IPSEC VPN Connection

I have create a ipsec  vpn connection between asa router 500 and netgear vpn prosafe 318, the problwm I'm running into is , I have my separate from the above connection, Im only trying to give access to one sever, the other side can ping my ip, but I can not ping the other side at all, and when I do a tracert , it is not utilizing the vpn , it is using the internet. What is that Im missing or did wrong ?
This topic first appeared in the Spiceworks Community

On Spiceworks there's an article titled 10 signs SysAdmins are really superheroes - Yes, we mean you!http://community.spiceworks.com/topic/1099346-10-signs-sysadmins-are-really-superheroes-yes-we-mean-...and has a picture of an IT guy with the Superman S under his shirt. So I responded with Based on Man of Steel , I believe you have an anarachrinistic impression of Clark Kent.As we all know now... Pa Kent's paranoia regarding the alien-nature of Clark's being means that maintaining the secret of Clark's origins is the primary mission no matter what is happening in the environment. Thus Pa Kent's noble death saving a stupid dog from the path of a tornado.. making it clear to Clark to do nothing. Who wouldn't want a husband and father like that?

Similar Messages

  • ASA 5505 IPSEC VPN connected but can't access to LAN

    ASA : 8.2.5
    ASDM: 6.4.5
    LAN: 10.1.0.0/22
    VPN Pool: 172.16.10.0/24
    Hi, we purcahsed a new ASA 5505 and try to setup IPSEC VPN via ASDM; i just simply run the Wizards, setup vpnpool, split tunnelling,etc.
    I can connect to the ASA by using cisco VPN client and internet works fine on the local PC, but it cannot access to the LAN (can't ping. can't remote desktop). I tried the same thing on our Production ASA(those have both Remote VPN and Site-to-site VPN working), the new profile i created worked fine.
    Below is my configure, do I mis-configure anything?
    ASA Version 8.2(5)
    hostname asatest
    domain-name XXX.com
    enable password 8Fw1QFqthX2n4uD3 encrypted
    passwd g9NiG6oUPjkYrHNt encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.1.1.253 255.255.252.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address XXX.XXX.XXX.XXX 255.255.255.240
    ftp mode passive
    clock timezone PST -8
    clock summer-time PDT recurring
    dns server-group DefaultDNS
    domain-name vff.com
    access-list vpntest_splitTunnelAcl standard permit 10.1.0.0 255.255.252.0
    access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.252.0 172.16.10.0 255.255.255.0
    pager lines 24
    logging enable
    logging timestamp
    logging trap warnings
    logging asdm informational
    logging device-id hostname
    logging host inside 10.1.1.230
    mtu inside 1500
    mtu outside 1500
    ip local pool vpnpool 172.16.10.1-172.16.10.254 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server AD protocol nt
    aaa-server AD (inside) host 10.1.1.108
    nt-auth-domain-controller 10.1.1.108
    http server enable
    http 10.1.0.0 255.255.252.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 10.1.0.0 255.255.252.0 inside
    ssh timeout 20
    console timeout 0
    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy vpntest internal
    group-policy vpntest attributes
    wins-server value 10.1.1.108
    dns-server value 10.1.1.108
    vpn-tunnel-protocol IPSec l2tp-ipsec
    password-storage disable
    ip-comp disable
    re-xauth disable
    pfs disable
    ipsec-udp disable
    ipsec-udp-port 10000
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value vpntest_splitTunnelAcl
    default-domain value XXX.com
    split-tunnel-all-dns disable
    backup-servers keep-client-config
    address-pools value vpnpool
    username admin password WeiepwREwT66BhE9 encrypted privilege 15
    username user5 password yIWniWfceAUz1sUb encrypted privilege 5
    username user3 password umNHhJnO7McrLxNQ encrypted privilege 3
    tunnel-group vpntest type remote-access
    tunnel-group vpntest general-attributes
    address-pool vpnpool
    authentication-server-group AD
    authentication-server-group (inside) AD
    default-group-policy vpntest
    strip-realm
    tunnel-group vpntest ipsec-attributes
    pre-shared-key BEKey123456
    peer-id-validate nocheck
    privilege cmd level 3 mode exec command perfmon
    privilege cmd level 3 mode exec command ping
    privilege cmd level 3 mode exec command who
    privilege cmd level 3 mode exec command logging
    privilege cmd level 3 mode exec command failover
    privilege cmd level 3 mode exec command packet-tracer
    privilege show level 5 mode exec command import
    privilege show level 5 mode exec command running-config
    privilege show level 3 mode exec command reload
    privilege show level 3 mode exec command mode
    privilege show level 3 mode exec command firewall
    privilege show level 3 mode exec command asp
    privilege show level 3 mode exec command cpu
    privilege show level 3 mode exec command interface
    privilege show level 3 mode exec command clock
    privilege show level 3 mode exec command dns-hosts
    privilege show level 3 mode exec command access-list
    privilege show level 3 mode exec command logging
    privilege show level 3 mode exec command vlan
    privilege show level 3 mode exec command ip
    privilege show level 3 mode exec command ipv6
    privilege show level 3 mode exec command failover
    privilege show level 3 mode exec command asdm
    privilege show level 3 mode exec command arp
    privilege show level 3 mode exec command route
    privilege show level 3 mode exec command ospf
    privilege show level 3 mode exec command aaa-server
    privilege show level 3 mode exec command aaa
    privilege show level 3 mode exec command eigrp
    privilege show level 3 mode exec command crypto
    privilege show level 3 mode exec command vpn-sessiondb
    privilege show level 3 mode exec command ssh
    privilege show level 3 mode exec command dhcpd
    privilege show level 3 mode exec command vpnclient
    privilege show level 3 mode exec command vpn
    privilege show level 3 mode exec command blocks
    privilege show level 3 mode exec command wccp
    privilege show level 3 mode exec command dynamic-filter
    privilege show level 3 mode exec command webvpn
    privilege show level 3 mode exec command module
    privilege show level 3 mode exec command uauth
    privilege show level 3 mode exec command compression
    privilege show level 3 mode configure command interface
    privilege show level 3 mode configure command clock
    privilege show level 3 mode configure command access-list
    privilege show level 3 mode configure command logging
    privilege show level 3 mode configure command ip
    privilege show level 3 mode configure command failover
    privilege show level 5 mode configure command asdm
    privilege show level 3 mode configure command arp
    privilege show level 3 mode configure command route
    privilege show level 3 mode configure command aaa-server
    privilege show level 3 mode configure command aaa
    privilege show level 3 mode configure command crypto
    privilege show level 3 mode configure command ssh
    privilege show level 3 mode configure command dhcpd
    privilege show level 5 mode configure command privilege
    privilege clear level 3 mode exec command dns-hosts
    privilege clear level 3 mode exec command logging
    privilege clear level 3 mode exec command arp
    privilege clear level 3 mode exec command aaa-server
    privilege clear level 3 mode exec command crypto
    privilege clear level 3 mode exec command dynamic-filter
    privilege cmd level 3 mode configure command failover
    privilege clear level 3 mode configure command logging
    privilege clear level 3 mode configure command arp
    privilege clear level 3 mode configure command crypto
    privilege clear level 3 mode configure command aaa-server
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:447bbbc60fc01e9f83b32b1e0304c6b4
    : end

