Logging dynamic vpn connections

Similar Messages

• Windows 2008 R2 TS VPN connection closed when another user logs in

  Hi.
  I have a W 2008 R2 Ent. server with TS
  I have VPN on the TS configured with a L2TP/Ipsec connection to connect to a customer site
  Users will remote into the server, and make a VPN connection (click on shortcut to start VPN) and access the customer's site. This has worked OK for 2 years often with several users logged into the TS via RDP.
  Recently users are encountering this problem: User A logs into the TS, makes VPN connection, accesses customer site. User B logs into the TS, user A's VPN connection is broken immediately. It seems to happen every time - not sporadic.
  Can I get some suggestions on how to troubleshoot this?
  Thanks!

  Hi,
  The error which you are facing is because of Event Id 20226 (RAS connection termination).
  Error 831 (ERROR_FAST_USER_SWITCH)
  The connection was terminated because user switch happened.
  There are multiple login sessions on the user's computer. The user switched from a login session with an active RAS connection to another session. This resulted in the termination of the connection.
  For this you can check that you can limit the connection and tried to switch back the original session and make all new connection again. Please refer “Event ID
  20226 — RAS Connection Termination” for more details.
  Hope it helps!
  Thanks.

• Logging VPN connection information

  I want to log to my syslog server the IP that a VPN client receives from the locally configured pool on my ASA for both IPSec and SSL VPN connections. Does anyone know the logging configuration I need to capture this information?

  If you load your ASA ASDM look at realtime log.. have a user vpn in and watch the log you will see IDs and its severity category..
  6Sep 25 2009 12:43:24 713228 Group = ciscovpn_ra_access, Username = XXX, IP = xxx.xxx.xxx.xx, Assigned private IP address 10.20.20.20 to remote user
  That particular syslog message is ID :713228 , under severity 6 - informational.
  for confirming the syslog ID go to syslog IDs link and look at the ID number .
  http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp5391006
  for SSL VPN do the procedure above ..
  for logging particualr IDs to syslog server use syslog filters.
  http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/monitor_syslog.html#wp1097397

• Logging VPN connections

  Greetings All,
  I have a customer who wishes to log all VPN user activity on their ASA5510 so he can look back and see who was using a VPN connection on a particular day.
  I can see in the ASDM how you can see real time, who is on but do you know what logging command I need to use to log this activity for reference so that it can be viewed at a later date?
  Thanks

  You can use the Cisco Secure Access Control Server (ACS) for this. This is RADIUS/TACACS+ software that you can install on various versions of Windows Server 200x.
  You can perform Authentication, Authorization and most import for you; Accounting. The server keeps track of who logged in, when he/she did that, how much traffic passed by, how long he/she stayed connected, etc etc.
  More information on the Cisco Secure ACS can be found here: http://www.cisco.com/go/acs
  Please rate if the post helps!
  Regards,
  Michael

• ASA 5505 vpn connection issues

  Hello I am having some issues with getting my vpn connection working on a new site. I get no internet connection when hooking up the asa. My current config is below. I have included a packet trace from my remote site to my main site. Any help would be appriciated, I am not very experanced in coniguring the devices.
  hostname ciscoasa
  domain-name .com
  enable password w3iW.W8jLtqmhFnt encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Vlan1
   nameif inside
   security-level 100
   ip address 10.10.10.1 255.255.255.0
  interface Vlan2
   nameif outside
   security-level 0
   ip address 72.xxx.xx.xx 255.255.255.0
  interface Ethernet0/0
   switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  ftp mode passive
  dns server-group DefaultDNS
   domain-name .com
  access-list NONATACL extended permit ip 10.10.10.0 255.255.255.0 192.1.1.0 255.2
  55.255.0
  access-list VPNACL extended permit ip 10.10.10.0 255.255.255.0 192.1.1.0 255.255
  .255.0
  access-list OUTSIDEACL extended permit icmp any any
  pager lines 24
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/flash
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list NONATACL
  nat (inside) 1 0.0.0.0 0.0.0.0
  access-group OUTSIDEACL in interface outside
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  http 0.0.0.0 0.0.0.0 inside
  http 10.10.10.1 255.255.255.255 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESPDESMD5 esp-des esp-md5-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto map VPNMAP 13 match address VPNACL
  crypto map VPNMAP 13 set peer 68.xx.xxx.xxx
  crypto map VPNMAP 13 set transform-set ESPDESMD5
  crypto map VPNMAP interface outside
  crypto isakmp identity address
  crypto isakmp enable outside
  crypto isakmp policy 13
   authentication pre-share
   encryption des
   hash md5
   group 2
   lifetime 86400
  telnet 10.10.10.0 255.255.255.0 inside
  telnet 192.1.1.0 255.255.255.0 outside
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd dns 192.1.1.6 192.1.1.4
  dhcpd wins 192.1.1.6 192.1.1.4
  dhcpd ping_timeout 750
  dhcpd domain .com
  dhcpd auto_config outside
  dhcpd address 10.10.10.10-10.10.10.40 inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  tunnel-group 76.xxx.xxx.xx type ipsec-l2l
  tunnel-group 76.xxx.xxx.xx ipsec-attributes
   pre-shared-key *
  tunnel-group 68.xx.xxx.xxx type ipsec-l2l
  tunnel-group 68.xx.xxx.xxx ipsec-attributes
   pre-shared-key *
  class-map inspection_default
   match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
   parameters
    message-length maximum 512
  policy-map global_policy
   class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:229af8a14b475d91b876176163124158
  : end
  ciscoasa(config)#reciated

