RV082 - SRP527W - VPN behind NAT not working
Hello,
I have really strange behavior with my routers. We managed to get things running, but once a week the VPN link is down.
The connection does not restart; both routers show "connected" but are not, and we had to click on "disconnect" to get the link back.
That was before an update in our infrastructure. Now, both routers are behind routers, so both are behind NAT.
Now, the connection works for some time, but once a week the link disconnects and I'm unable to get it back! NOTHING works.
Last time, I spent 2 hours configuring the link again, setting the same parameters almost 10 times, and suddenly, by magic, the 11th time it worked again. I read that many people have trouble with RVXXX firmware, so I don't know what to think.
Anyway, my BIG concern now is that the link is down again, and it has been 6 hours that we can't get it back. I restarted the routers many times and made some changes in the configuration, but if it worked, why should I modify it? Why is it not working anymore?
The log for the RV082 is almost empty about the link. Here's a snippet :
Feb 10 19:01:52 2014  VPN Log     (g2gips0) #8: initiating Main Mode
Feb 10 19:01:52 2014  VPN Log     (g2gips0) #8: [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet
Feb 10 19:01:52 2014  VPN Log     (g2gips0) #8: [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet
Feb 10 19:01:52 2014  System Log  gateway_to_gateway.htm is changed.
Feb 10 19:09:08 2014  VPN Log     (g2gips0): deleting connection
Feb 10 19:09:08 2014  VPN Log     (g2gips0) #8: deleting state (STATE_MAIN_I1)
Feb 10 19:09:08 2014  VPN Log     added connection description (g2gips0)
Feb 10 19:09:08 2014  VPN Log     listening for IKE messages
Feb 10 19:09:08 2014  VPN Log     forgetting secrets
Feb 10 19:09:08 2014  VPN Log     loading secrets from '/etc/ipsec.d/ipsec.secrets'
Feb 10 19:09:09 2014  System Log  gateway_to_gateway.htm is changed.
The log for the SRP527W is full of this :
Dump pluto log message in syslog : cat /var/log/messages |grep pluto
Jan 1 02:29:39 TLSR0254 authpriv.warn pluto[1156]: "G2" #187: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan 1 02:29:39 TLSR0254 authpriv.warn pluto[1156]: "G2" #187: STATE_MAIN_R1: sent MR1, expecting MI2
Jan 1 02:30:09 TLSR0254 authpriv.warn pluto[1156]: "G2" #186: max number of retransmissions (2) reached STATE_MAIN_R1
Jan 1 02:30:19 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [RFC 3947] method set to=109
Jan 1 02:30:19 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Jan 1 02:30:19 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Jan 1 02:30:19 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jan 1 02:30:19 TLSR0254 authpriv.warn pluto[1156]: "G2" #188: responding to Main Mode
Jan 1 02:30:19 TLSR0254 authpriv.warn pluto[1156]: "G2" #188: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan 1 02:30:19 TLSR0254 authpriv.warn pluto[1156]: "G2" #188: STATE_MAIN_R1: sent MR1, expecting MI2
Jan 1 02:30:25 TLSR0254 authpriv.warn pluto[1156]: pending Quick Mode with 37.1.XXX.XXX "G2" took too long -- replacing phase 1
Jan 1 02:30:25 TLSR0254 authpriv.warn pluto[1156]: "G2" #189: initiating Main Mode to replace #185
Jan 1 02:30:49 TLSR0254 authpriv.warn pluto[1156]: "G2" #187: max number of retransmissions (2) reached STATE_MAIN_R1
Jan 1 02:30:59 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [RFC 3947] method set to=109
Jan 1 02:30:59 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Jan 1 02:30:59 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Jan 1 02:30:59 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jan 1 02:30:59 TLSR0254 authpriv.warn pluto[1156]: "G2" #190: responding to Main Mode
Please help me to get things sorted. I just don't understand why nothing is written in the log about the SRP trying to make a connection. I also don't understand why suddenly the link is broken, and without changing anything, it can't get it back normally !!
Best Regards
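An added example, not part of the original post and not Cisco or Openswan code: a small Python parser for pluto records like the SRP527W output above (including records fused without line breaks) that reports which IKE Main Mode exchanges timed out and which message each one was still waiting for. The sample input is constructed from the post's log format with a documentation peer address, and the function names are this example's own.

```python
import re

# pluto Main Mode states and the message each one is still waiting for.
WAITING_FOR = {
    "STATE_MAIN_I1": "MR1", "STATE_MAIN_R1": "MI2",
    "STATE_MAIN_I2": "MR2", "STATE_MAIN_R2": "MI3",
    "STATE_MAIN_I3": "MR3",
}

TS_RE = re.compile(
    r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) +\d{1,2} \d{2}:\d{2}:\d{2} ")
MSG_RE = re.compile(r"pluto\[\d+\]: (.*)$", re.S)
PEER_RE = re.compile(r"packet from (\S+):(\d+): ")
SA_RE = re.compile(r'"([^"]+)" #(\d+): (.*)$', re.S)
TRANSITION_RE = re.compile(r"transition from state \S+ to state (STATE_\w+)")
TIMEOUT_RE = re.compile(r"max number of retransmissions \(\d+\) reached (STATE_\w+)")
STATUS_RE = re.compile(r"(STATE_\w+): ")

# Constructed sample: same record format as the post, deliberately fused without
# newlines; 192.0.2.10 is a documentation address standing in for the peer.
SAMPLE = "".join(ts + " TLSR0254 authpriv.warn pluto[1156]: " + msg for ts, msg in [
    ("Jan 1 02:29:39", "packet from 192.0.2.10:500: received Vendor ID payload "
                       "[RFC 3947] method set to=109 "),
    ("Jan 1 02:29:39", '"G2" #187: responding to Main Mode'),
    ("Jan 1 02:29:39", '"G2" #187: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1'),
    ("Jan 1 02:29:39", '"G2" #187: STATE_MAIN_R1: sent MR1, expecting MI2'),
    ("Jan 1 02:30:25", '"G2" #189: initiating Main Mode to replace #185'),
    ("Jan 1 02:30:49", '"G2" #187: max number of retransmissions (2) reached STATE_MAIN_R1'),
])


def split_records(text):
    """Cut the text at every syslog timestamp, so fused records are separated."""
    starts = [m.start() for m in TS_RE.finditer(text)]
    return [text[a:b].strip() for a, b in zip(starts, starts[1:] + [len(text)])]


def summarize(text):
    """Return per-SA role/state/timeout plus the (peer, port) pairs packets came from."""
    sas, peer_ports = {}, set()
    for rec in split_records(text):
        m = MSG_RE.search(rec)
        if not m:
            continue
        msg = m.group(1)
        peer = PEER_RE.match(msg)
        if peer:  # Vendor ID lines carry the peer address and UDP source port
            peer_ports.add((peer.group(1), int(peer.group(2))))
            continue
        s = SA_RE.match(msg)
        if not s:
            continue
        conn, num, body = s.group(1), int(s.group(2)), s.group(3)
        sa = sas.setdefault(
            num, {"conn": conn, "role": None, "state": None, "timed_out": False})
        if body.startswith("responding to Main Mode"):
            sa["role"] = "responder"
        elif body.startswith("initiating Main Mode"):
            sa["role"] = "initiator"
            sa["state"] = "STATE_MAIN_I1"  # first packet sent, reply awaited
        hit = TRANSITION_RE.search(body) or STATUS_RE.match(body)
        if hit:
            sa["state"] = hit.group(1)
        timeout = TIMEOUT_RE.search(body)
        if timeout:
            sa["state"] = timeout.group(1)
            sa["timed_out"] = True
    return {"sas": sas, "peer_ports": peer_ports}


def stalled(text):
    """List (sa_number, role, state, awaited_message) for exchanges that timed out."""
    out = []
    for num, sa in sorted(summarize(text)["sas"].items()):
        if sa["timed_out"]:
            out.append((num, sa["role"], sa["state"],
                        WAITING_FOR.get(sa["state"], "?")))
    return out


if __name__ == "__main__":
    for num, role, state, awaited in stalled(SAMPLE):
        print("#%d (%s) gave up in %s, still waiting for %s" % (num, role, state, awaited))
    print("packets seen from:", sorted(summarize(SAMPLE)["peer_ports"]))
```

In the sample, #187 is a responder that sent MR1 and never received MI2, the mirror image of an initiator left in STATE_MAIN_I1 as in the RV082 log. MR1 and MI2 both travel on UDP 500; the NAT-T switch to UDP 4500 only happens later in Main Mode.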
Hi again,
Samir, I rebooted all the routers dozens of times when that happened, and it didn't change anything. Anyway, I called the Cisco Hotline. They could connect by VPN to the RV082, but not the SRP; they didn't know why. Hardware or software failure.
Anyway, I bought another router.
Now I would like to use the SRP527W as a WIFI hotspot only. It doesn't work.
My settings are:
- Router defined as BRIDGE only (using Port lan 4 as Ethernet WAN)
- WAN Interface is assigned 192.168.0.246 / 24
- Gateway for the WAN interface is 192.168.0.254
- Ethernet cable is plugged from LAN4/WAN to my new Modem/Router on LAN3.
- Port LAN2 of SRP527W is defined with VLAN IP Address 192.168.15.254.
When connected to the SRP527W on LAN2, from my computer (192.168.15.200), I can't ping 192.168.0.246 nor 0.254 (gateway is set to 15.254)
Still, when connected to the SRP527W and with the Ping Diagnosis interface, pinging "192.168.0.254" shows "timed out".
I tried almost every configuration, none worked.
Please note that when connected from my computer directly to my new modem/router on port LAN3, with IP Address 192.168.0.200, I can access the internet and ping everything. When set as DHCP too, I can grab an IP Address from my DHCP Windows Server.
So, why is the SRP527W unable to work in this configuration? It seems nothing passes through the WAN port.
If I'm right, there is only the WAN port that should be plugged into my modem router. With these settings, SSID should go directly to Internet, and for the other SSID, my LAN (through the modem/router). However, it doesn't work.
Could you help me please ? Thank you
Similar Messages
-
I have just upgraded to Lion and now my VPN connection does not work properly. It was working fine when I was using Leopard. The VPN is My Private Network and we use it to link to BBC iPlayer when abroad. It will actually connect to the VPN site and shows a UK IP address, but then when we try to load an iPlayer programme we get the message from the BBC that we are not in the country and, therefore, cannot access the site. Any suggestions?
Have a look at System Preferences, Accessibility, VoiceOver.
(Command - F5).
charlie -
ASA 5510 - Version 8.2(1) - SSH, ICMP and NAT not working
I have an ASA 5510 using version 8.2(1) and I have enabled ssh, icmp and they work from the inside network but not from the outside network.
Further to this, I exposed one site from the inside interface on the ASA (192.168.1.100) to outside (1.1.1.7) using NAT and it is not pingable nor accessible from the outside. I also allowed SSH from the outside network to the external IP addresses of the ASA and it is not working either. Any ideas what I could be missing in my configuration? I bolded the configurations involved in the ASA running configuration I copied below (please note I have replaced the real IP addresses with 1.1.1.x and 2.2.2.x):
ASA Version 8.2(1)
hostname fw
domain-name net.com
enable password eYKAfQL1.ZSbcTXZ encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
interface Ethernet0/0
description Primary Outside (Internet)
speed 10
duplex full
nameif outside
security-level 0
ip address 1.1.1.5 255.255.255.240
ospf cost 10
interface Ethernet0/1
description inside
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.1.254 255.255.255.0
ospf cost 10
interface Ethernet0/2
description WLAN
nameif WLAN
security-level 100
ip address 192.168.108.240 255.255.255.0
ospf cost 10
interface Ethernet0/3
description Secondary Outside (Internet)
speed 100
duplex full
nameif WAN2
security-level 0
ip address 2.2.2.133 255.255.255.192
interface Management0/0
description LAN/STATE Failover Interface
time-range after_hours
periodic weekdays 7:00 to 23:00
boot system disk0:/asa821-k8.bin
no ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup WLAN
dns server-group DefaultDNS
retries 3
timeout 5
name-server 8.8.8.8
name-server 206.191.0.210
name-server 4.2.2.1
name-server 4.2.2.2
domain-name net.com
access-list WAN2_access_in extended permit icmp any any echo-reply
access-list WAN2_access_in extended permit icmp any any time-exceeded
access-list WAN2_access_in extended permit icmp any any source-quench
access-list WAN2_access_in extended permit icmp any any unreachable
access-list WLAN_access_in extended permit icmp any any echo-reply
access-list WLAN_access_in extended permit icmp any any time-exceeded
access-list WLAN_access_in extended permit icmp any any source-quench
access-list WLAN_access_in extended permit icmp any any unreachable
access-list WLAN_access_in extended permit tcp host 192.168.1.100 eq ssh any
access-list WLAN_access_in extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.1.100 eq ssh
access-list WLAN_access_in extended permit ip any any
access-list time_based extended permit ip any any time-range after_hours
access-list split_tunnel standard permit host 206.191.0.210
access-list split_tunnel standard permit host 206.191.0.140
access-list split_tunnel standard permit host 207.181.101.4
access-list split_tunnel standard permit host 207.181.101.5
access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 1.1.1.7 eq ssh
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any host 192.168.1.100 eq ssh
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit icmp 192.168.1.0 255.255.255.0 any
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.1.100 eq ssh
pager lines 20
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu WLAN 1500
mtu WAN2 1500
ip local pool DHCP 192.168.1.245-192.168.1.252 mask 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface WAN2
failover
failover lan unit secondary
failover lan interface FO Management0/0
failover key *****
failover link FO Management0/0
failover interface ip FO 192.168.255.171 255.255.255.0 standby 192.168.255.172
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any WLAN
icmp permit any WAN2
asdm image disk0:/asdm-621.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
global (WAN2) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (WLAN) 1 192.168.108.0 255.255.255.0
static (inside,outside) 1.1.1.7 192.168.1.100 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group WLAN_access_in in interface WLAN
access-group WAN2_access_in in interface WAN2
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
route WAN2 0.0.0.0 0.0.0.0 2.2.2.129 254
route inside 192.168.1.100 255.255.255.255 192.168.1.0 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.108.0 255.255.255.0 WLAN
http 192.168.1.0 255.255.255.0 inside
http 192.168.1.101 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
type echo protocol ipIcmpEcho 4.2.2.2 interface outside
num-packets 3
timeout 1000
frequency 3
service resetoutside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
track 1 rtr 123 reachability
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh scopy enable
ssh 2.2.2.132 255.255.255.255 outside
ssh 69.17.141.134 255.255.255.255 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.1.100 255.255.255.255 inside
ssh 192.168.108.0 255.255.255.0 WLAN
ssh timeout 60
console timeout 0
management-access inside
dhcpd address 192.168.108.11-192.168.108.239 WLAN
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authenticate
ntp server 128.100.100.128
ntp server 132.246.168.148
ntp server 128.100.56.135
tftp-server inside 192.168.1.100 /
webvpn
group-policy Wifi internal
group-policy Wifi attributes
wins-server none
dns-server value 206.191.0.210 206.191.0.140
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel
tunnel-group Wifi type remote-access
tunnel-group Wifi general-attributes
address-pool DHCP
default-group-policy Wifi
tunnel-group Wifi ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect icmp error
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
service-policy global_policy global
prompt hostname context
Cryptochecksum:ac25ef0642e0ecb8f0ef63219833f3ae
: end
asdm image disk0:/asdm-621.bin
asdm location 192.168.1.245 255.255.255.255 inside
asdm location 192.168.1.252 255.255.255.255 inside
asdm history enable
Hi,
I can't see any problems right away in the configuration.
I guess we could start by using the "packet-tracer" to simulate the SSH and ICMP through the firewall
packet-tracer input outside tcp 1.1.1.1 12345 22
packet-tracer input outside icmp 1.1.1.1 8 0
Don't mind the source address of 1.1.1.1. It's just an address that is located behind the "outside" interface according to the ASA routing table. (As the configurations 1.1.1.0/28 is not actually configured on the ASA)
Share the exact "packet-tracer" command used (without the public IP, notice that the output contains the public IP also) and the output of the command with us here.
Also, have you made sure that there are no old translations active on the ASA?
You can use this command to view those
show xlate local 192.168.1.100
You can clear the xlates with
clear xlate local 192.168.1.100
- Jouni -
RV016 V3 vs RV082 V3 VPN Tunnel Backup not available on RV016
VPN tunnel backup is not available on the RV016 firmware version 4.0.2.08 (it IS on the RV082). The data sheet and the manual for the RV016 are wrong. I have purchased several RV016 hardware V3 and several RV082 hardware V3. Both have the same current firmware version. We have noted that the RV016 does not have the VPN tunnel failover option found in the RV082. It also does not have split DNS (noted in the manual). I would have thought that the firmware would provide equal options on the RV042, RV082, and RV016. Good job, Cisco!
We did not have VPN back up with the V1 RV016, either. Also tried V2 and at the time it was not working. The product that we have found works as expected is the Peplink Balance. There is still a few second delay on failover, but if you have two broadband connections, it is imperceptible. We gave up on the Cisco products.
-
Zone Based Firewall for VPN connections does not work after IOS upgrade
Hi all,
We use a Cisco 2911 router as corporate gateway - there is a Zone Based Firewall implemented - I upgraded IOS to the latest version (15.2(2)T1) - originally version 15.1(4)M1 - to solve an issue with Anyconnect connections (bug CSCtx38806) but I found that after the upgrade the VPN users are not able to communicate with sources in other zones.
More specific
WebVPN use this virtual template interface
interface Virtual-Template100
description Template for SSLVPN
ip unnumbered GigabitEthernet0/1.100
zone-member security INSIDE
There are other zones VOICE, LAB, ...
In the policy any connection is allowed (used inspection of icmp, tcp and udp) from INSIDE zone to VOICE or LAB zone
After VPN connection I am able to reach resources in INSIDE zone (which is the most important), but not in other zones. Before upgrade it worked.
Once I changed the zone in the Virtual-Template interface to VOICE, I was able to reach sources in the VOICE zone but not in any other. I searched more and found the stateful firewall is not working for connections from VPN, as ping is blocked by policy on the returning way - that is, by policy VOICE->INSIDE. Once I allowed communication from the "destination" zone to the INSIDE zone, the connections started to work, but of course it is not something I want to set up.
Does anybody have the same experience?
Regards
Pavel
It seems to me I should add one important note - if a client is connected directly in the INSIDE zone, he can reach resources in other zones without any issue - so the problem is only when the client is connected by VPN - not in the ZBF policy setup.
Pavel -
Hi,
I'm configuring a 1841 router with 4-port FE WIC card.
Interface FE0/1 is outside and FE0/0/0 (WIC) is used for LAN connection.
I'm using dynamic NAT for LAN users access to Internet and static NAT to connect to internal servers from external network.
In my test configuration, I cannot connect to LAN (192.168.0.0/24) from external network. Dynamic NAT, though, is working fine.
My config follows. Am I missing something? Hope someone can help me.
Thanks in advance.
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
ip address 10.10.10.1 255.255.255.248
duplex auto
speed auto
interface FastEthernet0/1
description $ETH-LAN$
ip address 192.168.2.2 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
interface FastEthernet0/0/0
interface FastEthernet0/0/1
interface FastEthernet0/0/2
interface FastEthernet0/0/3
interface Vlan1
ip address 192.168.0.6 255.255.255.0
ip nat inside
ip virtual-reassembly
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.0.1 23 interface FastEthernet0/1 23
ip nat inside source static tcp 192.168.0.5 5900 interface FastEthernet0/1 5900
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.0.18 0.0.0.128
Albert
It looks to me like your NAT is working. I get similar results in my NAT table.
2600_connect#sh ip nat trans
   Pro   Inside global     Inside local     Outside local       Outside global
1) icmp  172.16.1.9:4388   10.15.1.2:4388   10.5.1.1:4388       10.5.1.1:4388
2) tcp   172.16.1.9:23     10.15.1.3:23     172.16.1.10:62274   172.16.1.10:62274
3) tcp   172.16.1.9:23     10.15.1.3:23     ---                 ---
Line 1) is a dynamic translation from inside to outside for ping.
Line 2) is the dynamic entry built when I telnet from outside (172.16.1.10)
to 172.16.1.9 (which gets NATted to 10.15.1.3)
Line 3) is the permanent static translation that gets entered from the
config line "ip nat source static tcp 10.15.1.3 23 interface fa0/1 23"
Relevant Router config
======================
interface FastEthernet0/0
description Connection to CR02
ip address 10.15.1.1 255.255.255.240
ip nat inside
ip pim dense-mode
no ip route-cache
speed 100
full-duplex
interface FastEthernet0/1
description Connection to P1
ip address 172.16.1.9 255.255.255.248
ip nat outside
ip pim dense-mode
no ip route-cache
speed 100
full-duplex
router eigrp 20
redistribute connected
redistribute static
network 10.0.0.0
network 172.16.0.0
no auto-summary
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 10.15.1.3 23 interface FastEthernet0/1 23
ip classless
access-list 1 permit 10.15.1.0 0.0.0.15
=====================
Are you sure it is a natting problem ?
Jon -
Clientless VPN and Java not working correctly
In a recent discovery we found that the newest version of java will not work with our Cisco SSLVPN setup
We are using an ASA5510 with 8.0.4 IOS version and 6.1.3 ADSM version and most users use an mstsc.exe smart tunnel to rdp into our terminal server farm.
Our laptops are being imaged with Java 6 update 3 (this works fine) then upgraded to Java 6 update 11, after which the smart tunnel appears to launch but a connection cannot be established. Reinstalling the older version of Java resolves the problem.
I was wondering if anyone else has encountered a similar problem and found a workaround. Currently, company equipment is not being upgraded to the latest version of Java but personal equipment is a different story.
To get the old downloader back follow the directions below.
1. In the Location bar, type about:config and press Enter. The about:config "This might void your warranty!" warning page may appear.
2. Click "I'll be careful, I promise!" to continue to the about:config page.
3. Filter browser.download.useToolkitIT.
4. Double click and make sure it says true.
5. You now have the classic downloader back! Yay!
Any issues or confused?
* http://kb.mozillazine.org/About:config -
STUMPED! VPN into ASA5510 not working
Trying to setup remote vpn into a 5510, ran through the wizard, have the preshare and usernames, along with the pool configured. No errors when uploaded, but the Cisco VPN client does not connect at all, Reason 412. I have all crypto debugs running and I got nothing when I try to connect. If I had fat fingered the preshare or the username, I would at least think I would see some debug info when I tried to connect, but I got nothing. I have done this type of setup via the CLI on PIX and have not had problems, but I am not familiar with the new commands, and all I can find are stinking gui examples.
Well, I rebuilt from scratch through CLI, and at least now I have some debug output, but still stumped. Still get the same error with the client.
Jun 06 15:05:37 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Removing peer from peer table failed, no match!
Jun 06 15:05:37 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Error: Unable to remove PeerTblEntry
Jun 06 15:05:42 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Removing peer from peer table failed, no match!
Jun 06 15:05:42 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Error: Unable to remove PeerTblEntry
Jun 06 15:05:47 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Removing peer from peer table failed, no match!
Jun 06 15:05:47 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Error: Unable to remove PeerTblEntry
Jun 06 15:05:52 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Removing peer from peer table failed, no match!
Jun 06 15:05:52 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Error: Unable to remove PeerTblEntry -
VPN Split-Tunneling not working
Hello,
First off - thanks to all who post here. I often browse the forums and search for help on here and it's very useful, so a great pat on the back for everyone who contributes. My first time posting so here goes.....
I have my ASA 5505 v8.2 configured to allow AnyConnect. This is working. Client can connect and access the remote systems through VPN. What is causing me a massive headache is that the client loses internet connectivity. I have played around with my config somewhat so what I am about to post I know for certain is incorrect but any help is greatly appreciated.
Notes
1. The Router was set up for a standard site-to-site VPN which is no longer functional but as you can see all the settings are still in the router.
2. The router also has a DMZ setup to allow some clients access to the internet through it using the DMZ
CONFIGURATION:
ASA Version 8.2(5)
hostname MYHOST
enable password mUUvr2NINofYuSh2 encrypted
passwd UNDrnIuGV0tAPtz2 encrypted
names
name x.x.x.x AIME-SD
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
switchport access vlan 7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.101.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.x 255.255.0.0
interface Vlan7
no forward interface Vlan1
nameif DMZ
security-level 20
ip address 137.57.183.1 255.255.255.0
ftp mode passive
clock timezone MST -7
object-group network obj_any_dmz
access-list 10 extended permit ip 192.168.25.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list no_nat extended permit ip host x.x.x.x 192.168.25.0 255.255.255.0
access-list split-tunneling standard permit 192.168.101.0 255.255.255.0
access-list nonat extended permit ip 192.168.101.0 255.255.255.0 any
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
ip local pool Internal_Range 192.168.101.125-192.168.101.130 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list no_nat
nat (inside) 1 access-list nonat
nat (DMZ) 10 137.57.183.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 192.168.8.0 255.255.255.0 192.168.101.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable 64000
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set batus esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map batus 100 match address 10
crypto map batus 100 set peer AIME-SD
crypto map batus 100 set transform-set batus
crypto map batus interface outside
crypto ca trustpoint ASDM_TrustPoint1
enrollment self
subject-name CN=MYHOST
keypair ClientX_cert
crl configure
crypto ca certificate chain ASDM_TrustPoint1
certificate 0f817951
quit
crypto isakmp enable outside
crypto isakmp policy 40
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 DMZ
ssh timeout 10
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
ssl trust-point ASDM_TrustPoint1 outside
webvpn
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc enable
group-policy ClientX_access internal
group-policy ClientX_access attributes
vpn-tunnel-protocol svc
split-tunnel-network-list value split-tunneling
default-domain value access.local
address-pools value Internal_Range
ipv6-address-pools none
webvpn
svc mtu 1406
svc rekey time none
svc rekey method ssl
username ClientX password ykAxQ227nzontdIh encrypted privilege 15
username ClientX attributes
vpn-group-policy ClientX_access
service-type admin
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *****
tunnel-group ClientX type remote-access
tunnel-group ClientX general-attributes
address-pool Internal_Range
default-group-policy ClientX_access
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
default-group-policy ClientX_access
tunnel-group ClientX_access type remote-access
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:e7d92a387d1c5f07e14b3c894d159ec1
: end
Thank you for any help!!
Karsten!
That fixed my internet access problem. Yippee!
Unfortunately it seems to have broken my access to the internal network. Boo!
I can no longer access/ping anything on the internal IP range (192.168.101.x).
I assume this is a nat issue somewhere along the line. Posting the top half of my config for any assistance and the info requested by Raj (although VPN is connecting fine). Thank you both for your very prompt replies!!!
Short Config
object-group network obj_any_dmz
access-list 10 extended permit ip 192.168.25.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list no_nat extended permit ip host x.x.x.x 192.168.25.0 255.255.255.0
access-list split-tunneling standard permit 192.168.101.0 255.255.255.0
access-list nonat extended permit ip 192.168.101.0 255.255.255.0 any
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
ip local pool Internal_Range 192.168.101.125-192.168.101.130 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list no_nat
nat (inside) 1 access-list nonat
nat (DMZ) 10 137.57.183.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 207.229.2.129 1
route inside 192.168.8.0 255.255.255.0 192.168.101.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
Show vpn-sessiondb svc
Session Type: SVC
Username : ClientX Index : 9
Assigned IP : 192.168.101.125 Public IP : x.x.x.x
Protocol : Clientless SSL-Tunnel DTLS-Tunnel
License : SSL VPN
Encryption : RC4 AES128 Hashing : MD5 SHA1
Bytes Tx : 11662 Bytes Rx : 62930
Group Policy : ClientX_access Tunnel Group : DefaultWEBVPNGroup
Login Time : 22:40:56 MST Mon Jul 1 2013
Duration : 0h:11m:08s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none -
Time Capsule Drive on WAN + NAT not working.
Hi I'm having trouble setting up my TC.
I can enable access to the drive by enabling "share disks over Ethernet WAN port" - people can simply connect to the tc drive using my WAN IP.
What I can't do is enable NAT Port Mapping at the same time because then people can't access the drive via the WAN IP anymore.
I then tried disabling "share disks over Ethernet WAN port" and then manually tried adding "Personal File Sharing" - it won't let me use a public port of 548 - It simply says "a public TCP port number conflicts with a file sharing port on the base station - Disable file sharing or choose a different port number". So I did, I made the public port 1000. Now people can access the drive via the WAN IP but have to add :1000 onto my ip address.
Why can't I just enable "share disks over Ethernet WAN port" so people can access my tc via my WAN IP (without :1000) and have my local machine in the DMZ (default host) while having NAT enabled for my torrents at the same time?
thingi
I know that! The problem was not that simple..... You can't be in a DMZ and share your TC drive over the web at the same time.
I used to keep my mini in the DMZ by enabling the 'default host' and setting the ip manually on the mini so it always got the same ip = no NAT error when using torrents. You can't do that and have a TC which is contactable over the wibbly web.
So instead I took the mini out of the DMZ and set the TC to always give the same ip address to my mini by using a DHCPClient ID instead of using the default host.
I could have used the MAC address of the ethernet port in the access control list on the TC but that would have limited me to ethernet only. Sometimes I move my mini to under the tv to watch movies but that's not got ethernet......
That doesn't matter though because you can set the same DHCP Client IP for more than one interface in OSX. This means that when my mini connects via ethernet or via airport I get the same IP address, which means that the mini can continue downloading torrents without having to change the port forwarding on the TC or mess with manual IP addresses on the mini. WooHoo!!!!!!
The real beauty is that I then use the 'Set Service Order' to make ethernet first, then airport. Even when both interfaces are enabled with the same IP address, OSX is clever enough to route to ethernet first due to the service order. When I unplug the ethernet cable, bang, my net connection swaps right over to the airport with no fuss whatsoever on the same IP. Torrents continue perfectly because the correct port routing is still applied.
This means that port forwarding always works because the mini always gets the same ip address even though it's assigned by the TC's DHCP server. I didn't know that the TC could give a specific IP to a specific client. I really didn't expect the multiple DHCP Client IP trick to work!!!!
It also means I'm safer because I'm behind the NAT firewall instead of being open due to being in the DMZ (why apple call it default host I'll never know).
Message was edited by: Stephen Medway -
I need to know if it is possible to establish a L-2-L VPN if the termination device (PIX 7.x) is behind a router with NAT... All the traffic to the public IP is forwarded by the router to the PIX.
the schema is like this:
LAN -> FW -> Internet -> Router (NAT) -> FW (PIX) -> LAN
(see the attached file)
regards
mariano
Chris
We are talking pix/asa here, aren't we? And we are talking about natting your source IP addresses, right?
If so, yes absolutely you can do this as i have done it many times in production environments.
No you won't need statics. You do generally need a static to go from lower to higher but remember that is for the destination IP.
You're not concerned with the destination IP addresses, you are only concerned with natting the source IP addresses.
Edit - just make sure on your NAT statement that it ends with "outside" as in the above example. This is how the pix knows to nat in that direction in effect.
Jon -
Anyconnect VPN Certificate-matching not working
Cisco Adaptive Security Appliance Software Version 9.1(4); Device Manager Version 7.1(5)100; anyconnect-win-3.1.05152-k9.pkg
Hello, I am trying to implement Certificate Matching for certain client profiles. However 'certificate matching' does not seem to work- another certificate is always selected instead for Anyconnect SSL VPN authentication.
For example the client has two client-certificates installed: masin2 and masin3. I have configured the client-profile certificate-matching to use masin2 for authentication, but Anyconnect still chooses masin3 instead.
The client-profile looks like this:
<CertificateMatch>
<KeyUsage>
<MatchKey>Key_Encipherment</MatchKey>
<MatchKey>Digital_Signature</MatchKey>
</KeyUsage>
<ExtendedKeyUsage>
<ExtendedMatchKey>ClientAuth</ExtendedMatchKey>
</ExtendedKeyUsage>
<DistinguishedName>
<DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Disabled">
<Name>CN</Name>
<Pattern>masin2</Pattern>
</DistinguishedNameDefinition>
</DistinguishedName>
</CertificateMatch>
Any suggestions/ideas? thanks for any input,
heiki.
Enabling wildcard did not help. Also tried disabling/enabling automatic certificate selection - no luck.
I have also tried with and without different keyusage and extendedkeyusage- no difference.
The Client Profile is correctly updated on the client PC every time a change is made, but it seems like Anyconnect is not evaluating the Certificate Matching fields at all. And it seems like the problem is only with the CertificateMatch fields, because other fields are used as configured (for example: certificatestore, retainvpnonlogoff, usestartbeforelogon and so on).
I even upgraded Anyconnect to the latest version 3.1.05160 and still- anyconnect completely ignores certificatematch configuration in client-profile. -
VPN server does not work when a second network adapter is enabled
I have an Xserve providing DNS, filesharing, and VPN services on an office LAN. The server sits behind a gateway router and is set as a DMZ host.
VPN has been working absolutely flawlessly on the server for some time. However, I've recently discovered that this all changes when the Xserve's second ethernet adapter is enabled.
To illustrate:
en0: static IP 192.168.2.250
en1: disabled
VPN works perfectly
en0: static IP 192.168.2.250
en1: static IP 192.168.2.251
DNS settings unchanged, DMZ host unchanged
VPN doesn't work
The above is even true when attempting to connect internally.
VPN is configured for L2TP, and when the second NIC is connected the VPN server logs the following (below). There are a number of other Lion Server users that seem to be experiencing the same log pattern, but there doesn't seem to be a definitive solution.
I was wondering if anyone has any advice on how I could solve this problem? Is it possible to bind the VPN server to a specified network adapter?
Thanks in advance for any help or ideas.
(And to preempt the question of "why do you need to use both NICs", the two interfaces are to be used for load balancing. See https://discussions.apple.com/message/17655599?ac_cid=142432)
Wed Feb 22 15:53:53 2012 : Directory Services Authentication plugin initialized
Wed Feb 22 15:53:53 2012 : Directory Services Authorization plugin initialized
Wed Feb 22 15:53:53 2012 : L2TP incoming call in progress from 'xxx.xxx.xxx.xxx'...
Wed Feb 22 15:53:53 2012 : L2TP received SCCRQ
Wed Feb 22 15:53:53 2012 : L2TP sent SCCRP
2012-02-22 15:53:54 GMT Incoming call... Address given to client = 192.168.2.229
Wed Feb 22 15:53:54 2012 : Directory Services Authentication plugin initialized
Wed Feb 22 15:53:54 2012 : Directory Services Authorization plugin initialized
Wed Feb 22 15:53:54 2012 : L2TP incoming call in progress from 'xxx.xxx.xxx.xxx'...
Wed Feb 22 15:53:54 2012 : L2TP received SCCRQ
Wed Feb 22 15:53:54 2012 : L2TP sent SCCRP
2012-02-22 15:53:56 GMT Incoming call... Address given to client = 192.168.2.220
Wed Feb 22 15:53:56 2012 : Directory Services Authentication plugin initialized
Wed Feb 22 15:53:56 2012 : Directory Services Authorization plugin initialized
Wed Feb 22 15:53:56 2012 : L2TP incoming call in progress from 'xxx.xxx.xxx.xxx'...
Wed Feb 22 15:53:56 2012 : L2TP received SCCRQ
Wed Feb 22 15:53:56 2012 : L2TP sent SCCRP
2012-02-22 15:54:00 GMT Incoming call... Address given to client = 192.168.2.221
Wed Feb 22 15:54:00 2012 : Directory Services Authentication plugin initialized
Wed Feb 22 15:54:00 2012 : Directory Services Authorization plugin initialized
Wed Feb 22 15:54:00 2012 : L2TP incoming call in progress from 'xxx.xxx.xxx.xxx'...
Wed Feb 22 15:54:00 2012 : L2TP received SCCRQ
Wed Feb 22 15:54:00 2012 : L2TP sent SCCRP
2012-02-22 15:54:04 GMT Incoming call... Address given to client = 192.168.2.222
Wed Feb 22 15:54:04 2012 : Directory Services Authentication plugin initialized
Wed Feb 22 15:54:04 2012 : Directory Services Authorization plugin initialized
Wed Feb 22 15:54:04 2012 : L2TP incoming call in progress from 'xxx.xxx.xxx.xxx'...
Wed Feb 22 15:54:04 2012 : L2TP received SCCRQ
Wed Feb 22 15:54:04 2012 : L2TP sent SCCRP
2012-02-22 15:54:08 GMT Incoming call... Address given to client = 192.168.2.226
Wed Feb 22 15:54:08 2012 : Directory Services Authentication plugin initialized
Wed Feb 22 15:54:08 2012 : Directory Services Authorization plugin initialized
Wed Feb 22 15:54:08 2012 : L2TP incoming call in progress from 'xxx.xxx.xxx.xxx'...
Wed Feb 22 15:54:08 2012 : L2TP received SCCRQ
Wed Feb 22 15:54:08 2012 : L2TP sent SCCRP
2012-02-22 15:54:12 GMT Incoming call... Address given to client = 192.168.2.223
Wed Feb 22 15:54:12 2012 : Directory Services Authentication plugin initialized
Wed Feb 22 15:54:12 2012 : Directory Services Authorization plugin initialized
Wed Feb 22 15:54:12 2012 : L2TP incoming call in progress from 'xxx.xxx.xxx.xxx'...
Wed Feb 22 15:54:12 2012 : L2TP received SCCRQ
Wed Feb 22 15:54:12 2012 : L2TP sent SCCRP
2012-02-22 15:54:13 GMT --> Client with address = 192.168.2.228 has hungup
2012-02-22 15:54:14 GMT --> Client with address = 192.168.2.229 has hungup
2012-02-22 15:54:16 GMT --> Client with address = 192.168.2.220 has hungup
2012-02-22 15:54:20 GMT --> Client with address = 192.168.2.221 has hungup
2012-02-22 15:54:24 GMT --> Client with address = 192.168.2.222 has hungup
2012-02-22 15:54:28 GMT --> Client with address = 192.168.2.226 has hungup
2012-02-22 15:54:32 GMT --> Client with address = 192.168.2.223 has hungup
Try switching the order of the services in System Preferences > Network.
Put the second one at the top.
HTH,
b. -
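Added example, not part of the original thread: a small Python parser for the log format quoted in the question, which checks whether any L2TP control connection got past SCCRP (RFC 2661 expects the client to answer with SCCCN) and how long each assigned address lived before the hang-up. The sample lines are copied from the excerpt above; the function name and the assumption that a completed handshake would be logged as "received SCCCN" are mine.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: a subset of the log lines quoted in the post above.
SAMPLE_LOG = """\
Wed Feb 22 15:53:53 2012 : L2TP incoming call in progress from 'xxx.xxx.xxx.xxx'...
Wed Feb 22 15:53:53 2012 : L2TP received SCCRQ
Wed Feb 22 15:53:53 2012 : L2TP sent SCCRP
2012-02-22 15:53:54 GMT Incoming call... Address given to client = 192.168.2.229
Wed Feb 22 15:53:54 2012 : L2TP received SCCRQ
Wed Feb 22 15:53:54 2012 : L2TP sent SCCRP
2012-02-22 15:53:56 GMT Incoming call... Address given to client = 192.168.2.220
2012-02-22 15:54:13 GMT --> Client with address = 192.168.2.228 has hungup
2012-02-22 15:54:14 GMT --> Client with address = 192.168.2.229 has hungup
2012-02-22 15:54:16 GMT --> Client with address = 192.168.2.220 has hungup
"""

CTRL = re.compile(r"L2TP (received|sent) ([A-Z]+)")
GIVEN = re.compile(r"^(\S+ \S+) GMT Incoming call\.\.\. Address given to client = (\S+)")
HUNGUP = re.compile(r"^(\S+ \S+) GMT --> Client with address = (\S+) has hungup")
STAMP = "%Y-%m-%d %H:%M:%S"

def analyze(log_text):
    """Summarise control messages and per-address session lifetimes."""
    ctrl = Counter()
    given, sessions, orphans = {}, [], []
    for line in log_text.splitlines():
        if m := CTRL.search(line):
            ctrl[f"{m.group(1)} {m.group(2)}"] += 1
        elif m := GIVEN.match(line):
            given[m.group(2)] = datetime.strptime(m.group(1), STAMP)
        elif m := HUNGUP.match(line):
            end = datetime.strptime(m.group(1), STAMP)
            start = given.pop(m.group(2), None)
            if start is None:
                orphans.append(m.group(2))  # assigned before the excerpt starts
            else:
                sessions.append((m.group(2), int((end - start).total_seconds())))
    return {
        "control": dict(ctrl),
        # Assumption: a finished handshake is logged as "received SCCCN".
        "handshake_completed": ctrl["received SCCCN"] > 0,
        "sessions": sessions,
        "orphans": orphans,
        "still_open": sorted(given),
    }

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the lines above, every SCCRQ is answered with SCCRP, no SCCCN is ever received, and each address is released exactly 20 seconds after it was handed out, so the attempts stall after the server's first reply rather than at authentication.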
Polycom HDX7000 behind ASA not working
I have run into a problem with my Polycom behind my ASA5510. I cannot receive calls from the outside, and when placing calls from inside to outside the connection completes and my audio/video reaches the outside but no audio/video is returned through the firewall. I am a newbie to firewall configs so any help would be greatly appreciated. My ASA is running version 9.1(2) and below is the config as it relates to the polycom.
object network polycom_private
host 10.3.0.x
object network polycom_public
host 63.234.x.x
object-group service h323-Group
service-object tcp destination eq h323
service-object object 3230-3235
service-object object 3230-3280
access-list outside_acl extended permit object-group h323-Group any object polycom_private
object network polycom_private
nat (inside,outside) static 63.234.x.x
I have disabled h323 inspection and still i cannot make a successful connection.
Thanks in advance.
After working with TAC we have made a few changes on the ASA to get this partially working. I can now make outbound calls to remote sites and get audio and video to pass in both directions. However, I still cannot get any inbound calls to pass through the ASA. Here are the changes TAC made to the ASA to get this working most of the way.
Issue: ASA was dropping packets with 'router alert' IP option set.
Fix: Created a new policy-map to specifically allow this traffic and applied it to the Global Policy.
Also, enabled Skinny, SIP, H323 inspection on the global policy.
Still working on the remote site dialing in but as of right now when testing an inbound call from a remote site for reasons unknown, we were seeing SYN on port 1720 coming in from the remote Polycom unit, being untranslated and going to the local Polycom unit, however, we never saw a Syn Ack for that.
Work in progress..
Jimmy -
VBA- Code behind button not working
I am trying to add a vba code behind a close button to close a form but error keeps coming up. Each time i click the close button a Compile Error message: Sub or Function not Defined, keeps on coming up.
Code is below
Private Sub cmdClose_Click()
On Error GoTo Err_cmdClose_Click
' If Me.Dirty Then Me.Dirty = False
DoCmd.Close
Exit_cmdClose_Click:
Exit Sub
Err_cmdClose_Click
MsgBox Err.Description
Resume Exit_cmdClose_Click
End Sub
Sometimes the link between the button and its event gets broken. Select the button on the form in design view. Select the On Click event in the properties sheet. Then press F7. That usually fixes it.
Bill Mosca
www.thatlldoit.com
http://tech.groups.yahoo.com/group/MS_Access_Professionals