    I change  a Machine's gateway to this ASA and capture again, now we can see some reply.
    All ohter PCs and switches gateway are point to another ASA, maybe that's the reason why i didn't work?
    what's the recommanded way to make our LAN to have two 2 gateways(for load balance or backup router, etc)?
    add two gateways to all PCs and swtichwes?
    1: 18:15:48.307875 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 68
       2: 18:15:49.777685 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 68
       3: 18:15:51.377147 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 68
       4: 18:15:57.445777 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 68
       5: 18:15:58.856324 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 68
       6: 18:16:00.395090 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 68
       7: 18:16:06.483464 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 68
       8: 18:16:08.082805 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 68
       9: 18:16:09.542406 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 68
      10: 18:16:20.640424 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.230: icmp: echo request
      11: 18:16:20.642193 802.1Q vlan#1 P0 10.1.1.230 > 172.16.10.1: icmp: echo reply
      12: 18:16:21.169607 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.230: icmp: echo request
      13: 18:16:21.171210 802.1Q vlan#1 P0 10.1.1.230 > 172.16.10.1: icmp: echo reply
      14: 18:16:22.179556 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.230: icmp: echo request
      15: 18:16:22.181142 802.1Q vlan#1 P0 10.1.1.230 > 172.16.10.1: icmp: echo reply
      16: 18:16:23.237673 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.230: icmp: echo request
      17: 18:16:23.239291 802.1Q vlan#1 P0 10.1.1.230 > 172.16.10.1: icmp: echo reply
      18: 18:16:27.676402 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 50
      19: 18:16:29.246935 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 50
      20: 18:16:30.676921 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 50
      21: 18:16:49.539660 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.233: icmp: echo request
      22: 18:16:54.952602 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.233: icmp: echo request
      23: 18:17:04.511463 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.233: icmp: echo request

