer with preinstalled Vista if you can avoid it.
We have three computers in a home network, one Macbook Pro, one PC with Windows XP, and the Vista laptop. All are using iTunes-8, downloaded and installed last week.
Sharing iTunes libraries using the option to share libraries on a local network works fine between Mac and Windows-XP. The sharing also works fine between the XP and the Vista PC.
But the Vista PC can't access the Mac iTunes library. When trying to open the Mac library, iTunes on the Vista computer says something like "Fetching library info from...". It's the same problem when trying to access the Vista library from the Mac.
We had a similar problem when trying to access shared folders on the local network. Thanks to a tip on this forum how to tweak the Vista registry, the shared folder problem was solved.
I think some registry setting in Vista might solve the iTunes shared library problems. Maybe some Windows freak knows how to patch the registry to solve this issue.
Otherwise the solution is to trash Vista, and install Windows-XP. -
LAN Lite, LAN Base, IP Base, and IP Service Image of Switching.
Dear all,
Please kindly help me: what is the difference between LAN Lite, LAN Base, IP Base, and IP Services images for switching?
Hope to see all of your feedback soon. Thanks!
KIND Regards,
Siren
Here is a white paper on the difference between LAN base, IP base and IP services. Note that LAN lite switches have different hardware and can't be upgraded to a more capable image.
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps6406/white_paper_c11-579326_ps10745_Products_White_Paper.html
This paper compares LAN lite vs LAN base for 2960:
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps6406/prod_presentation_c97-494780.pdf
Daniel Dib
CCIE #37149 -
CWWLSE-1030-K9 Cisco WLSE Wireless LAN Solution EE 2.13 with AP 1242
Dear all, my customer has CWWLSE-1030-K9 Cisco WLSE Wireless LAN Solution EE 2.13 with 12 AP1242 (a/b/g) Radio 802.11g in place. Now he will buy additional APs; what type of AP can I use, because AP 12xx is EOS?
Hello Dirk,
AP 1200 is EOS, and customers were encouraged to migrate to 1240 Series (which is also EOS now)
http://www.cisco.com/c/en/us/products/collateral/wireless/aironet-1200-series/eol_c51-506611.html
Therefore it is recommended to migrate to Cisco Aironet 1600 or Cisco Aironet 2600 Series.
http://www.cisco.com/c/en/us/products/collateral/collaboration-endpoints/unified-ip-phone-7900-series/end_of_life_notice_c51-726425.html -
Software Version Upgrade for Cisco 4402 Wireless Lan Controller
Hi,
We have Cisco 4402 Wireless Lan Controller with Software Version 3.2.171.6 and we want to upgrade it to latest version.
So can anyone please let me know the latest version to upgrade the WLC?
Also since WLC is running on very lower version is it possible to upgrade to the latest version directly or we have to move it step by step to upgrade this to latest version?
Thanks
Take a look at the compatibility matrix below:
http://www.cisco.com/en/US/docs/wireless/controller/5500/tech_notes/Wireless_Software_Compatibility_Matrix.html
7.0.235 is the latest that you can go to:
http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn7_0_235_0.html
The release notes outline the upgrade process.
"Upgrade to 4.0.206.0 or later 4.0 release, then upgrade to 4.2.176.0, before upgrading to 7.0.235.0." -
How to replace the certificate of Cisco 2106 wireless LAN controller for CAPWAP ?
I am interested in the CAPWAP feature and I downloaded the open capwap project to make an Access Controller (AC) and Wireless Terminal Point (WTP). I built the AC, which used a PC, and the WTP, which used an Atheros AP. The CAPWAP feature worked well when I enabled CAPWAP using my own AC and WTP. When I got the Cisco 2106 wireless LAN controller (Cisco WLC), I configured the Cisco WLC instead of my own AC, but I got an authorization failure on the Cisco WLC side. It seems the Cisco WLC could not recognize the CAPWAP message sent from my own WTP. I think this issue just needs the certificate to be synchronized between the Cisco WLC and the WTP. So I need to replace the Cisco WLC's certificate manually. Does anyone know how to replace the certificate manually on the Cisco WLC?
Best Regards,
Alan
Unfortunately this Support Community is for Cisco Small Business & Small Business Pro product offerings. The WLC2106 is a traditional Cisco product. You can find this type of support on the Cisco NetPro Forum for all traditional Cisco products.
