IAS and Cisco Concentrator 3000 series?
Is anyone authenticating their VPN users via Windows IAS? If so, how? I would like them to only be able to get on the network if they are in a particular Active Directory group (not local IAS users).
Thanks
Hi,
Yes, it works fine. For network access you need to set up a group policy.
Regards,
~JG
Similar Messages
-
Cisco 4000 & 3000 series ip route & ip default gateway
Dear all ;
I have an enterprise network containing:
- a Foundry BigIron working on layer 3, and a combination of Cisco 4000, 3000 and 2000 switches working on layer 2;
the management network for the switches is 192.168.100.0
the Foundry BigIron is 192.168.100.1
I use ip default-gateway 192.168.100.1 on all Cisco switches.
All other subnets route through the Foundry.
But when I ping from any subnet (192.168.15.0) to any 3000 or 2000 series switch it replies, and when I ping a 4000 series switch it doesn't reply.
When I use the default route command on the 4000 series it replies.
I need some explanation.
Kind Regards
In the original post it describes the Cisco switches as operating as layer 2 switches, and I assume that in terms of how they are configured to forward traffic all the Cisco switches, including the 4000, are configured only for layer 2 forwarding. But with IP routing enabled (as seems to have been the case on the 4000) the behavior of the switch becomes a bit different. In particular, the difference is in how you identify the default route. For a switch that is layer 2 only you use the default-gateway command (which apparently worked fine for the 2000 and 3000 switches). But when you enable IP routing then the switch does not use the default-gateway to learn its default route and would look for some other mechanism to learn its default route. I am assuming that there was not any other mechanism and so the 4000 basically did not have a default route. When you configure no ip routing (which was good advice from Paul) then the 4000 stops working as a layer 2 switch and at that point will use default-gateway to determine its default route.
HTH
Rick -
RedHat Enterprise Cluster and Cisco IGMP Snooping/Querying
Has anyone else had any experience with IGMP Snooping/Querying and RedHat Enterprise Cluster?
We have been experiencing a large amount of problems with this functionality.
We are running IGMP Querying in our environment and we recently set up a second querier.
Here's the steps we took
Existing querier: 192.168.3.248
Everything was running fine.
Added a new querier on a different switch: 192.168.3.247
At this point, all of our RedHat Enterprise Clusters fenced themselves and needed to be restarted in order to restore
access. In order to restart the RedHat Enterprise Clusters, the physical servers must be rebooted.
Are there any known issues with RedHat Enterprise Clustering and Cisco Switches (3750
series)? I would expect the querier change to be seamless, but it does not seem that this
is the case.
Hi,
In our organization we have Red Hat Cluster with 2 Cisco switches (Model: cisco WS-C2960S-24TD-L, Version: "flash:/ c2960s-universalk9-mz.122-55.SE3/c2960s-universalk9-mz.122-55.SE3.bin").
- We are using HP Chassis c7000 and the servers are on the chassis. There are 2 service IC & Med. Each server has one service primary and the other secondary running.
- The two cluster switches are connected to each other with an EtherChannel trunk (1+1) link. Also these 2 switches are connected to our Mgmt switch for Server Admin access to the HP Chassis via the OA port. The Red Hat system has the cluster LAN (pri & sec) & OA LAN (01 & 02 of the HP chassis) connected to the Cluster switches. The Mgmt VLAN is 501 - 172.31.10.0/24.
Problem:
When ClusterSW01 goes down the cluster shifts to ClusterSW02 with Cluster_Secondary_LAN and OA2. But when the ClusterSW01 switch comes up again the communication breaks and the cluster doesn't come up.
I was thinking this is either STP or IGMP, but I'm not sure. As these are production systems we also couldn't do much more testing.
If you have faced any such issue or have experience with it or know what the problem might be, kindly share with me.
Thanks,
Adnan -
3000 series concentrator and L2TP over IPSec
All,
Anyone have any wisdom they are willing to share regarding the establishment of an L2TP over IPSec tunnel between Mac OS X and a 3000 series concentrator? I believe that the concentrator is accepting the IKE SA proposal, but I can't get any further and I'm not able to get any useful information out of the logs on either side of the tunnel. The client side simply reports that "L2TP cannot connect to the server", the concentrator reports "Connection terminated for peer". It has clearly exchanged some valid information because the concentrator has assigned the traffic to the correct group (a non-default group I've set up specially to test this connection).
Looking at the packet dump I can see the two devices exchange some information, then the client starts sending ISAKMP packets (quick mode) that the concentrator seems to ignore.
Thoughts, suggestions, anecdotes etc. are all welcome.
Try to adjust the SA lifetime and the max connect time in the VPN concentrator.
Refer these links:
http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2284/products_tech_note09186a0080094eca.shtml
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_qanda_item09186a0080094cf4.shtml -
Hi All,
Our problem is, we have Cisco Works LMS 3.0.1 and it cannot archive the configuration for the Cisco 3000 series VPN concentrator.
Any help would be greatly appreciated.
Thanks in advance.
Samir
Make sure you have filled out all of the HTTP/HTTPS credential data in DCR for these devices. RME will only use HTTPS to fetch VPN concentrator configurations.
-
SecureCopy & 3000-series Concentrator...
I have a requirement to have an open-source configuration management solution log into my concentrator & download its config for backup / version control purposes. Its name is "RANCID".
I've enabled SSH, and I can log into the Private Interface with PuTTY just fine. When I use WinSCP 4.04, I have a problem. I authenticate just fine, but then the connection is dropped after 30 seconds. WinSCP tells me, "Incompatable shell, BASH prefered...". The concentrator tells me that the "PShell" is shutting down.
Question: Is this just an incompatibility with WinSCP specifically? Do you think others would work? I know the 3000-series is old, and end-of-life. I'm using the next-to-latest build of OS for the Concentrator. -
Ask the Expert: Different Flavors and Design with vPC on Cisco Nexus 5000 Series Switches
Welcome to the Cisco® Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Cisco® NX-OS.
The biggest limitation to a classic port channel communication is that the port channel operates only between two devices. To overcome this limitation, Cisco NX-OS has a technology called virtual port channel (vPC). A pair of switches acting as a vPC peer endpoint looks like a single logical entity to port channel attached devices. The two devices that act as the logical port channel endpoint are actually two separate devices. This setup has the benefits of hardware redundancy combined with the benefits offered by a port channel, for example, loop management.
vPC technology is the main factor for success of Cisco Nexus® data center switches such as the Cisco Nexus 5000 Series, Nexus 7000 Series, and Nexus 2000 Series Switches.
This event is focused on discussing all possible types of vPC along-with best practices, failure scenarios, Cisco Technical Assistance Center (TAC) recommendations and troubleshooting
Vishal Mehta is a customer support engineer for the Cisco Data Center Server Virtualization Technical Assistance Center (TAC) team based in San Jose, California. He has been working in TAC for the past 3 years with a primary focus on data center technologies, such as the Cisco Nexus 5000 Series Switches, Cisco Unified Computing System™ (Cisco UCS®), Cisco Nexus 1000V Switch, and virtualization. He presented at Cisco Live in Orlando 2013 and will present at Cisco Live Milan 2014 (BRKCOM-3003, BRKDCT-3444, and LABDCT-2333). He holds a master’s degree from Rutgers University in electrical and computer engineering and has CCIE® certification (number 37139) in routing and switching, and service provider.
Nimit Pathak is a customer support engineer for the Cisco Data Center Server Virtualization TAC team based in San Jose, California, with primary focus on data center technologies, such as Cisco UCS, the Cisco Nexus 1000v Switch, and virtualization. Nimit holds a master's degree in electrical engineering from Bridgeport University and has CCNA® and CCNP® certifications. Nimit is also working on a Cisco data center CCIE® certification while also pursuing an MBA degree from Santa Clara University.
Remember to use the rating system to let Vishal and Nimit know if you have received an adequate response.
Because of the volume expected during this event, Vishal and Nimit might not be able to answer every question. Remember that you can continue the conversation in the Network Infrastructure Community, under the subcommunity LAN, Switching & Routing, shortly after the event. This event lasts through August 29, 2014. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.
Hello Gustavo
Please see my responses to your questions:
Yes, almost all routing protocols use Multicast to establish adjacencies. We are dealing with two different types of traffic – Control Plane and Data Plane.
Control Plane: To establish Routing adjacency, the first packet (hello) is punted to CPU. So in the case of the triangle routed VPC topology as specified on the Operations Guide link, multicast for routing adjacencies will work. The hello packets will be exchanged across all 3 routers and adjacency will be formed over VPC links
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/operations/n5k_L3_w_vpc_5500platform.html#wp999181
Now for Data Plane we have two types of traffic – Unicast and Multicast.
The Unicast traffic will not have any forwarding issues, but because the Layer 3 ECMP and port channel run independent hash calculations there is a possibility that the Layer 3 ECMP chooses N5k-1 as the Layer 3 next hop for a destination address while the port channel hashing chooses the physical link toward N5k-2. In this scenario, N5k-2 receives packets from R with the N5k-1 MAC as the destination MAC.
Sending traffic over the peer-link to the correct gateway is acceptable for data forwarding, but it is suboptimal because it makes traffic cross the peer link when the traffic could be routed directly.
For that topology, Multicast Traffic might have complete traffic loss due to the fact that when a PIM router is connected to Cisco Nexus 5500 Platform switches in a vPC topology, the PIM join messages are received only by one switch. The multicast data might be received by the other switch.
The Loop avoidance works a little differently across Nexus 5000 and Nexus 7000.
Similarity: For both products, loop avoidance is possible due to VSL bit
The VSL bit is set in the DBUS header internal to the Nexus.
It is not something that is set in the ethernet packet that can be identified. The VSL bit is set on the port asic for the port used for the vPC peer link, so if you have Nexus A and Nexus B configured for vPC and a packet leaves Nexus A towards Nexus B, Nexus B will set the VSL bit on the ingress port ASIC. This is not something that would traverse the peer link.
This mechanism is used for loop prevention within the chassis.
The idea being that if the port came in the peer link from the vPC peer, the system makes the assumption that the vPC peer would have forwarded this packet out the vPC-enabled port-channels towards the end device, so the egress vpc interface's port-asic will filter the packet on egress.
Differences: In Nexus 5000 when it has to do L3-to-L2 lookup for forwarding traffic, the VSL bit is cleared and so the traffic is not dropped as compared to Nexus 7000 and Nexus 3000.
It still does loop prevention but the L3-to-L2 lookup is different in Nexus 5000 and Nexus 7000.
For more details please see below presentation:
https://supportforums.cisco.com/sites/default/files/session_14-_nexus.pdf
DCI Scenario: If both pairs are Nexus 5000 then separation of L3/L2 links is not needed.
But in most scenarios I have seen a pair of Nexus 5000 with a pair of Nexus 7000 over DCI, or 2 pairs of Nexus 7000 over DCI. If Nexus 7000 are used then L3 and L2 links are required for sure, as mentioned on the above presentation link.
Let us know if you have further questions.
Thanks,
Vishal -
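The unicast hashing mismatch in Vishal's answer above, simulated as an added example (this is not code from the original post or from NX-OS): one hash picks the Layer 3 next hop, an independent hash picks the port-channel member link, and every disagreement is a frame that arrives at the peer which does not own the destination MAC and must cross the vPC peer link. The CRC32 and truncated SHA-256 hashes and the 256 constructed TCP flows are assumptions standing in for the real ASIC hashes and real traffic.

```python
"""Simulate the hash mismatch described in the answer above: a router's
Layer 3 ECMP picks N5k-1 or N5k-2 as next hop with one hash, while the
port-channel picks the physical member link (and therefore the peer that
physically receives the frame) with an independent hash. When they disagree,
the frame lands on the peer that does not own the destination MAC and has to
cross the vPC peer link.

Added example, not part of the original post or of NX-OS. The two hash
functions are stand-ins (CRC32 and truncated SHA-256), not the real ASIC
hashes; the flows below are constructed.
"""
import hashlib
import zlib
from typing import Callable, Dict, List, Tuple

Flow = Tuple[str, str, int, int, int]   # (src_ip, dst_ip, proto, sport, dport)
PEERS = ("N5k-1", "N5k-2")               # the vPC pair; one member link lands on each peer


def ecmp_hash(flow: Flow) -> int:
    """Stand-in for the router's L3 ECMP hash over the 5-tuple."""
    return zlib.crc32(repr(flow).encode())


def portchannel_hash(flow: Flow) -> int:
    """Stand-in for the port-channel load-balancing hash, independent of ecmp_hash."""
    return int.from_bytes(hashlib.sha256(repr(flow).encode()).digest()[:4], "big")


def classify_flows(flows: List[Flow],
                   l3_hash: Callable[[Flow], int] = ecmp_hash,
                   pc_hash: Callable[[Flow], int] = portchannel_hash) -> Dict[str, int]:
    """Count flows that reach their next hop directly versus flows that must cross the peer link."""
    result = {"direct": 0, "peer_link": 0}
    for flow in flows:
        next_hop = PEERS[l3_hash(flow) % len(PEERS)]   # peer whose MAC is the destination MAC
        landing = PEERS[pc_hash(flow) % len(PEERS)]    # peer whose member link carries the frame
        result["direct" if next_hop == landing else "peer_link"] += 1
    return result


def constructed_flows(count: int = 256) -> List[Flow]:
    """Constructed sample: TCP flows from one client to one server, varying only the source port."""
    return [("10.0.1.10", "10.0.2.20", 6, 40000 + i, 443) for i in range(count)]


if __name__ == "__main__":
    flows = constructed_flows()
    # Independent hashes: roughly half of the flows cross the peer link.
    print("independent hashes:", classify_flows(flows))
    # Same function for both decisions: nothing crosses, the two choices always agree.
    print("identical hashes:  ", classify_flows(flows, ecmp_hash, ecmp_hash))
```

With independent hashes roughly half of the flows land on the peer that does not own the destination MAC, which is the suboptimal peer-link crossing the answer describes; passing the same function for both selections shows the crossing only disappears when the two decisions agree, something the router and the switch have no way to coordinate.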
Maximum number of local users on a Cisco VPN 3000 Concentrator
Hi,
Do you know if there is a specific maximum number of local users that can be created on a Cisco VPN 3000 Concentrator? If possible, we would like to know the number for the different models.
Thanks in advance for your help!
Harry
Hi Harry,
Please see table 13-1 for that information, and read Authentication Server Limits paragraph
http://www.cisco.com/en/US/docs/security/vpn3000/vpn3000_47/configuration/guide/Usermgt.html#wp1685274
Pls rate any helpful posts
Bst Rgds
Jorge -
With Xander Thuijs
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn about the Cisco ASR 9000 Series Aggregation Services Routers with Cisco expert Xander Thuijs. The Cisco ASR 9000 Series Aggregation Services Routers product family offers a significant added value compared to the prior generations of carrier Ethernet routing offerings. The Cisco ASR 9000 Series is an operationally simple, future-optimized platform using next-generation hardware and software. The ASR 9000 platform family is composed of the Cisco ASR 9010 Router, the Cisco ASR 9006 Router, the Cisco ASR 9922 Router, Cisco ASR 9001 Router and the Cisco ASR 9000v Router.
This is a continuation of the live Webcast.
Xander Thuijs is a principal engineer for the Cisco ASR 9000 Series and Cisco IOS-XR product family at Cisco. He is an expert and advisor in many technology areas, including IP routing, WAN, WAN switching, MPLS, multicast, BNG, ISDN, VoIP, Carrier Ethernet, System Architecture, network design and many others. He has more than 20 years of industry experience in carrier Ethernet, carrier routing, and network access technologies. Xander holds a dual CCIE certification (number 6775) in service provider and voice technologies. He has a master of science degree in electrical engineering from Hogeschool van University in Amsterdam.
Remember to use the rating system to let Xander know if you have received an adequate response.
Xander might not be able to answer each question because of the volume expected during this event. Remember that you can continue the conversation on the Service Providers community XR OS And Platforms shortly after the event. This event lasts through Friday, May 24, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.
Webcast related links:
Slides
Webcast Video Recording
FAQ
Is there a Cisco lab available for ASR 9000?
We have "XR4U" stations coming available soon when XR 511 comes alive. The plan is for a downloadable play image like that. In the interim we have 2 demo systems available, and they can be booked via your account manager representative.
How will MOD160 perform with multiple 9000NVS?
Very well. The MOD 160 has 4 NPUs, 2 per bay. So if you have a 4x10 MPA to serve a satellite, you effectively have a single NPU per 20 1Gigs from the satellite. The pps performance will be stellar. However it might be price technically more ideal to connect the satellite with a 36x10, since the MOD-x has native MPAs with 1G also.
2. Is there a shortcut for a Bundle-EthernetX interface, such as port-channel interface (poX), in Cisco IOS®?
The usability enhancement is there; we are trying to push this into a new reasonable release. Follow CSCuh04526.
3. What is the revolutions per minute (RPM) on these hard disk drives (HDDs) compared to the solid state drives (SSDs)? Will the spinning drives be slow?
It depends on the type we had available at time of production; you will see different sizes and disks on the RSP2. The RPM of the HD is not so much an issue as much as the buffered writing we used to do in XR. This is fixed up with XR43 where the disk writing performance is much better. The HD/SSD is used for logging storage only (and maybe your pictures) but other than that we're not that concerned with write perf of the HD.
regards
xander -
Oracle RAC and Cisco 7000 Series
Has anyone been successful with database 11.1.0.6 or 11.1.0.7 using a Cisco 7000 series router for the cache fusion interconnect?
A simple yes, if you have done so, will be very much appreciated.
We have a cluster that works with 5000 series switches and hangs with 7000 series ... trying multiple physical switches for the test.
Thank you.
It should work properly. One correction: it should be switch, not router. We have used the same.
-
Cisco IE-3000-8TC switches and CNA
A colleague of mine has installed a set of 3 Cisco IE-3000-8TC switches which look like they have had a minimal amount of configuration applied to them, and I have now been asked to integrate them into a CNA community.
I can:
ping them and get replies
connect to them through telnet
connect to them with a web browser
I can create a community and the 3 switches are detected as shown in the attached file, CreateCommunity.png
However, when I try to connect to the newly created community CNA returns the error –1, as shown in the attached file, CommunityError.png
It then hangs at 83% Processing discovered devices…
Has anyone out there had experience of integrating these switches into CNA?
What do I need to do to them? -
Migration cisco concentrator to ASA
Hi,
we want to migrate from concentrator to ASA.
I know that there was a cisco internal tool to adapt the concentrator configuration.
Is this tool still internal or could it be downloaded somewhere?
Thanks for your help.
Hi Martin,
What version of Concentrator are you currently using? If you are using a VPNC 3000 series, you can view the recommended upgrade path to an ASA via the following link (see "Product Migration Options" at the bottom of the document)
http://www.cisco.com/en/US/partner/prod/collateral/vpndevc/ps5743/ps5749/ps2284/prod_end-of-life_notice0900aecd805cd5a0.html
Mike -
Cisco PIX 501 to Cisco Concentrator 3005 via Remote Access
Hello folks,
I need your help.
We got a Cisco PIX 501 in one location and this PIX is configured for PPPoE dial out. The PIX connects itself to the internet via the PPPoE client. Ping to an official IP is running well.
So what I want to do is to establish a VPN tunnel between this PIX and a Cisco 3005 concentrator.
But I was not successful in establishing it.
Here is the PIX config. The ACLs are only for testing and will be replaced if it works.
PIX Version 6.3(4)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx
passwd xxx
hostname PIX-AU
domain-name araukraine.ua
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside permit ip any any
access-list inside_access_in permit ip any any
pager lines 24
logging on
logging monitor warnings
logging buffered warnings
mtu outside 1456
mtu inside 1456
ip address outside pppoe setroute
ip address inside 192.168.x.x 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.x.x 255.255.255.224 inside
pdm logging warnings 500
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside in interface outside
access-group inside_access_in in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http 192.168.x.x 255.255.x.x inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.x.x 255.255.x.x inside
telnet timeout 5
ssh 194.39.97.0 255.255.255.0 outside
ssh timeout 5
management-access inside
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname [email protected]
vpdn group pppoe_group ppp authentication pap
vpdn username [email protected] password *********
encrypted privilege 15
vpnclient server 212.xx.xx.xx
vpnclient mode network-extension-mode
vpnclient vpngroup vpntest password ********
vpnclient username pixtest password ********
terminal width 80
On the concentrator I created a user pixtest, a group vpntest and I've created rules for the network, e.g. to which server the users behind the PIX will be able to access.
And that's all.
I could not send you the output either of the pix or concentrator because I did not get an error or a message that the tunnel will be established.
What can be wrong ?
Thanks for the replies.
This sample configuration demonstrates how to form an IPsec tunnel from a PC that runs the Cisco VPN Client (4.x and later) to a Cisco VPN 3000 Concentrator to enable the user to securely access the network inside the VPN Concentrator.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a008026f96c.shtml -
hi all,
can a cisco 2960s connect to asa with multiple vlans and still route to DMZ and internet?
thanks for any comment you may add.
Hi,
I have pretty much lost track of the Cisco Switch and Router products but to my understanding all the 2900 series Switches are usually just L2 devices which don't usually handle routing. But as I said I don't know if there have been some changes regarding their abilities. To my understanding it's always been the 3000 Series switches that handle L3 operation also.
I am also not sure if I understood your question correctly.
You can naturally trunk your 2960 Vlans to the ASA and let it handle the routing.
But as I said I don't quite know if I understood what you are after. Maybe you would want to expand on your question a bit more?
- Jouni -
Help remove Vulnerability on Cisco concentrator
Hi, our last security scan, came back with this vulnerability, anyone know how to reduce the threat?
Cisco Internet Key Exchange Denial of Service Vulnerability
THREAT:
Cisco Internet Key Exchange (IKE) is exposed to a denial of service issue. This issue affects devices implementing IKE Version 1, and is due to resource exhaustion when handling a high rate of IKE requests. An attack of 10 packets per second at 122 bytes each is sufficient to cause denial of service conditions.
Cisco is tracking these issues with the following Bug IDs:
* CSCse70811 for Cisco IOS software
* CSCse89808 for Cisco VPN 3000 Concentrators
* CSCsb51032 for Cisco PIX firewalls
IMPACT:
A successful attack may lead to denial of service to legitimate users.
SOLUTION:
Cisco has information on a mitigation technique only for Cisco IOS software affected by this issue. Refer to Cisco Security Response 70810 for further details.
COMPLIANCE:
Not Applicable
RESULT:
Detected service isakmp and os Cisco VPN 3000 Concentrator
http://www.cisco.com/warp/public/707/cisco-sr-20060726-ike.shtml
You can turn it off so that no tunnel can ever negotiate to use it, but you can't disable it entirely. You can deactivate all IKE proposals that have DES encryption specified, leaving only the IKE proposals that have 3DES or AES. Go to: Configuration | Tunneling and Security | IPSec | IKE Proposals
and deactivate any and all IKE Proposals that reference DES.
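A defender-side check for the condition the scan result above describes, added here as an example (it is not part of the original thread or of any Cisco product): it reads per-packet records of UDP/500 and UDP/4500 traffic, keeps a sliding window per source and flags any source whose IKE request rate reaches the 10 packets per second the advisory text cites. The record format, the 5-second window and the three sample sources (RFC 5737 documentation addresses) are constructed assumptions; a real deployment would feed it NetFlow or firewall log exports from the concentrator's public interface.

```python
"""Detect IKE request floods of the kind the advisory above describes:
a source sending IKE (UDP/500 or UDP/4500) packets at 10 packets per second
or more, sustained over a sliding window.

Added example, not part of the original thread or of any Cisco product. The
flow records are constructed; in practice they would come from a NetFlow or
firewall log export for the concentrator's public interface.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Tuple

IKE_PORTS = {500, 4500}       # ISAKMP and IKE NAT traversal
THRESHOLD_PPS = 10.0          # rate the advisory text cites as sufficient for DoS
WINDOW_SECONDS = 5.0          # sliding window over which the rate is measured (assumption)


def parse_record(line: str) -> Tuple[float, str, int, int]:
    """Parse one constructed record: '<epoch_seconds> <src_ip> <udp_dport> <bytes>'."""
    ts, src, dport, size = line.split()
    return float(ts), src, int(dport), int(size)


def ike_peak_rates(lines: Iterable[str], window: float = WINDOW_SECONDS) -> Dict[str, float]:
    """Peak IKE packets-per-second seen from each source over any `window`-second span."""
    recent: Dict[str, Deque[float]] = defaultdict(deque)
    peak: Dict[str, float] = defaultdict(float)
    for line in lines:
        ts, src, dport, _ = parse_record(line)
        if dport not in IKE_PORTS:
            continue                              # not IKE traffic, ignore
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:                 # drop packets that fell out of the window
            q.popleft()
        peak[src] = max(peak[src], len(q) / window)
    return dict(peak)


def find_ike_floods(lines: Iterable[str], threshold: float = THRESHOLD_PPS,
                    window: float = WINDOW_SECONDS) -> Dict[str, float]:
    """Sources whose peak IKE rate reached the threshold, mapped to that peak rate."""
    return {src: pps for src, pps in ike_peak_rates(lines, window).items() if pps >= threshold}


def constructed_records() -> List[str]:
    """Constructed sample: one source flooding at 12 pps, one normal IKE peer at 1 pps, DNS noise."""
    recs = []
    for sec in range(5):
        for i in range(12):
            recs.append(f"{sec + i / 12:.4f} 198.51.100.7 500 122")   # flood, 122-byte packets
        recs.append(f"{sec}.0000 203.0.113.5 500 122")                 # legitimate IKE peer
        recs.append(f"{sec}.0000 203.0.113.9 53 64")                   # unrelated DNS traffic
    return recs


if __name__ == "__main__":
    for src, pps in find_ike_floods(constructed_records()).items():
        print(f"IKE flood candidate: {src} peaked at {pps:.1f} pps")
```

Since the page states that Cisco's mitigation applied only to IOS, for a VPN 3000 this kind of alert mainly buys visibility: it tells the operator which source to filter upstream before the concentrator's IKE resources are exhausted, and it is independent of the DES-proposal cleanup the reply above recommends.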