MAPI latency/slowness over L2L VPN

We recently implented an email archiving solution (Symantec Enterprise Vault) that sends the archives to a vendor across a L2L VPN on an ASA 5510.  EV apparently uses MAPI during the archive process.
We're experencing slowness during the archive process, and the slowness seems to originate with the VPN tunnel.
I'm reaching out to see if anyone has had any experience with MAPI over VPN or if anyone has seen a similar issue.
The vendor is saying it's a "network issue", which I seriously doubt.
Thanks.

We recently implented an email archiving solution (Symantec Enterprise Vault) that sends the archives to a vendor across a L2L VPN on an ASA 5510.  EV apparently uses MAPI during the archive process.
We're experencing slowness during the archive process, and the slowness seems to originate with the VPN tunnel.
I'm reaching out to see if anyone has had any experience with MAPI over VPN or if anyone has seen a similar issue.
The vendor is saying it's a "network issue", which I seriously doubt.
Thanks.

Similar Messages

  • LAN Pool cant communicate over L2L VPN on AdvanceSecurity IOS

    Hi i have strange issue, when i upgraded my Cisco Router IOS of Advance Security IOS before that all was good on advanceipservices.
    IPSEC VPN is up
    But No traffic Passing.
    Traffic does pass if i make Source IP as loop back on same router A having VPN (Loopback 100) , but traffic dont pass/cannot ping when i try to generate it from my one hope before the router that is my CORE switches by creating loopback on CORE switch.
    is this IOS behaving like ASA? do i need to enable some kind of security levels on interfaces? or statefull issue etc? any help would be great
    VPN Router A
    for understanding
    GigabitEthernet0/0.1       10.174.1.4
    GigabitEthernet0/0.202     222.125.139.225
    Loopback 100 100.100.100.100
    ip route 101.101.101.101 255.255.255.255 GigabitEthernet0/0.202
    VPN Router B
    GigabitEthernet0/0.1       10.110.1.4
    GigabitEthernet0/0.202     203.126.123.145
    Loopback 101 101.101.101.101
    ip route 100.100.100.100 255.255.255.255 GigabitEthernet0/0.202
    again: VPN dont have any issue in itself, since when loopback are made on routers they do ping, and when i create same loop back on my core switches it done ( i do proper static routing when i move loopback on core so routing is not issue )

    My issues is resvoled by upgrading to advance ip services again.
    so its some feature or bug with IOS for sure, since config was untouched

  • SMB Extremely Slow over VPN With Windows Server 2003

    Hello everyone,
    I finally convinced another person at my law firm to switch to a MacBook Pro. In preparation, I am attempting to fix any compatibility problems that would put off this new user. Unfortunately, our IT guy recently switched us to a Sonicwall SSL-VPN 200. I can connect to our server through the VPN client with no problems and I can mount our internal file server, but the connection is incredibly slow. My initial reaction was that it must be a problem with Windows Server 2003 and SMB, but I was previously able to connect to and operate on our VPN through our old Fortinet (ipsec) device with no problems. Simply put, directory switching, file moving, etc. are all now incredibly slow over the VPN. Help!

    Full support for SMB signing did not appear until Samba 3.0.2 released in 2004. Mac OS X 10.5 (Leopard) supports SMB signing. Previous versions require either disabling SMB signing server-side, using a third party SMB client, using the command-line smbclient program, or updating samba yourself.

  • Very slow Windows domain login over IPSec VPN

    Hi
    I'm experiencing very slow Windows domain logins over an IPSec VPN connection. The AD is in Site 1, some users are in Site 2. Two Cisco ASA firewalls connect both sites by an IPSec VPN over the Internet.
    I made some registery changes on the Windows XP client on site2 to let Kerberos communicate over TCP instead of UDP. Still the logins take extremely long (45 minutes). Profiles are very small, so there had to be a problem with Kerberos, MTU sizes or somethin like that. I already changed the clients MTU settings to 1000 byes, but login is still very slow. I made some sniffer logs...
    Does anybody know what the problem can be ?
    Regards
    Remco

    Hi Remco,
    The most common issue with slowness over VPN is going to be fragementation. In general below are the recommendations to avoid fragmentation
    1. For TCP traffic, use "ip tcp adjust-mss 1360" on the Internal LAN Interface on the Router. If you are using GRE then configure "ip mtu 1400" under the Tunnel Interface.
    If you are not using GRE then the value of "ip tcp adjust-mss" depends on the type of transform-set being used E.g. AES\3DES etc, so you can increase the value of TCP adjust command from 1360 to a higher value. Though I will start from 1360 first for testing.
    Also take a look at the below article for MTU Issues
    http://www.cisco.com/en/US/customer/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml
    Thanks,
    Naman

  • L2L VPN Decrypted Traffic Not Exiting ASA

    Hi,
    I have a pair of ASAs runing version 9.1 at the remote site and 8.4 (4) at the local site. When sending traffic over the tunnel from the local to remote, I can see in the IPSec SA the encap packet count increasing locally and the decap count increasing on the remote ASAs but no traffic is egressing the remote ASA's interfaces.
    Here is the remote ASAs config:
    GigabitEthernet0/0       outside                x.x.x.123       255.255.255.192GigabitEthernet0/1.701   dev_1                  10.140.0.1      255.255.255.0crypto map VPN-Z 10 match address acl_temp_vpncrypto map VPN-Z 10 set pfs crypto map VPN-Z 10 set peer x.x.x.67 crypto map VPN-Z 10 set ikev1 transform-set ESP-3DES-SHAcrypto map VPN-Z 10 set security-association lifetime seconds 28800crypto map VPN-Z 10 set security-association lifetime kilobytes 4608000crypto map VPN-Z 10 set nat-t-disablecrypto map VPN-Z interface outsideaccess-list acl_temp_vpn line 1 extended permit ip 10.140.0.0 255.255.0.0 object-group zx-subs (hitcnt=5) 0x3e8360b3 access-list acl_temp_vpn line 1 extended permit ip 10.140.0.0 255.255.0.0 10.0.0.0 255.0.0.0 (hitcnt=0) 0x5cf3e6d1 access-list acl_temp_vpn line 1 extended permit ip 10.140.0.0 255.255.0.0 172.16.0.0 255.240.0.0 (hitcnt=15) 0x73407a52 access-list acl_temp_vpn line 1 extended permit ip 10.140.0.0 255.255.0.0 192.168.0.0 255.255.0.0 (hitcnt=0) 0xe1b9579c access-list acl_temp_vpn line 1 extended permit ip 10.140.0.0 255.255.0.0 x.x.x.224 255.255.255.224 (hitcnt=0) 0x894cf410 access-list acl_temp_vpn line 1 extended permit ip 10.140.0.0 255.255.0.0 x.x.x.0 255.255.255.192 (hitcnt=0) 0xa879a3f1tunnel-group x.x.x.67 type ipsec-l2ltunnel-group x.x.x.67 ipsec-attributes ikev1 pre-shared-key *****nat (dev_1,outside) source static dev_1-sub dev_1-sub destination static zx-subs zx-subs
    Here is the ipsec sa stats
    Crypto map tag: VPN-Zanox, seq num: 10, local addr: x.x.x.123access-list acl_temp_vpn extended permit ip 10.140.0.0 255.255.0.0 172.16.0.0 255.240.0.0       local ident (addr/mask/prot/port): (10.140.0.0/255.255.0.0/0/0)      remote ident (addr/mask/prot/port): (172.16.0.0/255.240.0.0/0/0)      current_peer: x.x.x.67      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0      #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
    With a dump on the dev_1 interface
    capture dev type raw-data interface dev_1 [Capturing - 0 bytes]   match tcp any any
    With packet tracer the egress interface is correct but in the capture there appears to be nothing traversing the interface.
    Can any body see anything wrong wiht this config or any suggestions as to might be going wrong?
    Thanks
    James

