Lan connection timeout after ASA reload

Similar Messages

• Connection Timeout after updating to 10.6.6

  Dear Friends
  I've got Macbook Pro mid 2010, when I was on 10.6.5 there was no problem connecting to Wi-Fi but after the magic update, I always got "Connection Timeout". another thing to add, I can connect to any network via windows 7 I installed on my macbook.
  Message was edited by: mutant59

  My two cents is that I have had some type of network problem since install Snow Leopard. I even went back wiped drive and did clean install. Seems their is a problem but not sure if its multiple problems or just one. Safari seems to load pages at a crawl at times. I did several speed tests and found the WIFI connection noticeably slower (about half) compared to my Windows Vista computers running WIFI. Even though my MacBook has N version connection and the Vista ones G.
  I have tried different DNS servers and nothing seems to help. The router is the second one I tried. I had a Linksys wrt54 then bought a Belkin F5d8236-4 and both have no effect on the problem. Even a different browser did not help. I have simply determined that Apple needs to fix something in Snow leopard.

• Connection timeout after 7.6.4

  I recently updated my time capsule to version 7.6.4.  Immediately after that my MacBook would not connect to my network and constantly says connection timeout.  I have reset the SMC have rebooted everything at least twice.  I have reset the settings in the time capsule and created a new network.  I have also downgraded back to 7.6.3.  All to no avail.  The MacBook is a 2.4 Ghz intel core 2 duo.  The time capsule is about 3 years old. I should also mention that my ipad and iPhones will connect to the time capsule. 
  I have also purchased a new time capsule and the MacBook connects to it flawlessly.  I am at a loss as to what to do.  Any help would be appreciated.
  Thanks

  Do the setup in full isolation from the network.. using ethernet.
  Start with downgrading to 7.6.1  which really is better than either of the later firmware as far as wireless was concerned.
  Factory reset the TC. This is important to completely remove the old setup.
  Setup wireless but I am not sure how you are mixing wireless here.. if you have a new TC.. are you roaming or extending the network.. or using two entirely different wireless setups??
  I would ensure that your wireless is simply working on a channel different to the new TC.. and the only way to do that is for you to set it manually.. Auto can mess this up by selecting adjacent channels. It does not work perfectly.
  Use wireless names that are short, no spaces and pure alphanumeric. Different to your previous setup if you were already following this rule.
  Set up a different name for 5ghz so you can control both 100%
  Set wireless channels .. for 2.4ghz try 11, 6, 1 in turn.
  For 5ghz set to say 40 and again 150.. a few channels either side of that.. but recognise the new AC will use a lot of channels .. you need to be very far  away from the channels it is using .. 80mhz is used by AC.
  The Apple website is much worse after Maintenance than before.. it now says it has failed to post and try again.. voila.. two posts.. sorry.. this is entirely Apple's idea of a fix.

• Connection timeout after upgrade to 10.6

  Hi!
  I am unable to connect to any wireless network via airport after i upgraded to 10.6. (both open and WEP ones).
  When trying to connect i immediately get "connection timeout". By trying again i see airport trying to connect, after 5 secs i get "connection timeout again".
  I have tried the following:
  - delete all preferred networks from the list
  - delete all airport passwords from keychains
  - turn off/on airport
  - restart computer
  Nothing worked so far for me. However when i went to a friends place today i experienced the same problem. I deleted the keychain entry, did a restart and all of a sudden i was connected.
  Having tried all of the above in different combinations i still have no clue.
  thanks for your help,
  dawandeh
  ps: currently i use an external usb wlanadapter which connects without any problems to all the networks i tested.

  My two cents is that I have had some type of network problem since install Snow Leopard. I even went back wiped drive and did clean install. Seems their is a problem but not sure if its multiple problems or just one. Safari seems to load pages at a crawl at times. I did several speed tests and found the WIFI connection noticeably slower (about half) compared to my Windows Vista computers running WIFI. Even though my MacBook has N version connection and the Vista ones G.
  I have tried different DNS servers and nothing seems to help. The router is the second one I tried. I had a Linksys wrt54 then bought a Belkin F5d8236-4 and both have no effect on the problem. Even a different browser did not help. I have simply determined that Apple needs to fix something in Snow leopard.