  Hello Belnet,
  What do the logs show from the ASA.
  Can you post them ??
  Any other question..Sure..Just remember to rate all of the community answers.
  Julio

• Unable to set manual IP address for VPN connection

  Recently a VPN connection with a client stopped working. They changed phone companies and changed some of the IP addresses.
  After alerting them I could no longer log in, I received the new server address which I can log in with it,
  BUT my computer is assigned a dynamic address that is already in use on their network. This causes my computer to *not* be connected to their network, even though I am inside their firewall; therefore I cannot adjust the database files I need to.
  I have tried to set the VPN (PPTP) connection TCP/IP address IPv4 manually, using the static address they just gave me. But each time I connect, [I believe] their router assigns me an address that is already in use.
  They do not use IPv6.
  Can anyone give me direction on how to make the manual IP address *stick*?
  The tech person at the site keeps telling me it is a problem with my "Mac, because with Windows.... blah, blah, blah".
  I am pretty sure this is not the case and in fact I was the one who let her know I was receiving a duplicate address.
  Your VPN expertise is really appreciated.
  Thanks in advance,
  Michele

  Hi,
  Please make sure the Ad hoc connection IP adress is at the same range with your local connection. In addition, how about recreate the ad hoc connection for test, please have a try.
  If problem persists, please use Network troubleshooter in Action Center to fix this problem for test.
  Roger Lu
  TechNet Community Support

• Permanent server to server VPN connection

  I have two Snow Leopard Servers in different locations which I would like to connect to each with a VPN over the Internet so that it appears as if they are in the same LAN. Something like:
  ServerAliveIP <- ("permanent" VPN over the Internet looking like a LAN) -> ServerBdynamicIP
  The connection should be permanent without a user being logged into either of the two. Both servers need to still be able to communicate "normally", so not all traffic can go through the VPN even if only in one direction (routing?). In addition it has to be actually server to server, I cannot put any other devices such as dedicated VPN appliances between the servers...
  Any ideas how to do that? If no directions, can anyone point me to where I should research (I have Googled but not found much...).
  Thanks!

  There is a built in option/tool:
  /usr/sbin/s2svpnadmin
  man s2svpnadmin
  This can create an IPSec tunnel between two servers/LANs.
  You'll need ESP protocol 50 and UDP port 500 ("VPN") passthrough through any Internet firewall/router and any dynamic IP connections are probably better handled if using a dynamic dns name service like dyndns for the public IP/name needed. Internet routers/firewalls can have trouble forwarding UDP port 500 if they have a built in VPN server.
  You should be able to decide what part of the LANs that can communicate through this tunnel by "size" of subnetmasks. Try this site http://jodies.de/ipcalc to get the right "size" if you don't want the whole LANs to be able to communicate. You will not be able to browse "the other side" LAN using Bonjour.
  If the servers are not the gateway/Internet router for your LANs, you'll need to setup static routes in the firewall/routers using the respective server as the gateway to the other (remote) LAN.