    Hi Javier,
    Packet-tracer output with a temp ACL to permit ip any any inbound on the outside interface:
    l-de-ham-asa-01/act(config)# packet-tracer input outside tcp 172.22.0.90 1234 10.140.0.10 22Phase: 1Type: UN-NATSubtype: staticResult: ALLOWConfig:nat (dev_1,outside) source static dev_1-sub dev_1-sub destination static zx-subs zx-subsAdditional Information:NAT divert to egress interface dev_1Untranslate 10.140.0.10/22 to 10.140.0.10/22Phase: 2Type: ROUTE-LOOKUPSubtype: inputResult: ALLOWConfig:Additional Information:in   0.0.0.0         0.0.0.0         outsidePhase: 3Type: ACCESS-LISTSubtype: logResult: ALLOWConfig:access-group acl_outside in interface outsideaccess-list acl_outside extended permit ip any any access-list acl_outside remark Zugriffsrichtlinie fuer ICMP Antworten aus dem InternetAdditional Information:Phase: 4Type: CONN-SETTINGSSubtype: Result: ALLOWConfig:Additional Information:Phase: 5Type: NATSubtype: Result: ALLOWConfig:nat (dev_1,outside) source static dev_1-sub dev_1-sub destination static zx-subs zx-subsAdditional Information:Static translate 172.22.0.90/1234 to 172.22.0.90/1234Phase: 6Type: NATSubtype: per-sessionResult: ALLOWConfig:       Additional Information:Phase: 7Type: IP-OPTIONSSubtype: Result: ALLOWConfig:Additional Information:Phase: 8Type: VPNSubtype: ipsec-tunnel-flowResult: DROPConfig:Additional Information:Result:input-interface: outsideinput-status: upinput-line-status: upoutput-interface: dev_1output-status: upoutput-line-status: upAction: dropDrop-reason: (acl-drop) Flow is denied by configured rule
    This is the same result from another site that has an L2L VPN configured.
    ASP drop capture to follow...

  • L2L VPN Issue - one subnet not reachable

    Hi Folks,
    I have a strange issue with a new VPN connection and would appreciate any help.
    I have a pair of Cisco asa 5540s configured as a failover pair (code version 8.2(5)).   
    I have recently added 2 new L2L VPNs - both these VPNs are sourced from the same interface on my ASA (called isp), and both are to the same customer, but they terminate on different firewalls on the cusomter end, and encrypt traffic from different customer subnets.    There's a basic network diagram attached.
    VPN 1 - is for traffic from the customer subnet 10.2.1.0/24.    Devices in this subnet should be able to access 2 subnets on my network - DMZ 211 (192.168.211.0./24) and DMZ 144 (192.168.144.0/24).    This VPN works correctly.
    VPN 2 - is for traffic from the customer subnet 192.168.1.0/24.    Devices in  this subnet should be able to access the same 2 subnets on my network - DMZ 211  (192.168.211.0./24) and DMZ 144 (192.168.144.0/24).    This VPN is not working correctly - the customer can access DMZ 144, but not DMZ 211.
    There are isakmp and ipsec SAs for both VPNs.    I've noticed that the packets encaps/decaps counter does not increment when the customer sends test traffic to DMZ 211.  This counter does increment when they send test traffic to DMZ144.   I can also see traffic sent to DMZ 144 from the customer subnet 192.168.1.0/24 in packet captures on the DMZ 144 interface of the ASA.   I cannot see similar traffic in captures on the DMZ211 interface (although I can see traffic sent to DMZ211 if it is sourced from 10.2.1.0/24 - ie when it uses VPN1)
    Nat exemption is configured for both 192.168.1.0/24 and 10.2.1.0/24.
    There is a route to both customer subnets via the same next hop.
    There is nothing in the logs toindicate that traffic from 192.168.1.0/24 is being dropped
    I suspect that this may be an issue on the customer end, but I'd like to be able to prove that.   Specifically, I would really like to be able to capture traffic destined to DMZ 211 on the isp interface of the firewall after it has been decrypted - I don't know if this can be done however, and I haven'treally found a good way to prove or disprove that VPN traffic from 192.168.1.0/24 to DMZ211 is arriving at the isp interface of my ASA, and to show what's happening to that traffic after it arrives.
    Here is the relevant vpn configuration:
    crypto map MY_CRYPTO_MAP 90 match address VPN_2
    crypto map MY_CRYPTO_MAP 90 set peer 217.154.147.221
    crypto map MY_CRYPTO_MAP 90 set transform-set 3dessha
    crypto map MY_CRYPTO_MAP 90 set security-association lifetime seconds 86400
    crypto map MY_CRYPTO_MAP 100 match address VPN_1
    crypto map MY_CRYPTO_MAP 100 set peer 193.108.169.48
    crypto map MY_CRYPTO_MAP 100 set transform-set 3dessha
    crypto map MY_CRYPTO_MAP 100 set security-association lifetime seconds 86400
    crypto map MY_CRYPTO_MAP interface isp
    ASA# sh access-list VPN_2
    access-list VPN_2; 6 elements; name hash: 0xa902d2f4
    access-list VPN_2 line 1 extended permit ip object-group VPN_2_NETS 192.168.1.0 255.255.255.0 0x56c7fb8f
      access-list VPN_2 line 1 extended permit ip 192.168.144.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=45) 0x93b6dc21
      access-list VPN_2 line 1 extended permit ip 192.168.211.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=6) 0x0abf7bb9
      access-list VPN_2 line 1 extended permit ip host 192.168.146.29 192.168.1.0 255.255.255.0 (hitcnt=8) 0xcc48a56e
    ASA# sh access-list VPN_1
    access-list VPN_1; 3 elements; name hash: 0x30168cce
    access-list VPN_1 line 1 extended permit ip 192.168.144.0 255.255.252.0 10.2.1.0 255.255.255.0 (hitcnt=6) 0x61759554
    access-list VPN_1 line 2 extended permit ip 192.168.211.0 255.255.255.0 10.2.1.0 255.255.255.0 (hitcnt=3) 0xa602c97c
    access-list VPN_1 line 3 extended permit ip host 192.168.146.29 10.2.1.0 255.255.255.0 (hitcnt=0) 0x7b9f32e3
    nat (dmz144) 0 access-list nonatdmz144
    nat (dmz211) 0 access-list nonatdmz211
    ASA# sh access-list nonatdmz144
    access-list nonatdmz144; 5 elements; name hash: 0xbf28538e
    access-list nonatdmz144 line 1 extended permit ip 192.168.144.0 255.255.255.0 192.168.0.0 255.255.0.0 (hitcnt=0) 0x20121683
    access-list nonatdmz144 line 2 extended permit ip 192.168.144.0 255.255.255.0 172.28.2.0 255.255.254.0 (hitcnt=0) 0xbc8ab4f1
    access-list nonatdmz144 line 3 extended permit ip 192.168.144.0 255.255.255.0 194.97.141.160 255.255.255.224 (hitcnt=0) 0xce869e1e
    access-list nonatdmz144 line 4 extended permit ip 192.168.144.0 255.255.255.0 172.30.0.0 255.255.240.0 (hitcnt=0) 0xd3ec5035
    access-list nonatdmz144 line 5 extended permit ip 192.168.144.0 255.255.255.0 10.2.1.0 255.255.255.0 (hitcnt=0) 0x4c9cc781
    ASA# sh access-list nonatdmz211 | in 192.168\.1\.
    access-list nonatdmz1 line 3 extended permit ip 192.168.211.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=0) 0x2bbfcfdd
    ASA# sh access-list nonatdmz211 | in 10.2.1.
    access-list nonatdmz1 line 4 extended permit ip 192.168.211.0 255.255.255.0 10.2.1.0 255.255.255.0 (hitcnt=0) 0x8a836d91
    route isp 192.168.1.0 255.255.255.0 137.191.234.33 1
    route isp 10.2.1.0 255.255.255.0 137.191.234.33 1
    Thanks in advance to anyone who gets this far!