  • Is there a limit to the number of concurrent L2TP/IPSec VPN connections in Snow Leopard

    Hi,
    I'm currently running an L2TP/IPSec service from a Snow Leopard server VM running on the latest version of Lion Server ( Had loads of issues with Lion VPN connectivity from outside our network when I first upgraded the physical server to Lion. quickest way to get the service back was to run an S/L VM. I know that there have been some changes to Lion in the VPN area, but this works... sort of;;;)
    I've got an IP address pool of 20 addresses confgured as this is only for ICT staff members. Each user has a local userid/password on the S/L server. For me, things just work.
    iPhone, iPad, OS X lion client they all work and I've had about 3 simultaneous connections up and running.However, the majority of staff users use Windows 7 client machines and they're been reporting sporadic connection failures where one moment they can get connected and the next they can't.  I'm currently wondring if there is some concurrent limit setting they are hitting and are getting slung off because I've got other users using the service.  It would be a bit strange if S/L can only support 2 or 3 connections out of the box.
    Then again it might be VMWare Fusion (Vsn 4.1.1) thats the problem.
    Any help apppreciated
    Rgds
    Alex

    You have to count to have about 30GB at least free on the startup disk, after you have the library loaded.
    On the external you have space enough.
    As far as I know there is no limit for iPhoto, but I suggest to not let it grow too much, because everything will become sluggish, also making backups. It should be possible to split up in more libraries, one that is really actual and one that is the past. Physical splitting up I mean, not smart collections. You can switch libraries by holding the Alt(option) at startup of iPhoto.

  • How to reduce the IPSec VPN connection establishment time

    Hi,
    I set up an IPSec VPN with NAT-T between two cisco router 871. In particular one router acts as a SERVER and the other one as  a CLIENT. All the traffic coming from the hosts connected to the CLIENT-router is sent over the VPN (no split tunnel). Everything works perfectly.
    The only problem is the amount of time the VPN takes to establish the first connection between the two routers. In particular it takes about two minutes.
    Could anybody tell me if this amount of time can be reduced (with a partcular configuration instruction)?
    Or this is the minimum amount of time required for the first connection establishment?
    Thank you for your help.

    Sara,
    Two minutes sound like a lot of time even with a super slow Internet connection. Could you share your configs to see if there is anything on the VPN config that is adding such a huge delay? The connection stablishment shouldnt take more than a few seconds.
    Thanks,
    Raga

  • HT1424 IPSec VPN connection brings up login box but will not connect after entering password.  Have tried this on both IPAD and IPhone 4.  Can anyone help?  thanks

    IPSec VPN brings up login box but will not connect after entering password.  Have tried this on both IPAD and IPhone 4.  Can anyone help?

    Uggh, it's so frustrating! I've googled every search phrase I can think of and this seems to be the only thread describing this exact issue. I'm always automatically logged into Facebook on my MBP but just to be sure I logged out and back in and it worked fine.
    I gotta say, I wasn't a fan of the Droid I had preceding this iPhone, and from what I hear the iPhone app for FB is a thousand times better - not that I'd know personally because I can't log in!! - but I could always access my FB account on the droid. Just sayin...

  • MAC: Uml290 & vzw access manager, IPSec VPN connections don't work

    So, my vpn connections work if I use my UML290 on windows using verizon access manager
    I am now using the new verizon access manager on my mac, and my VPN connections do NOT work. It tries to connect then immediately stops the attempt at connecting and fails (i can access other websites etc OK, I have connectivity!)
    This is a huge problem for me

    Hello,
    I have been having the same problems. When not connected to VPN, things work fine. When VPN connects, all traffic stops passing, even though there is a successful connection. When I disconnect VPN, all traffic resumes.
    I have gone through this with technical support even to the point of doing a trace during the problem and they confirm that the traffic drops, but do not feel it is a network issue. This problem does not happen with any other network adapter I use (Wi-Fi, T-mobile 4G laptop stick).
    I've put together links of articles I have found online describing this problem and probable cause - which I think is an IP address conflict in the 10.x.x.x space. No resolution has been offered to me. I hope these articles help others or if they are having the same experience they might post here.
    http://delicious.com/stacks/view/SL8rGb - "Verizon LTE problems with VPN using Pantech UML 290" - Link Stack
    If anyone comes across a resolution or knows if there will be an update of any kind to fix this, I would appreciate it, thank you.

