Remote access VPN Users not able to see local lan or internet

Similar Messages

• Remote Access VPN Users with CX Active Authentication.

  I have ASA 5515 with CX for webfiltering , also have enabled remote access vpn . All my inside users are able to get active and passive authentication correctly . But for remote access VPN users , they are redirected to ASA external ip and CX authentication port 9000 but a blank page comes in and there is no prompt for authentication. I wasnt doing split tunneling , but now i have excluded ASA WAN ip from the tunnel and still have the same issue.
  The CX version we have is 9.3.1.1

  Have you excluded the VPN traffic from being NATed when traffic is going between clients?
  Please post a full sanitised configuration of the router so we can check it for configuration issues.
  Please remember to select a correct answer and rate helpful posts

• Except sadmin other users not able to see siebel BI publisher reports

  Hi,
  we have integrated siebel with BI publisher, except sadmin other users not able to see BI publisher reports, it is throwing error "No file has been attached to this record, please attach a file. SBL-SVC-00155".
  when login with sadmin report is generating. we have created user sadmin on BI publisher. if we change that user sadmin on BI publisher to some other name, then sadmin not able to generate reports. is there any specific on user creation on BIP should match with siebel?
  Thanks,
  Joe

  i suggest then dropping user and re-creating and then re-assigning permission (just keep his webcat files) - it'll be faster than looking into individual permissions
  another possible option - did you check his browser? sometimes the screen resolution can be too low and they don't see it on the same screen - need to scroll.
  is it possible he's not using the same Dashboard page as others? just check the "Report Links" to make sure
  i'm not sure what else could be a cause of this

• Users not able to see remote users on the node network

  Users that belong to one node are not able to see users in another calendar
  server node. Both calendar servers are pointing to the same directory server.
  Some errors that occur in the log files:
  DEXOTEK ERRCODE Ox13608 -> SchedBaseOpen: Section name too long
  DEXOTEK ERRCODE Ox13608 -> OpenConnection: SchedBaseOpenOnHost
  And when uninode -cws nodeID is run, it does not report being able to see all
  the users and resources on the remote nodes.
  uninode: connected to hostname.net.xxx.com, node 10000
  directory of items: 10 (USERS = 10/RESOURCES = 0)
  CONNECTION EX AV Q-SIZE IN-PROCESS IMPORT-DIR
  (10000)->xxxxxx.xxx.com(10001) 2 2 0 0 370 (U=370/R=0)
  Here is the nodes.ini file:
  + H=xxxxxxx.xxx.com/N=10000
  + H=xxxx.xxx.com/N=10001
  all=2
  There is a reported bug, that 16 chars is max on domain names for the nodes.ini
  file, which means that you need to change that file and use:
       a) an alias that can be resolved on the network with either DNS or local
       host files
       b) use the IP address.
  As documented in the release notes, here is the procedure on how to modify the
  hostname when it is too long. Or how to modify the hostname for any reason.
  Fix for long host names problem
  If the fully qualified domain name for your network exceeds 16 characters, it
  will be necessary to shorten the host name of all the servers in the Calendar
  Server network . These instructions must be carefully followed to avoid causing
  problems with the network. Ensure that the procedure is applied to ALL nodes in
  the Calendar network.
  1) The following procedure should be carried out on each server in the
  Calendar network:
  a) Bring the Calendar services down.
  % unistop -y
  b) Run the unidbfix command in export mode.
  % unidbfix -export -n node-id
  This will create a remotenode.ini file for each node on the server. The file is
  located in the node's perm directory.
  Example:
  If you have two nodes on the server ROCK, node 1(in N1) and node (in N2), the
  files are:
  /users/unison/db/nodes/N1/perm/remotenode.ini
  /users/unison/db/nodes/N2/perm/remotenode.ini
  The remotenode.ini file will look something like this:
  [1]
  RN_NUMCONNECT = 2
  RN_SURNAME = "unison"
  RN_GIVENNAME = "unison"
  RN_ORGUNIT1 = "uni2"
  RN_ORGUNIT2 = "openmail"
  RN_ORGANIZATION = "ABC Corp"
  RN_ACCESSMETHOD = 2
  RN_SERVICENAME = "unieng"
  RN_HOSTNAME = "rock"
  [2]
  RN_NUMCONNECT = 2
  RN_SURNAME = "unison"
  RN_GIVENNAME = "unison"
  RN_ORGUNIT1 = "uni4"
  RN_ORGUNIT2 = "openmail"
  RN_ORGANIZATION = "ABC Corp"
  RN_ACCESSMETHOD = 2
  RN_SERVICENAME = "unieng"
  RN_HOSTNAME = "rock"
  2) Once you have run unidbfix in export mode on all the servers, proceed as
  follows:
  a) Compare the remotenode.ini files and verify that the entries are the
  same. In each file, you will note that an entry for the local node is not
  included.
  b) Edit one of the files (on any of the servers). This file will be
  referred to as the master file. Add the appropriate entries for the
  local node (copy the section from one of the other files). Modify the
  RN_HOSTNAME in each of the sections of the master file to shorten the
  name.
  c) Copy the master file in the perm directories of each node on all the
  servers.
  3) Once the master file is in the perm directory of all the nodes, proceed as
  follows on each server:
  a) Run the unidbfix command in the -import mode.
  % unidbfix -import -n node-id
  b) Edit the nodes.ini file on the hub server and make the same changes to
  the host names. You do not need to apply the changes.
  c) Edit the [UTL] section of the /users/unison/misc/unison.ini file and
  change the host name.
  d) Start up the services.
  % unistart
  4) After all the changes have been made, run the uninode -cws all and
  uninode -snc all commands and verify that the results are accurate.