    Darragh
    Clearing the counters was a good idea. If the counter is not incrementing and if ping from the remote side is not causing the VPN to come up it certainly confirms that something is not working right.
    It might be interesting to wait till the SAs time out and go inactive and then test again with the ping from the remote subnet that is not working. Turn on debug for ISAKMP and see if there is any attempt to negotiate. Especially if you do not receive any attempt to initiate ISAKMP from then then that would be one way to show that there is a problem on the remote side.
    Certainly the ASA does have the ability to do packet capture. I have used that capability and it can be quite helpful. I have not tried to do a capture on the outside interface for incoming VPN traffic and so am not sure whether you would be capturing the encrypted packet or the de-encrypted packet. You can configure an access list to identify traffic to capture and I guess that you could write an access list that included both the peer addresses as source and destination to capture the encrypted traffic and entries that were the un-encrypted source and destination subnets to capture traffic after de-encryption.
    HTH
    Rick

  • Is it OK to have two SBS Servers with same name, on different subnets but connected over a VPN?

    Hi Everyone,
                       I'm just about to connect up two SBS 2011 Servers with the same server name but on different subnets & domains over a VPN.
    So for example both servers will have the name Server01, one would have an ip address of 192.168.85.5, the other 192.168.86.5, they both then would be connected over a VPN.
    Can anyone foresee any issues with this configuration, like DNS & DHCP requests, adding new machines to the domain, mapping drives etc.
    Many thanks,
    Nick

    Hi Larry & Strike First,
                      Thank you for your responses. I understand that this is an unusual situation. Basically I've recently taken over the IT support for this client. The client has just had a new phone system installed
    & are asking if they can speak to each office internally, which can easily be done once I setup the VPN.
    However I noticed whilst looking at this further that the Server names are the same, hence my question?
    Am I right in saying that providing the workstations  have a trust relationship with their own domain controllers through their individual domains on separate subnets, that hopefully there shouldn't be any DNS issues between the two domains and Servers?
    I could build a new VM if you feel it would be better practice to do so?
    Many thanks for your assistance,
    Nick