  • Error with Ericsson h5321gw and IPSEC VPN-Connections

    There is an error in the Lenovo drivers [7.x] for the Ericsson h5321gw UMTS module.
    Symptoms on Windows 7 x64:
    UMTS is working fine. When you connect a vpn ipsec connection though the UMTS , the internet connection (and the vpn as well) gets unstable and has a packet loss of 30% to 50%.
    Solution:
    Install the UMTS drivers in the NDIS 5.0 mode on Windows 7. (The only problem is, that the system boot takes about 1 minute longer with the ndis 5 drivers).
    Further Reading: Message 5: http://forums.lenovo.com/t5/T400-T500-and-newer-T-series/Outlook-Exchange-connection-unstable-on-T52...
    Howto form the Lenovo Forum:
    Force the installation to install Ericsson's vista driver instead of win7 driver. Vista driver is NDIS 5. Installation can be done.
    -> extract the Ericsson drivers package but don't let it install the driver. There should be extracted a setup.exe file
    -> do the installation with command: setup.exe /zFORCEVISTA
    This helped for us.
    Tip:
    If you want to install the win7 driver back, it can be done with command: setup.exe /zFORCEWIN7
    Otherwise using the setup.exe will install the vista ndis 5 when since it once have been told to to install it by /zFORCEVISTA
    I hope, Lenovo can solve this issue quickly.
    Greetings

    I’m not sure this is the same issue you guys are running into, but I’m using the built-in Ericsson h5321gw and ATT SIM on an i7 X1 Carbon. I am required to use a Cisco VPN Client and after connecting successfully to my VPN endpoint via ATT WWAN, I could not get any data in/out the tunnel.
    I tried in both Windows 7 and Windows 8 OS, even trying the setup.exe /zFORCEWIN7 work around to no avail.
    After doing some searching, I came across a blog post describing the same issue I had.
    There is an update to Windows’ DNE that actually solved the issue for me using the standard Erricson W8 (and W7) drivers. (I also performed the h5321gw fireware update from Lenovo, but I did that before the DNEUpdate – that alone did _not_ fix it)
    DNEUpdate x64: ftp://files.citrix.com/dneupdate64.msi
    DNEUpdate x86: ftp://files.citrix.com/dneupdate.msi
    Hope this helps.
    Credit from: http://stenby.wordpress.com/2012/10/03/cisco-vpn-client-and-built-in-lenovo-h5321gw-3g-card/

  • Remote site redundancy IPSEC VPN between 2911 and ASA

    We already have IPSEC VPN connectivity established between sites but would like to introduce some resilience/redundancy at a remote site.
    Site A has an ASA with one internet circuit.
    Site B has a Cisco 2911 with one internet circuit and we have established site-to-site IPSEC VPN connectivity between the 2911 and the ASA.
    Prior to getting the new internet circuit, Site B had a Cisco 877 with an ADSL line which are still available but aren’t currently in use.
    The internet circuit at Site B has dropped a few times recently so we would like to make use of the ADSL circuit (and potentially the 877 router too) as a backup.
    What is the best way of achieving this?
    We thought about running HSRP between the 877 and 2911 routers at Site B and, in the event of a failure of the router or internet circuit, traffic would failover to the 877 and ADSL.
    However, how would Site A detect the failure? Can we simply rely on Dead Peer Detection and list the public IP address of the internet circuit at Site B first with the public IP address used on the ADSL line second in the list on the ASA? What would happen in a failover scenario and, just as important, when service was restored – I’m not sure DPD would handle that aspect correctly?
    I’ve read briefly elsewhere that GRE might be best to use in this scenario – but I can’t use GRE on the ASA. I have an L3 switch behind the ASA which I may be able to make use of? But I don’t want to disrupt the existing IPSEC VPN connectivity already established between the ASA and the 2911.   Can I keep IPSEC between the ASA and 2911 but then run GRE between the L3 switch and the 2911? If so, how would this best be achieved?  And how could I also introduce the 877 and ADSL line into things to achieve the neccessary redundancy?
    Any help/advice would be appreciated!