• Tcp Connection timeout on ASA for vpn traffic

  Hello All
  I need an answer please.
  I wanted to give tcp conenction timeout as unlimited for some IPs coming through VPN.
  So, I created an access-list defining the traffic for which I want this tcp timeout.
  Then a class map, policy map, entered set timeout to '0'
  Applied it under default service-policy, which is applied as global (by default).
  My doubt is should I apply the service policy on the interface or the global will work.
  Just a silly doubt
  Thanks in advance.

  Hi,
  I think it should work just fine if you attach it to the default "policy-map" configuration that you have attached globally on the ASA.
  You might want to configure the timeout value as something long rather than setting it as unlimited.
  - Jouni

• Re: Can't Connect: Connection Timeout?

  What could be the possible reason for getting "connection timeout" after failing to connect to the internet? After going to Network Prefs, clicking on my network, being prompted for my WPA security password and getting the message "connection failed, " this is replaced with connection timeout?
  Reset my modem and AEBS (unplugged and plugged back in), and was able to connect.
  Any relation to whether or not, under the Airport tab of Network Prefs, "Disconnect from wireless networks when logging out" is checked or not? I don't have it checked, and don't remember having it checked, but someone on the Airport Discussion boards said it should be checked?
  What other possible reasons fro getting a connection timeout? MY ISP says there is nothing from their side that would timeout my connection.

  After reading this entire thread, I conclude that I am having the same problems. Here's what I'm seeing:
  * The problem only happens when using WPA; switching my WAP to WEP or no security makes all my Mac's consistently connect just fine.
  * When the problem occurs, I am prompted for the WPA password; when I type in the password and click "connect", it alternates between "Connection timeout" and "Invalid password" (I'm positive that the password is correct; it's short, simple, and I'm using the "show password" checkbox to verify that it's correct).
  * My Intel 10.5.2 MBP usually connects ok (airport card -- 802.11b/g).
  * My PPC 10.5.2 iMac usually connects ok (airport card -- 802.11b/g, sometimes it asks for the WPA password once even though it's stored in my keychain).
  * My Intel 10.5.2 24" iMac rarely connects ok (airport extreme card -- 802.11b/g/n, with the symptoms above).
  * Windows laptops connect just fine.
  * There seem to be several different WAPs discussed on this thread; I'm wondering if there is some kind of WPA protocol issue in 10.5.2 because I can consistently WPA connect just fine to a Linksys WRT54GL, but I see the symptoms described above with Cisco Aironet 1131AG's.
  To reiterate: the problem most consistently occurs on an Intel iMac with an airport extreme card with OS X 10.5.2 when connecting to my Cisco Aironet 1131AG when WPA is enabled. It definitely does not occur when WEP or no wireless security is enabled. It rarely happens with a PPC iMac and an Intel MBP, both with OS X 10.5.2 and airport cards (regardless of network security settings and WAP used).

• Timeouts and connection problems after 5.1(2) upgrade

  AIM/chat and some other programs are having timeout/connection problems after upgrade to 5.1(2). I am using S241 also. The connection problems stopped when the IPS was set to bypass. Rebuilt IPS and left sigs at default settings and problem is still happening. I am not seeing any of the IPs that are having the problem in the Event Viewer or on the Events in the IDM.
  Any known issues with the 5.1(2) that would cause this type of problem?

  I don't know specifically, but I did notice that 5.1(3) was released today.

• I'm trying to connect to my home wifi with my imac gh5. After I enter the password it says connection timeout or password incorrect. I know there's no issue with the connection but I don't know what else to do. Does anyone know how to fix this problem?

  I'm trying to connect to my home wifi with my imac gh5. After I enter the password it says connection timeout or password incorrect. I know there's no issue with the connection but I don't know what else to do. Does anyone know how to fix this problem?

  What is the make & model of your home Wi-Fi router that you are attempting to connect your G5 iMac to? Which exact model of iMac do you have?
  What wireless security type is your router using: WEP, WPA, or WPA2? If you temporarily disable wireless security, can the iMac connect to it now?

• ASA TCP Idle Connection Timeout Suspense

  Hello I upgraded our Cisco ASA 5520 with a Cisco ASA 5585. Though both ASA were configured with default TCP Idle Connection Timeout values people are now starting to complaint that idle SSH connections are being terminated. This is proper behavior but they were claiming it didn't occur with the old firewall. Our users are setting keepalives for 1800 seconds to get around this before I can bump the setting to infinite (setting 0). Is there a bug with the feature in older ASA OS?