• Cisco ASA 5505 Remote Access IP/Sec VPN Connectivity Issues

  We have a Cisco ASA that we use just for Remote Access VPN. It uses UDP and was working fine for about 2 months. Recently clients have had intermittent issues when connecting from home. The following message is display by the Cisco VPN Client :
  "Secure VPN connection terminated locally by the Client. Reason 412: The remote peer is no longer responding"
  Upon looking at a client side packet capture, I notice that no response is being given back to the client for the udp packets sent to the ASA on udp 500. If I login to the ASA from the LAN and send a single ping FROM the ASA, then the client can connect without issue. I don't understand the significance of the needed outbound ping since ping is not used by the client to test if the ASA is alive.
  Once again this is a remote access udp ip/sec VPN. I set most of it up with the VPN wizard and then backed up the config. The issue started happening at least a month after setup (maybe two) and I restored to the saved config just in-case, but the issue remains.
  Any insight would be greatly appreciated.
  I'm using IOS 831 and have tried 821 and 823 as one thread that I found recommended downgraded to 821.
  Thanks much,
  Justin

  Javier,
  I logged into the ASA last time the VPN went down. I issued the following commands:
  debug crypto isakmp 190
  debug crypto ipsec 190
  capture outside-cap interface outside match udp any any
  I then used a remote access tool to access the client and tried to connect. I got absolutely nothing from debugging. So I issued the following command:
  show capture outside | include 500
  and also got nothing. So I issued the following command:
  ping 4.2.2.2
  Upon which my normal deug messaged began to showup, so I issued the show capture outside command again and recieved the expected output below:
     1: 15:44:18.570160 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500:  udp 868
     2: 15:44:18.579269 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1151:  udp 444
     3: 15:44:18.703866 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500:  udp 172
     4: 15:44:18.706567 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1151:  udp 76
     5: 15:44:18.831499 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500:  udp 92
     6: 15:44:19.024061 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1151:  udp 76
     7: 15:44:19.111963 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500:  udp 60
     8: 15:44:19.517185 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500:  udp 204
     9: 15:44:19.521350 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500:  udp 92
    10: 15:44:19.522723 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1151:  udp 252
    11: 15:44:42.121957 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 868
    12: 15:44:42.130822 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155:  udp 444
    13: 15:44:42.228397 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 172
    14: 15:44:42.231036 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155:  udp 76
    15: 15:44:42.329557 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 92
    16: 15:44:42.521091 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155:  udp 76
    17: 15:44:42.610167 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 60
    18: 15:44:42.649258 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 204
    19: 15:44:42.653790 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155:  udp 252
    20: 15:44:42.789342 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 1036
    21: 15:44:42.792119 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155:  udp 92
    22: 15:44:42.800846 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155:  udp 188
    23: 15:44:42.892120 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 60
    34: 15:44:54.446220 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 92
    35: 15:44:54.447913 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155:  udp 92
    70: 15:45:01.825000 802.1Q vlan#2 P0 OFFICE_IP.10000 > REMOTE_IP.10000:  udp 100
  174: 15:45:03.417764 802.1Q vlan#2 P0 OFFICE_IP.10000 > REMOTE_IP.10000:  udp 500
  377: 15:45:07.881500 802.1Q vlan#2 P0 REMOTE_IP.10000 > OFFICE_IP.10000:  udp 100    1: 15:44:18.570160 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500:  udp 868
     2: 15:44:18.579269 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1151:  udp 444
     3: 15:44:18.703866 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500:  udp 172
     4: 15:44:18.706567 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1151:  udp 76
     5: 15:44:18.831499 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500:  udp 92
     6: 15:44:19.024061 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1151:  udp 76
     7: 15:44:19.111963 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500:  udp 60
     8: 15:44:19.517185 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500:  udp 204
     9: 15:44:19.521350 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500:  udp 92
    10: 15:44:19.522723 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1151:  udp 252
    11: 15:44:42.121957 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 868
    12: 15:44:42.130822 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155:  udp 444
    13: 15:44:42.228397 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 172
    14: 15:44:42.231036 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155:  udp 76
    15: 15:44:42.329557 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 92
    16: 15:44:42.521091 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155:  udp 76
    17: 15:44:42.610167 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 60
    18: 15:44:42.649258 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 204
    19: 15:44:42.653790 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155:  udp 252
    20: 15:44:42.789342 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 1036
    21: 15:44:42.792119 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155:  udp 92
    22: 15:44:42.800846 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155:  udp 188
    23: 15:44:42.892120 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 60
    34: 15:44:54.446220 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 92
    35: 15:44:54.447913 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155:  udp 92
    70: 15:45:01.825000 802.1Q vlan#2 P0 OFFICE_IP.10000 > REMOTE_IP.10000:  udp 100
  174: 15:45:03.417764 802.1Q vlan#2 P0 OFFICE_IP.10000 > REMOTE_IP.10000:  udp 500
  377: 15:45:07.881500 802.1Q vlan#2 P0 REMOTE_IP.10000 > OFFICE_IP.10000:  udp 100
  It would seem as if no traffic reached the ASA until some outbound traffic to an arbitrary public IP. In this case I sent an echo request to a public DNS server. It seems almost like a state-table issue although I don't know how ICMP ties in.
  Once again, any insight would be greatly appreciated.
  Thanks,
  Justin