  See this:
  http://docs.info.apple.com/article.html?path=Mac/10.6/en/8203.html
  You should then see your pcs listed in Finder's sidebar under the shared section.
  Regards

• Report exection problem for one user - not able to see the data.

  Hello Friends ,
  Need some help . I have got the one ticket from bussniess side about the report execution .
  Unfortunately , I am also not having authorisation of that report due to sensible data.
  Problem - User is executing the report but some how he is not ABLE TO see the data for one company code Hierachy .
  I executed the same report through RSSMQ via his user id , and I got the  below message.
  All value were selected . Hierachy Authorisation cannot be used.
  A displayed hierachy requier a hierachy authorisation .
  But when i checked his authorisation , I am able to see that he should have authorisation to all the hireachy .
  could you please let me know , how can I check more ?
  Regards,

  after accessing the report , u go to su53 tcode and check the authorization and u can see what is problem in authorization for the that user and u can send the details to secuity team to rectify the issue ,

• Remote Access VPN users unable to communicate with each other

  Hi,
  We have configured Remote Access VPN on Cisco IOS router. Users are able to access the inside resources but cant communicate to each other. Any suggestions on the issue?
  Regards
  Saif

  Have you excluded the VPN traffic from being NATed when traffic is going between clients?
  Please post a full sanitised configuration of the router so we can check it for configuration issues.
  Please remember to select a correct answer and rate helpful posts

• Service Desk end user not able to see messages

  Hi
  Im configuring service desk.Iam facing following issues.
  1. In solution manager service desk user could not able to see his submitted messages.He could able to submit his message and they are appearing in crm_dno_monitor. Is there any way he can see his submitted messages and message status.
  2. I have assigned following roles to user, but he couldnot able to send message and getting 513 error. If i assign sap_all to him, he is able to submit message. Just i wanted to know how can i avoid sap_all to him.
  ZSAP_SOL_SERVTRANS_CREATE
  ZSAP_SUPPDESK_CREATE
  ZSAP_SV_FDB_NOTIF_BC_CREATE
  Your help is highly appreciated
  Thanks
  Regards
  Mahi

