PIX/ASA not able to reach DMZ

Hi everyone,
I am able to ping all IPs from outside to inside, but there is no communication from inside and outside to the DMZ.
I ran debug icmp trace 255 and it gives the debug output below. Can anyone guide me if I am making a mistake in the config?
pixfirewall(config)# ICMP echo request from OUTSIDE:131.1.23.1 to DMZ:131.1.23.10 ID=74 seq=0 len=72
ICMP echo request untranslating OUTSIDE:131.1.23.10 to DMZ:192.168.10.10
ICMP echo request from OUTSIDE:131.1.23.1 to DMZ:131.1.23.10 ID=74 seq=1 len=72
ICMP echo request untranslating OUTSIDE:131.1.23.10 to DMZ:192.168.10.10
ICMP echo request from OUTSIDE:131.1.23.1 to DMZ:131.1.23.10 ID=74 seq=2 len=72
ICMP echo request untranslating OUTSIDE:131.1.23.10 to DMZ:192.168.10.10
ICMP echo request from OUTSIDE:131.1.23.1 to DMZ:131.1.23.10 ID=74 seq=3 len=72
ICMP echo request untranslating OUTSIDE:131.1.23.10 to DMZ:192.168.10.10
ICMP echo request from OUTSIDE:131.1.23.1 to DMZ:131.1.23.10 ID=74 seq=4 len=72
ICMP echo request untranslating OUTSIDE:131.1.23.10 to DMZ:192.168.10.10
DMZ>sh ip int br
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                192.168.0.1     YES manual up                    up 
Ethernet0/1                unassigned      YES unset  administratively down down
Ethernet0/2                unassigned      YES unset  administratively down down
Ethernet0/3                unassigned      YES unset  administratively down down
FastEthernet1/0            20.1.1.2        YES NVRAM  administratively down down
Loopback0                  192.168.10.10   YES manual up                    up 
Loopback1                  4.4.4.4         YES NVRAM  up                    up 
DMZ>
INSIDE-RTR>sh ip int br
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                10.10.254.2     YES NVRAM  up                    up 
Ethernet0/1                unassigned      YES NVRAM  administratively down down
Ethernet0/2                unassigned      YES NVRAM  administratively down down
Ethernet0/3                unassigned      YES NVRAM  administratively down down
Loopback0                  10.14.8.50      YES NVRAM  up                    up 
Loopback1                  10.10.10.10     YES manual up                    up 
INSIDE-RTR>
OUTSIDE>sh ip int br
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                unassigned      YES TFTP   administratively down down
Ethernet0/1                131.1.23.1      YES NVRAM  up                    up 
Ethernet0/2                unassigned      YES NVRAM  administratively down down
Ethernet0/3                unassigned      YES NVRAM  administratively down down
Loopback0                  5.5.5.5         YES manual up                    up 
Loopback1                  1.1.1.1         YES NVRAM  up                    up 
OUTSIDE>
pixfirewall# sh run
: Saved
PIX Version 7.2(4)
hostname pixfirewall
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0
speed 100
duplex full
nameif INSIDE
security-level 100
ip address 10.10.254.1 255.255.255.0
interface Ethernet1
speed 100
duplex full
nameif OUTSIDE
security-level 0
ip address 131.1.23.2 255.255.255.0
interface Ethernet2
speed 100
duplex full
shutdown
no nameif
security-level 50
no ip address
interface Ethernet3
speed 100
duplex full
nameif DMZ
security-level 50
ip address 192.168.0.2 255.255.255.0
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
ftp mode passive
same-security-traffic permit intra-interface
access-list 101 extended permit ip any any log
access-list ACL-BW extended permit ip any any
access-list DMZtoINSIDE extended permit ip any any log
pager lines 24
logging buffered debugging
mtu INSIDE 1500
mtu OUTSIDE 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (OUTSIDE) 1 131.1.23.12-131.1.23.254
nat (INSIDE) 1 10.0.0.0 255.0.0.0
static (INSIDE,OUTSIDE) 131.1.23.11 10.14.8.50 netmask 255.255.255.255
static (INSIDE,DMZ) 192.168.11.11 10.10.10.10 netmask 255.255.255.255
static (DMZ,OUTSIDE) 131.1.23.10 192.168.10.10 netmask 255.255.255.255
access-group 101 in interface OUTSIDE
access-group DMZtoINSIDE in interface DMZ
route INSIDE 10.14.8.0 255.255.255.0 10.10.254.2 1
route INSIDE 10.10.10.0 255.255.255.0 10.10.254.2 1
route OUTSIDE 0.0.0.0 0.0.0.0 131.1.23.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
priority-queue OUTSIDE
class-map CLASS-BW
match access-list ACL-BW
class-map bw-limit1
policy-map POLICY-BW
class CLASS-BW
  police output 8000 1000 conform-action drop
service-policy POLICY-BW interface OUTSIDE
prompt hostname context
Cryptochecksum:2544d2c2a04267b55ac2ae90ba42d40f
: end
=====================
Thanks for the reply

Hi Julio,
Thanks for your reply.
Here are the outputs you asked me for:
1 - Can you ping 131.1.23.1 from the ASA? ---- Yes, pinging
pixfirewall# ping 131.1.23.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 131.1.23.1, timeout is 2 seconds:
ICMP echo request from 131.1.23.2 to 131.1.23.1 ID=4388 seq=36579 len=72
!ICMP echo reply from 131.1.23.1 to 131.1.23.2 ID=4388 seq=36579 len=72
ICMP echo request from 131.1.23.2 to 131.1.23.1 ID=4388 seq=36579 len=72
2 - Can you ping 192.168.10.10 from the ASA? ---- Not reachable
pixfirewall# ping 192.168.10.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.10, timeout is 2 seconds:
ICMP echo request from 131.1.23.2 to 192.168.10.10 ID=4388 seq=16281 len=72
?ICMP echo request from 131.1.23.2 to 192.168.10.10 ID=4388 seq=16281 len=72
?ICMP echo request from 131.1.23.2 to 192.168.10.10 ID=4388 seq=16281 len=72
?ICMP echo request from 131.1.23.2 to 192.168.10.10 ID=4388 seq=16281 len=72
?ICMP echo request from 131.1.23.2 to 192.168.10.10 ID=4388 seq=16281 len=72
Success rate is 0 percent (0/5)
pixfirewall#
I have applied all the captures below:
access-list capout permit icmp 131.1.23.1 255.255.255.255  host 131.1.23.10
access-list capout permit icmp host 131.1.23.10 131.1.23.1 255.255.255.255
access-list capdmz permit icmp host 131.1.23.1 host 192.168.10.10
access-list capdmz permit icmp host 192.168.10.10 host 131.1.23.1
capture capdmz access-list capdmz interface dmz
capture capout access-list capout interface outside
pixfirewall# clear access-list capout counters
pixfirewall#
pixfirewall# clear access-list capdmz counters
pixfirewall#
pixfirewall# clear access-list 101 counters
pixfirewall#
pixfirewall# clear access-list DMZtoINSIDE counters
pixfirewall#
Then:
OUTSIDE#ping 131.1.23.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 131.1.23.10, timeout is 2 seconds:
Success rate is 0 percent (0/5)
OUTSIDE#
pixfirewall# ICMP echo request from OUTSIDE:131.1.23.1 to DMZ:131.1.23.10 ID=77 seq=0 len=72
ICMP echo request untranslating OUTSIDE:131.1.23.10 to DMZ:192.168.10.10
ICMP echo request from OUTSIDE:131.1.23.1 to DMZ:131.1.23.10 ID=77 seq=1 len=72
ICMP echo request untranslating OUTSIDE:131.1.23.10 to DMZ:192.168.10.10
ICMP echo request from OUTSIDE:131.1.23.1 to DMZ:131.1.23.10 ID=77 seq=2 len=72
ICMP echo request untranslating OUTSIDE:131.1.23.10 to DMZ:192.168.10.10
ICMP echo request from OUTSIDE:131.1.23.1 to DMZ:131.1.23.10 ID=77 seq=3 len=72
ICMP echo request untranslating OUTSIDE:131.1.23.10 to DMZ:192.168.10.10
ICMP echo request from OUTSIDE:131.1.23.1 to DMZ:131.1.23.10 ID=77 seq=4 len=72
ICMP echo request untranslating OUTSIDE:131.1.23.10 to DMZ:192.168.10.10
pixfirewall#
pixfirewall# ping 192.168.10.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.10, timeout is 2 seconds:
ICMP echo request from 131.1.23.2 to 192.168.10.10 ID=4388 seq=18641 len=72
?ICMP echo request from 131.1.23.2 to 192.168.10.10 ID=4388 seq=18641 len=72
?ICMP echo request from 131.1.23.2 to 192.168.10.10 ID=4388 seq=18641 len=72
?ICMP echo request from 131.1.23.2 to 192.168.10.10 ID=4388 seq=18641 len=72
?ICMP echo request from 131.1.23.2 to 192.168.10.10 ID=4388 seq=18641 len=72
Success rate is 0 percent (0/5)
pixfirewall#
pixfirewall#
pixfirewall# ping 131.1.23.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 131.1.23.1, timeout is 2 seconds:
ICMP echo request from 131.1.23.2 to 131.1.23.1 ID=4388 seq=44599 len=72
!ICMP echo reply from 131.1.23.1 to 131.1.23.2 ID=4388 seq=44599 len=72
!ICMP echo request from 131.1.23.2 to 131.1.23.1 ID=4388 seq=44599 len=72
ICMP echo reply from 131.1.23.1 to 131.1.23.2 ID=4388 seq=44599 len=72
ICMP echo request from 131.1.23.2 to 131.1.23.1 ID=4388 seq=44599 len=72
ICMP echo reply from 131.1.23.1 to 131.1.23.2 ID=4388 seq=44599 len=72
!ICMP echo request from 131.1.23.2 to 131.1.23.1 ID=4388 seq=44599 len=72
!ICMP echo reply from 131.1.23.1 to 131.1.23.2 ID=4388 seq=44599 len=72
ICMP echo request from 131.1.23.2 to 131.1.23.1 ID=4388 seq=44599 len=72
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/50/90 ms
pixfirewall# ICMP echo reply from 131.1.23.1 to 131.1.23.2 ID=4388 seq=44599 len=72
pixfirewall#
pixfirewall#
pixfirewall# sh access-list
access-list cached ACL log flows: total 1, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list 101; 1 elements
access-list 101 line 1 extended permit ip any any log informational interval 300 (hitcnt=1) 0x28676dfa
access-list ACL-BW; 1 elements
access-list ACL-BW line 1 extended permit ip any any (hitcnt=156) 0xfa95bcad
access-list DMZtoINSIDE; 1 elements
access-list DMZtoINSIDE line 1 extended permit ip any any log informational interval 300 (hitcnt=0) 0xf5a55e4b
access-list capout; 2 elements
access-list capout line 1 extended permit icmp host 131.1.23.1 host 131.1.23.10 (hitcnt=5) 0xfb220e61
access-list capout line 2 extended permit icmp host 131.1.23.10 host 131.1.23.1 (hitcnt=0) 0xda226f3d
access-list capdmz; 2 elements
access-list capdmz line 1 extended permit icmp host 131.1.23.1 host 192.168.10.10 (hitcnt=0) 0xa133807b
access-list capdmz line 2 extended permit icmp host 192.168.10.10 host 131.1.23.1 (hitcnt=0) 0x99b84706
pixfirewall#
==================
Thanks for your reply again
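
The following Python check is an added example, not part of the original thread: it parses the interface, static and route lines of the running-config posted above and reports every static whose real address the routing table does not reach through the interface the static names. The helper names and the candidate route line (next hop 192.168.0.1, the DMZ router's Ethernet0/0 address) are assumptions made for the example.

```python
import ipaddress

# Constructed excerpt: the interface, static and route lines copied from the
# running-config posted in the thread (everything else omitted).
PIX_CONFIG = """\
interface Ethernet0
nameif INSIDE
ip address 10.10.254.1 255.255.255.0
interface Ethernet1
nameif OUTSIDE
ip address 131.1.23.2 255.255.255.0
interface Ethernet2
shutdown
no nameif
no ip address
interface Ethernet3
nameif DMZ
ip address 192.168.0.2 255.255.255.0
static (INSIDE,OUTSIDE) 131.1.23.11 10.14.8.50 netmask 255.255.255.255
static (INSIDE,DMZ) 192.168.11.11 10.10.10.10 netmask 255.255.255.255
static (DMZ,OUTSIDE) 131.1.23.10 192.168.10.10 netmask 255.255.255.255
route INSIDE 10.14.8.0 255.255.255.0 10.10.254.2 1
route INSIDE 10.10.10.0 255.255.255.0 10.10.254.2 1
route OUTSIDE 0.0.0.0 0.0.0.0 131.1.23.1 1
"""

# Assumption for the example: a candidate route whose next hop is the DMZ
# router's Ethernet0/0 address (192.168.0.1) from its "sh ip int br" output.
CANDIDATE_ROUTE = "route DMZ 192.168.10.0 255.255.255.0 192.168.0.1 1\n"


def _network(addr, mask):
    """Build an IPv4 network from a dotted address and a dotted netmask."""
    prefix_len = bin(int(ipaddress.IPv4Address(mask))).count("1")
    return ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)


def parse_config(text):
    """Extract connected networks, static routes and static NAT entries."""
    table = []      # (network, egress nameif, "connected" or next hop)
    statics = []    # (real nameif, mapped nameif, mapped ip, real ip)
    nameif = None
    for line in text.splitlines():
        w = line.split()
        if not w or w[0] == "no":
            continue                           # blank or negated command
        if w[0] == "interface":
            nameif = None                      # start of a new interface block
        elif w[0] == "nameif":
            nameif = w[1]
        elif w[:2] == ["ip", "address"] and nameif:
            table.append((_network(w[2], w[3]), nameif, "connected"))
        elif w[0] == "route":
            table.append((_network(w[2], w[3]), w[1], w[4]))
        elif w[0] == "static":
            real_if, mapped_if = w[1].strip("()").split(",")
            statics.append((real_if, mapped_if, w[2], w[3]))
    return table, statics


def routed_interface(table, ip):
    """Longest-prefix match: the interface the routing table points ip at."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, ifname) for net, ifname, _ in table if addr in net]
    return max(matches)[1] if matches else None


def check_statics(text):
    """Return statics whose real address is not routed via their real interface."""
    table, statics = parse_config(text)
    findings = []
    for real_if, mapped_if, mapped_ip, real_ip in statics:
        routed = routed_interface(table, real_ip)
        if routed != real_if:
            findings.append({
                "static": f"({real_if},{mapped_if}) {mapped_ip} {real_ip}",
                "expected": real_if,
                "routed": routed,
            })
    return findings


if __name__ == "__main__":
    for finding in check_statics(PIX_CONFIG):
        print("MISMATCH", finding)
    print("with candidate route:", check_statics(PIX_CONFIG + CANDIDATE_ROUTE))
```

On the posted configuration the check returns a single finding, for 192.168.10.10, which only the default route via OUTSIDE covers; that is consistent with the firewall's own ping to that address being sourced from 131.1.23.2 and with the capdmz hit counts staying at 0.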

Similar Messages

  • How can I activate an iPad that was attached to someone's iCloud account? I am not able to reach the person to have them release it.

    You can't, I'm sorry. What you're running into is the activation lock, and it requires that the original owner release it with their Apple ID before you can set it up.

  • PXE boot problem: guest VM DHCP request packets not able to reach DHCP server

    Hi Gurus,
      I'm wondering if anyone could help me with this problem. I wanted to install Linux on Oracle VMs using PXE. I set up a DHCP server and the OVM running RHEL6.4 box. The DHCP server worked fine since other PHYSICAL servers could get IPs from this DHCP server. However, DHCP requests from Oracle VMs were not able to reach the DHCP server. So I suspect this is a VM-specific issue.
    If I type in "dhcp net0" on the gPXE prompt on the OVS machine (sapphire), I can see the requests were being sent from the OVS server (sapphire):
    gPXE> dhcp net0
    DHCP (net0 00:21:f6:00:00:00) .............................................Connection time out (0x4c106035)
    Could not configure net0: Connection time out (0x4c106035)
    gPXE>
    [root@sapphire ~]# tcpdump -i any -n udp dst portrange 67-68
    tcpdump: WARNING: Promiscuous mode not supported on the "any" device
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
    20:47:25.606400 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:21:f6:00:00:00, length: 387
    20:47:25.606549 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:21:f6:00:00:00, length: 387
    20:47:25.606559 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:21:f6:00:00:00, length: 387
    ^C
    12 packets captured
    14 packets received by filter
    0 packets dropped by kernel
    But if I snoop the same on the RHEL6.4 server running DHCP server and OVM, no request can be seen:
    [root@bluestone Desktop]# tcpdump -i any -n udp dst portrange 67-68
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
    ^C
    0 packets captured
    0 packets received by filter
    0 packets dropped by kernel
    OVS(sapphire) and OVM(bluestone) are located in the same subnet:
    [root@bluestone network-scripts]# ifconfig -a
    eth0      Link encap:Ethernet  HWaddr 00:14:22:72:7C:27 
              inet addr:192.168.2.48  Bcast:192.168.2.255  Mask:255.255.255.0
              inet6 addr: fe80::214:22ff:fe72:7c27/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:106795 errors:0 dropped:0 overruns:0 frame:0
              TX packets:122056 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:59173975 (56.4 MiB)  TX bytes:25362955 (24.1 MiB)
    [root@sapphire ~]# ifconfig -a
    10049df2fc Link encap:Ethernet  HWaddr 8A:C5:05:83:AF:C9 
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:80 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:33200 (32.4 KiB)  TX bytes:0 (0.0 b)
    eth0      Link encap:Ethernet  HWaddr 00:1A:64:64:DA:64 
              inet addr:192.168.2.202  Bcast:192.168.2.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:37664 errors:0 dropped:0 overruns:0 frame:0
              TX packets:38939 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:4537897 (4.3 MiB)  TX bytes:23127790 (22.0 MiB)
    eth0:0    Link encap:Ethernet  HWaddr 00:1A:64:64:DA:64 
              inet addr:192.168.2.212  Bcast:192.168.2.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
    [root@sapphire ~]# brctl show
    bridge name    bridge id        STP enabled    interfaces
    10049df2fc        8000.8ac50583afc9    yes        tap7.0
                                tap7.1
                                vif7.0
                                vif7.1
    I turned off iptables and SELinux on the DHCP server, the issue still remained.
    Any help will be highly appreciated.
    Thanks in advance,
    Alex

    Hi,
    - Do you install Oracle VM Server (OVS) on an emulated environment like Oracle VM VirtualBox? If yes, you can't do it.
    - Don't forget to configure the Virtual Machines Network and also to add this network to this Virtual Machine.
    I hope this can help you
    Best Regards

  • IPSec Tunnel established but not able to reach remote Local subnet

    Hi,
    We established an IPsec tunnel. It was active, but I found the following issues. Please give your suggestions to troubleshoot it.
    1. 192.168.50.0/24 (Site A) is able to reach 192.168.90.0/24 (Site B) and vice versa.
    2. 192.168.30.0/24 (Site C) is able to reach 192.168.50.0/24 (Site A) but not vice versa.
    3. 192.168.10.0/24, 155.220.21.175 (Site A) reach up to 192.168.90.0/24 (Site B) and vice versa, but do not reach 192.168.50.0/24 (Site A).
    We want to access 192.168.30.0/24, 192.168.10.0/24, 155.220.21.175 (Site C) from 192.168.50.0/24 (Site A).
    Additionally, the tunnel is only established if active traffic is sent from Site B.
    Thanks & Rgds,
    Dhaval Dikshit

    Thanks, Punit. Additionally, I found the following error; it might bring us nearer to a solution. Please suggest if you have any suggestions.
    When I run packet tracer from Site B I get the following message.
    ASA# packet-trace input outside tcp 192.168.50.220 2000 155.220.21.175 21 detail
    Phase: 1
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0xc959c928, priority=1, domain=permit, deny=false
            hits=143495595, user_data=0x0, cs_id=0x0, l3_type=0x8
            src mac=0000.0000.0000, mask=0000.0000.0000
            dst mac=0000.0000.0000, mask=0100.0000.0000
    Phase: 2
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   155.220.21.175  255.255.255.255 inside
    Phase: 3
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group outside_access_in in interface outside
    access-list outside_access_in extended permit ip object-group Tas_Tunnel host 155.220.21.175 log
    object-group network Tas_Tunnel
    network-object host 192.168.50.50
    network-object host 192.168.50.65
    network-object host 192.168.50.220
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0xca246310, priority=12, domain=permit, deny=false
            hits=1, user_data=0xc793bcc0, cs_id=0x0, flags=0x0, protocol=0
            src ip=192.168.50.220, mask=255.255.255.255, port=0
            dst ip=155.220.21.175, mask=255.255.255.255, port=0, dscp=0x0
    Phase: 4
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0xc959f4d8, priority=0, domain=inspect-ip-options, deny=true
            hits=3443418, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
            src ip=0.0.0.0, mask=0.0.0.0, port=0
            dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
    Phase: 5
    Type: INSPECT
    Subtype: inspect-ftp
    Result: ALLOW
    Config:
    class-map inspection_default
    match default-inspection-traffic
    policy-map global_policy
    class inspection_default
      inspect ftp
    service-policy global_policy global
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0xc962fa60, priority=70, domain=inspect-ftp, deny=false
            hits=11, user_data=0xc962f8b0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
            src ip=0.0.0.0, mask=0.0.0.0, port=0
            dst ip=0.0.0.0, mask=0.0.0.0, port=21, dscp=0x0
    Phase: 6
    Type: VPN
    Subtype: ipsec-tunnel-flow
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0xc9f1c290, priority=12, domain=ipsec-tunnel-flow, deny=true
            hits=167708, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
            src ip=0.0.0.0, mask=0.0.0.0, port=0
            dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
    Phase: 7
    Type: NAT-EXEMPT
    Subtype: rpf-check
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0xc965a700, priority=6, domain=nat-exempt-reverse, deny=false
            hits=2, user_data=0xc965a490, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
            src ip=192.168.50.220, mask=255.255.255.255, port=0
            dst ip=155.220.21.175, mask=255.255.255.255, port=0, dscp=0x0
    Phase: 8
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Reverse Flow based lookup yields rule:
    in  id=0xc95ea328, priority=0, domain=inspect-ip-options, deny=true
            hits=17273465, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
            src ip=0.0.0.0, mask=0.0.0.0, port=0
            dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
    Phase: 9
    Type: VPN
    Subtype: encrypt
    Result: DROP
    Config:
    Additional Information:
    Reverse Flow based lookup yields rule:
    out id=0xca2f4c98, priority=70, domain=encrypt, deny=false
            hits=2, user_data=0x0, cs_id=0xc9dd8d90, reverse, flags=0x0, protocol=0
            src ip=155.220.21.175, mask=255.255.255.255, port=0
            dst ip=192.168.50.192, mask=255.255.255.192, port=0, dscp=0x0
    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: inside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
    Thanks & Rgrds,
    Dhaval Dikshit

  • Dispatcher Died after not able to reach message server

    Hi Gurus,
    My dispatcher is not able to connect to the MS. Please note I am using Windows/Oracle. After some time disp+work died. Here I am posting the latest dev_disp log. Please suggest.
    regards-JASWANT
    trc file: "dev_disp", trc level: 1, release: "700"
    sysno      00
    sid        EC5
    systemid   560 (PC with Windows NT)
    relno      7000
    patchlevel 0
    patchno    144
    intno      20050900
    make:      multithreaded, Unicode, optimized
    pid        3096
    Mon Apr 27 11:01:58 2009
    kernel runs with dp version 232000(ext=109000) (@(#) DPLIB-INT-VERSION-232000-UC)
    length of sys_adm_ext is 576 bytes
    SWITCH TRC-HIDE on ***
    ***LOG Q00=> DpSapEnvInit, DPStart (00 3096) [dpxxdisp.c   1243]
         shared lib "dw_xml.dll" version 144 successfully loaded
         shared lib "dw_xtc.dll" version 144 successfully loaded
         shared lib "dw_stl.dll" version 144 successfully loaded
         shared lib "dw_gui.dll" version 144 successfully loaded
         shared lib "dw_mdm.dll" version 144 successfully loaded
    rdisp/softcancel_sequence :  -> 0,5,-1
    Mon Apr 27 11:02:03 2009
    WARNING => DpNetCheck: NiAddrToHost(1.0.0.0) took 4 seconds
    ***LOG GZZ=> 1 possible network problems detected - check tracefile and adjust the DNS settings [dpxxtool2.c  5371]
    MtxInit: 30000 0 0
    DpSysAdmExtInit: ABAP is active
    DpSysAdmExtInit: VMC (JAVA VM in WP) is not active
    DpIPCInit2: start server >hpnwecc_EC5_00                          <
    DpShMCreate: sizeof(wp_adm)          18672     (1436)
    DpShMCreate: sizeof(tm_adm)          4270848     (21248)
    DpShMCreate: sizeof(wp_ca_adm)          24000     (80)
    DpShMCreate: sizeof(appc_ca_adm)     8000     (80)
    DpCommTableSize: max/headSize/ftSize/tableSize=500/8/528056/528064
    DpShMCreate: sizeof(comm_adm)          528064     (1048)
    DpSlockTableSize: max/headSize/ftSize/fiSize/tableSize=0/0/0/0/0
    DpShMCreate: sizeof(slock_adm)          0     (96)
    DpFileTableSize: max/headSize/ftSize/tableSize=0/0/0/0
    DpShMCreate: sizeof(file_adm)          0     (72)
    DpShMCreate: sizeof(vmc_adm)          0     (1544)
    DpShMCreate: sizeof(wall_adm)          (38456/34360/64/184)
    DpShMCreate: sizeof(gw_adm)     48
    DpShMCreate: SHM_DP_ADM_KEY          (addr: 05970040, size: 4930904)
    DpShMCreate: allocated sys_adm at 05970040
    DpShMCreate: allocated wp_adm at 05972090
    DpShMCreate: allocated tm_adm_list at 05976980
    DpShMCreate: allocated tm_adm at 059769B0
    DpShMCreate: allocated wp_ca_adm at 05D894B0
    DpShMCreate: allocated appc_ca_adm at 05D8F270
    DpShMCreate: allocated comm_adm at 05D911B0
    DpShMCreate: system runs without slock table
    DpShMCreate: system runs without file table
    DpShMCreate: allocated vmc_adm_list at 05E12070
    DpShMCreate: allocated gw_adm at 05E120B0
    DpShMCreate: system runs without vmc_adm
    DpShMCreate: allocated ca_info at 05E120E0
    DpShMCreate: allocated wall_adm at 05E120E8
    MBUF state OFF
    DpCommInitTable: init table for 500 entries
    Mon Apr 27 11:02:04 2009
    ThTaskStatus: rdisp/reset_online_during_debug 0
    EmInit: MmSetImplementation( 2 ).
    MM global diagnostic options set: 0
    <ES> client 0 initializing ....
    <ES> InitFreeList
    <ES> block size is 1024 kByte.
    Using implementation view
    <EsNT> Using memory model view.
    <EsNT> Memory Reset disabled as NT default
    <ES> 755 blocks reserved for free list.
    ES initialized.
    J2EE server info
      start = TRUE
      state = STARTED
      pid = 5940
      argv[0] = E:\usr\sap\EC5\DVEBMGS00\exe\jcontrol.EXE
      argv[1] = E:\usr\sap\EC5\DVEBMGS00\exe\jcontrol.EXE
      argv[2] = pf=E:\usr\sap\EC5\SYS\profile\EC5_DVEBMGS00_hpnwecc
      argv[3] = -DSAPSTART=1
      argv[4] = -DCONNECT_PORT=65000
      argv[5] = -DSAPSYSTEM=00
      argv[6] = -DSAPSYSTEMNAME=EC5
      argv[7] = -DSAPMYNAME=hpnwecc_EC5_00
      argv[8] = -DSAPPROFILE=E:\usr\sap\EC5\SYS\profile\EC5_DVEBMGS00_hpnwecc
      argv[9] = -DFRFC_FALLBACK=ON
      argv[10] = -DFRFC_FALLBACK_HOST=localhost
      start_lazy = 0
      start_control = SAP J2EE startup framework
    Continued......

    .....continued
    DpJ2eeStart: j2ee state = STARTED
    rdisp/http_min_wait_dia_wp : 1 -> 1
    ***LOG CPS=> DpLoopInit, ICU ( 3.0 3.0 4.0.1) [dpxxdisp.c   1633]
    ***LOG Q0F=> DpLoopInit, nomstry () [dpxxdisp.c   1720]
    ERROR => Connection to Message Server failed - check installation [dpxxdisp.c   1721]
    CCMS: AlInitGlobals : alert/use_sema_lock = TRUE.
    CCMS: start to initalize 3.X shared alert area (first segment).
    DpJ2eeLogin: j2ee state = CONNECTED
    Mon Apr 27 11:02:07 2009
    ***LOG Q0I=> NiIRead: recv (10054: WSAECONNRESET: Connection reset by peer) [nixxi.cpp 4424]
    ERROR => NiIRead: SiRecv failed for hdl 3 / sock 1500
        (SI_ECONN_BROKEN/10054; I4; ST; 127.0.0.1:3319) [nixxi.cpp    4424]
    DpJ2eeMsgProcess: j2ee state = CONNECTED (NIECONN_BROKEN)
    DpIJ2eeShutdown: send SIGINT to SAP J2EE startup framework (pid=5940)
    ERROR => DpProcKill: kill failed [dpntdisp.c   371]
    DpIJ2eeShutdown: j2ee state = SHUTDOWN
    Mon Apr 27 11:02:44 2009
    ERROR => DpHdlDeadWp: W0 (pid 5680) died [dpxxdisp.c   14532]
    ERROR => DpHdlDeadWp: W1 (pid 4888) died [dpxxdisp.c   14532]
    ERROR => DpHdlDeadWp: W2 (pid 4208) died [dpxxdisp.c   14532]
    ERROR => DpHdlDeadWp: W3 (pid 444) died [dpxxdisp.c   14532]
    ERROR => DpHdlDeadWp: W4 (pid 5312) died [dpxxdisp.c   14532]
    ERROR => DpHdlDeadWp: W5 (pid 4880) died [dpxxdisp.c   14532]
    my types changed after wp death/restart 0xbf --> 0xbe
    ERROR => MsIModTypes: not_attached [msxxi.c      1834]
    ERROR => DpHdlDeadWp: W6 (pid 6120) died [dpxxdisp.c   14532]
    my types changed after wp death/restart 0xbe --> 0xbc
    ERROR => MsIModTypes: not_attached [msxxi.c      1834]
    ERROR => DpHdlDeadWp: W7 (pid 2604) died [dpxxdisp.c   14532]
    my types changed after wp death/restart 0xbc --> 0xb8
    ERROR => MsIModTypes: not_attached [msxxi.c      1834]
    ERROR => DpHdlDeadWp: W8 (pid 4688) died [dpxxdisp.c   14532]
    ERROR => DpHdlDeadWp: W9 (pid 2636) died [dpxxdisp.c   14532]
    ERROR => DpHdlDeadWp: W10 (pid 6012) died [dpxxdisp.c   14532]
    my types changed after wp death/restart 0xb8 --> 0xb0
    ERROR => MsIModTypes: not_attached [msxxi.c      1834]
    ERROR => DpHdlDeadWp: W11 (pid 2428) died [dpxxdisp.c   14532]
    my types changed after wp death/restart 0xb0 --> 0xa0
    ERROR => MsIModTypes: not_attached [msxxi.c      1834]
    ERROR => DpHdlDeadWp: W12 (pid 5256) died [dpxxdisp.c   14532]
    my types changed after wp death/restart 0xa0 --> 0x80
    ERROR => MsIModTypes: not_attached [msxxi.c      1834]
    DP_FATAL_ERROR => DpWPCheck: no more work processes
    DISPATCHER EMERGENCY SHUTDOWN ***
    increase tracelevel of WPs
    NiWait: sleep (10000ms) ...
    NiISelect: timeout 10000ms
    NiISelect: maximum fd=1597
    NiISelect: read-mask is NULL
    NiISelect: write-mask is NULL
    Mon Apr 27 11:02:54 2009
    NiISelect: TIMEOUT occured (10000ms)
    dump system status
    Workprocess Table (long)               Mon Apr 27 05:32:54 2009
    ========================
    No Ty. Pid      Status  Cause Start Err Sem CPU    Time  Program          Cl  User         Action                    Table
    0 DIA     5680 Ended         no      1   0        0                                                                         
    1 DIA     4888 Ended         no      1   0        0                                                                         
    2 DIA     4208 Ended         no      1   0        0                                                                         
    3 DIA      444 Ended         no      1   0        0                                                                         
    4 DIA     5312 Ended         no      1   0        0                                                                         
    5 DIA     4880 Ended         no      1   0        0                                                                         
    6 UPD     6120 Ended         no      1   0        0                                                                         
    7 ENQ     2604 Ended         no      1   0        0                                                                         
    8 BTC     4688 Ended         no      1   0        0                                                                         
    9 BTC     2636 Ended         no      1   0        0                                                                         
    10 BTC     6012 Ended         no      1   0        0                                                                         
    11 SPO     2428 Ended         no      1   0        0                                                                         
    12 UP2     5256 Ended         no      1   0        0                                                                         
    Dispatcher Queue Statistics               Mon Apr 27 05:32:54 2009
    ===========================
    +------+--------+--------+--------+--------+--------+
    | Typ  |    now |   high |    max | writes |  reads |
    +------+--------+--------+--------+--------+--------+
    | NOWP |      0 |      2 |   2000 |      6 |      6 |
    | DIA  |      5 |      5 |   2000 |      5 |      0 |
    | UPD  |      0 |      0 |   2000 |      0 |      0 |
    | ENQ  |      0 |      0 |   2000 |      0 |      0 |
    | BTC  |      0 |      0 |   2000 |      0 |      0 |
    | SPO  |      0 |      0 |   2000 |      0 |      0 |
    | UP2  |      0 |      0 |   2000 |      0 |      0 |
    +------+--------+--------+--------+--------+--------+
    max_rq_id          9
    wake_evt_udp_now     0
    wake events           total     7,  udp     6 ( 85%),  shm     1 ( 14%)
    since last update     total     7,  udp     6 ( 85%),  shm     1 ( 14%)
    Dump of tm_adm structure:               Mon Apr 27 05:32:54 2009
    =========================
    Term    uid  man user    term   lastop  mod wp  ta   a/i (modes)
    RM-T13, U14,                 , tr-12-05, 11:02:30, M0, W-1,     , 1/0
    RM-T14, U15,                 , tr-12-08, 11:02:31, M0, W-1,     , 1/0
    Workprocess Comm. Area Blocks               Mon Apr 27 05:32:54 2009
    =============================
    Slots: 300, Used: 2, Max: 1
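    +----+------------+-----+------------+
    | id | owner      | pid | eyecatcher |
    +----+------------+-----+------------+
    |  0 | DISPATCHER |  -1 | WPCAAD000  |
    |  1 | DISPATCHER |  -1 | WPCAAD001  |
    +----+------------+-----+------------+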
    NiWait: sleep (5000ms) ...
    NiISelect: timeout 5000ms
    NiISelect: maximum fd=1597
    NiISelect: read-mask is NULL
    NiISelect: write-mask is NULL
    Mon Apr 27 11:02:59 2009
    NiISelect: TIMEOUT occured (5000ms)
    DpHalt: shutdown server >hpnwecc_EC5_00                          < (normal)
    DpJ2eeDisableRestart
    Switch off Shared memory profiling
    ShmProtect( 57, 3 )
    ShmProtect(SHM_PROFILE, SHM_PROT_RW
    ShmProtect( 57, 1 )
    ShmProtect(SHM_PROFILE, SHM_PROT_RD
    DpWakeUpWps: wake up all wp's
    Stop work processes
    Stop gateway
    killing process (4884) (SOFT_KILL)
    Stop icman
    killing process (4708) (SOFT_KILL)
    Terminate gui connections
    send SHUTDOWN to REM TM 13
    blks_in_queue/wp_ca_blk_no/wp_max_no = 2/300/13
    LOCK WP ca_blk 2
    return errno (-17) to T13
    errormsg without overhead: take mode 0
    NiBufIAlloc: malloc NiBufadm, to 0 bytes
    try to send 14 to M0
    NiBufSend starting
    NiIWrite: hdl 3 sent data (wrt=14,pac=1,MESG_IO)
    REL WP ca_blk 2
    set status of T13 to TM_DISCONNECTED
    NiBufISelUpdate: new MODE -- (r-) for hdl 3 in set0
    SiSelNSet: set events of sock 1500 to: ---
    NiBufISelRemove: remove hdl 3 from set0
    SiSelNRemove: removed sock 1500 (pos=2)
    SiSelNRemove: removed sock 1500
    NiSelIRemove: removed hdl 3
    DpDelSocketInfo: del info for socket 3 (type=3)
    NiICloseHandle: shutdown and close hdl 3 / sock 1500
    NiBufIClose: clear extension for hdl 3
    dp_tm_adm[13].stat = DP_SLOT_FREE
    DpGetSchedule: next schedule 1240810384/282000
    DpGetSchedule: no schedule found
    DpITmSlotRelease: release slot 13
    DpListInsert: insert elem 13 into tmadm_free_list (at begin)
    DpListInsert: 187 elems in tmadm_free_list
    DpListRemove: remove elem 13 from tmadm_inuse_list
    DpListRemove: 14 elems in tmadm_inuse_list
    send SHUTDOWN to REM TM 14
    blks_in_queue/wp_ca_blk_no/wp_max_no = 2/300/13
    LOCK WP ca_blk 2
    return errno (-17) to T14
    errormsg without overhead: take mode 0
    NiBufIAlloc: malloc NiBufadm, to 0 bytes
    try to send 14 to M0
    NiBufSend starting
    NiIWrite: hdl 5 sent data (wrt=14,pac=1,MESG_IO)
    REL WP ca_blk 2
    set status of T14 to TM_DISCONNECTED
    NiBufISelUpdate: new MODE -- (r-) for hdl 5 in set0
    SiSelNSet: set events of sock 1452 to: ---
    NiBufISelRemove: remove hdl 5 from set0
    SiSelNRemove: removed sock 1452
    NiSelIRemove: removed hdl 5
    DpDelSocketInfo: del info for socket 5 (type=3)
    NiICloseHandle: shutdown and close hdl 5 / sock 1452
    NiBufIClose: clear extension for hdl 5
    dp_tm_adm[14].stat = DP_SLOT_FREE
    DpGetSchedule: next schedule 1240810384/282000
    DpGetSchedule: no schedule found
    DpITmSlotRelease: release slot 14
    DpListInsert: insert elem 14 into tmadm_free_list (at begin)
    DpListInsert: 188 elems in tmadm_free_list
    DpListRemove: remove elem 14 from tmadm_inuse_list
    DpListRemove: 13 elems in tmadm_inuse_list
    wait for end of work processes
    wait for end of gateway
    [DpProcDied] Process lives  (PID:4884  HANDLE:1568)
    waiting for termination of gateway ...
    NiWait: sleep (1000ms) ...
    NiISelect: timeout 1000ms
    NiISelect: maximum fd=1597
    NiISelect: read-mask is NULL
    NiISelect: write-mask is NULL
    Mon Apr 27 11:03:00 2009
    NiISelect: TIMEOUT occured (1000ms)
    [DpProcDied] Process died  (PID:4884  HANDLE:1568)
    wait for end of icman
    [DpProcDied] Process lives  (PID:4708  HANDLE:1572)
    waiting for termination of icman ...
    NiWait: sleep (1000ms) ...
    NiISelect: timeout 1000ms
    NiISelect: maximum fd=1597
    NiISelect: read-mask is NULL
    NiISelect: write-mask is NULL
    Mon Apr 27 11:03:01 2009
    NiISelect: TIMEOUT occured (1000ms)
    [DpProcDied] Process lives  (PID:4708  HANDLE:1572)
    waiting for termination of icman ...
    NiWait: sleep (1000ms) ...
    NiISelect: timeout 1000ms
    NiISelect: maximum fd=1597
    NiISelect: read-mask is NULL
    NiISelect: write-mask is NULL
    Mon Apr 27 11:03:02 2009
    NiISelect: TIMEOUT occured (1000ms)
    [DpProcDied] Process lives  (PID:4708  HANDLE:1572)
    waiting for termination of icman ...
    NiWait: sleep (1000ms) ...
    NiISelect: timeout 1000ms
    NiISelect: maximum fd=1597
    NiISelect: read-mask is NULL
    NiISelect: write-mask is NULL
    Mon Apr 27 11:03:03 2009
    NiISelect: TIMEOUT occured (1000ms)
    [DpProcDied] Process lives  (PID:4708  HANDLE:1572)
    waiting for termination of icman ...
    NiWait: sleep (1000ms) ...
    NiISelect: timeout 1000ms
    NiISelect: maximum fd=1597
    NiISelect: read-mask is NULL
    NiISelect: write-mask is NULL
    Mon Apr 27 11:03:04 2009
    NiISelect: TIMEOUT occured (1000ms)
    [DpProcDied] Process lives  (PID:4708  HANDLE:1572)
    waiting for termination of icman ...
    NiWait: sleep (1000ms) ...
    NiISelect: timeout 1000ms
    NiISelect: maximum fd=1597
    NiISelect: read-mask is NULL
    NiISelect: write-mask is NULL
    Mon Apr 27 11:03:05 2009
    NiISelect: TIMEOUT occured (1000ms)
    [DpProcDied] Process lives  (PID:4708  HANDLE:1572)
    waiting for termination of icman ...
    NiWait: sleep (1000ms) ...
    NiISelect: timeout 1000ms
    NiISelect: maximum fd=1597
    NiISelect: read-mask is NULL
    NiISelect: write-mask is NULL
    Mon Apr 27 11:03:06 2009
    NiISelect: TIMEOUT occured (1000ms)
    [DpProcDied] Process died  (PID:4708  HANDLE:1572)
    [DpProcDied] Process died  (PID:5940  HANDLE:1552)
    not attached to the message server
    cleanup EM
    EsCleanup ....
    EmCleanup() -> 0
    Es2Cleanup: Cleanup ES2
    ***LOG Q05=> DpHalt, DPStop ( 3096) [dpxxdisp.c   10421]
    Good Bye .....

  • Not able to reach start of selection event in the called program

    hi,
    I have a report 1 in which i am calling report2 using below syntax,
    SUBMIT Report2  VIA JOB gv_jobname NUMBER gv_jobcount
                 WITH s_g_yr  IN s_g_yr
                 WITH s_c_rf  IN s_c_rf
    AND RETURN.
    The problem is that when report 2 is called, it exits after the event "at selection screen output" and does not go into the event "start of selection".
    Please advise. how can i reach the "start of selection" event where all the processing logic is specified..
    Thanks and Regards,
    Kriti

    Hi,
    In your report you have used the event AT SELECTION-SCREEN OUTPUT. So, first it will trigger this event and then it will go for START-OF-SELECTION event.
    Events will trigger in this following way.
    LOAD PROGRAM
    INITIALIZATION
    AT SELECTION-SCREEN
    AT SELECTION-SCREEN OUTPUT
    START-OF-SELECTION
    END-OF-SELECTION
    TOP-OF-PAGE
    END-OF-PAGE
    In above sequence events will trigger in report.
    Regards,
    Shankar.

  • TC not able to reach more than 17ish mbps

    Hello, my ISP connection is 30mbps and the only way to reach that speed is to connect my MBP directly to the RJ45 that comes from the cable modem. If I use wireless (tried every setting on both 2.4 and 5GHz) or wired from the TC, the connection speed never gets faster than 17-18mbps!
    I tried wireless directly in front of the TC and even wired, and the speed isn't there. Is my TC dying slowly? Or is this kind of thing on or off?
    thanks

    Any router will introduce some loss of speed both in the firewall and in the security that is used for wireless.
    So, you need to check 3 things:
    1) Connection from the modem directly to your computer.
    2) Connection from one of the Ethernet LAN ports on the TC to your computer. This will normally be about 80-85% of the direct connection from the modem to the computer. What speed do you see when you test this way?
    3) Wireless connection near the TC. The speed here will usually drop another 10-15% from the Ethernet connection due to wireless security and normal loss in the conversion to a wireless signal.
    Wireless interference from a nearby cordless phone (it could be at the neighbors'), a wireless camera/security system or other wireless networks near you can slow down the wireless signal as well. There is not much that you can do about this.

  • I just updated 3 addons and now Firefox goes into background mode and I am not able to reach the Tools/Addons to disable any addons.

    Firefox stays in foreground for maybe 10 secs before going into background. I can't reach FF to do anything with FF.
    I have to use Task Manager to close FF.
    I don't remember which 3 addons were updated, but I was notified of updates when I tried to open FF at about midnight this morning.

    Hi there, I tried the removal of the sessionstore.js file and fired the Mozilla Firefox up again and still no joy from the Windows XP machine. All other browsers work fine, it's just hanging still. Reading the article from the link you sent I can't see any issues that I am getting, but I did manage to un-install the FF8 again, deleted any folders and downloaded V3.6.24 from here http://www.mozilla.org/en-US/firefox/all-older.html
    then updated from there and all seemed to go well, then yet again I got the same issue: when I open the browser I am unable to type in the search and use the mouse on the File, Edit etc. menus, rendering the browser useless, so I think it's the update to V8.0 that is causing the issue. When I reinstalled I had no themes, no plugins; the extensions on the 1st boot ticked the MS .net, there was that and Java un-ticked. When the browser booted up it was the same, hanging for ever. I think I may stick with the older version for now until a fix is available as there is something that does not like this new version on that PC... but I hope you can help me to upgrade as it's annoying now
    :-)

  • Web Browsers Not Able to Reach Server

    Sometimes my browser will not reach a page entirely, or sometimes it'll just not load the style sheets or the images or something. This first started happening when I installed Safari 5. At first the problem only applied to Safari, but now the same problem seems to be appearing in Firefox and Chrome as well. Can anyone help me?

    HI,
    Go here for trouble shooting 3rd party plugins or input managers which might be causing the problem. Safari: Add-ons may cause Safari to unexpectedly quit or have performance issues
    Users are having better performance with their browsers using Open DNS / Free - Basic
    If you didn't repair disk permissions after the update was installed, it would be beneficial to do that.
    Launch Disk Utility. (Applications/Utilities) Select MacintoshHD in the panel on the left, select the FirstAid tab. Click: Repair Disk Permissions. When it's finished from the Menu Bar, Quit Disk Utility and restart your Mac. If you see a long list of "messages" in the permissions window, it's ok. That can be ignored. As long as you see, "Permissions Repair Complete" when it's finished... you're done. Quit Disk Utility and restart your Mac.
    Carolyn

  • Jscrollpanel not able to reach the end while watching with cursor

    Hello there, I don't know at compilation time how many lines I will have to take care of.
    Here, I can't reach the end of my table if there are too many lines, especially when my resolution is low 1024x...
    How can I avoid it please?
    I intentionally changed the class names.
    thank you
    http://img10.imageshack.us/img10/3012/toktoktoktoktok.th.jpg
    Here was the screenshot picture .
    Here is the code:
    www.seabova.com/a/code.java
    thank you

    I think that at this point you'll have to post some compilable code to the forum. I recommend that you create and post the smallest program possible that is compilable, runnable, demonstrates your problem, and has no extraneous code not related to the problem, an SSCCE (http://sscce.org). Please see the link for details on how to create one of these because trust me, if your SSCCE is compliant with the specs, you'll likely get a very helpful answer from someone here quickly.

  • IDOC going out of SAP but not able to reach XI

    Hi,
    I am sending an idoc from SAP to XI but its getting stuck somewhere. I checked SM58 and found the following error there.
    "EDISDEF: Port SAPLED segment defn E2EDL37005 in IDoc type DELVRY05 CIM ty".
    Can you suggest what might be the problem.

    Hi Madan,
    have u done the required configuration: Can you please check it.
    Pre-requisites for Outbound IDoc from R/3 to PI:
    Configurations required in R/3:
    Maintain Logical System (SALE)
    Define RFC Destination (SM59) which points to PI system
    Maintain Port (WE21)
    Maintain partner profile. (WE20):
    Maintain Distribution Model (BD64):
    XI side:
    Upload the metadata using IDX2 transaction.
    File To IDOC - Part1 (SLD and Design):
    https://www.sdn.sap.com/irj/sdn/wiki?path=/display/profile/2007/05/11/fileToIDOC&
    File To IDOC - Part2 (Configuration):
    https://www.sdn.sap.com/irj/sdn/wiki?path=/display/profile/2007/05/11/fileToIDOC-Part2+(Configuration)&
    File To IDOC - Part3 (Steps required in XI and R3):
    https://www.sdn.sap.com/irj/sdn/wiki?path=/display/profile/2007/05/11/fileToIDOC-Part3(StepsrequiredinXIandR3)&
    Are u able to see the message in SXMB_MONI transaction.
    Thnx
    Chirag

  • Issue with only one distribution point not able to access only one folder while PXE boot

    I am facing a problem: only one distribution point is not able to reach a particular folder through the network access account; all other DPs and other folders are working fine. I already verified that share and security permissions are in place. Through \\041TBVELCMS001.xyz.ORG\SMSPKGE$\VEL000EA\
    I am able to reach it from the network, but while booting from a system that belongs to the particular DP, it gets stuck on the below folder where fdisk.cmd files are uploaded from the primary server. Please check the below logs and suggest what could be the actual issue.
    Severity    Type    Site code    Date / Time    System Component    Message ID    Description
    Error    Milestone    CES    1/31/2014 12:32:11 PM    MININT-L670NBC    Task Sequence Engine    11135    The task sequence execution engine failed executing the action (DiskPart DataDisk) in the group (Install Operating System) with the error code 2147942402  Action output: T=80070047 (e:\nts_sms_fre\sms\framework\tscore\tsconnection.cpp,148) Failed to access the share \\041TBVELCMS-001.xyz.ORG\SMSPKGE$\VEL000EA\ with network access account !sAccessibleSource.empty(), HRESULT=80070002 (e:\nts_sms_fre\sms\framework\tscore\resolvesource.cpp,2392) GetAccessibleLocation(pszSource, saResolvedPath, sSourceDirectory, dwFlags, hUserToken), HRESULT=80070002 (e:...

    The error 80070047 states a msg as "No more connections can be made to this remote computer at this time because there are already as many connections as the computer can accept." Check the share quota to see if any limitations have been set; if not, try giving one. Also, check if any enterprise policy has been applied for share connection limitations.
    bluerail

  • Using ACS with PIX/ASA

    Hi there,
    We have an implementation of Cisco Secure ACS 4.1.4 using RSA SecurID as its authentication source to provide role-based access control and command level authorisation.
    We have successfully deployed this on our routers/switches, and are now looking at configuring Cisco PIX/ASA devices to use ACS and have stumbled across issues.
    Config on PIX/ASA (note we actually have 4 ACS servers defined for resilience etc):
    aaa-server XXXXX protocol tacacs+
     accounting-mode simultaneous
     reactivation-mode depletion deadtime 1
     max-failed-attempts 1
    aaa-server XXXXX inside host <SERVER>
     key <SECRET>
     timeout 5
    aaa authentication telnet console XXXXX LOCAL
    aaa authentication enable console XXXXX LOCAL
    aaa authentication ssh console XXXXX LOCAL
    aaa authentication http console XXXXX LOCAL
    aaa authentication serial console XXXXX LOCAL
    aaa accounting command XXXXX
    aaa accounting telnet console XXXXX
    aaa accounting ssh console XXXXX
    aaa accounting enable console XXXXX
    aaa accounting serial console XXXXX
    aaa authorization command XXXXX LOCAL
    Problems:
    Enter PASSCODE is NOT displayed on first attempt to logon to the PIX/ASA because it does not attempt to communicate with ACS until username/pass is sent.
    Username with null password (e.g. CR) will correctly then display Enter PASSCODE prompt received from ACS.
    PIX/ASA does not attempt to authenticate against all configured TACACS+ servers in one go, instead it tries each sequentially per authentication attempt….e.g.
    1st Attempt = Server 1
    2nd Attempt = Server 2
    3rd Attempt = Server 3
    4th Attempt = Server 4
    This means that in total failure of ACS users will have to attempt authentication N+1 times before failing to LOCAL credentials depending on number of servers configured, this seems to be from setting "depletion deadtime 1" however the alternative is worse:
    With “depletion timed” configured, by the time the user has attempted authentication to servers 2,3 and 4 the hard coded 30 second timeout has likely elapsed and the first server has been re-enabled by the PIX for authentication attempts, as such it will never fail to local authentication locking the user out of the device, the PIX itself does warn of this with the following error:
    “WARNING: Fallback authentication is configured, but reactivation mode is set to
    timed. Multiple aaa servers may prevent the appliance from ever invoking the fallback auth
    mechanism.”
    The next issue is that of accounting: AAA Accounting does not record “SHOW” commands or session accounting records (start/stop) or “ENABLE”.
    The final issue is ASDM. We can log in to ASDM successfully using ACS/RSA SecurID, however when a change is made to the configuration ASDM repeatedly sends the user's logon credentials multiple times.
    As an RSA SecurID token can only be used once, this fails and locks the account.
    Any ideas on how to make two of Cisco's leading security products work together better?

    Just re-reading the PIX/ASA 7.2 command reference guide below:
    http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/crt_72.pdf
    It appears some of the above are known issues.
    PASSCODE issue, page 2-17 states:
    We recommend that you use the same username and password in the local database as the
    AAA server because the security appliance prompt does not give any indication which method is being used.
    Failure to LOCAL, page 2-42 states:
    You can have up to 15 server groups in single mode or 4 server groups per context in multiple mode. Each group can have up to 16 servers in single mode or 4 servers in multiple mode. When a user logs in, the servers are accessed one at a time starting with the first server you specify in the configuration, until a server responds.
    AAA Accounting, page 2-2 states:
    To send accounting messages to the TACACS+ accounting server when you enter any command other than show commands at the CLI, use the aaa accounting command command in global configuration mode.
    ASDM issue, page 2-17 states:
    HTTP management authentication does not support the SDI protocol for AAA server group
    So looks like all my issues are known "features" of PIX/ASA integration with ACS, any ideas of how to achieve a "slicker" integration?
    Is there a roadmap to improve this with later versions of the OS?
    Will the PIX/ASA code ever properly support the same features as IOS?
    Would it be better to look at using something like CSM instead of ASDM?
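
The fallback and SDI issues raised in this thread can be checked offline against a saved configuration. The following Python audit is an added example, not code from either poster or from Cisco: it parses `aaa-server` and `aaa authentication ... console` lines in the form posted above and flags the combinations the thread discusses. The group names ACSGRP and SDIGRP, the addresses and the finding codes are constructed, and the N+1 attempt count is taken from the original post's description, not from Cisco documentation.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the same form as the configuration posted above.
# Group names and addresses are placeholders, not values from the thread.
SAMPLE_CONFIG = """\
aaa-server ACSGRP protocol tacacs+
 reactivation-mode timed
 max-failed-attempts 1
aaa-server ACSGRP inside host 192.0.2.11
 key <SECRET>
 timeout 5
aaa-server ACSGRP inside host 192.0.2.12
 key <SECRET>
aaa-server SDIGRP protocol sdi
aaa-server SDIGRP (inside) host 192.0.2.21
aaa authentication ssh console ACSGRP LOCAL
aaa authentication http console SDIGRP LOCAL
aaa authentication serial console LOCAL
"""

GROUP_RE = re.compile(r"^aaa-server (\S+) protocol (\S+)")
# Accepts both "inside host" (as posted) and "(inside) host".
HOST_RE = re.compile(r"^aaa-server (\S+) \(?([^\s()]+)\)? host (\S+)")
AUTH_RE = re.compile(r"^aaa authentication (\S+) console (.+)$")


@dataclass
class ServerGroup:
    name: str
    protocol: str
    reactivation: str = "depletion"  # appliance default when not configured
    max_failed: int = 3              # appliance default when not configured
    hosts: list = field(default_factory=list)


def parse(config_text):
    """Return ({group name: ServerGroup}, [(service, [methods])])."""
    groups, auth, current = {}, [], None
    for raw in config_text.splitlines():
        line = raw.strip()  # tolerate flattened (unindented) sub-commands
        if m := GROUP_RE.match(line):
            current = groups.setdefault(m[1], ServerGroup(m[1], m[2]))
            current.protocol = m[2]
        elif m := HOST_RE.match(line):
            groups.setdefault(m[1], ServerGroup(m[1], "unknown")).hosts.append(m[3])
            current = None  # following lines (key, timeout) are host sub-commands
        elif m := AUTH_RE.match(line):
            auth.append((m[1], m[2].split()))
            current = None
        elif current and line.startswith("reactivation-mode "):
            current.reactivation = line.split()[1]
        elif current and line.startswith("max-failed-attempts "):
            current.max_failed = int(line.split()[1])
    return groups, auth


def audit(config_text):
    """Return a list of (service, finding_code, detail) tuples."""
    groups, auth = parse(config_text)
    findings = []
    for service, methods in auth:
        if methods[0] == "LOCAL":
            continue  # no AAA server group involved
        group = groups.get(methods[0])
        if group is None:
            findings.append((service, "undefined-group", methods[0]))
            continue
        fallback = "LOCAL" in methods[1:]
        n = len(group.hosts)
        if fallback and group.reactivation == "timed" and n > 1:
            # The case the appliance itself warns about in the thread.
            findings.append((service, "fallback-unreachable",
                             f"{group.name}: timed reactivation with {n} servers "
                             "may never reach LOCAL"))
        elif (fallback and group.reactivation == "depletion"
              and group.max_failed == 1 and n > 1):
            # Attempt count as described by the original poster (N+1).
            findings.append((service, "slow-fallback",
                             f"{group.name}: about {n + 1} login attempts "
                             "before LOCAL is used"))
        if service == "http" and group.protocol == "sdi":
            # Per the command reference passage quoted in the reply.
            findings.append((service, "http-sdi",
                             f"{group.name}: HTTP management authentication "
                             "does not support SDI groups"))
    return findings


if __name__ == "__main__":
    for service, code, detail in audit(SAMPLE_CONFIG):
        print(f"{service:8} {code:22} {detail}")
```
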

  • S2S between Cisco ASA 5505 and Sonicwall TZ-170 but not able to ping across

    Hi,
    I am helping out a friend of mine with his Site-to-Site VPN between his company's Cisco ASA and another company's SonicWall TZ-170.  I have checked the screenshots provided by the other end and tried to match with ours.  The Tunnel shows but we are not able to Ping resources on the other end.  The other side insists that the problem is on our end but I am not sure where the issue resides.  Please take a look at our config and let me know if there is anything that I have missed.  I am pretty sure I didn't but extra eyes may be of need here.
    Our LAN is 10.200.x.x /16 and theirs is 192.168.9.0 /24
    ASA Version 8.2(2)
    terminal width 300
    hostname company-asa
    domain-name Company.com
    no names
    name 10.1.0.0 sacramento-network
    name 10.3.0.0 irvine-network
    name 10.2.0.0 portland-network
    name x.x.x.x MailLive
    name 192.168.9.0 revit-vpn-remote-subnet
    dns-guard
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address x.x.x.x 255.255.255.128
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 10.200.200.1 255.255.0.0
    interface Ethernet0/2
    nameif dmz
    security-level 50
    ip address 172.22.22.1 255.255.255.0
    interface Ethernet0/3
    description Internal Wireless
    shutdown
    nameif Wireless
    security-level 100
    ip address 10.201.201.1 255.255.255.0
    interface Management0/0
    shutdown
    nameif management
    security-level 100
    no ip address
    management-only
    boot system disk0:/asa822-k8.bin
    ftp mode passive
    clock timezone PST -8
    clock summer-time PDT recurring
    dns domain-lookup outside
    dns server-group DefaultDNS
    domain-name company.com
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group network local_net_group
    network-object 10.1.0.0 255.255.0.0
    network-object 10.2.0.0 255.255.0.0
    network-object 10.200.0.0 255.255.0.0
    network-object 10.3.0.0 255.255.0.0
    network-object 10.4.0.0 255.255.0.0
    network-object 10.5.0.0 255.255.0.0
    network-object 10.6.0.0 255.255.0.0
    network-object 10.7.0.0 255.255.0.0
    network-object 192.168.200.0 255.255.255.0
    object-group network NACIO123
    network-object 1.1.1.1 255.255.255.224
    object-group service MAIL_HTTPS_BORDERWARE tcp
    port-object eq smtp
    port-object eq https
    port-object eq 10101
    object-group service SYSLOG_SNMP_NETFLOW udp
    port-object eq syslog
    port-object eq snmp
    port-object eq 2055
    object-group service HTTP_HTTPS tcp
    port-object eq www
    port-object eq https
    object-group network OUTSIDECO_SERVERS
    network-object host x.x.x.34
    network-object host x.x.x.201
    network-object host x.x.x.63
    object-group network NO-LOG
    network-object host 10.200.200.13
    network-object host 10.200.200.25
    network-object host 10.200.200.32
    object-group service iPhoneSync-Services-TCP tcp
    port-object eq 993
    port-object eq 990
    port-object eq 998
    port-object eq 5678
    port-object eq 5721
    port-object eq 26675
    object-group service termserv tcp
    description terminal services
    port-object eq 3389
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group service DTI tcp
    description DCS CONTROL PROTOCOL
    port-object eq 3333
    object-group service H.245 tcp
    description h.245 signaling
    port-object range 1024 4999
    object-group service RAS udp
    port-object eq 1719
    port-object range 1718 1720
    object-group service XML tcp
    port-object range 3336 3341
    object-group service mpi tcp
    port-object eq 2010
    object-group service mvp_control tcp
    port-object eq 2946
    object-group service rpc tcp-udp
    port-object eq 1809
    object-group service tcp8080 tcp
    port-object eq 8080
    object-group service tcp8011 tcp
    port-object eq 8011
    object-group service rtp_rtcp_udp udp
    port-object range 1024 65535
    object-group service ecs_xml tcp-udp
    port-object eq 3271
    object-group service rtp20000 udp
    description 10000-65535
    port-object range 20000 25000
    port-object range 10000 65535
    object-group service tcp5222 tcp
    port-object range 5222 5269
    object-group service tcp7070 tcp
    port-object eq 7070
    object-group network videoco
    network-object host x.x.x.144
    network-object host x.x.x.145
    object-group service video tcp
    port-object range 1718 h323
    object-group service XML2 tcp-udp
    port-object range 3336 3345
    object-group service tcp_tls tcp
    port-object eq 5061
    object-group service Autodesk tcp
    port-object eq 2080
    port-object range 27000 27009
    access-list outside_policy remark ====== Begin Mail From Postini Network ======
    access-list outside_policy extended permit tcp x.x.x.x 255.255.240.0 host x.x.x.x eq smtp
    access-list outside_policy extended permit tcp x.x.x.x 255.255.255.240 host x.x.x.x eq smtp
    access-list outside_policy extended permit tcp x.x.x.0 255.255.240.0 host x.x.x.x eq smtp
    access-list outside_policy remark ****** End Mail From Postini Network ******
    access-list outside_policy remark ====== Begin Inbound Web Mail Access ======
    access-list outside_policy extended permit tcp any host x.x.x.x object-group HTTP_HTTPS
    access-list outside_policy remark ****** End Inbound Web Mail Access ******
    access-list outside_policy remark ====== Begin iPhone Sync Rules to Mail Server ======
    access-list outside_policy extended permit tcp any host x.x.x.x object-group iPhoneSync-Services-TCP
    access-list outside_policy remark ****** End iPhone Sync Rules to Mail Server ******
    access-list outside_policy remark ====== Begin MARS Monitoring ======
    access-list outside_policy extended permit udp x.x.x.x 255.255.255.128 host x.x.x.x object-group SYSLOG_SNMP_NETFLOW
    access-list outside_policy extended permit icmp x.x.x.x 255.255.255.128 host x.x.x.x
    access-list outside_policy remark ****** End MARS Monitoring ******
    access-list outside_policy extended permit tcp object-group NACIO123 host x.x.x.141 eq ssh
    access-list outside_policy extended permit tcp any host x.x.x.x eq www
    access-list outside_policy extended permit tcp any host x.x.x.x eq https
    access-list outside_policy extended permit tcp any host x.x.x.x eq h323
    access-list outside_policy extended permit tcp any host x.x.x.x range 60000 60001
    access-list outside_policy extended permit udp any host x.x.x.x range 60000 60007
    access-list outside_policy remark radvision 5110   port 80 both
    access-list outside_policy extended permit object-group TCPUDP any object-group videoco eq www
    access-list outside_policy remark radvision
    access-list outside_policy extended permit tcp any object-group videoco object-group termserv
    access-list outside_policy remark radvision 5110  port21 out
    access-list outside_policy extended permit tcp any object-group videoco eq ftp
    access-list outside_policy remark rad5110   port22 both
    access-list outside_policy extended permit tcp any object-group videoco eq ssh
    access-list outside_policy remark rad 5110  port161 udp both
    access-list outside_policy extended permit udp any object-group videoco eq snmp
    access-list outside_policy remark rad5110 port443 both
    access-list outside_policy extended permit tcp any object-group videoco eq https
    access-list outside_policy remark rad5110 port 1024-4999  both
    access-list outside_policy extended permit tcp any object-group videoco object-group H.245
    access-list outside_policy remark rad5110 port 1719 udp both
    access-list outside_policy extended permit udp any object-group videoco object-group RAS
    access-list outside_policy remark rad5110 port 1720 both
    access-list outside_policy extended permit tcp any any eq h323
    access-list outside_policy remark RAD 5110 port 3333 tcp both
    access-list outside_policy extended permit tcp any object-group videoco object-group DTI
    access-list outside_policy remark rad5110 port 3336-3341 both
    access-list outside_policy extended permit object-group TCPUDP any object-group videoco object-group XML2
    access-list outside_policy remark port 5060 tcp/udp
    access-list outside_policy extended permit object-group TCPUDP any object-group videoco eq sip
    access-list outside_policy remark rad 5110port 1809 rpc both
    access-list outside_policy extended permit object-group TCPUDP any object-group videoco object-group rpc
    access-list outside_policy remark rad 5110 port 2010 both
    access-list outside_policy extended permit tcp any object-group videoco object-group mpi
    access-list outside_policy remark rad 5110 port 2946 both
    access-list outside_policy extended permit tcp any object-group videoco object-group mvp_control
    access-list outside_policy extended permit tcp any object-group videoco object-group tcp8080
    access-list outside_policy extended permit tcp any object-group videoco object-group tcp8011
    access-list outside_policy remark 1024-65535
    access-list outside_policy extended permit udp any object-group videoco object-group rtp_rtcp_udp
    access-list outside_policy extended permit object-group TCPUDP any object-group videoco object-group ecs_xml
    access-list outside_policy extended permit udp any object-group videoco object-group rtp20000
    access-list outside_policy extended permit tcp any object-group videoco eq telnet
    access-list outside_policy remark port 53 dns
    access-list outside_policy extended permit object-group TCPUDP any object-group videoco eq domain
    access-list outside_policy remark 7070
    access-list outside_policy extended permit tcp any object-group videoco object-group tcp7070
    access-list outside_policy remark 5222-5269 tcp
    access-list outside_policy extended permit tcp any object-group videoco range 5222 5269
    access-list outside_policy extended permit tcp any object-group videoco object-group video
    access-list outside_policy extended permit tcp any object-group videoco object-group tcp_tls
    access-list outside_policy remark ====== Begin Autodesk Activation access ======
    access-list outside_policy extended permit tcp any any object-group Autodesk
    access-list outside_policy remark ****** End Autodesk Activation access ******
    access-list outside_policy extended permit tcp x.x.x.x 255.255.255.248 host x.x.x.x eq smtp
    access-list outside_policy remark ****** End Autodesk Activation access ******
    access-list inside_policy extended deny tcp host 10.200.200.25 10.1.0.0 255.255.0.0 eq 2967 log disable
    access-list inside_policy extended deny tcp host 10.200.200.25 10.3.0.0 255.255.0.0 eq 2967 log disable
    access-list inside_policy extended deny tcp host 10.200.200.25 10.2.0.0 255.255.0.0 eq 2967 log disable
    access-list inside_policy extended deny tcp host 10.200.200.25 10.4.0.0 255.255.0.0 eq 2967 log disable
    access-list inside_policy extended deny tcp host 10.200.200.25 10.5.0.0 255.255.0.0 eq 2967 log disable
    access-list inside_policy extended deny udp object-group NO-LOG any eq 2967 log disable
    access-list inside_policy extended deny tcp object-group NO-LOG any eq 2967 log disable
    access-list inside_policy remark ====== Begin Outbound Mail Server Rules ======
    access-list inside_policy extended permit udp host 10.200.200.222 any eq 5679
    access-list inside_policy extended permit tcp host 10.200.200.222 any eq smtp
    access-list inside_policy remark ****** End Outbound Mail Server Rules ******
    access-list inside_policy extended permit ip object-group local_net_group any
    access-list inside_policy extended permit icmp object-group local_net_group any
    access-list OUTSIDECO_VPN extended permit ip host x.x.x.x object-group OUTSIDECO_SERVERS
    access-list company-split-tunnel standard permit 10.1.0.0 255.255.0.0
    access-list company-split-tunnel standard permit 10.2.0.0 255.255.0.0
    access-list company-split-tunnel standard permit 10.3.0.0 255.255.0.0
    access-list company-split-tunnel standard permit 10.4.0.0 255.255.0.0
    access-list company-split-tunnel standard permit 10.200.0.0 255.255.0.0
    access-list company-split-tunnel standard permit 10.5.0.0 255.255.0.0
    access-list company-split-tunnel standard permit 10.6.0.0 255.255.0.0
    access-list company-split-tunnel standard permit 10.7.0.0 255.255.0.0
    access-list company-split-tunnel standard permit 172.22.22.0 255.255.255.0
    access-list company-split-tunnel remark Video
    access-list company-split-tunnel standard permit 192.168.0.0 255.255.0.0
    access-list SSL_SPLIT standard permit 10.1.0.0 255.255.0.0
    access-list SSL_SPLIT standard permit 10.2.0.0 255.255.0.0
    access-list SSL_SPLIT standard permit 10.3.0.0 255.255.0.0
    access-list SSL_SPLIT standard permit 10.200.0.0 255.255.0.0
    access-list SSL_SPLIT standard permit 10.4.0.0 255.255.0.0
    access-list SSL_SPLIT standard permit 10.5.0.0 255.255.0.0
    access-list SSL_SPLIT standard permit 10.6.0.0 255.255.0.0
    access-list SSL_SPLIT standard permit 10.7.0.0 255.255.0.0
    access-list SSL_SPLIT standard permit 172.22.22.0 255.255.255.0
    access-list SSL_SPLIT remark Video
    access-list SSL_SPLIT standard permit 192.168.0.0 255.255.0.0
    access-list NONAT_SSL extended permit ip object-group local_net_group 172.20.20.0 255.255.255.0
    access-list NONAT_SSL extended permit ip 10.200.0.0 255.255.0.0 192.168.9.0 255.255.255.0
    access-list tom extended permit tcp host x.x.x.x any eq smtp
    access-list tom extended permit tcp host 10.200.200.222 any eq smtp
    access-list tom extended permit tcp any host x.x.x.x
    access-list aaron extended permit tcp any any eq 2967
    access-list capauth extended permit ip host 10.200.200.1 host 10.200.200.220
    access-list capauth extended permit ip host 10.200.200.220 host 10.200.200.1
    access-list DMZ extended permit icmp any any
    access-list dmz_access_in extended permit tcp any eq 51024 any eq 3336
    access-list dmz_access_in extended permit icmp any any
    access-list dmz_access_in extended permit tcp any any eq ftp
    access-list dmz_access_in extended permit tcp any any eq https
    access-list dmz_access_in remark rad5110 port 162 out
    access-list dmz_access_in extended permit udp any any eq snmptrap
    access-list dmz_access_in remark port 23 out
    access-list dmz_access_in extended permit tcp any any eq telnet
    access-list dmz_access_in remark port 53 dns out
    access-list dmz_access_in extended permit object-group TCPUDP any any eq domain
    access-list dmz_access_in extended permit object-group TCPUDP any any eq www
    access-list dmz_access_in extended permit tcp any any eq h323
    access-list dmz_access_in extended permit tcp any any object-group XML
    access-list dmz_access_in extended permit udp any any object-group RAS
    access-list dmz_access_in extended permit tcp any any range 1718 h323
    access-list dmz_access_in extended permit tcp any any object-group H.245
    access-list dmz_access_in extended permit object-group TCPUDP any any eq sip
    access-list dmz_access_in extended permit udp any any object-group rtp_rtcp_udp
    access-list dmz_access_in extended permit object-group TCPUDP any any object-group XML2
    access-list dmz_access_in extended permit ip object-group local_net_group any
    access-list dmz_access_in remark port 5061
    access-list dmz_access_in extended permit tcp any any object-group tcp_tls
    access-list outside_cryptomap extended permit ip 10.200.0.0 255.255.0.0 192.168.9.0 255.255.255.0
    pager lines 24
    logging enable
    logging buffered warnings
    logging trap informational
    logging history informational
    logging asdm warnings
    logging host outside x.x.x.x
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    mtu Wireless 1500
    mtu management 1500
    ip local pool SSL_VPN_POOL 172.20.20.1-172.20.20.75 mask 255.255.255.0
    ip verify reverse-path interface outside
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-631.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list NONAT_SSL
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) x.x.x.12 10.200.200.15 netmask 255.255.255.255
    static (inside,outside) x.x.x.15 10.5.0.11 netmask 255.255.255.255
    static (inside,outside) x.x.x.13 10.200.200.240 netmask 255.255.255.255
    static (inside,outside) x.x.x.16 10.200.200.222 netmask 255.255.255.255
    static (inside,outside) x.x.x.14 10.200.200.155 netmask 255.255.255.255
    static (inside,dmz) 10.200.200.0 10.200.200.0 netmask 255.255.255.0
    static (inside,dmz) 10.4.0.0 10.4.0.0 netmask 255.255.0.0
    static (dmz,outside) x.x.x.18 172.22.22.15 netmask 255.255.255.255
    static (dmz,outside) x.x.x.19 172.22.22.16 netmask 255.255.255.255
    static (inside,dmz) 10.3.0.0 10.3.0.0 netmask 255.255.0.0
    static (inside,dmz) 10.2.0.0 10.2.0.0 netmask 255.255.0.0
    static (inside,dmz) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
    static (inside,dmz) 10.6.0.0 10.6.0.0 netmask 255.255.0.0
    static (inside,dmz) 10.7.0.0 10.7.0.0 netmask 255.255.0.0
    static (inside,dmz) 10.5.0.0 10.5.0.0 netmask 255.255.0.0
    access-group outside_policy in interface outside
    access-group inside_policy in interface inside
    access-group dmz_access_in in interface dmz
    route outside 0.0.0.0 0.0.0.0 x.x.x.12 1
    route inside 10.1.0.0 255.255.0.0 10.200.200.254 1
    route inside 10.2.0.0 255.255.0.0 10.200.200.254 1
    route inside 10.3.0.0 255.255.0.0 10.200.200.254 1
    route inside 10.4.0.0 255.255.0.0 10.200.200.254 1
    route inside 10.5.0.0 255.255.0.0 10.200.200.254 1
    route inside 10.6.0.0 255.255.0.0 10.200.200.254 1
    route inside 10.7.0.0 255.255.0.0 10.200.200.150 1
    route inside x.x.x.0 255.255.255.0 10.200.200.2 1
    route inside x.x.x.0 255.255.255.0 10.200.200.2 1
    route inside 192.168.1.0 255.255.255.0 10.200.200.254 1
    route inside 192.168.2.0 255.255.255.0 10.200.200.254 1
    route inside 192.168.3.0 255.255.255.0 10.200.200.254 1
    route inside 192.168.4.0 255.255.255.0 10.200.200.254 1
    route inside 192.168.5.0 255.255.255.0 10.200.200.254 1
    route inside 192.168.6.0 255.255.255.0 10.200.200.254 1
    route inside 192.168.7.0 255.255.255.0 10.200.200.254 1
    route inside 192.168.200.0 255.255.255.0 10.200.200.254 1
    route inside 192.168.201.0 255.255.255.0 10.200.200.254 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 2:00:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server COMPANY-NT-AUTH protocol nt
    aaa-server COMPANY-NT-AUTH (inside) host 10.200.200.220
    nt-auth-domain-controller DC
    aaa authentication ssh console LOCAL
    aaa authorization command LOCAL
    http server enable
    http 10.200.200.0 255.255.255.0 inside
    http 10.200.0.0 255.255.0.0 inside
    http 10.3.0.0 255.255.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community *****
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set AES256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set asa2transform esp-3des esp-sha-hmac
    crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map outside_dyn_map 20 set transform-set 3DES-SHA
    crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
    crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
    crypto map OUTSIDE_MAP 5 match address outside_cryptomap
    crypto map OUTSIDE_MAP 5 set pfs
    crypto map OUTSIDE_MAP 5 set peer x.x.x.53
    crypto map OUTSIDE_MAP 5 set transform-set 3DES-SHA
    crypto map OUTSIDE_MAP 5 set security-association lifetime seconds 28800
    crypto map OUTSIDE_MAP 10 match address OUTSIDECO_VPN
    crypto map OUTSIDE_MAP 10 set peer x.x.x.25
    crypto map OUTSIDE_MAP 10 set transform-set AES256-SHA
    crypto map OUTSIDE_MAP 10 set security-association lifetime seconds 28800
    crypto map OUTSIDE_MAP 10 set security-association lifetime kilobytes 4608000
    crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map OUTSIDE_MAP interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 5
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 28800
    crypto isakmp policy 10
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 0.0.0.0 0.0.0.0 inside
    ssh timeout 20
    console timeout 0
    dhcpd dns 10.200.200.220 10.200.200.225
    dhcpd wins 10.200.200.220 10.200.200.225
    dhcpd lease 18000
    dhcpd domain company.com
    dhcpd dns 10.200.200.220 10.200.200.225 interface Wireless
    dhcpd wins 10.200.200.220 10.200.200.225 interface Wireless
    dhcpd lease 18000 interface Wireless
    dhcpd domain company.com interface Wireless
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 192.5.41.40 source outside prefer
    ssl trust-point vpn.company.com outside
    webvpn
    enable outside
    anyconnect-essentials
    svc image disk0:/anyconnect-win-2.5.0217-k9.pkg 1
    svc image disk0:/anyconnect-macosx-i386-2.5.2017-k9.pkg 2
    svc enable
    tunnel-group-list enable
    group-policy SSL_Client_Policy internal
    group-policy SSL_Client_Policy attributes
    wins-server value 10.200.200.220
    dns-server value 10.200.200.220
    vpn-tunnel-protocol IPSec svc webvpn
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value SSL_SPLIT
    default-domain value company.com
    webvpn
      sso-server none
      auto-signon allow uri * auth-type all
    group-policy no-split-test internal
    group-policy no-split-test attributes
    banner value Welcome to company and Associates
    banner value Welcome to company and Associates
    dns-server value 10.200.200.220
    vpn-tunnel-protocol IPSec
    ipsec-udp enable
    split-tunnel-policy tunnelall
    default-domain value company.com
    group-policy DfltGrpPolicy attributes
    dns-server value 10.200.200.220
    default-domain value company.com
    group-policy company internal
    group-policy company attributes
    banner value Welcome to company and Associates
    banner value Welcome to company and Associates
    dns-server value 10.200.200.220
    vpn-tunnel-protocol IPSec
    ipsec-udp enable
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value SSL_SPLIT
    default-domain value company.com
    username ciscoadmin password xxxxxxxxxxx encrypted privilege 15
    tunnel-group DefaultWEBVPNGroup general-attributes
    address-pool SSL_VPN_POOL
    authentication-server-group COMPANY-NT-AUTH
    default-group-policy SSL_Client_Policy
    tunnel-group DefaultWEBVPNGroup webvpn-attributes
    group-alias company_SSL_VPN enable
    tunnel-group company_group type remote-access
    tunnel-group company_group general-attributes
    address-pool SSL_VPN_POOL
    authentication-server-group COMPANY-NT-AUTH LOCAL
    default-group-policy company
    tunnel-group company_group ipsec-attributes
    pre-shared-key *****
    tunnel-group x.x.x.53 type ipsec-l2l
    tunnel-group x.x.x.53 ipsec-attributes
    pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map global_policy
    class inspection_default
      inspect tftp
      inspect esmtp
      inspect ftp
      inspect icmp
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect skinny
      inspect sqlnet
      inspect sunrpc
      inspect xdmcp
      inspect mgcp
      inspect h323 h225
      inspect h323 ras
      inspect sip
    service-policy global_policy global
    privilege cmd level 5 mode exec command ping
    privilege cmd level 6 mode exec command write
    privilege show level 5 mode exec command running-config
    privilege show level 5 mode exec command version
    privilege show level 5 mode exec command conn
    privilege show level 5 mode exec command memory
    privilege show level 5 mode exec command cpu
    privilege show level 5 mode exec command xlate
    privilege show level 5 mode exec command traffic
    privilege show level 5 mode exec command interface
    privilege show level 5 mode exec command clock
    privilege show level 5 mode exec command ip
    privilege show level 5 mode exec command failover
    privilege show level 5 mode exec command arp
    privilege show level 5 mode exec command route
    privilege show level 5 mode exec command blocks
    prompt hostname context
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:a0689b4c837c79a51e7a0cfed591dec9
    : end
    COMPANY-asa#

    Hi Sian,
    Yes on their end the PFS is enabled for DH Group 2.
    Here is the information that you requested:
    company-asa# sh crypto isakmp sa
       Active SA: 3
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 3
    1   IKE Peer: x.x.x.87
        Type    : user            Role    : responder
        Rekey   : no              State   : AM_ACTIVE
    2   IKE Peer: x.x.x.53
        Type    : L2L             Role    : initiator
        Rekey   : no              State   : MM_ACTIVE
    3   IKE Peer: x.x.x.25
        Type    : user            Role    : initiator
        Rekey   : no              State   : MM_WAIT_MSG4
    company-asa# sh crypto ipsec sa
    interface: outside
        Crypto map tag: OUTSIDE_MAP, seq num: 5, local addr: x.x.x.13
          access-list outside_cryptomap extended permit ip 10.200.0.0 255.255.0.0 192.168.9.0 255.255.255.0
          local ident (addr/mask/prot/port): (10.200.0.0/255.255.0.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.9.0/255.255.255.0/0/0)
          current_peer: x.x.x.53
          #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
          #pkts decaps: 10744, #pkts decrypt: 10744, #pkts verify: 10744
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: x.x.x.13, remote crypto endpt.: x.x.x.53
          path mtu 1500, ipsec overhead 58, media mtu 1500
          current outbound spi: 500EC8BF
          current inbound spi : 8DAE3436
        inbound esp sas:
          spi: 0x8DAE3436 (2377004086)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 32768, crypto-map: OUTSIDE_MAP
             sa timing: remaining key lifetime (kB/sec): (3914946/24388)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0xFFFFFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0x500EC8BF (1343146175)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 32768, crypto-map: OUTSIDE_MAP
             sa timing: remaining key lifetime (kB/sec): (3915000/24388)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
        Crypto map tag: outside_dyn_map, seq num: 20, local addr: x.x.x.13
          local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
          remote ident (addr/mask/prot/port): (172.20.20.8/255.255.255.255/0/0)
          current_peer: x.x.x.87, username: ewebb
          dynamic allocated peer ip: 172.20.20.8
          #pkts encaps: 16434, #pkts encrypt: 16464, #pkts digest: 16464
          #pkts decaps: 19889, #pkts decrypt: 19889, #pkts verify: 19889
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 16434, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 30, #pre-frag failures: 0, #fragments created: 60
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 60
          #send errors: 0, #recv errors: 0
          local crypto endpt.: x.x.x.13/4500, remote crypto endpt.: x.x.x.87/2252
          path mtu 1500, ipsec overhead 66, media mtu 1500
          current outbound spi: 2D712C9F
          current inbound spi : 0EDB79C8
        inbound esp sas:
          spi: 0x0EDB79C8 (249264584)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={RA, Tunnel,  NAT-T-Encaps, }
             slot: 0, conn_id: 65536, crypto-map: outside_dyn_map
             sa timing: remaining key lifetime (sec): 18262
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0xFFFFFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0x2D712C9F (762391711)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={RA, Tunnel,  NAT-T-Encaps, }
             slot: 0, conn_id: 65536, crypto-map: outside_dyn_map
             sa timing: remaining key lifetime (sec): 18261
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
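
Added example (not part of the original post): a small parser for `show crypto ipsec sa` output in the format pasted above, which compares the encaps and decaps counters of each crypto map entry to show in which direction traffic is flowing. The sample text is constructed with documentation addresses, and the state labels (`receive-only`, `send-only`, and so on) are names chosen for this example, not ASA terminology.

```python
import ipaddress
import re

# Constructed sample in the layout of `show crypto ipsec sa`
# (documentation addresses and an invented username; not real device output).
SAMPLE = """\
interface: outside
    Crypto map tag: OUTSIDE_MAP, seq num: 5, local addr: 192.0.2.13
      local ident (addr/mask/prot/port): (10.200.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.9.0/255.255.255.0/0/0)
      current_peer: 198.51.100.53
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 10744, #pkts decrypt: 10744, #pkts verify: 10744
      #send errors: 0, #recv errors: 0
    Crypto map tag: outside_dyn_map, seq num: 20, local addr: 192.0.2.13
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (172.20.20.8/255.255.255.255/0/0)
      current_peer: 203.0.113.87, username: alice
      #pkts encaps: 16434, #pkts encrypt: 16464, #pkts digest: 16464
      #pkts decaps: 19889, #pkts decrypt: 19889, #pkts verify: 19889
      #send errors: 0, #recv errors: 0
"""

TAG_RE = re.compile(r"Crypto map tag: ([^,\s]+), seq num: (\d+)")
IDENT_RE = re.compile(
    r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/"
)
PEER_RE = re.compile(r"current_peer: ([^\s,]+)")
COUNTER_RE = re.compile(r"#([^:#,]+): (\d+)")


def parse_ipsec_sa(text):
    """Return one dict per 'Crypto map tag' block found in the output."""
    entries = []
    current = None
    for line in text.splitlines():
        tag = TAG_RE.search(line)
        if tag:
            current = {
                "tag": tag.group(1),
                "seq": int(tag.group(2)),
                "peer": None,
                "local": None,
                "remote": None,
                "counters": {},
            }
            entries.append(current)
            continue
        if current is None:
            continue  # lines before the first block, e.g. "interface: outside"
        ident = IDENT_RE.search(line)
        if ident:
            side, addr, mask = ident.groups()
            # Convert addr/netmask into CIDR notation for readability.
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            current[side] = str(net)
            continue
        peer = PEER_RE.search(line)
        if peer:
            current["peer"] = peer.group(1)
            continue
        # Counter lines carry several "#name: value" pairs separated by commas.
        for name, value in COUNTER_RE.findall(line):
            current["counters"][name.strip()] = int(value)
    return entries


def classify(entry):
    """Label the traffic direction of one entry from its packet counters."""
    counters = entry["counters"]
    sent = counters.get("pkts encaps", 0)
    received = counters.get("pkts decaps", 0)
    if sent and received:
        state = "bidirectional"
    elif received:
        state = "receive-only"   # peer's packets decrypt, nothing is sent back
    elif sent:
        state = "send-only"      # local packets are encrypted, no replies arrive
    else:
        state = "idle"
    errors = counters.get("send errors", 0) + counters.get("recv errors", 0)
    return state, errors


def report(text):
    """Return (peer, local net, remote net, state, error count) per entry."""
    rows = []
    for entry in parse_ipsec_sa(text):
        state, errors = classify(entry)
        rows.append((entry["peer"], entry["local"], entry["remote"], state, errors))
    return rows


if __name__ == "__main__":
    for peer, local, remote, state, errors in report(SAMPLE):
        print(f"{peer:15} {local:16} -> {remote:18} {state} (errors={errors})")
```

A `receive-only` entry means packets from the peer are being decrypted while no outbound packet has been encapsulated on that SA since it came up; the counters alone do not say why.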

  • VPN clients not able to ping Remote PCs & Servers : ASA 5520

    VPN is connected successfully, but I am not able to ping any remote IP or FQDN from the client PC. I am able to ping the ASA 5520 firewall's inside interface. Also, some clients are able to access and some clients are not able to access. I am new to these firewalls. I tried most of the ways from the internet; can anyone please help ASAP?
    Remote ip section : 192.168.1.0/24
    VPN IP Pool : 192.168.5.0/24
    Running Config :
     ip address 192.168.1.2 255.255.255.0
    interface GigabitEthernet0/2
     shutdown
     no nameif
     no security-level
     no ip address
    interface GigabitEthernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    interface Management0/0
     shutdown
     no nameif
     no security-level
     no ip address
     management-only
    passwd z40TgSyhcLKQc3n1 encrypted
    boot system disk0:/asa722-k8.bin
    ftp mode passive
    clock timezone GST 4
    dns domain-lookup outside
    dns domain-lookup inside
    dns server-group DefaultDNS
     name-server 213.42.20.20
     domain-name default.domain.invalid
    access-list outtoin extended permit tcp any host 83.111.113.114 eq 3389
    access-list outtoin extended permit tcp any host 83.111.113.113 eq https
    access-list outtoin extended permit tcp any host 83.111.113.114 eq smtp
    access-list outtoin extended permit tcp any host 83.111.113.114 eq https
    access-list outtoin extended permit tcp any host 83.111.113.114 eq www
    access-list outtoin extended permit tcp any host 83.111.113.115 eq https
    access-list outtoin extended permit tcp any host 94.56.148.98 eq 3389
    access-list outtoin extended permit tcp any host 83.111.113.117 eq ssh
    access-list fualavpn_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
    access-list outside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
    access-list inet_in extended permit icmp any any time-exceeded
    access-list inet_in extended permit icmp any any unreachable
    access-list inet_in extended permit icmp any any echo-reply
    access-list inet_in extended permit icmp any any echo
    pager lines 24
    logging enable
    logging asdm informational
    logging from-address [email protected]
    logging recipient-address [email protected] level errors
    logging recipient-address [email protected] level emergencies
    logging recipient-address [email protected] level errors
    mtu outside 1500
    mtu inside 1500
    ip local pool fualapool 192.168.5.10-192.168.5.50 mask 255.255.255.0
    ip local pool VPNPool 192.168.5.51-192.168.5.150 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-522.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound outside
    nat (inside) 1 192.168.1.0 255.255.255.0
    static (inside,outside) 94.56.148.98 192.168.1.11 netmask 255.255.255.255
    static (inside,outside) 83.111.113.114 192.168.1.111 netmask 255.255.255.255
    access-group inet_in in interface outside
    route outside 0.0.0.0 0.0.0.0 83.111.113.116 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    group-policy DfltGrpPolicy attributes
     banner none
     wins-server none
     dns-server none
     dhcp-network-scope none
     vpn-access-hours none
     vpn-simultaneous-logins 10
     vpn-idle-timeout 30
     vpn-session-timeout none
     vpn-filter none
     vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
     password-storage disable
     ip-comp disable
     re-xauth disable
     group-lock none
     pfs disable
     ipsec-udp disable
     ipsec-udp-port 10000
     split-tunnel-policy tunnelall
     split-tunnel-network-list none
     default-domain none
     split-dns none
     intercept-dhcp 255.255.255.255 disable
     secure-unit-authentication disable
     user-authentication disable
     user-authentication-idle-timeout 30
     ip-phone-bypass disable
     leap-bypass disable
     nem disable
     backup-servers keep-client-config
     msie-proxy server none
     msie-proxy method no-modify
     msie-proxy except-list none
     msie-proxy local-bypass disable
     nac disable
     nac-sq-period 300
     nac-reval-period 36000
     nac-default-acl none
     address-pools none
     client-firewall none
     client-access-rule none
     webvpn
      functions url-entry
      html-content-filter none
      homepage none
      keep-alive-ignore 4
      http-comp gzip
      filter none
      url-list none
      customization value DfltCustomization
      port-forward none
      port-forward-name value Application Access
      sso-server none
      deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
      svc none
      svc keep-installer installed
      svc keepalive none
      svc rekey time none
      svc rekey method none
      svc dpd-interval client none
      svc dpd-interval gateway none
      svc compression deflate
    group-policy fualavpn internal
    group-policy fualavpn attributes
     dns-server value 192.168.1.111 192.168.1.100
     vpn-tunnel-protocol IPSec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value fualavpn_splitTunnelAcl
    username test password I7ZgrgChfw4FV2AW encrypted privilege 0
    username Mohamed password Vqmmt8cR/.Qu7LhU encrypted privilege 0
    username Moghazi password GMr7xgdqmGEQ2SVR encrypted privilege 0
    username Moghazi attributes
     password-storage enable
    username fualauaq password E6CgvoOpTKphiM2U encrypted privilege 0
    username fualauaq attributes
     password-storage enable
    username fuala password IFtijSYb7LAOV/IW encrypted privilege 15
    username Basher password Djf15nXIJXmayfjY encrypted privilege 0
    username Basher attributes
     password-storage enable
    username fualafac password VGC/7cKXW1A6eyXS encrypted privilege 0
    username fualafac attributes
     password-storage enable
    username fualaab password ONTH8opuP4RKgRXD encrypted privilege 0
    username fualaab attributes
     password-storage enable
    username fualaadh2 password mNEgLxzPBeF4SyDb encrypted privilege 0
    username fualaadh2 attributes
     password-storage enable
    username fualaain2 password LSKk6slwsVn4pxqr encrypted privilege 0
    username fualaain2 attributes
     password-storage enable
    username fualafj2 password lE4Wu7.5s7VXwCqv encrypted privilege 0
    username fualafj2 attributes
     password-storage enable
    username fualakf2 password 38oMUuwKyShs4Iid encrypted privilege 0
    username fualakf2 attributes
     password-storage enable
    username fualaklb password .3AMGUZ1NWU1zzIp encrypted privilege 0
    username fualaklb attributes
     password-storage enable
    username fualastr password RDXSdBgMaJxNLnaH encrypted privilege 0
    username fualastr attributes
     password-storage enable
    username fualauaq2 password HnjodvZocYhDKrED encrypted privilege 0
    username fualauaq2 attributes
     password-storage enable
    username fualastore password wWDVHfUu9pdM9jGj encrypted privilege 0
    username fualastore attributes
     password-storage enable
    username fualadhd password GK8k1MkMlIDluqF4 encrypted privilege 0
    username fualadhd attributes
     password-storage enable
    username fualaabi password eYL0j16kscNhhci4 encrypted privilege 0
    username fualaabi attributes
     password-storage enable
    username fualaadh password GTs/9BVCAU0TRUQE encrypted privilege 0
    username fualaadh attributes
     password-storage enable
    username fualajuh password b9QGJ1GHhR88reM1 encrypted privilege 0
    username fualajuh attributes
     password-storage enable
    username fualadah password JwVlqQNIellNgxnZ encrypted privilege 0
    username fualadah attributes
     password-storage enable
    username fualarak password UE41e9hpvcMeChqx encrypted privilege 0
    username fualarak attributes
     password-storage enable
    username fualasnk password ZwZ7fVglexrCWFUH encrypted privilege 0
    username fualasnk attributes
     password-storage enable
    username rais password HrvvrIw5tEuam/M8 encrypted privilege 0
    username rais attributes
     password-storage enable
    username fualafuj password yY2jRMPqmNGS.3zb encrypted privilege 0
    username fualafuj attributes
     password-storage enable
    username fualamaz password U1YUfQzFYrsatEzC encrypted privilege 0
    username fualamaz attributes
     password-storage enable
    username fualashj password gN4AXk/oGBTEkelQ encrypted privilege 0
    username fualashj attributes
     password-storage enable
    username fualabdz password tg.pB7RXJx2CWKWi encrypted privilege 0
    username fualabdz attributes
     password-storage enable
    username fualamam password uwLjc0cV7LENI17Y encrypted privilege 0
    username fualamam attributes
     password-storage enable
    username fualaajm password u3yLk0Pz0U1n.Q0c encrypted privilege 0
    username fualaajm attributes
     password-storage enable
    username fualagrm password mUt3A60gLJ8N5HVr encrypted privilege 0
    username fualagrm attributes
     password-storage enable
    username fualakfn password ceTa6jmvnzOFNSgF encrypted privilege 0
    username fualakfn attributes
     password-storage enable
    username Fualaain password Yyhr.dlc6/J7WvF0 encrypted privilege 0
    username Fualaain attributes
     password-storage enable
    username fualaban password RCJKLGTrh7VM2EBW encrypted privilege 0
    username John password D9xGV1o/ONPM9YNW encrypted privilege 15
    username John attributes
     password-storage disable
    username wrkshopuaq password cFKpS5e6Whp0A7TZ encrypted privilege 0
    username wrkshopuaq attributes
     password-storage enable
    username Talha password 3VoAABwXxVonLmWi encrypted privilege 0
    username Houssam password Cj/uHUqsj36xUv/R encrypted privilege 0
    username Faraj password w2qYfE3DkYvS/oPq encrypted privilege 0
    username Faraj attributes
     password-storage enable
    username gowth password HQhALLeiQXuIzptCnTv1rA== nt-encrypted privilege 15
    username Hameed password 0Kr0N1VRmLuWdoDE encrypted privilege 0
    username Hameed attributes
     password-storage enable
    username Hassan password Uy4ASuiNyEd70LCw encrypted privilege 0
    username cisco password IPVBkPI1GLlHurPD encrypted privilege 15
    username Karim password 5iOtm58EKMyvruZA encrypted privilege 0
    username Shakir password BESX2bAvlbqbDha/ encrypted privilege 0
    username Riad password iB.miiOF7qMESlCL encrypted privilege 0
    username Azeem password 0zAqiCG8dmLyRQ8f encrypted privilege 15
    username Azeem attributes
     password-storage disable
    username Osama password xu66er.7duIVaP79 encrypted privilege 0
    username Osama attributes
     password-storage enable
    username Mahmoud password bonjr0B19aOQSpud encrypted privilege 0
    username alpha password x8WO0aiHL3pVFy2E encrypted privilege 15
    username Wissam password SctmeK/qKVNLh/Vv encrypted privilege 0
    username Wissam attributes
     password-storage enable
    username Nabil password m4fMvkTgVwK/O3Ms encrypted privilege 0
    aaa authentication telnet console LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication enable console LOCAL
    http server enable
    http 0.0.0.0 0.0.0.0 outside
    http 192.168.1.4 255.255.255.255 inside
    http 192.168.1.100 255.255.255.255 inside
    http 192.168.1.111 255.255.255.255 inside
    http 192.168.1.200 255.255.255.255 inside
    http 83.111.113.117 255.255.255.255 outside
    http 192.168.1.17 255.255.255.255 inside
    http 192.168.1.16 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set pfs
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    tunnel-group fualavpn type ipsec-ra
    tunnel-group fualavpn type ipsec-ra
    tunnel-group fualavpn general-attributes
     address-pool fualapool
     address-pool VPNPool
     default-group-policy fualavpn
    tunnel-group fualavpn ipsec-attributes
     pre-shared-key *
    tunnel-group fualavpn ppp-attributes
     authentication pap
     authentication ms-chap-v2
     authentication eap-proxy
    telnet 0.0.0.0 0.0.0.0 outside
    telnet 0.0.0.0 0.0.0.0 inside
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 192.168.1.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    management-access inside
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns migrated_dns_map_1
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns migrated_dns_map_1
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect icmp
      inspect icmp error
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:38e41e83465d37f69542355df734db35
    : end

    Hi,
    What about translating the traffic on the local ASA (Active unit) for traffic received from the VPN tunnel to the internal interface IP address? You can try something like:
     nat (outside,inside) source dynamic obj-VpnRemoteTraffic interface destination static StandbyIP StandbyIP
    Regards,