Best Regards,
Glenn -
Pix 501 IPSec VPN no LAN access and no ping
Hello,
I am attempting to setup an IPSec VPN in a basic small business scenario. I am able to connect to my pix 501 via IPSec VPN and browse the internet but I am unable to ping or connect to any devices in the remote LAN. Here is my config
show config:
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxx encrypted
passwd xxxxxx encrypted
hostname pixfirewall
domain-name domain.local
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 195.7.x.x BLR-Quadria
name 176.76.1.0 LAN-CEPIC
name 176.76.1.40 ADMIN
name 176.76.1.253 SRV-Linux
name 212.234.98.224 ADSL-Quadria
name 81.80.252.129 sylob
name 176.76.1.33 poste-pcanywhere
name 176.76.1.179 TEST
name 10.1.1.0 VPN_CLIENT
name 176.76.1.100 SRVSVG01
name 176.76.1.116 SRV-ERP01
name 176.76.1.50 SRV-ERP00
object-group network WAN-Quadria
network-object BLR-Quadria 255.255.255.248
network-object ADSL-Quadria 255.255.255.248
object-group network SRV-CEPIC
network-object SRV-Linux 255.255.255.255
network-object ADMIN 255.255.255.255
network-object SRVSVG01 255.255.255.255
network-object SRV-ERP00 255.255.255.255
network-object SRV-ERP01 255.255.255.255
object-group service TCP-Linux-Quadria tcp
port-object eq 1812
port-object eq 222
port-object eq 10000
object-group service TCP-TSE-Quadria tcp
port-object eq 3389
object-group service PCAnywhereUDP udp
port-object range pcanywhere-status pcanywhere-status
access-list outside_access_in permit tcp object-group WAN-Quadria host 195.7.x.x object-group TCP-Linux-Quadria
access-list outside_access_in permit tcp object-group WAN-Quadria interface outside object-group TCP-TSE-Quadria
access-list outside_access_in permit tcp any host 195.7.x.x eq pcanywhere-data
access-list outside_access_in permit udp any host 195.7.x.x object-group PCAnywhereUDP
access-list outside_access_in permit tcp any host 195.7.x.x eq smtp
access-list inside_outbound_nat0_acl permit ip LAN-CEPIC 255.255.255.0 VPN_CLIENT 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any VPN_CLIENT 255.255.255.224
access-list inside_access_in permit icmp LAN-CEPIC 255.255.255.0 any
access-list inside_access_in permit ip VPN_CLIENT 255.255.255.0 any
access-list CEPIC_VPN_CLIENT_splitTunnelAcl permit ip LAN-CEPIC 255.255.255.0 any
access-list outside_cryptomap_dyn_40 permit ip any VPN_CLIENT 255.255.255.224
pager lines 24
logging on
logging console debugging
logging buffered debugging
logging trap debugging
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 176.76.1.254 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name attaque attack action alarm drop reset
ip audit name info info action alarm drop reset
ip audit interface outside info
ip audit interface outside attaque
ip audit interface inside info
ip audit interface inside attaque
ip audit info action alarm
ip audit attack action alarm
ip audit signature 2000 disable
ip audit signature 2003 disable
ip local pool VPN_POOL 10.1.1.10-10.1.1.20
pdm location ADMIN 255.255.255.255 inside
pdm location SRV-Linux 255.255.255.255 inside
pdm location BLR-Quadria 255.255.255.248 outside
pdm location ADSL-Quadria 255.255.255.248 outside
pdm location LAN-CEPIC 255.255.255.0 inside
pdm location poste-pcanywhere 255.255.255.255 inside
pdm location sylob 255.255.255.255 outside
pdm location TEST 255.255.255.255 inside
pdm location 10.10.10.0 255.255.255.224 outside
pdm location VPN_CLIENT 255.255.255.0 inside
pdm location VPN_CLIENT 255.255.255.224 outside
pdm location SRVSVG01 255.255.255.255 inside
pdm location SRV-ERP00 255.255.255.255 inside
pdm location SRV-ERP01 255.255.255.255 inside
pdm group WAN-Quadria outside
pdm group SRV-CEPIC inside
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 195.7.x.x 81 SRV-Linux www netmask 255.255.255.255 0 0
static (inside,outside) tcp 195.7.x.x 222 SRV-Linux ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp 195.7.x.x 10000 SRV-Linux 10000 netmask 255.255.255.255 0 0
static (inside,outside) tcp 195.7.x.x 1812 SRV-Linux 1812 netmask 255.255.255.255 0 0
static (inside,outside) tcp 195.7.x.x 3389 ADMIN 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 195.7.x.x smtp SRV-Linux smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 195.7.x.x pcanywhere-data poste-pcanywhere pcanywhere-data netmask 255.255.255.255 0 0
static (inside,outside) udp 195.7.x.x pcanywhere-status poste-pcanywhere pcanywhere-status netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
ntp server 193.55.130.2 source inside
ntp server 80.67.179.98 source outside
ntp server 194.2.0.28 source outside prefer
http server enable
http BLR-Quadria 255.255.255.248 outside
http ADSL-Quadria 255.255.255.248 outside
http ADMIN 255.255.255.255 inside
http LAN-CEPIC 255.255.255.0 inside
snmp-server host inside SRV-Linux
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt noproxyarp outside
sysopt noproxyarp inside
service resetinbound
service resetoutside
