Multicast (clustering) behind a VPN
Hi all,
When I work from home over a VPN, I can't get 2 WLS 9 servers (on my laptop) to form a cluster. I get these errors in the log:
<Aug 14, 2009 4:30:02 PM CDT> <Error> <Cluster> <BEA-000170> <Server busB did not receive the multicast packets that were sent by itself>
<Aug 14, 2009 4:30:02 PM CDT> <Critical> <Health> <BEA-310006> <Critical Subsystem Cluster has failed. Setting server state to FAILED.
Reason: Unable to receive self generated multicast messages>
I've tried setting the interface address to blank, localhost, 127.0.0.1, and the VPN-assigned ip address. I've also tried increasing the ttl. I get the same results every time.
I also tried using various multicast test utilities but they don't seem to receive their own messages, either.
I know to get Oracle Coherence to cluster behind a VPN at startup I have to set a well-known address property to my IP address.
This is with WLS 9.2.3 and XP Pro. Any idea what I can do with WLS?
thanks
Have you attempted to set up a MS Loopback Adapter and binding the WLS servers to that network interface? Not sure if it'll work, just an idea.
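A self-reception check of the kind the BEA-000170 error describes, as an added example (not part of the original thread and not WebLogic tooling): it joins a multicast group on one chosen interface address, sends a random token, and reports whether the host receives its own packet. The group 239.192.0.1 and port 17001 are assumed test values; pass the candidate interface addresses (loopback adapter, LAN, VPN-assigned) on the command line.

```python
import ipaddress
import os
import socket
import sys
import time

GROUP = "239.192.0.1"   # assumption: administratively scoped test group
PORT = 17001            # assumption: any free UDP port


def build_mreq(group: str, iface_ip: str) -> bytes:
    """Pack struct ip_mreq: group address followed by local interface address."""
    return socket.inet_aton(group) + socket.inet_aton(iface_ip)


def probe(iface_ip: str, group: str = GROUP, port: int = PORT,
          ttl: int = 1, timeout: float = 2.0) -> bool:
    """Return True if a datagram sent to the group via iface_ip comes back to us."""
    if not ipaddress.ip_address(group).is_multicast:
        raise ValueError(f"{group} is not a multicast address")
    token = os.urandom(8)                      # unique payload for this run
    deadline = time.monotonic() + timeout
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM,
                           socket.IPPROTO_UDP) as s:
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            s.bind(("", port))
            # Receive side: join the group on exactly this interface.
            s.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP,
                         build_mreq(group, iface_ip))
            # Send side: force the outgoing interface, enable loopback, set TTL.
            s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_IF,
                         socket.inet_aton(iface_ip))
            s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_LOOP, 1)
            s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, ttl)
            s.sendto(token, (group, port))
            while (remaining := deadline - time.monotonic()) > 0:
                s.settimeout(remaining)
                data, _ = s.recvfrom(64)
                if data == token:              # ignore unrelated group traffic
                    return True
    except OSError:
        # Covers timeouts, addresses that are not local, and blocked joins.
        return False
    return False


if __name__ == "__main__":
    for ip in sys.argv[1:] or ["127.0.0.1"]:
        result = "received own packet" if probe(ip) else "NO self-reception"
        print(f"{ip:>15}  {result}")
```

An address that reports no self-reception here will produce the same failure when the cluster is bound to it.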
Similar Messages
-
Multicast via Remote Access VPN (ASA)
Hi all,
I have an ASA 5505 that I would like to use as a head end device for several customers to RA into so they can access our TEST network. The trouble is that the TEST net provides multicast video streams that my clients need to see. I am currently doing this with a Windows Server and Clients via L2TP. How can I do this with the ASA instead? I know IPSEC doesn't support multicast.....can anything be done?
Hi,
Currently IPSec / Any connect doesn't support multicast over vpn tunnel. As you have now it is possible through L2TP with L2TP client / ASA / Windows Server or if you have IOS router it can be possible through DMVPN/GETVPN....
Regards
Karthik -
1720 VPN and Winproxy behind 826, VPN drop outs
DSL into 826. Winproxy and 1720 into 826.
1. Can the 826 prevent VPN traffic while allowing web traffic to flow thru Proxy?
2. Does the Proxy server setting in IE connection override default gateway IP?
The problem is that VPN clients have Default GW as IP to 1720 and proxy server WinProxy IP. Connections are unstable w/ no correlations. Web and VPN can both work or either or none.
You could block all "non-proxy" access through the router by creating an access list doing so. The only IP you would allow through would be the proxy server's requests and then, only its source address and proxy ports if you want to be very specific. As I understand it, when you configure a proxy setting in a browser, any request the browser makes (http, https, ftp, etc.) will be directed to only the proxy address and the default gateway will never be used. The PC would only use the default gateway for any non-browser client applications (VPN client software, telnet, ping, smtp, pop3, etc.) Of course, if you blocked all "non-proxy" traffic as I suggested, none of these applications will work unless you modify your access list to allow them.
-
Multicast clustering IBM servers with N7K and 2k
i have two IBM servers working as a cluster and connected to Fiber fabric extender 2K using VPC as per attached diagram
the two IBM servers are working fine for network connectivity with N2k but the servers have a multicast named (power HA 7.1) to work as a cluster
but i tried to configure multicast in N7K and N2k for the servers to work as a cluster but the servers are not working
please advise me about the configuration in N7K and N2k to get the IBM servers working as a cluster.
One option is the IGMP querier:
config t
ip igmp snooping
vlan 2
switch(config-vlan-config)# ip igmp snooping querier 10.0.10.253
(or a good source address of the interface)
The other option is run PIM on the VLAN interface:
feature pim
vlan 2
ip pim sparse-mode
Both have the same purpose: combined with IGMP snooping, the L3 interface will flood the VLAN with IGMP queries that traverse the inter-switch links. As a result, the inter-switch links will be included in the snooping port list. In turn,
packets destined to 228.5.10.5 will be sent out the inter-switch link and reach the other server.
Without the IGMP queries, 228.5.10.5 packets will not be sent from one switch to the other as it is not in the 224.0.0.0/24 range. -
Multicast VPN support in RV042?
Hello,
A quick check of the user manual for the RV042 didn't reveal in crystal clarity whether the RV042 will tunnel multicast packets (between two RV042s).
What I'd like to create is a VPN between two different offices. Some of the applications use multicast, and it's crucial that these apps 'see' each other in both offices (via VPN).
The RV042 manual does mention a "multicast pass through" setting, but it didn't mention whether enabling this applies to a VPN connection established between the two offices, such that any multicast packet on LAN #1 is reflected to LAN #2 (and vice versa) through the VPN.
Has anyone used RV042s to create a VPN between two locations/offices, and turned on multicast pass through? Have you found that apps which use multicast (e.g., iChat on Mac OS X, Bonjour advertised intranet websites, etc.) have their multicast traffic properly appear on both LANs?
Thanks,
Keith
Are there any Cisco [or Linksys by Cisco] routers which support Multicast VPN (multicast packets tunneled over VPN)? Looks like there are a number of white papers on this topic, but I've yet to identify a particular model with this functionality.
Thanks,
Keith -
I can connect my cisco mobile vpn but can't ping & access internal IP
Hi somebody,
i've configured mobile vpn configuration in cisco 7200 with GNS3. i can connect VPN to my cisco router with cisco vpn client software from outside. but i can't ping to internal ip and can't access internal resources.
My Internal IP is 192.168.1.x . And IP for mobile VPN client from outside is 172.60.1.x.
Your advice will be appreciated.
here is my configuration with cisco 7200 in GNS 3,
OfficeVPN_Router#sh run
Building configuration...
Current configuration : 2186 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname OfficeVPN_Router
boot-start-marker
boot-end-marker
enable secret 5 $1$E0Gz$U8UzNtHOXy2CeoEFj30by0
aaa new-model
aaa authentication login userlist local
aaa authorization network grouplist local
aaa session-id common
ip cef
no ip domain lookup
username asm privilege 15 password 0 pncsadmin
username user privilege 15 password 0 pncsadmin
username user1 privilege 15 password 0 pncsadmin
username cisco123 secret 5 $1$lCOc$Db.e8AFd/0f02ZI4/aeV./
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp client configuration group MWG
key cisco
dns 165.21.83.88
pool vpnpool
acl 101
netmask 255.255.0.0
crypto ipsec transform-set myset esp-aes esp-sha-hmac
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
crypto map mymap client authentication list userlist
crypto map mymap isakmp authorization list grouplist
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap 10 ipsec-isakmp dynamic dynmap
interface FastEthernet0/0
no ip address
shutdown
duplex half
interface FastEthernet1/0
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex full
speed 100
interface FastEthernet1/1
ip address 200.200.200.200 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map mymap
ip local pool vpnpool 172.60.1.10 172.60.1.100
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 200.200.200.201
no ip http server
no ip http secure-server
ip nat inside source list 111 interface FastEthernet1/1 overload
access-list 101 permit ip 192.168.1.0 0.0.0.255 172.60.0.0 0.0.255.255
access-list 111 deny ip 192.168.1.0 0.0.0.255 172.60.0.0 0.0.255.255
access-list 111 permit ip any any
control-plane
gatekeeper
shutdown
line con 0
exec-timeout 0 0
password cisco123
logging synchronous
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password cisco123
end
OfficeVPN_Router#sh ver
Cisco IOS Software, 7200 Software (C7200-A3JK9S-M), Version 12.4(25), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Tue 21-Apr-09 18:50 by prod_rel_team
ROM: ROMMON Emulation Microcode
BOOTLDR: 7200 Software (C7200-A3JK9S-M), Version 12.4(25), RELEASE SOFTWARE (fc2)
OfficeVPN_Router uptime is 30 minutes
System returned to ROM by unknown reload cause - suspect boot_data[BOOT_COUNT] 0x0, BOOT_COUNT 0, BOOTDATA 19
System image file is "tftp://255.255.255.255/unknown"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
Cisco 7206VXR (NPE400) processor (revision A) with 245760K/16384K bytes of memory.
Processor board ID 4279256517
R7000 CPU at 150MHz, Implementation 39, Rev 2.1, 256KB L2 Cache
6 slot VXR midplane, Version 2.1
Last reset from power-on
PCI bus mb0_mb1 (Slots 0, 1, 3 and 5) has a capacity of 600 bandwidth points.
Current configuration on bus mb0_mb1 has a total of 600 bandwidth points.
This configuration is within the PCI bus capacity and is supported.
PCI bus mb2 (Slots 2, 4, 6) has a capacity of 600 bandwidth points.
Current configuration on bus mb2 has a total of 0 bandwidth points
This configuration is within the PCI bus capacity and is supported.
Please refer to the following document "Cisco 7200 Series Port Adaptor
Hardware Configuration Guidelines" on Cisco.com <http://www.cisco.com>
for c7200 bandwidth points oversubscription and usage guidelines.
3 FastEthernet interfaces
125K bytes of NVRAM.
65536K bytes of ATA PCMCIA card at slot 0 (Sector size 512 bytes).
8192K bytes of Flash internal SIMM (Sector size 256K).
Configuration register is 0x2102
OfficeVPN_Router#
Dear Javier,
Thanks for your info. i already tested as you say. but still i can't use & ping to my internal IP which is behind cisco VPN router. i posted my config file.
OfficeVPN_Router(config)#ip access-list resequence 111 10 10
OfficeVPN_Router(config)#do sh run
Building configuration...
Current configuration : 2201 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname OfficeVPN_Router
boot-start-marker
boot-end-marker
enable secret 5 $1$E0Gz$U8UzNtHOXy2CeoEFj30by0
aaa new-model
aaa authentication login userlist local
aaa authorization network grouplist local
aaa session-id common
ip cef
no ip domain lookup
username asm privilege 15 password 0 pncsadmin
username user privilege 15 password 0 pncsadmin
username user1 privilege 15 password 0 pncsadmin
username cisco123 secret 5 $1$lCOc$Db.e8AFd/0f02ZI4/aeV./
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp client configuration group MWG
key cisco
dns 165.21.83.88
pool vpnpool
acl 101
netmask 255.255.0.0
crypto ipsec transform-set myset esp-aes esp-sha-hmac
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
crypto map mymap client authentication list userlist
crypto map mymap isakmp authorization list grouplist
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap 10 ipsec-isakmp dynamic dynmap
interface FastEthernet0/0
no ip address
shutdown
duplex half
interface FastEthernet1/0
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex full
speed 100
interface FastEthernet1/1
ip address 200.200.200.200 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map mymap
ip local pool vpnpool 172.60.1.10 172.60.1.100
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 200.200.200.201
no ip http server
no ip http secure-server
ip nat inside source list 111 interface FastEthernet1/1 overload
access-list 101 permit ip 192.168.1.0 0.0.0.255 172.60.0.0 0.0.255.255
access-list 111 deny ip 192.168.1.0 0.0.0.255 172.60.0.0 0.0.255.255
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
control-plane
gatekeeper
shutdown
line con 0
exec-timeout 0 0
password cisco123
logging synchronous
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password cisco123
end -
Hello.
I have a question about a connection between an asa5505-sec-bun-k9 (that acts as Easy VPN client) and a EASY VPN server.
The connection with the Easy VPN server is OK but I can no longer connect to internet and create VPN connections to my ASA5505 when I enable the feature.
Is this a normal condition with Easy VPN Client enabled?
u need to do split tunneling on ur vpn server and apply it to the vpn client config on the vpn server that encrypt only traffic destined to the server side private network
lets say the private network behind the vpn server is 192.168.1.0/24
so make a standard ACL
access-list split standard permit 192.168.1.0 255.255.255.0
group-policy [ur group policy name] attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
then when u connect from the easy client only traffic to 192.168.1.0 will go through the tunnel other traffic will not be part of encrypted traffic
good luck
Rate if helpful -
VPN with 2 network cards - vpn clients cannot see LAN.
Problem: When a VPN client connects they can only access the server and not any LAN computers. Unable to even ping the LAN computers. The VPN client machine connects via PPTP and receives the appropriate IP address but the subnet mask field is blank. The router is being set to 192.168.1.2
Here's my network setup:
en0: (external) IP: 192.168.1.2 and is connected to aDSL modem (192.168.1.1)
en1: (internal net) IP: 192.168.2.1
The internal en1 network range is: 192.168.2.2 - 192.168.2.25
The VPN range being handed out is: 192.168.2.26 - 192.168.2.30
VPN client machines are able to fully interact with the server, just cannot reach any LAN computers.
Any ideas??
XServe Mac OS X (10.4.9) Various Intel laptops and G5/G4 Lan machines
> The network address at the vpn client location is not 192.168.2.0/24. The vpn client has a public IP.
So you're saying that your client system has a 192.168.2.x address, and that's also the address range you're using behind the VPN?
That won't work.
You now have two 192.168.2.x networks - one local to the client and one over the VPN.
Normal routing rules dictate that the local connection will always take priority over the remote connection, so the client will look on the local LAN for anything in the 192.168.2.x range, completely ignoring the VPN.
If you think about it, your machine is told that it has two paths to get to anything in the 192.168.2.x network, either directly connected, or across the VPN connection. Given the choice, which one do you think you'd take?
The only real solution here is to use a different subnet at each end of the link - either change the client network to something else, or change the internal corp network. If you don't do that you'll have to set up host-based routes (one per system over the VPN) that override the local routing table (assuming that's even possible... I'd have to think about it). -
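The route-selection argument in the reply above, worked through as an added example (not part of the original thread): a small longest-prefix-match model showing the local 192.168.2.0/24 route shadowing the VPN route, a /32 host route overriding it for one machine, and the conflict disappearing once the far side is renumbered. The interface labels `lan0`/`vpn0`, the metrics and the 192.168.20.0/24 replacement subnet are assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    via: str      # interface label (hypothetical names)
    metric: int   # lower wins between equal-length prefixes (assumed values)


def make_route(prefix: str, via: str, metric: int) -> Route:
    return Route(ipaddress.ip_network(prefix), via, metric)


def lookup(table, dest: str):
    """Longest-prefix match; the metric breaks ties between equal prefixes."""
    addr = ipaddress.ip_address(dest)
    hits = [r for r in table if addr in r.prefix]
    if not hits:
        return None
    return min(hits, key=lambda r: (-r.prefix.prefixlen, r.metric))


def overlapping(table, vpn_if: str):
    """Pairs (vpn_route, other_route) whose ranges overlap, default route excluded."""
    vpn = [r for r in table if r.via == vpn_if]
    rest = [r for r in table if r.via != vpn_if and r.prefix.prefixlen > 0]
    return [(v, o) for v in vpn for o in rest if v.prefix.overlaps(o.prefix)]


# Constructed client routing table: the client's own LAN and the office LAN
# behind the VPN both use 192.168.2.0/24.
CLIENT_TABLE = [
    make_route("0.0.0.0/0", "lan0", 10),
    make_route("192.168.2.0/24", "lan0", 10),   # directly connected
    make_route("192.168.2.0/24", "vpn0", 20),   # learned from the VPN
]

# Workaround from the reply: one host route per office machine.
WITH_HOST_ROUTE = CLIENT_TABLE + [make_route("192.168.2.10/32", "vpn0", 20)]

# Real fix from the reply: different subnets at each end of the link.
RENUMBERED = [
    make_route("0.0.0.0/0", "lan0", 10),
    make_route("192.168.2.0/24", "lan0", 10),
    make_route("192.168.20.0/24", "vpn0", 20),
]

if __name__ == "__main__":
    for name, table, dest in [
        ("overlap", CLIENT_TABLE, "192.168.2.10"),
        ("host route", WITH_HOST_ROUTE, "192.168.2.10"),
        ("host route", WITH_HOST_ROUTE, "192.168.2.11"),
        ("renumbered", RENUMBERED, "192.168.20.10"),
    ]:
        chosen = lookup(table, dest)
        print(f"{name:<11} {dest:<14} -> {chosen.via} ({chosen.prefix})")
    print("conflicts:", len(overlapping(CLIENT_TABLE, "vpn0")))
```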
how to handle multiple site to site IPsec vpn on ASA, any best practice to manage multiple ipsec vpn configurations
before ver 8.3 and after version 8.3 ...8.4.. 9 versions..
Hi,
To my understanding you should be able to attach the same cryptomap to the other "outside" interface or perhaps alternatively create a new crypto map that you attach only to your new "outside" interface.
Also I think you will probably need to route the remote peer ip of the VPN connection towards the gateway IP address of that new "outside" and also the remote network found behind the VPN connection.
If you attempt to use VPN Client connection instead of L2L VPN connection with the new "outside" interface then you will run into routing problems as naturally you can have 2 default routes active at the same time (default route would be required on the new "outside" interface if VPN Client was used since you DONT KNOW where the VPN Clients are connecting to your ASA)
Hope this helps
- Jouni -
How not to check mail for VPN only mail accounts?
I have an internal mail server that is only accessible via VPN.
How can I tell the iPhone not to check the mailbox without first being connected via VPN?
Unfortunately you can't. Technically, you should be able to set it to manual and be done, but there seems to be a bug in the entire PUSH/FETCH/MANUAL algorithm.
I have found that the iPhone will check for email of POP3 accounts that are set to manual when it pulls PUSH email or even if I go into any inbox.
If you are worried about revealing your password, there is some good news. Even if the phone goes to check your email that is behind a VPN server, it won't send the password until the TCP connection is established with the email server. Since this connection is never established, there is no password sent. -
Lion VPN with a Windows 7 client; can't browse network
So, here's my setup..
I have a Lion Server running VPN (192.168.1.11 /24), a windows box behind the VPN (192.168.1.15) and a Windows 7 client connecting.
I've been able to get the Windows 7 client to actually connect to the VPN. I can also manually go to the client machine (i.e. \\192.168.1.15 ), and I've even thought of creating a static hosts entry for the netbios name -> IP, but, while all that works, the simple fact is that I can NOT browse the network using either a mac client OR a windows client.
DHCP/DNS is being done by the router (A Verizon Actiontec router with a MoCA connection.)
I COULD get the lion server to serve dns/dhcp for the whole network, but, haven't yet. Lion server uses the router IP as it's DNS (and does not use the local DNS at all). I've tried to both ways though; didn't solve the issue.
So, is there any way to fix the ability to browse beyond the VPN? Lion does not include (that I can find) a WINS server....
Lion server is DMZ'd from the router. So, all ports are open.
Help!
No one has any ideas on how to fix this?
-
We just purchased and set up the WRV210 VPN router, but we are having a major issue with it. We are running a mail server behind the VPN router, but we can no longer connect to it through Outlook. We forwarded all of the appropriate ports but still can't connect. On our previous router we only had to forward the ports and everything worked. We can't telnet the SMTP port or anything. We have disabled the firewall and tried nearly every setting we could find. We access the webmail service that runs on the website (Port 80) and all of the other websites. We can also VPN into the router and access all of the servers. We are also able to do outbound transactions from within the network (when using local IP's) hence why all features in webmail work. Our problem is when trying to connect to POP and SMTP through Outlook. This is a major issue as it is now interrupting our day-to-day operations.
Did you open the Ports 25 and 110 ? What Firmware are you running on the router ? Did you try to reset and re-configure all the setting ?
-
SNMP Management of individual VPN Tunnels
Is there a way of indexing individual VPN Tunnels statically, through a VPN3000 concentrator?
If I MIB browse a VPN3000 concentrator, I can see the individual VPN tunnels each with ifindex numbers, so for the period this tunnel is active, I can collect performance statistics from it. The problem occurs when the connection from the same site is reset, the ifindex is renumbered which means I have to relearn the new ifindex in order to continue collecting information.
Is there a way around this, or is there another solution for getting traffic statistics from VPN tunnels between sites, via SNMP?
Since the if numbers change the best way to get your stats would be from the routers behind the vpn on either side. Then you can turn on ip accounting or use netflow on the routers. There is a free netflow collector @ www.ntop.org. I think this approach will work if you.
Hope this helps. -
Internet stopped working when connected to Cisco VPN
Hi,
I have configured IPSec (IKEv1) Remote access VPN in ASA 5520, VPN is connecting properly and i am able to access all internal resources but Internet is not working when connected to VPN. I have investigated on this and found problem with the default gateway, i am getting default gateway during VPN connection. I am surprised in ASA there is no default gateway configured for remote VPN IP pool then how remote clients can get default gateway.
I am describing my problem in below given image Please help me to shootout it.
Thanks in advance.
Hi,
The top configuration is specified to Tunnel All traffic as you can see from the "split-tunnel-policy tunnelall". In this case the Split Tunnel ACL is ignored to my understanding.
The bottom configuration is specified to use Split Tunnel but I cant see the ACL specified there.
To my understanding you should be seeing routes on your actual computers routing table for the networks that are reached through the VPN.
On a Windows machine you can open the command prompt and issue the command "route print" to view the routes
Here is an example when I am connected to one Split Tunnel VPN
To my understanding there is no default gateway in the virtual VPN interface configurations as the host forward all the traffic that needs to be tunneled to the actual virtual interface and from there on in it heads through the VPN Connection.
Here is an example what the VPN Client Statistics/Route Details tells me
Both Internet and the remote network/host behind the VPN connection can be reached.
What does the above window show for you in your VPN Client when active?
- Jouni -
hi,
can anybody tell me if current IOS supports label switching multicast traffic in the core mpls network? i searched the cco and found some information only about support for multicast traffic in mpls/vpn.
could you answer this question or give me some links to read, thanks a lot :-)
On the Cisco Feature Navigator you can look for:
Multicast-VPN: Multicast Support for MPLS VPN
http://tools.cisco.com/ITDIT/CFN/Dispatch
As far as I remember there is a special range of labels reserved for multicasting but I can't find this any more in the RFC
I think it's an important feature for service providers if they want to connect customers that use multicasting
Hope this helps
Gerrit Frans van Pelt