  Hi,
  Before looking for a bug I would check the ASA logs (hopefully you are storing them to a separate Syslog server) and see why the connections are torn down (Teardown reason) and how long have they been on the ASAs connection table before they were torn down.
  You also have the option to perform traffic capture on the ASA for the traffic in question and confirm why or which party terminates the connection.
  I guess you can use the MPF on the ASA to configure separate idle timeouts for just these SSH Connections if you do not want to touch the global timeout values.
  I have not run into any problems with the timeout settings on the older softwares. In the newer softwares (8.3+) I have run into these problems. In those situation the ASA has not removed the connection that have reached the timeout value. I have seen connection that have been idle for over 1000h.
  - Jouni

• No network LAN-connection after iOS 5.1.1update

  Today i tried to solve a big issue after updating my AppleTV's to 5.1.1 (actual version: AppleTV3,1_5.1_10A406e_Restore.ipsw). After updating my Apple TV´s, they could not connect to  the Apple activation server. No Home Sharing was adjustable and also logging in iTunesStore was not possible. The update I have done via LAN cable, and I changed  nothing in my network configuration. The network (networkadress via DHCP) is indeed set up by default in the AppleTV automatically. Nevertheless, nothing went. Then I removed the network cable and made a reset of the AppleTV and tried to connect via Wi-Fi. With Wi-Fi, he finds the activation server and everything works as it should. Home Sharing, iTunes, streaming. However, once the network cable is plugged in and the Apple TV is restarted, it is again not possible to get access the iTunesStore. Home Sharing is not possible. The networkcable are fine. Both MacBook, as well as my TVs have internet connection over the same network cable. If I unplug the network cable from the AppleTV again, anything goes. Only via WLAN, but it's just too slow to stream data from my Mac. I have this "strange behavior" on 3 AppleTV 3.Gen., which are in the apartment. The previous iOS-Version on the same network cables, worked great. Can anyone reproduce the problem? Or have I now 3 bricked devices? I tried to downgrade over itunes. But this is not possible anymore. I installed 3 times the update. But nothing goes. Please can anybody help me.

  I found another link titled "Apple TV Death after update"  and found several links that have proven to work to restore to the previous version.  Here is my post:
  "I had originally replied to a post titled "No network LAN-connection after iOS 5.1.1 update". That has been my issue after updating to 5.1. Wirless worked for me but iTunes match and Podcasts were slow to respond. I finally downgraded to the previous version (5.0.2). So far, my ATV3 has been operating exactly as it did out of the box. No more activation failed message, and all components of ATV are functioning flawlessly on my whole home LAN network.
  I also wonder what Apple was thinking for releasing this update without adaquate testing. I can forgive them for Maps, but not this. ATV has been around long enough for all of the kinks to be worked out and any updates to just plain work. I did like the new menu displays in apps and how you could rearrange the program icons on the home screen.
  Perhaps they will get it right. Some day. But until they show proof that any future updates are correct and provide detailed instructions on how to revert back to a previous version, I will be very leary of updating. Spending a week reading message boards on how to do a simple resotre is not my idea of how to spend my weekends.
  As a side note, I am a PC, so to restore from an .ispw file located on your system, you must press the Alt & Shift keys togather, then click the Restore button, and a window will pop-up so you can select the location for the restore file."
  Directions to restore:
  "Yes you can. I am a PC. Download the .ipsw file and save to your desktop. Unplug the LAN, HDMI and power cable. Connect the usb cable from your laptop to the ATV. If iTunes does not automatically launch, start it. After iTunes is running, plug in the power cable to the ATV. iTunes will recognize the ATV and will open the restore window in iTunes.
  Press the Alt and Shift keys togather, then click on the Restore button. A file window will open so you can navigate to the desktop (or where ever you saved the file). Select the AppleTV3,1_5.-.2_9B830_Restore.ipsw file. iTunes will start the restore process.
  When you see the message that it has completed the restore, unplug the usb cable and power cable. Reconnect the LAN and HDMI cable then plug in the Power cable in that sequence.
  Follow the setup procedure again and all should be as it was before."