    Hello,
    I don't think GRE tunnel that you could set up on the switch  behind ASA would be really helpfull. Still site-2-site tunnel you want  to establish between ASA and some routers, but still it is ASA which needs to make decision about which peer to connect to.
    Possible solution would be to do HSRP between both routers on LAN side and with two independent tunnels/crypto maps (one on each of them). On ASA you would need to set up two hosts in set peer. Problem of this solution is that if one router at side B is going to go down and second ADSL line will take over ASA will not do preempt after you main Internet connection is up again. This would happen after ADSL Internet connection will be down.
    Solution to that would be to assign two different public IP addressess on two different interfaces of ASA. Then you attach two crypto maps to both interfaces and by using sla monitor (let's say icmp to main router, if it does not respond then you change routing for remote LAN to second interface) you are selecting which crypto map (with one peer this time) should be used.
    I hope what I wrote makes some sense.

  • Why does my L2TP VPN connection never really contact the server?

    To be clear, this configuration is not on my own Mac, but on one belonging to someone I serve with technical support.
    I am configuring an L2TP over IPSec VPN connection on a MacBook Pro. This connection is to a ZyXEL USG 300 and works successfully from my iPad. (I do not have my own OS X device from which I can test the connection.)
    To the best of my knowledge, I have entered all of the information that is needed for the connection. Yet when I try to connect, all I receive is an indication that the server did not respond. In the USG logs, there is no indication at all of there being even a connection attempt. In a Terminal session on the Mac (verbose logging is enabled), I read:
    L2TP connecting to server 'xx.xx.xxx.xx' (xx.xx.xxx.xx)...
    IPSec connection started
    IPSec connection failed
    It appears to me as if the connection never leaves the Mac and is prevented or stopped by some fault in the system. The firewall is turned off.
    What suggestions do you have for identifying the problem?

    That's weird but you should be able to manually install the update like this:
    #Download a fresh copy from [http://www.mozilla.org/en-US/firefox/all/ here] - direct link (https://download.mozilla.org/?product=firefox-28.0-SSL&os=osx&lang=en-US)
    #Install the new version. For details, see [[How to download and install Firefox on Mac]]
    Usually this fixes this issue with automatic updates. There will be new version available starting next Tuesday. The automatic update will happen sometime over the following week or so.
    Let me know how it goes.<br>
    Thanks,<br>
    Michael

  • Very slow Windows domain login over IPSec VPN

    Hi
    I'm experiencing very slow Windows domain logins over an IPSec VPN connection. The AD is in Site 1, some users are in Site 2. Two Cisco ASA firewalls connect both sites by an IPSec VPN over the Internet.
    I made some registery changes on the Windows XP client on site2 to let Kerberos communicate over TCP instead of UDP. Still the logins take extremely long (45 minutes). Profiles are very small, so there had to be a problem with Kerberos, MTU sizes or somethin like that. I already changed the clients MTU settings to 1000 byes, but login is still very slow. I made some sniffer logs...
    Does anybody know what the problem can be ?
    Regards
    Remco

    Hi Remco,
    The most common issue with slowness over VPN is going to be fragementation. In general below are the recommendations to avoid fragmentation
    1. For TCP traffic, use "ip tcp adjust-mss 1360" on the Internal LAN Interface on the Router. If you are using GRE then configure "ip mtu 1400" under the Tunnel Interface.
    If you are not using GRE then the value of "ip tcp adjust-mss" depends on the type of transform-set being used E.g. AES\3DES etc, so you can increase the value of TCP adjust command from 1360 to a higher value. Though I will start from 1360 first for testing.
    Also take a look at the below article for MTU Issues
    http://www.cisco.com/en/US/customer/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml
    Thanks,
    Naman