• Dynamic Data Connection Parameter and Report Parameters

  Post Author: despec
  CA Forum: General
  Hello to all,I am using a business view that is based on a dynamic data connection of 13 databases, each a different school.  When I use the BV is a CXrystal Report (XI), it correctly, of course, uses the "read only" parameter for me to select a school.  My problem arises when I try to enter a student name "list of values"  parameter using that same dynamic data connection.  After I select the "read only" school parameter, I then  select that student name and immediately, the "read only" school parameter resets to "--".  Therefore when I click okay, I get an error saying that my selection for the first parameter is invalid.Anyone have any suggestion on how I may be able to resolve this?Thanks,David

  Hello,
  Jsut a reminder this is not a Support Case Management system but for all to use.
  Since you have BOE 3.1 you should have a valid support contract. Log into Service Market Place and create a case on line and a support Engineer will call you.
  If you don't know how to then ask your Manager who is your SAP Account Super User and that person can add you to the list and give you a log in ID and password.
  Thank you
  Don

• Multiple VPN connection question

  I want to connect two on-premise locations to azure.  The hardware in these locations only support static routing so per the documentation I can only connect on site to site tunnel to the vpn connection in azure.
  Im curious what my options are, can I add two vpn's in azure and make it all work that way?  Also if I wanted could I simply run a VM (windows rras, linux, etc) inside my VNET and make it a VPN server that can accept two tunnels?
  thanks

  Hi Chris,
  Please be advised that for a Multi-Site VPN, you need to have a VPN Device that is compatible with Dynamic Routing.
  You could refer the following link for details about Multi-Site VPN:
  http://msdn.microsoft.com/en-us/library/azure/dn690124.aspx
  And the following link for the list of Azure Compatible VPN Devices and the Routing Configurations they support:
  http://msdn.microsoft.com/en-us/library/azure/jj156075.aspx#bkmk_VPN_Devics
  Also, please be advised Microsoft Azure Virtual Machines do not support Remote Access and Routing Roles.
  You could refer the following link for details:
  http://support.microsoft.com/kb/2721672
  Regards,Malar.

• Slow transfer speed over VPN connection

  Hello,
  Recently I setup an SSL VPN to connect to my parent's home network.  I have some computers there, and want to try to transfer files between my computer and the one at my parent's.  Over the VPN connection, I only get 128kb/s.  On both ends, they are 15Mbps connections, and can support internal copies of 4 megs/s.  I feel like I should get a better speed than that.  I looked around, and people suggested changing the MTU.  I have changed the MTU around, and not noticed any increase in the network speed over the VPN.  Currently the MTU is at 1500.  Below is a copy of my running config.  Any thing I'm overlooking, or is this speed normal?  Sorry, still relatively new to the ASA 5505.
  ASA Version 8.2(5)
  hostname HardmanASA
  enable password #####
  passwd ###### encrypted
  names
  interface Ethernet0/0
  switchport access vlan 20
  interface Ethernet0/1
  switchport access vlan 10
  interface Ethernet0/2
  switchport access vlan 10
  interface Ethernet0/3
  shutdown
  interface Ethernet0/4
  shutdown
  interface Ethernet0/5
  shutdown    
  interface Ethernet0/6
  shutdown
  interface Ethernet0/7
  switchport access vlan 10
  interface Vlan1
  no nameif
  no security-level
  no ip address
  interface Vlan10
  nameif inside
  security-level 100
  ip address 192.168.250.1 255.255.255.0
  interface Vlan20
  nameif outside
  security-level 0
  ip address dhcp setroute
  ftp mode passive
  dns domain-lookup inside
  dns domain-lookup outside
  access-list nat_0 extended permit ip 192.168.250.0 255.255.255.0 192.168.251.0 255.255.255.0
  access-list split_tunnel standard permit 192.168.250.0 255.255.255.0
  pager lines 24
  mtu inside 1500
  mtu outside 1500
  ip local pool VPN_Pool 192.168.251.100-192.168.251.101 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  global (outside) 10 interface
  nat (inside) 0 access-list nat_0
  nat (inside) 10 192.168.250.0 255.255.255.0
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication ssh console LOCAL
  http server enable
  http 192.168.250.0 255.255.255.0 inside
  http 192.168.251.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  telnet timeout 5
  ssh 192.168.250.0 255.255.255.0 inside
  ssh 192.168.251.0 255.255.255.0 inside
  ssh timeout 5
  ssh version 2
  console timeout 0
  management-access inside
  dhcpd dns 8.8.8.8
  dhcpd address 192.168.250.20-192.168.250.50 inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  enable outside
  svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
  svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
  svc image disk0:/anyconnect-linux-2.5.2014-k9.pkg 3
  svc enable
  tunnel-group-list enable
  group-policy DfltGrpPolicy attributes
  dns-server value 8.8.8.8
  vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value split_tunnel
  username ###### password ###### encrypted
  tunnel-group AnyConnect type remote-access
  tunnel-group AnyConnect general-attributes
  address-pool VPN_Pool
  tunnel-group AnyConnect webvpn-attributes
  group-alias AnyConnect enable
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect ip-options
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny 
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip 
    inspect xdmcp
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:74fc2287573841a837e97887840a2d91
  : end