• Causing some network problem after connecting the new ASA to my network

  Hi everyone,
  Hope you can help on this issue.... It is strange to me...but may not be to you
  Currently, I have a subnet connects to my primary network. All the internet travel thru a router there in turn thru a pair of ASA failover firewall (ie Subet -> router -> Subnet ASA -> Pirmary network ASA -> Primary network router -> Internet).
  Now we try to setup a internet pipe so the subnet can go to internet by its own. So...for security purpose, we put another new ASA in between.the subnet and the new internet. This will be the first, and the old path to Interent would be the back up route.
  NOW
  I have not even make any route cahgnes on the router yet. What I did was to connect the new ASA to the subnet. Again, I do not change any routes, or any gateway settings on all the computers yet in the subnet!! I just connect the asa. That is it...please remember this.
  However, problem happens. I have a application server in the same subnet.... that keeps kick out users. I also have continuous ping to it... I saw that the server has requesdted time out...it did not come back up until about 10 to 20 seconds later. The server, in fact, is a cluster server. Although I can ping the physical server, I cannot ping the virutal server.
  In order to fix the problem, I really need to unplug the new ASA from the network, and reload the cluster server. Then it starts to work.
  ANother symptom is that...people complaint the log on is obviously slower than usual.
  May I ask why the new ASA will cuase this trouble?? Again, no routes on the router have been change. And all PCs in the subnet are still using old gateway, and did not nkow about the new ASA.
  Any ideas would be great!! Very strange to me. Thank you very much for your help.
  Riderfaiz

  First guest would be proxy ARP.
  Proxy ARP is enabled by default on the ASA. The new ASA might be proxy ARPing for whatever reason.
  OR the new ASA might have been configured with an ip address that belongs to another device by mistake.

• Cannot re-boot after enabling K8T Neo LAN Connection

  I've tried to enable the K8T Neo LAN controller in BIOS so that I can connect a Wireless Router to my PC. However, when I do this, the PC will not boot and I have to disable the LAN controller.
  On booting-up the BIOS seems to be looking for an ethernet controller and a message states that either the device is not plugged in or the cable is faulty ! Why should enabling the onboard LAN controller affect the device the BIOS boots from ?
  Can I plug a Wireless Router directly into the RJ45 LAN connection on the K8T Neo and if so, how ?
  Thankyou for any helpful advice   

  Check to make sure you are not set to boot from network. Unfortunately I can't remember the exact name or where it is located, but it may help.
  Quote from: Geps on 07-July-05, 22:52:17
  as you say: a WIRELESS router is WIRELESS, how could you plugin a cable from a wireles router. or does it also have rj45 conectors?
  if you want to use the wirreles function, you will need to buy a wirrles lan adapter (usb) for your pc
  I have never seen a wireless router without rj45 connectors. (WAP yes, router no).
  Good Luck
  Jeremy

• Connectivity Issues Cisco ASA 5515 in Transparent Mode

  Hi,
  we´re having problems with one transparent mode setup at one customer site. The ASA is equiped with a CX Module, but we´re not using it, so far in the service policy rules it was enabled and matched all traffic, but in "monitor only" mode. There is a global acl that allows any-any-IP.
  Firewall-Info:
  - ASA Version 9.1(2) 
  - Interfaces gi0/0 + gi0/2 without any interface errors
  The ASA 5515x is configured as a "bump in the wire". In general our setup is working but with beginning of the installation of the firewall the customer faces following connection issues, without the firewall no problems:
  - Connections to SAP-Servers behind the MPLS begin to drop, affected all users
  - Incoming monitoring sessions (ping/snmp) from central management are facing ping timeouts, connection timeouts
  - http downloads are stopping, Customer: it will stop responding and the download will fail.
  In general the customer describes it this way: "We do not have the best connection here so once we connected the firewall all the problems are magnified"
  I recognized, that we unconfigured the default inspection during initial setup and reconfigured this entry for the cx module. So the the default inspection with all the settings are not present any more... How important are these settings? One phenomen is, that I´ve seen a large numbers of concurrent connections that increased over time. And we already had that situation, that the firewall reached the max-conn count.
  Should I try to reconfigure the default inspection, as it ships from factory? And whats the best way to check for problems? What can be the reason for the dropping connections?
  I attached a network plan and the firewall config, hopefully, that somebody has an idea. Of course I can provide additional information...
  Best Regards
  Sebastian

