L2TP VPN Error: "MPPE required but peer negotiation failed"
Clean Leopard Server install. Fairly clean Leopard client, too. Tried to set up an L2TP VPN service and connect to it from the client machine, and I get this in the client's log:
11/6/07 2007-11-06 T 20:23:52 (PST) pppd[374] IPSec connection established
11/6/07 2007-11-06 T 20:23:52 (PST) pppd[374] L2TP connection established.
11/6/07 2007-11-06 T 20:23:52 (PST) pppd[374] Connect: ppp0 <--> socket[34:18]
11/6/07 2007-11-06 T 20:23:53 (PST) pppd[374] MPPE required but peer negotiation failed
11/6/07 2007-11-06 T 20:23:53 (PST) pppd[374] Connection terminated.
As far as I can tell from searching the web, MPPE should not even be involved (but I really don't know the protocol). If I set up a PPTP VPN on the same pair of machines, all is well.
I really think this is a bug in either Leopard or Leopard Server. Anyone else bumping into this wall?
regards,
Bill.
I have the exact same problem. Hopefully Apple will fix this soon. I'm trying to connect to a Linux Box with OpenSwan and L2tpd.
My Logs:
Leopard:
Dec 2 14:43:44 MRiedel-PB-G4 pppd[18603]: L2TP connecting to server XXXXXXXX...
Dec 2 14:43:47 MRiedel-PB-G4 pppd[18603]: IPSec connection started
Dec 2 14:43:48 MRiedel-PB-G4 pppd[18603]: IPSec connection established
Dec 2 14:43:51 MRiedel-PB-G4 pppd[18603]: L2TP connection established.
Dec 2 14:43:51 MRiedel-PB-G4 pppd[18603]: Connect: ppp0 <--> socket[34:18]
Dec 2 14:43:51 MRiedel-PB-G4 pppd[18603]: MPPE required but peer negotiation failed
Dec 2 14:43:52 MRiedel-PB-G4 pppd[18603]: Connection terminated.
Dec 2 14:43:52 MRiedel-PB-G4 pppd[18603]: L2TP disconnecting...
Dec 2 14:43:52 MRiedel-PB-G4 pppd[18603]: L2TP disconnected
And on the Linux Box:
Dec 2 23:43:47 bt-server pluto[2941]: "L2TP-PSK"[9] 63.231.xxx.xxx #16: STATEQUICKR2: IPsec SA established {ESP=>0x09c22235 <0x8522bdef xfrm=AES128-HMACSHA1 NATD=63.231.52.188:4500 DPD=none}
Dec 2 23:43:49 bt-server l2tpd[6376]: control_finish: Peer requested tunnel 8 twice, ignoring second one.
Dec 2 23:43:49 bt-server l2tpd[6376]: Connection established to 63.231.xxx.xxx, 56177. Local: 51805, Remote: 8. LNS session is 'default'
Dec 2 23:43:49 bt-server l2tpd[6376]: Call established with 63.231.xxx.xxx, Local: 56732, Remote: 18603, Serial: 1
Dec 2 23:43:49 bt-server pppd[7541]: pppd 2.4.3 started by root, uid 0
Dec 2 23:43:49 bt-server pppd[7541]: using channel 2105
Dec 2 23:43:49 bt-server pppd[7541]: Using interface ppp2
Dec 2 23:43:49 bt-server pppd[7541]: Connect: ppp2 <--> /dev/pts/4
Dec 2 23:43:49 bt-server pppd[7541]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x6d3895f7> <pcomp> <accomp>]
Dec 2 23:43:49 bt-server pppd[7541]: rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x4d928d7a> <pcomp> <accomp>]
Dec 2 23:43:49 bt-server pppd[7541]: sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x4d928d7a> <pcomp> <accomp>]
Dec 2 23:43:49 bt-server pppd[7541]: rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x6d3895f7> <pcomp> <accomp>]
Dec 2 23:43:49 bt-server pppd[7541]: sent [LCP EchoReq id=0x0 magic=0x6d3895f7]
Dec 2 23:43:49 bt-server pppd[7541]: sent [CHAP Challenge id=0x12 <4885f2c708e0dbd85a3cf7cf60ed6b24>, name = "IPsecVPN"]
Dec 2 23:43:50 bt-server pppd[7541]: rcvd [LCP EchoReq id=0x0 magic=0x4d928d7a]
Dec 2 23:43:50 bt-server pppd[7541]: sent [LCP EchoRep id=0x0 magic=0x6d3895f7]
Dec 2 23:43:50 bt-server pppd[7541]: rcvd [LCP EchoRep id=0x0 magic=0x4d928d7a]
Dec 2 23:43:50 bt-server pppd[7541]: rcvd [CHAP Response id=0x12 <c574d7703411572a98de35e99f3d81ad00000000000000000b4906c55495f2727310659600c5c1 405145b06079ad9fbe00>, name = "xxx"]
Dec 2 23:43:50 bt-server pppd[7541]: sent [CHAP Success id=0x12 "S=2C78FC23BCE0D753988BB8A6AA9EB3EB22326318 M=Access granted"]
Dec 2 23:43:50 bt-server pppd[7541]: sent [CCP ConfReq id=0x1 <deflate 15> <deflate(old#) 15> <bsd v1 15>]
Dec 2 23:43:50 bt-server pppd[7541]: sent [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr 192.168.184.2>]
Dec 2 23:43:50 bt-server pppd[7541]: rcvd [CCP ConfReq id=0x1 <mppe +H -M +S +L -D -C>]
Dec 2 23:43:50 bt-server pppd[7541]: sent [CCP ConfRej id=0x1 <mppe +H -M +S +L -D -C>]
Dec 2 23:43:50 bt-server pppd[7541]: rcvd [LCP TermReq id=0x2 "MPPE required but peer negotiation failed"]
Dec 2 23:43:50 bt-server pppd[7541]: LCP terminated by peer (MPPE required but peer negotiation failed)
Dec 2 23:43:50 bt-server pppd[7541]: sent [LCP TermAck id=0x2]
Dec 2 23:43:50 bt-server pppd[7541]: rcvd [CCP ConfRej id=0x1 <deflate 15> <deflate(old#) 15> <bsd v1 15>]
Dec 2 23:43:50 bt-server pppd[7541]: Discarded non-LCP packet when LCP not open
Dec 2 23:43:50 bt-server l2tpd[6376]: control_finish: Connection closed to 63.231.xxx.xxx, serial 1 ()
Dec 2 23:43:50 bt-server pppd[7541]: Terminating on signal 15
Dec 2 23:43:50 bt-server pppd[7541]: Modem hangup
Dec 2 23:43:50 bt-server pppd[7541]: Connection terminated.
Dec 2 23:43:50 bt-server pppd[7541]: Connect time 0.1 minutes.
Dec 2 23:43:50 bt-server pppd[7541]: Sent 41 bytes, received 10 bytes.
Dec 2 23:43:50 bt-server pppd[7541]: Exit.
Even if I force MPPE on the Linux side, I get the same error. Please fix!
Regards
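The two failure modes in this thread look alike in the client log but differ on the server side: in the Linux log above the server's pppd answers the client's CCP request for MPPE with a ConfRej, so the client (which requires MPPE) terminates LCP; in the Mac OS X Server PPTP logs further down, CHAP succeeds but the server itself never obtains MPPE keys and tears the link down. The following script is an added example, not code from the thread; it parses pppd's bracketed packet traces (abridged copies of the thread's own lines, with CHAP secrets replaced by "...") and tells the two cases apart.

```python
"""Classify the MPPE/CCP failures seen in pppd negotiation logs."""
import re
from dataclasses import dataclass

# Abridged pppd lines from the Linux server log in the thread above (secrets elided).
LINUX_SERVER_LOG = """\
Dec 2 23:43:50 bt-server pppd[7541]: sent [CHAP Success id=0x12 "S=... M=Access granted"]
Dec 2 23:43:50 bt-server pppd[7541]: sent [CCP ConfReq id=0x1 <deflate 15> <deflate(old#) 15> <bsd v1 15>]
Dec 2 23:43:50 bt-server pppd[7541]: rcvd [CCP ConfReq id=0x1 <mppe +H -M +S +L -D -C>]
Dec 2 23:43:50 bt-server pppd[7541]: sent [CCP ConfRej id=0x1 <mppe +H -M +S +L -D -C>]
Dec 2 23:43:50 bt-server pppd[7541]: rcvd [LCP TermReq id=0x2 "MPPE required but peer negotiation failed"]
"""

# Abridged vpnd/pppd lines from the Mac OS X Server PPTP case quoted in the thread.
OSX_SERVER_LOG = """\
Fri Jul 31 09:28:55 2009 : sent [CHAP Success id=0x87 "S=... M=Access granted"]
Fri Jul 31 09:28:55 2009 : MPPE required, but keys are not available. Possible plugin problem?
Fri Jul 31 09:28:55 2009 : sent [LCP TermReq id=0x2 "MPPE required but not available"]
Fri Jul 31 09:28:55 2009 : rcvd [CCP ConfReq id=0x1 <mppe +H -M +S +L -D -C>]
"""

# pppd packet trace shape: 'sent [CCP ConfRej id=0x1 <mppe +H -M +S +L -D -C>]'
PKT_RE = re.compile(r"\b(sent|rcvd) \[(LCP|CCP|IPCP|CHAP) (\w+) id=0x([0-9a-f]+)(.*)\]")
OPT_RE = re.compile(r"<([^>]*)>")
# Flag letters pppd prints for the MPPE option (ccp.c): H=stateless, M=40-bit,
# S=128-bit, L=56-bit, D=the unused "D" bit, C=MPPC compression.
MPPE_FLAG_NAMES = {"H": "stateless", "M": "40-bit", "S": "128-bit",
                   "L": "56-bit", "D": "D-bit", "C": "MPPC"}


@dataclass
class Packet:
    direction: str   # "sent" or "rcvd"
    proto: str       # LCP, CCP, IPCP, CHAP
    code: str        # ConfReq, ConfRej, TermReq, ...
    ident: int       # the id=0x.. field
    options: list    # raw option strings, e.g. "mppe +H -M +S +L -D -C"


def parse_packets(log):
    """Extract every bracketed packet trace from pppd log text."""
    pkts = []
    for m in PKT_RE.finditer(log):
        direction, proto, code, ident, rest = m.groups()
        pkts.append(Packet(direction, proto, code, int(ident, 16), OPT_RE.findall(rest)))
    return pkts


def mppe_flags(option):
    """Turn 'mppe +H -M +S +L -D -C' into the set of flag names that are enabled (+)."""
    if not option.startswith("mppe"):
        return set()
    return {MPPE_FLAG_NAMES[tok[1]] for tok in option.split()[1:] if tok[0] == "+"}


def diagnose(log):
    """Return (verdict, mppe_flags_requested_by_peer) for one pppd negotiation log."""
    pkts = parse_packets(log)
    requested = set()
    for p in pkts:
        if p.proto == "CCP" and p.code == "ConfReq" and p.direction == "rcvd":
            for opt in p.options:
                requested |= mppe_flags(opt)
    rejected = any(p.proto == "CCP" and p.code == "ConfRej" and p.direction == "sent"
                   and any(o.startswith("mppe") for o in p.options) for p in pkts)
    if "MPPE required, but keys are not available" in log:
        # Server-side failure: CHAP succeeded, but the authentication plugin handed
        # pppd no MPPE session keys (in the thread: the OS X VPN key-agent account).
        return "server-has-no-mppe-keys", requested
    if rejected and "MPPE required but peer negotiation failed" in log:
        # Local pppd refused the peer's MPPE option; the peer requires MPPE and
        # therefore terminated LCP. Look at local MPPE support/configuration.
        return "local-rejected-peer-mppe", requested
    if requested and not rejected:
        return "mppe-requested-not-rejected", requested
    return "no-mppe-requested", requested


if __name__ == "__main__":
    for name, log in (("linux", LINUX_SERVER_LOG), ("osx", OSX_SERVER_LOG)):
        verdict, flags = diagnose(log)
        print(f"{name}: {verdict} (peer asked for MPPE {sorted(flags)})")
```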
Similar Messages
-
MPPE required but not available
Hi,
Seems like this issue is recurring on the discussion board.
I am running pptp-vpn on an osx server 10.5.7, which is also an OD master.
EDIT: Should add that I was using my OD accounts to VPN, not local accounts.
Until yesterday, the pptp-vpn worked. But today I get this error (I did some changes to the DNS server yesterday, and shutdown the OD replica, probably what caused it):
"MPPE required but not available."
Logs here:
#Start-Date: 2009-07-31 09:28:31 CEST
#Fields: date time s-comment
2009-07-31 09:28:31 CEST Loading plugin /System/Library/Extensions/PPTP.ppp
2009-07-31 09:28:31 CEST Listening for connections...
2009-07-31 09:28:54 CEST Incoming call... Address given to client = 10.3.10.1
Fri Jul 31 09:28:55 2009 : Directory Services Authentication plugin initialized
Fri Jul 31 09:28:55 2009 : Directory Services Authorization plugin initialized
Fri Jul 31 09:28:55 2009 : PPTP incoming call in progress from 'HEREWASMYCLIENTIP'...
Fri Jul 31 09:28:55 2009 : PPTP connection established.
Fri Jul 31 09:28:55 2009 : using link 0
Fri Jul 31 09:28:55 2009 : Using interface ppp0
Fri Jul 31 09:28:55 2009 : Connect: ppp0 <--> socket[34:17]
Fri Jul 31 09:28:55 2009 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xfebd0071> <pcomp> <accomp>]
Fri Jul 31 09:28:55 2009 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xc1569522> <pcomp> <accomp>]
Fri Jul 31 09:28:55 2009 : lcp_reqci: returning CONFACK.
Fri Jul 31 09:28:55 2009 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0xc1569522> <pcomp> <accomp>]
Fri Jul 31 09:28:55 2009 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xfebd0071> <pcomp> <accomp>]
Fri Jul 31 09:28:55 2009 : sent [LCP EchoReq id=0x0 magic=0xfebd0071]
Fri Jul 31 09:28:55 2009 : sent [CHAP Challenge id=0x87 <90748838ee766580e2607fe03aabb64d>, name = "MYSERVERHOSTNAMEHERE"]
Fri Jul 31 09:28:55 2009 : rcvd [LCP EchoReq id=0x0 magic=0xc1569522]
Fri Jul 31 09:28:55 2009 : sent [LCP EchoRep id=0x0 magic=0xfebd0071]
Fri Jul 31 09:28:55 2009 : rcvd [LCP EchoRep id=0x0 magic=0xc1569522]
Fri Jul 31 09:28:55 2009 : rcvd [CHAP Response id=0x87 <ed961c48a2d2bf4a740d5bc5c8fe52120000000000000000fad480211366fb8d7360a82a1cfe50 c9e994fe5f85c9166900>, name = "larsrohdin"]
Fri Jul 31 09:28:55 2009 : sent [CHAP Success id=0x87 "S=EB025BB4770A6FF010F57860F8B00FDE74FDDC00 M=Access granted"]
Fri Jul 31 09:28:55 2009 : CHAP peer authentication succeeded for larsrohdin
Fri Jul 31 09:28:55 2009 : DSAccessControl plugin: User 'larsrohdin' authorized for access
Fri Jul 31 09:28:55 2009 : MPPE required, but keys are not available. Possible plugin problem?
Fri Jul 31 09:28:55 2009 : sent [LCP TermReq id=0x2 "MPPE required but not available"]
Fri Jul 31 09:28:55 2009 : rcvd [CCP ConfReq id=0x1 <mppe +H -M +S +L -D -C>]
Fri Jul 31 09:28:55 2009 : rcvd [LCP TermAck id=0x2]
Fri Jul 31 09:28:55 2009 : Connection terminated.
Fri Jul 31 09:28:55 2009 : Connect time 0.0 minutes.
Fri Jul 31 09:28:55 2009 : Sent 0 bytes, received 0 bytes.
Fri Jul 31 09:28:55 2009 : PPTP disconnecting...
Fri Jul 31 09:28:55 2009 : PPTP disconnected
2009-07-31 09:28:55 CEST --> Client with address = 10.3.10.1 has hungup
I have tried everything in this thread:
http://discussions.apple.com/thread.jspa?threadID=1286988&tstart=0
and this one:
http://discussions.apple.com/thread.jspa?messageID=6560466
But no luck.
Any ideas? Anyone? Really do not want to reinstall my server again.
Or, as another solution, are there any third-party pptp-servers out there for osx server, as this one is really unreliable?
Best Regards,
Lars Rohdin
Message was edited by: larsrohdin
Tyghe got it right, HOWEVER, if your OD is munged for any reason OR there is more than one user, you may need to be more 'invasive' about cleaning up and then fixing this issue.
If you run the command `vpnaddkeyagentuser /LDAPv3/<od servername>` and it just keeps prompting you as if it isn't authenticating, your OD is probably either unstable or non-functional. It probably needs an archive and demote-promote.
If you run the command and it runs without prompting you for any username or password and adds an entry into the system keychain but does not create a user on the OD server, it is probably a similar issue to the one above.
The way I would deal with this is to clear the keychain of EVERY entry, then open WGM, delete all the VPN MPPE users, and try the command again. There will only be one user that contains the 'secret' password for MPPE use, attached to VPN, and the password is placed into the keychain; all others are now dead.
Peter -
PPTP "MPPE required, but keys are not available"
Dear all
Since the last reboot of my server I get the following error message in the VPN log file when a user tries to connect to the server through PPTP:
MPPE required, but keys are not available. Possible plugin problem?
Anyone have an idea, what could be wrong ?
Maybe as another piece of information: after restarting the server I had a problem that the VPN server was not started, because the L2TP definitions were not correct, the log file told me. So I have redefined the PPTP and L2TP settings, but disabled the L2TP login, because I had defined this "only" for test purposes. All definitions were made with Server Administrator.
Before the restart of the server, login through PPTP was working quite well...
I forgot to say that the server (Leopard 10.5.1) is an OD Master, which is working quite well (until now). The authentication type for PPTP is set to MS-CHAP (Kerberos is greyed out, I don't know why).
Cheers Daniel
Message was edited by: Daniel Lang
Here I now have some log files from vpnd... maybe this helps to see the problem I have overlooked:
Wed Dec 12 02:21:21 2007 : Directory Services Authentication plugin initialized
Wed Dec 12 02:21:21 2007 : Directory Services Authorization plugin initialized
Wed Dec 12 02:21:21 2007 : PPTP incoming call in progress from 'xxx.xxx.xxx.xxx'...
Wed Dec 12 02:21:21 2007 : PPTP connection established.
Wed Dec 12 02:21:21 2007 : using link 0
Wed Dec 12 02:21:21 2007 : Using interface ppp0
Wed Dec 12 02:21:21 2007 : Connect: ppp0 <--> socket[34:17]
Wed Dec 12 02:21:21 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x5045e9f1> <pcomp> <accomp>]
Wed Dec 12 02:21:21 2007 : rcvd [LCP ConfReq id=0x0 <mru 1400> <magic 0xfb9005f> <pcomp> <accomp> <callback CBCP>]
Wed Dec 12 02:21:21 2007 : lcp_reqci: rcvd unknown option 13
Wed Dec 12 02:21:21 2007 : lcp_reqci: returning CONFREJ.
Wed Dec 12 02:21:21 2007 : sent [LCP ConfRej id=0x0 <callback CBCP>]
Wed Dec 12 02:21:21 2007 : rcvd [LCP ConfReq id=0x1 <mru 1400> <magic 0xfb9005f> <pcomp> <accomp>]
Wed Dec 12 02:21:21 2007 : lcp_reqci: returning CONFACK.
Wed Dec 12 02:21:21 2007 : sent [LCP ConfAck id=0x1 <mru 1400> <magic 0xfb9005f> <pcomp> <accomp>]
Wed Dec 12 02:21:24 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x5045e9f1> <pcomp> <accomp>]
Wed Dec 12 02:21:24 2007 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x5045e9f1> <pcomp> <accomp>]
Wed Dec 12 02:21:24 2007 : sent [LCP EchoReq id=0x0 magic=0x5045e9f1]
Wed Dec 12 02:21:24 2007 : sent [CHAP Challenge id=0x82 <ea8c6372a227309685ab6c0a36d64aec>, name = "server.anywhere.com"]
Wed Dec 12 02:21:24 2007 : rcvd [LCP code=0xc id=0x2 0f b9 00 5f 4d 53 52 41 53 56 35 2e 31 30]
Wed Dec 12 02:21:24 2007 : sent [LCP CodeRej id=0x2 0c 02 00 12 0f b9 00 5f 4d 53 52 41 53 56 35 2e 31 30]
Wed Dec 12 02:21:24 2007 : rcvd [LCP code=0xc id=0x3 0f b9 00 5f 4d 53 52 41 53 2d 30 2d 50 43 31 36 37]
Wed Dec 12 02:21:24 2007 : sent [LCP CodeRej id=0x3 0c 03 00 15 0f b9 00 5f 4d 53 52 41 53 2d 30 2d 50 43 31 36 37]
Wed Dec 12 02:21:24 2007 : rcvd [LCP EchoRep id=0x0 magic=0xfb9005f]
Wed Dec 12 02:21:24 2007 : rcvd [CHAP Response id=0x82 <41....0>, name = "testuser"]
Wed Dec 12 02:21:24 2007 : DSAuth plugin: Could not retrieve key agent account information.
Wed Dec 12 02:21:24 2007 : sent [CHAP Success id=0x82 "S=4020C83B....A M=Access granted"]
Wed Dec 12 02:21:24 2007 : CHAP peer authentication succeeded for testuser
Wed Dec 12 02:21:24 2007 : DSAccessControl plugin: User 'testuser' authorized for access
Wed Dec 12 02:21:24 2007 : MPPE required, but keys are not available. Possible plugin problem?
Wed Dec 12 02:21:24 2007 : sent [LCP TermReq id=0x4 "MPPE required but not available"]
Wed Dec 12 02:21:24 2007 : rcvd [CCP ConfReq id=0x4 <mppe +H +M +S +L -D +C>]
Wed Dec 12 02:21:24 2007 : rcvd [IPCP ConfReq id=0x5 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-wins1 0.0.0.0> <ms-dns3 0.0.0.0> <ms-wins3 0.0.0.0>]
Wed Dec 12 02:21:24 2007 : rcvd [LCP TermAck id=0x4 "MPPE required but not available"]
Wed Dec 12 02:21:24 2007 : Connection terminated.
Wed Dec 12 02:21:24 2007 : Connect time 0.1 minutes.
Wed Dec 12 02:21:24 2007 : Sent 0 bytes, received 0 bytes.
Wed Dec 12 02:21:25 2007 : PPTP disconnecting...
Wed Dec 12 02:21:25 2007 : PPTP disconnected
2007-12-12 02:21:25 CET --> Client with address = 192.168.yyy.yyy has hungup -
MPPE required, but keys are not available.
I am trying connect my home computer to my office(MAcOS x Server)
error on MacOS X Server Log
Tue Sep 26 20:16:59 2006 : sent [CHAP Success id=0x1e "S=A1ED1D0E3ABF7A4187D8F43458C7C0C5F487B9AE M=Access granted"]
Tue Sep 26 20:16:59 2006 : DSAccessControl plugin: User 'ppina' authorized for access
Tue Sep 26 20:16:59 2006 : MPPE required, but keys are not available. Possible plugin problem?
Tue Sep 26 20:16:59 2006 : sent [LCP TermReq id=0x2 "MPPE required but not available"]
Tue Sep 26 20:16:59 2006 : rcvd [CCP ConfReq id=0x1 <mppe +H -M +S +L -D -C>]
Tue Sep 26 20:17:00 2006 : rcvd [LCP TermAck id=0x2]
Tue Sep 26 20:17:00 2006 : Connection terminated.
Tue Sep 26 20:17:00 2006 : Connect time 0.0 minutes.
Tue Sep 26 20:17:00 2006 : Sent 0 bytes, received 0 bytes.
Tue Sep 26 20:17:00 2006 : PPTP disconnecting...
Tue Sep 26 20:17:00 2006 : PPTP disconnected
2006-09-26 20:17:00 WEST --> Client with address = 172.16.12.119 has hungup
Run this
code:
sudo vpnaddkeyagentuser
Authenticate as your admin, and then if it does not give an error you should be all set.
See this http://docs.info.apple.com/article.html?artnum=107915 for more info (it talks about an LDAP server, but when I tried to add that 'user' to my LDAP server it did not help, so I added it locally (which is what the above command does) and then voilà!)
Peter
PowerMac G5 Dual 2.5Ghz Mac OS X (10.4.6) Server -
IPSec timeout: "ERROR Hybrid auth negotiated but peer did not succeed Xauth
I'm using the Cisco IPSec VPN client on the iPad to connect to a Linux server running racoon.
Initially the connection works fine but after a while it stalls completely due to a timeout.
Linux box logs:
13:18:00 Linux racoon: ERROR: Hybrid auth negotiated but peer did not succeed Xauth exchange
13:18:00 Linux racoon: ERROR: Attempt to start phase 2 whereas Xauth failed
13:18:03 Linux racoon: ERROR: Hybrid auth negotiated but peer did not succeed Xauth exchange
13:18:03 Linux racoon: ERROR: Attempt to start phase 2 whereas Xauth failed
iPad logs:
13:17:55 Pad racoon 719 <Info>: 719 INFO: initiate new phase 2 negotiation: 192.168.1.100[0]<=>x.x.x.x[0]
13:17:55 Pad racoon 719 <Info>: 719 INFO: NAT detected -> UDP encapsulation (ENC_MODE 1->3).
13:18:25 Pad racoon 719 <Info>: 719 ERROR: x.x.x.x give up to get IPsec-SA due to time up to wait.
Server-side racoon config:
remote anonymous {
    passive on;
    exchange_mode aggressive,main;
    my_identifier fqdn "xxxxxxxxx.xxx";
    generate_policy on;
    nat_traversal on;
    mode_cfg on;
    xauth_login "ipsecvpn";
    script "p1updown" phase1_up;
    script "p1updown" phase1_down;
    #dpd_delay 20;
    #dpd_retry 5;
    #dpd_maxfail 5;
    #dpd_algorithm dpdblackholedetect;
    initial_contact on;
    lifetime time 24 hour;
    proposal_check strict;
    proposal {
        encryption_algorithm aes 256;
        hash_algorithm sha1;
        dh_group 2;
        authentication_method xauthpskserver;
        # authentication_method presharedkey;
    }
}

mode_cfg {
    # auth_source pam;
    auth_source system;
    auth_throttle 3;
    auth_source system;
    save_passwd on;
    conf_source local;
    accounting system;
    network4 10.8.1.2;
    netmask4 255.255.255.0;
    pool_size 255;
    dns4 10.8.1.1;
    # default_domain "xxxxxxxxx.xxx";
    # split_network include 10.8.0.0/16;
    # split_dns "xxxxxxxxx.xxx";
    pfs_group 2;
}

sainfo anonymous {
    lifetime time 12 hour;
    # lifetime byte 50 MB;
    encryption_algorithm aes, blowfish;
    authentication_algorithm hmac_sha1 ;
    compression_algorithm deflate ;
    pfs_group 2;
}
# EOF
iPad fw: 3.2.1 (same problem also with 3.2.2)
Any ideas?
Re-keying issue? I dunno. The manual mentions Phase 1, and your log points to Phase 2, but maybe it's worth a shot.
"Re-keying of Phase 1: Not currently supported. Recommend that re-keying times on
the server be set to approximately one hour."
Incidentally, how do you get logs off of the iPad? -
I am trying to download a free trial of Photoshop for my MacBook Pro and it says there is an error and that the requirements for the new version are not supported for the Mac I have. I have looked at the list of requirements but have no idea how to tell what I do and do not have?
Apple Menu --> About this Mac.
Mylenium -
Getting Error 789 When Trying to Connect to L2TP VPN
Can someone take a quick look at this config and let me know why the L2TP vpn is not working? I have been banging my head with no results.
Thanks so much if anyone can help me.
ASA Version 8.2(5)
hostname companyASA
domain-name *****.com
enable password encrypted
passwd encrypted
names
name 192.168.1.0 AppletonData description Appleton Data
name 172.16.0.0 AppletonVoice description Appleton Voice
name 172.16.16.0 Watertown description Watertown
name 10.0.0.0 anyInside description anyInside
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
switchport access vlan 209
interface Ethernet0/7
switchport access vlan 209
interface Vlan1
nameif inside
security-level 100
ip address 10.76.3.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 12.XXX.XXX.XXX 255.255.255.0
interface Vlan209
nameif IPOffice
security-level 50
ip address 10.10.109.1 255.255.255.0
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8
domain-name *****.com
object-group network obj_any
object-group network Any10Address
description Data and Phone Networks Combined
object-group network AppletonData
description Appleton Data Network
object-group network AppletonPhone
description Appleton Phone Network
object-group network NETWORK_OBJ_10.76.3.0_24
object-group network Watertown
description Watertown Network
object-group network NETWORK_OBJ_10.10.109.0_24
object-group network Internal-Subnet
access-list Split-Tunnel-ACL standard permit 10.76.3.0 255.255.255.0
access-list outside_access_in extended permit icmp any any inactive
access-list outside_1_cryptomap extended permit ip 10.76.3.0 255.255.255.0 AppletonData 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.76.3.0 255.255.255.0 AppletonData 255.255.255.0
access-list inside_nat0_outbound extended permit ip anyInside 255.0.0.0 Watertown 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.76.3.0 255.255.255.0 192.168.50.0 255.255.255.192
access-list IPOffice_nat0_outbound extended permit ip 10.10.109.0 255.255.255.0 AppletonVoice 255.255.255.0
access-list IPOffice_nat0_outbound extended permit ip anyInside 255.0.0.0 Watertown 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.10.109.0 255.255.255.0 AppletonVoice 255.255.255.0
access-list outside_3_cryptomap extended permit ip anyInside 255.0.0.0 Watertown 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.76.3.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu IPOffice 1500
ip local pool VPN_Pool 192.168.50.10-192.168.50.50 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
nat (IPOffice) 0 access-list IPOffice_nat0_outbound
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 12.133.127.169 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 10.76.3.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set l2tp-transform esp-3des esp-sha-hmac
crypto ipsec transform-set l2tp-transform mode transport
crypto ipsec transform-set vpn-transform esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn-map 10 set transform-set l2tp-transform vpn-transform
crypto dynamic-map dyn-map 10 set reverse-route
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 99.6XX.XXX.XXX
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 99.1XX.XXX.XXX
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer 24.XXX.XXX.XXX
crypto map L2TP-VPN-MAP 1 match address outside_1_cryptomap
crypto map L2TP-VPN-MAP 1 set pfs
crypto map L2TP-VPN-MAP 1 set peer 99.6XX.XXX.XXX
crypto map L2TP-VPN-MAP 1 set transform-set ESP-3DES-SHA
crypto map L2TP-VPN-MAP 2 match address outside_2_cryptomap
crypto map L2TP-VPN-MAP 2 set pfs
crypto map L2TP-VPN-MAP 2 set peer 99.1XX.XXX.XXX
crypto map L2TP-VPN-MAP 2 set transform-set ESP-3DES-SHA
crypto map L2TP-VPN-MAP 3 match address outside_3_cryptomap
crypto map L2TP-VPN-MAP 3 set pfs
crypto map L2TP-VPN-MAP 3 set peer 24.XXX.XXX.XXX
crypto map L2TP-VPN-MAP 3 set transform-set ESP-3DES-SHA
crypto map vpn-map 10 ipsec-isakmp dynamic dyn-map
crypto map vpn-map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 10.76.3.5-10.76.3.254 inside
dhcpd dns 8.8.8.8 interface inside
dhcpd domain *****.com interface inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value *****.com
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol l2tp-ipsec
group-policy GroupPolicy_99.6XX.XXX.XXX internal
group-policy GroupPolicy_99.6XX.XXX.XXX attributes
vpn-tunnel-protocol IPSec
group-policy GroupPolicy_24.XXX.XXX.XXX internal
group-policy GroupPolicy_24.XXX.XXX.XXX attributes
vpn-tunnel-protocol IPSec
group-policy GroupPolicy_99.1XX.XXX.XXX internal
group-policy GroupPolicy_99.1XX.XXX.XXX attributes
vpn-tunnel-protocol IPSec
group-policy vpn-policy internal
group-policy vpn-policy attributes
vpn-tunnel-protocol IPSec
username support password encrypted privilege 15
username lmk1 password nt-encrypted
username admin password encrypted privilege 15
username drm1 password nt-encrypted
username jms1 password nt-encrypted
username tcb1 password nt-encrypted
username jmb1 password nt-encrypted
username enm1 password nt-encrypted
username jason password nt-encrypted
username amw1 password nt-encrypted
username alp1 password nt-encrypted
username lab1 password nt-encrypted
tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive threshold 15 retry 2
tunnel-group DefaultRAGroup general-attributes
address-pool VPN_Pool
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
isakmp keepalive disable
tunnel-group DefaultRAGroup ppp-attributes
authentication pap
no authentication chap
authentication ms-chap-v2
tunnel-group 99.6XX.XXX.XXX type ipsec-l2l
tunnel-group 99.6XX.XXX.XXX general-attributes
default-group-policy GroupPolicy_99.6XX.XXX.XXX
tunnel-group 99.6XX.XXX.XXX ipsec-attributes
pre-shared-key *****
tunnel-group 99.1XX.XXX.XXX type ipsec-l2l
tunnel-group 99.1XX.XXX.XXX general-attributes
default-group-policy GroupPolicy_99.1XX.XXX.XXX
tunnel-group 99.1XX.XXX.XXX ipsec-attributes
pre-shared-key *****
tunnel-group 24.XXX.XXX.XXX type ipsec-l2l
tunnel-group 24.XXX.XXX.XXX general-attributes
default-group-policy GroupPolicy_24.XXX.XXX.XXX
tunnel-group 24.XXX.XXX.XXX ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
What is the version of Contribute and also the Mac OS?
Can you try clearing the Preferences this would be like launching Contribute freshly? -
Tried loading the latest version of iTunes but the download would not complete. Now when I connect my phone via USB I get an error stating required files are missing, reinstall iTunes. I tried that but the reinstall keeps timing out?
For general advice see Troubleshooting issues with iTunes for Windows updates.
The steps in the second box are a guide to removing everything related to iTunes and then rebuilding it which is often a good starting point unless the symptoms indicate a more specific approach. Review the other boxes and the list of support documents further down the page in case one of them applies.
The further information area has direct links to the current and recent builds in case you have problems downloading, need to revert to an older version or want to try the iTunes for Windows (64-bit - for older video cards) release as a workaround for performance issues or compatibility with QuickTime or third party software.
Your library should be unaffected by these steps but there are also links to backup and recovery advice should it be needed.
tt2 -
Help please! I downloaded Mavericks but the install failed. The message stated there was an error with the disk which required repairing. Using Disk Utility, repair disk is not available (greyed out) and verify disk stops and says the disk requires repairing. So the online support page suggests I erase the disk and reinstall, then restore from Time Machine (I have a recent backup). But when I try to erase the Macintosh HD I get the message "volume erase failed" with the error "couldn't unmount disk".
I'd be very grateful for any help anyone can give me.
I have a MacBook Pro 17" mid 2009, running Snow Leopard 10.6.8 ... I lost the Snow Leopard disk so I don't know what to do from there ... I tried restarting by holding SHIFT (safe mode) after the chime comes up, but it doesn't seem to make any difference ... please help !!
thank you sooo much
many many thanks for your help guys !!
Whenever a new version of OS X is installed, the disk is checked, just as if you were using Disk Utility, to see if the disk is damaged. And, from what you report, your disk is damaged and needs to be replaced. This isn't a fault with Mavericks - your disk may have been failing for years.
It's a very good thing that you've a recent backup as you're going to need it. I would suggest that you evaluate what functionality that you need in a new disk and go shopping at OWC for a new drive - HGST (or any Hitachi), Seagate SSHDs or Toshiba drives are all good. Be sure that you buy an enclosure for the 'new' drive so that you can format it using Disk Utility before installing it into your machine - you can get one of those from OWC as well.
Good luck - call back with any questions...
Clinton -
Cannot connect to RV110w VPN error 619
Hello,
I'm having problems logging into my RV110w using either QuickVPN or a Windows PPTP client connection....
I've been following the guide here but I just can't connect.... I can connect via remote management, however....
https://supportforums.cisco.com/document/124251/remote-vpn-tunnel
So :
IPSec, PPTP and L2Tp enabled.
RV110w firewall enabled
Block WAN Request enabled
Remote Management enabled - port 443
MPPE Encryption Enabled
Netbios over VPN Enabled
2 Clients created one for quickvpn and one for pptp.
Win 7 firewall enabled at remote end with a rule to allow inbound ICMP Echo.
Exported Certificate and copied to the quickvpn install folder.
Disabled all other network adapters
QuickVPN tries to connect then shows a message listing possible reasons for a failed connection....
The quickvpn log shows:
2015/02/01 12:14:58 [STATUS]OS Version: Windows 7
2015/02/01 12:14:58 [STATUS]Windows Firewall Domain Profile Settings: ON
2015/02/01 12:14:58 [STATUS]Windows Firewall Private Profile Settings: ON
2015/02/01 12:14:58 [STATUS]Windows Firewall Private Profile Settings: ON
2015/02/01 12:14:58 [STATUS]One network interface detected with IP address 192.168.1.79
2015/02/01 12:14:58 [STATUS]Connecting...
2015/02/01 12:14:58 [DEBUG]Input VPN Server Address = 90.2.30.86
2015/02/01 12:14:58 [STATUS]Connecting to remote gateway with IP address: 90.2.30.86
2015/02/01 12:14:59 [STATUS]Remote gateway was reached by https ...
2015/02/01 12:14:59 [WARNING]Remote gateway wasn't reached...
2015/02/01 12:14:59 [WARNING]Failed to connect.
2015/02/01 12:15:20 [WARNING]Remote gateway wasn't reached...
2015/02/01 12:15:20 [WARNING]Failed to connect.
2015/02/01 12:15:20 [WARNING]Failed to connect!
The RV110w doesn't seem to log anything...?
If I try to connect using a windows pptp vpn connection I get an error 619 straight away and the RV110w log shows:
1  2015-02-01 12:20:14 AM  info   pptpd[22775]: CTRL: Client 123.150.210.162 control connection finished
2  2015-02-01 12:20:14 AM  debug  pptpd[22775]: CTRL: Reaping child PPP[22780]
3  2015-02-01 12:20:14 AM  err    pptpd[22775]: CTRL: PTY read or GRE write failed (pty,gre)=(12,13)
4  2015-02-01 12:20:14 AM  err    pptpd[22775]: GRE: read(fd=12,buffer=451c4c,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
5  2015-02-01 12:20:14 AM  err    pppd[22780]: but I couldn't find any suitable secret (password) for it to use to do so.
6  2015-02-01 12:20:14 AM  err    pppd[22780]: The remote system is required to authenticate itself
7  2015-02-01 12:20:14 AM  info   pptpd[22775]: CTRL: Starting call (launching pppd, opening GRE)
8  2015-02-01 12:20:14 AM  info   pptpd[22775]: CTRL: Client 123.150.210.162 control connection started
This is all behind a TalkTalk fibre router; they say it's transparent and doesn't block anything, but they won't support me any further than that. Ports 443 and 1723 do seem to be open when I scan, so as far as I can see the TalkTalk router is transparent.
Do I need to create any rules on the RV110w firewall to get this working, or forward any ports to the router itself?
Thanks for any help, Kevin
I believe the problem is in iOS, as I am experiencing the same issue.
I have a Yosemite Server running the L2TP VPN server and my Mac connects flawlessly, while neither the iPhone nor the iPad (both 8.2) are able to connect.
The error is the same, "The L2TP-VPN server did not respond", and by looking at the server's log it seems iOS didn't even try to connect.
I have tried changing the server address in iOS to the corresponding IP, but the result is the same.
Maybe a network setting reset? -
OS X Server / VPN /The L2TP-VPN server did not respond...HELP!
I am very new to OS X Server and my goal is to set up DNS & VPN! I would like to have this set up to be able to connect into my Apple computer from work or a friend's house. I am using an Apple AirPort Extreme router and I'm also using the latest version of OS X Mountain Lion with OS X Server installed. I have started an account with the dyndns website for a user host name (using a [email protected] address). I assume this would be used as an alternate way of being able to connect without starting a personal website. I also signed up for another site (no-ip) and I now have a different IP address (not sure if that was necessary). I then followed instructions on YouTube (instructional videos by Todd for OS X Server Mountain Lion) which seemed to be very easy to understand. But after setting up my VPN on the client side (Network settings in System Preferences), I tried to connect to the VPN (L2TP) and I receive this error message: "The L2TP-VPN server did not respond. Try reconnecting. If the problem continues, verify your settings and contact your Administrator." When I open Console in the Utilities folder, I am seeing part of the following message below:
racoon[117]: IKE Packet: transmit success. (Phase1 Retransmit).
racoon[117]: IKE Packet: receive failed. (malformed or unexpected cookie).
pppd[490]: IPSec connection failed
Does anyone know what's happening or what I need to do to fix this? Or can someone tell me the basic requirements for setting things up correctly? I'm using Comcast for my ISP and from the wall I have a Motorola Surfboard 6120 cable modem (not sure how to access the settings on the modem). So basically I have my 6120 cable modem connected to the Apple AirPort Extreme router, which is then wirelessly connected to my MacBook Pro. I'm providing screenshots of my Apple router settings, OS X Server settings and firewall (which is turned off) settings. Any suggestion on how I should set things up, or if you can tell me step by step, would be greatly appreciated.
-
VPN Problems - The L2TP-VPN server did not respond
Okay, so I read quite a few threads about this and can't really figure it out. Would be great if I can get some handholding.
I'm a complete newbie, trying to set up Server for home use. The VPN service seems to be running fine, but I just can't connect from the clients, it just keeps saying "The L2TP-VPN server did not respond". Here is a glimpse at my settings:
- I have opened up all the relevant ports for UDP (500,1701,4500) and TCP (1723). But this is only required for the Server, right?
- I don't have a domain name yet so just using my external IP. This is what I put in under VPN Host name in the Server and Client settings.
- I login with username and password credentials for one of my network users as created in the Server. Format is [email protected] and the password is the same as the login password.
** I seem to get an 'authentication failed' error if I just use my local IP address... Not sure what's happening there, but before that I need to be able to connect to Server with the external IP!
Am I missing something? Why won't my client connect, and that too when I'm at home?
To run a public VPN server behind a NAT gateway, you need to do the following:
1. Give the gateway either a static external address or a dynamic DNS name. The latter must be a DNS record on a public DNS registrar, not on the server itself. Also in the latter case, you must run a background process to keep the DNS record up to date when your IP address changes.
2. Give the VPN server a static address on the local network, and a hostname that is not in the top-level domain "local" (which is reserved for Bonjour.)
3. Forward external UDP ports 500, 1701, and 4500 (for L2TP) and TCP port 1723 (for PPTP) to the corresponding ports on the VPN server.
If your router is an Apple device, select the Network tab in AirPort Utility and click Network Options. In the sheet that opens, check the box marked
Allow incoming IPSec authentication
if it's not already checked, and save the change.
With a third-party router, there may be a similar setting.
4. Configure any firewall in use to pass this traffic.
5. Each client must have an address on a netblock that doesn't overlap the one assigned by the VPN endpoint. For example, if the endpoint assigns addresses in the 10.0.0.0/24 range, and the client has an address on a local network in the 10.0.1.0/24 range, that's OK, but if the local network is 10.0.1.0/16, there will be a conflict. To lessen the chance of such conflicts, it's best to assign addresses in a random sub-block of 10.0.0.0/0 with a 24-bit netmask.
6. "Back to My Mac" on the server is incompatible with the VPN service.
If the server is directly connected to the Internet, see this blog post. -
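As an added illustration of steps 3 and 5 of the reply above (example code written for this page, not from the original poster), the following checks a client's local network against the VPN pool, picks a random /24 pool the way step 5 recommends, and lists the port-forward rules of step 3. The 10.0.0.0/8 parent block, the 192.168.1.10 server address and the port table are this example's assumptions; the port numbers themselves are the ones the reply names.

```python
"""Added example for steps 3 and 5 above (not code from the original reply):
checks a client network against the VPN address pool, picks a random /24 pool
inside a private block, and lists the ports that must be forwarded."""
import ipaddress
import secrets

# Ports from step 3 of the reply (constructed table).  PPTP additionally needs
# GRE (IP protocol 47) to pass; that is not a port, so no port-forward covers it.
VPN_FORWARD_PORTS = {
    "L2TP/IPsec": [("udp", 500), ("udp", 1701), ("udp", 4500)],
    "PPTP": [("tcp", 1723)],
}


def overlaps(vpn_pool: str, client_net: str) -> bool:
    """True when the VPN pool and the client's local network share addresses.

    strict=False accepts a prefix written with host bits set (e.g. 10.0.1.0/16,
    as in the reply) instead of raising."""
    a = ipaddress.ip_network(vpn_pool, strict=False)
    b = ipaddress.ip_network(client_net, strict=False)
    return a.overlaps(b)


def conflicting_clients(vpn_pool: str, client_nets) -> list:
    """Subset of client networks that would conflict with the pool (step 5)."""
    return [n for n in client_nets if overlaps(vpn_pool, n)]


def random_pool(parent: str = "10.0.0.0/8", prefixlen: int = 24,
                rng=secrets.randbelow) -> ipaddress.IPv4Network:
    """Pick a random sub-block of `parent` with the given prefix length.

    The 10.0.0.0/8 parent is an assumption of this example; `rng` is
    injectable so the choice can be made deterministic in a test."""
    parent_net = ipaddress.ip_network(parent)
    if prefixlen <= parent_net.prefixlen:
        raise ValueError("pool prefix must be longer than the parent prefix")
    block_size = 2 ** (32 - prefixlen)
    choices = 2 ** (prefixlen - parent_net.prefixlen)
    base = int(parent_net.network_address) + rng(choices) * block_size
    return ipaddress.ip_network(f"{ipaddress.IPv4Address(base)}/{prefixlen}")


def forwarding_rules(server_ip: str, protocols=("L2TP/IPsec", "PPTP")) -> list:
    """(transport, external port, internal target) tuples for the gateway."""
    return [(transport, port, f"{server_ip}:{port}")
            for proto in protocols
            for transport, port in VPN_FORWARD_PORTS[proto]]


if __name__ == "__main__":
    pool = "10.0.0.0/24"                                   # the reply's example pool
    print(conflicting_clients(pool, ["10.0.1.0/24", "10.0.1.0/16"]))  # ['10.0.1.0/16']
    print(random_pool())
    for rule in forwarding_rules("192.168.1.10"):          # constructed server address
        print(rule)
```

Run it with a list of the networks your clients actually sit on (home, office, hotspot) before settling on a pool; the overlap check is the part people skip and then chase as a mysterious "connected but no traffic" problem.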
Server L2TP VPN will not connect after OS X restart
I have configured an L2TP VPN service in Server v4.1 running in Yosemite v10.10.3 on an OWC 480 GB SSD in a MB Mini late 2012. After any OS X restart the VPN service starts up normally but the client on my iOS 8 phone, or the clients on my three other devices, iMac, MB Air or MB Pro (all running the latest Yosemite), cannot connect to it. They report service unavailable. However, if I turn the service off and then on again in the Server app, everything works as planned and continues to work until the next restart. All the other Server services configured (Website, Caching and Time Machine) work without having to perform the off-then-on switch after the Server app starts up.
This is generally not a problem, but if I am abroad and the Mini reboots itself following a power cut, I lose my VPN service until I can either get someone to do the off-then-on switch or attempt it myself with TeamViewer VNC. Has anyone any idea how I can force the VPN service to work straight after the Server app starts?
Thanks
1. This procedure is a diagnostic test. It changes nothing, for better or worse, and therefore will not, in itself, solve the problem. But with the aid of the test results, the solution may take a few minutes, instead of hours or days.
The test works on OS X 10.7 ("Lion") and later. I don't recommend running it on older versions of OS X. It will do no harm, but it won't do much good either.
Don't be put off by the complexity of these instructions. The process is much less complicated than the description. You do harder tasks with the computer all the time.
2. If you don't already have a current backup, back up all data before doing anything else. The backup is necessary on general principle, not because of anything in the test procedure. Backup is always a must, and when you're having any kind of trouble with the computer, you may be at higher than usual risk of losing data, whether you follow these instructions or not.
There are ways to back up a computer that isn't fully functional. Ask if you need guidance.
3. Below are instructions to run a UNIX shell script, a type of program. As I wrote above, it changes nothing. It doesn't send or receive any data on the network. All it does is to generate a human-readable report on the state of the computer. That report goes nowhere unless you choose to share it. If you prefer, you can act on it yourself without disclosing the contents to me or anyone else.
You should be wondering whether you can believe me, and whether it's safe to run a program at the behest of a stranger. In general, no, it's not safe and I don't encourage it.
In this case, however, there are a couple of ways for you to decide whether the program is safe without having to trust me. First, you can read it. Unlike an application that you download and click to run, it's transparent, so anyone with the necessary skill can verify what it does.
You may not be able to understand the script yourself. But variations of it have been posted on this website thousands of times over a period of years. The site is hosted by Apple, which does not allow it to be used to distribute harmful software. Any one of the millions of registered users could have read the script and raised the alarm if it was harmful. Then I would not be here now and you would not be reading this message. See, for example, this discussion.
Nevertheless, if you can't satisfy yourself that these instructions are safe, don't follow them. Ask for other options.
4. Here's a general summary of what you need to do, if you choose to proceed:
☞ Copy a particular line of text to the Clipboard.
☞ Paste into the window of another application.
☞ Wait for the test to run. It usually takes a few minutes.
☞ Paste the results, which will have been copied automatically, back into a reply on this page.
These are not specific instructions; just an overview. The details are in parts 7 and 8 of this comment. The sequence is: copy, paste, wait, paste again. You don't need to copy a second time.
5. Try to test under conditions that reproduce the problem, as far as possible. For example, if the computer is sometimes, but not always, slow, run the test during a slowdown.
You may have started up in safe mode. If the system is now in safe mode and works well enough in normal mode to run the test, restart as usual. If you can only test in safe mode, do that.
6. If you have more than one user, and the one affected by the problem is not an administrator, then please run the test twice: once while logged in as the affected user, and once as an administrator. The results may be different. The user that is created automatically on a new computer when you start it for the first time is an administrator. If you can't log in as an administrator, test as the affected user. Most personal Macs have only one user, and in that case this section doesn’t apply. Don't log in as root.
7. Load this linked web page (on the website "Pastebin.") The title of the page is "Diagnostic Test." Below the title is a text box headed by three small icons. The one on the right represents a clipboard. Click that icon to select the text, then copy it to the Clipboard on your computer by pressing the key combination command-C.
If the text doesn't highlight when you click the icon, select it by triple-clicking anywhere inside the box. Don't select the whole page, just the text in the box.
8. Launch the built-in Terminal application in any of the following ways:
☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
☞ Open LaunchPad and start typing the name.
Click anywhere in the Terminal window to activate it. Paste from the Clipboard into the window by pressing command-V, then press return. The text you pasted should vanish immediately.
9. If you see an error message in the Terminal window such as "Syntax error" or "Event not found," enter
exec bash
and press return. Then paste the script again.
10. If you're logged in as an administrator, you'll be prompted for your login password. Nothing will be displayed when you type it. You will not see the usual dots in place of typed characters. Make sure caps lock is off. Type carefully and then press return. You may get a one-time warning to be careful. If you make three failed attempts to enter the password, the test will run anyway, but it will produce less information. If you don't know the password, or if you prefer not to enter it, just press return three times at the password prompt. Again, the script will still run.
If you're not logged in as an administrator, you won't be prompted for a password. The test will still run. It just won't do anything that requires administrator privileges.
11. The test may take a few minutes to run, depending on how many files you have and the speed of the computer. A computer that's abnormally slow may take longer to run the test. While it's running, a series of lines will appear in the Terminal window like this:
[Process started]
Part 1 of 8 done at … sec
Part 8 of 8 done at … sec
The test results are on the Clipboard.
Please close this window.
[Process completed]
The intervals between parts won't be exactly equal, but they give a rough indication of progress. The total number of parts may be different from what's shown here.
Wait for the final message "Process completed" to appear. If you don't see it within about ten minutes, the test probably won't complete in a reasonable time. In that case, press the key combination control-C or command-period to stop it and go to the next step. You'll have incomplete results, but still something.
12. When the test is complete, or if you stopped it because it was taking too long, quit Terminal. The results will have been copied to the Clipboard automatically. They are not shown in the Terminal window. Please don't copy anything from there. All you have to do is start a reply to this comment and then paste by pressing command-V again.
At the top of the results, there will be a line that begins with the words "Start time." If you don't see that, but instead see a mass of gibberish, you didn't wait for the "Process completed" message to appear in the Terminal window. Please wait for it and try again.
If any private information, such as your name or email address, appears in the results, anonymize it before posting. Usually that won't be necessary.
13. When you post the results, you might see an error message on the web page: "You have included content in your post that is not permitted," or "The message contains invalid characters." That's a bug in the forum software. Please post the test results on Pastebin, then post a link here to the page you created.
14. This is a public forum, and others may give you advice based on the results of the test. They speak for themselves, not for me. The test itself is harmless, but whatever else you're told to do may not be. For others who choose to run it, I don't recommend that you post the test results on this website unless I asked you to.
Copyright © 2014, 2015 by Linc Davis. As the sole author of this work (including the referenced "Diagnostic Test"), I reserve all rights to it except as provided in the Use Agreement for the Apple Support Communities website ("ASC"). Readers of ASC may copy it for their own personal use. Neither the whole nor any part may be redistributed. -
Cisco 5505 VPN assistance - Resending P1 and Peer to Peer List No match
Hello, and thanks in advance to anyone who can help me with the IPSec connection. The VPNs were working when I first created them but now they won't connect. Here is the error on the primary (local) firewall: (yes, I know the time isn't set yet on the firewall)
4|May 17 2007|13:51:55|713903|||||IP = X.X.X.X, Error: Unable to remove PeerTblEntry
3|May 17 2007|13:51:55|713902|||||IP = X.X.X.X, Removing peer from peer table failed, no match!
6|May 17 2007|13:51:55|713905|||||IP = X.X.X.X, P1 Retransmit msg dispatched to MM FSM
5|May 17 2007|13:51:55|713201|||||IP = X.X.X.X, Duplicate Phase 1 packet detected. Retransmitting last packet.
6|May 17 2007|13:51:47|713905|||||IP = X.X.X.X, P1 Retransmit msg dispatched to MM FSM
5|May 17 2007|13:51:47|713201|||||IP = X.X.X.X, Duplicate Phase 1 packet detected. Retransmitting last packet.
The local firewall has one VPN configured and the remote has 2 (1 working and the other not). The local firewall is Base licensing with 3DES. As far as I can tell they have the same VPN parameters, but maybe the remote has pfs1 turned on? I've played with various settings and can't seem to get it to work. The crypto map has the same firewall rules in it (obviously reversed on the remote). Any help much appreciated! I have a third site doing exactly the same thing (once again it also works on another site-to-site but not this one). It's weird because I used the IPSec wizard and got it to work, and rebooted the ASA and the tunnel came up yet again, but now my debug log is just full of this info and the tunnels never come up... the only time it was up was for a few hours, then it won't come up anymore... odd.
Local Fire Wall:
hostname ciscoasa
names
name 172.25.42.0 MASALan
name 172.25.7.0 FHR
name 172.25.43.0 MR
interface Vlan1
nameif inside
security-level 100
ip address 172.25.6.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 10.10.10.30 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport access vlan 2
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
boot system disk0:/asa821-k8.bin
ftp mode passive
dns server-group DefaultDNS
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network inside-network
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
protocol-object igmp
protocol-object gre
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
protocol-object igmp
protocol-object gre
object-group network DM_INLINE_NETWORK_4
network-object MASALan 255.255.255.0
network-object MR 255.255.255.0
object-group network DM_INLINE_NETWORK_6
network-object 172.25.6.0 255.255.255.0
network-object FHR 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object icmp
protocol-object igmp
protocol-object gre
object-group network DM_INLINE_NETWORK_3
network-object 172.25.6.0 255.255.255.0
network-object FHR 255.255.255.0
object-group network DM_INLINE_NETWORK_5
network-object MASALan 255.255.255.0
network-object MR 255.255.255.0
access-list outside_2_cryptomap extended permit ip 172.25.6.0 255.255.255.0 MASALan 255.255.255.0
access-list NONAT extended permit ip any 172.25.4.0 255.255.255.0
access-list NONAT extended permit ip 172.25.6.0 255.255.255.0 MASALan 255.255.255.0
access-list NONAT extended permit ip FHR 255.255.255.0 MR 255.255.255.0
access-list NONAT extended permit ip object-group DM_INLINE_NETWORK_3 object-group DM_INLINE_NETWORK_5
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_3 object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_NETWORK_6
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool RemotePool 172.25.4.1-172.25.4.2 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
route inside 172.25.1.0 255.255.255.0 172.25.6.2 1
route inside 172.25.2.0 255.255.255.0 172.25.6.2 1
route inside 172.25.8.0 255.255.255.0 172.25.6.4 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 172.25.0.0 255.255.0.0 outside
http 172.25.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 216.183.157.158
crypto map outside_map 2 set transform-set ESP-AES-128-SHA
crypto map outside_map 2 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh 172.25.0.0 255.255.0.0 inside
ssh 172.25.6.0 255.255.255.0 inside
ssh 172.25.0.0 255.255.0.0 outside
ssh timeout 60
console timeout 0
management-access inside
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-filter none
vpn-tunnel-protocol IPSec
tunnel-group osfdremote ipsec-attributes
pre-shared-key *
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X general-attributes
default-group-policy GroupPolicy1
tunnel-group X.X.X.X ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
REMOTE FIREWALL
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group CHN
ip address pppoe setroute
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
network-object 172.25.42.0 255.255.255.0
network-object RFN 255.255.255.0
object-group network DM_INLINE_NETWORK_2
network-object RHQASAnet 255.255.255.0
network-object RHQNet 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object gre
protocol-object tcp
object-group network DM_INLINE_NETWORK_3
network-object 172.25.42.0 255.255.255.0
network-object RFN 255.255.255.0
object-group network DM_INLINE_NETWORK_4
network-object FHData 255.255.255.0
network-object FHR 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object gre
protocol-object tcp
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any any eq www
access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 RHQASAnet 255.255.255.0
access-list inside_nat0_outbound extended permit ip RFN 255.255.255.0 RHQNet 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.25.42.0 255.255.255.0 RHQASAnet 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.5.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip 172.25.42.0 255.255.255.0 FHData 255.255.255.0
access-list inside_nat0_outbound extended permit ip RFN 255.255.255.0 FHR 255.255.255.0
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any object-group DM_INLINE_NETWORK_2
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any object-group DM_INLINE_NETWORK_4
access-list outside_cryptomap_1 extended permit ip object-group DM_INLINE_NETWORK_3 FHData 255.255.255.0
no pager
logging enable
logging asdm debugging
mtu inside 1500
mtu outside 1500
ip local pool 192.168.5.1 192.168.5.1-192.168.5.10 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.110.10.1 1
route inside RFN 255.255.255.0 172.25.42.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.25.0.0 255.255.0.0 inside
http 10.7.72.0 255.255.255.0 inside
http 192.168.5.0 255.255.255.0 inside
http 192.168.5.0 255.255.255.0 outside
http RHQNet 255.255.255.0 inside
http RHQASAnet 255.255.255.0 inside
http RHQASAnet 255.255.255.0 outside
http RHQNet 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map0 2 match address outside_cryptomap_1
crypto map outside_map0 2 set peer Y.Y.Y.Y
crypto map outside_map0 2 set transform-set ESP-AES-128-SHA
crypto map outside_map0 2 set security-association lifetime seconds 28800
crypto map outside_map0 2 set security-association lifetime kilobytes 4608000
crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map0 interface outside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.255.255 inside
telnet 172.25.0.0 255.255.0.0 inside
telnet 192.168.5.0 255.255.255.0 inside
telnet 192.168.5.0 255.255.255.0 outside
telnet timeout 5
ssh 192.168.5.0 255.255.255.0 inside
ssh 192.168.5.0 255.255.255.0 outside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol IPSec
group-policy remotevpn internal
group-policy remotevpn attributes
vpn-tunnel-protocol IPSec
vpn-group-policy remotevpn
tunnel-group Y.Y.Y.Y type ipsec-l2l
tunnel-group Y.Y.Y.Y general-attributes
default-group-policy GroupPolicy1
tunnel-group Y.Y.Y.Y ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
policy-map global-policy
class inspection_default
inspect pptp
service-policy global_policy global
prompt hostname context
May 18 08:13:03 [IKEv1 DEBUG]: IP = X.X.X.X, IKE MM Responder FSM error history (struct &0xd578cda0) , : MM_DONE, EV_ERROR-->MM_WAIT_MSG3, EV_RESEND_MSG-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG-->MM_SND_MSG2, EV_START_TMR-->MM_SND_MSG2, EV_RESEND_MSG-->MM_WAIT_MSG3, EV_RESEND_MSG-->MM_WAIT_MSG3, NullEvent
May 18 08:13:03 [IKEv1 DEBUG]: IP = X.X.X.X, IKE SA MM:8e338e16 terminating: flags 0x01000002, refcnt 0, tuncnt 0
May 18 08:13:03 [IKEv1 DEBUG]: IP = X.X.X.X, sending delete/delete with reason message
May 18 08:13:03 [IKEv1]: IP = X.X.X.X, Removing peer from peer table failed, no match!
May 18 08:13:03 [IKEv1]: IP = X.X.X.X, Error: Unable to remove PeerTblEntr
Is the result and then it repeats =) -
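As an added diagnostic for the two configs posted above (example code written for this page, not from Cisco or from the thread), the following parses the crypto-relevant lines of each side and reports the settings that must agree for a site-to-site tunnel: which crypto ACLs are actually bound to a crypto-map entry, which Phase 1 policy pairs are compatible, whether the Phase 2 transform sets and PFS match, and whether NAT-T is disabled. LOCAL_CFG and REMOTE_CFG are excerpts of the posted configs with the masked Y.Y.Y.Y peer kept as posted; the ISAKMP policy sub-lines are parsed without the indentation the forum stripped. On these excerpts it reports the remote ACL outside_cryptomap as referenced by no crypto-map entry, policies 1 and 5 as a compatible Phase 1 pair, identical transform sets, no PFS on either static entry, group1 PFS on the remote's dynamic map, and NAT-T disabled on the local side.

```python
"""Added example (not from the original thread): parse the IKE/IPsec parts of
two ASA configs and check the settings that must agree for a site-to-site
tunnel.  LOCAL_CFG and REMOTE_CFG are excerpts of the two configs posted
above; addresses are as posted, masked ones included."""
import re

LOCAL_CFG = """\
access-list outside_2_cryptomap extended permit ip 172.25.6.0 255.255.255.0 MASALan 255.255.255.0
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 216.183.157.158
crypto map outside_map 2 set transform-set ESP-AES-128-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
"""

REMOTE_CFG = """\
access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 RHQASAnet 255.255.255.0
access-list outside_cryptomap_1 extended permit ip object-group DM_INLINE_NETWORK_3 FHData 255.255.255.0
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto map outside_map0 2 match address outside_cryptomap_1
crypto map outside_map0 2 set peer Y.Y.Y.Y
crypto map outside_map0 2 set transform-set ESP-AES-128-SHA
crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map0 interface outside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
"""

_ISAKMP_KEYS = ("authentication", "encryption", "hash", "group", "lifetime")
_MAP_RE = re.compile(
    r"crypto map (\S+) (\d+) (match address|set peer|set transform-set|set pfs)(?: (.+))?$")


def parse_asa(text: str) -> dict:
    """Pull crypto ACL names, static crypto-map entries, dynamic-map PFS,
    ISAKMP policies and the NAT-T setting out of ASA 8.2-style config text.
    Policy sub-lines are accepted with or without indentation."""
    cfg = {"crypto_acls": set(), "map_entries": {}, "dynamic_pfs": {},
           "isakmp": {}, "nat_traversal": True}
    policy = None                       # ISAKMP policy whose sub-lines follow
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        parts = line.split()
        if policy is not None and len(parts) == 2 and parts[0] in _ISAKMP_KEYS:
            cfg["isakmp"][policy][parts[0]] = parts[1]
            continue
        policy = None                   # any other line ends the policy block
        if (m := re.match(r"access-list (\S+) extended permit", line)) and "cryptomap" in m.group(1):
            cfg["crypto_acls"].add(m.group(1))
        elif (m := _MAP_RE.match(line)):
            key = m.group(3).split()[-1]                # address / peer / transform-set / pfs
            value = m.group(4) or ("group2" if key == "pfs" else None)  # ASA default PFS group
            cfg["map_entries"].setdefault((m.group(1), int(m.group(2))), {})[key] = value
        elif (m := re.match(r"crypto dynamic-map (\S+) \d+ set pfs(?: (\S+))?$", line)):
            cfg["dynamic_pfs"][m.group(1)] = m.group(2) or "group2"
        elif (m := re.match(r"crypto isakmp policy (\d+)$", line)):
            policy = int(m.group(1))
            cfg["isakmp"][policy] = {}
        elif line == "no crypto isakmp nat-traversal":
            cfg["nat_traversal"] = False
    return cfg


def unbound_crypto_acls(cfg: dict) -> set:
    """Crypto ACLs that no crypto-map entry references: traffic matching
    them is never offered to any tunnel."""
    bound = {e.get("address") for e in cfg["map_entries"].values()}
    return cfg["crypto_acls"] - bound


def compatible_isakmp_policies(a: dict, b: dict) -> list:
    """(a_seq, b_seq) pairs that agree on the Phase 1 proposal; lifetime may
    differ, the shorter one is negotiated."""
    keys = ("authentication", "encryption", "hash", "group")
    return [(x, y) for x, px in a["isakmp"].items() for y, py in b["isakmp"].items()
            if all(px.get(k) == py.get(k) for k in keys)]


def phase2_findings(a: dict, a_key: tuple, b: dict, b_key: tuple) -> list:
    """Differences between one static crypto-map entry on each side."""
    ea, eb = a["map_entries"][a_key], b["map_entries"][b_key]
    findings = []
    ts_a = set((ea.get("transform-set") or "").split())
    ts_b = set((eb.get("transform-set") or "").split())
    if not ts_a & ts_b:
        findings.append(f"no common transform-set: {sorted(ts_a)} vs {sorted(ts_b)}")
    if ea.get("pfs") != eb.get("pfs"):
        findings.append(f"pfs differs: {ea.get('pfs')} vs {eb.get('pfs')}")
    if not (a["nat_traversal"] and b["nat_traversal"]):
        findings.append("NAT-T disabled on at least one side")
    return findings


if __name__ == "__main__":
    local, remote = parse_asa(LOCAL_CFG), parse_asa(REMOTE_CFG)
    print("unbound crypto ACLs on remote:", unbound_crypto_acls(remote))
    print("compatible Phase 1 policies:", compatible_isakmp_policies(local, remote))
    print("Phase 2 findings:", phase2_findings(local, ("outside_map", 2), remote, ("outside_map0", 2)))
    print("remote dynamic-map PFS:", remote["dynamic_pfs"])
```

The point of the unbound-ACL check is that an ACL whose name says "cryptomap" looks like a tunnel definition when you read the config, but only the `crypto map ... match address` line makes it one. The NAT-T finding comes straight from the posted `no crypto isakmp nat-traversal` line on the local firewall; whether it matters depends on whether any NAT sits on the path between the peers.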
L2TP VPN Server only accepts one client at a time
We have an ISA570 on Site 1 with the following Network Config:
192.168.100.XXX
255.255.255.0
192.168.100.254 (GW)
ISA570
ISP Modem in Bridge Mode
So let us call my current location site 2. Although the network setup does not matter, let me just state it.
192.168.101.XXX
255.255.255.0
192.168.101.254 (GW)
Cisco RV042
ISP Modem in Bridge Mode
L2TP Client Network Pool:
192.168.103.100 - 192.168.100.200
255.255.255.0
DNS1 192.168.100.254
=======================================================================================
So here comes the situation
Client 1 with IP address of 192.168.101.24 connects to Site 1 via L2TP. He uses this VPN Tunnel for a desktop application which is hosted at site 1.
Client 2 with IP address of 192.168.101.17 connects to Site 1 via L2TP but is unsuccessful. Screen1.jpg below shows the Windows VPN Error.
I cannot post my configs as of now because the WAN1 of site 1 is very congested. For now I will post the guides which I followed.
http://www.cisco.com/en/US/docs/security/small_business_security/isa500/administration/guide/ISA500_VPN.html#wp1393916
http://www.cisco.com/en/US/docs/security/small_business_security/isa500/administration/guide/ISA500_VPN.html#wp1479596
What am I missing here?
Hi Dan,
The site-to-site VPN tunnel should still work with those settings. For the IPSec VPN Client, we have the Cisco VPN Client that should work. There should be a copy of it on the CD that came with the ISA500.
Here is a link that has information on setting up the Remote Access VPN on the ISA500:
http://www.cisco.com/en/US/docs/security/small_business_security/isa500/technical_reference/vpn/Configuring_VPN_with_Cisco_ISA500_Series_Security_Appliances.pdf
The section 'Configuration Examples of EzVPN, SSLVPN and Site-to-Site Between Cisco ISA500 Appliances' has an example at the beginning.
Let me know if that helps.
Thanks,
Brandon
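As an added example (not from this thread, Cisco, or the ISA500 itself), a small Python check of the L2TP client pool listed in the question against the remote clients' own LAN: it verifies that the pool range is in order, holds enough addresses for the expected number of concurrent clients, does not collide with the subnet the clients sit on, and fits the posted 255.255.255.0 mask. The address values are copied from the post; the function names, the two-client expectation and the checks themselves are my assumptions.

```python
import ipaddress

# Values as posted in the question (copied from the thread, not verified).
SITE1_LAN = "192.168.100.0/24"    # site 1 LAN behind the ISA570
SITE2_LAN = "192.168.101.0/24"    # the LAN the two remote clients sit on
POSTED_POOL = "192.168.103.100 - 192.168.100.200"


def parse_pool(pool):
    """Parse a 'start - end' pool string into two IPv4Address objects."""
    start_s, end_s = (p.strip() for p in pool.split("-"))
    return ipaddress.IPv4Address(start_s), ipaddress.IPv4Address(end_s)


def check_pool(pool, client_lan, expected_clients=2):
    """Return a list of problems found with an L2TP client address pool.

    An empty list means the pool can hand one address to each expected
    client without clashing with the clients' own LAN (assumed checks).
    """
    problems = []
    start, end = parse_pool(pool)
    if start > end:
        problems.append(f"pool start {start} is after pool end {end}: pool is empty")
        return problems  # nothing else is meaningful for an inverted range
    size = int(end) - int(start) + 1
    if size < expected_clients:
        problems.append(f"pool holds {size} address(es) but {expected_clients} clients are expected")
    client_net = ipaddress.ip_network(client_lan)
    # summarize_address_range() turns the range into CIDR blocks so the
    # whole range is tested for overlap, not just its two end points.
    for block in ipaddress.summarize_address_range(start, end):
        if block.overlaps(client_net):
            problems.append(f"pool block {block} collides with the clients' own LAN {client_net}")
            break
    # The post gives the pool a 255.255.255.0 mask, so both ends must share one /24.
    start_net = ipaddress.ip_network(f"{start}/24", strict=False)
    end_net = ipaddress.ip_network(f"{end}/24", strict=False)
    if start_net != end_net:
        problems.append(f"pool ends lie in different /24 networks ({start_net} and {end_net})")
    return problems


if __name__ == "__main__":
    for problem in check_pool(POSTED_POOL, SITE2_LAN) or ["no problems found"]:
        print(problem)
```

Run as posted, the check reports the inverted range before anything else; it says nothing about whether that is what stops the second client, only that the pool definition is worth confirming on the ISA570 before looking further.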