  Hi,
  Another option is the use of the compression command, this is usually enabled by default but maybe you can enter it due to is not showed in the running config, the command is compression svc.
  Note: The command helps when we have low bandwitdh connections, the command reduces the size if the packets, for broadband connections this can decrease regular performance
  Regards,
  Sent from Cisco Technical Support iPhone App

• Branch Office DC Demand Dial VPN connection keeps failing

  here is me issue
  Our Branch Office DC is connected to Main Office DC with a Demand Dial Connection in RRAS Everything is connected fine for a little bit then its like the connection just gives out, it stays connected but i cannot ping the branch office DC with the local
  IP from the Main Office or access any network shares on it. When this happens i have to disconnect the server at the remote office and wait for it to reconnect im currently baffled as there are no Error LOGS to help me along and there doesnt seem to be anything
  that would be causing the issue for now until i get some answers as to what is going on i opened a command prompt on the DC here at the main office and i typed "ping 10.141.70.25 -t100" to monitor the connection more or less and when i see it timeout
  i reconnect it, i also have the networking tab open in task manager to monitor the LAN and RAS (Dial-In) Interface  the LAN doesnt seem too active but the RAS Interface does its got a constant network utilization of 0.28% and the Demand Dial interface
  on the remote office DC has a Utilization of 0.38% (Server Just disconnected as i was typing this and the utilization on the VPN connections on both servers went through the roof) heres the troubleshooting i have tried so far
  1. Rebooted both office DC`s at the same time
  2. Rebooted the branch office DC alone (this helped a little because the connection is staying active longer without fail)
  3. looked through all RRAS configuration on both servers to see if theres any mistakes by any other administrators (None Were Found)
  4. Used wireshark to see if there was anything interfering or that would cause this to happen (Nothing found)
  5. manually connected to the server in multiple ways like accessing network shares and remote management via MMC and manually making the servers replicate to see if any of that was causing issues and it wasnt
  My thoughts: im starting to think it may be a switch or something causing the connection issue at the branch office because the main office has all new routers and switches and just recently got a 100.00MBPS connection but nothing was affected for a good
  month so im not thinking it is the new connection or anything at the main office if theres something im overlooking here please let me know if some ipconfig /all results are needed i can provide them
  Viper Technologies Computer Repair Putting The Venomus Bite Back In Your Computer We Are Located In Antigonish ,NS Canada Check Us Out HTTP://WWW.VIPERTECHNOLOGIES.TK

  Hi,
  Are there any error messages on the event log ?
  Meanwhile, it is more network issue, i think you may ask in network forums:
  http://social.technet.microsoft.com/Forums/en-US/home?forum=winserverNIS
  Regards.
  Vivian Wang

• VPN connection created with CMAK fails to update routing table on Windows 8.1 with error 8000ffff