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup CEPIC_VPN_CLIENT address-pool VPN_POOL
vpngroup CEPIC_VPN_CLIENT dns-server 176.76.1.2 ADMIN
vpngroup CEPIC_VPN_CLIENT wins-server ADMIN
vpngroup CEPIC_VPN_CLIENT default-domain domain.local
vpngroup CEPIC_VPN_CLIENT split-tunnel CEPIC_VPN_CLIENT_splitTunnelAcl
vpngroup CEPIC_VPN_CLIENT idle-time 1800
vpngroup CEPIC_VPN_CLIENT password ********
telnet timeout 5
ssh BLR-Quadria 255.255.255.248 outside
ssh ADSL-Quadria 255.255.255.248 outside
ssh LAN-CEPIC 255.255.255.0 inside
ssh timeout 5
management-access inside
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname xxxxx
vpdn group pppoe_group ppp authentication chap
vpdn username xxxx password xxxxx store-local
username vg_vpn password xxxxx encrypted privilege 3
username test password xxxxxx encrypted privilege 3
username quadria password xxxxx encrypted privilege 15
username jml_vpn password xxxxx encrypted privilege 3
username jr_vpn password xxxxx encrypted privilege 3
username js_vpn password xxxxx encrypted privilege 3
privilege show level 0 command version
privilege show level 0 command curpriv
privilege show level 3 command pdm
privilege show level 3 command blocks
privilege show level 3 command ssh
privilege configure level 3 command who
privilege show level 3 command isakmp
privilege show level 3 command ipsec
privilege show level 3 command vpdn
privilege show level 3 command local-host
privilege show level 3 command interface
privilege show level 3 command ip
privilege configure level 3 command ping
privilege show level 3 command uauth
privilege configure level 5 mode enable command configure
privilege show level 5 command running-config
privilege show level 5 command privilege
privilege show level 5 command clock
privilege show level 5 command ntp
privilege show level 5 mode configure command logging
privilege show level 5 command fragment
terminal width 80
Cryptochecksum:
I know this is a basic question but I would really appreciate the help!
Thanks so much,
Hi,
You could try to change the Split Tunnel ACL to Standard ACL
First removing it from the VPN configuration and then removing the ACL and creating it as Standard type ACL
Current
access-list CEPIC_VPN_CLIENT_splitTunnelAcl permit ip LAN-CEPIC 255.255.255.0 any
New
access-list CEPIC_VPN_CLIENT_splitTunnelAcl standard permit LAN-CEPIC 255.255.255.0
You could also try adding
fixup protocol icmp
fixup protocol icmp error
Have you monitored the logs while you are attempting to connect to the LAN network?
- Jouni -
I'm not exactly sure which forum heading this should go under, so if this isn't correct please let me know or move it on my behalf.
So I am trying to set up Internet Based Client Management in SCCM 2012 R2 and have come across a few articles on how to do so. I think I have mostly gotten it to work but I seem to be having a client issue when deploying new machines. My already deployed servers seem to have picked up the PKI setting no problem. In the past when I would deploy a new Windows client everything would be fine. When I converted over to PKI in my test environment I am now having issues when I go to deploy a new Windows client. I don't get all of the Actions listed in the Configuration Manager control panel. All I have are Discovery Data Collection, Machine Policy Retrieval and Eval, User Policy Retrieval and Eval, and Windows Installer Source list Update Cycles; before, all of them would populate no problem. I have let this machine sit here for several hours and nothing has changed yet. It does say PKI for client certificate. Sometimes when I would deploy new machines it would say NONE for Client certificate. In my production environment it says self-signed. I have found if I uninstall the client and re-install the client it does populate all of the cycles, but I don't understand why it is not working on deployment.
Ok so maybe it is not all the time that when I reinstall the client it fixes it. I just did an uninstall and reinstall on a test client and all it has under actions are machine and user policy cycles.
Does anyone have any ideas?
Hi,
I think the SCCM client was installed before the GPO applied, so you don't have a certificate available when it is required.
You can export and import the certificate by using MDT integration, try this blog for PKI part:
How To: Build and Capture in Configuration Manager 2012 using HTTPS
And in addition, you can upload the log to your onedrive so you can share with us.
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected] -
E3000 questions. Cisco Connect with https and turn off wireless?
My old router died this weekend after 10 years and I have been wanting to get a faster router for a while anyways.
I picked up a E3000 and set it up yesterday.
The firmware is 1.0.03
I have two main questions
I changed the router settings so you can only browser manage the router through https and turned off http access to the router.