  • Public-to-Public L2L VPN no return traffic

    Hello all,
    I'm hoping someone can give me a little help. I've researched the web and have read many forums, but I still can't get this to work. One of our vendors requires using a public ip address to setup a site-to-site IPSEC vpn. We only have one public ip address and that will be used for the vpn endpoint and for internet access for the local network. I've setup policy NAT from our local network to the outside interface. I'm also using the outside ip address for the crypto map. The tunnel setups successfully and the Tx count increases anytime I try to ping the remote network, but the ping fails and the Rx count does not increase. According to our vendor, we should be able to ping the remote network and connect using port 443. When trying to connect using port 443, I see a SYN timeout in the logs. I'm not sure if the problem is on their end and they're rejecting our traffic, or if something is misconfigured on our end. I'd like to make sure that I have everything configured correctly before I go and point fingers at them. Any help would be appreciated. Thanks.
    Local Network - 10.10.9.0/24
    Remote Network - 20.20.41.0/24
    Remote Peer - 20.20.60.193
    ASA Version 8.2(5)
    hostname ciscoasa
    domain-name
    names
    name 10.10.9.3 VPN description VPN Server
    name 10.10.9.4 IntranetMySQL description MySQL For Webserver
    name 192.168.0.100 IIS_Webserver
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    switchport access vlan 3
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.10.9.254 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 71.***.***.162 255.255.255.0
    interface Vlan3
    nameif dmz
    security-level 50
    ip address 192.168.0.254 255.255.255.0
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
    name-server 10.10.9.1
      domain-name
    same-security-traffic permit inter-interface
    object-group service VPN_TCP
    description VPN TCP Connection
    service-object tcp eq 1195
    object-group service VPN_UDP
    description VPN UDP Port
    service-object udp eq 1194
    object-group service VPN_HTTPS
    description VPN HTTPS Web Server
    service-object tcp eq 943
    service-object udp eq 943
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group service WebServer
    service-object tcp eq 8001
    object-group service DM_INLINE_SERVICE_1
    service-object tcp-udp eq www
    service-object tcp eq https
    object-group service VPN_HTTPS_UDP udp
    port-object eq 943
    object-group service WCF_WebService tcp
    port-object eq 808
    object-group service RDP tcp
    port-object eq 3389
    object-group service RDP_UDP udp
    port-object eq 3389
    object-group service DM_INLINE_SERVICE_2
    service-object tcp-udp eq www
    service-object tcp eq https
    object-group service *_Apache tcp
    port-object eq 8001
    object-group service *_ApacheUDP udp
    port-object eq 8001
    object-group service IIS_SQL_Server tcp
    port-object eq 1433
    object-group service DM_INLINE_TCP_1 tcp
    port-object eq www
    port-object eq https
    object-group service File_Sharing tcp
    port-object eq 445
    object-group service File_Sharing_UDP udp
    port-object eq 445
    object-group service MySQL tcp
    port-object eq 3306
    object-group service Http_Claims_Portal tcp
    port-object eq 8080
    object-group service Http_Claims_PortalUDP udp
    port-object eq 8080
    object-group service RTR_Portal tcp
      description Real Time Rating Portal
    port-object eq 8081
    object-group service RTR_PortalUDP udp
    port-object eq 8081
    object-group service DM_INLINE_SERVICE_3
    service-object tcp-udp eq www
    service-object tcp eq https
    access-list outside_access_in extended permit udp any 70.***.***.0 255.255.255.0 eq 1194
    access-list outside_access_in extended permit tcp any any eq 1195
    access-list outside_access_in extended permit object-group VPN_HTTPS any any
    access-list outside_access_in extended permit tcp any interface outside eq 943
    access-list outside_access_in extended permit tcp any any eq 8001
    access-list inside_access_in extended permit tcp any any
    access-list outside_access_in_1 extended permit tcp any interface outside eq 943
    access-list outside_access_in_2 extended permit object-group DM_INLINE_SERVICE_1 host 71.***.***.165 host 71.***.***.162
    access-list outside_access_in_2 extended permit object-group TCPUDP any any inactive
    access-list outside_access_in_2 extended permit icmp any any
    access-list outside_access_in_2 extended permit object-group VPN_HTTPS any host 71.***.***.162
    access-list outside_access_in_2 remark VPN TCP Ports
    access-list outside_access_in_2 extended permit tcp any host 71.***.***.162 eq 1195
    access-list outside_access_in_2 extended permit udp any host 71.***.***.162 eq 1194
    access-list outside_access_in_2 remark Palm Insure Apache Server
    access-list outside_access_in_2 extended permit tcp any host 71.***.***.164 object-group *_Apache inactive
    access-list outside_access_in_2 extended permit udp any host 71.***.***.164 object-group *_ApacheUDP inactive
    access-list outside_access_in_2 extended permit tcp any host 71.***.***.164 object-group MySQL inactive
    access-list outside_access_in_2 extended permit tcp any host 71.***.***.164 object-group Http_Claims_Portal inactive
    access-list outside_access_in_2 extended permit udp any host 71.***.***.164 object-group Http_Claims_PortalUDP inactive
    access-list outside_access_in_2 extended permit tcp any host 71.***.***.164 object-group RTR_Portal inactive
    access-list outside_access_in_2 extended permit udp any host 71.***.***.164 object-group RTR_PortalUDP inactive
    access-list outside_access_in_2 extended permit object-group DM_INLINE_SERVICE_3 any host 71.***.***.164 inactive
    access-list outside_access_in_2 remark RTR Access Rule for Internal VM's