  When my clients connect their CMAK-created VPN, it fails to run the script to set their routing table with the following error:
  Custom script (to update your routing table) failed (8000ffff)
  My objective is to create a VPN connection with split tunneling - does not use the VPN connection as the client's default gateway.
  All my clients are on Windows 8.1 64-bit, and are logged in with Administrative privileges
  My VPN Clients are on 10.242.2.0/24, my internal network is on 10.172.16.0/24
  I want only traffic for 10.172.16.0 to go via the VPN. Everything else should go via the client's internet connection
  My Connection Manager Administration Kit profile, was created on Windows 2012 R2 CMAK with the following settings:
  "Make this connection the client's default gateway" is UNticked on the IPv4 tab.
  Define a routing table update is specified with a text file containing:
  +++ Start of txt file +++
  REMOVE_GATEWAY
  add 10.172.16.0 mask 255.255.255.0 default metric default if default
  +++ End of txt file +++
  The txt file is saved in DOS/Windows format (not Unicode or UTF-8 which I've read causes problems)
  I've tried everything in lower and upper case in the txt file after reading that the file might be case sensitive
  The following appears on the client with logging enabled:
  [cmdial32] 10:42:34
  03 Pre-Init Event       CallingProcess = C:\WINDOWS\system32\rasautou.exe
  [cmdial32] 10:42:40
  04 Pre-Connect Event    ConnectionType = 1
  [cmdial32] 10:42:40
  06 Pre-Tunnel Event     UserName = UserName Domain =  DUNSetting = VPN (L2TP x64 NoGW) Tunnel DeviceName =  TunnelAddress = vpn.mydomain.tld
  [cmdial32] 10:42:43
  07 Connect Event
  [cmdial32] 10:42:43
  09 Custom Action Exe    ActionType = Connect Actions Description = (none) ActionPath = CMDL32.EXE. The program was launched successfully.
  [cmdial32] 10:42:43
  08 Custom Action Dll    ActionType = Connect Actions Description = to update your routing table ActionPath = C:\Users\UserName\AppData\Roaming\Microsoft\Network\Connections\Cm\VPN64\CMROUTE.DLL ReturnValue
  = 0x8000ffff
  [cmdial32] 10:42:43
  21 On-Error Event       ErrorCode = -2147418113 ErrorSource = to update your routing table
  [cmdial32] 10:42:43
  13 Disconnect Event     CallingProcess = C:\WINDOWS\system32\cmdial32.dll
  Where can I find out what error codes 8000ffff or -2147418113 mean?

  That was it. Thanks, Steven
  "By default, the dial-up entry and the VPN entry have Make this connection the default gateway selected.
  Leave this default in place, and remove any gateways by using the REMOVE_GATEWAY command in the routing table update file itself."
  It seems counter-intuitive to leave
  Make this connection the default gateway selected, when I specifically don't want that behaviour, but leaving it selected and using REMOVE_GATEWAY works for me.

• IPad2, Verizon 3G, VPN Connectivity Issues

  Greetings all. I am the systems administrator for my corporation and have seen an issue that I wish to present to the community for discussion.
  For those enterprise users that have an iPad2 with Verizons 3G, are you experiencing connectivity issues while trying to connect to your VPNs from the 3G network? If so, have you found any work around to allow connectivity or does it work fine for you?
  Here's a summary of my issues:
  We have a VPN server built on Debian Linux that has been in operation for over four years. It handles remote VPN connections from Windows, Linux,  Android, OS X, iOS, and from many different devices including multiple flavors of Apple products (iMacs, Minis, MacBooks, iPads, etc.). To date, it has performed flawlessly with assorted devices connecting to it through broadband and assorted 3G networks.
  Recently I purchased an iPad2 with Verizon 3G. I was able to set up the VPN connection using PPTP and connect using a Wi-Fi connection. When I turned off the Wi-Fi and attempted the same connection via Verizon 3G, it fails. I then took an associates iPad1 using AT&T 3G, set up the same connection, and was able to connect. I don't have access to an iPad2 on AT&T 3G so, I can't speak for that.
  Here's the logs from the VPN server while connecting from my iPad2:
  Wi-Fi
  Jul 27 05:20:43 localhost pppd[31694]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
  Jul 27 05:20:43 localhost pppd[31694]: pptpd-logwtmp: $Version$
  Jul 27 05:20:43 localhost pppd[31694]: pppd 2.4.4 started by root, uid 0
  Jul 27 05:20:43 localhost pppd[31694]: Using interface ppp2
  Jul 27 05:20:43 localhost pppd[31694]: Connect: ppp2 <--> /dev/pts/4
  Jul 27 05:20:46 localhost pppd[31694]: Unsupported protocol 'IPv6 Control Protocol' (0x8057) received
  Jul 27 05:20:46 localhost pppd[31694]: found interface eth1 for proxy arp
  Jul 27 05:20:46 localhost pppd[31694]: local  IP address 192.168.1.69
  Jul 27 05:20:46 localhost pppd[31694]: remote IP address 192.168.1.82
  Jul 27 05:20:46 localhost pppd[31694]: pptpd-logwtmp.so ip-up ppp2 scott XXX.XXX.XXX.XXX (removed external IP for security reasons)
  Quick connect, able to utilize VPN connection normally. No issues.
  Verizon 3G
  Jul 27 05:20:29 localhost pppd[31682]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
  Jul 27 05:20:29 localhost pppd[31682]: pptpd-logwtmp: $Version$
  Jul 27 05:20:29 localhost pppd[31682]: pppd 2.4.4 started by root, uid 0
  Jul 27 05:20:29 localhost pppd[31682]: Using interface ppp2
  Jul 27 05:20:29 localhost pppd[31682]: Connect: ppp2 <--> /dev/pts/4
  Jul 27 05:20:32 localhost pppd[31682]: peer refused to authenticate: terminating link
  Jul 27 05:20:33 localhost pppd[31682]: Connection terminated.
  Jul 27 05:20:33 localhost pppd[31682]: Exit.
  As you can see, the peer refuses to authenticate causing the link to be terminated while attempting to connect using Verizons network. This is with the same VPN connection settings on the iPad2 that just worked with WiFi connection from the same device.
  Here's what I can verify with regards to 3G networks:
  Older (<4) iPhones and iPad1 using AT&T can connect
  Windows and OS X based laptops using Sprint 3G can connect
  Android based smart phones using Sprint 3G can connect
  I have not called Verizon or Apple Support yet but, that's next when I have the time. My initial conclusion is that there is something with Verizons 3G services that is causing the issue. It may be that Verizon is using some sort of data compression process that is problematic with VPN transmission. While the log shows an unsupported IPv6 protocol when connecting via Wi-Fi, it still negotiates a successful connection and I don't think that's the root cause for the disconnect. Thoughts?