  • [Mac OS X] Problems setting up L2TP VPN Connection

    I recently moved from Windows to Mac OS X (10.6.6). Unfortunately this move was not so smoothly as I hoped for and I am currently facing some issues with the VPN-connection to the company I work for. As with many companies they do not have a Mac-guide and I am trying to solve this issue, but so far unsuccesful.
    To access my data on the company’s server (MS TS Environment) I need to establish a L2TP-IPsec VPN connection. I used Mac OS X built in network tool and filled out all the necessary information such as vpn address, shared secret/key, password and accountname. I even double checked the information various times so no spelling errors occurred. After some seconds I receive the message that the L2TP-VPN-server does not respond.
    I checked other posts already and I checked the box that sents all traffic via this VPN-connection but without any results. For a moment I doubted that the cause of this issue might be my home-network: MBA <-> Timecapsule <-> Thomson TG789 … however when I make a L2TP VPN connection using a Windows XP or Vista pc this can be done without problems (using the same network structure) so I guess it is a mac-related problem either with my MBA (Mac OSX) or with the companies servers…
    I found out that using the console.app can provide me with some more information about the connection process:
    - L2TP connecting to server
    - IPSec connection started
    - IKE Packet: transmit success.
    - IKE Packet: receive success.
    After a couple of attemps from the 6th message it suddenly shows:
    - IKE Packet: receive failed.
    - IKE Packet: transmit success.
    - IKE Packet: receive failed.
    -IKEv1 Phase1: maximum retransmits.
    -IKE Packets Receive Failure-Rate Statistic.
    And this finally results in ' IPSec connection failed'
    Does anyone has an idea of what the problem might be (e.g. the settings of the MAC or the settings of the companies VPN or ???) and maybe a solution for this problem?
    Many thanks from a newbie but satisfied Mac-user!

    Hi, I have the same problem with the establishing VPN connection using L2TP without IPsec.

  • Cisco Jabber Client for Windows 9.7 Can't Connect to Other IPSec VPN Clients Over Clustered ASAs

    Environment:
    2 x ASA 5540s (at two different data centers) configured as a VPN Load Balancing Cluster
    Both ASAs are at version 8.4(5)6
    IPSec VPN Client version: 5.0.07.440 (64-bit)
    Jabber for Windows v9.7.0 build 18474
    Issue:
      If I am an IPSec VPN user…
       I can use Jabber to another IPSec VPN user that is connected to the same ASA appliance.
       I can’t use Jabber to another IPSec VPN user that is connected to the different ASA appliance that I am connected to.
    In the hub-and-spoke design, where the VPN ASA is a hub, and the VPN client is a spoke; if you have two hubs clustered together, how does one spoke communicate with another spoke on the other hub in the cluster? (How to allow hairpinning to the other ASA)

    Portu,
    Thanks for your quick reply.
    Unfortunately, I do not have access to the ASA logs nor would I be permitted to turn on the debug settings asked for above.  I might be able to get the logs but it will take awhile and I suspect they wouldn't be helpful as this ASA supports thousands of clients, therefore, separating out my connection attempts from other clients would be difficult.
    I can, though, do whatever you want on the Linux router.  Looking over the firewall logs at the time of this problem, I don't see anything that looks suspicious such as dropped packets destined for the Windows client.
    As I said in my original post, I'm not a networking expert - by any means - but I am willing to try anything to resolve this.  (But I might need a bit of handholding if I need to set up a  wireshark andor tcpdump.)
    Thanks again.

  • Cisco Jabber Client for Windows 9.7 Can't Connect IPSec VPN Clients over two ASAs

    Environment:
    2 x ASA 5540s (at two different data centers) configured as a VPN Load Balancing Cluster
    Both ASAs are at version 8.4(5)6
    IPSec VPN Client version: 5.0.07.440 (64-bit)
    Jabber for Windows v9.7.0 build 18474
    Issue:
      If I am an IPSec VPN user…
       I can use Jabber to another IPSec VPN user that is connected to the same ASA appliance.
       I can’t use Jabber to another IPSec VPN user that is connected to the different ASA appliance that I am connected to.
    In the hub-and-spoke design, where the VPN ASA is a hub, and the VPN client is a spoke; if you have two hubs clustered together, how does one spoke communicate with another spoke on the other hub in the cluster? (How to allow hairpinning to the other ASA)

    Portu,
    Thanks for your quick reply.
    Unfortunately, I do not have access to the ASA logs nor would I be permitted to turn on the debug settings asked for above.  I might be able to get the logs but it will take awhile and I suspect they wouldn't be helpful as this ASA supports thousands of clients, therefore, separating out my connection attempts from other clients would be difficult.
    I can, though, do whatever you want on the Linux router.  Looking over the firewall logs at the time of this problem, I don't see anything that looks suspicious such as dropped packets destined for the Windows client.
    As I said in my original post, I'm not a networking expert - by any means - but I am willing to try anything to resolve this.  (But I might need a bit of handholding if I need to set up a  wireshark andor tcpdump.)
    Thanks again.