    access-list outside_access_in_2 extended permit tcp any host 71.***.***.162 object-group Http_Claims_Portal
    access-list outside_access_in_2 remark RTR Access rule for internal VMs
    access-list outside_access_in_2 extended permit udp any host 71.***.***.162 object-group Http_Claims_PortalUDP
    access-list inside_access_in_1 extended permit object-group TCPUDP any any
    access-list inside_access_in_1 extended permit icmp any any
    access-list inside_access_in_1 extended permit esp any any
    access-list inside_access_in_1 extended permit udp any any eq isakmp
    access-list dmz_access_in extended permit ip any any
    access-list dmz_access_in extended permit object-group DM_INLINE_SERVICE_2 any host 70.***.***.252
    access-list dmz_access_in extended permit tcp any host 70.***.***.252 eq www
    access-list dmz_access_in_1 extended permit tcp host IIS_Webserver host 10.10.9.5 object-group DM_INLINE_TCP_1 inactive
    access-list dmz_access_in_1 extended permit object-group TCPUDP any host IIS_Webserver eq www inactive
    access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver eq https inactive
    access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver object-group *_Apache inactive
    access-list dmz_access_in_1 extended permit udp any host IIS_Webserver object-group *_ApacheUDP inactive
    access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver eq 3389 inactive
    access-list dmz_access_in_1 extended permit udp any host IIS_Webserver eq 3389 inactive
    access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver object-group IIS_SQL_Server inactive
    access-list dmz_access_in_1 extended permit object-group TCPUDP any any inactive
    access-list dmz_access_in_1 extended permit tcp host 10.10.9.5 host IIS_Webserver eq ftp inactive
    access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver object-group MySQL inactive
    access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver object-group Http_Claims_Portal inactive
    access-list dmz_access_in_1 extended permit udp any host IIS_Webserver object-group Http_Claims_PortalUDP inactive
    access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver object-group RTR_Portal inactive
    access-list dmz_access_in_1 extended permit udp any host IIS_Webserver object-group RTR_PortalUDP inactive
    access-list inside_nat_static extended permit ip host 10.10.9.1 20.20.41.0 255.255.255.0
    access-list outside_1_cryptomap extended permit ip host 71.***.***.162 20.20.41.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 interface
    global (dmz) 1 interface
    nat (inside) 1 10.10.9.0 255.255.255.0
    static (inside,outside) tcp interface 943 VPN 943 netmask 255.255.255.255
    static (inside,outside) tcp interface 1195 VPN 1195 netmask 255.255.255.255
    static (inside,outside) tcp interface 1194 VPN 1194 netmask 255.255.255.255
    static (inside,outside) udp interface 1194 VPN 1194 netmask 255.255.255.255
    static (inside,outside) udp interface 1195 VPN 1195 netmask 255.255.255.255
    static (inside,outside) tcp interface ssh IntranetMySQL ssh netmask 255.255.255.255
    static (inside,outside) tcp interface ftp IntranetMySQL ftp netmask 255.255.255.255
    static (dmz,inside) tcp IIS_Webserver 3389 IIS_Webserver 3389 netmask 255.255.255.255
    static (inside,outside) tcp interface www 10.10.9.5 www netmask 255.255.255.255
    static (dmz,outside) tcp 71.***.***.164 3389 IIS_Webserver 3389 netmask 255.255.255.255
    static (dmz,outside) tcp 71.***.***.164 8001 IIS_Webserver 8001 netmask 255.255.255.255
    static (dmz,outside) udp 71.***.***.164 8001 IIS_Webserver 8001 netmask 255.255.255.255
    static (dmz,outside) tcp 71.***.***.164 www IIS_Webserver www netmask 255.255.255.255
    static (dmz,outside) tcp 71.***.***.164 https IIS_Webserver https netmask 255.255.255.255
    static (dmz,outside) tcp 71.***.***.164 ftp IIS_Webserver ftp netmask 255.255.255.255
    static (dmz,outside) tcp 71.***.***.164 3306 IIS_Webserver 3306 netmask 255.255.255.255
    static (dmz,inside) tcp IIS_Webserver 3306 IIS_Webserver 3306 netmask 255.255.255.255
    static (dmz,outside) tcp 71.***.***.164 8080 IIS_Webserver 8080 netmask 255.255.255.255
    static (dmz,outside) udp 71.***.***.164 8080 IIS_Webserver 8080 netmask 255.255.255.255
    static (dmz,inside) tcp IIS_Webserver 8080 IIS_Webserver 8080 netmask 255.255.255.255
    static (dmz,outside) tcp 71.***.***.164 8081 IIS_Webserver 8081 netmask 255.255.255.255
    static (dmz,outside) udp 71.***.***.164 8081 IIS_Webserver 8081 netmask 255.255.255.255
    static (dmz,inside) tcp IIS_Webserver 8081 IIS_Webserver 8081 netmask 255.255.255.255
    static (inside,outside) tcp interface 8080 10.10.9.15 8080 netmask 255.255.255.255
    static (inside,outside) udp interface 8080 10.10.9.15 8080 netmask 255.255.255.255
    static (dmz,outside) 71.***.***.164 IIS_Webserver netmask 255.255.255.255
    static (dmz,inside) IIS_Webserver IIS_Webserver netmask 255.255.255.255
    static (inside,dmz) 10.10.9.5 10.10.9.5 netmask 255.255.255.255
    static (inside,outside) interface  access-list inside_nat_static
    access-group inside_access_in_1 in interface inside
    access-group outside_access_in_2 in interface outside
    access-group dmz_access_in_1 in interface dmz
    route outside 0.0.0.0 0.0.0.0 71.***.***.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 10.10.9.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer 20.20.60.193
    crypto map outside_map 1 set transform-set ESP-AES-256-SHA
    crypto map outside_map 1 set reverse-route
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 86400
    telnet timeout 5
    ssh 10.10.9.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    tunnel-group 20.20.60.193 type ipsec-l2l
    tunnel-group 20.20.60.193 ipsec-attributes
    pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
      class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous

    Hi,
    If you are using the public IP address of your ASA (that is used as the PAT address for all outbound traffic) as the only source IP address for the L2L VPN you dont really have to build any additional NAT configurations for the L2L VPN connection. So you shouldnt need the "static" configuration you have made.
    static (inside,outside) interface  access-list inside_nat_static
    This is because any traffic from your local LAN will be PATed to the "outside" IP address and when the ASA also sees that the destination network for the connection is part of the L2L VPN configurations, then the traffic should be forwarded to the L2L VPN connection just fine.
    Did you try the connectivity without the "static" configuration?
    For ICMP testing I would add the command
    fixup protocol icmp
    or
    policy-map global_policy
      class inspection_default
       inspect icmp
    Should do the same thing
    - Jouni

  • L2L VPN not coming up

    I am using GNS3 to build a tunnel between an ASA and a router.
    Below are my configurations but the tunnel is not coming, can anyone spot what's wrong with my configs? Or could it be because of bugs on GNS3?
    ciscoasa# sho running-config crypto
    crypto ipsec transform-set MySET esp-aes esp-sha-hmac
    access-list VPN_Traffic extended permit ip 12.123.15.0 255.255.255.0 192.168.10.0 255.255.255.0
    crypto map SampleVPN 100 match address VPN_Traffic
    crypto map SampleVPN 100 set peer 10.123.5.2
    crypto map SampleVPN 100 set transform-set MySET
    crypto map SampleVPN interface outside
    crypto isakmp enable outside
    crypto isakmp policy 100
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    crypto isakmp policy 65535
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    tunnel-group VPN type ipsec-l2l
    tunnel-group VPN ipsec-attributes
    pre-shared-key 1234
    R1#sho run | sec crypto
    crypto isakmp policy 100
    encr 3des
    hash md5
    authentication pre-share
    group 2
    crypto isakmp key 1234 address 12.152.45.2 no-xauth
    crypto ipsec transform-set MySET esp-aes esp-sha-hmac
    ip access-list extended VPN_Traffic
    permit ip 192.168.10.0 0.0.0.255 12.123.15.0 0.0.0.255
    crypto map VPN 100 ipsec-isakmp
    set peer 12.152.45.2
    set transform-set MySET
    match address VPN_Traffic
    interface f0/0
    crypto map VPN
    Here are the debugs from the router...
    *Feb 18 15:59:03.971: ISAKMP:(0): SA request profile is (NULL)
    *Feb 18 15:59:03.971: ISAKMP: Created a peer struct for 12.152.45.2, peer port 500
    *Feb 18 15:59:03.971: ISAKMP: New peer created peer = 0x65C73CCC peer_handle = 0x80000004
    *Feb 18 15:59:03.975: ISAKMP: Locking peer struct 0x65C73CCC, refcount 1 for isakmp_initiator
    *Feb 18 15:59:03.975: ISAKMP: local port 500, remote port 500
    *Feb 18 15:59:03.975: ISAKMP: set new node 0 to QM_IDLE
    *Feb 18 15:59:03.975: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 6568F26C
    *Feb 18 15:59:03.979: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
    *Feb 18 15:59:03.979: ISAKMP:(0):found peer pre-shared key matching 12.152.45.2
    *Feb 18 15:59:03.983: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
    *Feb 18 15:59:03.983: ISAKMP:(0): constructed NAT-T vendor-07 ID
    *Feb 18 15:59:03.983: ISAKMP:(0): constructed NAT-T vendor-03 ID
    *Feb 18 15:59:03.987: ISAKMP:(0): constructed NAT-T vendor-02 ID
    *Feb 18 15:59:03.987: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    *Feb 18 15:59:03.987: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
    *Feb 18 15:59:03.987: ISAKMP:(0): beginning Main Mode exchange
    *Feb 18 15:59:03.991: ISAKMP:(0): sending packet to 12.152.45.2 my_port 500 peer_port 500 (I) MM_NO_STATE
    *Feb 18 15:59:03.991: ISAKMP:(0):Sending an IKE IPv4 Packet......
    Success rate is 0 percent (0/5)
    R1#
    *Feb 18 15:59:13.991: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
    *Feb 18 15:59:13.991: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
    *Feb 18 15:59:13.991: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
    *Feb 18 15:59:13.995: ISAKMP:(0): sending packet to 12.152.45.2 my_port 500 peer_port 500 (I) MM_NO_STATE
    *Feb 18 15:59:13.995: ISAKMP:(0):Sending an IKE IPv4 Packet.
    *Feb 18 15:59:14.043: ISAKMP (0:0): received packet from 12.152.45.2 dport 500 sport 500 Global (I) MM_NO_STATE
    *Feb 18 15:59:14.047: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Feb 18 15:59:14.047: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
    *Feb 18 15:59:14.051: ISAKMP:(0): processing SA payload. message ID = 0
    *Feb 18 15:59:14.055: ISAKMP:(0): processing vendor id payload
    *Feb 18 15:59:14.055: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    *Feb 18 15:59:14.055: ISAKMP:(0): vendor ID is NAT-T v2
    *Feb 18 15:59:14.055: ISAKMP:(0)
    R1#: processing vendor id payload
    *Feb 18 15:59:14.059: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
    *Feb 18 15:59:14.059: ISAKMP:(0):found peer pre-shared key matching 12.152.45.2
    *Feb 18 15:59:14.059: ISAKMP:(0): local preshared key found
    *Feb 18 15:59:14.059: ISAKMP : Scanning profiles for xauth ...
    *Feb 18 15:59:14.063: ISAKMP:(0):Checking ISAKMP transform 1 against priority 100 policy
    *Feb 18 15:59:14.063: ISAKMP:      encryption 3DES-CBC
    *Feb 18 15:59:14.063: ISAKMP:      hash MD5
    *Feb 18 15:59:14.063: ISAKMP:      default group 2
    *Feb 18 15:59:14.063: ISAKMP:      auth pre-share
    *Feb 18 15:59:14.063: ISAKMP:      life type in seconds
    *Feb 18 15:59:14.067: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
    *Feb 18 15:59:14.067: ISAKMP:(0):atts are acceptable. Next payload is 0
    *Feb 18 15:59:14.071: ISAKMP:(0): processing vendor id payload
    *Feb 18 15:59:14.071: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    *Feb 18 15:59:14.071: ISAK
    R1#
    R1#MP:(0): vendor ID is NAT-T v2
    *Feb 18 15:59:14.071: ISAKMP:(0): processing vendor id payload
    *Feb 18 15:59:14.075: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
    *Feb 18 15:59:14.075: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Feb 18 15:59:14.075: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
    *Feb 18 15:59:14.079: ISAKMP:(0): sending packet to 12.152.45.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
    *Feb 18 15:59:14.079: ISAKMP:(0):Sending an IKE IPv4 Packet.
    *Feb 18 15:59:14.079: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Feb 18 15:59:14.079: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
    R1#
    *Feb 18 15:59:23.291: ISAKMP:(0):purging node -49064826
    *Feb 18 15:59:23.291: ISAKMP:(0):purging node -330154301
    *Feb 18 15:59:24.079: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
    *Feb 18 15:59:24.079: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
    *Feb 18 15:59:24.079: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
    *Feb 18 15:59:24.083: ISAKMP:(0): sending packet to 12.152.45.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
    *Feb 18 15:59:24.083: ISAKMP:(0):Sending an IKE IPv4 Packet.
    *Feb 18 15:59:24.111: ISAKMP (0:0): received packet from 12.152.45.2 dport 500 sport 500 Global (I) MM_SA_SETUP
    *Feb 18 15:59:24.111: ISAKMP:(0):Notify has no hash. Rejected.
    *Feb 18 15:59:24.111: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM3
    *Feb 18 15:59:24.115: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
    *Feb 18 15:59:24.115: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM3
    R1#ping ip 12.123.15.2 source loo0
    *Feb 18 15:59:24.115: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 12.152.45.2
    R1#ping ip 12.123.15.2 source loo0
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 12.123.15.2, timeout is 2 seconds:
    Packet sent with a source address of 192.168.10.1
    *Feb 18 15:59:33.295: ISAKMP:(0):purging SA., sa=6568EB18, delme=6568EB18
    *Feb 18 15:59:33.967: ISAKMP: set new node 0 to QM_IDLE
    *Feb 18 15:59:33.971: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 10.123.5.2, remote 12.152.45.2)
    *Feb 18 15:59:33.971: ISAKMP: Error while processing SA request: Failed to initialize SA
    *Feb 18 15:59:33.975: ISAKMP: Error while processing KMI message 0, error 2..
    Success rate is 0 percent (0/5)
    R1#
    *Feb 18 16:00:18.975: ISAKMP: quick mode timer expired.
    *Feb 18 16:00:18.975: ISAKMP:(0):src 10.123.5.2 dst 12.152.45.2, SA is not authenticated
    *Feb 18 16:00:18.975: ISAKMP:(0):peer does not do paranoid keepalives.
    *Feb 18 16:00:18.979: ISAKMP:(0):deleting SA reason "QM_TIMER expired" state (I) MM_SA_SETUP (peer 12.152.45.2)
    *Feb 18 16:00:18.983: ISAKMP:(0):deleting SA reason "QM_TIMER expired" state (I) MM_SA_SETUP (peer 12.152.45.2)
    *Feb 18 16:00:18.983: ISAKMP: Unlocking peer struct 0x65C73CCC for isadb_mark_sa_deleted(), count 0
    *Feb 18 16:00:18.987: ISAKMP: Deleting peer node by peer_reap for 12.152.45.2: 65C73CCC
    R1#
    *Feb 18 16:00:18.987: ISAKMP:(0):deleting node 1582877960 error FALSE reason "IKE deleted"
    *Feb 18 16:00:18.987: ISAKMP:(0):deleting node 814986207 error FALSE reason "IKE deleted"
    *Feb 18 16:00:18.991: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    *Feb 18 16:00:18.991: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_DEST_SA
    R1#
    *Feb 18 16:01:08.987: ISAKMP:(0):purging node 1582877960
    *Feb 18 16:01:08.987: ISAKMP:(0):purging node 814986207
    R1#
    *Feb 18 16:01:18.991: ISAKMP:(0):purging SA., sa=6568F26C, delme=6568F26C