  Hi Alexander,
  I am running in to the exact same issue (although not with Linux).  Did you ever find a fix for this?  I have some support tickets open with my VAR's, but found your post and thought I would check.  If I find anything I will post.
  Thanks
  Stu

• UNABLE TO ACCESS THE INTERNET FROM LOCAL PROVIDER ON A SITE-TO-SITE VPN CONNECTION

  Dear All,
  I have a site-to-site connection  from point A to point B. From point B i am unable to access the internet from local internet provider.
  I am trying to ping from 192.168.20.1 the dns 8.8.8.8   but i receive the  message "destination net unreachable".
  When i run "show ip nat translation" i receive nothing.
  The vpn connection is working properly, i can ping the other side 192.168.10/24
  Below is the configuration of the cisco router on point B.
  dot11 syslog
  ip source-route
  no ip dhcp use vrf connected
  ip dhcp excluded-address 192.168.21.254
  ip dhcp pool voice
   network 192.168.21.0 255.255.255.0
   default-router 192.168.21.254 
   option 150 ip 192.168.5.10 
  ip cef
  ip domain name neocleous.ru
  ip inspect name IOS_FIREWALL tcp
  ip inspect name IOS_FIREWALL udp
  ip inspect name IOS_FIREWALL icmp
  ip inspect name IOS_FIREWALL h323
  ip inspect name IOS_FIREWALL http
  ip inspect name IOS_FIREWALL https
  ip inspect name IOS_FIREWALL skinny
  ip inspect name IOS_FIREWALL sip
  no ipv6 cef
  multilink bundle-name authenticated
  vty-async
  isdn switch-type primary-net5
  redundancy
  crypto isakmp policy 5
   hash md5
   authentication pre-share
   group 2
  crypto isakmp policy 10
   encr aes
   authentication pre-share
   group 2
   lifetime 28800
  crypto isakmp policy 50
   encr 3des
   hash md5
   authentication pre-share
   group 2
  crypto isakmp key Pb85heuvMde9Wdac5Qohha7lziIf142u address [ip address]
  crypto isakmp invalid-spi-recovery
  crypto isakmp keepalive 10
  crypto ipsec transform-set TRANSET esp-aes esp-sha-hmac 
  crypto ipsec transform-set TRANSET2 esp-des esp-md5-hmac 
  crypto ipsec df-bit clear
  crypto map CryptoMAP1 ipsec-isakmp 
   set peer [ip address]
   set transform-set TRANSET 
   match address CryptoACL
  interface FastEthernet0/0
   description Primary Provider
   ip address [PUBLIC IP MAIN PROVIDER] 255.255.255.252
   ip access-group outside_acl in
   ip mtu 1390
   ip nat outside
   ip virtual-reassembly in
   load-interval 30
   duplex auto
   speed auto
   crypto map CryptoCY
   crypto ipsec df-bit clear
  interface FastEthernet0/1
   description TO LAN
   no ip address
   load-interval 30
   speed 100
   full-duplex
  interface FastEthernet0/1.1
   description DATA VLAN
   encapsulation dot1Q 20
   ip address 192.168.20.254 255.255.255.0
   ip access-group inside_acl in
   ip nat inside
   ip inspect IOS_FIREWALL in
   ip virtual-reassembly in
   ip tcp adjust-mss 1379
  interface FastEthernet0/1.2
   description VOICE VLAN
   encapsulation dot1Q 21
   ip address 192.168.21.254 255.255.255.0
  interface Serial0/2/0:15
   no ip address
   encapsulation hdlc
   isdn switch-type primary-net5
   isdn incoming-voice voice
   no cdp enable
  interface FastEthernet0/3/0
   no ip address