  • ASA 5505 Site to Site IPSec VPN WILL NOT CONNECT

    I've spent 2 days already trying to get 2 ASA 5505's to connect using an IPSec vpn tunnel. I cannot seem to figure out what im doing wrong, im using 192.168.97.0 and 192.168.100.0 as my internal networks that i'm trying to connect over a directly connected link on the outside interfaces with 50.1.1.1 and 50.1.1.2 as the addresses (all /24). I also tried with and currently without NAT enabled. Here are the configs for both ASA's, the vpn config was done by the ASDM, however i have also tried the command line apporach with no success. I have followed various guides to the letter online, starting from an empty config and from factory default. I have also tried the 8.4 IOS.
    ASA 1 Config
    ASA Version 8.3(2)
    hostname VIC
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.97.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 50.1.1.1 255.255.255.0
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    shutdown
    interface Ethernet0/3
    shutdown
    interface Ethernet0/4
    shutdown
    interface Ethernet0/5
    shutdown
    interface Ethernet0/6
    shutdown
    interface Ethernet0/7
    shutdown
    boot system disk0:/asa832-k8.bin
    ftp mode passive
    pager lines 24
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.97.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    service-policy global_policy global
    prompt hostname context
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:4745f7cd76c82340ba1e7920dbfd2395
    ASA2 Config
    ASA Version 8.3(2)
    hostname QLD
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.100.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 50.1.1.2 255.255.255.0
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    shutdown
    interface Ethernet0/3
    shutdown
    interface Ethernet0/4
    shutdown
    interface Ethernet0/5
    shutdown
    interface Ethernet0/6
    shutdown
    interface Ethernet0/7
    shutdown
    ftp mode passive
    object network SITEA
    subnet 192.168.97.0 255.255.255.0
    object network NETWORK_OBJ_192.168.100.0_24
    subnet 192.168.100.0 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 object SITEA
    pager lines 24
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination static SITEA SITEA
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.100.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs group1
    crypto map outside_map 1 set peer 50.1.1.1
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 65535
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    tunnel-group 50.1.1.1 type ipsec-l2l
    tunnel-group 50.1.1.1 ipsec-attributes
    pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    service-policy global_policy global
    prompt hostname context
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:d987f3446fe780ab5fbb9d4213b3adff
    : end

    Hello Mitchell,
    Thank you for letting us know the resolution of this topic.
    Please answer the question as answered so future users can learn from this topic.
    Regards,
    Julio

  • Cisco ASA 5505 Ipsec VPN and random connection dropping issues.