  Hi Mahi,
  Please check about Workcenter:
  1160651:  Work Centers: How to Customize (Solution Manager)
  http://help.sap.com/saphelp_smehp1/helpdata/en/6a/4b4713fc2e45ad921a20b0831d07a5/content.htm
  Make sure the user has the following roles:
  SAP_SUPPDESK_CREATE
  SAP_SUPPCF_CREATE
  SAP_SMWORK_BASIC
  SAP_SMWORK_INCIDENT_MAN
  Message processor:
  SAP_SMWORK_BASIC
  SAP_SUPPDESK_CREATE
  SAP_SUPPDESK_PROCESS
  SAP_SUPPDESK_DISPLAY
    SAP_SMWORK_INCIDENT_MAN
  Concerning this please pay attention of the note:
    834534 - SAP Solution Manager roles in Release 7.0
  Error message 513 is probably caused by incorrect or incomplete
  customizing. Please review attached note 864195 for more details.
  Please also ensure note 1356510 has been applied in your system,
  you may find more explanation in note 1522809.
  Please check the authorizations for your key users. The key user
  shouldn't have the following value on authorization object CRM_TXT_ID:
  TEXTID   SU15
  ACTVT    02
  FM AI_SDK_KEY_USER_CHECK can be used to check a user is a key user or
  not. The key user should have limited authorizations on authorization
  object CRM_TXT_ID.
  Please check security guide for the message processor roles and
  other roles. You can download the security guide from below link which
  will be available to download after half an hour or so or you can also
  find security guide from below link:
  http://service.sap.com/instguides -> SAP Components -> SAP Solution
  Manager
  Thanks
  Regards,
  Vikram Jain

• Users not able to see all the default reports in FDM under analysis

  All,
  Users in FDM are not able to see all the default reports which will be available under Analysis. I have checked the MenuNavigation and MenuNavigationItems under object maintainence in FDM which have "ALL" as the provisioning level. I am not sure where the issue is as the users still not able to see the reports. Please advise if there is something that can be done in workbench.
  Regards

  You can set security on Report folders in workbench.  You would go to the report tab in workbench, and right click on a Folder (Cannot do it on the individual report, it has to be on the folder), and you can assign security levels to the report folder.  There are some in here that default to the admin level but you can override it.
  Regards
  JTF

• Users not able to print local (frontend)

  SAP users are not able to print LOCL (front-end). The error message found in SP01 is waiting for formatter. This is no dump on ST22 related to this problem. SM21 is clean as well. SM66 looks OK. There are plenty of spool work process in wait status (SM50). How to troubleshoot this problem?

  Hello.
  Is this an issue across all of the users?
  The way i would look into this is first look at the user in SU01. Does the user have local as the printer default and is print immediately checked?
  From there i would have a look at the spool using transaction SP01. Is this beginning to get full?
  If it is just specfic users is there any differences with the SAPGui's to someone that it works with? Does the users have SAPLPD coming up? This often gives a better error than the spool. If it is what is the error.
  Sorry if you have already looked into this but this is the process i always work through with printing errors
  Kind Regards,
  Emily
  Edited by: Emily Needham on Jul 28, 2009 3:24 PM

• Remote access vpn clients, access to Internet resources

  Hello, we currently have a remote access vpn set up terminating on an ASA 5520.  Remote access users connect into this ASA and are able to access resources inside of the firewall- the public IP of the ASA is 1.1.1.135.  We need these users to be able to access resources natted behind another ASA firewall on the same public IP segment, at IP address 1.1.1.165.
  I have gotten to the point where I believe I have all of my Nat/global statements in place, along with my ACLs on both firewalls, but I am not able to make the connection to the server behind the second ASA.
  running packet tracer on the second ASA (hosting the 1.1.1.165 server) shows that the packet will be allowed.  RUnning packet tracer on the Remote access VPN ASA is showing that the packet is dropped due to :
  Action: drop
  Drop-reason: (ipsec-spoof) IPSEC Spoof detected
  To me, this should be a simple setup, very similar to a company that tunnels all traffic (including Internet traffic) for remote access VPN users.  It just doesn't seem like my traffic is getting to the second ASA wioth the remote host.
  Anyone have any ideas?

  I figured out the answer- I had to add a nat statement form my VPN user subnet to be natted to the outside global IP:
  nat (outside) 1 10.2.2.0 255.255.255.0 (this is my vpn subnet)
  global (outside) 1 interface

• User not able to run a report.

