Routing issue with 2 VPN on ASA

Hello,
I am trying to setup a VPN between 3 sites :
site2 and site3 needs to communicate with site1(ASA) :
         site1(ASA)
         |        |
         |        |
     site2        site3
              Peer
On site2 / site3 I have multiple peers that want to communicate with site 1 and that can arrive indifferently on the site2 or site3 firewall.
All VPNs are UP but there is a routing problem located on the ASA. Indeed, site2 to site1 communication is ok in both directions. The problem comes from site3.
On site3, incoming packets reach the target on site1 through the VPN, but the answer is sent back through the site1/site2 VPN.
Is there a simple way to force the traffic to use the same VPN for responding data?
Here is a sample of the configuration on the ASA (subnet on site2 and site3 must be left on 'any') :
access-list outside_cryptomap_1 extended permit ip 10.0.0.0 255.255.0.0 any
access-list outside_cryptomap_2 extended permit ip 10.0.0.0 255.255.0.0 any
crypto map my-crypto-map 1 match address outside_cryptomap_1
crypto map my-crypto-map 1 set pfs
crypto map my-crypto-map 1 set peer 90.X.Y.Z
crypto map my-crypto-map 1 set transform-set ESP-AES-256-SHA
crypto map my-crypto-map 1 set security-association lifetime kilobytes 51200
crypto map my-crypto-map 2 match address outside_cryptomap_2
crypto map my-crypto-map 2 set pfs
crypto map my-crypto-map 2 set peer 190.X.Y.Z
crypto map my-crypto-map 2 set transform-set ESP-AES-256-SHA

No, this is not possible, you cannot have overlapping crypto ACLs.
One possible solution might be to apply NAT to the traffic before it enters the tunnel on site3.
But this requires changing from "any" to one or more specific networks.
hth
Herbert
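Herbert's point above, worked through as an added example that is not code from the original thread: a small Python linter that parses the ACL and crypto-map lines from the question, reports traffic selectors that overlap between entries bound to different peers, and emulates the ASA's first-match walk to show why a reply to a host behind site3 lands in site2's tunnel. The remote subnets 192.0.2.0/24 and 198.51.100.0/24 used in the narrowed "after" config are assumed values, not from the thread.

```python
"""Lint Cisco ASA crypto-map traffic selectors for overlaps between peers.

Added example for this thread, not code from the original post. The ASA
walks crypto-map entries in sequence order and encrypts a packet with the
first entry whose ACL matches, so two entries that both select
"10.0.0.0/16 -> any" but point at different peers push every reply into
the lower-numbered peer's tunnel.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample with the shape of the config in the thread; the peer
# addresses are the thread's own redacted placeholders.
OVERLAPPING_CONFIG = """
access-list outside_cryptomap_1 extended permit ip 10.0.0.0 255.255.0.0 any
access-list outside_cryptomap_2 extended permit ip 10.0.0.0 255.255.0.0 any
crypto map my-crypto-map 1 match address outside_cryptomap_1
crypto map my-crypto-map 1 set peer 90.X.Y.Z
crypto map my-crypto-map 2 match address outside_cryptomap_2
crypto map my-crypto-map 2 set peer 190.X.Y.Z
"""

# Constructed "after" sample: each entry names its remote subnet instead of
# "any" (192.0.2.0/24 and 198.51.100.0/24 are assumed documentation ranges).
NARROWED_CONFIG = """
access-list outside_cryptomap_1 extended permit ip 10.0.0.0 255.255.0.0 192.0.2.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip 10.0.0.0 255.255.0.0 198.51.100.0 255.255.255.0
crypto map my-crypto-map 1 match address outside_cryptomap_1
crypto map my-crypto-map 1 set peer 90.X.Y.Z
crypto map my-crypto-map 2 match address outside_cryptomap_2
crypto map my-crypto-map 2 set peer 190.X.Y.Z
"""

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(.+)$")
MATCH_RE = re.compile(r"^crypto map\s+(\S+)\s+(\d+)\s+match address\s+(\S+)$")
PEER_RE = re.compile(r"^crypto map\s+(\S+)\s+(\d+)\s+set peer\s+(\S+)$")


def _take_network(tokens):
    """Consume one address spec ('any', 'host A.B.C.D' or 'A.B.C.D MASK')
    from the front of tokens; return (IPv4Network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
    return net, tokens[2:]


def parse_config(text):
    """Return {seq: {"peer": str, "aces": [(src_net, dst_net), ...]}}."""
    acls = defaultdict(list)
    entries = defaultdict(lambda: {"peer": None, "acl": None})
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACE_RE.match(line):
            src, rest = _take_network(m.group(2).split())
            dst, _ = _take_network(rest)
            acls[m.group(1)].append((src, dst))
        elif m := MATCH_RE.match(line):
            entries[int(m.group(2))]["acl"] = m.group(3)
        elif m := PEER_RE.match(line):
            entries[int(m.group(2))]["peer"] = m.group(3)
    return {seq: {"peer": e["peer"], "aces": acls.get(e["acl"], [])}
            for seq, e in entries.items()}


def find_overlaps(entries):
    """Return (winning_seq, shadowed_seq, src, dst) for each selector pair
    that overlaps between entries with different peers; lower seq wins."""
    findings, seqs = [], sorted(entries)
    for i, low in enumerate(seqs):
        for high in seqs[i + 1:]:
            if entries[low]["peer"] == entries[high]["peer"]:
                continue
            for s1, d1 in entries[low]["aces"]:
                for s2, d2 in entries[high]["aces"]:
                    if s1.overlaps(s2) and d1.overlaps(d2):
                        findings.append((low, high, str(s1), str(d1)))
    return findings


def first_match(entries, src_ip, dst_ip):
    """Emulate the ASA's first-match walk: return (seq, peer) of the entry
    that would encrypt a src->dst packet, or None if nothing matches."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for seq in sorted(entries):
        if any(src in s and dst in d for s, d in entries[seq]["aces"]):
            return seq, entries[seq]["peer"]
    return None


if __name__ == "__main__":
    for cfg in (OVERLAPPING_CONFIG, NARROWED_CONFIG):
        entries = parse_config(cfg)
        print("overlaps:", find_overlaps(entries))
        # Reply from a site1 host to an assumed site3 host 198.51.100.10.
        print("reply takes:", first_match(entries, "10.0.1.10", "198.51.100.10"))
```

With the thread's config the reply to the site3 host is reported as taking entry 1 (site2's peer); after narrowing the destinations it takes entry 2 and no overlap is reported.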

Similar Messages

  • Routing Issue with Telia

    I think verizon has a routing issue with Telia.

    thought I would share this, Telia has admitted an issue on their network
    Twitter / Telia_service: @Ungvall routing problem? This ...
    https://twitter.com/Telia_service/status/179661595276881921
    BTW Apparently @Telia_service had routing problems on both the latest iOS and ... DNS problem and we are working with Akamai for a solution to this problem

  • Routing Issue with 3550

    I am having a routing issue with a 3550 switch. I have 5 vlans and I need one of the vlans to access a different router based on destination IP rather than our edge router. I have entered a static route on the 3550 that points to the secondary router whenever a certain network is tried to be accessed. My problem is I can't seem to get the traffic to flow correctly. When I trace route an address on the Internet the path shows as expected, the 3550 then my firewall then my edge router. When I trace an address that is on the other side of the secondary router I get the 3550 as the first hop, then nothing. I can ping the address so I know the path is up. What could be the issue? Thanks in advance.

    Hello,
    in addition to Mahmood's post, what do you have defined as the next hop for the default route to the secondary router? If you use an interface on the 3550 as the next hop, make sure that whatever is connected is in the same subnet, otherwise use the IP address of the next hop. So, let's say your remote network is 192.168.1.0, and the secondary router is connected to FastEthernet0/1, your default route should look like this if the secondary router is in the same subnet (in this example, the IP address of the secondary router would be 172.16.1.2):
    interface FastEthernet0/1
    no switchport
    ip address 172.16.1.1 255.255.255.252
    ip route 192.168.1.0 255.255.255.0 FastEthernet0/1
    Otherwise, try:
    ip route 192.168.1.0 255.255.255.0 172.16.1.2
    where 172.16.1.2 would be the address of the secondary router.
    Does that make sense?
    Regards,
    GNT

  • Routing issue with ASA and UC540 phone system - at ASA???

    Having an issue with routing from the PC at .242 to the CUE server at 10.1.10.1. The CUE server is built into the UC540 phone system. It is an internal piece of software that is used for voicemail and management. The UC540 is not only a call router, it is also an IOS router. It has its own WAN connection as does the ASA.
    Here are some facts:
    1. Can ping the UC540's internal CUE server from the PC ( ping to 10.1.10.1 )
    2. Can ping the UC540's VLAN 1 address from the PC ( ping to 10.1.10.1 )
    3. The ASA is the default gateway for the PC.
    4. I have a route inserted at the asa that is:
       route 10.1.10.1 255.255.255.0 10.19.250.254 1
    5. I have a nat statement that prevents NAT from occurring but I don't think this is necessary as the 10.1.10.0/24 network isn't otherwise defined on the ASA.
    6. I cannot pull up a web page when I point the browser on the PC to the 10.1.10.1 address
    7. I CAN pull up a web page on the PC when I create a static route on the PC itself:
       route add 10.1.10.1 mask 255.255.255.0 10.19.250.254
       It is only with this route that I am able to get to the web GUI on the phone system.
    8. The phone system has a loopback interface at 10.1.10.2 that serves as the gateway for the internal CUE server; the internal CUE server is at 10.1.10.1
    9. The switch is a 2960 and has a trunk port to the phone system to allow for the voice vlan which is at 10.1.1.0/24, no issues with this vlan and phones are connecting to the system fine.
    Since I can get the GUI to come up when I set a static route on the PC, then I would assume that the routing in the phone system with its internal server is fine as it wouldn't work otherwise. Since I can successfully ping the CUE server from the PC, that would lead me to believe that the ASA's routing is setup correctly... TCP traffic doesn't seem to get to/from the CUE server.
    Here are the routing tables:
    ASA:
    Gateway of last resort is xxx.xxx.xxx.xxx to network 0.0.0.0
    C    xxx.xxx.xxx.xxx 255.255.255.252 is directly connected, outside
    S    172.16.100.100 255.255.255.255 [1/0] via 38.97.193.65, outside
    S    10.1.10.0 255.255.255.252 [1/0] via 10.19.250.254, inside
    C    10.19.250.0 255.255.254.0 is directly connected, inside
    S*   0.0.0.0 0.0.0.0 [1/0] via xx.xx.xx.xx, outside
    The UC540 phone system's router side:
    Gateway of last resort is xx.xx.xx.xx to network 0.0.0.0
    S*    0.0.0.0/0 [1/0] via xx.xx.xx.xx
          10.0.0.0/8 is variably subnetted, 7 subnets, 4 masks
    C        10.1.1.0/24 is directly connected, BVI100
    L        10.1.1.1/32 is directly connected, BVI100
    C        10.1.10.0/30 is directly connected, Loopback0
    S        10.1.10.1/32 is directly connected, Integrated-Service-Engine0/0
    L        10.1.10.2/32 is directly connected, Loopback0
    C        10.19.250.0/23 is directly connected, BVI1
    L        10.19.250.254/32 is directly connected, BVI1
          XX.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
    C       XX.XX.XX.XX/29 is directly connected, FastEthernet0/0
    L        XX.XX.XX.XX/32 is directly connected, FastEthernet0/0
          172.16.0.0/24 is subnetted, 1 subnets
    S        172.16.100.0 [1/0] via 10.19.250.1
    The UC540's internal CUE server:
    Main Routing Table:
    DEST         GATE         MASK             IFACE
    10.1.10.0    0.0.0.0      255.255.255.252  eth0
    0.0.0.0      10.1.10.2    0.0.0.0          eth0
    Any help appreciated!!!
    Thanks!

    Hello,
    Were you able to solve this problem? It does sound like an issue with TCP state checking on the ASA. The Firewall needs to see both sides of the traffic but the return traffic is going from your UC540 direct to the PC. The firewall essentially kills the traffic.
    I would recommend disabling TCP state checking on the ASA and see if it works. Otherwise, you will need to stub route the UC540 as a separate VLAN off the ASA which needs to route through the ASA to reach the PC.
    Here is an info page on the TCP State Bypass:
    http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/111986-asa-tcp-bypass-00.html
    Please let me know how it works out.

  • Strange issue with VPN

    Hello, I have a strange issue with a VPN we have on our ASA 5520. We have 2 subnets my side of the VPN that can get to 27 subnets on the other side of the VPN. However the last remote subnet which I will call 28 I find only 1 of my 2 subnets can get to. When I reset the tunnel I find that my subnet cannot bring the IPSec tunnel up but the other side of the tunnel can. When I view my VPN tunnel Rx always has a value but Tx is always zero, which suggests the traffic isn't even getting there, but this subnet has all the same rules as the other subnets that work. Any debug commands or tracing you can suggest? I've had others look at the issue and they can't see an issue. Thanks

    Looks like you have a OD server setup for user authentication so you need to run this
    vpnaddkeyagentuser /LDAPv3/127.0.0.1
    that will add the correct record to OD and it will authenticate.
    Peter

  • Issue with VPN compatibility between 2811 and 2911

    hello
    I would like to ask anyone have had any issues with setting up a VPN tunnel between 2811 and 2911?
    The IPSec VPN is established but for some reason I cannot ping the LAN side to the other LAN side of the other end of the VPN Router?
    Any experience would be much appreciated
    Thanks

    IPSec VPN can be set up with no problem between any Cisco routers (and not necessarily Cisco), so there should be no issues in your case.
    If you say that the tunnel is established successfully, then the problem is most probably related to routing issues between sites or an incorrect crypto-acl configured. Check if hosts on both sites have correct routing information on how to get to subnets on the other site.
    To make more accurate assumptions it would help if you provide config on both sites and describe your topology.

  • Routing Issue with 3550 Switch

    I am having an issue with routing with one of my Cisco 3550 switches.  I know the 3550s are EoL but some of us have to work with what we have.
    I am using a 3550 on either side of a Layer 2 link.  The Layer 2 link is 2 Extreme Summit X-440 switches with Microwave between the switches.  I have a VLAN configured on both switches and tagged on the ports connected to the Microwave.  The 3550 switch on each end is configured for IP routing but I cannot pass traffic between the switches.  If I unplug the switch on the local end and plug in a laptop, I can ping the switch on the remote end and access devices at the remote end. 
    I know this should work because I am doing the same thing over another Microwave link and Layer 2 link using another 3550 and a HP ProCurve at the remote end.
    Here are the configs for each 3550:
    Local end: Port Fa0/23 goes to the Remote Side. Port Fa0/24 goes to the rest of the network
    Current configuration : 5417 bytes
    ! No configuration change since last restart
    version 12.2
    no service pad
    service timestamps debug datetime localtime show-timezone
    service timestamps log datetime localtime show-timezone
    no service password-encryption
    service sequence-numbers
    hostname Brindley3550
    enable secret 5 $1$3A.n$lzBUQg.fn4hJ7f0jEOqe71
    no aaa new-model
    clock timezone UTC -6
    clock summer-time UTC recurring 1 Sun Apr 2:00 1 Sun Nov 2:00
    mls qos map cos-dscp 0 8 16 26 32 46 48 56
    mls qos min-reserve 5 170
    mls qos min-reserve 6 10
    mls qos min-reserve 7 65
    mls qos min-reserve 8 26
    mls qos
    ip subnet-zero
    ip routing
    ip domain-name morgan911.net
    ip name-server 1.2.150.11
    ip name-server 1.2.150.5
    spanning-tree mode pvst
    no spanning-tree optimize bpdu transmission
    spanning-tree extend system-id
    vlan internal allocation policy ascending
    interface FastEthernet0/1
     switchport access vlan 18
     switchport mode dynamic desirable
     spanning-tree portfast
    {Removed for Brevity}
    interface FastEthernet0/7
     switchport access vlan 13
     switchport mode dynamic desirable
     spanning-tree portfast
    interface FastEthernet0/8
     switchport access vlan 13
     switchport mode dynamic desirable
     spanning-tree portfast
    {Removed for Brevity}
    interface FastEthernet0/23
     description To Gum Springs via Extreme P10
     no switchport
     ip address 1.2.147.1 255.255.255.252
     speed 100
     duplex full
    interface FastEthernet0/24
     description To Flint via Ceragon Eth 2
     switchport trunk encapsulation dot1q
     switchport mode trunk
     speed 100
     duplex full
     mls qos trust cos
     auto qos voip trust
     wrr-queue bandwidth 20 1 80 1
     wrr-queue min-reserve 1 5
     wrr-queue min-reserve 2 6
     wrr-queue min-reserve 3 7
     wrr-queue min-reserve 4 8
     wrr-queue cos-map 1 0 1 2 4
     wrr-queue cos-map 3 3 6 7
     wrr-queue cos-map 4 5
     priority-queue out
     spanning-tree link-type point-to-point
    interface GigabitEthernet0/1
     switchport trunk encapsulation dot1q
     switchport mode trunk
    interface GigabitEthernet0/2
     switchport access vlan 10
     switchport trunk native vlan 50
     switchport mode dynamic desirable
     spanning-tree portfast trunk
    interface Vlan1
     ip address 1.2.145.2 255.255.255.0
    ip default-gateway 1.2.145.1
    ip classless
    ip route 0.0.0.0 0.0.0.0 1.2.145.1
    ip route 1.2.165.0 255.255.255.240 1.2.147.2
    ip route 1.2.166.0 255.255.255.240 1.2.147.2
    ip http server
    snmp-server community public RO
    snmp-server community public/RO RO
    snmp-server location Brindlee Mountain Tower Site
    snmp-server contact Jamey Wright
    snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
    snmp-server enable traps cluster
    snmp-server enable traps entity
    snmp-server enable traps envmon fan shutdown supply temperature
    snmp-server enable traps vtp
    snmp-server enable traps vlancreate
    snmp-server enable traps vlandelete
    snmp-server enable traps flash insertion removal
    snmp-server enable traps port-security
    snmp-server enable traps config
    snmp-server enable traps syslog
    snmp-server enable traps mac-notification
    snmp-server enable traps vlan-membership
    snmp-server host 1.2.150.100 public  tty envmon syslog snmp
    control-plane
    ntp clock-period 17180143
    ntp server 1.2.150.21
    end
    And this is the config for the remote end.  Port Fa0/24 is the port for the link back to the local end.
    Current configuration : 5058 bytes
    version 12.2
    no service pad
    service timestamps debug datetime localtime show-timezone
    service timestamps log datetime localtime show-timezone
    no service password-encryption
    service sequence-numbers
    hostname GS3550
    enable secret 5 $1$3A.n$lzBUQg.fn4hJ7f0jEOqe71
    no aaa new-model
    clock timezone UTC -6
    clock summer-time UTC recurring
    mls qos map cos-dscp 0 8 16 24 32 46 46 56
    udld aggressive
    ip subnet-zero
    ip routing
    ip domain-name morgan911.net
    ip name-server 1.2.150.11
    spanning-tree mode pvst
    spanning-tree extend system-id
    vlan internal allocation policy ascending
    interface FastEthernet0/1
     switchport access vlan 21
     switchport mode dynamic desirable
     spanning-tree portfast
    interface FastEthernet0/2
     switchport access vlan 21
     switchport mode dynamic desirable
     power inline delay shutdown 20 initial 300
     spanning-tree portfast
    {Removed for Brevity}
    interface FastEthernet0/23
     switchport access vlan 22
     switchport trunk encapsulation dot1q
     switchport mode trunk
     speed 100
     duplex full
     spanning-tree portfast
    interface FastEthernet0/24
     description To Brindlee via Extreme P10
     switchport mode dynamic desirable
    (Is a member of VLAN 1)
     speed 100
     spanning-tree portfast
    interface GigabitEthernet0/1
     switchport trunk encapsulation dot1q
     switchport mode trunk
    interface GigabitEthernet0/2
     switchport mode dynamic desirable
     spanning-tree portfast
    interface Vlan1
     ip address 1.2.147.2 255.255.255.252
    interface Vlan21
     ip address 1.2.165.1 255.255.255.240
     ip helper-address 1.2.150.11
     ip helper-address 1.2.150.5
    interface Vlan22
     ip address 1.2.166.1 255.255.255.240
     ip helper-address 1.2.150.5
     ip helper-address 1.2.150.11
    ip default-gateway 1.2.147.1
    ip classless
    ip route 0.0.0.0 0.0.0.0 1.2.147.1 10
    ip http server
    snmp-server community public RO
    snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
    snmp-server enable traps cluster
    snmp-server enable traps entity
    snmp-server enable traps envmon fan shutdown supply temperature
    snmp-server enable traps vtp
    snmp-server enable traps vlancreate
    snmp-server enable traps vlandelete
    snmp-server enable traps flash insertion removal
    snmp-server enable traps port-security
    snmp-server enable traps config
    snmp-server enable traps hsrp
    snmp-server enable traps bridge newroot topologychange
    snmp-server enable traps syslog
    snmp-server enable traps mac-notification
    snmp-server enable traps vlan-membership
    snmp-server host 1.2.150.100 public  envmon syslog snmp
    control-plane
    ntp clock-period 17180192
    ntp server 1.2.150.21 key 0 prefer
    Ideas?  Anything stand out as grossly wrong?  I have worked on this for 2 days and am at a loss.
    Thanks
    Jamey

    Sorry for the delay in replying.  Other items at the office took priority over this project.  I tried that and no change.  I pulled the switch from the remote site and took it back to the local end and connected the switches with a crossover cable and everything works fine.  I have pretty much determined that it is an issue with the config in one of the Extreme switches.  The config in those look pretty normal but there are a few things I am unsure of.  Guess I'll see if there is a similar site for Extreme gear.
    Thanks
    Jamey

  • Routing Issue with 2 Nics on Windows Server 2008 R2

    Good Day
    My issue is I needed to set up port forwarding for a web server to communicate with our hotel's management server to check availability.
    Initially the server has a single NIC configured in the 172.26.1.0 /24 network, its default gateway is the switch VLAN interface 172.26.1.1
    We have many VLANs for all the systems in the hotel and the server also needs to communicate with 3 other servers on different subnets which it does just fine.
    I now added an additional ADSL line with a managed router which has an interface of 192.168.10.1 /24. My server's second NIC has the IP address 192.168.10.2 with its gateway being the 192.168.10.1
    This 192.168.10.0 network is in a L2 VLAN and the rest of the network does not know it exists. It was working fine then just stopped after I added a static route to the server, which I did with RRAS... I did this as the server could not communicate with just one of the servers..
    If I disable the 172.26.1.0 NIC the port forwarding works but then obviously the rest of the network goes down.. I know it's a routing issue but am lost
    please help

    Hello,
    using multiple default gateways is not a good idea.
    See details in http://support.microsoft.com/kb/159168/en-us
    Best regards
    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://blogs.msmvps.com/MWeber
    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

  • AAA issues with VPN and IPCP?

    Hi,
    I have been struggling to find a solution as to why my L2TP tunnel comes up, but no IP through IPCP is working. I have a few third party VPN providers that I can connect to with no problem. My config is solid as far as the Virtual-PPP interface is concerned. So, as far as the AAA is concerned, here are a few commands that I have used:
    aaa new-model
    aaa authentication login local_auth local
    aaa authentication ppp default none
    So, here are the relevant debugs:
    008940: *Jan  7 15:08:05.543 MDT: Vp1 LCP: Timeout: State Listen
    008941: *Jan  7 15:08:05.543 MDT: AAA/AUTHOR (00000007): Method list id=0 not configured. Skip author
    008942: *Jan  7 15:08:05.543 MDT: Vp1 PPP: Authorization NOT required
    008943: *Jan  7 15:08:05.543 MDT: Vp1 PPP: No remote authentication for call-out
    008944: *Jan  7 15:08:05.543 MDT: Vp1 AAA/AUTHOR/LCP: Authorization succeeds trivially
    008945: *Jan  7 15:08:05.543 MDT: Vp1 LCP: O CONFREQ [Listen] id 142 len 10
    008946: *Jan  7 15:08:05.543 MDT: Vp1 LCP:    MagicNumber 0x1A220FED (0x05061A220FED)
    Cisco3825#
    008947: *Jan  7 15:08:07.559 MDT: Vp1 LCP: Timeout: State REQsent
    008948: *Jan  7 15:08:07.559 MDT: Vp1 LCP: O CONFREQ [REQsent] id 143 len 10
    008949: *Jan  7 15:08:07.559 MDT: Vp1 LCP:    MagicNumber 0x1A220FED (0x05061A220FED)
    Cisco3825#
    008950: *Jan  7 15:08:09.575 MDT: Vp1 LCP: Timeout: State REQsent
    008951: *Jan  7 15:08:09.575 MDT: Vp1 LCP: O CONFREQ [REQsent] id 144 len 10
    008952: *Jan  7 15:08:09.575 MDT: Vp1 LCP:    MagicNumber 0x1A220FED (0x05061A220FED)
    Cisco3825#
    008953: *Jan  7 15:08:11.591 MDT: Vp1 LCP: Timeout: State REQsent
    008954: *Jan  7 15:08:11.591 MDT: Vp1 LCP: O CONFREQ [REQsent] id 145 len 10
    008955: *Jan  7 15:08:11.591 MDT: Vp1 LCP:    MagicNumber 0x1A220FED (0x05061A220FED)
    Cisco3825#
    008956: *Jan  7 15:08:13.607 MDT: Vp1 LCP: Timeout: State REQsent
    008957: *Jan  7 15:08:13.607 MDT: Vp1 LCP: O CONFREQ [REQsent] id 146 len 10
    008958: *Jan  7 15:08:13.607 MDT: Vp1 LCP:    MagicNumber 0x1A220FED (0x05061A220FED)
    008959: *Jan  7 15:08:13.691 MDT: Vp1 LCP: I CONFREQ [REQsent] id 0 len 8
    008960: *Jan  7 15:08:13.691 MDT: Vp1 LCP:    AuthProto PAP (0x0304C023)
    008961: *Jan  7 15:08:13.691 MDT: Vp1 LCP: O CONFACK [REQsent] id 0 len 8
    008962: *Jan  7 15:08:13.691 MDT: Vp1 LCP:    AuthProto PAP (0x0304C023)
    008963: *Jan  7 15:08:13.691 MDT: Vp1 LCP: State is Open
    008964: *Jan  7 15:08:13.691 MDT: Vp1 PPP: Phase is AUTHENTICATING, by the peer
    Cisco3825#
    008965: *Jan  7 15:08:13.691 MDT: AAA/AUTHEN/PPP (00000007): Pick method list 'default'
    008966: *Jan  7 15:08:13.691 MDT: Vp1 LCP: I CONFREJ [Open] id 146 len 10
    008967: *Jan  7 15:08:13.691 MDT: Vp1 LCP:    MagicNumber 0x1A220FED (0x05061A220FED)
    008968: *Jan  7 15:08:13.691 MDT: Vp1 LCP: O CONFREQ [ACKsent] id 147 len 4
    008969: *Jan  7 15:08:13.775 MDT: Vp1 LCP: I CONFACK [ACKsent] id 147 len 4
    008970: *Jan  7 15:08:13.775 MDT: Vp1 LCP: State is Open
    008971: *Jan  7 15:08:13.775 MDT: AAA/AUTHEN/PPP (00000007): Pick method list 'default'
    Cisco3825#
    008972: *Jan  7 15:08:23.783 MDT: Vp1 AUTH: Timeout 1
    Cisco3825#
    008973: *Jan  7 15:08:33.799 MDT: Vp1 AUTH: Timeout 2
    Cisco3825#
    008974: *Jan  7 15:08:43.815 MDT: Vp1 AUTH: Timeout 3
    Cisco3825#
    008975: *Jan  7 15:08:53.831 MDT: Vp1 AUTH: Timeout 4
    Cisco3825#
    008976: *Jan  7 15:09:03.847 MDT: Vp1 AUTH: Timeout 5
    Cisco3825#
    008977: *Jan  7 15:09:07.356 MDT: Vp1 PPP: Outbound ip packet dropped
    Cisco3825#
    008978: *Jan  7 15:09:13.864 MDT: Vp1 AUTH: Timeout 6
    Cisco3825#
    008979: *Jan  7 15:09:17.356 MDT: Vp1 PPP: Outbound ip packet dropped
    Cisco3825#
    008980: *Jan  7 15:09:23.880 MDT: Vp1 AUTH: Timeout 7
    Cisco3825#
    008981: *Jan  7 15:09:27.356 MDT: Vp1 PPP: Outbound ip packet dropped
    Cisco3825#
    008982: *Jan  7 15:09:33.896 MDT: Vp1 AUTH: Timeout 8
    Cisco3825#
    008983: *Jan  7 15:09:37.356 MDT: Vp1 PPP: Outbound ip packet dropped
    Cisco3825#
    008984: *Jan  7 15:09:43.912 MDT: Vp1 AUTH: Timeout 9
    Cisco3825#
    008985: *Jan  7 15:09:47.356 MDT: Vp1 PPP: Outbound ip packet dropped
    Cisco3825#
    008986: *Jan  7 15:09:53.928 MDT: Vp1 AUTH: Timeout 10
    Cisco3825#
    008987: *Jan  7 15:09:57.356 MDT: Vp1 PPP: Outbound ip packet dropped
    Cisco3825#
    008988: *Jan  7 15:10:03.944 MDT: Vp1 AUTH: Timeout 11
    008989: *Jan  7 15:10:03.944 MDT: Vp1 PPP: Sending Acct Event[Down] id[7]
    008990: *Jan  7 15:10:03.944 MDT: AAA/ACCT/EVENT/(00000007): NET DOWN
    008991: *Jan  7 15:10:03.944 MDT: AAA/ACCT/NET(00000007): Method list not found
    008992: *Jan  7 15:10:03.944 MDT: AAA/ACCT(00000007): del node, session 4
    008993: *Jan  7 15:10:03.944 MDT: AAA/ACCT/NET(00000007): free_rec, count 0
    008994: *Jan  7 15:10:03.944 MDT: AAA/ACCT/NET(00000007) reccnt 0, csr FALSE, osr 0
    008995: *Jan  7 15:10:03.944 MDT: AAA/ACCT/HC(00000007): Update Vp1
    008996: *Jan  7 15:10:03.944 MDT: AAA/ACCT/HC(00000007): Vp1 [pre-sess] (rx/tx) base 2114/15028 pre 15468/32490 call 15468/32490
    008997: *Jan  7 15:10:03.944 MDT: AAA/ACCT/HC(00000007): Vp1 [pre-sess] (rx/tx) adjusted, pre 13354/17462 call 0/0
    008998: *Jan  7 15:10:03.944 MDT: AAA/ACCT/HC(00000007): Update Vp1
    008999: *Jan  7 15:10:03.944 MDT: AAA/ACCT/HC(00000007): Vp1 [sess] (rx/tx) base 2114/15028
    Cisco3825# pre 15468/32490 call 15468/32490
    009000: *Jan  7 15:10:03.944 MDT: AAA/ACCT/HC(00000007): Vp1 [sess] (rx/tx) adjusted, pre 13354/17462 call 0/0
    009001: *Jan  7 15:10:03.944 MDT: AAA/ACCT/HC(00000007): Deregister Vp1
    009002: *Jan  7 15:10:03.944 MDT: Vp1 PPP: Phase is TERMINATING
    009003: *Jan  7 15:10:03.944 MDT: Vp1 LCP: O TERMREQ [Open] id 148 len 4
    009004: *Jan  7 15:10:03.944 MDT: AAA/ACCT/EVENT/(00000007): CALL STOP
    009005: *Jan  7 15:10:03.944 MDT: AAA/ACCT(00000007) reccnt 0, osr 0
    009006: *Jan  7 15:10:04.028 MDT: Vp1 LCP: I TERMACK [TERMsent] id 148 len 4
    009007: *Jan  7 15:10:04.028 MDT: Vp1 LCP: State is Closed
    009008: *Jan  7 15:10:04.028 MDT: Vp1 PPP: Phase is DOWN
    009009: *Jan  7 15:10:04.028 MDT: Vp1 PPP: Phase is ESTABLISHING, Passive Open
    009010: *Jan  7 15:10:04.028 MDT: Vp1 LCP: State is Listen
    Cisco3825#
    009011: *Jan  7 15:10:06.024 MDT: Vp1 LCP: Timeout: State Listen
    009012: *Jan  7 15:10:06.024 MDT: AAA/BIND(00000009): Bind i/f Virtual-PPP1
    009013: *Jan  7 15:10:06.024 MDT: AAA/ACCT/HC(00000009): Register Vp1 100Mbit/s, poll every 5m 0s
    009014: *Jan  7 15:10:06.024 MDT: AAA/ACCT/HC(00000009): Update Vp1
    009015: *Jan  7 15:10:06.024 MDT: AAA/ACCT/HC(00000009): Vp1 [init-sess] (rx/tx) base 15474/32498 pre 15474/32498 call 15474/32498
    009016: *Jan  7 15:10:06.024 MDT: AAA/ACCT/HC(00000009): Vp1 [init-sess] (rx/tx) adjusted, pre 0/0 call 0/0
    009017: *Jan  7 15:10:06.024 MDT: AAA/ACCT/EVENT/(00000009): CALL START
    009018: *Jan  7 15:10:06.024 MDT: Getting session id for NET(00000009) : db=6902396C
    009019: *Jan  7 15:10:06.024 MDT: AAA/ACCT(00000000): add node, session 6
    009020: *Jan  7 15:10:06.024 MDT: AAA/ACCT/NET(00000009): add, count 1
    009021: *Jan  7 15:10:06.024 MDT: Getting session id for NONE(00000009) : db=6902396C
    009022: *Jan  7 15:10:06.024 MDT: AAA/AUTHOR (0000
    Cisco3825#0009): Method list id=0 not configured. Skip author
    009023: *Jan  7 15:10:06.024 MDT: Vp1 PPP: Authorization NOT required
    009024: *Jan  7 15:10:06.024 MDT: Vp1 PPP: No remote authentication for call-out
    009025: *Jan  7 15:10:06.024 MDT: Vp1 AAA/AUTHOR/LCP: Authorization succeeds trivially
    009026: *Jan  7 15:10:06.024 MDT: Vp1 LCP: O CONFREQ [Listen] id 149 len 10
    009027: *Jan  7 15:10:06.024 MDT: Vp1 LCP:    MagicNumber 0x1A23E698 (0x05061A23E698)
    009028: *Jan  7 15:10:06.108 MDT: Vp1 LCP: I CONFREJ [REQsent] id 149 len 10
    009029: *Jan  7 15:10:06.108 MDT: Vp1 LCP:    MagicNumber 0x1A23E698 (0x05061A23E698)
    009030: *Jan  7 15:10:06.108 MDT: Vp1 LCP: O CONFREQ [REQsent] id 150 len 4
    009031: *Jan  7 15:10:06.192 MDT: Vp1 LCP: I CONFACK [REQsent] id 150 len 4
    Cisco3825#
    009032: *Jan  7 15:10:07.356 MDT: Vp1 PPP: Outbound ip packet dropped
    009033: *Jan  7 15:10:08.104 MDT: Vp1 LCP: Timeout: State ACKrcvd
    009034: *Jan  7 15:10:08.104 MDT: Vp1 LCP: O CONFREQ [ACKrcvd] id 151 len 4
    009035: *Jan  7 15:10:08.188 MDT: Vp1 LCP: I CONFACK [REQsent] id 151 len 4
    Cisco3825#
    009036: *Jan  7 15:10:10.120 MDT: Vp1 LCP: Timeout: State ACKrcvd
    009037: *Jan  7 15:10:10.120 MDT: Vp1 LCP: O CONFREQ [ACKrcvd] id 152 len 4
    009038: *Jan  7 15:10:10.204 MDT: Vp1 LCP: I CONFACK [REQsent] id 152 len 4
    Cisco3825#show
    009039: *Jan  7 15:10:12.136 MDT: Vp1 LCP: Timeout: State ACKrcvd
    009040: *Jan  7 15:10:12.136 MDT: Vp1 LCP: O CONFREQ [ACKrcvd] id 153 len 4
    009041: *Jan  7 15:10:12.216 MDT: Vp1 LCP: I CONFACK [REQsent] id 153 len 4
    Cisco3825#show l2tp
    009042: *Jan  7 15:10:14.152 MDT: Vp1 LCP: Timeout: State ACKrcvd
    009043: *Jan  7 15:10:14.152 MDT: Vp1 LCP: O CONFREQ [ACKrcvd] id 154 len 4
    009044: *Jan  7 15:10:14.232 MDT: Vp1 LCP: I CONFACK [REQsent] id 154 len 4
    Cisco3825#show l2tp
    L2TP Tunnel and Session Information Total tunnels 1 sessions 1
    LocTunID   RemTunID   Remote Name   State  Remote Address  Sessn L2TP Class/
                                                               Count VPDN Group
    37822      1          xxxxxxxxxxxx est    xxx.xxx.xxx.xxx  1     l2tp_default_cl
    LocID      RemID      TunID      Username, Intf/      State  Last Chg Uniq ID
                                     Vcid, Circuit
    124        1          37822      1, Vp1               est    00:02:03 1
    Here are a couple things I noticed:
    009001: *Jan  7 15:10:03.944 MDT: AAA/ACCT/HC(00000007): Deregister Vp1
    008990: *Jan  7 15:10:03.944 MDT: AAA/ACCT/EVENT/(00000007): NET DOWN
    I don't have this issue with other providers.  I don't have the whole radius / tacacs things setup as it's not necessary for our needs.
    Ideas?
    Thanks for the help.
    Jason

    Hi,
    To resolve your issue as soon as possible, please post your question on the Forefront TMG forum:
    http://social.technet.microsoft.com/Forums/en-US/home?forum=Forefrontedgegeneral
    Steven Lee
    TechNet Community Support

  • Router issues with MBP C2D

    I have a new C2D MBP, and my Linksys WRT54G router will not work with it. When I plug the wall ethernet cable into my MBP, the IP address and all that info gets filled in and I can access the internet. But when I try to connect to the router using wifi or ethernet cable, no IP address is assigned to the MBP, and I can't access the internet. This was not an issue with my old MBP where I just turned the wifi on and it connected.
    What is causing this?
    Thanks

    I had similar problems with a WRT54G Linksys Router, and after a bunch of searching, I found that there is a problem with the latest firmware on the router. I downgraded the firmware as the post recommended (Linksys Forum) and now all my macs can connect.
    Here's a link to the post I found on the Linksys site that solved my problems:
    http://forums.linksys.com/linksys/board/message?board.id=Wireless_Routers&message.id=10007#M10007

  • Issues with vpn connection thru ATT DSL

    Hi I hope someone can help me out...
    At work we use Cisco VPN Client Version 4.8.02.0010
    Everyone (about 18 people) can connect to it from their homes. For some reason I am the only member who can not connect.
    I am trying to connect via ATT DSL and Cisco VPN Client shows that I am connected, however,
    I have no access to any of the networks from work.
    I have tried connecting using Cox Cable from a friend's home and it connects just fine.
    I have read many threads online that indicate that this is a common occurrence with ATT DSL users but I have not found the fix.
    I am using modem/router type 2701 HG-B
    Any feedback will be greatly appreciated.
    Thank you,

    Make sure the encryption and parameters such as VPN group are negotiated properly between the client and the server. Refer to http://cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml for the most commonly occurring VPN issues. Contact ATT for configuring their servers.

  • Routing Experts please help with below LAN routing issue with NAT

    Hello Experts,
    I have a weird situation and requirement.
    The existing setup is -
    We have an email/ticketing server hosted in the LAN which is reachable on the publicly NAT'ed IP with respective port numbers of 89 & 443. We have LAN & servers on the same subnet. The internet is with public DHCP IP assigned by ISP (/29). We use the Linksys router GUI for NAT settings (attached). We are using the same public IP for the server NAT & user NAT.
    We tried to refresh our network by separating the subnets for LAN users & servers. We used the Cisco 3845 router to create sub-interfaces in the LAN and configure respective subnets. Now both user subnet and server subnet are connecting to the Internet with same public IP (static NAT for servers & dynamic for users). We can connect to the server IP from the Internet and it resolves fine. However user LAN subnet cannot connect to the server if we try the URL. Users can access the Internet fine.
    Please find attached short diagram and below configuration and please give your inputs to solve this.
    Cisco 3845 router
    access-list 1 permit 10.155.60.0 0.0.0.255
    access-list 2 permit 10.155.61.0 0.0.0.255
    access-list 3 permit 10.155.62.0 0.0.0.255
    ip nat inside source list 1 int g0/0 overload
    ip nat inside source list 2 int g0/0 overload
    ip nat inside source list 3 int g0/0 overload
    int g0/0
    ip add 8.8.8.8 255.255.255.248
    ip nat outside
    no shut
    int g0/1
    description Trunk-to-Switch
    no shut
    int g0/1.60
    description User vlan
    ip add 10.155.60.1 255.255.255.0
    encapsulation dot1q 60
    ip nat inside
    int g0/1.62
    description Server vlan
    ip add 10.155.62.1 255.255.255.0
    encapsulation dot1q 62
    ip nat inside
    exit
    aaa new-model
    aaa authentication login default local
    aaa authentication login vpn_xauth_ml_1 local
    aaa authentication login sslvpn local
    aaa authorization network vpn_group_ml_1 local
    aaa session-id common
    acl 120
    max-users 10
    exit
    !access-list 120 remark ==[Cisco VPN Users]==
    access-list 120 permit ip any host 192.168.0.10
    access-list 120 permit ip any host 192.168.0.11
    access-list 120 permit ip any host 192.168.0.12
    access-list 120 permit ip any host 192.168.0.13
    access-list 120 permit ip any host 192.168.0.14
    access-list 120 permit ip any host 192.168.0.15
    access-list 120 permit ip any host 192.168.0.16
    access-list 120 permit ip any host 192.168.0.17
    access-list 120 permit ip any host 192.168.0.18
    access-list 120 permit ip any host 192.168.0.19
    no access-list 100
    access-list 100 remark [Deny NAT for VPN Clients]=-
    access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.10
    access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.11
    access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.12
    access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.13
    access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.14
    access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.15
    access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.16
    access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.17
    access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.18
    access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.19
    access-list 100 remark
    access-list 100 remark -=[Internet NAT Service]=-
    access-list 100 permit ip 192.168.0.0 0.0.0.255 any
    exit
    ip nat inside source static tcp 10.155.62.55 21 8.8.8.8 21
    ip nat inside source static tcp 10.155.62.55 88 8.8.8.8 88
    ip nat inside source static udp 10.155.62.55 88 8.8.8.8 88
    ip nat inside source static tcp 10.155.62.84 3389 8.8.8.8 3389
    ip nat inside source static udp 10.155.62.84 3389 8.8.8.8 3389
    ip nat inside source static tcp 10.155.62.98 80 8.8.8.8 80
    ip nat inside source static udp 10.155.62.98 80 8.8.8.8 80
    ip nat inside source static tcp 10.155.62.98 443 8.8.8.8 443
    ip nat inside source static udp 10.155.62.98 443 8.8.8.8 443
    ip nat inside source static tcp 10.155.62.98 25 8.8.8.8 25
    ip nat inside source static udp 10.155.62.98 25 8.8.8.8 25
    ip nat inside source static tcp 10.155.62.84 8080 8.8.8.8 89
    ip nat inside source static udp 10.155.62.84 8080 8.8.8.8 89
    ip nat inside source static tcp 10.155.62.84 9005 8.8.8.8 9005
    ip nat inside source static udp 10.155.62.84 9005 8.8.8.8 9005
    ip nat inside source static tcp 10.155.62.84 135 8.8.8.8 135
    ip nat inside source static udp 10.155.62.84 135 8.8.8.8 135
    ip nat inside source static tcp 10.155.62.84 139 8.8.8.8 139
    ip nat inside source static udp 10.155.62.84 139 8.8.8.8 139
    ip nat inside source static tcp 10.155.62.84 445 8.8.8.8 445
    ip nat inside source static udp 10.155.62.84 445 8.8.8.8 445
    ip nat inside source static tcp 10.155.62.84 90 8.8.8.8 465
    ip nat inside source static udp 10.155.62.84 90 8.8.8.8 465
    ip nat inside source static tcp 10.155.62.143 3381 8.8.8.8 3381
    ip nat inside source static udp 10.155.62.143 3381 8.8.8.8 3381
    ip nat inside source static tcp 10.155.62.46 8081 8.8.8.8 91
    ip nat inside source static udp 10.155.62.46 8081 8.8.8.8 91
    ip http server
    ip http authentication local
    no ip http secure-server
    ip http path flash:/cme-gui-7.1.0.1
    file privilege 0
    telephony-service
    dn-webedit
    time-webedit
    transport input ssh
    line con 0
    line vty 0 15
    login local
    ntp server ntp.first2know.net
    clock timezone gmt 0
    clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
    ntp update-calendar
    ntp master
    =========================================================================================================================================
    Cisco 3750 Config;
    vlan 60
    name User
    vlan 61
    name Voice
    vlan 62
    name Server
    exit
    interface g1/0/1
    description Trunk-to-Router
    switchport trunk encapsulation dot1q
    switchport mode trunk
    spanning-tree portfast trunk
    interface vlan 60
    description User Vlan
    ip add 10.155.60.2 255.255.255.0
    interface vlan 61
    description Voice Vlan
    ip add 10.155.61.2 255.255.255.0
    interface vlan 62
    description Server Vlan
    ip add 10.155.62.2 255.255.255.0
    service dhcp
    ip dhcp pool Users
    network 10.155.60.0 255.255.255.0
    default-router 10.155.60.1
    dns server 4.2.2.2
    ip dhcp pool Voice
    network 10.155.61.0 255.255.255.0
    dns server 4.2.2.2
    exit
    ip dhcp excluded-address 10.155.60.1 10.155.60.2 10.155.60.3
    ip dhcp excluded-address 10.155.61.1 10.155.61.2
    interface range g1/0/2 - 1/0/21
    switchport mode access
    switchport access vlan 60
    switchport access vlan 61
    exit
    exit
    interface range g1/0/22 - 1/0/26
    switchport mode access
    switchport access vlan 62
    exit
    Thanks,
    Deepak
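As an added review helper (not from the thread or the poster's config), this Python snippet parses the `ip nat inside source static` lines above into a public-socket table and flags entries a defender would want to look at: Windows services (135/139/445, RDP), cleartext FTP, and port remaps such as public 89 -> inside 8080. The risky-port list is the reviewer's own assumption, not something the post states; the embedded config is a copied subset of the poster's lines.

```python
import re

# Subset of the static port-forwarding lines copied from the posted 3845 config.
CONFIG = """
ip nat inside source static tcp 10.155.62.55 21 8.8.8.8 21
ip nat inside source static tcp 10.155.62.98 80 8.8.8.8 80
ip nat inside source static tcp 10.155.62.98 443 8.8.8.8 443
ip nat inside source static tcp 10.155.62.84 8080 8.8.8.8 89
ip nat inside source static udp 10.155.62.84 8080 8.8.8.8 89
ip nat inside source static tcp 10.155.62.84 3389 8.8.8.8 3389
ip nat inside source static tcp 10.155.62.84 135 8.8.8.8 135
ip nat inside source static tcp 10.155.62.84 139 8.8.8.8 139
ip nat inside source static tcp 10.155.62.84 445 8.8.8.8 445
ip nat inside source static tcp 10.155.62.84 90 8.8.8.8 465
"""

STATIC_RE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)$")

# Services that should normally not face the internet (assumption: reviewer's policy list).
RISKY = {("tcp", 135): "MS-RPC", ("tcp", 139): "NetBIOS-SSN", ("tcp", 445): "SMB",
         ("tcp", 3389): "RDP", ("tcp", 21): "FTP (cleartext)"}


def parse_static_nat(text):
    """Return a list of (proto, inside_ip, inside_port, outside_ip, outside_port)."""
    entries = []
    for line in text.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            proto, iip, iport, oip, oport = m.groups()
            entries.append((proto, iip, int(iport), oip, int(oport)))
    return entries


def exposure_report(entries):
    """Map each public (proto, ip, port) to its inside target; flag duplicates, risky ports, remaps."""
    by_public = {}
    findings = []
    for proto, iip, iport, oip, oport in entries:
        key = (proto, oip, oport)
        if key in by_public:
            findings.append(f"duplicate public socket {proto}/{oip}:{oport}")
        by_public[key] = (iip, iport)
        if (proto, oport) in RISKY:
            findings.append(f"{RISKY[(proto, oport)]} exposed: {proto}/{oip}:{oport} -> {iip}:{iport}")
        if iport != oport:
            findings.append(f"port remap {proto}/{oip}:{oport} -> {iip}:{iport}")
    return by_public, findings


if __name__ == "__main__":
    table, notes = exposure_report(parse_static_nat(CONFIG))
    print("\n".join(notes))
```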

    One more thing I should clarify the route I am putting into the 10.10.1.9 server is
    route add 10.1.6.0 mask 255.255.255.0 10.10.1.250, which tells the server to bypass the ASA and go directly to the ISP router (then I can successfully tracert everything). The big question here is how to make the inside ASA connection 10.10.1.1 force all traffic to 10.10.1.250.
    Thanks in advance.

  • NImDNSResponder and NILXIDiscovery cause issues with VPN & system

    The two windows processes nimDNSResponder.exe and niLxiDiscovery.exe are installed after installing LabView 8.6.  They run automatically in the background, but have negative effects on system performance.  DNSResponder corrupts the routing table, thus rendering Juniper VPN inoperative.  If that process is stopped niLxiDiscovery begins to consume computing resources (>80% of processor time).  If both processes are stopped, the PC & VPN seem to run normally.  I uninstalled and reinstalled LV 8.6, and have the same results - apparently it wasn't a corruption at install.  Can you direct me to the parts of LV that I must un-install to eliminate the issues associated with these processes?
    Thank you,
    ...jerry

    Related Post
    Spex
    National Instruments
    To the pessimist, the glass is half empty; to the optimist, the glass is half full; to the engineer, the glass is twice as big as it needs to be...

  • Routing issue with dual Ethernet NICs - Internal/External Configuration under Windows 8.1 - what am I doing wrong ?

    I have a PC hosting Windows 8.1, attached to two networks. One leads to the internet and uses the private IP address (172.*); the other is purely internal (also using the private address 198.*) but has no internet connectivity. I'm finding that if I don't disable my internal NIC, I can't access any internet sites. Is this a bug, or have I not done something correctly?
    I have also, a Windows 7 PC, attached to the same Networks, and it exhibits no issues when connecting to either the internet or to internal locations.
    (Both are Enterprise builds, though only across a Windows for Workgroups network).
    Can anyone tell me what I need to be doing with Windows 8.1 please, to make both internal & external network connectivity work as is the case with Windows 7 ?
    I'm only running IPv4, and both Wired Networks have at their respective ends, Routers that support DHCP & NAT. Though the internal Router's external port is not connected to anything.
    Thanks in advance...

    Hi,
    Can you tell me what you have tried so far and how you set it up?
    Firstly, please update all network adapter drivers.
    After that, do the following:
    1. Open the Command Prompt (Admin).
    2. Run "ipconfig /all" to check your NICs' IP information.
    3. Use the route command to tell the computer which interface you want the packets to leave from.
    Assuming Network A is...
    10.10.11.0 /24
    Router is 10.10.10.1
    and Network B is...
    10.10.12.0 /24
    Router is 10.10.10.2
    then use this command:
    route add 10.10.11.0 mask 255.255.255.0 10.10.10.1 -p
    route add 10.10.12.0 mask 255.255.255.0 10.10.10.2 -p
    Hope this helps.
    Karen Hu
    TechNet Community Support

  • Routing issue with Nokia Drive on Lumia 900

    So I finally tried to use Nokia Drive on a real trip (in New Jersey, USA) and I've noticed that the software often seems stuck on returning you to the originally plotted route when you deviate from it, instead of finding the best remaining route based on the new location. I'll give details for my particular trip in case this is a local issue.
    We decided to take the NJ Turnpike to Route 18 to River Road to Interstate 287 instead of 295 to 206 to 287 as Nokia Drive recommended (the routes are roughly equivalent in travel time, so I don't fault this initial route selection). When we entered the Turnpike, the new route kept trying to get us to 295 until we passed Exit 7 (in reality, past Exit 5 there is a considerable penalty to getting off the turnpike and onto I-295).
    Finally, after Exit 7 it decided we should stay on the turnpike and get to 287 directly using Exit 10 (this too is roughly equivalent in travel time, so it was a reasonable suggestion). Once we took Exit 9 to Route 18 instead, it picked a different route than the one we are familiar with, and this is where the biggest problem occurred. The route it suggested would enter 287 North at Exit 7, while the route we took entered 287 at Exit 9. It kept insisting we get back on its route and get on at Exit 7, to the point that when we were about to enter 287 at Exit 9, it told us to get onto 287 *south* and take it to Exit 7, where we would exit the highway and immediately re-enter it northbound. This is ridiculous and should never have been suggested.
    Am I right in my assessment that the software tries to stick to the original route instead of calculating a new one on the spot? What possible advantage can there be in doing it this way?
    Thanks in advance,
    Boris

    Here is a quite stupid example on route recalculation and how it tries to return to the route originally suggested. The recalculated route suggests that I turn right, drive a few meters and then make a U-turn. The error is not in map data itself. The other picture shows that turning left is not forbidden.
    Fonero
    (Lumia 820, 8.0.10328.78, 3047.0000.1328.0003, Here Drive+ 3.0.4121.0, map 8.30.51.121)
    Attachments:
    MapsRoute.jpg (15 KB)
    MapsRoute2.jpg (15 KB)