    Hello,
    We are currently having issues with a ASA 5505 Ipsec VPN. It was configured about 7-8 months ago and has been running very well..up until the last few weeks.  For some reason, the VPN tends to randomly disconnect any user clients connected a lot.  Furthermore, sometimes it actually connects; however does not put us on the local network for some reason and unable to browse file server.  We have tried rebooting the ASA a few times and our ISP Time Warner informed us there are no signs of packet loss but still unable to pinpoint the problem.  Sometimes users close out of VPN client completely, reopen several times and then it works.  However it's never really consistent enough and hasn't been the last few weeks.  No configuration changes have been made to ASA at all.  Furthermore, the Cisco Ipsec VPN client version is: 5.0.70
    Directly below is our current running config (modded for public).  Any help or ideas would be greatly appreciated.  Otherwise, if everything looks good...then I will defer back to our ISP Time Warner:
    : Saved
    ASA Version 8.4(2)
    hostname domainasa
    domain-name adomain.local
    enable password cTfsR84pqF5Xohw. encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.2.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 205.101.1.240 255.255.255.248
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
    name-server 192.168.2.60
    domain-name adomain.local
    same-security-traffic permit intra-interface
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network SBS_2011
    host 192.168.2.60
    object network NETWORK_OBJ_192.168.2.0_24
    subnet 192.168.2.0 255.255.255.0
    object network NETWORK_OBJ_192.168.5.192_
    27
    subnet 192.168.5.192 255.255.255.224
    object network Https_Access
    host 192.168.2.90
    description Spam Hero
    object-group network DM_INLINE_NETWORK_1
    network-object object SPAM1
    network-object object SPAM2
    network-object object SPAM3
    network-object object SPAM4
    network-object object SPAM5
    network-object object SPAM6
    network-object object SPAM7
    network-object object SPAM8
    object-group service RDP tcp
    description Microsoft RDP
    port-object eq 3389
    access-list outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 object SBS_2011 eq smtp
    access-list outside_access_in extended permit tcp any object SBS_2011 eq https
    access-list outside_access_in extended permit icmp any interface outside
    access-list outside_access_in remark External RDP Access
    access-list outside_access_in extended permit tcp any object SBS_2011 object-group RDP
    access-list domain_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool test 192.168.10.1-192.168.10.5 mask 255.255.255.0
    ip local pool VPN_Users 192.168.5.194-192.168.5.22
    0 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static NETWORK_OBJ_192.168.2.0_24
    NETWORK_OBJ_192.168.2.0_24
    destination static NETWORK_OBJ_192.168.5.192_
    27 NETWORK_OBJ_192.168.5.192_
    27 no-proxy-arp route-lookup
    object network obj_any
    nat (inside,outside) dynamic interface
    object network SBS_2011
    nat (inside,outside) static interface service tcp smtp smtp
    object network Https_Access
    nat (inside,outside) static interface service tcp https https
    nat (inside,outside) after-auto source dynamic any interface
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 205.101.1.239 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-reco
    rd DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 192.168.2.0 255.255.255.0 inside
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet 192.168.2.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.2.160-192.168.2.19
    9 inside
    dhcpd dns 192.168.2.60 24.29.99.36 interface inside
    dhcpd wins 192.168.2.60 24.29.99.36 interface inside
    dhcpd domain adomain interface inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy domain internal
    group-policy domain attributes
    wins-server value 192.168.2.60
    dns-server value 192.168.2.60
    vpn-tunnel-protocol ikev1
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value domain_splitTunnelAcl
    default-domain value adomain.local
    username ben password zWCAaitV3CB.GA87 encrypted privilege 0
    username ben attributes
    vpn-group-policy domain
    username sdomain password FATqd4I1ZoqyQ/MN encrypted
    username sdomain attributes
    vpn-group-policy domain
    username adomain password V5.hvhZU4S8NwGg/ encrypted
    username adomain attributes
    vpn-group-policy domain
    service-type admin
    username jdomain password uODal3Mlensb8d.t encrypted privilege 0
    username jdomain attributes
    vpn-group-policy domain
    service-type admin
    tunnel-group domain type remote-access
    tunnel-group domain general-attributes
    address-pool VPN_Users
    default-group-policy domain
    tunnel-group domain ipsec-attributes
    ikev1 pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:e2466a5b754
    eebcdb0cef
    f051bef91d
    9
    : end
    no asdm history enable
    Thanks again

    Hello Belnet,
    What do the logs show from the ASA.
    Can you post them ??
    Any other question..Sure..Just remember to rate all of the community answers.
    Julio

Maybe you are looking for

  • Multiple users on the same call

    After a recent skype session I went back to the history and it showed the user I was skyping with along with 4 other usernames. Were the other 4 also on the call?

  • I keep getting an error when trying to receive the new update iOS7 on iPhone5.  Any suggestions?

    I keep getting an error when trying to receive the new update iOS7 on iPhone5.  Any suggestions?

  • What are these applications?

    Hello, I've bought a used phone, and don't know which of these applications are there by default, and which I can safely uninstall. Please advise: - Client Platform - Contacts Group DS Plugin - Media DS Plugin - MMS DS Plugin - Nokia Ovi Provisioner

  • Photoshop refuses to load images.

    So upon getting a new hard drive for my Powerbook (the old one on which Photoshop ran well enough) I have reinstalled the Adobe Creative Suite 2. Everything seems to work, except for Photoshop which, despite any attempt, refuses to load any image fil

  • A problem with Tomcat (Can't run tomcat as a service.).

    Hi May be you can help me (please). I do the following steps, as described in many documents I've found. 1. Downloaded the jk_nt_service.exe and put it into jdk1.3.1jre\bin\classic 2. configured wrapper.properties: wrapper.tomcat_home=C:\tomcat324 wr