  Report Server has encountered a SharePoint error. (rsSharePointError) Cannot open database "dbname" requested by the login. The login failed. Login failed for user . For more information about this error navigate to the report server on the local
  server machine, or enable remote errors

  Hi Kunal, here are a few links that might point you in the right direction:
  http://social.msdn.microsoft.com/Forums/sharepoint/en-US/cca6cb99-c86d-4ba6-b6b9-81ec88771aa8/users-not-able-to-see-the-published-reports?forum=sqlreportingservices
  http://social.msdn.microsoft.com/Forums/sharepoint/en-US/c6c1414c-c338-4222-a5ca-a554d3ad912c/problem-getting-some-users-to-be-able-to-run-reports-probably-security-of-some-sort?forum=sqlreportingservices
  http://gj80blogtech.blogspot.com/2010/07/ssrs-error-report-server-has.html
  http://support.microsoft.com/default.aspx?scid=kb;EN-US;2597014
  cameron rautmann

• Remote Access VPN Support in Multiple Context Mode (9.1(2))?

  Hi Guys,
  I am currently running two Cisco ASA5520 (ASA Version: 9.1(2)) firewalls in Active/Standby failover and was contemplating the option of migrating my remote access VPN to these firewalls. However seeing that the new IOS now support mixed multiple context mode and dynamic routing. Is it safe to ask whether or not Remote Access VPN is now support in this IOS upgrade?
  Multiple Context Mode New Features:
  Site-to-Site VPN in multiple context mode | Site-to-site VPN tunnels are now supported in multiple context mode.
  New resource type for site-to-site VPN tunnels | New resource types, vpn other and vpn burst other, were created to set the maximum number of site-to-site VPN tunnels in each context.
  Dynamic routing in Security Contexts | EIGRP and OSPFv2 dynamic routing protocols are now supported in multiple context mode. OSPFv3, RIP, and multicast routing are not supported.
  New resource type for routing table entries | A new resource class, routes, was created to set the maximum number of routing table entries in each context. We modified the following commands: limit-resource, show resource types, show resource usage, show resource allocation. We modified the following screen: Configuration > Context Management > Resource Class > Add Resource Class.
  Mixed firewall mode support in multiple context mode | You can set the firewall mode independently for each security context in multiple context mode, so some can run in transparent mode while others run in routed mode. We modified the following command: firewall transparent. You cannot set the firewall mode in ASDM; you must use the command-line interface. Also available in Version 8.5(1).
  Regards,
  Leon

  Hey Leon,
  According to the ASA 9.1 Configuration Guide, Remote Access VPN is not yet supported with version 9.1(2). Only Site-to-Site VPN support in multiple context was introduced with release ASA 9.0(x). This was mentioned in the 9.0(x) release notes.
  Regards,
  Dennis

• Remote Access VPN to Site-to-Site VPN

  We have a remote access VPN and a site-to-site VPN. Both work fine except that clients of the remote access VPN can not access hosts on the site-to-site VPN.
  We are 10.5.5.0
  Site-to-Site VPN goes to 10.2.2.0
  Remote access clients can access anything on 10.5.5.0 but nothing on 10.2.2.0.
  What needs to be done to allow this to happen?

  Is this ASA/PIX 7?
  You need to add the traffic between the lans to the nat exemption and crypto acls on the firewalls.
  Headend Firewall
  same-security-traffic permit intra-interface
  access-list extended permit ip 10.2.2.0 255.255.255.0
  Remote Firewall
  access-list extended permit ip 10.2.2.0 255.255.255.0
  access-list extended permit ip 10.2.2.0 255.255.255.0
  Also, if you are split tunnelling you need to add the remote subnet to be tunneled.
  Please rate helpful posts.

• Does ASA Service Module on 6509-E support Remote Access VPN ?

  I'm having a problem configuring Remote Access VPN (SSL, Anyconnect ect.) on ASA Service Module on 6509-E. Is this even supported  or am i wasting my time trying to make something work which will not work in a first place :) ? Site-to-Site works without any problems.
  Tech Info:
  6509-E running SUP 2T 15.1(2)SY
  ASA Module - WS-SVC-ASA-SM1 running image - asa912-smp-k8 & asdm-712
  Licenses on ASA:
  Encryption-DES - Enabled
  Encryption-3DES-AES  -Enabled
  Thanks in Advance for support.