  Hi Vibhor,
  thanks for your reply. Does this also affect the traffic, even the setting is set to "Monitor Only" ?
  Is it recommend to configure the default-inspection rule as a default setting? 
  Further Question: I´ve read sth. about, that service policy rules must be "reloaded" to take effect, after they have been changed. Is that right and how do I reload them?
  Here is an output from sh asp drop, do I have to care about certain values? This values result from two connected users doing some downloads over a 2Mbit connection.
  ciscoasa# show asp drop
  Frame drop:
    Invalid encapsulation (invalid-encap)                                       10
    First TCP packet not SYN (tcp-not-syn)                                     114
    TCP failed 3 way handshake (tcp-3whs-failed)                                 3
    TCP RST/FIN out of order (tcp-rstfin-ooo)                                   18
    Dst MAC L2 Lookup Failed (dst-l2_lookup-fail)                               33
    L2 Src/Dst same LAN port (l2_same-lan-port)                                260
    FP L2 rule drop (l2_acl)                                                  2958
    Interface is down (interface-down)                                        9420
    No management IP address configured for TFW (tfw-no-mgmt-ip-config)        117
    Dropped pending packets in a closed socket (np-socket-closed)               66
  Thanks
  Sebastian

• Lan connectivity Issue on autonomous AP with throttles

            Hello,
    I encounter a strange problem on several AP 1242 in version 12.4(25d)JA1 of a customer :
    He has 10 autonomous AP covering a factory and is using them for laptop connectivity and TOIP with mainly 7921 Cisco Wifi Phones.
    The phones are configured to use only 802.11a.
    The APs loose LAN connectivity randomly and therefore the clients don't work anymore.
    The AP are connected on a 2960 and a 3560 wich are in turn connected on a 3750 wich route the trafic.
    After checking spanning-tree no loops are present.
    When I check the counters on the AP involved I see the "trhottles" and "ignored" counters incrementing on the fa0 link of the AP impacted wich mean I think it can't handle the incoming traffic. This incoming traffic seems not to be too big however. I can see drops on the switch interface connecting the AP.
  There is a lot of roaming on the AP due to people walking in the factory with their wifi phones.
  Here is a view of the fa0 counters :
  AP1242-LOGIST#sh int fa0
  FastEthernet0 is up, line protocol is up
    Hardware is PowerPCElvis Ethernet, address is 001d.a1ce.26e2 (bia 001d.a1ce.26e2)
    MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
       reliability 255/255, txload 1/255, rxload 1/255
    Encapsulation ARPA, loopback not set
    Full-duplex, 100Mb/s, MII
    ARP type: ARPA, ARP Timeout 04:00:00
    Last input 00:00:00, output 00:00:00, output hang never
    Last clearing of "show interface" counters never
    Input queue: 0/160/0/0 (size/max/drops/flushes); Total output drops: 0
    Queueing strategy: fifo
    Output queue: 0/40 (size/max)
    5 minute input rate 81000 bits/sec, 53 packets/sec
    5 minute output rate 29000 bits/sec, 26 packets/sec
       7447113 packets input, 674891974 bytes
       Received 286839 broadcasts, 0 runts, 0 giants, 549631 throttles
       0 input errors, 0 CRC, 0 frame, 0 overrun, 549631 ignored
       0 watchdog
       0 input packets with dribble condition detected
       4422100 packets output, 609868806 bytes, 0 underruns
       0 output errors, 0 collisions, 4 interface resets
       1 unknown protocol drops
       0 babbles, 0 late collision, 0 deferred
       0 lost carrier, 0 no carrier
       0 output buffer failures, 0 output buffers swapped out
    Here is a small part of logs concerning roaming, i don't see errors or log indicating that something is wrong nor in the switches log :
  Jun  6 12:57:27.007: %DOT11-6-ASSOC: Interface Dot11Radio1, Station SEP001E4A3EE15D 001e.4a3e.e15d Associated KEY_MGMT[WPAv2 PSK]
  Jun  6 12:57:42.499: %DOT11-6-ASSOC: Interface Dot11Radio1, Station SEP588D09D3A92B 588d.09d3.a92b Reassociated KEY_MGMT[WPAv2 PSK]
  Jun  6 12:58:02.620: %DOT11-6-DISASSOC: Interface Dot11Radio1, Deauthenticating Station 588d.09d3.a92b Reason: Sending station has left the BSS