Cisco Connect now doesn't work. Will Cisco Connect work with HTTPS? Do I have to do something to get it to work?
I also didn't see a version number on Cisco Connect am I just not noticing it?
I'd really like to shut off wireless on most days when I'm not home. I want the router to still be working since my desktop computers are directly connected to the router and I remote into them. Is there an easy way to shutoff the wireless and then easily turn it back on when I get home?
thanks
mike
Mine works the same. It's probably designed that way for the manual way of logging into the setup page of the router.
No, it seems no updates yet or see the need to have one.
No, it doesn't have that option unfortunately.
"The war between heaven and hell depends on the choices we make, and those choices require sacrifice. That's the test" -
Hey, just wanted to know what is the reason I would connect my external hard drive to the Extreme, and what is the difference between LAN and WAN ethernet. I know one is local and the other is wide, but can someone explain in simpler terms?
Connecting a hard drive to the Airport Extreme makes it available to be shared across all the computers on your network.
WAN (Wide Area Network) is your connection to the internet
LAN (Local Area Network) is your internal (or local) ethernet connections (computers, printers, etc...)
AirPort Base Station: About the WAN and LAN Ports -
Performance problems with DFSN, ABE and SMB
Hello,
We have identified a problem with DFS-Namespace (DFSN), Access Based Enumeration (ABE) and SMB File Service.
Currently we have two Windows Server 2008 R2 servers providing the domain-based DFSN in functional level Windows Server 2008 R2 with activated ABE.
The DFSN servers have the most current hotfixes for DFSN and SMB installed, according to http://support.microsoft.com/kb/968429/en-us and http://support.microsoft.com/kb/2473205/en-us
We have only one AD-site and don't use DFS-Replication.
Servers have 2 Intel X5550 4 Core CPUs and 32 GB Ram.
Network is a LAN.
Our DFSN looks like this:
\\contoso.com\home
Contains 10.000 Links
Drive mapping on clients to subfolder \\contoso.com\home\username
\\contoso.com\group
Contains 2500 Links
Drive mapping on clients directly to \\contoso.com\group
On \\contoso.com\group we serve different folders for teams, projects and other groups with different access permissions based on AD groups.
We have to use ABE, so that users see only accessible Links (folders)
We encounter sometimes multiple times a day enterprise-wide performance problems for 30 seconds when accessing our Namespaces.
After six weeks of researching and analyzing we were able to identify the exact problem.
Administrators create a new DFS-Link in our Namespace \\contoso.com\group with correct permissions using the following command line:
dfsutil.exe link \\contoso.com\group\project123 \\fileserver1\share\project123
dfsutil.exe property sd grant \\contoso.com\group\project123 CONTOSO\group-project123:RX protect replace
This is done a few times a day.
There is no possibility to create the folder and set the permissions in one step.
DFSN process on our DFSN-servers create the new link and the corresponding folder in C:\DFSRoots.
At this time, we have for example 2000+ clients having an active session to the root of the namespace \\contoso.com\group.
Active session means a Windows Explorer opened to the mapped drive or to any subfolder.
The file server process (Lanmanserver) sends a change notification (SMB-Protocol) to each client with an active session \\contoso.com\group.
All the clients which were getting the notification now start to refresh the folder listing of \\contoso.com\group
This was identified by an network trace on our DFSN-servers and different clients.
Due to ABE the servers have to compute the folder listing for each request.
The DFS service on the servers doesn't respond for probably 30 seconds to any additional requests. CPU usage increases significantly over this period and goes back to normal afterwards; on our hardware from about 5% to 50%.
Users can't access all DFS-Namespaces during this time and applications using data from DFS-Namespace stop responding.
Side effect: Windows reports on clients a slow-link detection for \\contoso.com\home, which can be offline available for users (described here for WAN-connections: http://blogs.technet.com/b/askds/archive/2011/12/14/slow-link-with-windows-7-and-dfs-namespaces.aspx)
The problem doesn't occur when creating a link in \\contoso.com\home, because users only have a mapping to subfolders.
Currently, the problem also doesn't occur for \\contoso.com\app, because users usually don't use Windows Explorer to access this mapping.
Disabling ABE reduces the DFSN freeze time, but doesn't solve the problem.
Problem also occurs with Windows Server 2012 R2 as DFSN-server.
There is a registry key available for clients to avoid the response to the change notification (NoRemoteChangeNotify, see http://support.microsoft.com/kb/812669/en-us).
This might fix the problem with DFSN, but results in other problems for the users. For example, they have to press F5 for refreshing every remote directory on change.
Is there a possibility to disable the SMB change notification on server side ?
TIA and regards,
Ralf Gaudes
Hi,
Thanks for posting in Microsoft Technet Forums.
I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.
Thank you for your understanding and support.
Regards.
We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time.
Thanks for helping make community forums a great place.