Remote DNS server across ASA
Hi guys,
I am hoping someone can reply to my query below.
We have got a new batch of servers and they reside on a separate VLAN 192.168.45.x 255.255.255.0
Those servers are required to be registered on the DNS server located at the remote site (SITE 2). Please refer to the attached diagram. We also have a DNS server in our LAN, but these new servers will need to be in the domain in SITE 2.
Can anyone advise if I need anything else other than the following ACLs in the ASA firewall?
Access-list inside extended permit udp 192.168.45.0 255.255.255.0 host 10.10.100.150 eq 53
Access-list inside extended permit tcp 192.168.45.0 255.255.255.0 host 10.10.100.150 eq 53
Thanks
jay
The ACL entries above will allow DNS queries across the provider link from your local site. We are assuming matching entries allow the communications on the remote end and that routing etc. is all in place.
You asked, however, about needing to be "registered" on the DNS server and in the domain. Also, your diagram mentions the server is a DHCP server and you show it configured with the helper-address in your local core switch. DHCP uses TCP ports 67 and 68. When you say domain, if you are talking about a Windows domain, that is another set of ports.
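As an added example (not from the thread): a small Python evaluator that parses the two ACEs in the question the way the ASA applies them (first match wins, implicit deny at the end) and checks them against the DNS flows plus the DHCP relay flow the reply raises (relayed DHCP arrives at the server on UDP 67). The server address 192.168.45.10 and the relay source 192.168.45.1 are constructed assumptions, not values from the thread.

```python
"""Evaluate ASA extended ACL entries against the flows a scenario needs.

Parses ACEs in the one-line form used in the question:
  access-list NAME extended permit|deny PROTO SRC DST [eq PORT]
where SRC/DST is 'any', 'host A.B.C.D' or 'A.B.C.D MASK'.
Entries are evaluated first-match, with the ASA's implicit deny at the end.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A few service names the ASA accepts in place of destination port numbers.
SERVICE_PORTS = {"domain": 53, "bootps": 67, "bootpc": 68}


@dataclass(frozen=True)
class Ace:
    name: str
    action: str           # "permit" or "deny"
    proto: str            # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]   # destination port given with 'eq'; None = any port


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    port: int
    note: str = ""


def _take_address(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one address spec starting at tokens[i]; return (network, next index)."""
    tok = tokens[i].lower()
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # "A.B.C.D MASK" form with a dotted subnet mask, as in the question's ACEs
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line: str) -> Ace:
    """Parse one extended ACE line; raises ValueError on anything else."""
    t = line.split()
    if len(t) < 7 or t[0].lower() != "access-list" or t[2].lower() != "extended":
        raise ValueError(f"not an extended ACE: {line!r}")
    name, action, proto = t[1], t[3].lower(), t[4].lower()
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in: {line!r}")
    src, i = _take_address(t, 5)
    dst, i = _take_address(t, i)
    port = None
    if i < len(t) and t[i].lower() == "eq":
        p = t[i + 1].lower()
        port = SERVICE_PORTS[p] if p in SERVICE_PORTS else int(p)
    return Ace(name, action, proto, src, dst, port)


def evaluate(acl: List[Ace], flow: Flow) -> Tuple[str, Optional[Ace]]:
    """First matching ACE decides; no match means the ASA's implicit deny."""
    s, d = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != flow.proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.port is not None and ace.port != flow.port:
            continue
        return ace.action, ace
    return "deny", None


def denied_flows(acl: List[Ace], flows: List[Flow]) -> List[Flow]:
    """Flows the ACL does not permit: what still has to be added before go-live."""
    return [f for f in flows if evaluate(acl, f)[0] != "permit"]


# The two ACEs from the question, as posted.
ACL = [parse_ace(line) for line in (
    "access-list inside extended permit udp 192.168.45.0 255.255.255.0 host 10.10.100.150 eq 53",
    "access-list inside extended permit tcp 192.168.45.0 255.255.255.0 host 10.10.100.150 eq 53",
)]

# Constructed flows for the scenario. 192.168.45.10 stands in for one of the new servers;
# 192.168.45.1 is an ASSUMED core-switch SVI acting as the DHCP relay (ip helper-address).
NEEDED = [
    Flow("udp", "192.168.45.10", "10.10.100.150", 53, "DNS query"),
    Flow("tcp", "192.168.45.10", "10.10.100.150", 53, "DNS over TCP (replies over 512 bytes)"),
    Flow("udp", "192.168.45.1", "10.10.100.150", 67, "DHCP relay to the server (UDP 67)"),
]

if __name__ == "__main__":
    for f in NEEDED:
        action, ace = evaluate(ACL, f)
        print(f"{action:6} {f.proto}/{f.port:<3} {f.src} -> {f.dst}  ({f.note})")
    print("still blocked:", [f.note for f in denied_flows(ACL, NEEDED)])
```

Adding the domain-join flows the reply alludes to into NEEDED turns the "still blocked" list into the exact set of ACEs that remain to be written.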
Similar Messages
-
What is the trick in adding a "secondary zone" to my DNS server
Hello,
I am having a hard time adding a secondary zone to my DNS server. I followed the instructions carefully but I still get the "refuse" on my zone transfer. Do I need to go to the "NIC" of my interface card and make the primary DNS the server itself and the secondary DNS the IP of the "remote" DNS server?
Also, do I need to start configuring the "reverse lookup zone" (before even starting to add a "secondary zone" and performing a zone transfer), and first add the "A" record of the other (remote) DNS server?
Thanks,
Teapaq Long.
Event Type: Error
Event Source: DNS
Event Category: None
Event ID: 6525
Date: 11/10/2014
Time: 2:07:21 PM
User: N/A
Computer: REM-LAB-2K3.leftremote.com
Description:
A zone transfer request for the secondary zone localright.com was refused by the master DNS server at 192.168.77.92. Check the zone at the master server 192.168.77.92 to verify that zone transfer is enabled to this server. To do so, use the DNS console, and select master server 192.168.77.92 as the applicable server, then in secondary zone localright.com Properties, view the settings on the Zone Transfers tab. Based on the settings you choose, make any configuration adjustments there (or possibly in the Name Servers tab) so that a zone transfer can be made to this server.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: DNS
Event Category: None
Event ID: 6525
Date: 11/10/2014
Time: 12:03:18 PM
User: N/A
Computer: LOC-LAB-2K8.localright.com
Description:
A zone transfer request for the secondary zone leftremote.com was refused by the master DNS server at 192.168.95.92. Check the zone at the master server 192.168.95.92 to verify that zone transfer is enabled to this server. To do so, use the DNS console, and select master server 192.168.95.92 as the applicable server, then in secondary zone leftremote.com Properties, view the settings on the Zone Transfers tab. Based on the settings you choose, make any configuration adjustments there (or possibly in the Name Servers tab) so that a zone transfer can be made to this server.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Hi,
According to event ID 6525, this may be caused by a refusal of the zone transfer request.
Normally the secondary DNS server is just configured with itself as the preferred DNS server; the alternate DNS server is optional and depends on your needs.
When you fill in the master DNS server's IP address while adding the secondary zone on the secondary DNS server, it will prompt a warning if you have not added a PTR record in the reverse lookup zone on the master DNS server, but this won't affect the zone transfer process.
Have you followed the description in the event log and checked whether the master server has zone transfer enabled (Properties of zone -> Zone Transfers tab -> Allow zone transfers)?
Besides, verify that the master server of the secondary zone is authoritative for the zone. Reference steps below:
1. On the secondary DNS server, open DNS Manager.
2. Right-click the zone, select the General tab, and note the IP address of the server listed under Master Servers.
3. In the console tree, right-click DNS, and then click Connect to DNS Server.
4. Click The following computer, type the IP address of the master DNS server, and then click OK.
5. In the console tree, expand the master DNS server, and then expand the folder that contains the zone.
Note: If the zone is not in the folder, the server is not authoritative for the zone. In this case, you must configure the secondary server to transfer the zone from the correct master server.
6. Right-click the zone, click Properties, and then click the Name Servers tab.
7. Confirm that the secondary server is listed with the correct IP address. To correct the list, do one of the following:
If the secondary server is not in the list, click Add.
If the IP address of the secondary server is incorrect, click the server in the list, and then click Edit.
If this problem still exists: from the event log I notice that there are 2 secondary DNS servers, REM-LAB-2K3.leftremote.com and LOC-LAB-2K8.localright.com. Do they belong to different domains (leftremote.com and localright.com)? What is the relationship between them?
It would be helpful if you could provide the network topology, and describe the IP configuration of the master DNS server and the secondary DNS server.
Best Regards,
Eve Wang
-
Remote access VPN with ASA 5510 using DHCP server
Hi,
Can someone please share your knowledge to help me find why I am not able to receive an IP address on remote access VPN connection while I can get an IP address on local DHCP pool?
I am trying to set up remote access VPN with an ASA 5510. It works with a local DHCP pool but doesn't seem to work when I try using an existing DHCP server. It is being tested in an internal network as follows:
ASA Version 8.2(5)
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.6.0.12 255.255.254.0
ip local pool testpool 10.6.240.150-10.6.240.159 mask 255.255.248.0 !(worked with this)
route inside 0.0.0.0 0.0.0.0 10.6.0.1 1
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface inside
crypto isakmp enable inside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
vpn-addr-assign aaa
vpn-addr-assign dhcp
group-policy testgroup internal
group-policy testgroup attributes
dhcp-network-scope 10.6.192.1
ipsec-udp enable
ipsec-udp-port 10000
username testlay password *********** encrypted
tunnel-group testgroup type remote-access
tunnel-group testgroup general-attributes
default-group-policy testgroup
dhcp-server 10.6.20.3
tunnel-group testgroup ipsec-attributes
pre-shared-key *****
I got the following output when I test-connected to the ASA with Cisco VPN Client 5.0:
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 853
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing SA payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ke payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ISA_KE payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing nonce payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received xauth V6 VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received DPD VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received Fragmentation VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received NAT-Traversal ver 02 VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received Cisco Unity client VID
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, Connection landed on tunnel_group testgroup
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing IKE SA payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, IKE SA Proposal # 1, Transform # 9 acceptable Matches global IKE entry # 1
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing ISAKMP SA payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing ke payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing nonce payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Generating keys for Responder...
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing ID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing hash payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Computing hash for ISAKMP
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing Cisco Unity VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing xauth V6 VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing dpd vid payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing NAT-Traversal VID ver 02 payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing NAT-Discovery payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing NAT-Discovery payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing Fragmentation VID + extended capabilities payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 440
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NOTIFY (11) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing hash payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Computing hash for ISAKMP
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing notify payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing NAT-Discovery payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing NAT-Discovery payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000408)
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Received Cisco Unity client VID
Jan 16 15:39:21 [IKEv1]: Group = testgroup, IP = 10.15.200.108, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing blank hash payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing qm hash payload
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=d4ca48e4) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 72
Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=d4ca48e4) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 87
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, process_attr(): Enter!
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Processing MODE_CFG Reply attributes.
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: primary DNS = cleared
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: secondary DNS = cleared
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: primary WINS = cleared
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: secondary WINS = cleared
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: IP Compression = disabled
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Split Tunneling Policy = Disabled
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Browser Proxy Setting = no-modify
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Browser Proxy Bypass Local = disable
Jan 16 15:39:26 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, User (testlay) authenticated.
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing blank hash payload
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing qm hash payload
Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=6b1b471) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 64
Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=6b1b471) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 60
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): Enter!
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Processing cfg ACK attributes
Jan 16 15:39:27 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=49ae1bb8) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 182
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): Enter!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Processing cfg Request attributes
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for IPV4 address!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for IPV4 net mask!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for DNS server address!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for WINS server address!
Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Received unsupported transaction mode attribute: 5
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Banner!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Save PW setting!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Default Domain Name!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Split Tunnel List!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Split DNS!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for PFS setting!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Client Browser Proxy Setting!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for backup ip-sec peer list!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Client Smartcard Removal Disconnect Setting!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Application Version!
Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Client Type: WinNT Client Application Version: 5.0.07.0440
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for FWTYPE!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for DHCP hostname for DDNS is: DEC20128!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for UDP Port!
Jan 16 15:39:32 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Duplicate Phase 2 packet detected. No last packet to retransmit.
Jan 16 15:39:37 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=b04e830f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing hash payload
Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing notify payload
Jan 16 15:39:37 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Duplicate Phase 2 packet detected. No last packet to retransmit.
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE received response of type [] to a request from the IP address utility
Jan 16 15:39:39 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Cannot obtain an IP address for remote peer
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE TM V6 FSM error history (struct &0xd8030048) <state>, <event>: TM_DONE, EV_ERROR-->TM_BLD_REPLY, EV_IP_FAIL-->TM_BLD_REPLY, NullEvent-->TM_BLD_REPLY, EV_GET_IP-->TM_BLD_REPLY, EV_NEED_IP-->TM_WAIT_REQ, EV_PROC_MSG-->TM_WAIT_REQ, EV_HASH_OK-->TM_WAIT_REQ, NullEvent
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE AM Responder FSM error history (struct &0xd82b6740) <state>, <event>: AM_DONE, EV_ERROR-->AM_TM_INIT_MODECFG_V6H, EV_TM_FAIL-->AM_TM_INIT_MODECFG_V6H, NullEvent-->AM_TM_INIT_MODECFG, EV_WAIT-->AM_TM_INIT_XAUTH_V6H, EV_CHECK_QM_MSG-->AM_TM_INIT_XAUTH_V6H, EV_TM_XAUTH_OK-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE SA AM:bd3a9a4b terminating: flags 0x0945c001, refcnt 0, tuncnt 0
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, sending delete/delete with reason message
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing blank hash payload
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing IKE delete payload
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing qm hash payload
Jan 16 15:39:39 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=9de30522) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Regards,
Lay
For RADIUS you need an aaa-server definition:
aaa-server NPS-RADIUS protocol radius
aaa-server NPS-RADIUS (inside) host 10.10.18.12
key *****
authentication-port 1812
accounting-port 1813
and tell your tunnel-group to ask that server:
tunnel-group VPN general-attributes
authentication-server-group NPS-RADIUS LOCAL
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
-
DNS Server problems with ASA 5505
Hi guys,
we set up a new ASA 5505 which is mainly used as our VPN gateway. The ASA is configured and controlled by our ISP (and this is where the problem starts) and they somehow cannot manage to get the VPN settings really working.
So, here is our problem.
Our machines (Windows 7) are configured to get the network settings through DHCP (Windows 2012 Server).
Before I connect with AnyConnect to our VPN gateway, the DNS server setting in the network settings for the adapters (IPv4) is set to 'dynamic'.
When I now connect, this setting is changed to a static entry (which is our DNS server).
When disconnecting, it is not reverted back, which means I always have to do this manually.
What I do not understand is the fact that the DNS server is set for all the adapters; shouldn't it only be set on the AnyConnect adapter?
The interesting thing is that when I connect to a different ASA, this does not happen. The ISP is now saying that the machines are configured exactly the same and that they cannot reproduce it, but I can't believe this.
This issue shows up on every machine which connects to our VPN, so it is not only a single machine which might be misconfigured.
Do you have any idea what might cause this issue?
By the way, the second ASA (which works) is from our partner company, so we cannot simply copy the config.
Thanks in advance
Patrick
Nice to see someone from BT has addressed your issue.
I have this exact same problem, seems completely bizarre, I'm pretty sure I had the same problem with the original Home Hub (I have the latest one now). Can you confirm whether the problem does affect anyone with a BT Home Hub and not just the one that the DynDNS is pointing at? I'll try and confirm by hitting your domain from my home connection.
-
I originally posted this question to the community section and was advised to post it here. Please bear with me as this will be a long post. I'm including the scenarios involving this recurring issue, the troubleshooting steps I've already taken and the results of several diagnostic tools and logs.
I have had a Sony VAIO VPCEBB33FM laptop since 2011. I have had this issue on and off for a long time. I'm at my wit's end. Any new insights or suggestions would be greatly appreciated.
Scenario Details
1) Sometimes it's on and off throughout the day, sometimes it won't work all day, and once in a while it will work fine for the entire day.
2) I've had this issue across several wireless services, Clear Network accessed with WiMax, Library Wi-fi, Comcast cable internet using wireless router and Wi-fi, and Comcast Xfinity Wi-Fi, to name a few examples.
3) Other devices in the household or library will work with no problems such as my smart phone or my roommates' laptops or desktop computers.
4) Once in a while, the built-in wireless adapter is not found and I have to reinstall the driver. Also the diagnostic tool has had to reset my adapter on an increasing basis.
5) I had my hard drive replaced in December 2014 and my system restored from the System Restore disks that came with the laptop when I bought it. Even though I've been online on an infrequent basis, it worked just fine for a while. Now that I've been online a bit more I'm having the same issues again.
Below are my attempts at troubleshooting so far, but I still have not been able to consistently resolve my DNS issues:
1) Restarting my adapter
2) Turning off my laptop and removing the power supply for 5-10 minutes before turning it back on.
3) Using the IP Config in Command Prompt
ipconfig /flushdns
ipconfig /registerdns
ipconfig /release
ipconfig /renew
4) Using the NetSh reset in Command Prompt and restarting my laptop
netsh int ip reset c:\resetlog.txt
netsh winsock reset
ipconfig /flushdns
[restart laptop]
5) Configuring the TCP/IP in several settings
Select Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
I have used the following settings:
a) Obtain a DNS server address automatically
b) OpenDNS
208.67.222.222
208.67.220.220
c) Google DNS
8.8.8.8
8.8.4.4
6) Updating the driver for my Intel Centrino(R) Advanced-N 6250 AGN and Intel Centrino(R) WiMAX 6250 from the Intel website, prior to having my laptop wiped clean in 2014. It still did not resolve the issue. My laptop manufacturer has not come up with a driver update for my adapter since 2010. I haven't tried to update the adapter driver from Intel's website since having my laptop repaired, because Intel strongly recommends using the manufacturer's updates instead, and frankly it didn't make much of a difference when I did it the first time.
7) The last one I've tried as of today is going into Services and changing the start up type to automatic for the following:
Computer Browser [changed from manual to automatic]
DHCP Client [already set to automatic]
DNS Client [already set to automatic]
Network Connections [already set to automatic]
Network Location Awareness [changed from manual to automatic]
Remote Procedure Call (RPC) [already set to automatic]
Server [already set to automatic]
TCP/IP Netbios helper [already set to automatic]
Workstation [already set to automatic]
...and I'm still having DNS issues.
My only guesses are that my laptop came with a lemon adapter that needs to be replaced, some advanced setting(s) that I'm not aware of, or my firewall/anti-virus is interfering. I've used Symantec Anti-Virus and Firewall in the past and currently Avast Anti-Virus with Microsoft Network Firewall. I've had DNS issues with both anti-virus/firewall set-ups.
Below are the results from the diagnostics and tests that I've ran.
Windows Network Diagnostics
Your computer appears to be correctly configured, but the device or resource (DNS server) is not responding Detected Detected
Contact your network administrator or Internet service provider (ISP) Completed
Windows can't communicate with the device or resource (DNS server). The computer or service you are trying to reach might be...
Details about network adapter diagnosis:
Network adapter Wireless Network Connection driver information:
Description . . . . . . . . . . : Intel(R) Centrino(R) Advanced-N 6250 AGN
Manufacturer . . . . . . . . . : Intel Corporation
Provider . . . . . . . . . . . : Intel
Version . . . . . . . . . . . : 13.2.1.5
Inf File Name . . . . . . . . . : C:\Windows\INF\oem17.inf
Inf File Date . . . . . . . . . : Monday, June 14, 2010 9:05:44 AM
Section Name . . . . . . . . . : Install_MPCIEX_GEN_6250_AGN_2x2_HMC_WIN7_64_MOW
Hardware ID . . . . . . . . . . : pci\ven_8086&dev_0087&subsys_13018086
Instance Status Flags . . . . . : 0x180200a
Device Manager Status Code . . : 0
IfType . . . . . . . . . . . . : 71
Physical Media Type . . . . . . : 9
Informational Diagnostics Information (Wireless Connectivity)
Details about wireless connectivity diagnosis:
Information for connection being diagnosed
Interface GUID: 70a0781d-6329-45e4-8d7c-34aeca294c39
Interface name: Intel(R) Centrino(R) Advanced-N 6250 AGN
Interface type: Native WiFi
Connection incident diagnosed
Auto Configuration ID: 1
Connection ID: 1
Connection status summary
Connection started at: 2015-03-07 19:57:14-186
Profile match: Success
Pre-Association: Success
Association: Success
Security and Authentication: Success
List of visible access point(s): 22 item(s) total, 22 item(s) displayed
Connection History
Information for Auto Configuration ID 1
List of visible networks: 13 item(s) total, 13 item(s) displayed
List of preferred networks: 3 item(s)
Profile: xfinitywifi
SSID: xfinitywifi
SSID length: 11
Connection mode: Infra
Security: No
Set by group policy: No
Connect even if network is not broadcasting: No
Connectable: Yes
Profile: HTC Portable Hotspot 9F50
SSID: HTC Portable Hotspot 9F50
SSID length: 25
Connection mode: Infra
Security: Yes
Set by group policy: No
Connect even if network is not broadcasting: No
Connectable: No
Reason: 0x00028002
Profile: belkin.332
SSID: belkin.332
SSID length: 10
Connection mode: Infra
Security: Yes
Set by group policy: No
Connect even if network is not broadcasting: No
Connectable: No
Reason: 0x00028002
Information for Connection ID 1
Connection started at: 2015-03-07 19:57:14-186
Auto Configuration ID: 1
Profile: xfinitywifi
SSID: xfinitywifi
SSID length: 11
Connection mode: Infra
Security: No
Pre-Association and Association
Connectivity settings provided by hardware manufacturer (IHV): No
Security settings provided by hardware manufacturer (IHV): No
Profile matches network requirements: Success
Pre-association status: Success
Association status: Success
Last AP: 06-1d-d5-d5-34-f0
Security and Authentication
Configured security type: Open
Configured encryption type: None
802.1X protocol: No
Key exchange initiated: Yes
Unicast key received: No
Multicast key received: No
Number of security packets received: 0
Number of security packets sent: 0
Security attempt status: Success
Connectivity
Packet statistics
Ndis Rx: 2068
Ndis Tx: 2543
Unicast decrypt success: 0
Multicast decrypt success: 0
Unicast decrypt failure: 0
Multicast decrypt failure: 0
Rx success: 3954
Rx failure: 0
Tx success: 537
Tx failure: 4
Tx retry: 2
Tx multiple retry: 2
Tx max lifetime exceeded: 0
Tx ACK failure: 18
Roaming history: 0 item(s)
Informational
Diagnostics Information (Wireless Connectivity)
Details about wireless connectivity diagnosis:
For complete information about this session see the wireless connectivity information event.
Helper Class: Auto Configuration
Initialize status: Success
Information for connection being diagnosed
Interface GUID: 70a0781d-6329-45e4-8d7c-34aeca294c39
Interface name: Intel(R) Centrino(R) Advanced-N 6250 AGN
Interface type: Native WiFi
Result of diagnosis: There may be problem
Network Connection details from Command Prompt (some info hidden for security reasons)
Connection-specific DNS Suffix:
Description: Intel(R) Centrino(R) Advanced-N 6250 AGN
Physical Address: 00-23-15-54-19-B8
DHCP Enabled: Yes
IPv4 Address: 192.168.X.XX
IPv4 Subnet Mask: 255.255.XX.X
Lease Obtained: Saturday, March 07, 2015 7:57:14 PM
Lease Expires: Saturday, March 07, 2015 8:24:44 PM
IPv4 Default Gateway: 192.168.X.X
IPv4 DHCP Server: 192.168.X.X
IPv4 DNS Servers: 75.75.75.75, 75.75.76.76
IPv4 WINS Server:
NetBIOS over Tcpip Enabled: Yes
Link-local IPv6 Address: fe80::b8de:3ac9:e166:XXX%XX
IPv6 Default Gateway:
IPv6 DNS Server:
Results of Ping and Trace Route in Command Prompt
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>ping 127.0.0.1
Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Ping statistics for 127.0.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\Windows\system32>ping www.youtube.com
Pinging youtube-ui.l.google.com [173.194.121.6] with 32 bytes of data:
Reply from 173.194.121.6: bytes=32 time=24ms TTL=55
Reply from 173.194.121.6: bytes=32 time=19ms TTL=55
Request timed out.
Request timed out.
Ping statistics for 173.194.121.6:
Packets: Sent = 4, Received = 2, Lost = 2 (50% loss),
Approximate round trip times in milli-seconds:
Minimum = 19ms, Maximum = 24ms, Average = 21ms
C:\Windows\system32>ping 74.125.239.34
Pinging 74.125.239.34 with 32 bytes of data:
Request timed out.
Request timed out.
Reply from 74.125.239.34: bytes=32 time=3286ms TTL=50
Request timed out.
Ping statistics for 74.125.239.34:
Packets: Sent = 4, Received = 1, Lost = 3 (75% loss),
Approximate round trip times in milli-seconds:
Minimum = 3286ms, Maximum = 3286ms, Average = 3286ms
C:\Windows\system32>ping www.hotmail.com
Pinging dispatch.kahuna.glbdns2.microsoft.com [65.55.157.204] with 32 bytes of data:
Reply from 65.55.157.204: bytes=32 time=111ms TTL=237
Request timed out.
Request timed out.
Reply from 65.55.157.204: bytes=32 time=1537ms TTL=237
Ping statistics for 65.55.157.204:
Packets: Sent = 4, Received = 2, Lost = 2 (50% loss),
Approximate round trip times in milli-seconds:
Minimum = 111ms, Maximum = 1537ms, Average = 824ms
C:\Windows\system32>ping 207.46.11.236
Pinging 207.46.11.236 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 207.46.11.236:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\Windows\system32>tracert www.youtube.com
Tracing route to youtube-ui.l.google.com [173.194.121.5]
over a maximum of 30 hops:
1 19 ms 13 ms 17 ms xfwsr12-nwca-01.sys.comcast.net [68.85.15.244]
2 13 ms 13 ms 27 ms ae-14-32767-ar03.newcastle.de.panjde.comcast.net [68.85.192.205]
3 20 ms 26 ms 21 ms he-5-10-0-0-cr01.ashburn.va.ibone.comcast.net [68.86.94.249]
4 18 ms 34 ms 22 ms he-0-13-0-0-pe07.ashburn.va.ibone.comcast.net [68.86.86.50]
5 19 ms 18 ms 18 ms 50-248-116-190-static.hfc.comcastbusiness.net [50.248.116.190]
6 35 ms 18 ms 18 ms 209.85.249.217
7 21 ms 19 ms 19 ms 72.14.233.93
8 * * * Request timed out.
9 * 2509 ms 677 ms iad23s25-in-f5.1e100.net [173.194.121.5]
Trace complete.
C:\Windows\system32>tracert 74.125.239.34
Tracing route to nuq04s19-in-f2.1e100.net [74.125.239.34]
over a maximum of 30 hops:
1 54 ms 23 ms 12 ms xfwsr12-nwca-01.sys.comcast.net [68.85.15.244]
2 22 ms 19 ms 17 ms ae-14-32767-ar03.newcastle.de.panjde.comcast.net [68.85.192.205]
3 19 ms 19 ms 18 ms he-5-14-0-0-cr01.ashburn.va.ibone.comcast.net [68.86.166.121]
4 18 ms 18 ms 18 ms he-0-15-0-0-cr01.350ecermak.il.ibone.comcast.net [68.86.85.74]
5 19 ms 18 ms 22 ms 50-248-116-190-static.hfc.comcastbusiness.net [50.248.116.190]
6 22 ms 36 ms 19 ms 209.85.249.217
7 26 ms 23 ms 25 ms 209.85.143.112
8 * * * Request timed out.
9 * * * Request timed out.
10 972 ms * * 216.239.51.97
11 148 ms 97 ms 95 ms 216.239.46.241
12 324 ms 130 ms 432 ms 209.85.246.252
13 * * * Request timed out.
14 1403 ms 101 ms 126 ms nuq04s19-in-f2.1e100.net [74.125.239.34]
Trace complete.
C:\Windows\system32>tracert www.hotmail.com
Tracing route to dispatch.kahuna.glbdns2.microsoft.com [65.55.157.144]
over a maximum of 30 hops:
1 13 ms 13 ms 25 ms xfwsr12-nwca-01.sys.comcast.net [68.85.15.244]
2 13 ms 15 ms 13 ms ae-14-32767-ar03.newcastle.de.panjde.comcast.net [68.85.192.205]
3 20 ms 19 ms 17 ms he-5-13-0-0-cr01.ashburn.va.ibone.comcast.net [68.86.95.145]
4 17 ms 20 ms 20 ms he-0-13-0-0-pe07.ashburn.va.ibone.comcast.net [68.86.86.50]
5 17 ms 18 ms 38 ms as8075-2-c.ashburn.va.ibone.comcast.net [173.167.58.82]
6 18 ms 18 ms 36 ms ae4-0.ash-96cbe-1a.ntwk.msn.net [207.46.36.172]
7 * * * Request timed out.
8 * 2191 ms 35 ms ae0-0.atb-96cbe-1b.ntwk.msn.net [191.234.81.167]
9 * * * Request timed out.
10 * * * Request timed out.
11 86 ms 84 ms 84 ms ae4-0.lax-96cbe-1a.ntwk.msn.net [191.234.83.150]
12 86 ms 86 ms 87 ms ae9-0.by2-96c-1a.ntwk.msn.net [207.46.42.176]
13 * * * Request timed out.
14 * * * Request timed out.
15 * * * Request timed out.
16 * * * Request timed out.
17 87 ms 84 ms 85 ms origin.by173w.bay173.mail.live.com [65.55.157.144]
Trace complete.
C:\Users\C.Cunningham>tracert 207.46.11.236
Tracing route to origin.by181w.bay181.mail.live.com [207.46.11.236]
over a maximum of 30 hops:
1 16 ms 16 ms 19 ms xfwsr12-nwca-01.sys.comcast.net [68.85.15.244]
2 18 ms 13 ms 13 ms ae-14-32767-ar03.newcastle.de.panjde.comcast.net [68.85.192.205]
3 21 ms 19 ms 21 ms he-5-12-0-0-cr01.ashburn.va.ibone.comcast.net [68.86.95.141]
4 18 ms 21 ms 18 ms he-0-13-0-0-pe07.ashburn.va.ibone.comcast.net [68.86.86.50]
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 * * * Request timed out.
11 * * * Request timed out.
12 * * * Request timed out.
13 * * * Request timed out.
14 * * * Request timed out.
15 * * * Request timed out.
16 * * * Request timed out.
17 * * * Request timed out.
18 * * * Request timed out.
19 * * * Request timed out.
20 * * * Request timed out.
21 * * * Request timed out.
22 * * * Request timed out.
23 * * * Request timed out.
24 * * * Request timed out.
25 * * * Request timed out.
26 * * * Request timed out.
27 * * * Request timed out.
28 * * * Request timed out.
29 * * * Request timed out.
30 * * * Request timed out.
Trace complete.
Results of Intel WiFi Manual Diagnostics
Test Name Test Result Test Summary
Hardware Test Passed Wireless Hardware is enabled
Driver Test Passed Driver is loaded. NETwNs64 Version 13.3.0.24
Radio Test Passed Radio is ON
Scan Test Passed There are 25 Networks available to connect
Association Test Passed Associated
Authentication Test Passed Authenticated
Signal Test Passed Signal Quality: Poor
Ping Test Failed No Response: default gateway, DHCP server
I hope this information is enough to get to the root of this problem once and for all. Please let me know if you need any other information, such as event logs or statistics.
Thanks in advance.
Results of Intel WiFi Event View Log (I deleted some lines since they were basically repeats of the same messages)
# | Event Source | Time | Error Severity | Domain | User | Description
45 EvtEngine | 3/8/2015 20:40 | Success | Connection | SYSTEM | iAMT - Failed to read Windows Events Log
46 S24EvMon | 3/8/2015 20:41 | Information | AppDriver | SYSTEM | Getting List of adapters.
47 S24EvMon | 3/8/2015 20:41 | Information | AppDriver | SYSTEM | Intel adapter(s) found.
156 S24EvMon | 3/8/2015 20:47 | Information | Driver | SYSTEM | AddToExclude 06:1d:d5:d5:34:f0 xfinitywifi 6 WEV_EXCLUDE_LIST_REASON_802_11_AUTH_FAILURE
157 S24EvMon | 3/8/2015 20:47 | Information | Driver | SYSTEM | ATC 06:1d:cf:2a:44:c0 xfinitywifi 6 RSSI=-88
158 S24EvMon | 3/8/2015 20:47 | Error | Driver | SYSTEM | AssociationFailure 06:1d:cf:2a:44:c0 xfinitywifi 6 CNCT_GENERAL_FAILURE
159 S24EvMon | 3/8/2015 20:47 | Information | Driver | SYSTEM | AddToExclude 06:1d:cf:2a:44:c0 xfinitywifi 6 WEV_EXCLUDE_LIST_REASON_802_11_ASSOC_FAILURE
160 S24EvMon | 3/8/2015 20:47 | Information | Driver | SYSTEM | ATC 06:1d:d5:d5:34:f0 xfinitywifi 6 RSSI=-79
161 S24EvMon | 3/8/2015 20:47 | Success | Driver | SYSTEM | RxAuthSuccess 06:1d:d5:d5:34:f0 6
162 S24EvMon | 3/8/2015 20:47 | Success | Driver | SYSTEM | RxAssocResp 06:1d:d5:d5:34:f0 6 -77
163 S24EvMon | 3/8/2015 20:49 | Information | TCP/IP | SYSTEM | VoIP: Got link down - deleting flows .
164 S24EvMon | 3/8/2015 20:49 | Information | Driver | SYSTEM | ATC 06:1d:d4:eb:87:00 xfinitywifi 11 RSSI=-88
165 S24EvMon | 3/8/2015 20:49 | Error | Driver | SYSTEM | AssociationFailure 06:1d:d4:eb:87:00 xfinitywifi 11 CNCT_GENERAL_FAILURE
166 S24EvMon | 3/8/2015 20:49 | Information | Driver | SYSTEM | AddToExclude 06:1d:d4:eb:87:00 xfinitywifi 11 WEV_EXCLUDE_LIST_REASON_802_11_ASSOC_FAILURE
167 S24EvMon | 3/8/2015 20:49 | Information | Driver | SYSTEM | ATC 06:1d:d4:eb:87:00 xfinitywifi 11 RSSI=-89
168 S24EvMon | 3/8/2015 20:49 | Error | Driver | SYSTEM | AssociationFailure 06:1d:d4:eb:87:00 xfinitywifi 11 CNCT_GENERAL_FAILURE
169 S24EvMon | 3/8/2015 20:49 | Information | Driver | SYSTEM | AddToExclude 06:1d:d4:eb:87:00 xfinitywifi 11 WEV_EXCLUDE_LIST_REASON_802_11_ASSOC_FAILURE
170 S24EvMon | 3/8/2015 20:49 | Information | Driver | SYSTEM | ATC 06:1d:d4:eb:87:00 xfinitywifi 11 RSSI=-90
171 S24EvMon | 3/8/2015 20:49 | Error | Driver | SYSTEM | AssociationFailure 06:1d:d4:eb:87:00 xfinitywifi 11 CNCT_GENERAL_FAILURE
172 S24EvMon | 3/8/2015 20:49 | Information | Driver | SYSTEM | ATC 06:1d:d5:d5:34:f0 xfinitywifi 6 RSSI=-82
173 S24EvMon | 3/8/2015 20:49 | Success | Driver | SYSTEM | RxAuthSuccess 06:1d:d5:d5:34:f0 6
174 S24EvMon | 3/8/2015 20:49 | Success | Driver | SYSTEM | RxAssocResp 06:1d:d5:d5:34:f0 6 -81
175 S24EvMon | 3/8/2015 20:50 | Information | Driver | SYSTEM | AddToExclude 06:1d:d5:d5:34:f0 xfinitywifi 6 WEV_EXCLUDE_LIST_REASON_802_11_AUTH_FAILURE
176 S24EvMon | 3/8/2015 20:50 | Information | Driver | SYSTEM | ATC 06:1d:d5:d5:34:f0 xfinitywifi 6 RSSI=-79
177 S24EvMon | 3/8/2015 20:50 | Success | Driver | SYSTEM | RxAuthSuccess 06:1d:d5:d5:34:f0 6
178 S24EvMon | 3/8/2015 20:50 | Success | Driver | SYSTEM | RxAssocResp 06:1d:d5:d5:34:f0 6 -80
179 S24EvMon | 3/8/2015 21:03 | Information | Driver | SYSTEM | RoamTrigger 06:1d:d5:d5:34:f0 xfinitywifi 6 RSSI=-81 MisBcn=8 RSSITh=-85 Roam Other Reason
186 S24EvMon | 3/8/2015 21:21 | Information | General | SYSTEM | DeviceIoCtrlS24NDIS: (2) Failed to send OID 0xff100055 to driver. Error - 31
187 S24EvMon | 3/8/2015 21:21 | Information | General | SYSTEM | DeviceIoCtrlS24NDIS - Dot11ExtNicSpecificExtension failed (31) -
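The Intel S24EvMon driver events above are easier to read once rolled up per access point (which BSSID failed association, at what signal level, and which ones were put on the exclude list). The following is an added example written for this thread, not code from the original post or from Intel's tooling; the EVENTS rows are constructed in a one-event-per-line, pipe-separated layout shaped like the log above, and the -85 dBm "weak signal" threshold is an assumption borrowed from the RSSITh value the driver itself reports in its RoamTrigger event.

```python
"""Per-BSSID roll-up of Intel PROSet/Wireless (S24EvMon) driver events.

Added example; not part of the original post. EVENTS is constructed sample
input shaped like the thread's event log, one event per line.
"""
import re
from collections import defaultdict

EVENTS = """\
156 S24EvMon | 3/8/2015 20:47 | Information | Driver | SYSTEM | AddToExclude 06:1d:d5:d5:34:f0 xfinitywifi 6 WEV_EXCLUDE_LIST_REASON_802_11_AUTH_FAILURE
157 S24EvMon | 3/8/2015 20:47 | Information | Driver | SYSTEM | ATC 06:1d:cf:2a:44:c0 xfinitywifi 6 RSSI=-88
158 S24EvMon | 3/8/2015 20:47 | Error | Driver | SYSTEM | AssociationFailure 06:1d:cf:2a:44:c0 xfinitywifi 6 CNCT_GENERAL_FAILURE
160 S24EvMon | 3/8/2015 20:47 | Information | Driver | SYSTEM | ATC 06:1d:d5:d5:34:f0 xfinitywifi 6 RSSI=-79
161 S24EvMon | 3/8/2015 20:47 | Success | Driver | SYSTEM | RxAuthSuccess 06:1d:d5:d5:34:f0 6
162 S24EvMon | 3/8/2015 20:47 | Success | Driver | SYSTEM | RxAssocResp 06:1d:d5:d5:34:f0 6 -77
164 S24EvMon | 3/8/2015 20:49 | Information | Driver | SYSTEM | ATC 06:1d:d4:eb:87:00 xfinitywifi 11 RSSI=-88
165 S24EvMon | 3/8/2015 20:49 | Error | Driver | SYSTEM | AssociationFailure 06:1d:d4:eb:87:00 xfinitywifi 11 CNCT_GENERAL_FAILURE
167 S24EvMon | 3/8/2015 20:49 | Information | Driver | SYSTEM | ATC 06:1d:d4:eb:87:00 xfinitywifi 11 RSSI=-89
168 S24EvMon | 3/8/2015 20:49 | Error | Driver | SYSTEM | AssociationFailure 06:1d:d4:eb:87:00 xfinitywifi 11 CNCT_GENERAL_FAILURE
179 S24EvMon | 3/8/2015 21:03 | Information | Driver | SYSTEM | RoamTrigger 06:1d:d5:d5:34:f0 xfinitywifi 6 RSSI=-81 MisBcn=8 RSSITh=-85 Roam Other Reason
186 S24EvMon | 3/8/2015 21:21 | Information | General | SYSTEM | DeviceIoCtrlS24NDIS: (2) Failed to send OID 0xff100055 to driver. Error - 31
"""

BSSID = re.compile(r"\b([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b", re.I)
RSSI = re.compile(r"RSSI=(-\d+)")


def parse_events(text):
    """Split each pipe-delimited row into a dict; rows without six columns are skipped."""
    out = []
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) != 6:
            continue
        seq, source = cols[0].split(None, 1)
        out.append({"seq": int(seq), "source": source, "time": cols[1],
                    "severity": cols[2], "domain": cols[3], "user": cols[4],
                    "desc": cols[5]})
    return out


def summarize_by_bssid(events):
    """Roll up Driver-domain events per AP: SSID, channel, RSSI samples, and outcome counters."""
    summary = defaultdict(lambda: {"ssid": None, "channel": None, "rssi": [],
                                   "auth_ok": 0, "assoc_ok": 0, "assoc_fail": 0,
                                   "excluded": []})
    for ev in events:
        if ev["domain"] != "Driver":
            continue
        m = BSSID.search(ev["desc"])
        if not m:
            continue
        ap = summary[m.group(1).lower()]
        verb, *rest = ev["desc"].split()
        # Most driver messages are "<Verb> <bssid> <ssid> <channel> ...";
        # RxAuthSuccess / RxAssocResp are "<Verb> <bssid> <channel> [<rssi>]".
        if verb in ("ATC", "AssociationFailure", "AddToExclude", "RoamTrigger"):
            ap["ssid"], ap["channel"] = rest[1], int(rest[2])
        else:
            ap["channel"] = int(rest[1])
        if verb in ("ATC", "RoamTrigger"):
            ap["rssi"].append(int(RSSI.search(ev["desc"]).group(1)))
        elif verb == "RxAssocResp":
            ap["rssi"].append(int(rest[2]))
            ap["assoc_ok"] += 1
        elif verb == "RxAuthSuccess":
            ap["auth_ok"] += 1
        elif verb == "AssociationFailure":
            ap["assoc_fail"] += 1
        elif verb == "AddToExclude":
            ap["excluded"].append(rest[3])
    return dict(summary)


def weak_signal_aps(summary, threshold=-85):
    """BSSIDs whose weakest observed RSSI is below threshold (assumed cut-off, in dBm)."""
    return [b for b, ap in summary.items() if ap["rssi"] and min(ap["rssi"]) < threshold]


if __name__ == "__main__":
    report = summarize_by_bssid(parse_events(EVENTS))
    for bssid, ap in sorted(report.items()):
        print(bssid, ap)
    print("weak:", weak_signal_aps(report))
```

The General-domain DeviceIoCtrl row carries no BSSID and is ignored; with the sample above the roll-up shows the channel-11 AP failing association at -88/-89 dBm while the channel-6 AP authenticates and associates but is later excluded for an 802.11 auth failure.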
Problem with Remote Access VPN on ASA 5505
I am currently having an issue configuring an ASA 5505 to connect via remote access VPN using the Cisco VPN Client 5.0.07.0440 running on Windows 8 Pro x64. The VPN client prompts for the username and password during the connect process, but fails soon after.
The VPN client logs are as follows:
Cisco Systems VPN Client Version 5.0.07.0440
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.2.9200
2 15:09:21.240 12/11/12 Sev=Info/4 CM/0x63100002
Begin connection process
3 15:09:21.287 12/11/12 Sev=Info/4 CM/0x63100004
Establish secure connection
4 15:09:21.287 12/11/12 Sev=Info/4 CM/0x63100024
Attempt connection with server "**.**.***.***"
5 15:09:21.287 12/11/12 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with **.**.***.***.
6 15:09:21.287 12/11/12 Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation
7 15:09:21.303 12/11/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to **.**.***.***
8 15:09:21.365 12/11/12 Sev=Info/6 GUI/0x63B00012
Authentication request attributes is 6h.
9 15:09:21.334 12/11/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
10 15:09:21.334 12/11/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from **.**.***.***
11 15:09:21.334 12/11/12 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
12 15:09:21.334 12/11/12 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
13 15:09:21.334 12/11/12 Sev=Info/5 IKE/0x63000001
Peer supports DPD
14 15:09:21.334 12/11/12 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
15 15:09:21.334 12/11/12 Sev=Info/5 IKE/0x63000001
Peer supports IKE fragmentation payloads
16 15:09:21.334 12/11/12 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
17 15:09:21.334 12/11/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to **.**.***.***
18 15:09:21.334 12/11/12 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
19 15:09:21.334 12/11/12 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0xFBCE, Remote Port = 0x1194
20 15:09:21.334 12/11/12 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device
21 15:09:21.334 12/11/12 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
22 15:09:21.365 12/11/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
23 15:09:21.365 12/11/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from **.**.***.***
24 15:09:21.365 12/11/12 Sev=Info/4 CM/0x63100015
Launch xAuth application
25 15:09:21.474 12/11/12 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
26 15:09:21.474 12/11/12 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
27 15:09:27.319 12/11/12 Sev=Info/4 CM/0x63100017
xAuth application returned
28 15:09:27.319 12/11/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to **.**.***.***
29 15:09:27.365 12/11/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
30 15:09:27.365 12/11/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from **.**.***.***
31 15:09:27.365 12/11/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to **.**.***.***
32 15:09:27.365 12/11/12 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
33 15:09:27.365 12/11/12 Sev=Info/5 IKE/0x6300005E
Client sending a firewall request to concentrator
34 15:09:27.365 12/11/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to **.**.***.***
35 15:09:27.397 12/11/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
36 15:09:27.397 12/11/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from **.**.***.***
37 15:09:27.397 12/11/12 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 192.168.2.70
38 15:09:27.397 12/11/12 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0
39 15:09:27.397 12/11/12 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 192.168.2.1
40 15:09:27.397 12/11/12 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 8.8.8.8
41 15:09:27.397 12/11/12 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000001
42 15:09:27.397 12/11/12 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = NCHCO
43 15:09:27.397 12/11/12 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
44 15:09:27.397 12/11/12 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5505 Version 8.2(5) built by builders on Fri 20-May-11 16:00
45 15:09:27.397 12/11/12 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT: , value = 0x00000001
46 15:09:27.397 12/11/12 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194
47 15:09:27.397 12/11/12 Sev=Info/4 CM/0x63100019
Mode Config data received
48 15:09:27.412 12/11/12 Sev=Info/4 IKE/0x63000056
Received a key request from Driver: Local IP = 192.168.2.70, GW IP = **.**.***.***, Remote IP = 0.0.0.0
49 15:09:27.412 12/11/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to **.**.***.***
50 15:09:27.444 12/11/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
51 15:09:27.444 12/11/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from **.**.***.***
52 15:09:27.444 12/11/12 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds
53 15:09:27.444 12/11/12 Sev=Info/5 IKE/0x63000047
This SA has already been alive for 6 seconds, setting expiry to 86394 seconds from now
54 15:09:27.459 12/11/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
55 15:09:27.459 12/11/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from **.**.***.***
56 15:09:27.459 12/11/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to **.**.***.***
57 15:09:27.459 12/11/12 Sev=Info/4 IKE/0x63000049
Discarding IPsec SA negotiation, MsgID=CE99A8A8
58 15:09:27.459 12/11/12 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=A3A341F1C7606AD5 R_Cookie=F1F403018625E924) reason = DEL_REASON_IKE_NEG_FAILED
59 15:09:27.459 12/11/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
60 15:09:27.459 12/11/12 Sev=Info/4 IKE/0x63000058
Received an ISAKMP message for a non-active SA, I_Cookie=A3A341F1C7606AD5 R_Cookie=F1F403018625E924
61 15:09:27.459 12/11/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(Dropped) from **.**.***.***
62 15:09:27.490 12/11/12 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
63 15:09:30.475 12/11/12 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=A3A341F1C7606AD5 R_Cookie=F1F403018625E924) reason = DEL_REASON_IKE_NEG_FAILED
64 15:09:30.475 12/11/12 Sev=Info/4 CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED". 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
65 15:09:30.475 12/11/12 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
66 15:09:30.475 12/11/12 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
67 15:09:30.475 12/11/12 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
68 15:09:30.475 12/11/12 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
69 15:09:30.475 12/11/12 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
70 15:09:30.475 12/11/12 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
71 15:09:30.475 12/11/12 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
The running configuration is as follows (there is a site-to-site VPN set up as well to another ASA 5505, but that is working flawlessly):
: Saved
ASA Version 8.2(5)
hostname NCHCO
enable password hTjwXz/V8EuTw9p9 encrypted
passwd hTjwXz/V8EuTw9p9 encrypted
names
name 192.168.2.0 NCHCO description City Offices
name 192.168.2.80 VPN_End
name 192.168.2.70 VPN_Start
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address **.**.***.*** 255.255.255.248
boot system disk0:/asa825-k8.bin
ftp mode passive
access-list outside_nat0_outbound extended permit ip NCHCO 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip NCHCO 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.2.64 255.255.255.224
access-list outside_1_cryptomap extended permit ip NCHCO 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip NCHCO 255.255.255.0 192.168.1.0 255.255.255.0
access-list LAN_Access standard permit NCHCO 255.255.255.0
access-list LAN_Access standard permit 0.0.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_Pool VPN_Start-VPN_End mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 0 access-list outside_nat0_outbound
route outside 0.0.0.0 0.0.0.0 74.219.208.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
network-acl outside_nat0_outbound
webvpn
svc ask enable default svc
http server enable
http 192.168.1.0 255.255.255.0 inside
http **.**.***.*** 255.255.255.255 outside
http 74.218.158.238 255.255.255.255 outside
http NCHCO 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set l2tp-transform esp-3des esp-sha-hmac
crypto ipsec transform-set l2tp-transform mode transport
crypto ipsec transform-set vpn-transform esp-aes-256 esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map dyn-map 10 set pfs group1
crypto dynamic-map dyn-map 10 set transform-set l2tp-transform vpn-transform
crypto dynamic-map dyn-map 10 set reverse-route
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 74.219.208.50
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map vpn-map 1 match address outside_1_cryptomap_1
crypto map vpn-map 1 set pfs group1
crypto map vpn-map 1 set peer 74.219.208.50
crypto map vpn-map 1 set transform-set ESP-3DES-SHA
crypto map vpn-map 10 ipsec-isakmp dynamic dyn-map
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 15
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 35
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
client-update enable
telnet 192.168.1.0 255.255.255.0 inside
telnet NCHCO 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh NCHCO 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.150-192.168.2.225 inside
dhcpd dns 216.68.4.10 216.68.5.10 interface inside
dhcpd lease 64000 interface inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.2.1
vpn-tunnel-protocol IPSec l2tp-ipsec
default-domain value nchco.local
group-policy DfltGrpPolicy attributes
dns-server value 192.168.2.1
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
password-storage enable
ipsec-udp enable
intercept-dhcp 255.255.255.0 enable
address-pools value VPN_Pool
group-policy NCHVPN internal
group-policy NCHVPN attributes
dns-server value 192.168.2.1 8.8.8.8
vpn-tunnel-protocol IPSec l2tp-ipsec
default-domain value NCHCO
username admin password LbMiJuAJjDaFb2uw encrypted privilege 15
username 8njferg password yB1lHEVmHZGj5C2Z encrypted privilege 15
username NCHvpn99 password QhZZtJfwbnowceB7 encrypted
tunnel-group DefaultRAGroup general-attributes
address-pool (inside) VPN_Pool
address-pool VPN_Pool
authentication-server-group (inside) LOCAL
authentication-server-group (outside) LOCAL
authorization-server-group LOCAL
authorization-server-group (inside) LOCAL
authorization-server-group (outside) LOCAL
default-group-policy DefaultRAGroup
strip-realm
strip-group
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
peer-id-validate nocheck
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup ppp-attributes
authentication pap
authentication ms-chap-v2
tunnel-group 74.219.208.50 type ipsec-l2l
tunnel-group 74.219.208.50 ipsec-attributes
pre-shared-key *****
tunnel-group NCHVPN type remote-access
tunnel-group NCHVPN general-attributes
address-pool VPN_Pool
default-group-policy NCHVPN
tunnel-group NCHVPN ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:15852745977ff159ba808c4a4feb61fa
: end
asdm image disk0:/asdm-645.bin
asdm location VPN_Start 255.255.255.255 inside
asdm location VPN_End 255.255.255.255 inside
no asdm history enable
Anyone have any idea why this is happening?
Thanks!

Thanks again for your reply, and sorry about the late response; I haven't gotten back to this issue until just now. I applied the above command as you specified, and unfortunately it did not resolve the problem. Below are the logs from the VPN Client for the connection plus an attempted browse of a network share that is behind the ASA, and the new running configuration.
VPN Client Log:
Cisco Systems VPN Client Version 5.0.07.0440
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.2.9200
331 13:11:41.362 12/17/12 Sev=Info/4 CM/0x63100002
Begin connection process
332 13:11:41.362 12/17/12 Sev=Info/4 CM/0x63100004
Establish secure connection
333 13:11:41.362 12/17/12 Sev=Info/4 CM/0x63100024
Attempt connection with server "69.61.228.178"
334 13:11:41.362 12/17/12 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 69.61.228.178.
335 13:11:41.362 12/17/12 Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation
336 13:11:41.424 12/17/12 Sev=Info/6 GUI/0x63B00012
Authentication request attributes is 6h.
337 13:11:41.362 12/17/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 69.61.228.178
338 13:11:41.393 12/17/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 69.61.228.178
339 13:11:41.393 12/17/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from 69.61.228.178
340 13:11:41.393 12/17/12 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
341 13:11:41.393 12/17/12 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
342 13:11:41.393 12/17/12 Sev=Info/5 IKE/0x63000001
Peer supports DPD
343 13:11:41.393 12/17/12 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
344 13:11:41.393 12/17/12 Sev=Info/5 IKE/0x63000001
Peer supports IKE fragmentation payloads
345 13:11:41.393 12/17/12 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
346 13:11:41.393 12/17/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 69.61.228.178
347 13:11:41.393 12/17/12 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
348 13:11:41.393 12/17/12 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0xD271, Remote Port = 0x1194
349 13:11:41.393 12/17/12 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device
350 13:11:41.393 12/17/12 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
351 13:11:41.424 12/17/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 69.61.228.178
352 13:11:41.424 12/17/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 69.61.228.178
353 13:11:41.424 12/17/12 Sev=Info/4 CM/0x63100015
Launch xAuth application
354 13:11:41.424 12/17/12 Sev=Info/4 CM/0x63100017
xAuth application returned
355 13:11:41.424 12/17/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 69.61.228.178
356 13:11:41.456 12/17/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 69.61.228.178
357 13:11:41.456 12/17/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 69.61.228.178
358 13:11:41.456 12/17/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 69.61.228.178
359 13:11:41.456 12/17/12 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
360 13:11:41.456 12/17/12 Sev=Info/5 IKE/0x6300005E
Client sending a firewall request to concentrator
361 13:11:41.456 12/17/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 69.61.228.178
362 13:11:41.502 12/17/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 69.61.228.178
363 13:11:41.502 12/17/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 69.61.228.178
364 13:11:41.502 12/17/12 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 192.168.2.70
365 13:11:41.502 12/17/12 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0
366 13:11:41.502 12/17/12 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 192.168.2.1
367 13:11:41.502 12/17/12 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 8.8.8.8
368 13:11:41.502 12/17/12 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000001
369 13:11:41.502 12/17/12 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000001
370 13:11:41.502 12/17/12 Sev=Info/5 IKE/0x6300000F
SPLIT_NET #1
subnet = 192.168.2.0
mask = 255.255.255.0
protocol = 0
src port = 0
dest port=0
371 13:11:41.502 12/17/12 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = NCHCO.local
372 13:11:41.502 12/17/12 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
373 13:11:41.502 12/17/12 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5505 Version 8.4(1) built by builders on Mon 31-Jan-11 02:11
374 13:11:41.502 12/17/12 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT: , value = 0x00000001
375 13:11:41.502 12/17/12 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194
376 13:11:41.502 12/17/12 Sev=Info/4 CM/0x63100019
Mode Config data received
377 13:11:41.502 12/17/12 Sev=Info/4 IKE/0x63000056
Received a key request from Driver: Local IP = 192.168.2.70, GW IP = 69.61.228.178, Remote IP = 0.0.0.0
378 13:11:41.502 12/17/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 69.61.228.178
379 13:11:41.534 12/17/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 69.61.228.178
380 13:11:41.534 12/17/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 69.61.228.178
381 13:11:41.534 12/17/12 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds
382 13:11:41.534 12/17/12 Sev=Info/5 IKE/0x63000047
This SA has already been alive for 0 seconds, setting expiry to 86400 seconds from now
383 13:11:41.549 12/17/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 69.61.228.178
384 13:11:41.549 12/17/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NOTIFY:STATUS_RESP_LIFETIME) from 69.61.228.178
385 13:11:41.549 12/17/12 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 28800 seconds
386 13:11:41.549 12/17/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH) to 69.61.228.178
387 13:11:41.549 12/17/12 Sev=Info/5 IKE/0x63000059
Loading IPsec SA (MsgID=C4F5B5A6 OUTBOUND SPI = 0xD2DBADEA INBOUND SPI = 0x14762837)
388 13:11:41.549 12/17/12 Sev=Info/5 IKE/0x63000025
Loaded OUTBOUND ESP SPI: 0xD2DBADEA
389 13:11:41.549 12/17/12 Sev=Info/5 IKE/0x63000026
Loaded INBOUND ESP SPI: 0x14762837
390 13:11:41.549 12/17/12 Sev=Info/5 CVPND/0x63400013
Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.162 10
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306
127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306
127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
192.168.1.0 255.255.255.0 192.168.1.162 192.168.1.162 266
192.168.1.162 255.255.255.255 192.168.1.162 192.168.1.162 266
192.168.1.255 255.255.255.255 192.168.1.162 192.168.1.162 266
224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306
224.0.0.0 240.0.0.0 192.168.1.162 192.168.1.162 266
255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
255.255.255.255 255.255.255.255 192.168.1.162 192.168.1.162 266
391 13:11:41.877 12/17/12 Sev=Info/6 CVPND/0x63400001
Launch VAInst64 to control IPSec Virtual Adapter
392 13:11:43.455 12/17/12 Sev=Info/4 CM/0x63100034
The Virtual Adapter was enabled:
IP=192.168.2.70/255.255.255.0
DNS=192.168.2.1,8.8.8.8
WINS=0.0.0.0,0.0.0.0
Domain=NCHCO.local
Split DNS Names=
393 13:11:43.455 12/17/12 Sev=Info/5 CVPND/0x63400013
Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.162 10
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306
127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306
127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
192.168.1.0 255.255.255.0 192.168.1.162 192.168.1.162 266
192.168.1.162 255.255.255.255 192.168.1.162 192.168.1.162 266
192.168.1.255 255.255.255.255 192.168.1.162 192.168.1.162 266
224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306
224.0.0.0 240.0.0.0 192.168.1.162 192.168.1.162 266
224.0.0.0 240.0.0.0 0.0.0.0 0.0.0.0 266
255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
255.255.255.255 255.255.255.255 192.168.1.162 192.168.1.162 266
255.255.255.255 255.255.255.255 0.0.0.0 0.0.0.0 266
394 13:11:47.517 12/17/12 Sev=Info/4 CM/0x63100038
Successfully saved route changes to file.
395 13:11:47.517 12/17/12 Sev=Info/5 CVPND/0x63400013
Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.162 10
69.61.228.178 255.255.255.255 192.168.1.1 192.168.1.162 100
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306
127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306
127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
192.168.1.0 255.255.255.0 192.168.1.162 192.168.1.162 266
192.168.1.2 255.255.255.255 192.168.1.162 192.168.1.162 100
192.168.1.162 255.255.255.255 192.168.1.162 192.168.1.162 266
192.168.1.255 255.255.255.255 192.168.1.162 192.168.1.162 266
192.168.2.0 255.255.255.0 192.168.2.70 192.168.2.70 266
192.168.2.0 255.255.255.0 192.168.2.1 192.168.2.70 100
192.168.2.70 255.255.255.255 192.168.2.70 192.168.2.70 266
192.168.2.255 255.255.255.255 192.168.2.70 192.168.2.70 266
224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306
224.0.0.0 240.0.0.0 192.168.1.162 192.168.1.162 266
224.0.0.0 240.0.0.0 192.168.2.70 192.168.2.70 266
255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
255.255.255.255 255.255.255.255 192.168.1.162 192.168.1.162 266
255.255.255.255 255.255.255.255 192.168.2.70 192.168.2.70 266
396 13:11:47.517 12/17/12 Sev=Info/6 CM/0x63100036
The routing table was updated for the Virtual Adapter
397 13:11:47.517 12/17/12 Sev=Info/4 CM/0x6310001A
One secure connection established
398 13:11:47.517 12/17/12 Sev=Info/4 CM/0x6310003B
Address watch added for 192.168.1.162. Current hostname: MATT-PC, Current address(es): 192.168.2.70, 192.168.1.162.
399 13:11:47.517 12/17/12 Sev=Info/4 CM/0x6310003B
Address watch added for 192.168.2.70. Current hostname: MATT-PC, Current address(es): 192.168.2.70, 192.168.1.162.
400 13:11:47.517 12/17/12 Sev=Info/5 CM/0x63100001
Did not find the Smartcard to watch for removal
401 13:11:47.517 12/17/12 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
402 13:11:47.517 12/17/12 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
403 13:11:47.517 12/17/12 Sev=Info/6 IPSEC/0x6370002C
Sent 109 packets, 0 were fragmented.
404 13:11:47.517 12/17/12 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
405 13:11:47.517 12/17/12 Sev=Info/4 IPSEC/0x63700010
Created a new key structure
406 13:11:47.517 12/17/12 Sev=Info/4 IPSEC/0x6370000F
Added key with SPI=0xeaaddbd2 into key list
407 13:11:47.517 12/17/12 Sev=Info/4 IPSEC/0x63700010
Created a new key structure
408 13:11:47.517 12/17/12 Sev=Info/4 IPSEC/0x6370000F
Added key with SPI=0x37287614 into key list
409 13:11:47.517 12/17/12 Sev=Info/4 IPSEC/0x6370002F
Assigned VA private interface addr 192.168.2.70
410 13:11:47.517 12/17/12 Sev=Info/4 IPSEC/0x63700037
Configure public interface: 192.168.1.162. SG: 69.61.228.178
411 13:11:47.517 12/17/12 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 1.
412 13:11:52.688 12/17/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 69.61.228.178
413 13:11:52.688 12/17/12 Sev=Info/6 IKE/0x6300003D
Sending DPD request to 69.61.228.178, our seq# = 2722476009
414 13:11:52.704 12/17/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 69.61.228.178
415 13:11:52.704 12/17/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 69.61.228.178
416 13:11:52.704 12/17/12 Sev=Info/5 IKE/0x63000040
Received DPD ACK from 69.61.228.178, seq# received = 2722476009, seq# expected = 2722476009
417 13:12:03.187 12/17/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 69.61.228.178
418 13:12:03.187 12/17/12 Sev=Info/6 IKE/0x6300003D
Sending DPD request to 69.61.228.178, our seq# = 2722476010
419 13:12:03.202 12/17/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 69.61.228.178
420 13:12:03.202 12/17/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 69.61.228.178
421 13:12:03.202 12/17/12 Sev=Info/5 IKE/0x63000040
Received DPD ACK from 69.61.228.178, seq# received = 2722476010, seq# expected = 2722476010
422 13:12:14.185 12/17/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 69.61.228.178
423 13:12:14.185 12/17/12 Sev=Info/6 IKE/0x6300003D
Sending DPD request to 69.61.228.178, our seq# = 2722476011
424 13:12:14.201 12/17/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 69.61.228.178
425 13:12:14.201 12/17/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 69.61.228.178
426 13:12:14.201 12/17/12 Sev=Info/5 IKE/0x63000040
Received DPD ACK from 69.61.228.178, seq# received = 2722476011, seq# expected = 2722476011
427 13:12:24.762 12/17/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 69.61.228.178
428 13:12:24.762 12/17/12 Sev=Info/6 IKE/0x6300003D
Sending DPD request to 69.61.228.178, our seq# = 2722476012
429 13:12:24.778 12/17/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 69.61.228.178
430 13:12:24.778 12/17/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 69.61.228.178
431 13:12:24.778 12/17/12 Sev=Info/5 IKE/0x63000040
Received DPD ACK from 69.61.228.178, seq# received = 2722476012, seq# expected = 2722476012
New running configuration:
: Saved
ASA Version 8.4(1)
hostname NCHCO
enable password hTjwXz/V8EuTw9p9 encrypted
passwd hTjwXz/V8EuTw9p9 encrypted
names
name 192.168.2.0 NCHCO description City Offices
name 192.168.2.80 VPN_End
name 192.168.2.70 VPN_Start
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 69.61.228.178 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
boot system disk0:/asa841-k8.bin
ftp mode passive
object network NCHCO
subnet 192.168.2.0 255.255.255.0
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network obj-192.168.2.64
subnet 192.168.2.64 255.255.255.224
object network obj-0.0.0.0
subnet 0.0.0.0 255.255.255.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
access-list outside_nat0_outbound extended permit ip object NCHCO 192.168.1.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip object NCHCO 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object NCHCO 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.2.64 255.255.255.224
access-list inside_nat0_outbound extended permit ip 0.0.0.0 255.255.255.0 192.168.2.64 255.255.255.224
access-list outside_1_cryptomap extended permit ip object NCHCO 192.168.1.0 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip object NCHCO 192.168.1.0 255.255.255.0
access-list LAN_Access standard permit 192.168.2.0 255.255.255.0
access-list LAN_Access standard permit 0.0.0.0 255.255.255.0
access-list NCHCO_splitTunnelAcl_1 standard permit 192.168.2.0 255.255.255.0
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_Pool VPN_Start-VPN_End mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static NCHCO NCHCO destination static obj-192.168.1.0 obj-192.168.1.0
nat (inside,any) source static any any destination static obj-192.168.2.64 obj-192.168.2.64
nat (inside,any) source static obj-0.0.0.0 obj-0.0.0.0 destination static obj-192.168.2.64 obj-192.168.2.64
object network obj_any
nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 69.61.228.177 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
network-acl outside_nat0_outbound
webvpn
svc ask enable default svc
http server enable
http 192.168.1.0 255.255.255.0 inside
http 69.61.228.178 255.255.255.255 outside
http 74.218.158.238 255.255.255.255 outside
http NCHCO 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set l2tp-transform esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set l2tp-transform mode transport
crypto ipsec ikev1 transform-set vpn-transform esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map dyn-map 10 set pfs group1
crypto dynamic-map dyn-map 10 set ikev1 transform-set l2tp-transform vpn-transform
crypto dynamic-map dyn-map 10 set reverse-route
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 74.219.208.50
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map vpn-map 1 match address outside_1_cryptomap_1
crypto map vpn-map 1 set pfs group1
crypto map vpn-map 1 set peer 74.219.208.50
crypto map vpn-map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map vpn-map 10 ipsec-isakmp dynamic dyn-map
crypto isakmp identity address
crypto ikev1 enable inside
crypto ikev1 enable outside
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 15
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 35
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
client-update enable
telnet 192.168.1.0 255.255.255.0 inside
telnet NCHCO 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh NCHCO 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.150-192.168.2.225 inside
dhcpd dns 216.68.4.10 216.68.5.10 interface inside
dhcpd lease 64000 interface inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.2.1
vpn-tunnel-protocol ikev1 l2tp-ipsec
default-domain value nchco.local
group-policy DfltGrpPolicy attributes
dns-server value 192.168.2.1
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
password-storage enable
ipsec-udp enable
intercept-dhcp 255.255.255.0 enable
address-pools value VPN_Pool
group-policy NCHCO internal
group-policy NCHCO attributes
dns-server value 192.168.2.1 8.8.8.8
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value NCHCO_splitTunnelAcl_1
default-domain value NCHCO.local
username admin password LbMiJuAJjDaFb2uw encrypted privilege 15
username 8njferg password yB1lHEVmHZGj5C2Z encrypted privilege 15
username NCHvpn99 password dhn.JzttvRmMbHsP encrypted
tunnel-group DefaultRAGroup general-attributes
address-pool (inside) VPN_Pool
address-pool VPN_Pool
authentication-server-group (inside) LOCAL
authentication-server-group (outside) LOCAL
authorization-server-group LOCAL
authorization-server-group (inside) LOCAL
authorization-server-group (outside) LOCAL
default-group-policy DefaultRAGroup
strip-realm
strip-group
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
peer-id-validate nocheck
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup ppp-attributes
authentication pap
authentication ms-chap-v2
tunnel-group 74.219.208.50 type ipsec-l2l
tunnel-group 74.219.208.50 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group NCHCO type remote-access
tunnel-group NCHCO general-attributes
address-pool VPN_Pool
default-group-policy NCHCO
tunnel-group NCHCO ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:b6ce58676b6aaeba48caacbeefea53a5
: end
asdm image disk0:/asdm-649.bin
asdm location VPN_Start 255.255.255.255 inside
asdm location VPN_End 255.255.255.255 inside
no asdm history enable
I'm at a loss myself as to why this isn't working, and I'm sure that you are running out of solutions yourself. Any other ideas? I really need to get this working.
Thanks so much!
Matthew -
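The vpnclient log above is the kind of output an engineer reads by hand to confirm each stage of the connection. As an added example (not code from the original post or from Cisco), here is a Python parser for that log format: it groups each header line with its message lines, then pulls out the peer, the NAT detection result, XAuth completion, the Mode Config attributes (assigned address, DNS, split-include networks, default domain), the ESP SPIs, and whether every DPD request received a matching ACK. The sample log, its addresses and SPIs are constructed.

```python
"""Parse Cisco IPsec VPN Client log output and summarize the tunnel it records."""
import re

# Every event starts with a header such as "339 13:11:41.393 12/17/12 Sev=Info/4 IKE/0x63000014";
# the message text follows on one or more lines until the next header.
HEADER = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d\d:\d\d:\d\d\.\d{3})\s+\d\d/\d\d/\d\d"
    r"\s+Sev=\w+/\d\s+(?P<module>\w+)/0x(?P<code>[0-9A-Fa-f]+)\s*$"
)
MODECFG_PREFIX = "MODE_CFG_REPLY: Attribute = "

def parse_events(log):
    """Group raw log lines into events: a header dict plus the message lines under it."""
    events = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            events.append({"seq": int(m["seq"]), "time": m["time"], "module": m["module"],
                           "code": int(m["code"], 16), "lines": []})
        elif events:  # message line belonging to the most recent header
            events[-1]["lines"].append(line)
    return events

def summarize(events):
    """Pull out what an engineer checks first: peer, NAT-T, XAuth, Mode Config, SPIs, DPD."""
    s = {"peer": None, "local_behind_nat": None, "xauth_ok": False, "assigned_ip": None,
         "dns": [], "split_nets": [], "domain": None, "spi": {}, "dpd_mismatch": 0}
    pending_dpd = set()  # DPD sequence numbers sent but not yet acknowledged
    for ev in events:
        t = "\n".join(ev["lines"])
        if m := re.search(r"Received ISAKMP packet: peer = (\S+)", t):
            s["peer"] = m.group(1)
        if "Automatic NAT Detection Status" in t:
            s["local_behind_nat"] = "This end IS behind a NAT device" in t
        if "Established Phase 1 SA" in t and "1 User Authenticated" in t:
            s["xauth_ok"] = True  # XAuth completed; the Phase 1 SA is now user-authenticated
        if t.startswith(MODECFG_PREFIX) and ", value = " in t:
            attr, val = t[len(MODECFG_PREFIX):].split(", value = ", 1)
            attr = attr.rstrip(": ")  # "INTERNAL_IPV4_DNS(1): " -> "INTERNAL_IPV4_DNS(1)"
            if attr == "INTERNAL_IPV4_ADDRESS":
                s["assigned_ip"] = val
            elif attr.startswith("INTERNAL_IPV4_DNS"):
                s["dns"].append(val)
            elif attr == "MODECFG_UNITY_DEFDOMAIN":
                s["domain"] = val
        if t.startswith("SPLIT_NET #"):  # multi-line attribute: subnet and mask on own lines
            net, mask = re.search(r"subnet = (\S+)", t), re.search(r"mask = (\S+)", t)
            if net and mask:
                s["split_nets"].append(f"{net.group(1)}/{mask.group(1)}")
        if m := re.search(r"Loaded (OUTBOUND|INBOUND) ESP SPI: (0x[0-9A-Fa-f]+)", t):
            s["spi"][m.group(1).lower()] = m.group(2)
        if m := re.search(r"Sending DPD request to \S+, our seq# = (\d+)", t):
            pending_dpd.add(int(m.group(1)))
        if m := re.search(r"seq# received = (\d+), seq# expected = (\d+)", t):
            got, want = int(m.group(1)), int(m.group(2))
            s["dpd_mismatch"] += int(got != want)
            pending_dpd.discard(got)
    s["dpd_unanswered"] = len(pending_dpd)
    return s

# Constructed sample in the vpnclient log format; addresses and SPIs are made up.
SAMPLE_LOG = """\
1 13:11:41.393 12/17/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 203.0.113.10
2 13:11:41.393 12/17/12 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device
3 13:11:41.456 12/17/12 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
4 13:11:41.502 12/17/12 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 10.20.30.70
5 13:11:41.502 12/17/12 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 10.20.30.1
6 13:11:41.502 12/17/12 Sev=Info/5 IKE/0x6300000F
SPLIT_NET #1
subnet = 10.20.30.0
mask = 255.255.255.0
7 13:11:41.502 12/17/12 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = example.test
8 13:11:41.549 12/17/12 Sev=Info/5 IKE/0x63000025
Loaded OUTBOUND ESP SPI: 0x0A0B0C0D
9 13:11:41.549 12/17/12 Sev=Info/5 IKE/0x63000026
Loaded INBOUND ESP SPI: 0x01020304
10 13:11:52.688 12/17/12 Sev=Info/6 IKE/0x6300003D
Sending DPD request to 203.0.113.10, our seq# = 100
11 13:11:52.704 12/17/12 Sev=Info/5 IKE/0x63000040
Received DPD ACK from 203.0.113.10, seq# received = 100, seq# expected = 100
12 13:12:03.187 12/17/12 Sev=Info/6 IKE/0x6300003D
Sending DPD request to 203.0.113.10, our seq# = 101
"""

if __name__ == "__main__":
    for key, value in summarize(parse_events(SAMPLE_LOG)).items():
        print(f"{key:>17}: {value}")
```

An unanswered DPD count that keeps growing, or a seq# mismatch, is the first sign that the tunnel is dead even though the client still shows it as connected.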
Dear friends, I am facing an issue in hosting my server publicly from the ASA.
I have already assigned a public IP address to the outside interface of the ASA. My requirement is to configure the firewall to host my web server publicly using a public IP that is not assigned to the outside interface but is in a different subnet. I have made every configuration I could, but I can't ping or connect to my web server. I can ping the web server from my ASA, but from outside I cannot reach my web server. Could anyone help me with this, because I am facing a problem.
Below is the configuration of the firewall
Server IP address: 10.10.10.4 (local, reachable)
Public IP address: 78.72.232.66 (default gateway)
show run configuration of the firewall
ASA Version 8.2(5)
hostname TAD-FW
domain-name tadrees.com
enable password lpW.MGeEHg0ISQZq encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
description Connected to TAD-Router G0/1
nameif outside
security-level 0
ip address 78.72.29.174 255.255.255.252
interface Ethernet0/1
description Connected to Cisco SMB Switch G1
nameif inside
security-level 100
ip address 10.15.1.1 255.255.255.248
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
no ip address
management-only
banner login ******** TADREES FIREWALL ********
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 84.22.224.11
name-server 84.22.224.12
domain-name tadrees.com
access-list split-tunnel standard permit 10.10.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.1.1.0 255.255.255.0
access-list Mename-Access extended permit tcp any host 78.72.232.66 eq https
access-list Mename-Access extended permit tcp any host 78.72.232.66 eq www
pager lines 24
logging enable
logging buffered debugging
logging asdm debugging
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool sslvpnpool 10.1.1.1-10.1.1.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-702.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 78.722..232.66 www 10.10.10.4 www netmask 255.255.255.255
access-group Mename-Access in interface outside
router rip
network 10.0.0.0
version 2
route outside 0.0.0.0 0.0.0.0 78.72.29.173 1
route inside 10.10.10.4 255.255.255.255 10.15.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TAD-AD protocol nt
aaa-server TAD-AD (inside) host 10.10.10.1
aaa authentication ssh console LOCAL
http server enable 444
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 2
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 20
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
no anyconnect-essentials
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
svc enable
tunnel-group-list enable
internal-password enable
group-policy sslvpn internal
group-policy sslvpn attributes
wins-server none
dns-server none
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
default-domain value tadrees.com
group-policy DfltGrpPolicy attributes
webvpn
svc ask enable default webvpn timeout 30
username asad password GxozRbsh8Rp9vCkf encrypted privilege 15
username cisco password HWFflA1bzYiq7Uut encrypted privilege 15
username naveed password d8KsovrcdE3to7qt encrypted privilege 15
tunnel-group TAD-SSLV type remote-access
tunnel-group TAD-SSLV general-attributes
address-pool sslvpnpool
authentication-server-group TAD-AD LOCAL
default-group-policy sslvpn
tunnel-group TAD-SSLV webvpn-attributes
group-alias ssl enable
group-url https://78.93.29.174/ssl enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect http
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:cec976b762f5e1d9d9856eeb4dea4019
: end
Solution
Give me your number so we can talk about it, or set up captures on the ASA to confirm that traffic from the Internet is being routed correctly to the ASA, and also review the logs.
capture out interface outside match ip any host 78.93.232.66
capture in interface inside match ip any host 10.10.10.4
After you try to access the server via the public IP from an Internet client check the captures:
show capture
If you see packets in the capture, download them:
https://10.15.1.1/capture/in/pcap
https://10.15.1.1/capture/out/pcap
It will ask you for your credentials to be able to download the file.
Check logs via ASDM:
Log into ASDM > Monitoring > logging > Real Time log viewer
Type in the external IP address of the server and run another test; if you see logs, post them -
VPN Tunnel w/ 802.1X port authentication against remote RADIUS server
I have a Cisco 892 set up as a VPN client connecting to an ASA 5515-X. The tunnel works fine and comes up if there's correct traffic. I have two RADIUS servers I want to use certificate-based authentication to, that are located behind the ASA 5515-X.
If I connect a computer that has the correct certificates to ports FA0 through 3, authentication won't work. I'll see the following. This happens even if the VPN tunnel is established already by doing something such as connecting a VOIP phone. No entries are located in the RADIUS logs, and I also cannot ping the RADIUS servers from VLAN10.
*Jan 30 19:46:01.435: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.1.100:1812,1813 is not responding.
*Jan 30 19:46:01.435: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.1.100:1812,1813 is being marked alive.
*Jan 30 19:46:21.659: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.26.10:1812,1813 is not responding.
*Jan 30 19:46:21.659: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.26.10:1812,1813 is being marked alive.
If I connect a second PC to an interface with 802.1X disabled, such as FA6, the VPN tunnel will establish itself correctly. In this situation, I can ping the RADIUS servers from VLAN10. If I go ahead and connect another PC with correct certificates to a port with 802.1X enabled, such as port FA0 through 3, then 802.1X will succeed.
Current configuration : 6199 bytes
! Last configuration change at 15:40:11 EST Mon Feb 3 2014 by
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname router1
boot-start-marker
boot-end-marker
aaa new-model
aaa local authentication default authorization default
aaa authentication login default local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa session-id common
clock timezone EST -5 0
clock summer-time EDT recurring
ip cef
ip dhcp pool pool
import all
network 192.168.28.0 255.255.255.248
bootfile PXEboot.com
default-router 192.168.28.1
dns-server 192.168.26.10 192.168.1.100 8.8.8.8 4.2.2.2
domain-name domain.local
option 66 ip 192.168.23.10
option 67 ascii PXEboot.com
option 150 ip 192.168.23.10
lease 0 2
ip dhcp pool phonepool
network 192.168.28.128 255.255.255.248
default-router 192.168.28.129
dns-server 192.168.26.10 192.168.1.100
option 150 ip 192.168.1.132
domain-name domain.local
lease 0 2
ip dhcp pool guestpool
network 10.254.0.0 255.255.255.0
dns-server 8.8.8.8 4.2.2.2
domain-name local
default-router 10.254.0.1
lease 0 2
no ip domain lookup
ip domain name remote.domain.local
no ipv6 cef
multilink bundle-name authenticated
license udi pid CISCO892-K9
dot1x system-auth-control
username somebody privilege 15 password 0 password
redundancy
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
crypto isakmp key secretpassword address 123.123.123.123
crypto ipsec transform-set pix-set esp-aes 256 esp-sha-hmac
mode tunnel
crypto map pix 10 ipsec-isakmp
set peer 123.123.123.123
set transform-set pix-set
match address 110
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
interface FastEthernet0
switchport access vlan 10
switchport voice vlan 11
no ip address
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
interface FastEthernet1
switchport access vlan 10
switchport voice vlan 11
no ip address
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
interface FastEthernet2
switchport access vlan 10
switchport voice vlan 11
no ip address
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
interface FastEthernet3
switchport access vlan 10
switchport voice vlan 11
no ip address
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
interface FastEthernet4
switchport access vlan 10
switchport voice vlan 11
no ip address
spanning-tree portfast
interface FastEthernet5
switchport access vlan 12
switchport voice vlan 11
no ip address
spanning-tree portfast
interface FastEthernet6
switchport access vlan 10
switchport voice vlan 11
no ip address
spanning-tree portfast
interface FastEthernet7
switchport access vlan 10
switchport voice vlan 11
no ip address
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
interface FastEthernet8
no ip address
shutdown
duplex auto
speed auto
interface GigabitEthernet0
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map pix
interface Vlan1
no ip address
interface Vlan10
ip address 192.168.28.1 255.255.255.248
ip nat inside
ip virtual-reassembly in
interface Vlan11
ip address 192.168.28.129 255.255.255.248
interface Vlan12
ip address 10.254.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 101 interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 dhcp
ip radius source-interface Vlan10
ip sla auto discovery
access-list 101 deny ip 192.168.28.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit ip 192.168.28.0 0.0.0.255 any
access-list 101 permit ip 10.254.0.0 0.0.0.255 any
access-list 110 permit ip 192.168.28.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 110 permit ip 192.168.29.0 0.0.0.255 192.168.0.0 0.0.255.255
radius-server host 192.168.1.100 auth-port 1812 acct-port 1813 key secretkey
radius-server host 192.168.26.10 auth-port 1812 acct-port 1813 key secretkey
control-plane
mgcp profile default
line con 0
line aux 0
line vty 0 4
transport input all
ntp source FastEthernet0
ntp server 192.168.26.10
ntp server 192.168.1.100
end

I have 802.1X certificate authentication enabled on the computers. As described in my post above, authentication will work if there's another device on the same VLAN that is connected to a port that bypasses authentication. It seems like I have a chicken-and-egg scenario: a device needs to be successfully connected to VLAN10 before the router will use its VLAN10 interface to communicate with my remote RADIUS server.
-
DNS debug logging to determine if 2008R2 DNS server is still being queried?
We are removing multiple DNS servers. We have removed those servers from the DNS references in all DHCP scopes, and ran a script across all Windows servers to make sure they are not being used. There still might be Linux/telecom/workstations manually set that we do not know about, so I was going to use debug logging just to look for queries that are coming in and to try to determine where they came from. I have debug logging set to log packets for Incoming, UDP, Queries/Transfers, and Request, but I am having trouble figuring out this log. Here is an example of what I am seeing. Does anyone have a reference for this? I am having trouble finding one.
Is this saying that a computer named POS188 made a query for a host (A) record? Or is it saying that a query came in from 128.1.60.221 for a host (A) record named POS188? Just looking for a reference to help explain this. The good news is the only IP address that shows (128.1.60.221) is the IP of the DNS server, but the only thing I could find for reference was this -
http://technet.microsoft.com/en-us/library/cc776361(WS.10).aspx
9/16/2014 12:05:23 AM 1144 PACKET 000000000624CBD0 UDP Rcv 128.1.60.221 8952 Q [0001 D NOERROR] A (8)POS188(11)contoso(3)com(0)
Thanks,
Dan Heim

Hi Dan,
The example you provide means that the DNS server received a packet sent by 128.1.60.221, and the packet queries a host (A) record named POS188.contoso.com.
The detailed information about each field of the message is shown below. It is also shown in the dns.log.
Message logging key (for packets - other items use a subset of these fields):

Field #  Information                  Values
1        Date
2        Time
3        Thread ID
4        Context
5        Internal packet identifier
6        UDP/TCP indicator
7        Send/Receive indicator
8        Remote IP
9        Xid (hex)
10       Query/Response               R = Response
                                      blank = Query
11       Opcode                       Q = Standard Query
                                      N = Notify
                                      U = Update
                                      ? = Unknown
12       [ Flags (hex)
13       Flags (char codes)           A = Authoritative Answer
                                      T = Truncated Response
                                      D = Recursion Desired
                                      R = Recursion Available
14       ResponseCode ]
15       Question Type
16       Question Name
The corresponding example:
9/16/2014 12:05:23 AM 1144 PACKET 000000000624CBD0 UDP Rcv 128.1.60.221 8952 Q [0001 D NOERROR] A (8)POS188(11)contoso(3)com(0)
Best Regards,
Tina
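An added example, not part of the thread above or of Microsoft's tooling: a small Python parser for PACKET lines in the format Tina's key describes. It decodes the (length)label notation of field 16 into a normal name and tallies received queries per remote IP, which is what the original question was trying to find out (who is still asking this server). The sample log below is constructed here: the first two lines are Dan's quoted packet, wrapped the same way as in the post; the remaining lines, the client addresses 10.20.30.x and the names in them are made up for illustration.

```python
import re
from collections import Counter

# Flag character codes, as listed in the dns.log message logging key.
FLAG_NAMES = {
    "A": "authoritative answer",
    "T": "truncated response",
    "D": "recursion desired",
    "R": "recursion available",
}

# One PACKET line of a Windows DNS debug log, fields 1-16 of the logging key.
# Field 10 (R) and field 13 (flag chars) are blank on a plain query, so both are optional.
LOG_LINE = re.compile(
    r"^(?P<date>\S+)\s+"
    r"(?P<time>\d{1,2}:\d{2}:\d{2}(?:\s+[AP]M)?)\s+"
    r"(?P<thread>[0-9A-Fa-f]+)\s+"
    r"(?P<context>\S+)\s+"
    r"(?P<packet_id>[0-9A-Fa-f]+)\s+"
    r"(?P<proto>UDP|TCP)\s+"
    r"(?P<direction>Snd|Rcv)\s+"
    r"(?P<remote_ip>\S+)\s+"
    r"(?P<xid>[0-9A-Fa-f]+)\s+"
    r"(?:(?P<response>R)\s+)?"
    r"(?P<opcode>[QNU?])\s+"
    r"\[(?P<flags_hex>[0-9A-Fa-f]{4})\s+"
    r"(?:(?P<flags>[ATDR]+)\s+)?"
    r"(?P<rcode>\w+)\]\s+"
    r"(?P<qtype>\S+)\s+"
    r"(?P<qname>\(\d+\)\S*)\s*$"
)

# Labels in the log are written as (length)text; the final (0) is the root label.
LABEL = re.compile(r"\((\d+)\)([^()]*)")


def decode_qname(logged: str) -> str:
    """'(8)POS188(11)contoso(3)com(0)' -> 'POS188.contoso.com'.

    Only the text between the length markers is used; the numbers are not trusted,
    because names pasted into forum posts are often edited without fixing the counts.
    """
    labels = [text for _, text in LABEL.findall(logged) if text]
    return ".".join(labels) or "."


def join_wrapped(lines):
    """Re-attach a question name that was wrapped onto its own line, as in the post above."""
    out = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("(") and out:
            out[-1] += " " + line
        else:
            out.append(line)
    return out


def parse_line(line: str):
    """Return a dict of the key fields for one PACKET line, or None if it is not one."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["is_response"] = rec.pop("response") == "R"
    rec["flags"] = tuple(FLAG_NAMES[c] for c in (rec["flags"] or ""))
    rec["name"] = decode_qname(rec["qname"])
    return rec


def received_queries(log_text: str):
    """Packets the server received that are queries (field 7 = Rcv, field 10 blank)."""
    for line in join_wrapped(log_text.splitlines()):
        rec = parse_line(line)
        if rec and rec["direction"] == "Rcv" and not rec["is_response"]:
            yield rec


def clients_by_query_count(log_text: str, ignore_ips=()) -> Counter:
    """Who is still asking this server: query count per remote IP, minus known addresses."""
    counts = Counter()
    for rec in received_queries(log_text):
        if rec["remote_ip"] not in ignore_ips:
            counts[rec["remote_ip"]] += 1
    return counts


def names_asked_by(log_text: str, client_ip: str):
    """Distinct names one client queried, which usually tells you what kind of box it is."""
    return sorted({rec["name"] for rec in received_queries(log_text) if rec["remote_ip"] == client_ip})


# Constructed sample: the first two lines are Dan's quoted packet (wrapped as in the post);
# the rest are made up here to show a response, a refused zone transfer and an SRV lookup.
SAMPLE_LOG = """\
9/16/2014 12:05:23 AM 1144 PACKET 000000000624CBD0 UDP Rcv 128.1.60.221 8952 Q [0001 D NOERROR] A
(8)POS188(11)contoso(3)com(0)
9/16/2014 12:05:23 AM 1144 PACKET 000000000624CBD0 UDP Snd 128.1.60.221 8952 R Q [8081 DR NOERROR] A (8)POS188(11)contoso(3)com(0)
9/16/2014 12:05:31 AM 1144 PACKET 000000000624CC10 UDP Rcv 10.20.30.40 1a2b Q [0001 D NOERROR] A (8)fileserv(7)contoso(3)com(0)
9/16/2014 12:05:31 AM 1144 PACKET 000000000624CC10 UDP Snd 10.20.30.40 1a2b R Q [8081 DR NOERROR] A (8)fileserv(7)contoso(3)com(0)
9/16/2014 12:05:44 AM 1144 PACKET 000000000624CD00 TCP Rcv 10.20.30.41 00c3 Q [0000 NOERROR] AXFR (7)contoso(3)com(0)
9/16/2014 12:05:44 AM 1144 PACKET 000000000624CD00 TCP Snd 10.20.30.41 00c3 R Q [8004 A REFUSED] AXFR (7)contoso(3)com(0)
9/16/2014 12:06:02 AM 1144 PACKET 000000000624CE30 UDP Rcv 10.20.30.42 77aa Q [0001 D NOERROR] SRV (5)_ldap(4)_tcp(7)contoso(3)com(0)
"""

if __name__ == "__main__":
    # Ignore the server's own address (the only one Dan saw) and list everyone else.
    for ip, n in clients_by_query_count(SAMPLE_LOG, ignore_ips={"128.1.60.221"}).most_common():
        print(f"{ip:15} {n:4} queries  e.g. {', '.join(names_asked_by(SAMPLE_LOG, ip)[:3])}")
```

Run it against a real dns.log by passing the file contents to clients_by_query_count(); anything that shows up with a non-trivial count after the known addresses are ignored is a client that still points at the server you are about to retire. Only Rcv lines without the R indicator are counted, so the server's own outbound responses and recursive lookups do not inflate the numbers.
-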
How can I get Quick VPN to use the correct DNS server IP
Right now it is defaulting to 192.168.x.1 (my RV042). I need it to default to 192.168.x.4 (Domain Controller). I need to be able to resolve names because remote users will have to log into the domain. I cannot statically assign a DNS server on their machines because they are mobile and will be using Wi-Fi hotspots and/or wired LANs at home.
The rv042 is obviously the router and server1 is the domain controller (also the DNS server for my LAN).
If I use nslookup to find a host it will default to the rv042 IP, so if I force the server IP in this case I get resolution with 192.168.x.4
C:\Users\XXXX>nslookup PC1 192.168.x.1
Server: rv042.xxxxxxxxxxxx.local
Address: 192.168.x.1
*** rv042.xxxxxxxxxxxx.local can't find PC1: Non-existent domain
C:\Users\XXXX>nslookup PC1 192.168.x.4
Server: server1.xxxxxxxxxxxx.local
Address: 192.168.x.4
Name: PC1.xxxxxxxxxxxx.local
Address: 192.168.x.5
C:\Users\XXXX>
Everything would work right if I could just set my DNS server to .4. I came across many, many posts from as far back as 2006 with people asking for this feature. What gives, Cisco???
-
Cannot deploy BPM process from JDev into remote weblogic server
Hi all,
I am in trouble!
I've built a simple BPM process, but when I deploy it from JDeveloper to a remote WebLogic server I get the following error. Please give me a solution.
[02:16:27 PM] ---- Deployment started. ----
[02:16:27 PM] Target platform is (Weblogic 10.3).
[02:16:27 PM] Running dependency analysis...
[02:16:27 PM] Building...
[02:16:31 PM] Deploying profile...
[02:16:31 PM] Updating revision id for the SOA Project 'Project1.jpr' to '1.0'..
[02:16:31 PM] Wrote Archive Module to C:\JDeveloper\mywork\TestDeploy\Project1\deploy\sca_Project1_rev1.0.jar
[02:16:31 PM] Running dependency analysis...
[02:16:31 PM] Building...
[02:16:33 PM] Deploying 2 profiles...
[02:16:33 PM] Wrote Web Application Module to C:\JDeveloper\mywork\TestDeploy\Project2_UI\deploy\Project2_UI.war
[02:16:33 PM] Wrote Enterprise Application Module to C:\JDeveloper\mywork\TestDeploy\deploy\TestDeploy.ear
[02:16:33 PM] Deploying sca_Project1_rev1.0.jar to partition "default" on server AdminServer [http://HP:7001]
[02:16:33 PM] Processing sar=/C:/JDeveloper/mywork/TestDeploy/Project1/deploy/sca_Project1_rev1.0.jar
[02:16:33 PM] Adding sar file - C:\JDeveloper\mywork\TestDeploy\Project1\deploy\sca_Project1_rev1.0.jar
[02:16:33 PM] Preparing to send HTTP request for deployment
[02:16:33 PM] Creating HTTP connection to host:HP, port:7001
[02:16:33 PM] Sending internal deployment descriptor
[02:16:33 PM] Sending archive - sca_Project1_rev1.0.jar
[02:16:33 PM] Received HTTP response from the server, response code=503
[02:16:33 PM] Invalid logging line: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
[02:16:33 PM] Invalid logging line: <html><head>
[02:16:33 PM] Invalid logging level on line: <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
[02:16:33 PM] Invalid logging line: <title>ERROR: The requested URL could not be retrieved</title>
[02:16:33 PM] Invalid logging line: <style type="text/css"><!--
[02:16:33 PM] Invalid logging line: /*
[02:16:33 PM] Invalid logging line: Stylesheet for Squid Error pages
[02:16:33 PM] Invalid logging line: Adapted from design by Free CSS Templates
[02:16:33 PM] Invalid logging line: http://www.freecsstemplates.org
[02:16:33 PM] Invalid logging line: Released for free under a Creative Commons Attribution 2.5 License
[02:16:33 PM] Invalid logging line: */
[02:16:33 PM] Invalid logging line: /* Page basics */
[02:16:33 PM] Invalid logging line: * {
[02:16:33 PM] Invalid logging level on line: font-family: verdana, sans-serif;
[02:16:33 PM] Invalid logging line: }
[02:16:33 PM] Invalid logging line: html body {
[02:16:33 PM] Invalid logging level on line: margin: 0;
[02:16:33 PM] Invalid logging level on line: padding: 0;
[02:16:33 PM] Invalid logging level on line: background: #efefef;
[02:16:33 PM] Invalid logging level on line: font-size: 12px;
[02:16:33 PM] Invalid logging level on line: color: #1e1e1e;
[02:16:33 PM] Invalid logging line: }
[02:16:33 PM] Invalid logging line: /* Page displayed title area */
[02:16:33 PM] Invalid logging line: #titles {
[02:16:33 PM] Invalid logging level on line: margin-left: 15px;
[02:16:33 PM] Invalid logging level on line: padding: 10px;
[02:16:33 PM] Invalid logging level on line: padding-left: 100px;
[02:16:33 PM] Invalid logging level on line: background: url('http://www.squid-cache.org/Artwork/SN.png') no-repeat left;
[02:16:33 PM] Invalid logging line: }
[02:16:33 PM] Invalid logging line: /* initial title */
[02:16:33 PM] Invalid logging line: #titles h1 {
[02:16:33 PM] Invalid logging level on line: color: #000000;
[02:16:33 PM] Invalid logging line: }
[02:16:33 PM] Invalid logging line: #titles h2 {
[02:16:33 PM] Invalid logging level on line: color: #000000;
[02:16:33 PM] Invalid logging line: }
[02:16:33 PM] Invalid logging line: /* special event: FTP success page titles */
[02:16:33 PM] Invalid logging line: #titles ftpsuccess {
[02:16:33 PM] Invalid logging level on line: background-color:#00ff00;
[02:16:33 PM] Invalid logging level on line: width:100%;
[02:16:33 PM] Invalid logging line: }
[02:16:33 PM] Invalid logging line: /* Page displayed body content area */
[02:16:33 PM] Invalid logging line: #content {
[02:16:33 PM] Invalid logging level on line: padding: 10px;
[02:16:33 PM] Invalid logging level on line: background: #ffffff;
[02:16:33 PM] Invalid logging line: }
[02:16:33 PM] Invalid logging line: /* General text */
[02:16:33 PM] Invalid logging line: p {
[02:16:33 PM] Invalid logging line: }
[02:16:33 PM] Invalid logging line: /* error brief description */
[02:16:33 PM] Invalid logging line: #error p {
[02:16:33 PM] Invalid logging line: }
[02:16:33 PM] Invalid logging line: /* some data which may have caused the problem */
[02:16:33 PM] Invalid logging line: #data {
[02:16:33 PM] Invalid logging line: }
[02:16:33 PM] Invalid logging line: /* the error message received from the system or other software */
[02:16:33 PM] Invalid logging line: #sysmsg {
[02:16:33 PM] Invalid logging line: }
[02:16:33 PM] Invalid logging line: pre {
[02:16:33 PM] Invalid logging level on line: font-family:sans-serif;
[02:16:33 PM] Invalid logging line: }
[02:16:33 PM] Invalid logging line: /* special event: FTP / Gopher directory listing */
[02:16:33 PM] Invalid logging line: #dirlisting tr.entry td.icon,td.filename,td.size,td.date {
[02:16:33 PM] Invalid logging level on line: border-bottom: groove;
[02:16:33 PM] Invalid logging line: }
[02:16:33 PM] Invalid logging line: #dirlisting td.size {
[02:16:33 PM] Invalid logging level on line: width: 50px;
[02:16:33 PM] Invalid logging level on line: text-align: right;
[02:16:33 PM] Invalid logging level on line: padding-right: 5px;
[02:16:33 PM] Invalid logging line: }
[02:16:33 PM] Invalid logging line: /* horizontal lines */
[02:16:33 PM] Invalid logging line: hr {
[02:16:33 PM] Invalid logging level on line: margin: 0;
[02:16:33 PM] Invalid logging line: }
[02:16:33 PM] Invalid logging line: /* page displayed footer area */
[02:16:33 PM] Invalid logging line: #footer {
[02:16:33 PM] Invalid logging level on line: font-size: 9px;
[02:16:33 PM] Invalid logging level on line: padding-left: 10px;
[02:16:33 PM] Invalid logging line: }
[02:16:33 PM] Invalid logging line: body
[02:16:33 PM] Invalid logging level on line: :lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
[02:16:33 PM] Invalid logging level on line: :lang(he) { direction: rtl; float: right; }
[02:16:33 PM] Invalid logging line: --></style>
[02:16:33 PM] Invalid logging line: </head><body>
[02:16:33 PM] Invalid logging line: <div id="titles">
[02:16:33 PM] Invalid logging line: <h1>ERROR</h1>
[02:16:33 PM] Invalid logging line: <h2>The requested URL could not be retrieved</h2>
[02:16:33 PM] Invalid logging line: </div>
[02:16:33 PM] Invalid logging line: <hr>
[02:16:33 PM] Invalid logging line: <div id="content">
[02:16:33 PM] Invalid logging line: <p>The following error was encountered while trying to retrieve the URL: http://hp:7001/soa-infra/deployer</p>
[02:16:33 PM] Invalid logging line: <blockquote id="error">
[02:16:33 PM] Invalid logging line: <p><b>Unable to determine IP address from host name <q>hp</q></b></p>
[02:16:33 PM] Invalid logging line: </blockquote>
[02:16:33 PM] Invalid logging line: <p>The DNS server returned:</p>
[02:16:33 PM] Invalid logging line: <blockquote id="data">
[02:16:33 PM] Invalid logging line: <pre>Name Error: The domain name does not exist.</pre>
[02:16:33 PM] Invalid logging line: </blockquote>
[02:16:33 PM] Invalid logging line: <p>This means that the cache was not able to resolve the hostname presented in the URL. Check if the address is correct.</p>
[02:16:33 PM] Invalid logging level on line: <p>Your cache administrator is [email protected].</p>
[02:16:33 PM] Invalid logging line: <br>
[02:16:33 PM] Invalid logging line: </div>
[02:16:33 PM] Invalid logging line: <hr>
[02:16:33 PM] Invalid logging line: <div id="footer">
[02:16:33 PM] Invalid logging line: <p>Generated Tue, 20 Dec 2011 07:18:27 GMT by proxy.hipt.com.vn (squid/3.1.4)</p>
[02:16:33 PM] Invalid logging line: <!-- ERR_DNS_FAIL -->
[02:16:33 PM] Invalid logging line: </div>
[02:16:33 PM] Invalid logging line: </body></html>
[02:16:33 PM] Error deploying archive sca_Project1_rev1.0.jar to partition "default" on server AdminServer [http://HP:7001]
[02:16:33 PM] HTTP error code returned [503]
[02:16:33 PM] No error message is returned from the server.
[02:16:33 PM] Error deploying archive sca_Project1_rev1.0.jar to partition "default" on server AdminServer [http://HP:7001]
[02:16:33 PM] #### Deployment incomplete. ####
[02:16:33 PM] Error deploying archive file:/C:/JDeveloper/mywork/TestDeploy/Project1/deploy/sca_Project1_rev1.0.jar
(oracle.tip.tools.ide.fabric.deploy.common.SOARemoteDeployer)
Thanks a lot!

Hi, thanks for your reply,
I just checked, but soa-infra is up.
Result:
Welcome to the Oracle SOA Platform on WebLogic
SOA Version: v11.1.1.5.0 - 11.1.1.5.0_110418.1550.0174 built on Mon Apr 18 18:05:14 PDT 2011
WebLogic Server 10.3.5.0 Fri Apr 1 20:20:06 PDT 2011 1398638 (10.3.5.0)
I've deployed my process on the local computer and that works, but from the remote JDev I get the error.
Help me please!
-
Can i use same certificate on 2 different CAS Server across sites
Hi All
I have a question I have been playing with for a few days,
I have the following setup,
2 sites connected via a VPN and a DAG configured between sites.
Site 1-Head Office
2 exchange 2010 servers,
1 running CAS and Mailbox (this server is entry point to all clients for owa etc.)
1 running Hub, CAS, Mailbox. (this is the main server and a DAG Member)
We have a UNC certificate associated with all records pointing to remote access and its installed on both servers.
** Everything in this site works fine.
** The AD DNS server does not have a zone for the public domain with all the external records only the .local domain. Planning to change this soon.
Site 2.
1 exchange 2010 servers,
1 running Hub, CAS, Mailbox. (this is the main server for this site, a DAG Member and no entry point at this time but we intend to use it for redundancy)
** Currently all BD are on server in site 1.
** The AD DNS server does not have a zone for the public domain with all the external records only the .local domain. Planning to change this soon.
My questions are as follows:
1. On site 2's CAS server, can I use the same certificate I'm using on site 1? In other words, all clients currently use mail.domain.com, which has an IP pointing to site 1; can I use that same certificate in site 2 and associate it with the CAS server there? (In the event of a failover I just change the record's IP.)
2. All SMTP traffic comes through site 1. When I test moving active databases to site 2, all email stays in the queues of the Exchange server in site one; it doesn't get delivered. (I have not set up AD replication through SMTP, so I don't know if this is a factor.)
3. When I do set the active databases to site 2, webmail and remote services stop working; I get the infamous error when logging onto webmail, service unavailable because it's been moved. I have read a lot about this being an internal/external URL issue.
I'm starting to think all these issues are interlinked, and would like some help.
Cheers

Answers to your questions:
Yes. Understand that until you swap your external DNS so it points to Site 2, the mail.domain.com won't be accessed, but it will be there for when you want it to be.
AD replication is not the issue, so don't try to set it to use SMTP. If you have hub servers in both sites, your inbound Internet email should be delivered from the Site 1 hubs to the Site 2 hubs. We may need more information before we can give you a good answer for this question. However, you may check the following TechNet article (and its links) for assistance.
http://technet.microsoft.com/en-us/library/aa998825(v=exchg.141).aspx
Web access requires that the CAS you connect to be either externally accessible and in the same site as your mailbox server, or that the CAS in the inaccessible Windows site be configured as internal only and the accessible CAS be configured to proxy connections. For this, make sure you have followed the directions in the following TechNet article.
http://technet.microsoft.com/en-us/library/bb310763(v=exchg.141).aspx
HTH ... -
How do I close an open DNS Server
I have received an email from my internet provider stating I have an open DNS server and my network has been used to attack other networks (DoS, denial of service). I can't figure out how to secure my network or close the open DNS server.
You should at least update your Mac to 10.6.8, although I am not sure there are any particular security issues there.
Of course running a later OS is always better, as the latest security updates are implemented in the most recent OS, but I am not sure one follows the other, as some weaknesses are introduced as well in later OSes. Any security updates should certainly be installed.
The main point is: what modem and what router do you have?
There are a number of these notices being sent to users with Apple routers, which it is hard to believe can be involved. It is more likely the ISP equipment. But we cannot really help you without exact details of your network, or whatever more precise details the ISP has given you.
Ring up and talk to their technical help dept. and ask for their help. Even if they won't help you fix the Apple router, put the modem in router mode or buy a new modem with router mode and change the Apple router to bridge; then the issue is not caused by you, and the ISP can remotely adjust their own box.
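An added example, not part of the thread above: a Python check for the condition the ISP reported. The test is simple: from a host outside your network, send a recursion-desired (RD=1) query to your public IP on UDP/53. A gateway that is not running a resolver at all does not answer (or the port is filtered); a properly locked-down server answers REFUSED; an open resolver returns an answer with the RA (recursion available) bit set, which is exactly what makes it usable for reflection attacks. The two replies below are constructed for an offline check (the A record address is the one published for example.com, used only as sample data); probe() performs the real network send and has to be run from outside the LAN, since from inside you would only test the private side of the router.

```python
import socket
import struct

# DNS header flag bits (RFC 1035, section 4.1.1).
QR = 0x8000  # message is a response
RD = 0x0100  # recursion desired (we set it in the probe)
RA = 0x0080  # recursion available (set by a server willing to recurse for us)
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Build a recursive (RD=1) DNS query for `name`, type A by default, class IN."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header into the fields that decide the open-resolver question."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "txid": txid,
        "is_response": bool(flags & QR),
        "recursion_available": bool(flags & RA),
        "rcode": flags & 0x000F,
        "qdcount": qd,
        "ancount": an,
    }


def classify(query: bytes, reply: bytes) -> str:
    """Judge a reply to build_query(): is this host acting as a recursive resolver for us?"""
    h = parse_header(reply)
    if not h["is_response"] or h["txid"] != struct.unpack("!H", query[:2])[0]:
        return "not a reply to our query"
    rcode = RCODE_NAMES.get(h["rcode"], str(h["rcode"]))
    if h["rcode"] == 5:
        return "refused (REFUSED): recursion not offered to us"
    if h["recursion_available"] and h["rcode"] == 0 and h["ancount"] > 0:
        return "OPEN RESOLVER: recursive answer returned"
    if h["recursion_available"]:
        return f"recursion available but no answer ({rcode})"
    return f"answered without recursion ({rcode}); not an open resolver for this name"


def probe(target_ip: str, name: str = "example.com", timeout: float = 3.0) -> str:
    """Send the probe over UDP/53 to `target_ip` and classify the reply.
    Needs network access and must run from OUTSIDE the network being checked."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (target_ip, 53))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no reply (port 53 closed or filtered): not an open resolver"
    return classify(query, reply)


# Constructed sample replies for an offline check (made up here, not captured traffic).
# 1) Open resolver: flags 0x8180 = QR|RD|RA, NOERROR, question echoed, one A record.
OPEN_REPLY = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00\x00\x01\x00\x01"          # question section
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)   # name pointer, A, IN, TTL, rdlength
    + bytes([93, 184, 216, 34])                          # sample rdata
)
# 2) Locked-down server: flags 0x8105 = QR|RD with RA clear and rcode 5 (REFUSED), no answer.
REFUSED_REPLY = (
    struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)
    + b"\x07example\x03com\x00\x00\x01\x00\x01"
)

if __name__ == "__main__":
    q = build_query("example.com")
    print("open   :", classify(q, OPEN_REPLY))
    print("closed :", classify(q, REFUSED_REPLY))
```

If the probe against your public address comes back as OPEN RESOLVER, the device answering on UDP/53 from the Internet is the one to fix: disable recursion or the DNS service on the WAN side of whichever box (modem or router) owns that address, or filter inbound 53, then re-run the probe until it times out or returns REFUSED.
-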
Can I avoid setting up a DNS server?
Dear all,
I'm a newbie at setting up a server, but I recently bought a Mac Mini Server and I have some questions about setting up the machine.
My ultimate goal:
Set up a multimedia server on my Mac Mini Server which provides photo upload/download and QuickTime video streaming services for my friends outside my local LAN.
My settings:
ISP (Dynamic IP) →DSL modem →Linksys Router (DHCP) →
1. Web Cam IP: 192.168.1.253 port 50000
2. Synology NAS IP:192.168.1.107 port 5000
3. Mac Mini Server IP: 192.168.1.108
4. Mac Book Pro x 2(wireless)
Since I don’t have a static IP, I registered a domain name which link to my dynamic IP. i.e. abc.viewnetcam.com
I can access my web cam and Synology from outside through port forwarding, i.e. http://abc.viewnetcam.com:50000 & http://abc.viewnetcam.com:5000
During setup of my Mac Mini Server, I was required to enter the Primary Domain Name; since I did not have a DNS server in my local LAN, I entered MacMiniServer.private
After I set up the server, I found that there was a message left on the desktop saying: "...The domain name servers you're using don't have an entry for the domain MacMiniServer.private, and therefore your clients won't be able to access your server using the name MacMiniServer.private..."
Now here is the question:
1. Can I simply avoid setting up a DNS server on my Mac Mini Server? Because it is very complicated; I have read some information about DNS server settings which makes me feel puzzled.
2. If a DNS server is a must, how can I set it up? I have read the instructions at HoffmanLabs, but after setting up the DNS server, how can I access my server from outside? Through port forwarding?
(Now I can access my server from outside in Safari with the URL afp://abc.viewnetcam.com:548)
Many thanks.

I took some time to digest your suggestions. I'm convinced to build a DNS server, although I don't fully understand how it works.
DNS is a way to ask a server or a series of servers to translate a string of a specific format into an IP address. If you follow the article in your implementation, then the local DNS services will cooperate with and access external DNS servers world-wide for public DNS translations.
But then questions come up again. First, what should my Primary Domain Name be?
I don't know what you're looking at that is using "primary domain name", but the "domain name" you use? I use real and registered and public domains for the domain on private LANs. It's simple, effective, and unique. And I don't have to deal with collisions. I don't prefer to recommend using a made-up domain, as it's a few dollars to get a real domain and then you don't have to deal with collisions if and when you need to expose parts of your network.
Here, a bogus TLD would be, for instance, macminiserver.myhouse.ngmy69; that's a top-level domain (ngmy69) (TLD) that is not allocated, and unlikely to be publicly allocated, and a subdomain (myhouse) of your choice, and a host name (macminiserver) of your choice. (There are around 300 TLDs already allocated and live, and more are on the way. com, net, biz, org, travel, cat, two-character country codes, and more...)
This is listed in the article, including the trade-offs, and including a description of bogus domains.
Since you said that the external DNS and the internal DNS should function separately, is it true that I have the freedom to choose my Primary DNS name? Or do I have to stick to certain rules?
DNS and IP routing work by cooperation. You have to stick to certain rules, and the article guides you through the four general choices for picking a domain name.
In my case, do I need to use the external domain name, i.e. macminiserver.abc.viewnetcam.com, or do I rent another registered domain name so it will be macminiserver.xxxxx.com, or do I even create an imaginary name?
After you get your LAN DNS going, then read the [dynamic DNS article|http://labs.hoffmanlabs.com/node/1541].
Here, you've picked a domain (viewnetcam.com) name that's real and registered. That, and the use of the abc and macminiserver subdomains are something you'd have to work out with the folks administering that domain. While it is technically a domain name, macminiserver.abc.viewnetcam.com is also variously called a host name, as that'll usually have an associated IP address, and a subdomain like abc.viewnetcam.com might and variously will not.
With a real and registered domain (your own registered domain, or a DynDNS host), you can (later) choose to expose parts of your network. You don't own a DynDNS name, and DynDNS doesn't allow you to use various server functions and you can't use that on your LAN. DynDNS is a good solution for remote access into a home network and even for a VPN connection in but (if you're eventually looking to use mail or secure web access or other features) you'll usually end up using your own domain name.
The second question is, how can I avoid using the subnet 192.168.1.0/24? As my router is providing the DHCP service, does that mean I need to reorganize the whole network, including the web cam and my Synology? Is there any simple way to achieve that?
It's the effort you think it is, and it involves getting that gateway server reconfigured to have its address in a different subnet and the DHCP server reconfigured to pass out addresses within a range within that subnet, and this is an effort that scales as your network increases and as you get IP addresses embedded. If you're going to do remote access via VPN, many home networks and many coffee shops will use 192.168.0.0/24 or 192.168.1.0/24, and having the same subnet on both ends of the VPN means IP routing tosses a snit.
[Please read the DNS article|http://labs.hoffmanlabs.com/node/1436] through, and then post up questions you might have. -
How can I get my Tiger Server to look at itself as a DNS Server
I have installed Tiger server remotely and have no GUI.
I want to change the DNS Server ip address with that Server
If I had access to the System Prefs/Network panel I could simply make the change.
Can I do this via a command line in Terminal ??
Thanks

Two options come to mind.
First is networksetup, the command-line interface to network settings:
networksetup -setdnsservers "Built-in Ethernet 1" 127.0.0.1
(you can add additional name servers in order if you want).
The other is to just rewrite /etc/resolv.conf which stores the active name server settings (although this might get rewritten at boot).