  Jun  6 12:58:03.653: %DOT11-6-ASSOC: Interface Dot11Radio1, Station SEP588D09D3A92B 588d.09d3.a92b Reassociated KEY_MGMT[WPAv2 PSK]
  Jun  6 12:59:15.564: %DOT11-6-ROAMED: Station 588d.09d3.a92b Roamed to 001e.134c.5a50
  Jun  6 12:59:15.564: %DOT11-6-DISASSOC: Interface Dot11Radio1, Deauthenticating Station 588d.09d3.a92b Reason: Sending station has left the BSS
  Jun  6 12:59:41.905: %DOT11-6-DISASSOC: Interface Dot11Radio1, Deauthenticating Station 442b.0355.ab28 Reason: Previous authentication no longer valid
  Jun  6 12:59:54.728: %DOT11-6-ASSOC: Interface Dot11Radio1, Station SEP442B0355AB28 442b.0355.ab28 Associated KEY_MGMT[WPAv2 PSK]
  Jun  6 13:01:12.541: %DOT11-6-ASSOC: Interface Dot11Radio1, Station SEP588D09D3A92B 588d.09d3.a92b Reassociated KEY_MGMT[WPAv2 PSK]
  Jun  6 13:02:35.841: %DOT11-6-DISASSOC: Interface Dot11Radio1, Deauthenticating Station 001e.4a3e.d875 Reason: Previous authentication no longer valid
  Jun  6 13:02:36.489: %DOT11-6-ASSOC: Interface Dot11Radio0, Station   ec85.2f7c.c837 Associated KEY_MGMT[WPAv2 PSK]
  Jun  6 13:03:29.256: %DOT11-6-ROAMED: Station 588d.09d3.a92b Roamed to 001e.134c.5a50
  Jun  6 13:03:29.256: %DOT11-6-DISASSOC: Interface Dot11Radio1, Deauthenticating Station 588d.09d3.a92b Reason: Sending station has left the BSS
  Jun  6 13:04:32.754: %DOT11-6-ASSOC: Interface Dot11Radio1, Station SEP001E4A3ED875 001e.4a3e.d875 Associated KEY_MGMT[WPAv2 PSK]
  Jun  6 13:06:47.858: %DOT11-6-DISASSOC: Interface Dot11Radio1, Deauthenticating Station 001e.4a3e.e15d Reason: Previous authentication no longer valid
  Jun  6 13:07:18.107: %DOT11-6-ROAMED: Station 001f.6c7a.5101 Roamed to 001d.a2bb.15b0
  Jun  6 13:07:18.107: %DOT11-6-DISASSOC: Interface Dot11Radio1, Deauthenticating Station 001f.6c7a.5101 Reason: Sending station has left the BSS
  Jun  6 13:07:38.109: %DOT11-6-ASSOC: Interface Dot11Radio1, Station SEP588D09D3A92B 588d.09d3.a92b Reassociated KEY_MGMT[WPAv2 PSK]
  Jun  6 13:07:42.031: %DOT11-6-ROAMED: Station 588d.09d3.a92b Roamed to 001e.134c.5a50
  Jun  6 13:07:42.031: %DOT11-6-DISASSOC: Interface Dot11Radio1, Deauthenticating Station 588d.09d3.a92b Reason: Sending station has left the BSS
  Jun  6 13:07:46.489: %DOT11-6-ASSOC: Interface Dot11Radio1, Station SEP001F6C7A5101 001f.6c7a.5101 Reassociated KEY_MGMT[WPAv2 PSK]
  Jun  6 13:08:27.712: %DOT11-6-ASSOC: Interface Dot11Radio1, Station SEP588D09D3A92B 588d.09d3.a92b Reassociated KEY_MGMT[WPAv2 PSK]
  Jun  6 13:08:44.502: %DOT11-6-DISASSOC: Interface Dot11Radio1, Deauthenticating Station 588d.09d3.a92b Reason: Sending station has left the BSS
  Jun  6 13:08:44.572: %DOT11-6-ASSOC: Interface Dot11Radio1, Station SEP588D09D3A92B 588d.09d3.a92b Associated KEY_MGMT[WPAv2 PSK]
  Jun  6 13:08:56.778: %DOT11-6-ROAMED: Station 588d.09d3.a92b Roamed to 001e.134c.5a50
  Jun  6 13:08:56.779: %DOT11-6-DISASSOC: Interface Dot11Radio1, Deauthenticating Station 588d.09d3.a92b Reason: Sending station has left the BSS
  Jun  6 13:09:17.874: %DOT11-6-ROAMED: Station 001f.6c7a.5101 Roamed to 003a.9a92.8d70
  Jun  6 13:09:17.874: %DOT11-6-DISASSOC: Interface Dot11Radio1, Deauthenticating Station 001f.6c7a.5101 Reason: Sending station has left the BSS
  The AP are configured as follow :
  Current configuration : 5184 bytes
  ! No configuration change since last restart
  version 12.4
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  hostname AP1242-LOGIST
  logging rate-limit console 9
  aaa new-model
  aaa authentication login default local
  aaa authorization exec default local
  aaa session-id common
  clock timezone gmt+1 1
  clock summer-time gmt recurring last Sun Mar 2:00 last Sun Oct 3:00
  dot11 syslog
  dot11 vlan-name Data vlan 11
  dot11 vlan-name Voix vlan 14
  dot11 vlan-name Webguest vlan 5
  dot11 ssid WLAN_data
     vlan 11
     authentication open
     authentication key-management wpa
     mbssid guest-mode
     wpa-psk ascii 7 10600C0E261B173C252203797479633F371A29
  dot11 ssid WLAN_voice
     vlan 14
     authentication open
     authentication key-management wpa
     mbssid guest-mode
     wpa-psk ascii 7 080F49592A1500203B2D25567A7A7622263C0C
  dot11 ssid Webguest
     vlan 5
     authentication open
     mbssid guest-mode
  dot11 wpa handshake timeout 1000
  dot11 arp-cache
  dot11 priority-map avvid
  dot11 phone
  power inline negotiation prestandard source