   ip access-group outside_acl in
   ip nat outside
   ip virtual-reassembly in
   shutdown
   duplex auto
   speed auto
   crypto map CryptoCY
  ip local pool VPNPool 192.168.23.2 192.168.23.10
  ip forward-protocol nd
  ip http server
  no ip http secure-server
  ip nat inside source list nat_list interface FastEthernet0/3/0 overload
  ip route 0.0.0.0 0.0.0.0 [default gateway ip]
  ip access-list standard VTY
    permit 192.168.20.0 0.0.0.255
  ip access-list extended CryptoACL
   permit ip 192.168.20.0 0.0.0.255 192.168.3.0 0.0.0.255
   permit ip 192.168.21.0 0.0.0.255 192.168.5.0 0.0.0.255
   permit ip 192.168.21.0 0.0.0.255 192.168.6.0 0.0.0.255
   permit ip 192.168.21.0 0.0.0.255 192.168.12.0 0.0.0.255
   permit ip 192.168.21.0 0.0.0.255 192.168.2.0 0.0.0.255
   permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
   permit ip host 192.168.22.1 192.168.5.0 0.0.0.255
   permit ip host 192.168.20.1 192.168.5.0 0.0.0.255
   permit ip host 192.168.22.1 192.168.6.0 0.0.0.255
  ip access-list extended DFBIT_acl
   permit tcp any any
  ip access-list extended inside_acl
   permit ip 192.168.20.0 0.0.0.255 host 192.168.3.35
   permit ip 192.168.20.0 0.0.0.255 host 192.168.3.39
   permit ip 192.168.20.0 0.0.0.255 host 192.168.3.23
   permit ip 192.168.20.0 0.0.0.255 host 192.168.3.18
   permit ip 192.168.20.0 0.0.0.255 host 192.168.3.55
   permit ip 192.168.20.0 0.0.0.255 host 192.168.10.144
   permit ip 192.168.20.0 0.0.0.255 host 192.168.10.146
   permit ip 192.168.20.0 0.0.0.255 host 192.168.10.141
   permit ip host 192.168.20.253 host 192.168.3.21
   permit ip host 192.168.20.254 host 192.168.3.21
   permit ip 192.168.20.0 0.0.0.255 host 192.168.3.10
   permit ip 192.168.20.0 0.0.0.255 host 192.168.20.254
  ip access-list extended nat_list
   deny   ip host 192.168.20.254 192.168.10.0 0.0.0.255
   deny   ip host 192.168.20.254 192.168.3.0 0.0.0.255
   deny   ip host 192.168.20.1 192.168.3.0 0.0.0.255
   deny   ip host 192.168.20.1 192.168.10.0 0.0.0.255
   deny   ip host 192.168.20.2 192.168.3.0 0.0.0.255
   deny   ip host 192.168.20.2 192.168.10.0 0.0.0.255
   permit ip host 192.168.20.1 any
   permit ip host 192.168.20.2 any
   permit ip host 192.168.20.254 any
  ip access-list extended outside_acl
   permit gre any host [ip address]
   permit esp any host [ip address]
   deny   ip any any
  ip sla 2
   icmp-echo 192.168.10.254 source-interface FastEthernet0/1.1
   frequency 180
   timeout 500
  ip sla schedule 2 life forever start-time now
  logging 192.168.3.21
  route-map DFBIT_routemap permit 10
   match ip address DFBIT_acl
   set ip df 0
  route-map ISP2 permit 10
   match ip address nat_list
   match interface FastEthernet0/3/0
  route-map nonat permit 10
   match ip address nonat_acl
  route-map ISP1 permit 10
   match ip address nat_list
   match interface FastEthernet0/0

  You cannot access internet, because all traffic is tunneled for VPN !!!!
  Please see cisco tech documentation and bypass traffic for internet.
  eg.  if lan traffic is going from site a to site b  then through vpn
        else
         lan traffic to internet (any) should be out thorugh the vpn .