    Hi,
    when you applied the tunnel-group VPN, you should have seen a warning telling that tunnel-group can have name only if it's for remote-access VPN, or certificate authentication is used. so, L2L vpn with pre-shared keys can only have tunnel-groups named as the peer IP address.
    Mashal

  • Sqlsrv very slow over network

    I'm using sqlsrv (php_pdo_sqlsrv_55_ts.dll and php_sqlsrv_55_ts.dll) in PHP (5.5.12, CLI version on Windows 8.1) to connect to a SQL Server 2012 over a VPN tunnel. But the transfer rate for large result sets is very slow.
    Testing SSMS on the same PC over the same VPN tunnel for this query (query is just for testing purposes, I also tried other queries with large data sets and all showed the same performance issues):
        SELECT *
        FROM [Data].[dbo].[Logins]
        WHERE date >= '2014-01-27 00:00:00.000' AND date < '2014-01-29 00:00:00.000'
    returns about 100,000 rows in 4 seconds. Checking the transfer rate on my firewall/VPN shows 2,500 KB/s (on a 100mbit network) while the query is running.
    Using PHP:
        sqlsrv_configure('ClientBufferMaxKBSize', 1024*1024);
        $dbconnect = "SERVER\\HERE";
        $dbconinfo = array("UID" => "user", "PWD" => "pass", "Database" => "Data")
        $conn = sqlsrv_connect( $dbconnect, $dbconinfo);
        $sql = "
        SELECT *
        FROM [dbo].[Logins]
        WHERE date >= '2014-01-27 00:00:00.000' AND date < '2014-01-29 00:00:00.000'
        $options = array();
        $options["Scrollable"] = SQLSRV_CURSOR_CLIENT_BUFFERED;
        $options["QueryTimeout"] = 30000;      
        $stmt = sqlsrv_query( $conn, $sql, array(), $options);
    runs 40 seconds and the firewall/VPN shows less than 150 KB/s while the query is running. Task-Manager shows around 5% CPU load for the script.
    I used SQLSRV_CURSOR_CLIENT_BUFFERED just for testing, because it reads the result in its own buffer without any further PHP code. Fetching each set of data without buffering is just a little bit slower (around 45 seconds).
    I also tried a PDO version which lead to the same result.
    ConnectionPooling 0 or 1 didn't make any difference either.
    Changing server name to DNS vs. IP adress also made no difference.
    LogSubsystems -1 and LogSeverity -1 did not show any issues or anything helpful at all.
    I even used Wireshark to watch the network traffic but couldn't find any big differences between PHP and SSMS versions. But I don't know too much about networking layers.
    So the CPU load is low, there is no HDD use at all, the network transfer rate is extremely slow and the SQL server would be capable to deliver the results very much faster. And it actually is a lot faster with SSMS on the same PC and network connection.
    Why is sqlsrv so very slow?
    Any ideas what might be the issue or what I could try to speed up PHP/sqlsrv would be greatly appreciated.

    Please tell us what are waits assigned to query, you can use below tsql code to get the information.
    select session_id, t.text, start_time, status, command, db_name(database_id) As DBname, USER_NAME(user_id) As UserName, blocking_session_id, wait_type, wait_time, wait_resource, percent_complete from sys.dm_exec_requests
    CROSS APPLY sys.dm_exec_sql_text(sql_handle) as t
    This information can help us to understand the problem.
    Thanks,
    Shashikant 
    Sadly I don't have the rights on the SQL Server for this query. But from what I gathered from similar issues on the web, SQL Server is most likely waiting for the client.
    I also tried the same testing query now with Power Query in Excel. It's as fast as with SSMS. Just with sqlsrv on PHP it's extremly slow.
    Testing the query on a local SQL Server, it's pretty much instantaneous with SSMS, Excel and sqlsrv on PHP as well.

  • Remote Desktop/Access shared files over PPTP VPN

    Hello,
    I just bought the RV180W so I can connect to my office computer from anywhere as a VPN client. The two things I need to do while I am connected as a VPN client is to be able to access my files on my office desktop and be able to remote desktop to it as well. I have Win7 on all of my computers. Ideally, I would like to do that over PPTP VPN connection but if that is not possible I can try Cisco QuickVPN software.
    I enabled PPTP on my router and created a user account. I was also able to successfully establish the connection remotely. While I was connected as a PPTP VPN client, I was able to access the Internet and my router setup page which is telling me that the connection is good. However, I was not able to either discover my office PC under my network tab in Win7 nor I was able to remote desktop. I keep my office PC on all the time and it never go to sleep. I did not create any connection policy but maybe this is the problem. Please let me know if you know of a solution.
    Thanks!

    Hi David,
    Thank you for the response.
    I was able to access the router configuration using the local IP address (in my case 192.168.1.1). I don't think I would have been able to access it using the public IP address since I have the router remote management feature disabled.
    Now after reading your email, I was finally able to remote desktop and access shared files through a PPTP VPN connection. Here is what I did:
    1- I separted the PPTP VPN IP address range from my DHCP range (in my case, PPTP VPN range is 192.168.1.200 to 210 and my DHCP range is from 192.168.1.100 to 199)
    2- I assigned my office desktop PC that I am trying to remote desktop to a fixed IP address (192.168.1.20)
    3- For remote desktop, I had to type the IP address (192.168.1.20). Typing the PC name (officepc) or searching for was not working.
    4- For shared files, I had to map a network drive as //192.168.1.20/My Pictures for example. I couldn't find my PC when searched for it under Network.
    After doing all that, I was able to do kinda what I wanted. Ideally, I would have liked to avoid using fixed IP addresses and be able to access computers by their name and see them under the Network tab. Is their a way to do this? I noticed that RV220W offers SSL VPN, would that help me?
    I would appreciate it if you could answer my last two questions.
    Thanks!
    Mustafa

  • HA between Dedicated T1 and L2L VPN

    I'm looking for ideas on how to have complete HA between a dedicated T1 and an L2L VPN over the internet.
    We had discussed routing protocol OSPF but would like to avoid the converge issues that could rise and affect other customers in the same DMZ.
    What would be our options if we do not want to use a routing protocol? How could we fail over to the backup line, the L2L, should the T1 fail. I had mentioned changing the metrics but this will not identify a problem on the line should the customers ethernet link goe down.
    Feel free to include an ideas that would use routing protocols.