  class-map match-all _class_voice0
  match ip dscp ef
  class-map match-all _class_voice1
  match ip dscp cs3
  policy-map voice
  class _class_voice0
    set cos 6
  class _class_voice1
    set cos 3
  bridge irb
  interface Dot11Radio0
  no ip address
  no ip route-cache
  encryption vlan 11 mode ciphers aes-ccm
  encryption vlan 14 mode ciphers aes-ccm
  ssid WLAN_data
  ssid WLAN_voice
  ssid Webguest
  mbssid
  power client 17
  channel 2472
  station-role root
  dot11 qos class voice local
      admission-control
      admit-traffic narrowband max-channel 75 roam-channel 6
  dot11 qos class voice cell
      admission-control
  no cdp enable
  infrastructure-client
  interface Dot11Radio0.5
  encapsulation dot1Q 5
  no ip route-cache
  no cdp enable
  bridge-group 5
  bridge-group 5 subscriber-loop-control
  bridge-group 5 block-unknown-source
  no bridge-group 5 source-learning
  no bridge-group 5 unicast-flooding
  bridge-group 5 spanning-disabled
  interface Dot11Radio0.11
  encapsulation dot1Q 11
  no ip route-cache
  no cdp enable
  bridge-group 11
  bridge-group 11 subscriber-loop-control
  bridge-group 11 block-unknown-source
  no bridge-group 11 source-learning
  no bridge-group 11 unicast-flooding
  bridge-group 11 spanning-disabled
  interface Dot11Radio0.14
  encapsulation dot1Q 14
  no ip route-cache
  no cdp enable
  bridge-group 14
  bridge-group 14 subscriber-loop-control
  bridge-group 14 block-unknown-source
  no bridge-group 14 source-learning
  no bridge-group 14 unicast-flooding
  bridge-group 14 spanning-disabled
  interface Dot11Radio1
  no ip address
  no ip route-cache
  encryption vlan 11 mode ciphers aes-ccm
  encryption vlan 14 mode ciphers aes-ccm
  ssid WLAN_data
  ssid WLAN_voice
  ssid Webguest
  no dfs band block
  mbssid
  channel dfs
  station-role root
  interface Dot11Radio1.5
  encapsulation dot1Q 5
  no ip route-cache
  no cdp enable
  bridge-group 5
  bridge-group 5 subscriber-loop-control
  bridge-group 5 block-unknown-source
  no bridge-group 5 source-learning
  no bridge-group 5 unicast-flooding
  bridge-group 5 spanning-disabled
  interface Dot11Radio1.11
  encapsulation dot1Q 11
  no ip route-cache
  no cdp enable
  bridge-group 11
  bridge-group 11 subscriber-loop-control
  bridge-group 11 block-unknown-source
  no bridge-group 11 source-learning
  no bridge-group 11 unicast-flooding
  bridge-group 11 spanning-disabled
  interface Dot11Radio1.14
  encapsulation dot1Q 14
  no ip route-cache
  no cdp enable
  bridge-group 14
  bridge-group 14 subscriber-loop-control
  bridge-group 14 block-unknown-source
  no bridge-group 14 source-learning
  no bridge-group 14 unicast-flooding
  bridge-group 14 spanning-disabled
  interface FastEthernet0
  no ip address
  no ip route-cache
  speed 100
  full-duplex
  no cdp enable
  hold-queue 160 in
  interface FastEthernet0.1
  encapsulation dot1Q 1 native
  no ip route-cache
  no cdp enable
  bridge-group 1
  no bridge-group 1 source-learning
  bridge-group 1 spanning-disabled
  interface FastEthernet0.5
  encapsulation dot1Q 5
  no ip route-cache
  no cdp enable
  bridge-group 5
  no bridge-group 5 source-learning
  bridge-group 5 spanning-disabled
  interface FastEthernet0.11
  encapsulation dot1Q 11
  no ip route-cache
  no cdp enable
  bridge-group 11
  no bridge-group 11 source-learning
  bridge-group 11 spanning-disabled
  interface FastEthernet0.14
  encapsulation dot1Q 14
  no ip route-cache
  no cdp enable
  bridge-group 14
  no bridge-group 14 source-learning
  bridge-group 14 spanning-disabled
  service-policy input voice
  service-policy output voice
  interface BVI1
  ip address 10.17.10.5 255.255.255.0
  no ip route-cache
  ip default-gateway 10.17.10.254
  ip http server
  ip http authentication aaa
  no ip http secure-server
  ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
  logging trap warnings
  logging 10.15.51.115
  no cdp run
  bridge 1 route ip
  line con 0
  line vty 0 4
  sntp server 10.15.1.50
  sntp broadcast client
  end
  Does someone ever experienced a similar problem ?
  When I shut radio interfaces they're is no more problems on the LAN. Can this be an overlapping coverage issue ?
  Can someone please give me advices on how to troubleshoot this issue ?
  Thank you in advance as I'm a bit stuck.
  Best Regards,