  Are you running multiple context mode?
  If you are, remote access VPN is not supported in that case:
  "Note Multiple context mode only applies to IKEv2 and IKEv1 site to site and does not apply to AnyConnect, clientless SSL VPN, the legacy Cisco VPN client, the Apple native VPN client, the Microsoft native VPN client, or cTCP for IKEv1 IPsec."
  Reference.

• Inside lan is not reachable even after cisco Remote access vpn client connected to router C1841 But can ping to the router inside interface and loop back interface but not able to ping even to the directly connected inside device..??

  Hii frnds,
  here is the configuration in my router C1841..for the cisco ipsec remote access vpn..i was able to establish a vpn session properly...but there after i can only reach up to the inside interfaces of the router..but not to the lan devices...
  Below is the out put from the router
  r1#sh run
  Building configuration...
  Current configuration : 3488 bytes
  ! Last configuration change at 20:07:20 UTC Tue Apr 23 2013 by ramana
  ! NVRAM config last updated at 11:53:16 UTC Sun Apr 21 2013 by ramana
  version 15.1
  service config
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname r1
  boot-start-marker
  boot-end-marker
  enable secret 5 $1$6RzF$L6.zOaswedwOESNpkY0Gb.
  aaa new-model
  aaa authentication login local-console local
  aaa authentication login userauth local
  aaa authorization network groupauth local
  aaa session-id common
  dot11 syslog
  ip source-route
  ip cef
  ip domain name r1.com
  multilink bundle-name authenticated
  license udi pid CISCO1841 sn FHK145171DM
  username ramana privilege 15 secret 5 $1$UE7J$u9nuCPGaAasL/k7CxtNMj.
  username giet privilege 15 secret 5 $1$esE5$FD9vbBwTgHERdRSRod7oD.
  redundancy
  crypto isakmp policy 10
  encr 3des
  authentication pre-share
  group 2
  crypto isakmp client configuration group ra-vpn
  key xxxxxx
  domain r1.com
  pool vpn-pool
  acl 150
  save-password
    include-local-lan
  max-users 10
  crypto ipsec transform-set my-vpn esp-3des esp-md5-hmac
  crypto dynamic-map RA 1
  set transform-set my-vpn
  reverse-route
  crypto map ra-vpn client authentication list userauth
  crypto map ra-vpn isakmp authorization list groupauth
  crypto map ra-vpn client configuration address respond
  crypto map ra-vpn 1 ipsec-isakmp dynamic RA
  interface Loopback0
  ip address 10.2.2.2 255.255.255.255
  interface FastEthernet0/0
  bandwidth 8000000
  ip address 117.239.xx.xx 255.255.255.240
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip nat outside
  ip virtual-reassembly
  duplex auto
  speed auto
  crypto map ra-vpn
  interface FastEthernet0/1
  description $ES_LAN$
  ip address 192.168.10.252 255.255.255.0 secondary
  ip address 10.10.10.1 255.255.252.0 secondary
  ip address 172.16.0.1 255.255.252.0 secondary
  ip address 10.10.7.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  duplex auto
  speed auto
  ip local pool vpn-pool 172.18.1.1   172.18.1.100
  ip forward-protocol nd
  ip http server
  ip http authentication local
  no ip http secure-server
  ip dns server
  ip nat pool INTERNETPOOL 117.239.xx.xx 117.239.xx.xx netmask 255.255.255.240
  ip nat inside source list 100 pool INTERNETPOOL overload
  ip route 0.0.0.0 0.0.0.0 117.239.xx.xx
  access-list 100 permit ip 10.10.7.0 0.0.0.255 any
  access-list 100 permit ip 10.10.10.0 0.0.1.255 any
  access-list 100 permit ip 172.16.0.0 0.0.3.255 any
  access-list 100 permit ip 192.168.10.0 0.0.0.255 any
  access-list 150 permit ip 10.10.7.0 0.0.0.255 172.18.0.0 0.0.255.255
  access-list 150 permit ip host 10.2.2.2 172.18.1.0 0.0.0.255
  access-list 150 permit ip 192.168.10.0 0.0.0.255 172.18.1.0 0.0.0.255
  control-plane
  line con 0
  login authentication local-console
  line aux 0
  line vty 0 4
  login authentication local-console
  transport input telnet ssh
  scheduler allocate 20000 1000
  end
  r1>sh ip route
  Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
         D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
         N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
         E1 - OSPF external type 1, E2 - OSPF external type 2
         i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
         ia - IS-IS inter area, * - candidate default, U - per-user static route
         o - ODR, P - periodic downloaded static route, + - replicated route
  Gateway of last resort is 117.239.xx.xx to network 0.0.0.0
  S*    0.0.0.0/0 [1/0] via 117.239.xx.xx
        10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks
  C        10.2.2.2/32 is directly connected, Loopback0
  C        10.10.7.0/24 is directly connected, FastEthernet0/1
  L        10.10.7.1/32 is directly connected, FastEthernet0/1
  C        10.10.8.0/22 is directly connected, FastEthernet0/1
  L        10.10.10.1/32 is directly connected, FastEthernet0/1
        117.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
  C        117.239.xx.xx/28 is directly connected, FastEthernet0/0
  L        117.239.xx.xx/32 is directly connected, FastEthernet0/0
        172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
  C        172.16.0.0/22 is directly connected, FastEthernet0/1
  L        172.16.0.1/32 is directly connected, FastEthernet0/1
        172.18.0.0/32 is subnetted, 1 subnets
  S        172.18.1.39 [1/0] via 49.206.59.86, FastEthernet0/0
        192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
  C        192.168.10.0/24 is directly connected, FastEthernet0/1
  L        192.168.10.252/32 is directly connected, FastEthernet0/1
  r1#sh crypto isakmp sa
  IPv4 Crypto ISAKMP SA
  dst             src             state          conn-id status
  117.239.xx.xx   49.206.59.86    QM_IDLE           1043 ACTIVE
  IPv6 Crypto ISAKMP SA
  r1 #sh crypto ipsec sa
  interface: FastEthernet0/0
      Crypto map tag: giet-vpn, local addr 117.239.xx.xx
     protected vrf: (none)
     local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
     remote ident (addr/mask/prot/port): (172.18.1.39/255.255.255.255/0/0)
     current_peer 49.206.59.86 port 50083
       PERMIT, flags={}
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts compr. failed: 0
      #pkts not decompressed: 0, #pkts decompress failed: 0
      #send errors 0, #recv errors 0
       local crypto endpt.: 117.239.xx.xx, remote crypto endpt.: 49.206.xx.xx
       path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
       current outbound spi: 0x550E70F9(1427009785)
       PFS (Y/N): N, DH group: none
       inbound esp sas:
        spi: 0x5668C75(90606709)
          transform: esp-3des esp-md5-hmac ,
          in use settings ={Tunnel UDP-Encaps, }
          conn id: 2089, flow_id: FPGA:89, sibling_flags 80000046, crypto map: ra-vpn
          sa timing: remaining key lifetime (k/sec): (4550169/3437)
          IV size: 8 bytes
          replay detection support: Y
          Status: ACTIVE
       inbound ah sas:
       inbound pcp sas:
       outbound esp sas:
        spi: 0x550E70F9(1427009785)
          transform: esp-3des esp-md5-hmac ,
          in use settings ={Tunnel UDP-Encaps, }
          conn id: 2090, flow_id: FPGA:90, sibling_flags 80000046, crypto map: ra-vpn
          sa timing: remaining key lifetime (k/sec): (4550170/3437)
          IV size: 8 bytes
          replay detection support: Y
          Status: ACTIVE
       outbound ah sas:
       outbound pcp sas:

  hi  Maximilian Schojohann..
  First i would like to Thank you for showing  interest in solving my issue...After some research i found that desabling the " IP CEF" will solve the issue...when i desable i was able to communicate success fully with the router lan..But when i desable " IP CEF "  Router cpu processer goes to 99% and hangs...
  In the output of " sh process cpu" it shows 65% of utilization from "IP INPUT"
  so plz give me an alternate solution ....thanks in advance....