    I had to revisit this configuration. I had decided since we are not going to use a routing protocol that a floating route between the T1 router and VPN is the best solution. although this should work if the router or Ethernet of the router goes down it should fail if the the Ethernet interface of the router, which has OSPF running between their network and our LAN, does not fail.
    But it is not failing?
    I have attached a diagram.

  • Reinitiate L2L VPN tunnel

    Hi,
    I have cisco ASA 5520 and two L2L VPN are configured in that box.Now if any time I want to reinitiate or reestablished the tunnel what command I have to give.I want to reestablish the IKE and IPSec SA.
    Please guide wht command i have to give to reestablish all the L2L tunnel or a single tunnel.
    Regards,
    som

    1. ASA5510# clear crypto ipsec sa ?
    counters Clear IPsec SA counters
    entry Clear IPsec SAs by entry
    map Clear IPsec SAs by map
    peer Clear IPsec SA by peer
    2. ASA5510# clear crypto isakmp sa

  • Add a new L2L VPN tunnel URGENT

    Hi,
    I have a ASA5520 deviceand already 2 L2L VPN is running on that. I want to add a new VPN tuuel to connect other branch.
    In the configuration when i have given
    crypto map toremote 50 match address SINGAPORE this command...it's showing WARNING incomplete command !
    what is the problem for that..please help me in the issue.
    Thanks
    somnath

    Hi Somnath
    This is a normal prompt. You will get this prompt untill you complete your cryptomap.
    crypto map toremote 50 match address SINGAPORE
    crypto map toremote 50 set peer SINGAPOREIP
    crypto map toremote 50 set transform-set yoursetnamehere
    As you issue the last line above, cryptomap will be complete and you wont receive Warning anymore.
    Regards

  • 2811:connecting two ASA5505 l2l VPN's

    Hello,
    We have an HQ site with a 2811 (w/ADVSECURITYK9-M) acting as the firewall. We currently have 1 ASA5505 that has an established ipsec l2l VPN.
    I'm trying to connect a 2nd ASA, but I've noticed I can only add 1 cryptomap to the outside interface.
    A show ver shows 1 Virtual Private Network Module... Surely that doesn't mean only 1 VPN?
    Do I use one crypto map, and add a second 'set peer' & 'match address' inside the crypto map itself?
    Thanks,
    Jason

    Ok, I'm getting closer, but still failing. I was close enough that a VOIP phone registered with the phone system at some point, but not sure why it wont stay connected.
    The original, VPN1 is still connected though.
    I've varified the preshared keys on both ends match.
    Here's an error from the debug of the second ASA, VPN2
    Aug 24 10:49:45 [IKEv1]: Group = 64.X.X.X, IP = 64.X.X.X, QM FSM error (P2 struct &0x42436b0, mess id 0x374e49ed)!
    Aug 24 10:49:45 [IKEv1]: Group = 64.X.X.X, IP = 64.X.X.X, Removing peer from correlator table failed, no match!
    Aug 24 10:49:45 [IKEv1]: Group = 64.X.X.X, IP = 64.X.X.X, QM FSM error (P2 struct &0x42436b0, mess id 0x374e49ed)!
    Aug 24 10:49:45 [IKEv1]: Group = 64.X.X.X, IP = 64.X.X.X, Removing peer from correlator table failed, no match!
    As far as the ASA configs, everything is the exactly the same, except;
    NEW ASA VPN2 -both asa have object groups 1&2, containing other ip's of the HQ site. these ip's listed here are of VPN1's local lan.
    I imagine I will need to add VPN2's local ip to VPN1's config for objectgroup 1&2, but I don't think that is the reason this wont connect to HQ
    object-group network DM_INLINE_NETWORK_1
    network-object 192.168.26.0 255.255.255.0
    object-group network DM_INLINE_NETWORK_2
    network-object 192.168.26.0 255.255.255.0
    object-group network DM_INLINE_NETWORK_3
    network-object 192.168.27.0 255.255.255.0
    network-object 192.168.1.0 255.255.255.0
    Working ASA VPN1  - not sure exactly how the bolded line works
    no crypto isakmp nat-traversal
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    HQ 2811 -----------------------------------------------------------------------
    Hope I included enough of the router config. Again, VPN1 is working.
    crypto isakmp key VPN1PW address 99.x.x.x
    crypto isakmp key VPN2PW address 108.x.x.x
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec df-bit clear
    crypto map SDM_CMAP_1 1 ipsec-isakmp
    description Tunnel to 99.x.x.x VPN1
    set peer 99.x.x.x
    set transform-set ESP-AES-128-SHA
    match address 103
    crypto map SDM_CMAP_1 2 ipsec-isakmp
    description Tunnel to 108.x.x.x VPN2
    set peer 108.x.x.x
    set transform-set ESP-AES-128-SHA
    match address 105
    ****** This next section I dont recall typing in, but it refers to access group 105, but 105 was newly created for the new VPN2.  I didn't not find a corresponding command for access-group 103, which 105 is a copy of 103, except each one includes the others local lan too.
    class-map type inspect match-all sdm-nat-user-protocol--2-1
    match access-group 105
    match protocol user-protocol--2
    interface FastEthernet0/1
    description T1 to  Internet$FW_OUTSIDE$
    ip address 64.x.x.x 255.255.255.248
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    crypto map SDM_CMAP_1

Maybe you are looking for

  • How Can I Learn To Develop Flash Games For Under $50.00 USD?

    I am completely new to anything Flash. I have never written a single line of Actionscript. I don't know the difference between Flash and Flex. I don't know in what forums Flash developers hang out. I don't even know what kind of coffee they drink, or

  • Custom Ribbon tab does not show in generic list

    Hi. I'm deploying the following definiton on a generic list, but the new custom tab does not show up. Anyone that can see what I have done wrong? Thanks! <Elements xmlns=”http://schemas.microsoft.com/sharepoint/“> <CustomAction Id=”Ribbon.MyTab” Titl

  • Edit Custom Tag

    I have created a custom tag and when the tag is inserted, i would like the inner text to change color. is this possible? and if so, what file needs to be modified to do this? or if i have to create one, where would it go? example: i insert my custom

  • After upgrading to snow leopard 10.63

    After upgrading to snow leopard 10.63 Itunes doesn't recognize my iphone or ipad for syncing. 

  • FX Impact for entire Organization (Top Entity Member)

    Everything has been done before. Does seen "best practice" related to the below situation: What is the best way to see the total FX impact for the top member of an organization? We have a worldwide HFM application with over 40 differeny local currenc