       Hi Scott,
  Thanks for your reply.
  Do you think this can be the origin of the issue my customer encounters or is it only to be standard ? As this change will have to be made on all clients, if there is a chance it solves the problem I will do it ASAP, if not I will delay it in a less busy period :-)
  Can the constant roaming associations and dissasociations overload the AP and make it stop responding on the LAN or is it only a throuhput problem ?
  Thanks in advance for your answer.
  Best Regards,

• Untrusted VPN Server Blocked after a reload

  Hi
  I have an ASA5510 in failover, after a reload, a message "Untrusted VPN Server Blocked" appears after the first attempt to connect to the VPN, if we uncheck the "Block connections to untrusted servers" in preference settings the profile is updated and the connection is successful.
  If I disconnect the VPN and try again it appears another profile.
  I try this step for another link, but the result is the same for me
  Try the following steps,
  1.  Click on Anyconnect Client profile
  2.  Edit Anyconnect_Group profile
  3.  Edit Server list
  4. Add or Edit the hostname (You will see IP address, however, your cert is URL address ) So you have to add it or delete the IP address and keep URL )
  5. Host display: Remote.exmaple.com and FQDN: Remote.example.com
  ** Your cert that you applied for the interface must match the URL otherwise it won't work. So you can make your Cert
  (( *.example.com )) and it should match any URL you give
  Does anyone knows what could be the cause of this problem?
  Regards

  Ricardo,
  it sounds like you don't have a certificate installed on the ASA, so the ASA uses a non-persistent self-signed certificate.
  This doc explains how to create a persistent self-signed certificate:
  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808efbd2.shtml
  Better still would be to purchase a 'real' certificate from a 3rd party CA, the doc below has more details on how to do this:
  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809fcf91.shtml
  hth
  Herbert