HTTP and SMB over Cisco LAN-to-LAN IPSec-VPN

We are connecting a Cisco 887VA router with various other non-Cisco routers.
VPN tunnels are up and we can ping devices on the remote network through the VPN.
However, we have a few devices (on the Cisco LAN) that provide a web interface (NAS etc.) and these are not accessible over the VPN; the connection seems to just hang as if it's waiting for a response, but it never gets one and eventually the browser times out.
Strangely, if I request a page that does not exist from the NAS (e.g. http://192.168.3.x/test) I will receive a 404 error, so it is kind of working.
Similar problems with SMB: if I access \\192.168.3.x I can list the content (4 items), but if I go into one of those folders (containing 10+ items) it hangs and eventually gives up.
I have tried adjusting MTU and MSS with no change.
Any ideas? Because I'm running out of hair.
My config is attached; it is most likely a mess as this is my first Cisco device, so please go easy.
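One well-known producer of exactly this symptom pattern (small replies such as a 404 get through, large replies never complete) is oversized packets being dropped on the tunnel path, because ESP adds its own headers on top of every packet the LAN hosts send. As an added example that is not part of the original thread, the Python below computes the ESP tunnel-mode overhead for the esp-aes esp-sha-hmac transform (AES-CBC with a 16-byte IV and block, HMAC-SHA1-96 with a 12-byte ICV, per RFC 4303, RFC 3602 and RFC 2404) and the largest TCP MSS that still fits the WAN MTU without fragmentation; the 1500 and 1492 byte MTUs and the MSS candidates are assumed values, not the poster's.

```python
import math

# Header sizes in bytes. Sources: RFC 4303 (ESP framing), RFC 3602 (AES-CBC:
# 16-byte IV and 16-byte block), RFC 2404 (HMAC-SHA1-96: 12-byte ICV).
# In tunnel mode the whole inner IP packet is the ESP payload, so the inner
# IP header counts towards what gets padded and encrypted.
OUTER_IP_HDR = 20
ESP_SPI_SEQ = 8        # 4-byte SPI + 4-byte sequence number
ESP_TRAILER = 2        # pad-length + next-header bytes
INNER_IP_HDR = 20
TCP_HDR = 20


def esp_tunnel_size(inner_len, iv_len=16, block=16, icv_len=12):
    """On-the-wire size of an ESP tunnel-mode packet carrying an inner IP
    packet of inner_len bytes. Defaults match esp-aes esp-sha-hmac."""
    # Payload plus trailer is padded up to a multiple of the cipher block size.
    padded = math.ceil((inner_len + ESP_TRAILER) / block) * block
    return OUTER_IP_HDR + ESP_SPI_SEQ + iv_len + padded + icv_len


def tcp_segment_fits(mss, wan_mtu=1500, **esp):
    """True if a full-size TCP segment with this MSS survives ESP encapsulation
    without exceeding the WAN MTU (no fragmentation, no PMTUD black hole)."""
    return esp_tunnel_size(INNER_IP_HDR + TCP_HDR + mss, **esp) <= wan_mtu


def max_mss(wan_mtu=1500, **esp):
    """Largest MSS that fits: the value to clamp on the LAN-facing interface.
    Assumed transform: AES-CBC + HMAC-SHA1-96 (the page's esp-aes esp-sha-hmac)."""
    mss = wan_mtu - INNER_IP_HDR - TCP_HDR
    while mss > 0 and not tcp_segment_fits(mss, wan_mtu, **esp):
        mss -= 1
    return mss


def overhead_table(wan_mtu=1500):
    """Worked rows for a few common MSS guesses (assumed values) showing
    which of them still fragment after ESP encapsulation."""
    rows = []
    for mss in (1460, 1400, 1398, 1360):
        size = esp_tunnel_size(INNER_IP_HDR + TCP_HDR + mss)
        rows.append((mss, size, size <= wan_mtu))
    return rows


if __name__ == "__main__":
    for mss, size, ok in overhead_table():
        print(f"MSS {mss}: ESP packet {size} bytes -> {'fits' if ok else 'FRAGMENTS'}")
    print("largest MSS on a 1500-byte WAN MTU:", max_mss(1500))
    print("largest MSS on a 1492-byte PPPoE MTU:", max_mss(1492))
```

Running it shows that an MSS of 1400 still produces a 1512-byte ESP packet on a 1500-byte link, while 1398 (or the usual conservative 1360) fits, and that a PPPoE link with a 1492-byte MTU needs 1382 or less; on IOS the clamp is applied with ip tcp adjust-mss on the LAN-facing interface, and the computation only covers TCP, so an SMB or HTTP transfer that still stalls after clamping points at something other than segment size.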

Hi,
I can get you an example VPN config (Cisco 1841) that works:
//192.168.49.0 INSIDE IP | 192.168.0.0/16 and 172.20.0.0/24 RemoteSite IP
access-list 102 permit ip 192.168.49.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 102 permit ip 192.168.49.0 0.0.0.255 172.20.0.0 0.0.0.255
access-list 150 deny   ip 192.168.49.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 150 deny   ip 192.168.49.0 0.0.0.255 172.20.0.0 0.0.0.255
access-list 150 permit ip 192.168.49.0 0.0.0.255 any
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key CRYPTOKEYHERE address REMOTEWANIP
crypto isakmp keepalive 30
crypto ipsec transform-set SETNAME esp-aes esp-sha-hmac
crypto map B2B 10 ipsec-isakmp
description b2b-fw
set peer PEERWANIP
set security-association lifetime seconds 86400
set transform-set SETNAME
match address 102
interface FastEthernet0/0
description wan_primary
crypto map B2B
ip nat outside
interface FastEthernet0/1
ip nat inside
route-map nonat permit 10
match ip address 150
ip nat inside source route-map nonat interface FastEthernet0/0 overload
Regards
Markus

Similar Messages

  • Remote site redundancy IPSEC VPN between 2911 and ASA

    We already have IPSEC VPN connectivity established between sites but would like to introduce some resilience/redundancy at a remote site.
    Site A has an ASA with one internet circuit.
    Site B has a Cisco 2911 with one internet circuit and we have established site-to-site IPSEC VPN connectivity between the 2911 and the ASA.
    Prior to getting the new internet circuit, Site B had a Cisco 877 with an ADSL line which are still available but aren’t currently in use.
    The internet circuit at Site B has dropped a few times recently so we would like to make use of the ADSL circuit (and potentially the 877 router too) as a backup.
    What is the best way of achieving this?
    We thought about running HSRP between the 877 and 2911 routers at Site B and, in the event of a failure of the router or internet circuit, traffic would failover to the 877 and ADSL.
    However, how would Site A detect the failure? Can we simply rely on Dead Peer Detection and list the public IP address of the internet circuit at Site B first with the public IP address used on the ADSL line second in the list on the ASA? What would happen in a failover scenario and, just as important, when service was restored – I’m not sure DPD would handle that aspect correctly?
    I’ve read briefly elsewhere that GRE might be best to use in this scenario – but I can’t use GRE on the ASA. I have an L3 switch behind the ASA which I may be able to make use of? But I don’t want to disrupt the existing IPSEC VPN connectivity already established between the ASA and the 2911.   Can I keep IPSEC between the ASA and 2911 but then run GRE between the L3 switch and the 2911? If so, how would this best be achieved?  And how could I also introduce the 877 and ADSL line into things to achieve the neccessary redundancy?
    Any help/advice would be appreciated!

    Hello,
    I don't think a GRE tunnel that you could set up on the switch behind the ASA would be really helpful. You still want to establish a site-to-site tunnel between the ASA and some routers, but it is still the ASA which needs to make the decision about which peer to connect to.
    A possible solution would be to do HSRP between both routers on the LAN side, with two independent tunnels/crypto maps (one on each of them). On the ASA you would need to set up two hosts in set peer. The problem with this solution is that if one router at site B goes down and the second ADSL line takes over, the ASA will not preempt after your main Internet connection is up again. This would only happen after the ADSL Internet connection goes down.
    The solution to that would be to assign two different public IP addresses to two different interfaces of the ASA. Then you attach two crypto maps to both interfaces and, by using sla monitor (let's say ICMP to the main router; if it does not respond, you change the routing for the remote LAN to the second interface), you select which crypto map (with one peer this time) should be used.
    I hope what I wrote makes some sense.

  • Cisco E900 ports 1990/tcp and 5916/tcp open on the LAN. Cannot close them.

    Hello,
    I just bought a Cisco Linksys E900 wireless router. Can someone explain to me why the router (192.168.1.1 in my case) has ports 1990/tcp and 5916/tcp open on the LAN? I cannot find a way to close those ports.
    Just do a simple:
    telnet 192.168.1.1 1990
    or
    telnet 192.168.1.1 5916
    and you'll see those ports are open.
    1990/tcp = Cisco STUN Priority 1 port
    5916/tcp = I have no idea
    Every client on the LAN (wired and wireless) can connect to those ports on the router. I do not want that to happen. It is unnecessary and it is just not secure. I only want the router to have port 443 open on the LAN for the web mgmt interface. I do not want any other unnecessary port open.
    It would be great to have a response from Cisco directly.
    Thank you for your time.

    JohnT66 wrote:
    Thank you for your response.
    The router is already updated to the latest firmware (1.0.04 Build 1).
    I had to do the update as soon as I opened the box because the default firmware had an incredibly serious bug: after setting up the web management interface on the LAN to work over SSL, it was impossible to access the interface because of an SSL bug in the router. The bug is in the release notes of the firmware... that alone says a lot about the very very poor quality of this router.. you can't have that kind of bug in a finished product....
    I was able to close port 1990/tcp by disabling WPS in the router, although doing so was pure luck since the router's UI is terrible..
    5916/tcp is still open.. since I was able to close 1990/tcp I don't think this is a defective router.. I cannot return a router to the store just because it leaves a port open, the store, sadly, will not take it back... so please Cisco, can you help with this? this product is faulty, it doesn't work as expected, it's your responsibility.. please help
    Reset the router manually then reconfigure the settings.

  • Cisco 4402 Guest lan and product lan DHCP assignment

    I'm currently setting up a wireless LAN with a Cisco 4402 Wireless LAN Controller and 1 Cisco 1242AG access point.
    All the devices include:
    Cisco catalyst 6505
    Cisco 4402
    D-Link broadband router
    Connection between them:
    6505 trunking with 4402 (dot1q and trunk vlan 1 and vlan 3, but I found that all VLANs on the 6506 will trunk together; wlan 1 is the production LAN while vlan 3 is the guest LAN)
    6505 vlan 3 is connected to the D-Link broadband router as a guest LAN
    both vlan 1 and vlan 3 have a DHCP server, for production PCs and guest notebooks respectively.
    On the 4402, I have two interfaces and 2 WLANs: one interface for the production LAN pointing DHCP to the production DHCP server address, and the other interface for the guest LAN, pointing to the guest LAN DHCP server.
    When a notebook connects to the guest LAN, it is assigned an address from the guest DHCP server, and when connecting to the production LAN, a production IP is assigned; that was the case last week. But things changed without changing the structure: when I connect to the guest LAN SSID, the IP is supposed to be assigned by the guest LAN DHCP, but it failed, and the notebook got an IP address from the production LAN.
    Is it the trunking that makes all those VLANs "mixed", so that clients get an IP from the DHCP server with the faster response time?
    How can I make sure that when I connect to the guest LAN, the IP will be assigned from the guest LAN DHCP server, and vice versa?
    Many thanks!

    Here is the URL for the Cisco Guest Access Using the Cisco Wireless LAN Controller which will help you :
    http://www.cisco.com/en/US/docs/wireless/technology/guest_access/technical/reference/4.0/GAccess.html

  • HTTP and HTTPS connections time out--only one computer on the LAN has this problem. Also affects Internet Explorer

    For the last few days HTTP and HTTPS connections on one computer on my LAN usually time out or fail to load completely. This also affects Internet Explorer on the same machine, but email, FTP, etc. seem to be working normally. The URLs that do not load in the browsers ping normally, and load normally on another machine on the same LAN. Running Firefox in Safe Mode does not help.

    A possible cause is security software (firewall) that blocks or restricts Firefox without informing you about that, possibly after detecting changes (update) to the Firefox program.
    Remove all rules for Firefox from the permissions list in the firewall and let your firewall ask again for permission to get full unrestricted access to internet for Firefox.
    See [[Server not found]] and [[Firewalls]] and http://kb.mozillazine.org/Firewalls

  • Share iTunes library between Leopard and Vista, over LAN

    Hi,
    I would like to share my iTunes library on my Mac, so that our other Vista computer can access it.
    I have ticked 'Look for shared libraries' on both the Mac and PC. We use a LAN setup with a firewalled router. I am able to access the Mac's public folder from the Vista PC and vice versa.
    Except, the Mac library is not present in iTunes on PC. I used the latest iTunes on both computers.
    Is there something that I am missing, maybe a port that I have to forward or anything else? Also, do I have to enable another kind of sharing on the Mac, except Sharing in iTunes?
    Can someone please give me some advice?
    Regards

    Just for your info, Vista ***** whatever you try to do. I'm stuck with Vista on a pre-installed laptop. All experience I have from Vista is bad, don't buy Vista or a computer with preinstalled Vista if you can avoid it.
    We have three computers in a home network, one Macbook Pro, one PC with Windows XP, and the Vista laptop. All are using iTunes-8, downloaded and installed last week.
    Sharing iTunes libraries using the option to share libraries on a local network works fine between Mac and Windows-XP. The sharing also works fine between the XP and the Vista PC.
    But the Vista PC can't access the Mac iTunes library. When trying to open the Mac library, iTunes on the Vista computer says something like "Fetching library info from...". It's the same problem when trying to access the Vista library from the Mac.
    We had a similar problem when trying to access shared folders on the local network. Thanks to a tip on this forum how to tweak the Vista registry, the shared folder problem was solved.
    I'm think some registry setting in Vista might solve iTunes shared library problems. Maybe some Windows freak knows how to patch the registry to solve this issue.
    Otherwise the solution is to trash Vista, and install Windows-XP.

  • LAN Lite, LAN Base, IP Base, and IP Service Image of Switching.

    Dear all,
    Please kindly help me understand what the difference is between the LAN Lite, LAN Base, IP Base, and IP Services images for switching.
    Hope to see all of your feedback soon. Thanks!
    KIND Regards,
    Siren

    Here is a white paper on difference between LAN base, IP base and IP services. Note that LAN lite switches have different hardware and can't be upgraded to a more capable image.
    http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps6406/white_paper_c11-579326_ps10745_Products_White_Paper.html
    This paper compares LAN lite vs LAN base for 2960:
    http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps6406/prod_presentation_c97-494780.pdf
    Daniel Dib
    CCIE #37149

  • CWWLSE-1030-K9 Cisco WLSE Wireless LAN Solution EE 2.13 with AP 1242

    Dear all, my customer has CWWLSE-1030-K9 Cisco WLSE Wireless LAN Solution EE 2.13 with 12 AP1242 (a/b/g) Radio 802.11g in place. Now he will buy additional AP what type of AP can i use because AP 12xx is EOS.

    Hello Dirk,
    AP 1200 is EOS, and customers were encouraged to migrate to 1240 Series (which is also EOS now)
    http://www.cisco.com/c/en/us/products/collateral/wireless/aironet-1200-series/eol_c51-506611.html
    Therefore it is recommended to migrate to Cisco Aironet 1600 or Cisco Aironet 2600 Series.
    http://www.cisco.com/c/en/us/products/collateral/collaboration-endpoints/unified-ip-phone-7900-series/end_of_life_notice_c51-726425.html

  • Software Version Upgrade for Cisco 4402 Wireless Lan Controller

    Hi,
    We have Cisco 4402 Wireless Lan Controller with Software Version 3.2.171.6 and we want to upgrade it to latest version.
    So can anyone please let me know the latest version to upgrade the WLC?
    Also since WLC is running on very lower version is it possible to upgrade to the latest version directly or we have to move it step by step to upgrade this to latest version?
    Thanks

    Take a look at the compatibility matrix below:
    http://www.cisco.com/en/US/docs/wireless/controller/5500/tech_notes/Wireless_Software_Compatibility_Matrix.html
    7.0.235 is the latest that you can go to:
    http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn7_0_235_0.html
    The release notes outline the upgrade process.
    "Upgrade to 4.0.206.0 or later 4.0 release, then upgrade to 4.2.176.0, before upgrading to 7.0.235.0."

  • How to replace the certificate of Cisco 2106 wireless LAN controller for CAPWAP ?

    I am interested in the CAPWAP feature and I downloaded the open CAPWAP project to make an Access Controller (AC) and Wireless Terminal Point (WTP). I built the AC using a PC and the WTP using an Atheros AP. The CAPWAP feature worked well when I enabled CAPWAP with my own AC and WTP. When I got the Cisco 2106 wireless LAN controller (Cisco WLC), I configured the Cisco WLC to replace my own AC, but I got an authorization failure on the Cisco WLC side. It seems the Cisco WLC could not recognize the CAPWAP messages sent from my own WTP. I think this issue just needs the certificate synchronized between the Cisco WLC and the WTP, so I need to replace the Cisco WLC's certificate manually. Does anyone know how to replace the certificate manually on a Cisco WLC?
    Best Regards,
    Alan

    Unfortunately this Support Community is for Cisco Small Business & Small Business Pro product offerings.  The WLC2106 is a traditional Cisco product.  You can find this type of support on the Cisco NetPro Forum for all traditional Cisco products.
    Best Regards,
    Glenn

  • Pix 501 IPSec VPN no LAN access and no ping

    Hello,
    I am attempting to setup an IPSec VPN in a basic small business  scenario. I am able to connect to my pix 501 via IPSec VPN and browse  the internet but I am unable to ping or connect to any devices in the  remote LAN. Here is my config
    show config:
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password xxxxx encrypted
    passwd xxxxxx encrypted
    hostname pixfirewall
    domain-name domain.local
    clock timezone CEST 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 195.7.x.x BLR-Quadria
    name 176.76.1.0 LAN-CEPIC
    name 176.76.1.40 ADMIN
    name 176.76.1.253 SRV-Linux
    name 212.234.98.224 ADSL-Quadria
    name 81.80.252.129 sylob
    name 176.76.1.33 poste-pcanywhere
    name 176.76.1.179 TEST
    name 10.1.1.0 VPN_CLIENT
    name 176.76.1.100 SRVSVG01
    name 176.76.1.116 SRV-ERP01
    name 176.76.1.50 SRV-ERP00
    object-group network WAN-Quadria
      network-object BLR-Quadria 255.255.255.248
      network-object ADSL-Quadria 255.255.255.248
    object-group network SRV-CEPIC
      network-object SRV-Linux 255.255.255.255
      network-object ADMIN 255.255.255.255
      network-object SRVSVG01 255.255.255.255
      network-object SRV-ERP00 255.255.255.255
      network-object SRV-ERP01 255.255.255.255
    object-group service TCP-Linux-Quadria tcp
      port-object eq 1812
      port-object eq 222
      port-object eq 10000
    object-group service TCP-TSE-Quadria tcp
      port-object eq 3389
    object-group service PCAnywhereUDP udp
      port-object range pcanywhere-status pcanywhere-status
    access-list outside_access_in permit tcp object-group WAN-Quadria host 195.7.x.x object-group TCP-Linux-Quadria
    access-list outside_access_in permit tcp object-group WAN-Quadria interface outside object-group TCP-TSE-Quadria
    access-list outside_access_in permit tcp any host 195.7.x.x eq pcanywhere-data
    access-list outside_access_in permit udp any host 195.7.x.x object-group PCAnywhereUDP
    access-list outside_access_in permit tcp any host 195.7.x.x eq smtp
    access-list inside_outbound_nat0_acl permit ip LAN-CEPIC 255.255.255.0 VPN_CLIENT 255.255.255.224
    access-list outside_cryptomap_dyn_20 permit ip any VPN_CLIENT 255.255.255.224
    access-list inside_access_in permit icmp LAN-CEPIC 255.255.255.0 any
    access-list inside_access_in permit ip VPN_CLIENT 255.255.255.0 any
    access-list CEPIC_VPN_CLIENT_splitTunnelAcl permit ip LAN-CEPIC 255.255.255.0 any
    access-list outside_cryptomap_dyn_40 permit ip any VPN_CLIENT 255.255.255.224
    pager lines 24
    logging on
    logging console debugging
    logging buffered debugging
    logging trap debugging
    mtu outside 1500
    mtu inside 1500
    ip address outside pppoe setroute
    ip address inside 176.76.1.254 255.255.255.0
    ip verify reverse-path interface outside
    ip verify reverse-path interface inside
    ip audit name attaque attack action alarm drop reset
    ip audit name info info action alarm drop reset
    ip audit interface outside info
    ip audit interface outside attaque
    ip audit interface inside info
    ip audit interface inside attaque
    ip audit info action alarm
    ip audit attack action alarm
    ip audit signature 2000 disable
    ip audit signature 2003 disable
    ip local pool VPN_POOL 10.1.1.10-10.1.1.20
    pdm location ADMIN 255.255.255.255 inside
    pdm location SRV-Linux 255.255.255.255 inside
    pdm location BLR-Quadria 255.255.255.248 outside
    pdm location ADSL-Quadria 255.255.255.248 outside
    pdm location LAN-CEPIC 255.255.255.0 inside
    pdm location poste-pcanywhere 255.255.255.255 inside
    pdm location sylob 255.255.255.255 outside
    pdm location TEST 255.255.255.255 inside
    pdm location 10.10.10.0 255.255.255.224 outside
    pdm location VPN_CLIENT 255.255.255.0 inside
    pdm location VPN_CLIENT 255.255.255.224 outside
    pdm location SRVSVG01 255.255.255.255 inside
    pdm location SRV-ERP00 255.255.255.255 inside
    pdm location SRV-ERP01 255.255.255.255 inside
    pdm group WAN-Quadria outside
    pdm group SRV-CEPIC inside
    pdm logging debugging 100
    pdm history enable
    arp timeout 14400
    global (outside) 10 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 10 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp 195.7.x.x 81 SRV-Linux www netmask 255.255.255.255 0 0
    static (inside,outside) tcp 195.7.x.x 222 SRV-Linux ssh netmask 255.255.255.255 0 0
    static (inside,outside) tcp 195.7.x.x 10000 SRV-Linux 10000 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 195.7.x.x 1812 SRV-Linux 1812 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 195.7.x.x 3389 ADMIN 3389 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 195.7.x.x smtp SRV-Linux smtp netmask 255.255.255.255 0 0
    static (inside,outside) tcp 195.7.x.x pcanywhere-data poste-pcanywhere pcanywhere-data netmask 255.255.255.255 0 0
    static (inside,outside) udp 195.7.x.x pcanywhere-status poste-pcanywhere pcanywhere-status netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa authentication enable console LOCAL
    aaa authentication http console LOCAL
    aaa authentication serial console LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    aaa authorization command LOCAL
    ntp server 193.55.130.2 source inside
    ntp server 80.67.179.98 source outside
    ntp server 194.2.0.28 source outside prefer
    http server enable
    http BLR-Quadria 255.255.255.248 outside
    http ADSL-Quadria 255.255.255.248 outside
    http ADMIN 255.255.255.255 inside
    http LAN-CEPIC 255.255.255.0 inside
    snmp-server host inside SRV-Linux
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt noproxyarp outside
    sysopt noproxyarp inside
    service resetinbound
    service resetoutside
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
    crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
    crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map client authentication LOCAL
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup CEPIC_VPN_CLIENT address-pool VPN_POOL
    vpngroup CEPIC_VPN_CLIENT dns-server 176.76.1.2 ADMIN
    vpngroup CEPIC_VPN_CLIENT wins-server ADMIN
    vpngroup CEPIC_VPN_CLIENT default-domain domain.local
    vpngroup CEPIC_VPN_CLIENT split-tunnel CEPIC_VPN_CLIENT_splitTunnelAcl
    vpngroup CEPIC_VPN_CLIENT idle-time 1800
    vpngroup CEPIC_VPN_CLIENT password ********
    telnet timeout 5
    ssh BLR-Quadria 255.255.255.248 outside
    ssh ADSL-Quadria 255.255.255.248 outside
    ssh LAN-CEPIC 255.255.255.0 inside
    ssh timeout 5
    management-access inside
    console timeout 0
    vpdn group pppoe_group request dialout pppoe
    vpdn group pppoe_group localname xxxxx
    vpdn group pppoe_group ppp authentication chap
    vpdn username xxxx password xxxxx store-local
    username vg_vpn password xxxxx encrypted privilege 3
    username test password xxxxxx encrypted privilege 3
    username quadria password xxxxx encrypted privilege 15
    username jml_vpn password xxxxx encrypted privilege 3
    username jr_vpn password xxxxx encrypted privilege 3
    username js_vpn password xxxxx encrypted privilege 3
    privilege show level 0 command version
    privilege show level 0 command curpriv
    privilege show level 3 command pdm
    privilege show level 3 command blocks
    privilege show level 3 command ssh
    privilege configure level 3 command who
    privilege show level 3 command isakmp
    privilege show level 3 command ipsec
    privilege show level 3 command vpdn
    privilege show level 3 command local-host
    privilege show level 3 command interface
    privilege show level 3 command ip
    privilege configure level 3 command ping
    privilege show level 3 command uauth
    privilege configure level 5 mode enable command configure
    privilege show level 5 command running-config
    privilege show level 5 command privilege
    privilege show level 5 command clock
    privilege show level 5 command ntp
    privilege show level 5 mode configure command logging
    privilege show level 5 command fragment
    terminal width 80
    Cryptochecksum:
    I know this is a basic question but I would really appreciate the help!
    Thanks so much,

    Hi,
    You could try to change the Split Tunnel ACL to Standard ACL
    First removing it from the VPN configuration and then removing the ACL and creating it as Standard type ACL
    Current
    access-list CEPIC_VPN_CLIENT_splitTunnelAcl permit ip LAN-CEPIC 255.255.255.0 any
    New
    access-list CEPIC_VPN_CLIENT_splitTunnelAcl standard permit LAN-CEPIC 255.255.255.0
    You could also try adding
    fixup protocol icmp
    fixup protocol icmp error
    Have you monitored the logs while you are attempting to connect to the LAN network?
    - Jouni

  • When converting over to HTTPS and PKI for clients, not all actions are available in configuration manager cpl

    I'm not exactly sure which forum heading this should go under so if this isn't correct please let me know or move it on my behalf.  
    So I am trying to set up Internet Based Client Management in SCCM 2012 R2 and have come across a few articles on how to do so. I think I have mostly gotten it to work but I seem to be having a client issue when deploying new machines. My already deployed servers seem to have picked up the PKI setting no problem. In the past when I would deploy a new Windows client everything would be fine. When I converted over to PKI in my test environment I am now having issues when I go to deploy a new Windows client. I don't get all of the Actions listed in the Configuration Manager control panel. All I have are Discovery Data Collection, Machine Policy Retrieval and Eval, User Policy Retrieval and Eval, and Windows Installer Source List Update Cycles; before, all of them would populate no problem. I have let this machine sit here for several hours and nothing has changed yet. It does say PKI for client certificate. Sometimes when I would deploy new machines it would say NONE for Client certificate. In my production environment it says self-signed. I have found if I uninstall the client and re-install the client it does populate all of the cycles but I don't understand why it is not working on deployment.
    Ok so maybe not all the time that when I reinstall the client it fixes it. I just did an uninstall and reinstall on a test client and all it has under actions are machine and user policy cycles.
    Does anyone have any ideas?

    Hi,
    I think the SCCM client was installed before the GPO applied, so you don't have a certificate available when it is required.
    You can export and import the certificate by using MDT integration, try this blog for PKI part:
    How To: Build and Capture in Configuration Manager 2012 using HTTPS
    And in addition, you can upload the log to your onedrive so you can share with us.
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

  • E3000 questions. Cisco Connect with https and turn off wireless?

    My old router died this weekend after 10 years and I have been wanting to get a faster router for a while anyways.
    I picked up a E3000 and set it up yesterday.
    The firmware is 1.0.03
    I have two main questions
    I changed the router settings so you can only browser manage the router through https and turned off http access to the router.
    Cisco Connect now doesn't work. Will Cisco Connect work with HTTPS? Do I have to do something to get it to work?
    I also didn't see a version number on Cisco Connect am I just not noticing it?
    I'd really like to shut off wireless on most days when I'm not home. I want the router to still be working since my desktop computers are directly connected to the router and I remote into them. Is there an easy way to shutoff the wireless and then easily turn it back on when I get home?
    thanks
    mike

    Mine works the same. It's probably designed that way for the manual way of logging into the setup page of the router.
    No, it seems no updates yet or see the need to have one.
    No, it doesn't have that option unfortunately.
    "The war between heaven and hell depends on the choices we make, and those choices require sacrifice. That's the test"

  • Why would i connect a external hardrive to the airport extreme and what is the difference between LAN and WAN gigabit ethernet?

    Hey, just wanted to know what the reason is that I would connect my external hard drive to the Extreme, and what the difference is between LAN and WAN ethernet. I know one is local and the other is wide, but can someone explain in simpler terms?

    Connecting a hard drive to the Airport Extreme makes it available to be shared across all the computers on your network.
    WAN (Wide Area Network) is your connection to the internet
    LAN (Local Area Network) is your internal (or local) ethernet connections (computers, printers, etc...)
    AirPort Base Station: About the WAN and LAN Ports

  • Performance problems with DFSN, ABE and SMB

    Hello,
    We have identified a problem with DFS-Namespace (DFSN), Access Based Enumeration (ABE) and SMB File Service.
    Currently we have two Windows Server 2008 R2 servers providing the domain-based DFSN in functional level Windows Server 2008 R2 with activated ABE.
    The DFSN servers have the most current hotfixes for DFSN and SMB installed, according to http://support.microsoft.com/kb/968429/en-us and http://support.microsoft.com/kb/2473205/en-us
    We have only one AD-site and don't use DFS-Replication.
    Servers have 2 Intel X5550 4 Core CPUs and 32 GB Ram.
    Network is a LAN.
    Our DFSN looks like this:
    \\contoso.com\home
        Contains 10.000 Links
        Drive mapping on clients to subfolder \\contoso.com\home\username
    \\contoso.com\group
        Contains 2500 Links
        Drive mapping on clients directly to \\contoso.com\group
    On \\contoso.com\group we serve different folders for teams, projects and other groups with different access permissions based on AD groups.
    We have to use ABE, so that users see only accessible Links (folders)
    We encounter sometimes multiple times a day enterprise-wide performance problems for 30 seconds when accessing our Namespaces.
    After six weeks of researching and analyzing we were able to identify the exact problem.
    Administrators create a new DFS-Link in our Namespace \\contoso.com\group with correct permissions using the following command line:
    dfsutil.exe link \\contoso.com\group\project123 \\fileserver1\share\project123
    dfsutil.exe property sd grant \\contoso.com\group\project123 CONTOSO\group-project123:RX protect replace
    This is done a few times a day.
    There is no possibility to create the folder and set the permissions in one step.
    The DFSN process on our DFSN servers creates the new link and the corresponding folder in C:\DFSRoots.
    At this time, we have for example 2000+ clients having an active session to the root of the namespace \\contoso.com\group.
    Active session means a Windows Explorer opened to the mapped drive or to any subfolder.
    The file server process (Lanmanserver) sends a change notification (SMB-Protocol) to each client with an active session \\contoso.com\group.
    All the clients which were getting the notification now start to refresh the folder listing of \\contoso.com\group
    This was identified by an network trace on our DFSN-servers and different clients.
    Due to ABE the servers have to compute the folder listing for each request.
    The DFS service on the servers doesn't respond for probably 30 seconds to any additional requests. CPU usage increases significantly over this period and goes back to normal afterwards; on our hardware from about 5% to 50%.
    Users can't access any DFS namespace during this time, and applications using data from a DFS namespace stop responding.
    Side effect: Windows reports on clients a slow-link detection for \\contoso.com\home, which can be offline available for users (described here for WAN-connections: http://blogs.technet.com/b/askds/archive/2011/12/14/slow-link-with-windows-7-and-dfs-namespaces.aspx)
    The problem doesn't occur when creating a link in \\contoso.com\home, because users only have a mapping to subfolders.
    Currently, the problem also doesn't occur for \\contoso.com\app, because users usually don't use Windows Explorer to access this mapping.
    Disabling ABE reduces the DFSN freeze time, but doesn't solve the problem.
    Problem also occurs with Windows Server 2012 R2 as DFSN-server.
    There is a registry key available for clients to avoid the response to the change notification (NoRemoteChangeNotify, see http://support.microsoft.com/kb/812669/en-us).
    This might fix the problem with DFSN, but results in other problems for the users. For example, they have to press F5 to refresh every remote directory after a change.
    Is there a possibility to disable the SMB change notification on server side ?
    TIA and regards,
    Ralf Gaudes
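As an added example (not part of the original post and not Microsoft's own tooling), the two dfsutil.exe steps above expressed with the DFSN PowerShell module that ships with Windows Server 2012 and later. The namespace, target share and group names are the post's own placeholders. It does not collapse link creation and permissioning into one step, which the post says is not possible; it only makes the grant follow immediately, refuses to touch an existing link, and prints the resulting explicit ACE list so the ABE-visible set can be checked. The module name `DFSN` and the cmdlets `Get-DfsnFolder`, `New-DfsnFolder`, `Grant-DfsnAccess` and `Get-DfsnAccess` are documented cmdlets; everything else (parameter names of the script, the refusal check) is this example's own.

```powershell
#Requires -Modules DFSN
# Added example, not from the original post. Mirrors:
#   dfsutil.exe link <link> <target>
#   dfsutil.exe property sd grant <link> <group>:RX protect replace
# using the DFSN module. Script parameters are this example's own.
param(
    [Parameter(Mandatory)] [string] $LinkPath,     # e.g. \\contoso.com\group\project123
    [Parameter(Mandatory)] [string] $TargetPath,   # e.g. \\fileserver1\share\project123
    [Parameter(Mandatory)] [string] $AccountName   # e.g. CONTOSO\group-project123
)

$ErrorActionPreference = 'Stop'

# Every new link fans an SMB change notification out to every client with an
# open session on the namespace root, so never create or re-create a link by
# accident: bail out if it already exists.
if (Get-DfsnFolder -Path $LinkPath -ErrorAction SilentlyContinue) {
    throw "Link $LinkPath already exists; refusing to modify it."
}

# Step 1: create the link (the dfsutil.exe link command).
New-DfsnFolder -Path $LinkPath -TargetPath $TargetPath | Out-Null

# Step 2: add an explicit ACE for the group on the link (the dfsutil.exe
# property sd grant command). With ABE enabled on the root, users who are not
# in this group no longer see the link when they enumerate \\contoso.com\group.
Grant-DfsnAccess -Path $LinkPath -AccountName $AccountName | Out-Null

# Show the explicit ACE list that ABE will evaluate for this link.
Get-DfsnAccess -Path $LinkPath
```

Two caveats. Grant-DfsnAccess adds an explicit entry rather than replacing the link's security descriptor the way the post's `protect replace` does, so check the Get-DfsnAccess output to confirm only the intended group is listed. And since each creation triggers one enumeration storm across all 2000+ sessions, batching the day's link creations into one maintenance window reduces how often users hit the 30-second stall, even though it does not shorten any single stall.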

    Hi,
    Thanks for posting in Microsoft Technet Forums.
    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.
    Thank you for your understanding and support.
    Regards.
